1/**
2 * \file ssl_internal.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6/*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 */
22#ifndef MBEDTLS_SSL_INTERNAL_H
23#define MBEDTLS_SSL_INTERNAL_H
24
25#if !defined(MBEDTLS_CONFIG_FILE)
26#include "mbedtls/config.h"
27#else
28#include MBEDTLS_CONFIG_FILE
29#endif
30
31#include "mbedtls/ssl.h"
32#include "mbedtls/cipher.h"
33
34#if defined(MBEDTLS_USE_PSA_CRYPTO)
35#include "psa/crypto.h"
36#endif
37
38#if defined(MBEDTLS_MD5_C)
39#include "mbedtls/md5.h"
40#endif
41
42#if defined(MBEDTLS_SHA1_C)
43#include "mbedtls/sha1.h"
44#endif
45
46#if defined(MBEDTLS_SHA256_C)
47#include "mbedtls/sha256.h"
48#endif
49
50#if defined(MBEDTLS_SHA512_C)
51#include "mbedtls/sha512.h"
52#endif
53
54#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
55#include "mbedtls/ecjpake.h"
56#endif
57
58#if defined(MBEDTLS_USE_PSA_CRYPTO)
59#include "psa/crypto.h"
60#include "mbedtls/psa_util.h"
61#endif /* MBEDTLS_USE_PSA_CRYPTO */
62
63#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
64 !defined(inline) && !defined(__cplusplus)
65#define inline __inline
66#endif
67
68/* Determine minimum supported version */
69#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
70
71#if defined(MBEDTLS_SSL_PROTO_SSL3)
72#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
73#else
74#if defined(MBEDTLS_SSL_PROTO_TLS1)
75#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
76#else
77#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
78#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
79#else
80#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
81#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
82#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
83#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
84#endif /* MBEDTLS_SSL_PROTO_TLS1 */
85#endif /* MBEDTLS_SSL_PROTO_SSL3 */
86
87#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
88#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
89
90/* Determine maximum supported version */
91#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
92
93#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
94#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
95#else
96#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
97#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
98#else
99#if defined(MBEDTLS_SSL_PROTO_TLS1)
100#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
101#else
102#if defined(MBEDTLS_SSL_PROTO_SSL3)
103#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
104#endif /* MBEDTLS_SSL_PROTO_SSL3 */
105#endif /* MBEDTLS_SSL_PROTO_TLS1 */
106#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
107#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
108
109/* Shorthand for restartable ECC */
110#if defined(MBEDTLS_ECP_RESTARTABLE) && \
111 defined(MBEDTLS_SSL_CLI_C) && \
112 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
113 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
114#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
115#endif
116
117#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
118#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
119#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
120#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
121
122/*
123 * DTLS retransmission states, see RFC 6347 4.2.4
124 *
125 * The SENDING state is merged in PREPARING for initial sends,
126 * but is distinct for resends.
127 *
128 * Note: initial state is wrong for server, but is not used anyway.
129 */
130#define MBEDTLS_SSL_RETRANS_PREPARING 0
131#define MBEDTLS_SSL_RETRANS_SENDING 1
132#define MBEDTLS_SSL_RETRANS_WAITING 2
133#define MBEDTLS_SSL_RETRANS_FINISHED 3
134
135/*
136 * Allow extra bytes for record, authentication and encryption overhead:
137 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
138 * and allow for a maximum of 1024 of compression expansion if
139 * enabled.
