1 /** 2 * \file ssl_misc.h 3 * 4 * \brief Internal functions shared by the SSL modules 5 */ 6 /* 7 * Copyright The Mbed TLS Contributors 8 * SPDX-License-Identifier: Apache-2.0 9 * 10 * Licensed under the Apache License, Version 2.0 (the "License"); you may 11 * not use this file except in compliance with the License. 12 * You may obtain a copy of the License at 13 * 14 * http://www.apache.org/licenses/LICENSE-2.0 15 * 16 * Unless required by applicable law or agreed to in writing, software 17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 19 * See the License for the specific language governing permissions and 20 * limitations under the License. 21 */ 22 #ifndef MBEDTLS_SSL_MISC_H 23 #define MBEDTLS_SSL_MISC_H 24 25 #include "mbedtls/build_info.h" 26 27 #include "mbedtls/ssl.h" 28 #include "mbedtls/cipher.h" 29 30 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 31 #include "psa/crypto.h" 32 #include "mbedtls/psa_util.h" 33 #include "hash_info.h" 34 #endif 35 #include "mbedtls/legacy_or_psa.h" 36 37 #if defined(MBEDTLS_MD5_C) 38 #include "mbedtls/md5.h" 39 #endif 40 41 #if defined(MBEDTLS_SHA1_C) 42 #include "mbedtls/sha1.h" 43 #endif 44 45 #if defined(MBEDTLS_SHA256_C) 46 #include "mbedtls/sha256.h" 47 #endif 48 49 #if defined(MBEDTLS_SHA512_C) 50 #include "mbedtls/sha512.h" 51 #endif 52 53 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 54 !defined(MBEDTLS_USE_PSA_CRYPTO) 55 #include "mbedtls/ecjpake.h" 56 #endif 57 58 #include "mbedtls/pk.h" 59 #include "common.h" 60 61 /* Shorthand for restartable ECC */ 62 #if defined(MBEDTLS_ECP_RESTARTABLE) && \ 63 defined(MBEDTLS_SSL_CLI_C) && \ 64 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 65 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 66 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED 67 #endif 68 69 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 70 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ 71 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ 72 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ 73 74 /* Faked handshake message identity for HelloRetryRequest. */ 75 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO) 76 77 /* 78 * Internal identity of handshake extensions 79 */ 80 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 81 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 82 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1 83 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2 84 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3 85 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4 86 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4 87 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5 88 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6 89 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7 90 #define MBEDTLS_SSL_EXT_ID_ALPN 8 91 #define MBEDTLS_SSL_EXT_ID_SCT 9 92 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10 93 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11 94 #define MBEDTLS_SSL_EXT_ID_PADDING 12 95 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13 96 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14 97 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15 98 #define MBEDTLS_SSL_EXT_ID_COOKIE 16 99 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17 100 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18 101 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19 102 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20 103 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21 104 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22 105 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23 106 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24 107 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25 108 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26 109 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27 110 #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28 111 112 /* Utility for translating IANA extension type. */ 113 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type); 114 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type); 115 /* Macros used to define mask constants */ 116 #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id)) 117 /* Reset value of extension mask */ 118 #define MBEDTLS_SSL_EXT_MASK_NONE 0 119 120 /* In messages containing extension requests, we should ignore unrecognized 121 * extensions. In messages containing extension responses, unrecognized 122 * extensions should result in handshake abortion. Messages containing 123 * extension requests include ClientHello, CertificateRequest and 124 * NewSessionTicket. Messages containing extension responses include 125 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate. 126 * 127 * RFC 8446 section 4.1.3 128 * 129 * The ServerHello MUST only include extensions which are required to establish 130 * the cryptographic context and negotiate the protocol version. 131 * 132 * RFC 8446 section 4.2 133 * 134 * If an implementation receives an extension which it recognizes and which is 135 * not specified for the message in which it appears, it MUST abort the handshake 136 * with an "illegal_parameter" alert. 137 */ 138 139 /* Extensions that are not recognized by TLS 1.3 */ 140 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \ 141 (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \ 142 MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \ 143 MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \ 144 MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \ 145 MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \ 146 MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED)) 147 148 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */ 149 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ 150 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 151 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 152 MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 153 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 154 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 155 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 156 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 157 MBEDTLS_SSL_EXT_MASK(ALPN) | \ 158 MBEDTLS_SSL_EXT_MASK(SCT) | \ 159 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 160 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 161 MBEDTLS_SSL_EXT_MASK(PADDING) | \ 162 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 163 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 164 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \ 165 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 166 MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 167 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \ 168 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 169 MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \ 170 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 171 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \ 172 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 173 174 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ 175 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ 176 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 177 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 178 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 179 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 180 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 181 MBEDTLS_SSL_EXT_MASK(ALPN) | \ 182 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 183 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 184 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 185 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) 186 187 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ 188 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ 189 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 190 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 191 MBEDTLS_SSL_EXT_MASK(SCT) | \ 192 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 193 MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \ 194 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 195 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 196 197 /* RFC 8446 section 4.2. Allowed extensions for Certificate */ 198 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ 199 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 200 MBEDTLS_SSL_EXT_MASK(SCT)) 201 202 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */ 203 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ 204 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 205 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 206 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 207 208 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ 209 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ 210 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 211 MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 212 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 213 214 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ 215 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ 216 (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 217 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 218 219 /* 220 * Helper macros for function call with return check. 221 */ 222 /* 223 * Exit when return non-zero value 224 */ 225 #define MBEDTLS_SSL_PROC_CHK(f) \ 226 do { \ 227 ret = (f); \ 228 if (ret != 0) \ 229 { \ 230 goto cleanup; \ 231 } \ 232 } while (0) 233 /* 234 * Exit when return negative value 235 */ 236 #define MBEDTLS_SSL_PROC_CHK_NEG(f) \ 237 do { \ 238 ret = (f); \ 239 if (ret < 0) \ 240 { \ 241 goto cleanup; \ 242 } \ 243 } while (0) 244 245 /* 246 * DTLS retransmission states, see RFC 6347 4.2.4 247 * 248 * The SENDING state is merged in PREPARING for initial sends, 249 * but is distinct for resends. 250 * 251 * Note: initial state is wrong for server, but is not used anyway. 252 */ 253 #define MBEDTLS_SSL_RETRANS_PREPARING 0 254 #define MBEDTLS_SSL_RETRANS_SENDING 1 255 #define MBEDTLS_SSL_RETRANS_WAITING 2 256 #define MBEDTLS_SSL_RETRANS_FINISHED 3 257 258 /* 259 * Allow extra bytes for record, authentication and encryption overhead: 260 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256). 261 */ 262 263 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 264 265 /* This macro determines whether CBC is supported. */ 266 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 267 (defined(MBEDTLS_AES_C) || \ 268 defined(MBEDTLS_CAMELLIA_C) || \ 269 defined(MBEDTLS_ARIA_C) || \ 270 defined(MBEDTLS_DES_C)) 271 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC 272 #endif 273 274 /* This macro determines whether a ciphersuite using a 275 * stream cipher can be used. */ 276 #if defined(MBEDTLS_CIPHER_NULL_CIPHER) 277 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM 278 #endif 279 280 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */ 281 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 282 defined(MBEDTLS_SSL_PROTO_TLS1_2) 283 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC 284 #endif 285 286 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \ 287 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) 288 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC 289 #endif 290 291 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */ 292 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 293 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 294 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM 295 #endif 296 297 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 298 299 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 300 /* Ciphersuites using HMAC */ 301 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 302 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ 303 #elif defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 304 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ 305 #else 306 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ 307 #endif 308 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 309 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ 310 #define MBEDTLS_SSL_MAC_ADD 16 311 #endif 312 313 #if defined(MBEDTLS_CIPHER_MODE_CBC) 314 #define MBEDTLS_SSL_PADDING_ADD 256 315 #else 316 #define MBEDTLS_SSL_PADDING_ADD 0 317 #endif 318 319 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 320 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 321 #else 322 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 323 #endif 324 325 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \ 326 MBEDTLS_SSL_MAC_ADD + \ 327 MBEDTLS_SSL_PADDING_ADD + \ 328 MBEDTLS_SSL_MAX_CID_EXPANSION \ 329 ) 330 331 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 332 (MBEDTLS_SSL_IN_CONTENT_LEN)) 333 334 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 335 (MBEDTLS_SSL_OUT_CONTENT_LEN)) 336 337 /* The maximum number of buffered handshake messages. */ 338 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 339 340 /* Maximum length we can advertise as our max content length for 341 RFC 6066 max_fragment_length extension negotiation purposes 342 (the lesser of both sizes, if they are unequal.) 