1 /** 2 * \file ssl_misc.h 3 * 4 * \brief Internal functions shared by the SSL modules 5 */ 6 /* 7 * Copyright The Mbed TLS Contributors 8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 9 */ 10 #ifndef MBEDTLS_SSL_MISC_H 11 #define MBEDTLS_SSL_MISC_H 12 13 #include "mbedtls/build_info.h" 14 #include "common.h" 15 16 #include "mbedtls/error.h" 17 18 #include "mbedtls/ssl.h" 19 #include "mbedtls/cipher.h" 20 21 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 22 #include "psa/crypto.h" 23 #include "psa_util_internal.h" 24 #endif 25 26 #if defined(MBEDTLS_MD_CAN_MD5) 27 #include "mbedtls/md5.h" 28 #endif 29 30 #if defined(MBEDTLS_MD_CAN_SHA1) 31 #include "mbedtls/sha1.h" 32 #endif 33 34 #if defined(MBEDTLS_MD_CAN_SHA256) 35 #include "mbedtls/sha256.h" 36 #endif 37 38 #if defined(MBEDTLS_MD_CAN_SHA512) 39 #include "mbedtls/sha512.h" 40 #endif 41 42 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 43 !defined(MBEDTLS_USE_PSA_CRYPTO) 44 #include "mbedtls/ecjpake.h" 45 #endif 46 47 #include "mbedtls/pk.h" 48 #include "ssl_ciphersuites_internal.h" 49 #include "x509_internal.h" 50 #include "pk_internal.h" 51 52 53 /* Shorthand for restartable ECC */ 54 #if defined(MBEDTLS_ECP_RESTARTABLE) && \ 55 defined(MBEDTLS_SSL_CLI_C) && \ 56 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 57 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 58 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED 59 #endif 60 61 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 62 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ 63 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ 64 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ 65 66 /* Faked handshake message identity for HelloRetryRequest. */ 67 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO) 68 69 /* 70 * Internal identity of handshake extensions 71 */ 72 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 73 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 74 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1 75 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2 76 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3 77 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4 78 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4 79 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5 80 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6 81 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7 82 #define MBEDTLS_SSL_EXT_ID_ALPN 8 83 #define MBEDTLS_SSL_EXT_ID_SCT 9 84 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10 85 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11 86 #define MBEDTLS_SSL_EXT_ID_PADDING 12 87 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13 88 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14 89 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15 90 #define MBEDTLS_SSL_EXT_ID_COOKIE 16 91 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17 92 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18 93 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19 94 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20 95 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21 96 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22 97 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23 98 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24 99 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25 100 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26 101 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27 102 #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28 103 104 /* Utility for translating IANA extension type. */ 105 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type); 106 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type); 107 /* Macros used to define mask constants */ 108 #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id)) 109 /* Reset value of extension mask */ 110 #define MBEDTLS_SSL_EXT_MASK_NONE 0 111 112 /* In messages containing extension requests, we should ignore unrecognized 113 * extensions. In messages containing extension responses, unrecognized 114 * extensions should result in handshake abortion. Messages containing 115 * extension requests include ClientHello, CertificateRequest and 116 * NewSessionTicket. Messages containing extension responses include 117 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate. 118 * 119 * RFC 8446 section 4.1.3 120 * 121 * The ServerHello MUST only include extensions which are required to establish 122 * the cryptographic context and negotiate the protocol version. 123 * 124 * RFC 8446 section 4.2 125 * 126 * If an implementation receives an extension which it recognizes and which is 127 * not specified for the message in which it appears, it MUST abort the handshake 128 * with an "illegal_parameter" alert. 129 */ 130 131 /* Extensions that are not recognized by TLS 1.3 */ 132 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \ 133 (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \ 134 MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \ 135 MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \ 136 MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \ 137 MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \ 138 MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED)) 139 140 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */ 141 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ 142 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 143 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 144 MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 145 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 146 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 147 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 148 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 149 MBEDTLS_SSL_EXT_MASK(ALPN) | \ 150 MBEDTLS_SSL_EXT_MASK(SCT) | \ 151 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 152 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 153 MBEDTLS_SSL_EXT_MASK(PADDING) | \ 154 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 155 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 156 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \ 157 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 158 MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 159 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \ 160 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 161 MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \ 162 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 163 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \ 164 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 165 166 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ 167 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ 168 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 169 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 170 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 171 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 172 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 173 MBEDTLS_SSL_EXT_MASK(ALPN) | \ 174 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 175 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 176 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 177 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) 178 179 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ 180 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ 181 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 182 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 183 MBEDTLS_SSL_EXT_MASK(SCT) | \ 184 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 185 MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \ 186 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 187 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 188 189 /* RFC 8446 section 4.2. Allowed extensions for Certificate */ 190 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ 191 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 192 MBEDTLS_SSL_EXT_MASK(SCT)) 193 194 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */ 195 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ 196 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 197 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 198 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 199 200 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ 201 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ 202 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 203 MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 204 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 205 206 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ 207 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ 208 (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 209 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 210 211 /* 212 * Helper macros for function call with return check. 213 */ 214 /* 215 * Exit when return non-zero value 216 */ 217 #define MBEDTLS_SSL_PROC_CHK(f) \ 218 do { \ 219 ret = (f); \ 220 if (ret != 0) \ 221 { \ 222 goto cleanup; \ 223 } \ 224 } while (0) 225 /* 226 * Exit when return negative value 227 */ 228 #define MBEDTLS_SSL_PROC_CHK_NEG(f) \ 229 do { \ 230 ret = (f); \ 231 if (ret < 0) \ 232 { \ 233 goto cleanup; \ 234 } \ 235 } while (0) 236 237 /* 238 * DTLS retransmission states, see RFC 6347 4.2.4 239 * 240 * The SENDING state is merged in PREPARING for initial sends, 241 * but is distinct for resends. 242 * 243 * Note: initial state is wrong for server, but is not used anyway. 244 */ 245 #define MBEDTLS_SSL_RETRANS_PREPARING 0 246 #define MBEDTLS_SSL_RETRANS_SENDING 1 247 #define MBEDTLS_SSL_RETRANS_WAITING 2 248 #define MBEDTLS_SSL_RETRANS_FINISHED 3 249 250 /* 251 * Allow extra bytes for record, authentication and encryption overhead: 252 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256). 253 */ 254 255 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 256 257 /* This macro determines whether CBC is supported. */ 258 #if defined(MBEDTLS_SSL_HAVE_CBC) && \ 259 (defined(MBEDTLS_SSL_HAVE_AES) || \ 260 defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \ 261 defined(MBEDTLS_SSL_HAVE_ARIA)) 262 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC 263 #endif 264 265 /* This macro determines whether a ciphersuite using a 266 * stream cipher can be used. */ 267 #if defined(MBEDTLS_CIPHER_NULL_CIPHER) 268 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM 269 #endif 270 271 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */ 272 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 273 defined(MBEDTLS_SSL_PROTO_TLS1_2) 274 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC 275 #endif 276 277 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \ 278 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) 279 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC 280 #endif 281 282 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */ 283 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 284 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 285 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM 286 #endif 287 288 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 289 290 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 291 /* Ciphersuites using HMAC */ 292 #if defined(MBEDTLS_MD_CAN_SHA384) 293 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ 294 #elif defined(MBEDTLS_MD_CAN_SHA256) 295 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ 296 #else 297 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ 298 #endif 299 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 300 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ 301 #define MBEDTLS_SSL_MAC_ADD 16 302 #endif 303 304 #if defined(MBEDTLS_SSL_HAVE_CBC) 305 #define MBEDTLS_SSL_PADDING_ADD 256 306 #else 307 #define MBEDTLS_SSL_PADDING_ADD 0 308 #endif 309 310 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 311 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 312 #else 313 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 314 #endif 315 316 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \ 317 MBEDTLS_SSL_MAC_ADD + \ 318 MBEDTLS_SSL_PADDING_ADD + \ 319 MBEDTLS_SSL_MAX_CID_EXPANSION \ 320 ) 321 322 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 323 (MBEDTLS_SSL_IN_CONTENT_LEN)) 324 325 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 326 (MBEDTLS_SSL_OUT_CONTENT_LEN)) 327 328 /* The maximum number of buffered handshake messages. */ 329 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 330 331 /* Maximum length we can advertise as our max content length for 332 RFC 6066 max_fragment_length extension negotiation purposes 333 (the lesser of both sizes, if they are unequal.) 334 */ 335 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ 336 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ 337 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \ 338 : (MBEDTLS_SSL_IN_CONTENT_LEN) \ 339 ) 340 341 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 342 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534 343 344 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 345 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2 346 347 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ 348 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 349 350 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 351 352 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 353 354 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE 355 356 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 357 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig) 358 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF) 359 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8) 360 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 361 362 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 363 364 /* 365 * Check that we obey the standard's message size bounds 366 */ 367 368 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384 369 #error "Bad configuration - incoming record content too large." 