140 */
141#if defined(MBEDTLS_ZLIB_SUPPORT)
142#define MBEDTLS_SSL_COMPRESSION_ADD 1024
143#else
144#define MBEDTLS_SSL_COMPRESSION_ADD 0
145#endif
146
147/* This macro determines whether CBC is supported. */
148#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
149 (defined(MBEDTLS_AES_C) || \
150 defined(MBEDTLS_CAMELLIA_C) || \
151 defined(MBEDTLS_ARIA_C) || \
152 defined(MBEDTLS_DES_C))
153#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
154#endif
155
156/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
157 * opposed to the very different CBC construct used in SSLv3) is supported. */
158#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
159 (defined(MBEDTLS_SSL_PROTO_TLS1) || \
160 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
161 defined(MBEDTLS_SSL_PROTO_TLS1_2))
162#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
163#endif
164
165#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
166 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
167#define MBEDTLS_SSL_SOME_MODES_USE_MAC
168#endif
169
170#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
171/* Ciphersuites using HMAC */
172#if defined(MBEDTLS_SHA512_C)
173#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
174#elif defined(MBEDTLS_SHA256_C)
175#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
176#else
177#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
178#endif
179#else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
180/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
181#define MBEDTLS_SSL_MAC_ADD 16
182#endif
183
184#if defined(MBEDTLS_CIPHER_MODE_CBC)
185#define MBEDTLS_SSL_PADDING_ADD 256
186#else
187#define MBEDTLS_SSL_PADDING_ADD 0
188#endif
189
190#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
191#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY
192#else
193#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
194#endif
195
196#define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_SSL_COMPRESSION_ADD + \
197 MBEDTLS_MAX_IV_LENGTH + \
198 MBEDTLS_SSL_MAC_ADD + \
199 MBEDTLS_SSL_PADDING_ADD + \
200 MBEDTLS_SSL_MAX_CID_EXPANSION \
201 )
202
203#define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
204 (MBEDTLS_SSL_IN_CONTENT_LEN))
205
206#define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
207 (MBEDTLS_SSL_OUT_CONTENT_LEN))
208
209/* The maximum number of buffered handshake messages. */
210#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
211
212/* Maximum length we can advertise as our max content length for
213 RFC 6066 max_fragment_length extension negotiation purposes
214 (the lesser of both sizes, if they are unequal.)
215 */
216#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
217 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
218 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
219 : (MBEDTLS_SSL_IN_CONTENT_LEN) \
220 )
221
222/* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
223#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
224
225/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
226#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
227
228/*
229 * Check that we obey the standard's message size bounds
230 */
231
232#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
233#error "Bad configuration - record content too large."
234#endif
235
236#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
237#error \
238 "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
239#endif
240
241#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
242#error \
243 "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
244#endif
245
246#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
247#error "Bad configuration - incoming protected record payload too large."
248#endif
249
250#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
251#error "Bad configuration - outgoing protected record payload too large."
252#endif
253
254/* Calculate buffer sizes */
255
256/* Note: Even though the TLS record header is only 5 bytes
257 long, we're internally using 8 bytes to store the
258 implicit sequence number. */
259#define MBEDTLS_SSL_HEADER_LEN 13
260
261#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
262#define MBEDTLS_SSL_IN_BUFFER_LEN \
263 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
264#else
265#define MBEDTLS_SSL_IN_BUFFER_LEN \
266 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
267 + (MBEDTLS_SSL_CID_IN_LEN_MAX))
268#endif
269
270#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
271#define MBEDTLS_SSL_OUT_BUFFER_LEN \
272 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
273#else
274#define MBEDTLS_SSL_OUT_BUFFER_LEN \
275 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
276 + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
277#endif
278
279#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
280static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
281{
282#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
283 return mbedtls_ssl_get_output_max_frag_len(ctx)
284 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
285 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
286#else
287 return mbedtls_ssl_get_output_max_frag_len(ctx)
288 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
289#endif
290}
291
292static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
293{
294#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
295 return mbedtls_ssl_get_input_max_frag_len(ctx)
296 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
297 + MBEDTLS_SSL_CID_IN_LEN_MAX;
298#else
299 return mbedtls_ssl_get_input_max_frag_len(ctx)
300 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
301#endif
302}
303#endif
304
305#ifdef MBEDTLS_ZLIB_SUPPORT
306/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
307#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
308 (MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN) \
309 ? MBEDTLS_SSL_IN_BUFFER_LEN \
310 : MBEDTLS_SSL_OUT_BUFFER_LEN \
311 )
312#endif
313
314/*
315 * TLS extension flags (for extensions with outgoing ServerHello content
316 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
317 * of state of the renegotiation flag, so no indicator is required)
318 */
319#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
320#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
321
322/**
323 * \brief This function checks if the remaining size in a buffer is
324 * greater or equal than a needed space.