343 */ 344 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ 345 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ 346 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \ 347 : (MBEDTLS_SSL_IN_CONTENT_LEN) \ 348 ) 349 350 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 351 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534 352 353 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 354 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2 355 356 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ 357 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 358 359 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 360 361 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 362 363 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE 364 365 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 366 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig) 367 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF) 368 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8) 369 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 370 371 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 372 373 /* 374 * Check that we obey the standard's message size bounds 375 */ 376 377 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384 378 #error "Bad configuration - incoming record content too large." 379 #endif 380 381 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384 382 #error "Bad configuration - outgoing record content too large." 383 #endif 384 385 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048 386 #error "Bad configuration - incoming protected record payload too large." 387 #endif 388 389 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048 390 #error "Bad configuration - outgoing protected record payload too large." 391 #endif 392 393 /* Calculate buffer sizes */ 394 395 /* Note: Even though the TLS record header is only 5 bytes 396 long, we're internally using 8 bytes to store the 397 implicit sequence number. */ 398 #define MBEDTLS_SSL_HEADER_LEN 13 399 400 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 401 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 402 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN)) 403 #else 404 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 405 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \ 406 + (MBEDTLS_SSL_CID_IN_LEN_MAX)) 407 #endif 408 409 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 410 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 411 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)) 412 #else 413 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 414 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \ 415 + (MBEDTLS_SSL_CID_OUT_LEN_MAX)) 416 #endif 417 418 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32 419 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32 420 421 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 422 /** 423 * \brief Return the maximum fragment length (payload, in bytes) for 424 * the output buffer. For the client, this is the configured 425 * value. For the server, it is the minimum of two - the 426 * configured value and the negotiated one. 427 * 428 * \sa mbedtls_ssl_conf_max_frag_len() 429 * \sa mbedtls_ssl_get_max_out_record_payload() 430 * 431 * \param ssl SSL context 432 * 433 * \return Current maximum fragment length for the output buffer. 434 */ 435 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl); 436 437 /** 438 * \brief Return the maximum fragment length (payload, in bytes) for 439 * the input buffer. This is the negotiated maximum fragment 440 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. 441 * If it is not defined either, the value is 2^14. This function 442 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). 443 * 444 * \sa mbedtls_ssl_conf_max_frag_len() 445 * \sa mbedtls_ssl_get_max_in_record_payload() 446 * 447 * \param ssl SSL context 448 * 449 * \return Current maximum fragment length for the output buffer. 450 */ 451 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl); 452 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 453 454 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 455 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx) 456 { 457 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 458 return mbedtls_ssl_get_output_max_frag_len(ctx) 459 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 460 + MBEDTLS_SSL_CID_OUT_LEN_MAX; 461 #else 462 return mbedtls_ssl_get_output_max_frag_len(ctx) 463 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 464 #endif 465 } 466 467 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx) 468 { 469 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 470 return mbedtls_ssl_get_input_max_frag_len(ctx) 471 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 472 + MBEDTLS_SSL_CID_IN_LEN_MAX; 473 #else 474 return mbedtls_ssl_get_input_max_frag_len(ctx) 475 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 476 #endif 477 } 478 #endif 479 480 /* 481 * TLS extension flags (for extensions with outgoing ServerHello content 482 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because 483 * of state of the renegotiation flag, so no indicator is required) 484 */ 485 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) 486 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) 487 488 /** 489 * \brief This function checks if the remaining size in a buffer is 490 * greater or equal than a needed space. 491 * 492 * \param cur Pointer to the current position in the buffer. 493 * \param end Pointer to one past the end of the buffer. 494 * \param need Needed space in bytes. 495 * 496 * \return Zero if the needed space is available in the buffer, non-zero 497 * otherwise. 498 */ 499 #if !defined(MBEDTLS_TEST_HOOKS) 500 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 501 const uint8_t *end, size_t need) 502 { 503 return (cur > end) || (need > (size_t) (end - cur)); 504 } 505 #else 506 typedef struct { 507 const uint8_t *cur; 508 const uint8_t *end; 509 size_t need; 510 } mbedtls_ssl_chk_buf_ptr_args; 511 512 void mbedtls_ssl_set_chk_buf_ptr_fail_args( 513 const uint8_t *cur, const uint8_t *end, size_t need); 514 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void); 515 516 MBEDTLS_CHECK_RETURN_CRITICAL 517 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args); 518 519 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 520 const uint8_t *end, size_t need) 521 { 522 if ((cur > end) || (need > (size_t) (end - cur))) { 523 mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need); 524 return 1; 525 } 526 return 0; 527 } 528 #endif /* MBEDTLS_TEST_HOOKS */ 529 530 /** 531 * \brief This macro checks if the remaining size in a buffer is 532 * greater or equal than a needed space. If it is not the case, 533 * it returns an SSL_BUFFER_TOO_SMALL error. 534 * 535 * \param cur Pointer to the current position in the buffer. 536 * \param end Pointer to one past the end of the buffer. 537 * \param need Needed space in bytes. 538 * 539 */ 540 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \ 541 do { \ 542 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 543 { \ 544 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \ 545 } \ 546 } while (0) 547 548 /** 549 * \brief This macro checks if the remaining length in an input buffer is 550 * greater or equal than a needed length. If it is not the case, it 551 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a 552 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. 553 * 554 * This is a function-like macro. It is guaranteed to evaluate each 555 * argument exactly once. 556 * 557 * \param cur Pointer to the current position in the buffer. 558 * \param end Pointer to one past the end of the buffer. 559 * \param need Needed length in bytes. 560 * 561 */ 562 #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \ 563 do { \ 564 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 565 { \ 566 MBEDTLS_SSL_DEBUG_MSG(1, \ 567 ("missing input data in %s", __func__)); \ 568 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ 569 MBEDTLS_ERR_SSL_DECODE_ERROR); \ 570 return MBEDTLS_ERR_SSL_DECODE_ERROR; \ 571 } \ 572 } while (0) 573 574 #ifdef __cplusplus 575 extern "C" { 576 #endif 577 578 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen, 579 const char *label, 580 const unsigned char *random, size_t rlen, 581 unsigned char *dstbuf, size_t dlen); 582 583 /* cipher.h exports the maximum IV, key and block length from 584 * all ciphers enabled in the config, regardless of whether those 585 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled 586 * in the default configuration and uses 64 Byte keys, but it is 587 * not used for record protection in SSL/TLS. 588 * 589 * In order to prevent unnecessary inflation of key structures, 590 * we introduce SSL-specific variants of the max-{key,block,IV} 591 * macros here which are meant to only take those ciphers into 592 * account which can be negotiated in SSL/TLS. 593 * 594 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH 595 * in cipher.h are rough overapproximations of the real maxima, here 596 * we content ourselves with replicating those overapproximations 597 * for the maximum block and IV length, and excluding XTS from the 598 * computation of the maximum key length. */ 599 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 600 #define MBEDTLS_SSL_MAX_IV_LENGTH 16 601 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 602 603 /** 604 * \brief The data structure holding the cryptographic material (key and IV) 605 * used for record protection in TLS 1.3. 606 */ 607 struct mbedtls_ssl_key_set { 608 /*! The key for client->server records. */ 609 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 610 /*! The key for server->client records. */ 611 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 612 /*! The IV for client->server records. */ 613 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 614 /*! The IV for server->client records. */ 615 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 616 617 size_t key_len; /*!< The length of client_write_key and 618 * server_write_key, in Bytes. */ 619 size_t iv_len; /*!< The length of client_write_iv and 620 * server_write_iv, in Bytes. */ 621 }; 622 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; 623 624 typedef struct { 625 unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 626 unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 627 unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 628 } mbedtls_ssl_tls13_early_secrets; 629 630 typedef struct { 631 unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 632 unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 633 } mbedtls_ssl_tls13_handshake_secrets; 634 635 /* 636 * This structure contains the parameters only needed during handshake. 637 */ 638 struct mbedtls_ssl_handshake_params { 639 /* Frequently-used boolean or byte fields (placed early to take 640 * advantage of smaller code size for indirect access on Arm Thumb) */ 641 uint8_t resume; /*!< session resume indicator*/ 642 uint8_t cli_exts; /*!< client extension presence*/ 643 644 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 645 uint8_t sni_authmode; /*!< authmode from SNI callback */ 646 #endif 647 648 #if defined(MBEDTLS_SSL_SRV_C) 649 /* Flag indicating if a CertificateRequest message has been sent 650 * to the client or not. */ 651 uint8_t certificate_request_sent; 652 #endif /* MBEDTLS_SSL_SRV_C */ 653 654 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 655 uint8_t new_session_ticket; /*!< use NewSessionTicket? */ 656 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 657 658 #if defined(MBEDTLS_SSL_CLI_C) 659 /** Minimum TLS version to be negotiated. 660 * 661 * It is set up in the ClientHello writing preparation stage and used 662 * throughout the ClientHello writing. Not relevant anymore as soon as 663 * the protocol version has been negotiated thus as soon as the 664 * ServerHello is received. 