370 #endif 371 372 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384 373 #error "Bad configuration - outgoing record content too large." 374 #endif 375 376 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048 377 #error "Bad configuration - incoming protected record payload too large." 378 #endif 379 380 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048 381 #error "Bad configuration - outgoing protected record payload too large." 382 #endif 383 384 /* Calculate buffer sizes */ 385 386 /* Note: Even though the TLS record header is only 5 bytes 387 long, we're internally using 8 bytes to store the 388 implicit sequence number. */ 389 #define MBEDTLS_SSL_HEADER_LEN 13 390 391 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 392 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 393 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN)) 394 #else 395 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 396 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \ 397 + (MBEDTLS_SSL_CID_IN_LEN_MAX)) 398 #endif 399 400 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 401 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 402 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)) 403 #else 404 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 405 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \ 406 + (MBEDTLS_SSL_CID_OUT_LEN_MAX)) 407 #endif 408 409 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32 410 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32 411 412 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 413 /** 414 * \brief Return the maximum fragment length (payload, in bytes) for 415 * the output buffer. For the client, this is the configured 416 * value. For the server, it is the minimum of two - the 417 * configured value and the negotiated one. 418 * 419 * \sa mbedtls_ssl_conf_max_frag_len() 420 * \sa mbedtls_ssl_get_max_out_record_payload() 421 * 422 * \param ssl SSL context 423 * 424 * \return Current maximum fragment length for the output buffer. 425 */ 426 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl); 427 428 /** 429 * \brief Return the maximum fragment length (payload, in bytes) for 430 * the input buffer. This is the negotiated maximum fragment 431 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. 432 * If it is not defined either, the value is 2^14. This function 433 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). 434 * 435 * \sa mbedtls_ssl_conf_max_frag_len() 436 * \sa mbedtls_ssl_get_max_in_record_payload() 437 * 438 * \param ssl SSL context 439 * 440 * \return Current maximum fragment length for the output buffer. 441 */ 442 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl); 443 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 444 445 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 446 /** 447 * \brief Get the size limit in bytes for the protected outgoing records 448 * as defined in RFC 8449 449 * 450 * \param ssl SSL context 451 * 452 * \return The size limit in bytes for the protected outgoing 453 * records as defined in RFC 8449. 454 */ 455 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl); 456 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 457 458 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 459 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx) 460 { 461 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 462 return mbedtls_ssl_get_output_max_frag_len(ctx) 463 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 464 + MBEDTLS_SSL_CID_OUT_LEN_MAX; 465 #else 466 return mbedtls_ssl_get_output_max_frag_len(ctx) 467 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 468 #endif 469 } 470 471 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx) 472 { 473 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 474 return mbedtls_ssl_get_input_max_frag_len(ctx) 475 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 476 + MBEDTLS_SSL_CID_IN_LEN_MAX; 477 #else 478 return mbedtls_ssl_get_input_max_frag_len(ctx) 479 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 480 #endif 481 } 482 #endif 483 484 /* 485 * TLS extension flags (for extensions with outgoing ServerHello content 486 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because 487 * of state of the renegotiation flag, so no indicator is required) 488 */ 489 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) 490 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) 491 492 /** 493 * \brief This function checks if the remaining size in a buffer is 494 * greater or equal than a needed space. 495 * 496 * \param cur Pointer to the current position in the buffer. 497 * \param end Pointer to one past the end of the buffer. 498 * \param need Needed space in bytes. 499 * 500 * \return Zero if the needed space is available in the buffer, non-zero 501 * otherwise. 502 */ 503 #if !defined(MBEDTLS_TEST_HOOKS) 504 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 505 const uint8_t *end, size_t need) 506 { 507 return (cur > end) || (need > (size_t) (end - cur)); 508 } 509 #else 510 typedef struct { 511 const uint8_t *cur; 512 const uint8_t *end; 513 size_t need; 514 } mbedtls_ssl_chk_buf_ptr_args; 515 516 void mbedtls_ssl_set_chk_buf_ptr_fail_args( 517 const uint8_t *cur, const uint8_t *end, size_t need); 518 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void); 519 520 MBEDTLS_CHECK_RETURN_CRITICAL 521 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args); 522 523 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 524 const uint8_t *end, size_t need) 525 { 526 if ((cur > end) || (need > (size_t) (end - cur))) { 527 mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need); 528 return 1; 529 } 530 return 0; 531 } 532 #endif /* MBEDTLS_TEST_HOOKS */ 533 534 /** 535 * \brief This macro checks if the remaining size in a buffer is 536 * greater or equal than a needed space. If it is not the case, 537 * it returns an SSL_BUFFER_TOO_SMALL error. 538 * 539 * \param cur Pointer to the current position in the buffer. 540 * \param end Pointer to one past the end of the buffer. 541 * \param need Needed space in bytes. 542 * 543 */ 544 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \ 545 do { \ 546 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 547 { \ 548 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \ 549 } \ 550 } while (0) 551 552 /** 553 * \brief This macro checks if the remaining length in an input buffer is 554 * greater or equal than a needed length. If it is not the case, it 555 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a 556 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. 557 * 558 * This is a function-like macro. It is guaranteed to evaluate each 559 * argument exactly once. 560 * 561 * \param cur Pointer to the current position in the buffer. 562 * \param end Pointer to one past the end of the buffer. 563 * \param need Needed length in bytes. 564 * 565 */ 566 #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \ 567 do { \ 568 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 569 { \ 570 MBEDTLS_SSL_DEBUG_MSG(1, \ 571 ("missing input data in %s", __func__)); \ 572 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ 573 MBEDTLS_ERR_SSL_DECODE_ERROR); \ 574 return MBEDTLS_ERR_SSL_DECODE_ERROR; \ 575 } \ 576 } while (0) 577 578 #ifdef __cplusplus 579 extern "C" { 580 #endif 581 582 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen, 583 const char *label, 584 const unsigned char *random, size_t rlen, 585 unsigned char *dstbuf, size_t dlen); 586 587 /* cipher.h exports the maximum IV, key and block length from 588 * all ciphers enabled in the config, regardless of whether those 589 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled 590 * in the default configuration and uses 64 Byte keys, but it is 591 * not used for record protection in SSL/TLS. 592 * 593 * In order to prevent unnecessary inflation of key structures, 594 * we introduce SSL-specific variants of the max-{key,block,IV} 595 * macros here which are meant to only take those ciphers into 596 * account which can be negotiated in SSL/TLS. 597 * 598 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH 599 * in cipher.h are rough overapproximations of the real maxima, here 600 * we content ourselves with replicating those overapproximations 601 * for the maximum block and IV length, and excluding XTS from the 602 * computation of the maximum key length. */ 603 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 604 #define MBEDTLS_SSL_MAX_IV_LENGTH 16 605 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 606 607 /** 608 * \brief The data structure holding the cryptographic material (key and IV) 609 * used for record protection in TLS 1.3. 610 */ 611 struct mbedtls_ssl_key_set { 612 /*! The key for client->server records. */ 613 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 614 /*! The key for server->client records. */ 615 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 616 /*! The IV for client->server records. */ 617 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 618 /*! The IV for server->client records. */ 619 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 620 621 size_t key_len; /*!< The length of client_write_key and 622 * server_write_key, in Bytes. */ 623 size_t iv_len; /*!< The length of client_write_iv and 624 * server_write_iv, in Bytes. */ 625 }; 626 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; 627 628 typedef struct { 629 unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 630 unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 631 unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 632 } mbedtls_ssl_tls13_early_secrets; 633 634 typedef struct { 635 unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 636 unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 637 } mbedtls_ssl_tls13_handshake_secrets; 638 639 /* 640 * This structure contains the parameters only needed during handshake. 641 */ 642 struct mbedtls_ssl_handshake_params { 643 /* Frequently-used boolean or byte fields (placed early to take 644 * advantage of smaller code size for indirect access on Arm Thumb) */ 645 uint8_t resume; /*!< session resume indicator*/ 646 uint8_t cli_exts; /*!< client extension presence*/ 647 648 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 649 uint8_t sni_authmode; /*!< authmode from SNI callback */ 650 #endif 651 652 #if defined(MBEDTLS_SSL_SRV_C) 653 /* Flag indicating if a CertificateRequest message has been sent 654 * to the client or not. */ 655 uint8_t certificate_request_sent; 656 #if defined(MBEDTLS_SSL_EARLY_DATA) 657 /* Flag indicating if the server has accepted early data or not. */ 658 uint8_t early_data_accepted; 659 #endif 660 #endif /* MBEDTLS_SSL_SRV_C */ 661 662 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 663 uint8_t new_session_ticket; /*!< use NewSessionTicket? */ 664 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 665 666 #if defined(MBEDTLS_SSL_CLI_C) 667 /** Minimum TLS version to be negotiated. 668 * 669 * It is set up in the ClientHello writing preparation stage and used 670 * throughout the ClientHello writing. Not relevant anymore as soon as 671 * the protocol version has been negotiated thus as soon as the 672 * ServerHello is received. 673 * For a fresh handshake not linked to any previous handshake, it is 674 * equal to the configured minimum minor version to be negotiated. When 675 * renegotiating or resuming a session, it is equal to the previously 676 * negotiated minor version. 677 * 678 * There is no maximum TLS version field in this handshake context. 679 * From the start of the handshake, we need to define a current protocol 680 * version for the record layer which we define as the maximum TLS 681 * version to be negotiated. The `tls_version` field of the SSL context is 682 * used to store this maximum value until it contains the actual 683 * negotiated value. 684 */ 685 mbedtls_ssl_protocol_version min_tls_version; 686 #endif 687 688 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 689 uint8_t extended_ms; /*!< use Extended Master Secret? */ 690 #endif 691 692 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 693 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */ 694 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 695 696 #if defined(MBEDTLS_SSL_PROTO_DTLS) 697 unsigned char retransmit_state; /*!< Retransmission state */ 698 #endif 699 700 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 701 unsigned char group_list_heap_allocated; 702 unsigned char sig_algs_heap_allocated; 703 #endif 704 705 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 706 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ 707 enum { /* this complements ssl->state with info on intra-state operations */ 708 ssl_ecrs_none = 0, /*!< nothing going on (yet) */ 709 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ 710 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ 711 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ 712 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ 713 } ecrs_state; /*!< current (or last) operation */ 714 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ 715 size_t ecrs_n; /*!< place for saving a length */ 716 #endif 717 718 mbedtls_ssl_ciphersuite_t const *ciphersuite_info; 719 720 MBEDTLS_CHECK_RETURN_CRITICAL 721 int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); 722 MBEDTLS_CHECK_RETURN_CRITICAL 723 int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); 724 MBEDTLS_CHECK_RETURN_CRITICAL 725 int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); 726 mbedtls_ssl_tls_prf_cb *tls_prf; 727 728 /* 729 * Handshake specific crypto variables 730 */ 731 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 732 uint8_t key_exchange_mode; /*!< Selected key exchange mode */ 733 734 /** 735 * Flag indicating if, in the course of the current handshake, an 736 * HelloRetryRequest message has been sent by the server or received by 737 * the client (<> 0) or not (0). 