325 *
326 * \param cur Pointer to the current position in the buffer.
327 * \param end Pointer to one past the end of the buffer.
328 * \param need Needed space in bytes.
329 *
330 * \return Zero if the needed space is available in the buffer, non-zero
331 * otherwise.
332 */
333static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
334 const uint8_t *end, size_t need)
335{
336 return (cur > end) || (need > (size_t) (end - cur));
337}
338
339/**
340 * \brief This macro checks if the remaining size in a buffer is
341 * greater or equal than a needed space. If it is not the case,
342 * it returns an SSL_BUFFER_TOO_SMALL error.
343 *
344 * \param cur Pointer to the current position in the buffer.
345 * \param end Pointer to one past the end of the buffer.
346 * \param need Needed space in bytes.
347 *
348 */
349#define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
350 do { \
351 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
352 { \
353 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
354 } \
355 } while (0)
356
357#ifdef __cplusplus
358extern "C" {
359#endif
360
361#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
362 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
363/*
364 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
365 */
366struct mbedtls_ssl_sig_hash_set_t {
367 /* At the moment, we only need to remember a single suitable
368 * hash algorithm per signature algorithm. As long as that's
369 * the case - and we don't need a general lookup function -
370 * we can implement the sig-hash-set as a map from signatures
371 * to hash algorithms. */
372 mbedtls_md_type_t rsa;
373 mbedtls_md_type_t ecdsa;
374};
375#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
376 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
377
378typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
379 const char *label,
380 const unsigned char *random, size_t rlen,
381 unsigned char *dstbuf, size_t dlen);
382
383/* cipher.h exports the maximum IV, key and block length from
384 * all ciphers enabled in the config, regardless of whether those
385 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
386 * in the default configuration and uses 64 Byte keys, but it is
387 * not used for record protection in SSL/TLS.
388 *
389 * In order to prevent unnecessary inflation of key structures,
390 * we introduce SSL-specific variants of the max-{key,block,IV}
391 * macros here which are meant to only take those ciphers into
392 * account which can be negotiated in SSL/TLS.
393 *
394 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
395 * in cipher.h are rough overapproximations of the real maxima, here
396 * we content ourselves with replicating those overapproximations
397 * for the maximum block and IV length, and excluding XTS from the
398 * computation of the maximum key length. */
399#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
400#define MBEDTLS_SSL_MAX_IV_LENGTH 16
401#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
402
403/**
404 * \brief The data structure holding the cryptographic material (key and IV)
405 * used for record protection in TLS 1.3.
406 */
407struct mbedtls_ssl_key_set {
408 /*! The key for client->server records. */
409 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
410 /*! The key for server->client records. */
411 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
412 /*! The IV for client->server records. */
413 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
414 /*! The IV for server->client records. */
415 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
416
417 size_t key_len; /*!< The length of client_write_key and
418 * server_write_key, in Bytes. */
419 size_t iv_len; /*!< The length of client_write_iv and
420 * server_write_iv, in Bytes. */
421};
422typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
423
424/*
425 * This structure contains the parameters only needed during handshake.
426 */
427struct mbedtls_ssl_handshake_params {
428 /*
429 * Handshake specific crypto variables
430 */
431
432 uint8_t max_major_ver; /*!< max. major version client*/
433 uint8_t max_minor_ver; /*!< max. minor version client*/
434 uint8_t resume; /*!< session resume indicator*/
435 uint8_t cli_exts; /*!< client extension presence*/
436
437#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
438 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
439 uint8_t sni_authmode; /*!< authmode from SNI callback */
440#endif
441
442#if defined(MBEDTLS_SSL_SESSION_TICKETS)
443 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
444#endif /* MBEDTLS_SSL_SESSION_TICKETS */
445
446#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
447 uint8_t extended_ms; /*!< use Extended Master Secret? */
448#endif
449
450#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
451 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
452#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
453
454#if defined(MBEDTLS_SSL_PROTO_DTLS)
455 unsigned char retransmit_state; /*!< Retransmission state */
456#endif
457
458#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
459 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
460 enum { /* this complements ssl->state with info on intra-state operations */
461 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
462 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
463 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
464 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
465 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
466 } ecrs_state; /*!< current (or last) operation */
467 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
468 size_t ecrs_n; /*!< place for saving a length */
469#endif
470
471#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
472 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
473 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
474#endif
475
476 size_t pmslen; /*!< premaster length */
477
478 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
479
480 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
481 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
482 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
483 mbedtls_ssl_tls_prf_cb *tls_prf;
484
485#if defined(MBEDTLS_DHM_C)
486 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
487#endif
488
489/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
490 * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
491 * in functionality that access to ecdh_ctx structure is needed for
492 * MBEDTLS_ECDSA_C which does not seem correct.