665 * For a fresh handshake not linked to any previous handshake, it is 666 * equal to the configured minimum minor version to be negotiated. When 667 * renegotiating or resuming a session, it is equal to the previously 668 * negotiated minor version. 669 * 670 * There is no maximum TLS version field in this handshake context. 671 * From the start of the handshake, we need to define a current protocol 672 * version for the record layer which we define as the maximum TLS 673 * version to be negotiated. The `tls_version` field of the SSL context is 674 * used to store this maximum value until it contains the actual 675 * negotiated value. 676 */ 677 mbedtls_ssl_protocol_version min_tls_version; 678 #endif 679 680 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 681 uint8_t extended_ms; /*!< use Extended Master Secret? */ 682 #endif 683 684 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 685 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */ 686 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 687 688 #if defined(MBEDTLS_SSL_PROTO_DTLS) 689 unsigned char retransmit_state; /*!< Retransmission state */ 690 #endif 691 692 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 693 unsigned char group_list_heap_allocated; 694 unsigned char sig_algs_heap_allocated; 695 #endif 696 697 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 698 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ 699 enum { /* this complements ssl->state with info on intra-state operations */ 700 ssl_ecrs_none = 0, /*!< nothing going on (yet) */ 701 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ 702 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ 703 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ 704 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ 705 } ecrs_state; /*!< current (or last) operation */ 706 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ 707 size_t ecrs_n; /*!< place for saving a length */ 708 #endif 709 710 mbedtls_ssl_ciphersuite_t const *ciphersuite_info; 711 712 MBEDTLS_CHECK_RETURN_CRITICAL 713 int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); 714 MBEDTLS_CHECK_RETURN_CRITICAL 715 int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); 716 MBEDTLS_CHECK_RETURN_CRITICAL 717 int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); 718 mbedtls_ssl_tls_prf_cb *tls_prf; 719 720 /* 721 * Handshake specific crypto variables 722 */ 723 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 724 uint8_t key_exchange_mode; /*!< Selected key exchange mode */ 725 726 /** Number of HelloRetryRequest messages received/sent from/to the server. */ 727 int hello_retry_request_count; 728 729 #if defined(MBEDTLS_SSL_SRV_C) 730 /** selected_group of key_share extension in HelloRetryRequest message. */ 731 uint16_t hrr_selected_group; 732 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 733 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ 734 #endif 735 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 736 uint16_t new_session_tickets_count; /*!< number of session tickets */ 737 #endif 738 #endif /* MBEDTLS_SSL_SRV_C */ 739 740 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 741 742 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 743 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; 744 #endif 745 746 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 747 const uint16_t *group_list; 748 const uint16_t *sig_algs; 749 #endif 750 751 #if defined(MBEDTLS_DHM_C) 752 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ 753 #endif 754 755 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due 756 * to guards in client and server code. There is a gap in functionality that 757 * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not 758 * seem correct. 759 */ 760 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 761 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 762 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ 763 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 764 765 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 766 psa_key_type_t ecdh_psa_type; 767 size_t ecdh_bits; 768 mbedtls_svc_key_id_t ecdh_psa_privkey; 769 uint8_t ecdh_psa_privkey_is_external; 770 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; 771 size_t ecdh_psa_peerkey_len; 772 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 773 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 774 775 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 776 #if defined(MBEDTLS_USE_PSA_CRYPTO) 777 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ 778 mbedtls_svc_key_id_t psa_pake_password; 779 uint8_t psa_pake_ctx_is_ok; 780 #else 781 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ 782 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 783 #if defined(MBEDTLS_SSL_CLI_C) 784 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ 785 size_t ecjpake_cache_len; /*!< Length of cached data */ 786 #endif 787 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 788 789 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 790 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 791 uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */ 792 #endif 793 794 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 795 #if defined(MBEDTLS_USE_PSA_CRYPTO) 796 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ 797 uint8_t psk_opaque_is_internal; 798 #else 799 unsigned char *psk; /*!< PSK from the callback */ 800 size_t psk_len; /*!< Length of PSK from callback */ 801 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 802 uint16_t selected_identity; 803 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 804 805 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 806 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ 807 #endif 808 809 #if defined(MBEDTLS_X509_CRT_PARSE_C) 810 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ 811 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 812 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ 813 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ 814 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ 815 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 816 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 817 818 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 819 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 820 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ 821 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 822 823 struct { 824 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated 825 * buffers used for message buffering. */ 826 827 uint8_t seen_ccs; /*!< Indicates if a CCS message has 828 * been seen in the current flight. */ 829 830 struct mbedtls_ssl_hs_buffer { 831 unsigned is_valid : 1; 832 unsigned is_fragmented : 1; 833 unsigned is_complete : 1; 834 unsigned char *data; 835 size_t data_len; 836 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; 837 838 struct { 839 unsigned char *data; 840 size_t len; 841 unsigned epoch; 842 } future_record; 843 844 } buffering; 845 846 #if defined(MBEDTLS_SSL_CLI_C) && \ 847 (defined(MBEDTLS_SSL_PROTO_DTLS) || \ 848 defined(MBEDTLS_SSL_PROTO_TLS1_3)) 849 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS 850 * HelloRetryRequest cookie for TLS 1.3 */ 851 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) 852 /* RFC 6347 page 15 853 ... 854 opaque cookie<0..2^8-1>; 855 ... 856 */ 857 uint8_t cookie_len; 858 #else 859 /* RFC 8446 page 39 860 ... 861 opaque cookie<0..2^16-1>; 862 ... 863 If TLS1_3 is enabled, the max length is 2^16 - 1 864 */ 865 uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length 866 * TLS1_3: HelloRetryRequest cookie length */ 867 #endif 868 #endif /* MBEDTLS_SSL_CLI_C && 869 ( MBEDTLS_SSL_PROTO_DTLS || 870 MBEDTLS_SSL_PROTO_TLS1_3 ) */ 871 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS) 872 unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */ 873 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */ 874 875 #if defined(MBEDTLS_SSL_PROTO_DTLS) 876 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ 877 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ 878 879 uint32_t retransmit_timeout; /*!< Current value of timeout */ 880 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ 881 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ 882 unsigned char *cur_msg_p; /*!< Position in current message */ 883 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the 884 flight being received */ 885 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for 886 resending messages */ 887 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter 888 for resending messages */ 889 890 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 891 /* The state of CID configuration in this handshake. */ 892 893 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension 894 * has been negotiated. Possible values are 895 * #MBEDTLS_SSL_CID_ENABLED and 896 * #MBEDTLS_SSL_CID_DISABLED. */ 897 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */ 898 uint8_t peer_cid_len; /*!< The length of 899 * \c peer_cid. */ 900 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 901 902 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ 903 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 904 905 /* 906 * Checksum contexts 907 */ 908 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 909 #if defined(MBEDTLS_USE_PSA_CRYPTO) 910 psa_hash_operation_t fin_sha256_psa; 911 #else 912 mbedtls_md_context_t fin_sha256; 913 #endif 914 #endif 915 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 916 #if defined(MBEDTLS_USE_PSA_CRYPTO) 917 psa_hash_operation_t fin_sha384_psa; 918 #else 919 mbedtls_md_context_t fin_sha384; 920 #endif 921 #endif 922 923 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 924 uint16_t offered_group_id; /* The NamedGroup value for the group 925 * that is being used for ephemeral 926 * key exchange. 927 * 928 * On the client: Defaults to the first 929 * entry in the client's group list, 930 * but can be overwritten by the HRR. */ 931 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 932 933 #if defined(MBEDTLS_SSL_CLI_C) 934 uint8_t client_auth; /*!< used to check if CertificateRequest has been 935 received from server side. If CertificateRequest 936 has been received, Certificate and CertificateVerify 937 should be sent to server */ 938 #endif /* MBEDTLS_SSL_CLI_C */ 939 /* 940 * State-local variables used during the processing 941 * of a specific handshake state. 942 */ 943 union { 944 /* Outgoing Finished message */ 945 struct { 946 uint8_t preparation_done; 947 948 /* Buffer holding digest of the handshake up to 949 * but excluding the outgoing finished message. */ 950 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 951 size_t digest_len; 952 } finished_out; 953 954 /* Incoming Finished message */ 955 struct { 956 uint8_t preparation_done; 957 958 /* Buffer holding digest of the handshake up to but 959 * excluding the peer's incoming finished message. */ 960 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 961 size_t digest_len; 962 } finished_in; 963 964 } state_local; 965 966 /* End of state-local variables. */ 967 968 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + 969 MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 970 /*!< random bytes */ 971 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 972 unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; 973 /*!< premaster secret */ 974 size_t pmslen; /*!< premaster length */ 975 #endif 976 977 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 978 uint32_t sent_extensions; /*!< extensions sent by endpoint */ 979 uint32_t received_extensions; /*!< extensions received by endpoint */ 980 981 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 982 unsigned char certificate_request_context_len; 983 unsigned char *certificate_request_context; 984 #endif 985 986 /** TLS 1.3 transform for encrypted handshake messages. */ 987 mbedtls_ssl_transform *transform_handshake; 988 union { 989 unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 990 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 991 unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 992 } tls13_master_secrets; 993 994 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; 995 #if defined(MBEDTLS_SSL_EARLY_DATA) 996 /** TLS 1.3 transform for early data and handshake messages. */ 997 mbedtls_ssl_transform *transform_earlydata; 998 #endif 999 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1000 1001 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 1002 /** Asynchronous operation context. This field is meant for use by the 1003 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, 1004 * mbedtls_ssl_config::f_async_decrypt_start, 1005 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). 