738 */ 739 uint8_t hello_retry_request_flag; 740 741 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 742 /** 743 * Flag indicating if, in the course of the current handshake, a dummy 744 * change_cipher_spec (CCS) record has already been sent. Used to send only 745 * one CCS per handshake while not complicating the handshake state 746 * transitions for that purpose. 747 */ 748 uint8_t ccs_sent; 749 #endif 750 751 #if defined(MBEDTLS_SSL_SRV_C) 752 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 753 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ 754 #endif 755 /** selected_group of key_share extension in HelloRetryRequest message. */ 756 uint16_t hrr_selected_group; 757 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 758 uint16_t new_session_tickets_count; /*!< number of session tickets */ 759 #endif 760 #endif /* MBEDTLS_SSL_SRV_C */ 761 762 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 763 764 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 765 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; 766 #endif 767 768 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 769 const uint16_t *group_list; 770 const uint16_t *sig_algs; 771 #endif 772 773 #if defined(MBEDTLS_DHM_C) 774 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ 775 #endif 776 777 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 778 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 779 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ 780 #endif /* !MBEDTLS_USE_PSA_CRYPTO && 781 MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */ 782 783 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) 784 psa_key_type_t xxdh_psa_type; 785 size_t xxdh_psa_bits; 786 mbedtls_svc_key_id_t xxdh_psa_privkey; 787 uint8_t xxdh_psa_privkey_is_external; 788 unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; 789 size_t xxdh_psa_peerkey_len; 790 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ 791 792 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 793 #if defined(MBEDTLS_USE_PSA_CRYPTO) 794 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ 795 mbedtls_svc_key_id_t psa_pake_password; 796 uint8_t psa_pake_ctx_is_ok; 797 #else 798 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ 799 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 800 #if defined(MBEDTLS_SSL_CLI_C) 801 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ 802 size_t ecjpake_cache_len; /*!< Length of cached data */ 803 #endif 804 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 805 806 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ 807 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \ 808 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 809 uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */ 810 #endif 811 812 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 813 #if defined(MBEDTLS_USE_PSA_CRYPTO) 814 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ 815 uint8_t psk_opaque_is_internal; 816 #else 817 unsigned char *psk; /*!< PSK from the callback */ 818 size_t psk_len; /*!< Length of PSK from callback */ 819 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 820 uint16_t selected_identity; 821 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 822 823 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 824 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ 825 #endif 826 827 #if defined(MBEDTLS_X509_CRT_PARSE_C) 828 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ 829 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 830 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ 831 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ 832 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ 833 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 834 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 835 836 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 837 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 838 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ 839 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 840 841 struct { 842 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated 843 * buffers used for message buffering. */ 844 845 uint8_t seen_ccs; /*!< Indicates if a CCS message has 846 * been seen in the current flight. */ 847 848 struct mbedtls_ssl_hs_buffer { 849 unsigned is_valid : 1; 850 unsigned is_fragmented : 1; 851 unsigned is_complete : 1; 852 unsigned char *data; 853 size_t data_len; 854 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; 855 856 struct { 857 unsigned char *data; 858 size_t len; 859 unsigned epoch; 860 } future_record; 861 862 } buffering; 863 864 #if defined(MBEDTLS_SSL_CLI_C) && \ 865 (defined(MBEDTLS_SSL_PROTO_DTLS) || \ 866 defined(MBEDTLS_SSL_PROTO_TLS1_3)) 867 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS 868 * HelloRetryRequest cookie for TLS 1.3 */ 869 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) 870 /* RFC 6347 page 15 871 ... 872 opaque cookie<0..2^8-1>; 873 ... 874 */ 875 uint8_t cookie_len; 876 #else 877 /* RFC 8446 page 39 878 ... 879 opaque cookie<0..2^16-1>; 880 ... 881 If TLS1_3 is enabled, the max length is 2^16 - 1 882 */ 883 uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length 884 * TLS1_3: HelloRetryRequest cookie length */ 885 #endif 886 #endif /* MBEDTLS_SSL_CLI_C && 887 ( MBEDTLS_SSL_PROTO_DTLS || 888 MBEDTLS_SSL_PROTO_TLS1_3 ) */ 889 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS) 890 unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */ 891 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */ 892 893 #if defined(MBEDTLS_SSL_PROTO_DTLS) 894 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ 895 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ 896 897 uint32_t retransmit_timeout; /*!< Current value of timeout */ 898 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ 899 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ 900 unsigned char *cur_msg_p; /*!< Position in current message */ 901 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the 902 flight being received */ 903 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for 904 resending messages */ 905 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter 906 for resending messages */ 907 908 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 909 /* The state of CID configuration in this handshake. */ 910 911 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension 912 * has been negotiated. Possible values are 913 * #MBEDTLS_SSL_CID_ENABLED and 914 * #MBEDTLS_SSL_CID_DISABLED. */ 915 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */ 916 uint8_t peer_cid_len; /*!< The length of 917 * \c peer_cid. */ 918 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 919 920 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ 921 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 922 923 /* 924 * Checksum contexts 925 */ 926 #if defined(MBEDTLS_MD_CAN_SHA256) 927 #if defined(MBEDTLS_USE_PSA_CRYPTO) 928 psa_hash_operation_t fin_sha256_psa; 929 #else 930 mbedtls_md_context_t fin_sha256; 931 #endif 932 #endif 933 #if defined(MBEDTLS_MD_CAN_SHA384) 934 #if defined(MBEDTLS_USE_PSA_CRYPTO) 935 psa_hash_operation_t fin_sha384_psa; 936 #else 937 mbedtls_md_context_t fin_sha384; 938 #endif 939 #endif 940 941 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 942 uint16_t offered_group_id; /* The NamedGroup value for the group 943 * that is being used for ephemeral 944 * key exchange. 945 * 946 * On the client: Defaults to the first 947 * entry in the client's group list, 948 * but can be overwritten by the HRR. */ 949 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 950 951 #if defined(MBEDTLS_SSL_CLI_C) 952 uint8_t client_auth; /*!< used to check if CertificateRequest has been 953 received from server side. If CertificateRequest 954 has been received, Certificate and CertificateVerify 955 should be sent to server */ 956 #endif /* MBEDTLS_SSL_CLI_C */ 957 /* 958 * State-local variables used during the processing 959 * of a specific handshake state. 960 */ 961 union { 962 /* Outgoing Finished message */ 963 struct { 964 uint8_t preparation_done; 965 966 /* Buffer holding digest of the handshake up to 967 * but excluding the outgoing finished message. */ 968 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 969 size_t digest_len; 970 } finished_out; 971 972 /* Incoming Finished message */ 973 struct { 974 uint8_t preparation_done; 975 976 /* Buffer holding digest of the handshake up to but 977 * excluding the peer's incoming finished message. */ 978 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 979 size_t digest_len; 980 } finished_in; 981 982 } state_local; 983 984 /* End of state-local variables. */ 985 986 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + 987 MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 988 /*!< random bytes */ 989 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 990 unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; 991 /*!< premaster secret */ 992 size_t pmslen; /*!< premaster length */ 993 #endif 994 995 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 996 uint32_t sent_extensions; /*!< extensions sent by endpoint */ 997 uint32_t received_extensions; /*!< extensions received by endpoint */ 998 999 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 1000 unsigned char certificate_request_context_len; 1001 unsigned char *certificate_request_context; 1002 #endif 1003 1004 /** TLS 1.3 transform for encrypted handshake messages. */ 1005 mbedtls_ssl_transform *transform_handshake; 1006 union { 1007 unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1008 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1009 unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1010 } tls13_master_secrets; 1011 1012 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; 1013 #if defined(MBEDTLS_SSL_EARLY_DATA) 1014 /** TLS 1.3 transform for early data and handshake messages. */ 1015 mbedtls_ssl_transform *transform_earlydata; 1016 #endif 1017 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1018 1019 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 1020 /** Asynchronous operation context. This field is meant for use by the 1021 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, 1022 * mbedtls_ssl_config::f_async_decrypt_start, 1023 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). 1024 * The library does not use it internally. */ 1025 void *user_async_ctx; 1026 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 1027 1028 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1029 const unsigned char *sni_name; /*!< raw SNI */ 1030 size_t sni_name_len; /*!< raw SNI len */ 1031 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1032 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */ 1033 #endif 1034 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1035 }; 1036 1037 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; 1038 1039 /* 1040 * Representation of decryption/encryption transformations on records 1041 * 1042 * There are the following general types of record transformations: 1043 * - Stream transformations (TLS versions == 1.2 only) 1044 * Transformation adding a MAC and applying a stream-cipher 1045 * to the authenticated message. 1046 * - CBC block cipher transformations ([D]TLS versions == 1.2 only) 1047 * For TLS 1.2, no IV is generated at key extraction time, but every 1048 * encrypted record is explicitly prefixed by the IV with which it was 1049 * encrypted. 1050 * - AEAD transformations ([D]TLS versions == 1.2 only) 1051 * These come in two fundamentally different versions, the first one 1052 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second 1053 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. 1054 * In the first transformation, the IV to be used for a record is obtained 1055 * as the concatenation of an explicit, static 4-byte IV and the 8-byte 1056 * record sequence number, and explicitly prepending this sequence number 1057 * to the encrypted record. In contrast, in the second transformation 1058 * the IV is obtained by XOR'ing a static IV obtained at key extraction 1059 * time with the 8-byte record sequence number, without prepending the 1060 * latter to the encrypted record. 1061 * 1062 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext 1063 * which allows to add flexible length padding and to hide a record's true 1064 * content type. 1065 * 1066 * In addition to type and version, the following parameters are relevant: 1067 * - The symmetric cipher algorithm to be used. 1068 * - The (static) encryption/decryption keys for the cipher. 1069 * - For stream/CBC, the type of message digest to be used. 1070 * - For stream/CBC, (static) encryption/decryption keys for the digest. 1071 * - For AEAD transformations, the size (potentially 0) of an explicit, 1072 * random initialization vector placed in encrypted records. 1073 * - For some transformations (currently AEAD) an implicit IV. It is static 1074 * and (if present) is combined with the explicit IV in a transformation- 1075 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). 1076 * - For stream/CBC, a flag determining the order of encryption and MAC. 1077 * - The details of the transformation depend on the SSL/TLS version. 1078 * - The length of the authentication tag. 1079 * 1080 * The struct below refines this abstract view as follows: 1081 * - The cipher underlying the transformation is managed in 1082 * cipher contexts cipher_ctx_{enc/dec}, which must have the 1083 * same cipher type. The mode of these cipher contexts determines 1084 * the type of the transformation in the sense above: e.g., if 1085 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM 1086 * then the transformation has type CBC resp. AEAD. 1087 * - The cipher keys are never stored explicitly but 1088 * are maintained within cipher_ctx_{enc/dec}. 1089 * - For stream/CBC transformations, the message digest contexts 1090 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts 1091 * are unused for AEAD transformations. 1092 * - For stream/CBC transformations, the MAC keys are not stored explicitly 1093 * but maintained within md_ctx_{enc/dec}. 1094 * - The mac_enc and mac_dec fields are unused for EAD transformations. 1095 * - For transformations using an implicit IV maintained within 1096 * the transformation context, its contents are stored within 1097 * iv_{enc/dec}. 