493 */
494#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
495 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
496
497#if defined(MBEDTLS_USE_PSA_CRYPTO)
498 psa_key_type_t ecdh_psa_type;
499 uint16_t ecdh_bits;
500 psa_key_id_t ecdh_psa_privkey;
501 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
502 size_t ecdh_psa_peerkey_len;
503#endif /* MBEDTLS_USE_PSA_CRYPTO */
504#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
505
506#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
507 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
508#if defined(MBEDTLS_SSL_CLI_C)
509 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
510 size_t ecjpake_cache_len; /*!< Length of cached data */
511#endif
512#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
513
514#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
515 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
516 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
517#endif
518
519#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
520#if defined(MBEDTLS_USE_PSA_CRYPTO)
521 psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
522#endif /* MBEDTLS_USE_PSA_CRYPTO */
523 unsigned char *psk; /*!< PSK from the callback */
524 size_t psk_len; /*!< Length of PSK from callback */
525#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
526
527#if defined(MBEDTLS_X509_CRT_PARSE_C)
528 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
529#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
530 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
531 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
532 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
533#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
534#endif /* MBEDTLS_X509_CRT_PARSE_C */
535
536#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
537 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
538#endif
539
540#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
541 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
542 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
543#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
544
545#if defined(MBEDTLS_SSL_PROTO_DTLS)
546 struct {
547 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
548 * buffers used for message buffering. */
549
550 uint8_t seen_ccs; /*!< Indicates if a CCS message has
551 * been seen in the current flight. */
552
553 struct mbedtls_ssl_hs_buffer {
554 unsigned is_valid : 1;
555 unsigned is_fragmented : 1;
556 unsigned is_complete : 1;
557 unsigned char *data;
558 size_t data_len;
559 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
560
561 struct {
562 unsigned char *data;
563 size_t len;
564 unsigned epoch;
565 } future_record;
566
567 } buffering;
568
569 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
570 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
571
572 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
573 Srv: unused */
574 unsigned char verify_cookie_len; /*!< Cli: cookie length
575 Srv: flag for sending a cookie */
576
577 uint32_t retransmit_timeout; /*!< Current value of timeout */
578 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
579 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
580 unsigned char *cur_msg_p; /*!< Position in current message */
581 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
582 flight being received */
583 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
584 resending messages */
585 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
586 for resending messages */
587
588#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
589 /* The state of CID configuration in this handshake. */
590
591 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
592 * has been negotiated. Possible values are
593 * #MBEDTLS_SSL_CID_ENABLED and
594 * #MBEDTLS_SSL_CID_DISABLED. */
595 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
596 uint8_t peer_cid_len; /*!< The length of
597 * \c peer_cid. */
598#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
599
600 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
601#endif /* MBEDTLS_SSL_PROTO_DTLS */
602
603 /*
604 * Checksum contexts
605 */
606#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
607 defined(MBEDTLS_SSL_PROTO_TLS1_1)
608 mbedtls_md5_context fin_md5;
609 mbedtls_sha1_context fin_sha1;
610#endif
611#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
612#if defined(MBEDTLS_SHA256_C)
613#if defined(MBEDTLS_USE_PSA_CRYPTO)
614 psa_hash_operation_t fin_sha256_psa;
615#else
616 mbedtls_sha256_context fin_sha256;
617#endif
618#endif
619#if defined(MBEDTLS_SHA512_C)
620#if defined(MBEDTLS_USE_PSA_CRYPTO)
621 psa_hash_operation_t fin_sha384_psa;
622#else
623 mbedtls_sha512_context fin_sha512;
624#endif
625#endif
626#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
627
628 unsigned char randbytes[64]; /*!< random bytes */
629 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
630 /*!< premaster secret */
631
632#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
633 /** Asynchronous operation context. This field is meant for use by the
634 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
635 * mbedtls_ssl_config::f_async_decrypt_start,
636 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
637 * The library does not use it internally. */
638 void *user_async_ctx;
639#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
640};
641
642typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
643
644/*
645 * Representation of decryption/encryption transformations on records
646 *
647 * There are the following general types of record transformations:
648 * - Stream transformations (TLS versions <= 1.2 only)
649 * Transformation adding a MAC and applying a stream-cipher
650 * to the authenticated message.