1006 * The library does not use it internally. */ 1007 void *user_async_ctx; 1008 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 1009 1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1011 const unsigned char *sni_name; /*!< raw SNI */ 1012 size_t sni_name_len; /*!< raw SNI len */ 1013 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1014 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */ 1015 #endif 1016 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1017 }; 1018 1019 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; 1020 1021 /* 1022 * Representation of decryption/encryption transformations on records 1023 * 1024 * There are the following general types of record transformations: 1025 * - Stream transformations (TLS versions == 1.2 only) 1026 * Transformation adding a MAC and applying a stream-cipher 1027 * to the authenticated message. 1028 * - CBC block cipher transformations ([D]TLS versions == 1.2 only) 1029 * For TLS 1.2, no IV is generated at key extraction time, but every 1030 * encrypted record is explicitly prefixed by the IV with which it was 1031 * encrypted. 1032 * - AEAD transformations ([D]TLS versions == 1.2 only) 1033 * These come in two fundamentally different versions, the first one 1034 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second 1035 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. 1036 * In the first transformation, the IV to be used for a record is obtained 1037 * as the concatenation of an explicit, static 4-byte IV and the 8-byte 1038 * record sequence number, and explicitly prepending this sequence number 1039 * to the encrypted record. In contrast, in the second transformation 1040 * the IV is obtained by XOR'ing a static IV obtained at key extraction 1041 * time with the 8-byte record sequence number, without prepending the 1042 * latter to the encrypted record. 1043 * 1044 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext 1045 * which allows to add flexible length padding and to hide a record's true 1046 * content type. 1047 * 1048 * In addition to type and version, the following parameters are relevant: 1049 * - The symmetric cipher algorithm to be used. 1050 * - The (static) encryption/decryption keys for the cipher. 1051 * - For stream/CBC, the type of message digest to be used. 1052 * - For stream/CBC, (static) encryption/decryption keys for the digest. 1053 * - For AEAD transformations, the size (potentially 0) of an explicit, 1054 * random initialization vector placed in encrypted records. 1055 * - For some transformations (currently AEAD) an implicit IV. It is static 1056 * and (if present) is combined with the explicit IV in a transformation- 1057 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). 1058 * - For stream/CBC, a flag determining the order of encryption and MAC. 1059 * - The details of the transformation depend on the SSL/TLS version. 1060 * - The length of the authentication tag. 1061 * 1062 * The struct below refines this abstract view as follows: 1063 * - The cipher underlying the transformation is managed in 1064 * cipher contexts cipher_ctx_{enc/dec}, which must have the 1065 * same cipher type. The mode of these cipher contexts determines 1066 * the type of the transformation in the sense above: e.g., if 1067 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM 1068 * then the transformation has type CBC resp. AEAD. 1069 * - The cipher keys are never stored explicitly but 1070 * are maintained within cipher_ctx_{enc/dec}. 1071 * - For stream/CBC transformations, the message digest contexts 1072 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts 1073 * are unused for AEAD transformations. 1074 * - For stream/CBC transformations, the MAC keys are not stored explicitly 1075 * but maintained within md_ctx_{enc/dec}. 1076 * - The mac_enc and mac_dec fields are unused for EAD transformations. 1077 * - For transformations using an implicit IV maintained within 1078 * the transformation context, its contents are stored within 1079 * iv_{enc/dec}. 1080 * - The value of ivlen indicates the length of the IV. 1081 * This is redundant in case of stream/CBC transformations 1082 * which always use 0 resp. the cipher's block length as the 1083 * IV length, but is needed for AEAD ciphers and may be 1084 * different from the underlying cipher's block length 1085 * in this case. 1086 * - The field fixed_ivlen is nonzero for AEAD transformations only 1087 * and indicates the length of the static part of the IV which is 1088 * constant throughout the communication, and which is stored in 1089 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. 1090 * - tls_version denotes the 2-byte TLS version 1091 * - For stream/CBC transformations, maclen denotes the length of the 1092 * authentication tag, while taglen is unused and 0. 1093 * - For AEAD transformations, taglen denotes the length of the 1094 * authentication tag, while maclen is unused and 0. 1095 * - For CBC transformations, encrypt_then_mac determines the 1096 * order of encryption and authentication. This field is unused 1097 * in other transformations. 1098 * 1099 */ 1100 struct mbedtls_ssl_transform { 1101 /* 1102 * Session specific crypto layer 1103 */ 1104 size_t minlen; /*!< min. ciphertext length */ 1105 size_t ivlen; /*!< IV length */ 1106 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ 1107 size_t maclen; /*!< MAC(CBC) len */ 1108 size_t taglen; /*!< TAG(AEAD) len */ 1109 1110 unsigned char iv_enc[16]; /*!< IV (encryption) */ 1111 unsigned char iv_dec[16]; /*!< IV (decryption) */ 1112 1113 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1114 1115 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1116 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */ 1117 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */ 1118 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */ 1119 #else 1120 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ 1121 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ 1122 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1123 1124 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1125 int encrypt_then_mac; /*!< flag for EtM activation */ 1126 #endif 1127 1128 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 1129 1130 mbedtls_ssl_protocol_version tls_version; 1131 1132 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1133 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */ 1134 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */ 1135 psa_algorithm_t psa_alg; /*!< psa algorithm */ 1136 #else 1137 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ 1138 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ 1139 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1140 1141 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1142 uint8_t in_cid_len; 1143 uint8_t out_cid_len; 1144 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 1145 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; 1146 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1147 1148 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 1149 /* We need the Hello random bytes in order to re-derive keys from the 1150 * Master Secret and other session info, 1151 * see ssl_tls12_populate_transform() */ 1152 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + 1153 MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; 1154 /*!< ServerHello.random+ClientHello.random */ 1155 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 1156 }; 1157 1158 /* 1159 * Return 1 if the transform uses an AEAD cipher, 0 otherwise. 1160 * Equivalently, return 0 if a separate MAC is used, 1 otherwise. 1161 */ 1162 static inline int mbedtls_ssl_transform_uses_aead( 1163 const mbedtls_ssl_transform *transform) 1164 { 1165 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1166 return transform->maclen == 0 && transform->taglen != 0; 1167 #else 1168 (void) transform; 1169 return 1; 1170 #endif 1171 } 1172 1173 /* 1174 * Internal representation of record frames 1175 * 1176 * Instances come in two flavors: 1177 * (1) Encrypted 1178 * These always have data_offset = 0 1179 * (2) Unencrypted 1180 * These have data_offset set to the amount of 1181 * pre-expansion during record protection. Concretely, 1182 * this is the length of the fixed part of the explicit IV 1183 * used for encryption, or 0 if no explicit IV is used 1184 * (e.g. for stream ciphers). 1185 * 1186 * The reason for the data_offset in the unencrypted case 1187 * is to allow for in-place conversion of an unencrypted to 1188 * an encrypted record. If the offset wasn't included, the 1189 * encrypted content would need to be shifted afterwards to 1190 * make space for the fixed IV. 1191 * 1192 */ 1193 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX 1194 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX 1195 #else 1196 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX 1197 #endif 1198 1199 typedef struct { 1200 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number. 1201 * In DTLS: The 2-byte epoch followed by 1202 * the 6-byte sequence number. 1203 * This is stored as a raw big endian byte array 1204 * as opposed to a uint64_t because we rarely 1205 * need to perform arithmetic on this, but do 1206 * need it as a Byte array for the purpose of 1207 * MAC computations. */ 1208 uint8_t type; /* The record content type. */ 1209 uint8_t ver[2]; /* SSL/TLS version as present on the wire. 1210 * Convert to internal presentation of versions 1211 * using mbedtls_ssl_read_version() and 1212 * mbedtls_ssl_write_version(). 1213 * Keep wire-format for MAC computations. */ 1214 1215 unsigned char *buf; /* Memory buffer enclosing the record content */ 1216 size_t buf_len; /* Buffer length */ 1217 size_t data_offset; /* Offset of record content */ 1218 size_t data_len; /* Length of record content */ 1219 1220 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1221 uint8_t cid_len; /* Length of the CID (0 if not present) */ 1222 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */ 1223 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1224 } mbedtls_record; 1225 1226 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1227 /* 1228 * List of certificate + private key pairs 1229 */ 1230 struct mbedtls_ssl_key_cert { 1231 mbedtls_x509_crt *cert; /*!< cert */ 1232 mbedtls_pk_context *key; /*!< private key */ 1233 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ 1234 }; 1235 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1236 1237 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1238 /* 1239 * List of handshake messages kept around for resending 1240 */ 1241 struct mbedtls_ssl_flight_item { 1242 unsigned char *p; /*!< message, including handshake headers */ 1243 size_t len; /*!< length of p */ 1244 unsigned char type; /*!< type of the message: handshake or CCS */ 1245 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ 1246 }; 1247 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1248 1249 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1250 /** 1251 * \brief Given an SSL context and its associated configuration, write the TLS 1252 * 1.2 specific extensions of the ClientHello message. 1253 * 1254 * \param[in] ssl SSL context 1255 * \param[in] buf Base address of the buffer where to write the extensions 1256 * \param[in] end End address of the buffer where to write the extensions 1257 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve 1258 * (<> 0) or not ( 0 ). 1259 * \param[out] out_len Length of the data written into the buffer \p buf 1260 */ 1261 MBEDTLS_CHECK_RETURN_CRITICAL 1262 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, 1263 unsigned char *buf, 1264 const unsigned char *end, 1265 int uses_ec, 1266 size_t *out_len); 1267 #endif 1268 1269 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 1270 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1271 1272 /** 1273 * \brief Find the preferred hash for a given signature algorithm. 1274 * 1275 * \param[in] ssl SSL context 1276 * \param[in] sig_alg A signature algorithm identifier as defined in the 1277 * TLS 1.2 SignatureAlgorithm enumeration. 1278 * 1279 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm 1280 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration. 