1098 * - The value of ivlen indicates the length of the IV. 1099 * This is redundant in case of stream/CBC transformations 1100 * which always use 0 resp. the cipher's block length as the 1101 * IV length, but is needed for AEAD ciphers and may be 1102 * different from the underlying cipher's block length 1103 * in this case. 1104 * - The field fixed_ivlen is nonzero for AEAD transformations only 1105 * and indicates the length of the static part of the IV which is 1106 * constant throughout the communication, and which is stored in 1107 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. 1108 * - tls_version denotes the 2-byte TLS version 1109 * - For stream/CBC transformations, maclen denotes the length of the 1110 * authentication tag, while taglen is unused and 0. 1111 * - For AEAD transformations, taglen denotes the length of the 1112 * authentication tag, while maclen is unused and 0. 1113 * - For CBC transformations, encrypt_then_mac determines the 1114 * order of encryption and authentication. This field is unused 1115 * in other transformations. 1116 * 1117 */ 1118 struct mbedtls_ssl_transform { 1119 /* 1120 * Session specific crypto layer 1121 */ 1122 size_t minlen; /*!< min. ciphertext length */ 1123 size_t ivlen; /*!< IV length */ 1124 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ 1125 size_t maclen; /*!< MAC(CBC) len */ 1126 size_t taglen; /*!< TAG(AEAD) len */ 1127 1128 unsigned char iv_enc[16]; /*!< IV (encryption) */ 1129 unsigned char iv_dec[16]; /*!< IV (decryption) */ 1130 1131 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1132 1133 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1134 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */ 1135 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */ 1136 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */ 1137 #else 1138 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ 1139 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ 1140 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1141 1142 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1143 int encrypt_then_mac; /*!< flag for EtM activation */ 1144 #endif 1145 1146 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 1147 1148 mbedtls_ssl_protocol_version tls_version; 1149 1150 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1151 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */ 1152 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */ 1153 psa_algorithm_t psa_alg; /*!< psa algorithm */ 1154 #else 1155 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ 1156 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ 1157 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1158 1159 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1160 uint8_t in_cid_len; 1161 uint8_t out_cid_len; 1162 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 1163 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; 1164 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1165 1166 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 1167 /* We need the Hello random bytes in order to re-derive keys from the 1168 * Master Secret and other session info, 1169 * see ssl_tls12_populate_transform() */ 1170 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + 1171 MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; 1172 /*!< ServerHello.random+ClientHello.random */ 1173 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 1174 }; 1175 1176 /* 1177 * Return 1 if the transform uses an AEAD cipher, 0 otherwise. 1178 * Equivalently, return 0 if a separate MAC is used, 1 otherwise. 1179 */ 1180 static inline int mbedtls_ssl_transform_uses_aead( 1181 const mbedtls_ssl_transform *transform) 1182 { 1183 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1184 return transform->maclen == 0 && transform->taglen != 0; 1185 #else 1186 (void) transform; 1187 return 1; 1188 #endif 1189 } 1190 1191 /* 1192 * Internal representation of record frames 1193 * 1194 * Instances come in two flavors: 1195 * (1) Encrypted 1196 * These always have data_offset = 0 1197 * (2) Unencrypted 1198 * These have data_offset set to the amount of 1199 * pre-expansion during record protection. Concretely, 1200 * this is the length of the fixed part of the explicit IV 1201 * used for encryption, or 0 if no explicit IV is used 1202 * (e.g. for stream ciphers). 1203 * 1204 * The reason for the data_offset in the unencrypted case 1205 * is to allow for in-place conversion of an unencrypted to 1206 * an encrypted record. If the offset wasn't included, the 1207 * encrypted content would need to be shifted afterwards to 1208 * make space for the fixed IV. 1209 * 1210 */ 1211 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX 1212 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX 1213 #else 1214 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX 1215 #endif 1216 1217 typedef struct { 1218 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number. 1219 * In DTLS: The 2-byte epoch followed by 1220 * the 6-byte sequence number. 1221 * This is stored as a raw big endian byte array 1222 * as opposed to a uint64_t because we rarely 1223 * need to perform arithmetic on this, but do 1224 * need it as a Byte array for the purpose of 1225 * MAC computations. */ 1226 uint8_t type; /* The record content type. */ 1227 uint8_t ver[2]; /* SSL/TLS version as present on the wire. 1228 * Convert to internal presentation of versions 1229 * using mbedtls_ssl_read_version() and 1230 * mbedtls_ssl_write_version(). 1231 * Keep wire-format for MAC computations. */ 1232 1233 unsigned char *buf; /* Memory buffer enclosing the record content */ 1234 size_t buf_len; /* Buffer length */ 1235 size_t data_offset; /* Offset of record content */ 1236 size_t data_len; /* Length of record content */ 1237 1238 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1239 uint8_t cid_len; /* Length of the CID (0 if not present) */ 1240 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */ 1241 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1242 } mbedtls_record; 1243 1244 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1245 /* 1246 * List of certificate + private key pairs 1247 */ 1248 struct mbedtls_ssl_key_cert { 1249 mbedtls_x509_crt *cert; /*!< cert */ 1250 mbedtls_pk_context *key; /*!< private key */ 1251 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ 1252 }; 1253 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1254 1255 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1256 /* 1257 * List of handshake messages kept around for resending 1258 */ 1259 struct mbedtls_ssl_flight_item { 1260 unsigned char *p; /*!< message, including handshake headers */ 1261 size_t len; /*!< length of p */ 1262 unsigned char type; /*!< type of the message: handshake or CCS */ 1263 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ 1264 }; 1265 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1266 1267 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1268 /** 1269 * \brief Given an SSL context and its associated configuration, write the TLS 1270 * 1.2 specific extensions of the ClientHello message. 1271 * 1272 * \param[in] ssl SSL context 1273 * \param[in] buf Base address of the buffer where to write the extensions 1274 * \param[in] end End address of the buffer where to write the extensions 1275 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve 1276 * (<> 0) or not ( 0 ). 1277 * \param[out] out_len Length of the data written into the buffer \p buf 1278 */ 1279 MBEDTLS_CHECK_RETURN_CRITICAL 1280 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, 1281 unsigned char *buf, 1282 const unsigned char *end, 1283 int uses_ec, 1284 size_t *out_len); 1285 #endif 1286 1287 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 1288 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1289 1290 /** 1291 * \brief Find the preferred hash for a given signature algorithm. 1292 * 1293 * \param[in] ssl SSL context 1294 * \param[in] sig_alg A signature algorithm identifier as defined in the 1295 * TLS 1.2 SignatureAlgorithm enumeration. 1296 * 1297 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm 1298 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration. 1299 */ 1300 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 1301 mbedtls_ssl_context *ssl, 1302 unsigned int sig_alg); 1303 1304 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 1305 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1306 1307 /** 1308 * \brief Free referenced items in an SSL transform context and clear 1309 * memory 1310 * 1311 * \param transform SSL transform context 1312 */ 1313 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform); 1314 1315 /** 1316 * \brief Free referenced items in an SSL handshake context and clear 1317 * memory 1318 * 1319 * \param ssl SSL context 1320 */ 1321 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl); 1322 1323 /* set inbound transform of ssl context */ 1324 void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl, 1325 mbedtls_ssl_transform *transform); 1326 1327 /* set outbound transform of ssl context */ 1328 void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl, 1329 mbedtls_ssl_transform *transform); 1330 1331 MBEDTLS_CHECK_RETURN_CRITICAL 1332 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl); 1333 MBEDTLS_CHECK_RETURN_CRITICAL 1334 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl); 1335 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl); 1336 static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl, 1337 mbedtls_ssl_states state) 1338 { 1339 ssl->state = (int) state; 1340 } 1341 1342 MBEDTLS_CHECK_RETURN_CRITICAL 1343 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); 1344 1345 MBEDTLS_CHECK_RETURN_CRITICAL 1346 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); 1347 1348 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1349 MBEDTLS_CHECK_RETURN_CRITICAL 1350 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl); 1351 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1352 1353 MBEDTLS_CHECK_RETURN_CRITICAL 1354 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl); 1355 MBEDTLS_CHECK_RETURN_CRITICAL 1356 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl); 1357 MBEDTLS_CHECK_RETURN_CRITICAL 1358 int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); 1359 1360 /** 1361 * \brief Update record layer 1362 * 1363 * This function roughly separates the implementation 1364 * of the logic of (D)TLS from the implementation 1365 * of the secure transport. 1366 * 1367 * \param ssl The SSL context to use. 1368 * \param update_hs_digest This indicates if the handshake digest 1369 * should be automatically updated in case 1370 * a handshake message is found. 1371 * 1372 * \return 0 or non-zero error code. 1373 * 1374 * \note A clarification on what is called 'record layer' here 1375 * is in order, as many sensible definitions are possible: 1376 * 1377 * The record layer takes as input an untrusted underlying 1378 * transport (stream or datagram) and transforms it into 1379 * a serially multiplexed, secure transport, which 1380 * conceptually provides the following: 1381 * 1382 * (1) Three datagram based, content-agnostic transports 1383 * for handshake, alert and CCS messages. 1384 * (2) One stream- or datagram-based transport 1385 * for application data. 1386 * (3) Functionality for changing the underlying transform 1387 * securing the contents. 1388 * 1389 * The interface to this functionality is given as follows: 1390 * 1391 * a Updating 1392 * [Currently implemented by mbedtls_ssl_read_record] 1393 * 1394 * Check if and on which of the four 'ports' data is pending: 1395 * Nothing, a controlling datagram of type (1), or application 1396 * data (2). In any case data is present, internal buffers 1397 * provide access to the data for the user to process it. 1398 * Consumption of type (1) datagrams is done automatically 1399 * on the next update, invalidating that the internal buffers 1400 * for previous datagrams, while consumption of application 1401 * data (2) is user-controlled. 1402 * 1403 * b Reading of application data 1404 * [Currently manual adaption of ssl->in_offt pointer] 1405 * 1406 * As mentioned in the last paragraph, consumption of data 1407 * is different from the automatic consumption of control 1408 * datagrams (1) because application data is treated as a stream. 1409 * 1410 * c Tracking availability of application data 1411 * [Currently manually through decreasing ssl->in_msglen] 1412 * 1413 * For efficiency and to retain datagram semantics for 1414 * application data in case of DTLS, the record layer 1415 * provides functionality for checking how much application 1416 * data is still available in the internal buffer. 1417 * 1418 * d Changing the transformation securing the communication. 1419 * 1420 * Given an opaque implementation of the record layer in the 1421 * above sense, it should be possible to implement the logic 1422 * of (D)TLS on top of it without the need to know anything 1423 * about the record layer's internals. This is done e.g. 1424 * in all the handshake handling functions, and in the 1425 * application data reading function mbedtls_ssl_read. 1426 * 1427 * \note The above tries to give a conceptual picture of the 1428 * record layer, but the current implementation deviates 1429 * from it in some places. For example, our implementation of 1430 * the update functionality through mbedtls_ssl_read_record 1431 * discards datagrams depending on the current state, which 1432 * wouldn't fall under the record layer's responsibility 1433 * following the above definition. 