651 * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
652 * In addition to the distinction of the order of encryption and
653 * authentication, there's a fundamental difference between the
654 * handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
655 * and TLS 1.0, the final IV after processing a record is used
656 * as the IV for the next record. No explicit IV is contained
657 * in an encrypted record. The IV for the first record is extracted
658 * at key extraction time. In contrast, for TLS 1.1 and 1.2, no
659 * IV is generated at key extraction time, but every encrypted
660 * record is explicitly prefixed by the IV with which it was encrypted.
661 * - AEAD transformations ([D]TLS versions >= 1.2 only)
662 * These come in two fundamentally different versions, the first one
663 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
664 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
665 * In the first transformation, the IV to be used for a record is obtained
666 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
667 * record sequence number, and explicitly prepending this sequence number
668 * to the encrypted record. In contrast, in the second transformation
669 * the IV is obtained by XOR'ing a static IV obtained at key extraction
670 * time with the 8-byte record sequence number, without prepending the
671 * latter to the encrypted record.
672 *
673 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
674 * which allows to add flexible length padding and to hide a record's true
675 * content type.
676 *
677 * In addition to type and version, the following parameters are relevant:
678 * - The symmetric cipher algorithm to be used.
679 * - The (static) encryption/decryption keys for the cipher.
680 * - For stream/CBC, the type of message digest to be used.
681 * - For stream/CBC, (static) encryption/decryption keys for the digest.
682 * - For AEAD transformations, the size (potentially 0) of an explicit,
683 * random initialization vector placed in encrypted records.
684 * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
685 * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
686 * and (if present) is combined with the explicit IV in a transformation-
687 * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
688 * - For stream/CBC, a flag determining the order of encryption and MAC.
689 * - The details of the transformation depend on the SSL/TLS version.
690 * - The length of the authentication tag.
691 *
692 * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
693 * constant across multiple encryption/decryption operations.
694 * For CBC, the implicit IV needs to be updated after each
695 * operation.
696 *
697 * The struct below refines this abstract view as follows:
698 * - The cipher underlying the transformation is managed in
699 * cipher contexts cipher_ctx_{enc/dec}, which must have the
700 * same cipher type. The mode of these cipher contexts determines
701 * the type of the transformation in the sense above: e.g., if
702 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
703 * then the transformation has type CBC resp. AEAD.
704 * - The cipher keys are never stored explicitly but
705 * are maintained within cipher_ctx_{enc/dec}.
706 * - For stream/CBC transformations, the message digest contexts
707 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
708 * are unused for AEAD transformations.
709 * - For stream/CBC transformations and versions > SSL3, the
710 * MAC keys are not stored explicitly but maintained within
711 * md_ctx_{enc/dec}.
712 * - For stream/CBC transformations and version SSL3, the MAC
713 * keys are stored explicitly in mac_enc, mac_dec and have
714 * a fixed size of 20 bytes. These fields are unused for
715 * AEAD transformations or transformations >= TLS 1.0.
716 * - For transformations using an implicit IV maintained within
717 * the transformation context, its contents are stored within
718 * iv_{enc/dec}.
719 * - The value of ivlen indicates the length of the IV.