1281 */ 1282 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 1283 mbedtls_ssl_context *ssl, 1284 unsigned int sig_alg); 1285 1286 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 1287 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1288 1289 /** 1290 * \brief Free referenced items in an SSL transform context and clear 1291 * memory 1292 * 1293 * \param transform SSL transform context 1294 */ 1295 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform); 1296 1297 /** 1298 * \brief Free referenced items in an SSL handshake context and clear 1299 * memory 1300 * 1301 * \param ssl SSL context 1302 */ 1303 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl); 1304 1305 /* set inbound transform of ssl context */ 1306 void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl, 1307 mbedtls_ssl_transform *transform); 1308 1309 /* set outbound transform of ssl context */ 1310 void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl, 1311 mbedtls_ssl_transform *transform); 1312 1313 MBEDTLS_CHECK_RETURN_CRITICAL 1314 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl); 1315 MBEDTLS_CHECK_RETURN_CRITICAL 1316 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl); 1317 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl); 1318 static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl, 1319 mbedtls_ssl_states state) 1320 { 1321 ssl->state = (int) state; 1322 } 1323 1324 MBEDTLS_CHECK_RETURN_CRITICAL 1325 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); 1326 1327 MBEDTLS_CHECK_RETURN_CRITICAL 1328 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); 1329 1330 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1331 MBEDTLS_CHECK_RETURN_CRITICAL 1332 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl); 1333 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1334 1335 MBEDTLS_CHECK_RETURN_CRITICAL 1336 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl); 1337 MBEDTLS_CHECK_RETURN_CRITICAL 1338 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl); 1339 MBEDTLS_CHECK_RETURN_CRITICAL 1340 int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); 1341 1342 /** 1343 * \brief Update record layer 1344 * 1345 * This function roughly separates the implementation 1346 * of the logic of (D)TLS from the implementation 1347 * of the secure transport. 1348 * 1349 * \param ssl The SSL context to use. 1350 * \param update_hs_digest This indicates if the handshake digest 1351 * should be automatically updated in case 1352 * a handshake message is found. 1353 * 1354 * \return 0 or non-zero error code. 1355 * 1356 * \note A clarification on what is called 'record layer' here 1357 * is in order, as many sensible definitions are possible: 1358 * 1359 * The record layer takes as input an untrusted underlying 1360 * transport (stream or datagram) and transforms it into 1361 * a serially multiplexed, secure transport, which 1362 * conceptually provides the following: 1363 * 1364 * (1) Three datagram based, content-agnostic transports 1365 * for handshake, alert and CCS messages. 1366 * (2) One stream- or datagram-based transport 1367 * for application data. 1368 * (3) Functionality for changing the underlying transform 1369 * securing the contents. 1370 * 1371 * The interface to this functionality is given as follows: 1372 * 1373 * a Updating 1374 * [Currently implemented by mbedtls_ssl_read_record] 1375 * 1376 * Check if and on which of the four 'ports' data is pending: 1377 * Nothing, a controlling datagram of type (1), or application 1378 * data (2). In any case data is present, internal buffers 1379 * provide access to the data for the user to process it. 1380 * Consumption of type (1) datagrams is done automatically 1381 * on the next update, invalidating that the internal buffers 1382 * for previous datagrams, while consumption of application 1383 * data (2) is user-controlled. 1384 * 1385 * b Reading of application data 1386 * [Currently manual adaption of ssl->in_offt pointer] 1387 * 1388 * As mentioned in the last paragraph, consumption of data 1389 * is different from the automatic consumption of control 1390 * datagrams (1) because application data is treated as a stream. 1391 * 1392 * c Tracking availability of application data 1393 * [Currently manually through decreasing ssl->in_msglen] 1394 * 1395 * For efficiency and to retain datagram semantics for 1396 * application data in case of DTLS, the record layer 1397 * provides functionality for checking how much application 1398 * data is still available in the internal buffer. 1399 * 1400 * d Changing the transformation securing the communication. 1401 * 1402 * Given an opaque implementation of the record layer in the 1403 * above sense, it should be possible to implement the logic 1404 * of (D)TLS on top of it without the need to know anything 1405 * about the record layer's internals. This is done e.g. 1406 * in all the handshake handling functions, and in the 1407 * application data reading function mbedtls_ssl_read. 1408 * 1409 * \note The above tries to give a conceptual picture of the 1410 * record layer, but the current implementation deviates 1411 * from it in some places. For example, our implementation of 1412 * the update functionality through mbedtls_ssl_read_record 1413 * discards datagrams depending on the current state, which 1414 * wouldn't fall under the record layer's responsibility 1415 * following the above definition. 1416 * 1417 */ 1418 MBEDTLS_CHECK_RETURN_CRITICAL 1419 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, 1420 unsigned update_hs_digest); 1421 MBEDTLS_CHECK_RETURN_CRITICAL 1422 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want); 1423 1424 /* 1425 * Write handshake message header 1426 */ 1427 MBEDTLS_CHECK_RETURN_CRITICAL 1428 int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned hs_type, 1429 unsigned char **buf, size_t *buf_len); 1430 1431 MBEDTLS_CHECK_RETURN_CRITICAL 1432 int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, 1433 int update_checksum, 1434 int force_flush); 1435 static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl) 1436 { 1437 return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */); 1438 } 1439 1440 /* 1441 * Write handshake message tail 1442 */ 1443 MBEDTLS_CHECK_RETURN_CRITICAL 1444 int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl, 1445 size_t buf_len, size_t msg_len); 1446 1447 MBEDTLS_CHECK_RETURN_CRITICAL 1448 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush); 1449 MBEDTLS_CHECK_RETURN_CRITICAL 1450 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl); 1451 1452 MBEDTLS_CHECK_RETURN_CRITICAL 1453 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl); 1454 MBEDTLS_CHECK_RETURN_CRITICAL 1455 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl); 1456 1457 MBEDTLS_CHECK_RETURN_CRITICAL 1458 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl); 1459 MBEDTLS_CHECK_RETURN_CRITICAL 1460 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl); 1461 1462 MBEDTLS_CHECK_RETURN_CRITICAL 1463 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl); 1464 MBEDTLS_CHECK_RETURN_CRITICAL 1465 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl); 1466 1467 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 1468 const mbedtls_ssl_ciphersuite_t *ciphersuite_info); 1469 1470 /* 1471 * Update checksum of handshake messages. 1472 */ 1473 MBEDTLS_CHECK_RETURN_CRITICAL 1474 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 1475 unsigned hs_type, 1476 unsigned char const *msg, 1477 size_t msg_len); 1478 1479 MBEDTLS_CHECK_RETURN_CRITICAL 1480 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 1481 unsigned hs_type, 1482 size_t total_hs_len); 1483 1484 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 1485 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 1486 MBEDTLS_CHECK_RETURN_CRITICAL 1487 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, 1488 mbedtls_key_exchange_type_t key_ex); 1489 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 1490 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 1491 1492 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 1493 #if defined(MBEDTLS_SSL_CLI_C) 1494 MBEDTLS_CHECK_RETURN_CRITICAL 1495 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf); 1496 #endif 1497 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1498 /** 1499 * Get the first defined opaque PSK by order of precedence: 1500 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK 1501 * callback 1502 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() 1503 * Return an opaque PSK 1504 */ 1505 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( 1506 const mbedtls_ssl_context *ssl) 1507 { 1508 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 1509 return ssl->handshake->psk_opaque; 1510 } 1511 1512 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) { 1513 return ssl->conf->psk_opaque; 1514 } 1515 1516 return MBEDTLS_SVC_KEY_ID_INIT; 1517 } 1518 #else 1519 /** 1520 * Get the first defined PSK by order of precedence: 1521 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback 1522 * 2. static PSK configured by \c mbedtls_ssl_conf_psk() 1523 * Return a code and update the pair (PSK, PSK length) passed to this function 1524 */ 1525 static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl, 1526 const unsigned char **psk, size_t *psk_len) 1527 { 1528 if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) { 1529 *psk = ssl->handshake->psk; 1530 *psk_len = ssl->handshake->psk_len; 1531 } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) { 1532 *psk = ssl->conf->psk; 1533 *psk_len = ssl->conf->psk_len; 1534 } else { 1535 *psk = NULL; 1536 *psk_len = 0; 1537 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 1538 } 1539 1540 return 0; 1541 } 1542 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1543 1544 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 1545 1546 #if defined(MBEDTLS_PK_C) 1547 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); 1548 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); 1549 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); 1550 #endif 1551 1552 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); 1553 unsigned char mbedtls_ssl_hash_from_md_alg(int md); 1554 1555 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1556 MBEDTLS_CHECK_RETURN_CRITICAL 1557 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md); 1558 #endif 1559 1560 MBEDTLS_CHECK_RETURN_CRITICAL 1561 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id); 1562 #if defined(MBEDTLS_ECP_C) 1563 MBEDTLS_CHECK_RETURN_CRITICAL 1564 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id); 1565 #endif 1566 1567 /** 1568 * \brief Return PSA EC info for the specified TLS ID. 1569 * 1570 * \param tls_id The TLS ID to look for 1571 * \param family If the TLD ID is supported, then proper \c psa_ecc_family_t 1572 * value is returned here. Can be NULL. 1573 * \param bits If the TLD ID is supported, then proper bit size is returned 1574 * here. Can be NULL. 1575 * \return PSA_SUCCESS if the TLS ID is supported, 1576 * PSA_ERROR_NOT_SUPPORTED otherwise 1577 * 1578 * \note If either \c family or \c bits parameters are NULL, then 1579 * the corresponding value is not returned. 1580 * The function can be called with both parameters as NULL 1581 * simply to check if a specific TLS ID is supported. 1582 */ 1583 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 1584 psa_ecc_family_t *family, 1585 size_t *bits); 1586 1587 /** 1588 * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID. 1589 * 1590 * \param tls_id The TLS ID to look for 1591 * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported, 1592 * or MBEDTLS_ECP_DP_NONE otherwise 1593 */ 1594 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id); 1595 1596 /** 1597 * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id. 1598 * 1599 * \param grp_id The \c mbedtls_ecp_group_id ID to look for 1600 * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported, 1601 * or 0 otherwise 1602 */ 1603 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id); 1604 1605 #if defined(MBEDTLS_DEBUG_C) 1606 /** 1607 * \brief Return EC's name for the specified TLS ID. 1608 * 1609 * \param tls_id The TLS ID to look for 1610 * \return A pointer to a const string with the proper name. If TLS 1611 * ID is not supported, a NULL pointer is returned instead. 