1434 * 1435 */ 1436 MBEDTLS_CHECK_RETURN_CRITICAL 1437 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, 1438 unsigned update_hs_digest); 1439 MBEDTLS_CHECK_RETURN_CRITICAL 1440 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want); 1441 1442 /* 1443 * Write handshake message header 1444 */ 1445 MBEDTLS_CHECK_RETURN_CRITICAL 1446 int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type, 1447 unsigned char **buf, size_t *buf_len); 1448 1449 MBEDTLS_CHECK_RETURN_CRITICAL 1450 int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, 1451 int update_checksum, 1452 int force_flush); 1453 static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl) 1454 { 1455 return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */); 1456 } 1457 1458 /* 1459 * Write handshake message tail 1460 */ 1461 MBEDTLS_CHECK_RETURN_CRITICAL 1462 int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl, 1463 size_t buf_len, size_t msg_len); 1464 1465 MBEDTLS_CHECK_RETURN_CRITICAL 1466 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush); 1467 MBEDTLS_CHECK_RETURN_CRITICAL 1468 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl); 1469 1470 MBEDTLS_CHECK_RETURN_CRITICAL 1471 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl); 1472 MBEDTLS_CHECK_RETURN_CRITICAL 1473 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl); 1474 1475 MBEDTLS_CHECK_RETURN_CRITICAL 1476 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl); 1477 MBEDTLS_CHECK_RETURN_CRITICAL 1478 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl); 1479 1480 MBEDTLS_CHECK_RETURN_CRITICAL 1481 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl); 1482 MBEDTLS_CHECK_RETURN_CRITICAL 1483 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl); 1484 1485 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 1486 const mbedtls_ssl_ciphersuite_t *ciphersuite_info); 1487 1488 /* 1489 * Update checksum of handshake messages. 1490 */ 1491 MBEDTLS_CHECK_RETURN_CRITICAL 1492 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 1493 unsigned hs_type, 1494 unsigned char const *msg, 1495 size_t msg_len); 1496 1497 MBEDTLS_CHECK_RETURN_CRITICAL 1498 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 1499 unsigned hs_type, 1500 size_t total_hs_len); 1501 1502 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 1503 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 1504 MBEDTLS_CHECK_RETURN_CRITICAL 1505 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, 1506 mbedtls_key_exchange_type_t key_ex); 1507 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 1508 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 1509 1510 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 1511 #if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C) 1512 MBEDTLS_CHECK_RETURN_CRITICAL 1513 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf); 1514 #endif 1515 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1516 /** 1517 * Get the first defined opaque PSK by order of precedence: 1518 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK 1519 * callback 1520 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() 1521 * Return an opaque PSK 1522 */ 1523 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( 1524 const mbedtls_ssl_context *ssl) 1525 { 1526 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 1527 return ssl->handshake->psk_opaque; 1528 } 1529 1530 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) { 1531 return ssl->conf->psk_opaque; 1532 } 1533 1534 return MBEDTLS_SVC_KEY_ID_INIT; 1535 } 1536 #else 1537 /** 1538 * Get the first defined PSK by order of precedence: 1539 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback 1540 * 2. static PSK configured by \c mbedtls_ssl_conf_psk() 1541 * Return a code and update the pair (PSK, PSK length) passed to this function 1542 */ 1543 static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl, 1544 const unsigned char **psk, size_t *psk_len) 1545 { 1546 if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) { 1547 *psk = ssl->handshake->psk; 1548 *psk_len = ssl->handshake->psk_len; 1549 } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) { 1550 *psk = ssl->conf->psk; 1551 *psk_len = ssl->conf->psk_len; 1552 } else { 1553 *psk = NULL; 1554 *psk_len = 0; 1555 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 1556 } 1557 1558 return 0; 1559 } 1560 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1561 1562 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 1563 1564 #if defined(MBEDTLS_PK_C) 1565 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); 1566 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); 1567 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); 1568 #endif 1569 1570 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); 1571 unsigned char mbedtls_ssl_hash_from_md_alg(int md); 1572 1573 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1574 MBEDTLS_CHECK_RETURN_CRITICAL 1575 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md); 1576 #endif 1577 1578 MBEDTLS_CHECK_RETURN_CRITICAL 1579 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id); 1580 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 1581 MBEDTLS_CHECK_RETURN_CRITICAL 1582 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id); 1583 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 1584 1585 /** 1586 * \brief Return PSA EC info for the specified TLS ID. 1587 * 1588 * \param tls_id The TLS ID to look for 1589 * \param type If the TLD ID is supported, then proper \c psa_key_type_t 1590 * value is returned here. Can be NULL. 1591 * \param bits If the TLD ID is supported, then proper bit size is returned 1592 * here. Can be NULL. 1593 * \return PSA_SUCCESS if the TLS ID is supported, 1594 * PSA_ERROR_NOT_SUPPORTED otherwise 1595 * 1596 * \note If either \c family or \c bits parameters are NULL, then 1597 * the corresponding value is not returned. 1598 * The function can be called with both parameters as NULL 1599 * simply to check if a specific TLS ID is supported. 1600 */ 1601 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 1602 psa_key_type_t *type, 1603 size_t *bits); 1604 1605 /** 1606 * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID. 1607 * 1608 * \param tls_id The TLS ID to look for 1609 * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported, 1610 * or MBEDTLS_ECP_DP_NONE otherwise 1611 */ 1612 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id); 1613 1614 /** 1615 * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id. 1616 * 1617 * \param grp_id The \c mbedtls_ecp_group_id ID to look for 1618 * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported, 1619 * or 0 otherwise 1620 */ 1621 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id); 1622 1623 #if defined(MBEDTLS_DEBUG_C) 1624 /** 1625 * \brief Return EC's name for the specified TLS ID. 1626 * 1627 * \param tls_id The TLS ID to look for 1628 * \return A pointer to a const string with the proper name. If TLS 1629 * ID is not supported, a NULL pointer is returned instead. 1630 */ 1631 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id); 1632 #endif 1633 1634 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1635 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value 1636 (const uint16_t srtp_profile_value) 1637 { 1638 switch (srtp_profile_value) { 1639 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: 1640 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: 1641 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: 1642 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: 1643 return srtp_profile_value; 1644 default: break; 1645 } 1646 return MBEDTLS_TLS_SRTP_UNSET; 1647 } 1648 #endif 1649 1650 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1651 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl) 1652 { 1653 mbedtls_ssl_key_cert *key_cert; 1654 1655 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1656 key_cert = ssl->handshake->key_cert; 1657 } else { 1658 key_cert = ssl->conf->key_cert; 1659 } 1660 1661 return key_cert == NULL ? NULL : key_cert->key; 1662 } 1663 1664 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) 1665 { 1666 mbedtls_ssl_key_cert *key_cert; 1667 1668 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1669 key_cert = ssl->handshake->key_cert; 1670 } else { 1671 key_cert = ssl->conf->key_cert; 1672 } 1673 1674 return key_cert == NULL ? NULL : key_cert->cert; 1675 } 1676 1677 /* 1678 * Verify a certificate. 1679 * 1680 * [in/out] ssl: misc. things read 1681 * ssl->session_negotiate->verify_result updated 1682 * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED} 1683 * [in] chain: the certificate chain to verify (ie the peer's chain) 1684 * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite; 1685 * for TLS 1.3, may be left NULL. 1686 * [in] rs_ctx: restart context if restartable ECC is in use; 1687 * leave NULL for no restartable behaviour. 1688 * 1689 * Return: 1690 * - 0 if the handshake should continue. Depending on the 1691 * authmode it means: 1692 * - REQUIRED: the certificate was found to be valid, trusted & acceptable. 1693 * ssl->session_negotiate->verify_result is 0. 1694 * - OPTIONAL: the certificate may or may not be acceptable, but 1695 * ssl->session_negotiate->verify_result was updated with the result. 1696 * - NONE: the certificate wasn't even checked. 1697 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if 1698 * the certificate was found to be invalid/untrusted/unacceptable and the 1699 * handshake should be aborted (can only happen with REQUIRED). 1700 * - another error code if another error happened (out-of-memory, etc.) 1701 */ 1702 MBEDTLS_CHECK_RETURN_CRITICAL 1703 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, 1704 int authmode, 1705 mbedtls_x509_crt *chain, 1706 const mbedtls_ssl_ciphersuite_t *ciphersuite_info, 1707 void *rs_ctx); 1708 1709 /* 1710 * Check usage of a certificate wrt usage extensions: 1711 * keyUsage and extendedKeyUsage. 1712 * (Note: nSCertType is deprecated and not standard, we don't check it.) 1713 * 1714 * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL. 1715 * 1716 * Note: recv_endpoint is the receiver's endpoint. 1717 * 1718 * Return 0 if everything is OK, -1 if not. 1719 */ 1720 MBEDTLS_CHECK_RETURN_CRITICAL 1721 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 1722 const mbedtls_ssl_ciphersuite_t *ciphersuite, 1723 int recv_endpoint, 1724 mbedtls_ssl_protocol_version tls_version, 1725 uint32_t *flags); 1726 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1727 1728 void mbedtls_ssl_write_version(unsigned char version[2], int transport, 1729 mbedtls_ssl_protocol_version tls_version); 1730 uint16_t mbedtls_ssl_read_version(const unsigned char version[2], 1731 int transport); 1732 1733 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl) 1734 { 1735 #if !defined(MBEDTLS_SSL_PROTO_DTLS) 1736 ((void) ssl); 1737 #endif 1738 1739 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1740 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1741 return 13; 1742 } else 1743 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1744 { 1745 return 5; 1746 } 1747 } 1748 1749 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl) 1750 { 1751 return (size_t) (ssl->out_iv - ssl->out_hdr); 1752 } 1753 1754 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl) 1755 { 1756 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1757 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1758 return 12; 1759 } 1760 #else 1761 ((void) ssl); 1762 #endif 1763 return 4; 1764 } 1765 1766 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1767 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); 1768 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl); 1769 MBEDTLS_CHECK_RETURN_CRITICAL 1770 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl); 1771 MBEDTLS_CHECK_RETURN_CRITICAL 1772 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl); 1773 #endif 1774 1775 /* Visible for testing purposes only */ 1776 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1777 MBEDTLS_CHECK_RETURN_CRITICAL 1778 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl); 1779 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl); 1780 #endif 1781 1782 MBEDTLS_CHECK_RETURN_CRITICAL 1783 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 1784 const mbedtls_ssl_session *src); 1785 1786 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1787 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ 1788 MBEDTLS_CHECK_RETURN_CRITICAL 1789 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 1790 unsigned char *hash, size_t *hashlen, 1791 unsigned char *data, size_t data_len, 1792 mbedtls_md_type_t md_alg); 1793 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1794 1795 #ifdef __cplusplus 1796 } 1797 #endif 1798 1799 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform); 1800 MBEDTLS_CHECK_RETURN_CRITICAL 1801 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, 1802 mbedtls_ssl_transform *transform, 1803 mbedtls_record *rec, 1804 int (*f_rng)(void *, unsigned char *, size_t), 1805 void *p_rng); 1806 MBEDTLS_CHECK_RETURN_CRITICAL 1807 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, 1808 mbedtls_ssl_transform *transform, 1809 mbedtls_record *rec); 1810 1811 /* Length of the "epoch" field in the record header */ 1812 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl) 1813 { 1814 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1815 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1816 return 2; 1817 } 1818 #else 1819 ((void) ssl); 1820 #endif 1821 return 0; 1822 } 1823 1824 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1825 MBEDTLS_CHECK_RETURN_CRITICAL 1826 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl); 1827 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1828 1829 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); 1830 MBEDTLS_CHECK_RETURN_CRITICAL 1831 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); 1832 1833 void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl); 1834 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); 1835 void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl); 1836 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, 1837 mbedtls_ssl_transform *transform); 1838 1839 MBEDTLS_CHECK_RETURN_CRITICAL 1840 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); 1841 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1842 int partial); 1843 1844 /* 1845 * Send pending alert 1846 */ 1847 MBEDTLS_CHECK_RETURN_CRITICAL 1848 int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl); 1849 1850 /* 1851 * Set pending fatal alert flag. 1852 */ 1853 void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl, 1854 unsigned char alert_type, 1855 int alert_reason); 1856 1857 /* Alias of mbedtls_ssl_pend_fatal_alert */ 1858 #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \ 1859 mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value) 1860 1861 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1862 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl); 1863 #endif 1864 1865 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl); 1866 1867 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1868 MBEDTLS_CHECK_RETURN_CRITICAL 1869 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl); 1870 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1871 1872 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1873 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl); 1874 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl); 1875 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight); 1876 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1877 1878 /** 1879 * ssl utils functions for checking configuration. 1880 */ 1881 1882 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1883 static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf) 1884 { 1885 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1886 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1887 } 1888 1889 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1890 1891 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1892 static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf) 1893 { 1894 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1895 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2; 1896 } 1897 1898 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1899 1900 static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf) 1901 { 1902 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1903 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && 1904 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3; 1905 #else 1906 ((void) conf); 1907 return 0; 1908 #endif 1909 } 1910 1911 static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf) 1912 { 1913 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1914 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 && 1915 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2; 1916 #else 1917 ((void) conf); 1918 return 0; 1919 #endif 1920 } 1921 1922 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1923 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf) 1924 { 1925 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1926 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1927 } 1928 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */ 1929 1930 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1931 1932 /** \brief Initialize the PSA crypto subsystem if necessary. 1933 * 1934 * Call this function before doing any cryptography in a TLS 1.3 handshake. 1935 * 1936 * This is necessary in Mbed TLS 3.x for backward compatibility. 1937 * Up to Mbed TLS 3.5, in the default configuration, you could perform 1938 * a TLS connection with default parameters without having called 1939 * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and 1940 * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if 1941 * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default 1942 * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled 1943 * by default, and the TLS 1.3 layer uses PSA crypto. This means that 1944 * applications that are not otherwise using PSA crypto and that worked 1945 * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to 1946 * a peer that supports TLS 1.3. See 1947 * https://github.com/Mbed-TLS/mbedtls/issues/9072 1948 */ 1949 int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl); 1950 1951 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ 1952 MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 1953 MBEDTLS_CHECK_RETURN_CRITICAL 1954 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl); 1955 MBEDTLS_CHECK_RETURN_CRITICAL 1956 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl); 1957 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl); 1958 1959 /** 1960 * \brief Given an SSL context and its associated configuration, write the TLS 1961 * 1.3 specific extensions of the ClientHello message. 1962 * 1963 * \param[in] ssl SSL context 1964 * \param[in] buf Base address of the buffer where to write the extensions 1965 * \param[in] end End address of the buffer where to write the extensions 1966 * \param[out] out_len Length of the data written into the buffer \p buf 1967 */ 1968 MBEDTLS_CHECK_RETURN_CRITICAL 1969 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, 1970 unsigned char *buf, 1971 unsigned char *end, 1972 size_t *out_len); 1973 1974 /** 1975 * \brief TLS 1.3 client side state machine entry 1976 * 1977 * \param ssl SSL context 1978 */ 1979 MBEDTLS_CHECK_RETURN_CRITICAL 1980 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl); 1981 1982 /** 1983 * \brief TLS 1.3 server side state machine entry 1984 * 1985 * \param ssl SSL context 1986 */ 1987 MBEDTLS_CHECK_RETURN_CRITICAL 1988 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl); 1989 1990 1991 /* 1992 * Helper functions around key exchange modes. 1993 */ 1994 static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl, 1995 int kex_mode_mask) 1996 { 1997 return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0; 1998 } 1999 2000 static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl) 2001 { 2002 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2003 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 2004 } 2005 2006 static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl) 2007 { 2008 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2009 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 2010 } 2011 2012 static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl) 2013 { 2014 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2015 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 2016 } 2017 2018 static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl) 2019 { 2020 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2021 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2022 } 2023 2024 static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl) 2025 { 2026 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2027 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2028 } 2029 2030 #if defined(MBEDTLS_SSL_SRV_C) && \ 2031 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2032 /** 2033 * Given a list of key exchange modes, check if at least one of them is 2034 * supported by peer. 2035 * 2036 * \param[in] ssl SSL context 2037 * \param kex_modes_mask Mask of the key exchange modes to check 2038 * 2039 * \return Non-zero if at least one of the key exchange modes is supported by 2040 * the peer, otherwise \c 0. 2041 */ 2042 static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl, 2043 int kex_modes_mask) 2044 { 2045 return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0; 2046 } 2047 2048 static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl) 2049 { 2050 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2051 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 2052 } 2053 2054 static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported( 2055 mbedtls_ssl_context *ssl) 2056 { 2057 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2058 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 2059 } 2060 2061 static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl) 2062 { 2063 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2064 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 2065 } 2066 2067 static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl) 2068 { 2069 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2070 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2071 } 2072 2073 static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl) 2074 { 2075 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2076 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2077 } 2078 #endif /* MBEDTLS_SSL_SRV_C && 2079 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2080 2081 /* 2082 * Helper functions for extensions checking. 2083 */ 2084 2085 MBEDTLS_CHECK_RETURN_CRITICAL 2086 int mbedtls_ssl_tls13_check_received_extension( 2087 mbedtls_ssl_context *ssl, 2088 int hs_msg_type, 2089 unsigned int received_extension_type, 2090 uint32_t hs_msg_allowed_extensions_mask); 2091 2092 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( 2093 mbedtls_ssl_context *ssl, unsigned int extension_type) 2094 { 2095 ssl->handshake->sent_extensions |= 2096 mbedtls_ssl_get_extension_mask(extension_type); 2097 } 2098 2099 /* 2100 * Helper functions to check the selected key exchange mode. 2101 */ 2102 static inline int mbedtls_ssl_tls13_key_exchange_mode_check( 2103 mbedtls_ssl_context *ssl, int kex_mask) 2104 { 2105 return (ssl->handshake->key_exchange_mode & kex_mask) != 0; 2106 } 2107 2108 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk( 2109 mbedtls_ssl_context *ssl) 2110 { 2111 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2112 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2113 } 2114 2115 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( 2116 mbedtls_ssl_context *ssl) 2117 { 2118 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2119 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2120 } 2121 2122 /* 2123 * Fetch TLS 1.3 handshake message header 2124 */ 2125 MBEDTLS_CHECK_RETURN_CRITICAL 2126 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl, 2127 unsigned hs_type, 2128 unsigned char **buf, 2129 size_t *buf_len); 2130 2131 /** 2132 * \brief Detect if a list of extensions contains a supported_versions 2133 * extension or not. 2134 * 2135 * \param[in] ssl SSL context 2136 * \param[in] buf Address of the first byte of the extensions vector. 2137 * \param[in] end End of the buffer containing the list of extensions. 2138 * \param[out] supported_versions_data If the extension is present, address of 2139 * its first byte of data, NULL otherwise. 2140 * \param[out] supported_versions_data_end If the extension is present, address 2141 * of the first byte immediately 2142 * following the extension data, NULL 2143 * otherwise. 2144 * \return 0 if the list of extensions does not contain a supported_versions 2145 * extension. 2146 * \return 1 if the list of extensions contains a supported_versions 2147 * extension. 2148 * \return A negative value if an error occurred while parsing the 2149 * extensions. 2150 */ 2151 MBEDTLS_CHECK_RETURN_CRITICAL 2152 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts( 2153 mbedtls_ssl_context *ssl, 2154 const unsigned char *buf, const unsigned char *end, 2155 const unsigned char **supported_versions_data, 2156 const unsigned char **supported_versions_data_end); 2157 2158 /* 2159 * Handler of TLS 1.3 server certificate message 2160 */ 2161 MBEDTLS_CHECK_RETURN_CRITICAL 2162 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl); 2163 2164 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2165 /* 2166 * Handler of TLS 1.3 write Certificate message 2167 */ 2168 MBEDTLS_CHECK_RETURN_CRITICAL 2169 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl); 2170 2171 /* 2172 * Handler of TLS 1.3 write Certificate Verify message 2173 */ 2174 MBEDTLS_CHECK_RETURN_CRITICAL 2175 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl); 2176 2177 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2178 2179 /* 2180 * Generic handler of Certificate Verify 2181 */ 2182 MBEDTLS_CHECK_RETURN_CRITICAL 2183 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl); 2184 2185 /* 2186 * Write of dummy-CCS's for middlebox compatibility 2187 */ 2188 MBEDTLS_CHECK_RETURN_CRITICAL 2189 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl); 2190 2191 MBEDTLS_CHECK_RETURN_CRITICAL 2192 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl); 2193 2194 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) 2195 MBEDTLS_CHECK_RETURN_CRITICAL 2196 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange( 2197 mbedtls_ssl_context *ssl, 2198 uint16_t named_group, 2199 unsigned char *buf, 2200 unsigned char *end, 2201 size_t *out_len); 2202 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ 2203 2204 #if defined(MBEDTLS_SSL_EARLY_DATA) 2205 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, 2206 int in_new_session_ticket, 2207 unsigned char *buf, 2208 const unsigned char *end, 2209 size_t *out_len); 2210 2211 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, 2212 size_t early_data_len); 2213 2214 typedef enum { 2215 /* 2216 * The client has not sent the first ClientHello yet, the negotiation of early 2217 * data has not started yet. 2218 */ 2219 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE, 2220 2221 /* 2222 * In its ClientHello, the client has not included an early data indication 2223 * extension. 2224 */ 2225 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT, 2226 2227 /* 2228 * The client has sent an early data indication extension in its first 2229 * ClientHello, it has not received the response (ServerHello or 2230 * HelloRetryRequest) from the server yet. The transform to protect early data 2231 * is not set either as for middlebox compatibility a dummy CCS may have to be 2232 * sent in clear. Early data cannot be sent to the server yet. 2233 */ 2234 MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT, 2235 2236 /* 2237 * The client has sent an early data indication extension in its first 2238 * ClientHello, it has not received the response (ServerHello or 2239 * HelloRetryRequest) from the server yet. The transform to protect early data 2240 * has been set and early data can be written now. 2241 */ 2242 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE, 2243 2244 /* 2245 * The client has indicated the use of early data and the server has accepted 2246 * it. 2247 */ 2248 MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED, 2249 2250 /* 2251 * The client has indicated the use of early data but the server has rejected 2252 * it. 2253 */ 2254 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED, 2255 2256 /* 2257 * The client has sent an early data indication extension in its first 2258 * ClientHello, the server has accepted them and the client has received the 2259 * server Finished message. It cannot send early data to the server anymore. 