1612 */ 1613 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id); 1614 #endif 1615 1616 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1617 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value 1618 (const uint16_t srtp_profile_value) 1619 { 1620 switch (srtp_profile_value) { 1621 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: 1622 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: 1623 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: 1624 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: 1625 return srtp_profile_value; 1626 default: break; 1627 } 1628 return MBEDTLS_TLS_SRTP_UNSET; 1629 } 1630 #endif 1631 1632 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1633 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl) 1634 { 1635 mbedtls_ssl_key_cert *key_cert; 1636 1637 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1638 key_cert = ssl->handshake->key_cert; 1639 } else { 1640 key_cert = ssl->conf->key_cert; 1641 } 1642 1643 return key_cert == NULL ? NULL : key_cert->key; 1644 } 1645 1646 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) 1647 { 1648 mbedtls_ssl_key_cert *key_cert; 1649 1650 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1651 key_cert = ssl->handshake->key_cert; 1652 } else { 1653 key_cert = ssl->conf->key_cert; 1654 } 1655 1656 return key_cert == NULL ? NULL : key_cert->cert; 1657 } 1658 1659 /* 1660 * Check usage of a certificate wrt extensions: 1661 * keyUsage, extendedKeyUsage (later), and nSCertType (later). 1662 * 1663 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we 1664 * check a cert we received from them)! 1665 * 1666 * Return 0 if everything is OK, -1 if not. 1667 */ 1668 MBEDTLS_CHECK_RETURN_CRITICAL 1669 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 1670 const mbedtls_ssl_ciphersuite_t *ciphersuite, 1671 int cert_endpoint, 1672 uint32_t *flags); 1673 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1674 1675 void mbedtls_ssl_write_version(unsigned char version[2], int transport, 1676 mbedtls_ssl_protocol_version tls_version); 1677 uint16_t mbedtls_ssl_read_version(const unsigned char version[2], 1678 int transport); 1679 1680 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl) 1681 { 1682 #if !defined(MBEDTLS_SSL_PROTO_DTLS) 1683 ((void) ssl); 1684 #endif 1685 1686 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1687 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1688 return 13; 1689 } else 1690 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1691 { 1692 return 5; 1693 } 1694 } 1695 1696 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl) 1697 { 1698 return (size_t) (ssl->out_iv - ssl->out_hdr); 1699 } 1700 1701 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl) 1702 { 1703 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1704 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1705 return 12; 1706 } 1707 #else 1708 ((void) ssl); 1709 #endif 1710 return 4; 1711 } 1712 1713 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1714 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); 1715 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl); 1716 MBEDTLS_CHECK_RETURN_CRITICAL 1717 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl); 1718 MBEDTLS_CHECK_RETURN_CRITICAL 1719 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl); 1720 #endif 1721 1722 /* Visible for testing purposes only */ 1723 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1724 MBEDTLS_CHECK_RETURN_CRITICAL 1725 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl); 1726 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl); 1727 #endif 1728 1729 MBEDTLS_CHECK_RETURN_CRITICAL 1730 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 1731 const mbedtls_ssl_session *src); 1732 1733 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1734 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ 1735 MBEDTLS_CHECK_RETURN_CRITICAL 1736 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 1737 unsigned char *hash, size_t *hashlen, 1738 unsigned char *data, size_t data_len, 1739 mbedtls_md_type_t md_alg); 1740 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1741 1742 #ifdef __cplusplus 1743 } 1744 #endif 1745 1746 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform); 1747 MBEDTLS_CHECK_RETURN_CRITICAL 1748 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, 1749 mbedtls_ssl_transform *transform, 1750 mbedtls_record *rec, 1751 int (*f_rng)(void *, unsigned char *, size_t), 1752 void *p_rng); 1753 MBEDTLS_CHECK_RETURN_CRITICAL 1754 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, 1755 mbedtls_ssl_transform *transform, 1756 mbedtls_record *rec); 1757 1758 /* Length of the "epoch" field in the record header */ 1759 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl) 1760 { 1761 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1762 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1763 return 2; 1764 } 1765 #else 1766 ((void) ssl); 1767 #endif 1768 return 0; 1769 } 1770 1771 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1772 MBEDTLS_CHECK_RETURN_CRITICAL 1773 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl); 1774 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1775 1776 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); 1777 MBEDTLS_CHECK_RETURN_CRITICAL 1778 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); 1779 1780 void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl); 1781 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, 1782 mbedtls_ssl_transform *transform); 1783 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); 1784 1785 MBEDTLS_CHECK_RETURN_CRITICAL 1786 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); 1787 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1788 int partial); 1789 1790 /* 1791 * Send pending alert 1792 */ 1793 MBEDTLS_CHECK_RETURN_CRITICAL 1794 int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl); 1795 1796 /* 1797 * Set pending fatal alert flag. 1798 */ 1799 void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl, 1800 unsigned char alert_type, 1801 int alert_reason); 1802 1803 /* Alias of mbedtls_ssl_pend_fatal_alert */ 1804 #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \ 1805 mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value) 1806 1807 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1808 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl); 1809 #endif 1810 1811 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl); 1812 1813 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1814 MBEDTLS_CHECK_RETURN_CRITICAL 1815 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl); 1816 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1817 1818 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1819 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl); 1820 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl); 1821 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight); 1822 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1823 1824 /** 1825 * ssl utils functions for checking configuration. 1826 */ 1827 1828 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1829 static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf) 1830 { 1831 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1832 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1833 } 1834 1835 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1836 1837 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1838 static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf) 1839 { 1840 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1841 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2; 1842 } 1843 1844 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1845 1846 static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf) 1847 { 1848 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1849 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && 1850 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3; 1851 #else 1852 ((void) conf); 1853 return 0; 1854 #endif 1855 } 1856 1857 static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf) 1858 { 1859 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1860 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 && 1861 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2; 1862 #else 1863 ((void) conf); 1864 return 0; 1865 #endif 1866 } 1867 1868 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1869 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf) 1870 { 1871 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1872 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1873 } 1874 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */ 1875 1876 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1877 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ 1878 MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 1879 MBEDTLS_CHECK_RETURN_CRITICAL 1880 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl); 1881 MBEDTLS_CHECK_RETURN_CRITICAL 1882 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl); 1883 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl); 1884 1885 /** 1886 * \brief Given an SSL context and its associated configuration, write the TLS 1887 * 1.3 specific extensions of the ClientHello message. 1888 * 1889 * \param[in] ssl SSL context 1890 * \param[in] buf Base address of the buffer where to write the extensions 1891 * \param[in] end End address of the buffer where to write the extensions 1892 * \param[out] out_len Length of the data written into the buffer \p buf 1893 */ 1894 MBEDTLS_CHECK_RETURN_CRITICAL 1895 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, 1896 unsigned char *buf, 1897 unsigned char *end, 1898 size_t *out_len); 1899 1900 /** 1901 * \brief TLS 1.3 client side state machine entry 1902 * 1903 * \param ssl SSL context 1904 */ 1905 MBEDTLS_CHECK_RETURN_CRITICAL 1906 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl); 1907 1908 /** 1909 * \brief TLS 1.3 server side state machine entry 1910 * 1911 * \param ssl SSL context 1912 */ 1913 MBEDTLS_CHECK_RETURN_CRITICAL 1914 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl); 1915 1916 1917 /* 1918 * Helper functions around key exchange modes. 1919 */ 1920 static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl, 1921 int kex_mode_mask) 1922 { 1923 return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0; 1924 } 1925 1926 static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl) 1927 { 1928 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1929 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 1930 } 1931 1932 static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl) 1933 { 1934 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1935 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 1936 } 1937 1938 static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl) 1939 { 1940 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1941 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 1942 } 1943 1944 static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl) 1945 { 1946 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1947 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 1948 } 1949 1950 static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl) 1951 { 1952 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1953 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 1954 } 1955 1956 #if defined(MBEDTLS_SSL_SRV_C) && \ 1957 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 1958 /** 1959 * Given a list of key exchange modes, check if at least one of them is 1960 * supported. 1961 * 1962 * \param[in] ssl SSL context 1963 * \param kex_modes_mask Mask of the key exchange modes to check 1964 * 1965 * \return 0 if at least one of the key exchange modes is supported, 1966 * !=0 otherwise. 1967 */ 1968 static inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl, 1969 int kex_modes_mask) 1970 { 1971 return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0; 1972 } 1973 1974 static inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl) 1975 { 1976 return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1977 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 1978 } 1979 1980 static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled( 1981 mbedtls_ssl_context *ssl) 1982 { 1983 return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1984 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 1985 } 1986 1987 static inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl) 1988 { 1989 return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1990 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 1991 } 1992 1993 static inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl) 1994 { 1995 return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1996 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 1997 } 1998 1999 static inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl) 2000 { 2001 return !mbedtls_ssl_tls13_check_kex_modes(ssl, 2002 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2003 } 2004 #endif /* MBEDTLS_SSL_SRV_C && 2005 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2006 2007 /* 2008 * Helper functions for extensions checking. 