2260 */ 2261 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED, 2262 2263 } mbedtls_ssl_early_data_state; 2264 #endif /* MBEDTLS_SSL_EARLY_DATA */ 2265 2266 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2267 2268 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2269 /* 2270 * Write Signature Algorithm extension 2271 */ 2272 MBEDTLS_CHECK_RETURN_CRITICAL 2273 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 2274 const unsigned char *end, size_t *out_len); 2275 /* 2276 * Parse TLS Signature Algorithm extension 2277 */ 2278 MBEDTLS_CHECK_RETURN_CRITICAL 2279 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 2280 const unsigned char *buf, 2281 const unsigned char *end); 2282 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2283 2284 /* Get handshake transcript */ 2285 MBEDTLS_CHECK_RETURN_CRITICAL 2286 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 2287 const mbedtls_md_type_t md, 2288 unsigned char *dst, 2289 size_t dst_len, 2290 size_t *olen); 2291 2292 /* 2293 * Return supported groups. 2294 * 2295 * In future, invocations can be changed to ssl->conf->group_list 2296 * when mbedtls_ssl_conf_curves() is deleted. 2297 * 2298 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group 2299 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to 2300 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked. 2301 * 2302 */ 2303 static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl) 2304 { 2305 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C) 2306 return ssl->conf->group_list; 2307 #else 2308 if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) { 2309 return ssl->handshake->group_list; 2310 } else { 2311 return ssl->conf->group_list; 2312 } 2313 #endif 2314 } 2315 2316 /* 2317 * Helper functions for NamedGroup. 2318 */ 2319 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) 2320 { 2321 /* 2322 * RFC 8422 section 5.1.1 2323 */ 2324 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2325 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 || 2326 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 || 2327 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 || 2328 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 || 2329 /* Below deprecated curves should be removed with notice to users */ 2330 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || 2331 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || 2332 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 || 2333 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 || 2334 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || 2335 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2336 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2337 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1; 2338 } 2339 2340 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group) 2341 { 2342 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2343 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2344 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2345 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 || 2346 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448; 2347 } 2348 2349 static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group) 2350 { 2351 return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 && 2352 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192; 2353 } 2354 2355 static inline int mbedtls_ssl_named_group_is_offered( 2356 const mbedtls_ssl_context *ssl, uint16_t named_group) 2357 { 2358 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 2359 2360 if (group_list == NULL) { 2361 return 0; 2362 } 2363 2364 for (; *group_list != 0; group_list++) { 2365 if (*group_list == named_group) { 2366 return 1; 2367 } 2368 } 2369 2370 return 0; 2371 } 2372 2373 static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group) 2374 { 2375 #if defined(PSA_WANT_ALG_ECDH) 2376 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) { 2377 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) != 2378 MBEDTLS_ECP_DP_NONE) { 2379 return 1; 2380 } 2381 } 2382 #endif 2383 #if defined(PSA_WANT_ALG_FFDH) 2384 if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) { 2385 return 1; 2386 } 2387 #endif 2388 #if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH) 2389 (void) named_group; 2390 #endif 2391 return 0; 2392 } 2393 2394 /* 2395 * Return supported signature algorithms. 2396 * 2397 * In future, invocations can be changed to ssl->conf->sig_algs when 2398 * mbedtls_ssl_conf_sig_hashes() is deleted. 2399 * 2400 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS 2401 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been 2402 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has 2403 * been more recently invoked. 2404 * 2405 */ 2406 static inline const void *mbedtls_ssl_get_sig_algs( 2407 const mbedtls_ssl_context *ssl) 2408 { 2409 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2410 2411 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2412 if (ssl->handshake != NULL && 2413 ssl->handshake->sig_algs_heap_allocated == 1 && 2414 ssl->handshake->sig_algs != NULL) { 2415 return ssl->handshake->sig_algs; 2416 } 2417 #endif 2418 return ssl->conf->sig_algs; 2419 2420 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2421 2422 ((void) ssl); 2423 return NULL; 2424 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2425 } 2426 2427 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2428 static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl, 2429 uint16_t own_sig_alg) 2430 { 2431 const uint16_t *sig_alg = ssl->handshake->received_sig_algs; 2432 if (sig_alg == NULL) { 2433 return 0; 2434 } 2435 2436 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2437 if (*sig_alg == own_sig_alg) { 2438 return 1; 2439 } 2440 } 2441 return 0; 2442 } 2443 2444 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2445 const uint16_t sig_alg) 2446 { 2447 switch (sig_alg) { 2448 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 2449 #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256) 2450 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: 2451 break; 2452 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 2453 #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384) 2454 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: 2455 break; 2456 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 2457 #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521) 2458 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: 2459 break; 2460 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 2461 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ 2462 2463 #if defined(MBEDTLS_PKCS1_V21) 2464 #if defined(PSA_WANT_ALG_SHA_256) 2465 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2466 break; 2467 #endif /* PSA_WANT_ALG_SHA_256 */ 2468 #if defined(PSA_WANT_ALG_SHA_384) 2469 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2470 break; 2471 #endif /* PSA_WANT_ALG_SHA_384 */ 2472 #if defined(PSA_WANT_ALG_SHA_512) 2473 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2474 break; 2475 #endif /* PSA_WANT_ALG_SHA_512 */ 2476 #endif /* MBEDTLS_PKCS1_V21 */ 2477 default: 2478 return 0; 2479 } 2480 return 1; 2481 2482 } 2483 2484 static inline int mbedtls_ssl_tls13_sig_alg_is_supported( 2485 const uint16_t sig_alg) 2486 { 2487 switch (sig_alg) { 2488 #if defined(MBEDTLS_PKCS1_V15) 2489 #if defined(MBEDTLS_MD_CAN_SHA256) 2490 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: 2491 break; 2492 #endif /* MBEDTLS_MD_CAN_SHA256 */ 2493 #if defined(MBEDTLS_MD_CAN_SHA384) 2494 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: 2495 break; 2496 #endif /* MBEDTLS_MD_CAN_SHA384 */ 2497 #if defined(MBEDTLS_MD_CAN_SHA512) 2498 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: 2499 break; 2500 #endif /* MBEDTLS_MD_CAN_SHA512 */ 2501 #endif /* MBEDTLS_PKCS1_V15 */ 2502 default: 2503 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2504 sig_alg); 2505 } 2506 return 1; 2507 } 2508 2509 MBEDTLS_CHECK_RETURN_CRITICAL 2510 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg, 2511 mbedtls_pk_context *key); 2512 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2513 2514 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2515 static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, 2516 uint16_t proposed_sig_alg) 2517 { 2518 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 2519 if (sig_alg == NULL) { 2520 return 0; 2521 } 2522 2523 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2524 if (*sig_alg == proposed_sig_alg) { 2525 return 1; 2526 } 2527 } 2528 return 0; 2529 } 2530 2531 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 2532 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) 2533 { 2534 *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); 2535 *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); 2536 2537 if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { 2538 return 0; 2539 } 2540 2541 switch (sig_alg) { 2542 #if defined(MBEDTLS_PKCS1_V21) 2543 #if defined(MBEDTLS_MD_CAN_SHA256) 2544 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2545 *md_alg = MBEDTLS_MD_SHA256; 2546 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2547 break; 2548 #endif /* MBEDTLS_MD_CAN_SHA256 */ 2549 #if defined(MBEDTLS_MD_CAN_SHA384) 2550 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2551 *md_alg = MBEDTLS_MD_SHA384; 2552 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2553 break; 2554 #endif /* MBEDTLS_MD_CAN_SHA384 */ 2555 #if defined(MBEDTLS_MD_CAN_SHA512) 2556 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2557 *md_alg = MBEDTLS_MD_SHA512; 2558 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2559 break; 2560 #endif /* MBEDTLS_MD_CAN_SHA512 */ 2561 #endif /* MBEDTLS_PKCS1_V21 */ 2562 default: 2563 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2564 } 2565 return 0; 2566 } 2567 2568 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2569 static inline int mbedtls_ssl_tls12_sig_alg_is_supported( 2570 const uint16_t sig_alg) 2571 { 2572 /* High byte is hash */ 2573 unsigned char hash = MBEDTLS_BYTE_1(sig_alg); 2574 unsigned char sig = MBEDTLS_BYTE_0(sig_alg); 2575 2576 switch (hash) { 2577 #if defined(MBEDTLS_MD_CAN_MD5) 2578 case MBEDTLS_SSL_HASH_MD5: 2579 break; 2580 #endif 2581 2582 #if defined(MBEDTLS_MD_CAN_SHA1) 2583 case MBEDTLS_SSL_HASH_SHA1: 2584 break; 2585 #endif 2586 2587 #if defined(MBEDTLS_MD_CAN_SHA224) 2588 case MBEDTLS_SSL_HASH_SHA224: 2589 break; 2590 #endif 2591 2592 #if defined(MBEDTLS_MD_CAN_SHA256) 2593 case MBEDTLS_SSL_HASH_SHA256: 2594 break; 2595 #endif 2596 2597 #if defined(MBEDTLS_MD_CAN_SHA384) 2598 case MBEDTLS_SSL_HASH_SHA384: 2599 break; 2600 #endif 2601 2602 #if defined(MBEDTLS_MD_CAN_SHA512) 2603 case MBEDTLS_SSL_HASH_SHA512: 2604 break; 2605 #endif 2606 2607 default: 2608 return 0; 2609 } 2610 2611 switch (sig) { 2612 #if defined(MBEDTLS_RSA_C) 2613 case MBEDTLS_SSL_SIG_RSA: 2614 break; 2615 #endif 2616 2617 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 2618 case MBEDTLS_SSL_SIG_ECDSA: 2619 break; 2620 #endif 2621 2622 default: 2623 return 0; 2624 } 2625 2626 return 1; 2627 } 2628 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2629 2630 static inline int mbedtls_ssl_sig_alg_is_supported( 2631 const mbedtls_ssl_context *ssl, 2632 const uint16_t sig_alg) 2633 { 2634 2635 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2636 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2637 return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg); 2638 } 2639 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2640 2641 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2642 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2643 return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg); 2644 } 2645 #endif 2646 ((void) ssl); 2647 ((void) sig_alg); 2648 return 0; 2649 } 2650 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2651 2652 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2653 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. 2654 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is 2655 * guaranteed to not be a valid PSA algorithm identifier. 2656 */ 2657 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000 2658 2659 /** 2660 * \brief Translate mbedtls cipher type/taglen pair to psa: 2661 * algorithm, key type and key size. 2662 * 2663 * \param mbedtls_cipher_type [in] given mbedtls cipher type 2664 * \param taglen [in] given tag length 2665 * 0 - default tag length 2666 * \param alg [out] corresponding PSA alg 2667 * There is no corresponding PSA 2668 * alg for MBEDTLS_CIPHER_NULL, so 2669 * in this case MBEDTLS_SSL_NULL_CIPHER 2670 * is returned via this parameter 2671 * \param key_type [out] corresponding PSA key type 2672 * \param key_size [out] corresponding PSA key size 2673 * 2674 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if 2675 * conversion is not supported. 2676 */ 2677 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2678 size_t taglen, 2679 psa_algorithm_t *alg, 2680 psa_key_type_t *key_type, 2681 size_t *key_size); 2682 2683 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2684 /** 2685 * \brief Convert given PSA status to mbedtls error code. 2686 * 2687 * \param status [in] given PSA status 2688 * 2689 * \return corresponding mbedtls error code 2690 */ 2691 static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status) 2692 { 2693 switch (status) { 2694 case PSA_SUCCESS: 2695 return 0; 2696 case PSA_ERROR_INSUFFICIENT_MEMORY: 2697 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2698 case PSA_ERROR_NOT_SUPPORTED: 2699 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2700 case PSA_ERROR_INVALID_SIGNATURE: 2701 return MBEDTLS_ERR_SSL_INVALID_MAC; 2702 case PSA_ERROR_INVALID_ARGUMENT: 2703 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2704 case PSA_ERROR_BAD_STATE: 2705 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2706 case PSA_ERROR_BUFFER_TOO_SMALL: 2707 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 2708 default: 2709 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 2710 } 2711 } 2712 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2713 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2714 2715 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 2716 defined(MBEDTLS_USE_PSA_CRYPTO) 2717 2718 typedef enum { 2719 MBEDTLS_ECJPAKE_ROUND_ONE, 2720 MBEDTLS_ECJPAKE_ROUND_TWO 2721 } mbedtls_ecjpake_rounds_t; 2722 2723 /** 2724 * \brief Parse the provided input buffer for getting the first round 2725 * of key exchange. This code is common between server and client 2726 * 2727 * \param pake_ctx [in] the PAKE's operation/context structure 2728 * \param buf [in] input buffer to parse 2729 * \param len [in] length of the input buffer 2730 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2731 * MBEDTLS_ECJPAKE_ROUND_TWO 2732 * 2733 * \return 0 on success or a negative error code in case of failure 2734 */ 2735 int mbedtls_psa_ecjpake_read_round( 2736 psa_pake_operation_t *pake_ctx, 2737 const unsigned char *buf, 2738 size_t len, mbedtls_ecjpake_rounds_t round); 2739 2740 /** 2741 * \brief Write the first round of key exchange into the provided output 2742 * buffer. This code is common between server and client 2743 * 2744 * \param pake_ctx [in] the PAKE's operation/context structure 2745 * \param buf [out] the output buffer in which data will be written to 2746 * \param len [in] length of the output buffer 2747 * \param olen [out] the length of the data really written on the buffer 2748 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2749 * MBEDTLS_ECJPAKE_ROUND_TWO 2750 * 2751 * \return 0 on success or a negative error code in case of failure 2752 */ 2753 int mbedtls_psa_ecjpake_write_round( 2754 psa_pake_operation_t *pake_ctx, 2755 unsigned char *buf, 2756 size_t len, size_t *olen, 2757 mbedtls_ecjpake_rounds_t round); 2758 2759 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 2760 2761 /** 2762 * \brief TLS record protection modes 2763 */ 2764 typedef enum { 2765 MBEDTLS_SSL_MODE_STREAM = 0, 2766 MBEDTLS_SSL_MODE_CBC, 2767 MBEDTLS_SSL_MODE_CBC_ETM, 2768 MBEDTLS_SSL_MODE_AEAD 2769 } mbedtls_ssl_mode_t; 2770 2771 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2772 const mbedtls_ssl_transform *transform); 2773 2774 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2775 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2776 int encrypt_then_mac, 2777 const mbedtls_ssl_ciphersuite_t *suite); 2778 #else 2779 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2780 const mbedtls_ssl_ciphersuite_t *suite); 2781 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2782 2783 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) 2784 2785 MBEDTLS_CHECK_RETURN_CRITICAL 2786 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl, 2787 const unsigned char *buf, 2788 size_t buf_len); 2789 2790 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ 2791 2792 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered( 2793 mbedtls_ssl_context *ssl, int cipher_suite) 2794 { 2795 const int *ciphersuite_list = ssl->conf->ciphersuite_list; 2796 2797 /* Check whether we have offered this ciphersuite */ 2798 for (size_t i = 0; ciphersuite_list[i] != 0; i++) { 2799 if (ciphersuite_list[i] == cipher_suite) { 2800 return 1; 2801 } 2802 } 2803 return 0; 2804 } 2805 2806 /** 2807 * \brief Validate cipher suite against config in SSL context. 2808 * 2809 * \param ssl SSL context 2810 * \param suite_info Cipher suite to validate 2811 * \param min_tls_version Minimal TLS version to accept a cipher suite 2812 * \param max_tls_version Maximal TLS version to accept a cipher suite 2813 * 2814 * \return 0 if valid, negative value otherwise. 2815 */ 2816 MBEDTLS_CHECK_RETURN_CRITICAL 2817 int mbedtls_ssl_validate_ciphersuite( 2818 const mbedtls_ssl_context *ssl, 2819 const mbedtls_ssl_ciphersuite_t *suite_info, 2820 mbedtls_ssl_protocol_version min_tls_version, 2821 mbedtls_ssl_protocol_version max_tls_version); 2822 2823 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2824 MBEDTLS_CHECK_RETURN_CRITICAL 2825 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 2826 const unsigned char *buf, 2827 const unsigned char *end); 2828 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2829 2830 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 2831 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2) 2832 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */ 2833 2834 MBEDTLS_CHECK_RETURN_CRITICAL 2835 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl, 2836 const unsigned char *buf, 2837 const unsigned char *end); 2838 2839 MBEDTLS_CHECK_RETURN_CRITICAL 2840 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl, 2841 unsigned char *buf, 2842 const unsigned char *end, 2843 size_t *out_len); 2844 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 2845 2846 #if defined(MBEDTLS_SSL_ALPN) 2847 MBEDTLS_CHECK_RETURN_CRITICAL 2848 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 2849 const unsigned char *buf, 2850 const unsigned char *end); 2851 2852 2853 MBEDTLS_CHECK_RETURN_CRITICAL 2854 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 2855 unsigned char *buf, 2856 unsigned char *end, 2857 size_t *out_len); 2858 #endif /* MBEDTLS_SSL_ALPN */ 2859 2860 #if defined(MBEDTLS_TEST_HOOKS) 2861 int mbedtls_ssl_check_dtls_clihlo_cookie( 2862 mbedtls_ssl_context *ssl, 2863 const unsigned char *cli_id, size_t cli_id_len, 2864 const unsigned char *in, size_t in_len, 2865 unsigned char *obuf, size_t buf_len, size_t *olen); 2866 #endif 2867 2868 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2869 /** 2870 * \brief Given an SSL context and its associated configuration, write the TLS 2871 * 1.3 specific Pre-Shared key extension. 2872 * 2873 * \param[in] ssl SSL context 2874 * \param[in] buf Base address of the buffer where to write the extension 2875 * \param[in] end End address of the buffer where to write the extension 2876 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data 2877 * written into the buffer \p buf by this function plus 2878 * the length of the binders to be written. 2879 * \param[out] binders_len Length of the binders to be written at the end of 2880 * the extension. 2881 */ 2882 MBEDTLS_CHECK_RETURN_CRITICAL 2883 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( 2884 mbedtls_ssl_context *ssl, 2885 unsigned char *buf, unsigned char *end, 2886 size_t *out_len, size_t *binders_len); 2887 2888 /** 2889 * \brief Given an SSL context and its associated configuration, write the TLS 2890 * 1.3 specific Pre-Shared key extension binders at the end of the 2891 * ClientHello. 2892 * 2893 * \param[in] ssl SSL context 2894 * \param[in] buf Base address of the buffer where to write the binders 2895 * \param[in] end End address of the buffer where to write the binders 2896 */ 2897 MBEDTLS_CHECK_RETURN_CRITICAL 2898 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( 2899 mbedtls_ssl_context *ssl, 2900 unsigned char *buf, unsigned char *end); 2901 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2902 2903 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2904 /** Get the host name from the SSL context. 2905 * 2906 * \param[in] ssl SSL context 2907 * 2908 * \return The \p hostname pointer from the SSL context. 2909 * \c NULL if mbedtls_ssl_set_hostname() has never been called on 2910 * \p ssl or if it was last called with \p NULL. 2911 */ 2912 const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl); 2913 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2914 2915 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 2916 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 2917 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 2918 defined(MBEDTLS_SSL_CLI_C) 2919 MBEDTLS_CHECK_RETURN_CRITICAL 2920 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 2921 const char *hostname); 2922 #endif 2923 2924 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \ 2925 defined(MBEDTLS_SSL_ALPN) 2926 MBEDTLS_CHECK_RETURN_CRITICAL 2927 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, 2928 const char *alpn); 2929 #endif 2930 2931 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 2932 2933 #define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800) 2934 2935 static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags( 2936 mbedtls_ssl_session *session, unsigned int flags) 2937 { 2938 return session->ticket_flags & 2939 (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2940 } 2941 2942 /** 2943 * Check if at least one of the given flags is set in 2944 * the session ticket. See the definition of 2945 * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all 2946 * permitted flags. 2947 */ 2948 static inline int mbedtls_ssl_tls13_session_ticket_has_flags( 2949 mbedtls_ssl_session *session, unsigned int flags) 2950 { 2951 return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0; 2952 } 2953 2954 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk( 2955 mbedtls_ssl_session *session) 2956 { 2957 return mbedtls_ssl_tls13_session_ticket_has_flags( 2958 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION); 2959 } 2960 2961 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral( 2962 mbedtls_ssl_session *session) 2963 { 2964 return mbedtls_ssl_tls13_session_ticket_has_flags( 2965 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION); 2966 } 2967 2968 static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data( 2969 mbedtls_ssl_session *session) 2970 { 2971 return mbedtls_ssl_tls13_session_ticket_has_flags( 2972 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); 2973 } 2974 2975 static inline void mbedtls_ssl_tls13_session_set_ticket_flags( 2976 mbedtls_ssl_session *session, unsigned int flags) 2977 { 2978 session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2979 } 2980 2981 static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( 2982 mbedtls_ssl_session *session, unsigned int flags) 2983 { 2984 session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2985 } 2986 2987 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 2988 2989 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 2990 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0 2991 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1 2992 2993 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \ 2994 (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT) 2995 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \ 2996 (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT) 2997 2998 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2999 static inline int mbedtls_ssl_conf_get_session_tickets( 3000 const mbedtls_ssl_config *conf) 3001 { 3002 return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ? 3003 MBEDTLS_SSL_SESSION_TICKETS_ENABLED : 3004 MBEDTLS_SSL_SESSION_TICKETS_DISABLED; 3005 } 3006 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3007 3008 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3009 static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled( 3010 const mbedtls_ssl_config *conf) 3011 { 3012 return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ? 3013 MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED : 3014 MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED; 3015 } 3016 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3017 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 3018 3019 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 3020 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl); 3021 #endif 3022 3023 #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 3024 3025 /** Compute the HMAC of variable-length data with constant flow. 3026 * 3027 * This function computes the HMAC of the concatenation of \p add_data and \p 3028 * data, and does with a code flow and memory access pattern that does not 3029 * depend on \p data_len_secret, but only on \p min_data_len and \p 3030 * max_data_len. In particular, this function always reads exactly \p 3031 * max_data_len bytes from \p data. 3032 * 3033 * \param ctx The HMAC context. It must have keys configured 3034 * with mbedtls_md_hmac_starts() and use one of the 3035 * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. 3036 * It is reset using mbedtls_md_hmac_reset() after 3037 * the computation is complete to prepare for the 3038 * next computation. 3039 * \param add_data The first part of the message whose HMAC is being 3040 * calculated. This must point to a readable buffer 3041 * of \p add_data_len bytes. 3042 * \param add_data_len The length of \p add_data in bytes. 3043 * \param data The buffer containing the second part of the 3044 * message. This must point to a readable buffer 3045 * of \p max_data_len bytes. 3046 * \param data_len_secret The length of the data to process in \p data. 3047 * This must be no less than \p min_data_len and no 3048 * greater than \p max_data_len. 3049 * \param min_data_len The minimal length of the second part of the 3050 * message, read from \p data. 3051 * \param max_data_len The maximal length of the second part of the 3052 * message, read from \p data. 3053 * \param output The HMAC will be written here. This must point to 3054 * a writable buffer of sufficient size to hold the 3055 * HMAC value. 3056 * 3057 * \retval 0 on success. 3058 * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED 3059 * The hardware accelerator failed. 3060 */ 3061 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3062 int mbedtls_ct_hmac(mbedtls_svc_key_id_t key, 3063 psa_algorithm_t mac_alg, 3064 const unsigned char *add_data, 3065 size_t add_data_len, 3066 const unsigned char *data, 3067 size_t data_len_secret, 3068 size_t min_data_len, 3069 size_t max_data_len, 3070 unsigned char *output); 3071 #else 3072 int mbedtls_ct_hmac(mbedtls_md_context_t *ctx, 3073 const unsigned char *add_data, 3074 size_t add_data_len, 3075 const unsigned char *data, 3076 size_t data_len_secret, 3077 size_t min_data_len, 3078 size_t max_data_len, 3079 unsigned char *output); 3080 #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */ 3081 #endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */ 3082 3083 #endif /* ssl_misc.h */ 3084