2009 */ 2010 2011 MBEDTLS_CHECK_RETURN_CRITICAL 2012 int mbedtls_ssl_tls13_check_received_extension( 2013 mbedtls_ssl_context *ssl, 2014 int hs_msg_type, 2015 unsigned int received_extension_type, 2016 uint32_t hs_msg_allowed_extensions_mask); 2017 2018 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( 2019 mbedtls_ssl_context *ssl, unsigned int extension_type) 2020 { 2021 ssl->handshake->sent_extensions |= 2022 mbedtls_ssl_get_extension_mask(extension_type); 2023 } 2024 2025 /* 2026 * Helper functions to check the selected key exchange mode. 2027 */ 2028 static inline int mbedtls_ssl_tls13_key_exchange_mode_check( 2029 mbedtls_ssl_context *ssl, int kex_mask) 2030 { 2031 return (ssl->handshake->key_exchange_mode & kex_mask) != 0; 2032 } 2033 2034 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk( 2035 mbedtls_ssl_context *ssl) 2036 { 2037 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2038 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2039 } 2040 2041 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( 2042 mbedtls_ssl_context *ssl) 2043 { 2044 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2045 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2046 } 2047 2048 /* 2049 * Fetch TLS 1.3 handshake message header 2050 */ 2051 MBEDTLS_CHECK_RETURN_CRITICAL 2052 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl, 2053 unsigned hs_type, 2054 unsigned char **buf, 2055 size_t *buf_len); 2056 2057 /* 2058 * Handler of TLS 1.3 server certificate message 2059 */ 2060 MBEDTLS_CHECK_RETURN_CRITICAL 2061 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl); 2062 2063 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2064 /* 2065 * Handler of TLS 1.3 write Certificate message 2066 */ 2067 MBEDTLS_CHECK_RETURN_CRITICAL 2068 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl); 2069 2070 /* 2071 * Handler of TLS 1.3 write Certificate Verify message 2072 */ 2073 MBEDTLS_CHECK_RETURN_CRITICAL 2074 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl); 2075 2076 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2077 2078 /* 2079 * Generic handler of Certificate Verify 2080 */ 2081 MBEDTLS_CHECK_RETURN_CRITICAL 2082 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl); 2083 2084 /* 2085 * Write of dummy-CCS's for middlebox compatibility 2086 */ 2087 MBEDTLS_CHECK_RETURN_CRITICAL 2088 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl); 2089 2090 MBEDTLS_CHECK_RETURN_CRITICAL 2091 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl); 2092 2093 #if defined(MBEDTLS_ECDH_C) 2094 MBEDTLS_CHECK_RETURN_CRITICAL 2095 int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( 2096 mbedtls_ssl_context *ssl, 2097 uint16_t named_group, 2098 unsigned char *buf, 2099 unsigned char *end, 2100 size_t *out_len); 2101 #endif /* MBEDTLS_ECDH_C */ 2102 2103 #if defined(MBEDTLS_SSL_EARLY_DATA) 2104 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, 2105 unsigned char *buf, 2106 const unsigned char *end, 2107 size_t *out_len); 2108 #endif /* MBEDTLS_SSL_EARLY_DATA */ 2109 2110 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2111 2112 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2113 /* 2114 * Write Signature Algorithm extension 2115 */ 2116 MBEDTLS_CHECK_RETURN_CRITICAL 2117 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 2118 const unsigned char *end, size_t *out_len); 2119 /* 2120 * Parse TLS Signature Algorithm extension 2121 */ 2122 MBEDTLS_CHECK_RETURN_CRITICAL 2123 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 2124 const unsigned char *buf, 2125 const unsigned char *end); 2126 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2127 2128 /* Get handshake transcript */ 2129 MBEDTLS_CHECK_RETURN_CRITICAL 2130 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 2131 const mbedtls_md_type_t md, 2132 unsigned char *dst, 2133 size_t dst_len, 2134 size_t *olen); 2135 2136 /* 2137 * Return supported groups. 2138 * 2139 * In future, invocations can be changed to ssl->conf->group_list 2140 * when mbedtls_ssl_conf_curves() is deleted. 2141 * 2142 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group 2143 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to 2144 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked. 2145 * 2146 */ 2147 static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl) 2148 { 2149 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C) 2150 return ssl->conf->group_list; 2151 #else 2152 if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) { 2153 return ssl->handshake->group_list; 2154 } else { 2155 return ssl->conf->group_list; 2156 } 2157 #endif 2158 } 2159 2160 /* 2161 * Helper functions for NamedGroup. 2162 */ 2163 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) 2164 { 2165 /* 2166 * RFC 8422 section 5.1.1 2167 */ 2168 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2169 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 || 2170 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 || 2171 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 || 2172 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 || 2173 /* Below deprecated curves should be removed with notice to users */ 2174 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || 2175 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || 2176 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 || 2177 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 || 2178 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || 2179 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2180 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2181 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1; 2182 } 2183 2184 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group) 2185 { 2186 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2187 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2188 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2189 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 || 2190 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448; 2191 } 2192 2193 static inline int mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group) 2194 { 2195 return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 && 2196 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192; 2197 } 2198 2199 static inline int mbedtls_ssl_named_group_is_offered( 2200 const mbedtls_ssl_context *ssl, uint16_t named_group) 2201 { 2202 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 2203 2204 if (group_list == NULL) { 2205 return 0; 2206 } 2207 2208 for (; *group_list != 0; group_list++) { 2209 if (*group_list == named_group) { 2210 return 1; 2211 } 2212 } 2213 2214 return 0; 2215 } 2216 2217 static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group) 2218 { 2219 #if defined(MBEDTLS_ECDH_C) 2220 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) { 2221 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) != 2222 MBEDTLS_ECP_DP_NONE) { 2223 return 1; 2224 } 2225 } 2226 #else 2227 ((void) named_group); 2228 #endif /* MBEDTLS_ECDH_C */ 2229 return 0; 2230 } 2231 2232 /* 2233 * Return supported signature algorithms. 2234 * 2235 * In future, invocations can be changed to ssl->conf->sig_algs when 2236 * mbedtls_ssl_conf_sig_hashes() is deleted. 2237 * 2238 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS 2239 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been 2240 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has 2241 * been more recently invoked. 2242 * 2243 */ 2244 static inline const void *mbedtls_ssl_get_sig_algs( 2245 const mbedtls_ssl_context *ssl) 2246 { 2247 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2248 2249 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2250 if (ssl->handshake != NULL && 2251 ssl->handshake->sig_algs_heap_allocated == 1 && 2252 ssl->handshake->sig_algs != NULL) { 2253 return ssl->handshake->sig_algs; 2254 } 2255 #endif 2256 return ssl->conf->sig_algs; 2257 2258 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2259 2260 ((void) ssl); 2261 return NULL; 2262 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2263 } 2264 2265 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2266 static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl, 2267 uint16_t own_sig_alg) 2268 { 2269 const uint16_t *sig_alg = ssl->handshake->received_sig_algs; 2270 if (sig_alg == NULL) { 2271 return 0; 2272 } 2273 2274 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2275 if (*sig_alg == own_sig_alg) { 2276 return 1; 2277 } 2278 } 2279 return 0; 2280 } 2281 2282 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2283 const uint16_t sig_alg) 2284 { 2285 switch (sig_alg) { 2286 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 2287 #if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 2288 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: 2289 break; 2290 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 2291 #if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 2292 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: 2293 break; 2294 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 2295 #if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 2296 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: 2297 break; 2298 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 2299 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ 2300 2301 #if defined(MBEDTLS_PKCS1_V21) 2302 #if defined(PSA_WANT_ALG_SHA_256) 2303 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2304 break; 2305 #endif /* PSA_WANT_ALG_SHA_256 */ 2306 #if defined(PSA_WANT_ALG_SHA_384) 2307 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2308 break; 2309 #endif /* PSA_WANT_ALG_SHA_384 */ 2310 #if defined(PSA_WANT_ALG_SHA_512) 2311 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2312 break; 2313 #endif /* PSA_WANT_ALG_SHA_512 */ 2314 #endif /* MBEDTLS_PKCS1_V21 */ 2315 default: 2316 return 0; 2317 } 2318 return 1; 2319 2320 } 2321 2322 static inline int mbedtls_ssl_tls13_sig_alg_is_supported( 2323 const uint16_t sig_alg) 2324 { 2325 switch (sig_alg) { 2326 #if defined(MBEDTLS_PKCS1_V15) 2327 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2328 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: 2329 break; 2330 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2331 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2332 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: 2333 break; 2334 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2335 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2336 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: 2337 break; 2338 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2339 #endif /* MBEDTLS_PKCS1_V15 */ 2340 default: 2341 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2342 sig_alg); 2343 } 2344 return 1; 2345 } 2346 2347 MBEDTLS_CHECK_RETURN_CRITICAL 2348 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg, 2349 mbedtls_pk_context *key); 2350 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2351 2352 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2353 static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, 2354 uint16_t proposed_sig_alg) 2355 { 2356 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 2357 if (sig_alg == NULL) { 2358 return 0; 2359 } 2360 2361 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2362 if (*sig_alg == proposed_sig_alg) { 2363 return 1; 2364 } 2365 } 2366 return 0; 2367 } 2368 2369 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 2370 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) 2371 { 2372 *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); 2373 *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); 2374 2375 if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { 2376 return 0; 2377 } 2378 2379 switch (sig_alg) { 2380 #if defined(MBEDTLS_PKCS1_V21) 2381 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2382 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2383 *md_alg = MBEDTLS_MD_SHA256; 2384 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2385 break; 2386 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2387 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2388 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2389 *md_alg = MBEDTLS_MD_SHA384; 2390 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2391 break; 2392 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2393 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2394 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2395 *md_alg = MBEDTLS_MD_SHA512; 2396 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2397 break; 2398 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2399 #endif /* MBEDTLS_PKCS1_V21 */ 2400 default: 2401 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2402 } 2403 return 0; 2404 } 2405 2406 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2407 static inline int mbedtls_ssl_tls12_sig_alg_is_supported( 2408 const uint16_t sig_alg) 2409 { 2410 /* High byte is hash */ 2411 unsigned char hash = MBEDTLS_BYTE_1(sig_alg); 2412 unsigned char sig = MBEDTLS_BYTE_0(sig_alg); 2413 2414 switch (hash) { 2415 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2416 case MBEDTLS_SSL_HASH_MD5: 2417 break; 2418 #endif 2419 2420 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2421 case MBEDTLS_SSL_HASH_SHA1: 2422 break; 2423 #endif 2424 2425 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2426 case MBEDTLS_SSL_HASH_SHA224: 2427 break; 2428 #endif 2429 2430 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2431 case MBEDTLS_SSL_HASH_SHA256: 2432 break; 2433 #endif 2434 2435 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2436 case MBEDTLS_SSL_HASH_SHA384: 2437 break; 2438 #endif 2439 2440 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2441 case MBEDTLS_SSL_HASH_SHA512: 2442 break; 2443 #endif 2444 2445 default: 2446 return 0; 2447 } 2448 2449 switch (sig) { 2450 #if defined(MBEDTLS_RSA_C) 2451 case MBEDTLS_SSL_SIG_RSA: 2452 break; 2453 #endif 2454 2455 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 2456 case MBEDTLS_SSL_SIG_ECDSA: 2457 break; 2458 #endif 2459 2460 default: 2461 return 0; 2462 } 2463 2464 return 1; 2465 } 2466 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2467 2468 static inline int mbedtls_ssl_sig_alg_is_supported( 2469 const mbedtls_ssl_context *ssl, 2470 const uint16_t sig_alg) 2471 { 2472 2473 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2474 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2475 return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg); 2476 } 2477 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2478 2479 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2480 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2481 return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg); 2482 } 2483 #endif 2484 ((void) ssl); 2485 ((void) sig_alg); 2486 return 0; 2487 } 2488 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2489 2490 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2491 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. 2492 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is 2493 * guaranteed to not be a valid PSA algorithm identifier. 2494 */ 2495 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000 2496 2497 /** 2498 * \brief Translate mbedtls cipher type/taglen pair to psa: 2499 * algorithm, key type and key size. 2500 * 2501 * \param mbedtls_cipher_type [in] given mbedtls cipher type 2502 * \param taglen [in] given tag length 2503 * 0 - default tag length 2504 * \param alg [out] corresponding PSA alg 2505 * There is no corresponding PSA 2506 * alg for MBEDTLS_CIPHER_NULL, so 2507 * in this case MBEDTLS_SSL_NULL_CIPHER 2508 * is returned via this parameter 2509 * \param key_type [out] corresponding PSA key type 2510 * \param key_size [out] corresponding PSA key size 2511 * 2512 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if 2513 * conversion is not supported. 2514 */ 2515 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2516 size_t taglen, 2517 psa_algorithm_t *alg, 2518 psa_key_type_t *key_type, 2519 size_t *key_size); 2520 2521 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2522 /** 2523 * \brief Convert given PSA status to mbedtls error code. 2524 * 2525 * \param status [in] given PSA status 2526 * 2527 * \return corresponding mbedtls error code 2528 */ 2529 static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status) 2530 { 2531 switch (status) { 2532 case PSA_SUCCESS: 2533 return 0; 2534 case PSA_ERROR_INSUFFICIENT_MEMORY: 2535 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2536 case PSA_ERROR_NOT_SUPPORTED: 2537 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2538 case PSA_ERROR_INVALID_SIGNATURE: 2539 return MBEDTLS_ERR_SSL_INVALID_MAC; 2540 case PSA_ERROR_INVALID_ARGUMENT: 2541 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2542 case PSA_ERROR_BAD_STATE: 2543 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2544 case PSA_ERROR_BUFFER_TOO_SMALL: 2545 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 2546 default: 2547 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 2548 } 2549 } 2550 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2551 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2552 2553 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 2554 defined(MBEDTLS_USE_PSA_CRYPTO) 2555 2556 typedef enum { 2557 MBEDTLS_ECJPAKE_ROUND_ONE, 2558 MBEDTLS_ECJPAKE_ROUND_TWO 2559 } mbedtls_ecjpake_rounds_t; 2560 2561 /** 2562 * \brief Parse the provided input buffer for getting the first round 2563 * of key exchange. This code is common between server and client 2564 * 2565 * \param pake_ctx [in] the PAKE's operation/context structure 2566 * \param buf [in] input buffer to parse 2567 * \param len [in] length of the input buffer 2568 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2569 * MBEDTLS_ECJPAKE_ROUND_TWO 2570 * 2571 * \return 0 on success or a negative error code in case of failure 2572 */ 2573 int mbedtls_psa_ecjpake_read_round( 2574 psa_pake_operation_t *pake_ctx, 2575 const unsigned char *buf, 2576 size_t len, mbedtls_ecjpake_rounds_t round); 2577 2578 /** 2579 * \brief Write the first round of key exchange into the provided output 2580 * buffer. This code is common between server and client 2581 * 2582 * \param pake_ctx [in] the PAKE's operation/context structure 2583 * \param buf [out] the output buffer in which data will be written to 2584 * \param len [in] length of the output buffer 2585 * \param olen [out] the length of the data really written on the buffer 2586 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2587 * MBEDTLS_ECJPAKE_ROUND_TWO 2588 * 2589 * \return 0 on success or a negative error code in case of failure 2590 */ 2591 int mbedtls_psa_ecjpake_write_round( 2592 psa_pake_operation_t *pake_ctx, 2593 unsigned char *buf, 2594 size_t len, size_t *olen, 2595 mbedtls_ecjpake_rounds_t round); 2596 2597 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 2598 2599 /** 2600 * \brief TLS record protection modes 2601 */ 2602 typedef enum { 2603 MBEDTLS_SSL_MODE_STREAM = 0, 2604 MBEDTLS_SSL_MODE_CBC, 2605 MBEDTLS_SSL_MODE_CBC_ETM, 2606 MBEDTLS_SSL_MODE_AEAD 2607 } mbedtls_ssl_mode_t; 2608 2609 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2610 const mbedtls_ssl_transform *transform); 2611 2612 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2613 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2614 int encrypt_then_mac, 2615 const mbedtls_ssl_ciphersuite_t *suite); 2616 #else 2617 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2618 const mbedtls_ssl_ciphersuite_t *suite); 2619 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2620 2621 #if defined(MBEDTLS_ECDH_C) 2622 2623 MBEDTLS_CHECK_RETURN_CRITICAL 2624 int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl, 2625 const unsigned char *buf, 2626 size_t buf_len); 2627 2628 #endif /* MBEDTLS_ECDH_C */ 2629 2630 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered( 2631 mbedtls_ssl_context *ssl, int cipher_suite) 2632 { 2633 const int *ciphersuite_list = ssl->conf->ciphersuite_list; 2634 2635 /* Check whether we have offered this ciphersuite */ 2636 for (size_t i = 0; ciphersuite_list[i] != 0; i++) { 2637 if (ciphersuite_list[i] == cipher_suite) { 2638 return 1; 2639 } 2640 } 2641 return 0; 2642 } 2643 2644 /** 2645 * \brief Validate cipher suite against config in SSL context. 2646 * 2647 * \param ssl SSL context 2648 * \param suite_info Cipher suite to validate 2649 * \param min_tls_version Minimal TLS version to accept a cipher suite 2650 * \param max_tls_version Maximal TLS version to accept a cipher suite 2651 * 2652 * \return 0 if valid, negative value otherwise. 2653 */ 2654 MBEDTLS_CHECK_RETURN_CRITICAL 2655 int mbedtls_ssl_validate_ciphersuite( 2656 const mbedtls_ssl_context *ssl, 2657 const mbedtls_ssl_ciphersuite_t *suite_info, 2658 mbedtls_ssl_protocol_version min_tls_version, 2659 mbedtls_ssl_protocol_version max_tls_version); 2660 2661 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2662 MBEDTLS_CHECK_RETURN_CRITICAL 2663 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 2664 const unsigned char *buf, 2665 const unsigned char *end); 2666 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2667 2668 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 2669 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2) 2670 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) 2671 2672 MBEDTLS_CHECK_RETURN_CRITICAL 2673 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl, 2674 const unsigned char *buf, 2675 const unsigned char *end); 2676 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 2677 2678 #if defined(MBEDTLS_SSL_ALPN) 2679 MBEDTLS_CHECK_RETURN_CRITICAL 2680 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 2681 const unsigned char *buf, 2682 const unsigned char *end); 2683 2684 2685 MBEDTLS_CHECK_RETURN_CRITICAL 2686 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 2687 unsigned char *buf, 2688 unsigned char *end, 2689 size_t *out_len); 2690 #endif /* MBEDTLS_SSL_ALPN */ 2691 2692 #if defined(MBEDTLS_TEST_HOOKS) 2693 int mbedtls_ssl_check_dtls_clihlo_cookie( 2694 mbedtls_ssl_context *ssl, 2695 const unsigned char *cli_id, size_t cli_id_len, 2696 const unsigned char *in, size_t in_len, 2697 unsigned char *obuf, size_t buf_len, size_t *olen); 2698 #endif 2699 2700 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2701 /** 2702 * \brief Given an SSL context and its associated configuration, write the TLS 2703 * 1.3 specific Pre-Shared key extension. 2704 * 2705 * \param[in] ssl SSL context 2706 * \param[in] buf Base address of the buffer where to write the extension 2707 * \param[in] end End address of the buffer where to write the extension 2708 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data 2709 * written into the buffer \p buf by this function plus 2710 * the length of the binders to be written. 2711 * \param[out] binders_len Length of the binders to be written at the end of 2712 * the extension. 2713 */ 2714 MBEDTLS_CHECK_RETURN_CRITICAL 2715 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( 2716 mbedtls_ssl_context *ssl, 2717 unsigned char *buf, unsigned char *end, 2718 size_t *out_len, size_t *binders_len); 2719 2720 /** 2721 * \brief Given an SSL context and its associated configuration, write the TLS 2722 * 1.3 specific Pre-Shared key extension binders at the end of the 2723 * ClientHello. 2724 * 2725 * \param[in] ssl SSL context 2726 * \param[in] buf Base address of the buffer where to write the binders 2727 * \param[in] end End address of the buffer where to write the binders 2728 */ 2729 MBEDTLS_CHECK_RETURN_CRITICAL 2730 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( 2731 mbedtls_ssl_context *ssl, 2732 unsigned char *buf, unsigned char *end); 2733 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2734 2735 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 2736 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 2737 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 2738 defined(MBEDTLS_SSL_CLI_C) 2739 MBEDTLS_CHECK_RETURN_CRITICAL 2740 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 2741 const char *hostname); 2742 #endif 2743 2744 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 2745 static inline unsigned int mbedtls_ssl_session_get_ticket_flags( 2746 mbedtls_ssl_session *session, unsigned int flags) 2747 { 2748 return session->ticket_flags & 2749 (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2750 } 2751 2752 static inline void mbedtls_ssl_session_set_ticket_flags( 2753 mbedtls_ssl_session *session, unsigned int flags) 2754 { 2755 session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2756 } 2757 2758 static inline void mbedtls_ssl_session_clear_ticket_flags( 2759 mbedtls_ssl_session *session, unsigned int flags) 2760 { 2761 session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2762 } 2763 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 2764 2765 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 2766 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl); 2767 #endif 2768 2769 #endif /* ssl_misc.h */ 2770