720 * This is redundant in case of stream/CBC transformations
721 * which always use 0 resp. the cipher's block length as the
722 * IV length, but is needed for AEAD ciphers and may be
723 * different from the underlying cipher's block length
724 * in this case.
725 * - The field fixed_ivlen is nonzero for AEAD transformations only
726 * and indicates the length of the static part of the IV which is
727 * constant throughout the communication, and which is stored in
728 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
729 * Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
730 * still store IV's for continued use across multiple transformations,
731 * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
732 * not being used!
733 * - minor_ver denotes the SSL/TLS version
734 * - For stream/CBC transformations, maclen denotes the length of the
735 * authentication tag, while taglen is unused and 0.
736 * - For AEAD transformations, taglen denotes the length of the
737 * authentication tag, while maclen is unused and 0.
738 * - For CBC transformations, encrypt_then_mac determines the
739 * order of encryption and authentication. This field is unused
740 * in other transformations.
741 *
742 */
743struct mbedtls_ssl_transform {
744 /*
745 * Session specific crypto layer
746 */
747 size_t minlen; /*!< min. ciphertext length */
748 size_t ivlen; /*!< IV length */
749 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
750 size_t maclen; /*!< MAC(CBC) len */
751 size_t taglen; /*!< TAG(AEAD) len */
752
753 unsigned char iv_enc[16]; /*!< IV (encryption) */
754 unsigned char iv_dec[16]; /*!< IV (decryption) */
755
756#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
757
758#if defined(MBEDTLS_SSL_PROTO_SSL3)
759 /* Needed only for SSL v3.0 secret */
760 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
761 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
762#endif /* MBEDTLS_SSL_PROTO_SSL3 */
763
764 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
765 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
766
767#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
768 int encrypt_then_mac; /*!< flag for EtM activation */
769#endif
770
771#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
772
773 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
774 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
775 int minor_ver;
776
777#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
778 uint8_t in_cid_len;
779 uint8_t out_cid_len;
780 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
781 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
782#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
783
784 /*
785 * Session specific compression layer
786 */
787#if defined(MBEDTLS_ZLIB_SUPPORT)
788 z_stream ctx_deflate; /*!< compression context */
789 z_stream ctx_inflate; /*!< decompression context */
790#endif
791
792#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
793 /* We need the Hello random bytes in order to re-derive keys from the
794 * Master Secret and other session info, see ssl_populate_transform() */
795 unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
796#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
797};
798
799/*
800 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
801 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
802 */
803static inline int mbedtls_ssl_transform_uses_aead(
804 const mbedtls_ssl_transform *transform)
805{
806#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
807 return transform->maclen == 0 && transform->taglen != 0;
808#else
809 (void) transform;
810 return 1;
811#endif
812}
813
814/*
815 * Internal representation of record frames
816 *
817 * Instances come in two flavors:
818 * (1) Encrypted
819 * These always have data_offset = 0
820 * (2) Unencrypted
821 * These have data_offset set to the amount of
822 * pre-expansion during record protection. Concretely,
823 * this is the length of the fixed part of the explicit IV
824 * used for encryption, or 0 if no explicit IV is used
825 * (e.g. for CBC in TLS 1.0, or stream ciphers).
826 *
827 * The reason for the data_offset in the unencrypted case
828 * is to allow for in-place conversion of an unencrypted to
829 * an encrypted record. If the offset wasn't included, the
830 * encrypted content would need to be shifted afterwards to
831 * make space for the fixed IV.
832 *
833 */
834#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
835#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
836#else
837#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
838#endif
839
840typedef struct {
841 uint8_t ctr[8]; /* In TLS: The implicit record sequence number.
842 * In DTLS: The 2-byte epoch followed by
843 * the 6-byte sequence number.
844 * This is stored as a raw big endian byte array
845 * as opposed to a uint64_t because we rarely
846 * need to perform arithmetic on this, but do
847 * need it as a Byte array for the purpose of
848 * MAC computations. */
849 uint8_t type; /* The record content type. */
850 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
851 * Convert to internal presentation of versions
852 * using mbedtls_ssl_read_version() and
853 * mbedtls_ssl_write_version().
854 * Keep wire-format for MAC computations. */
855
856 unsigned char *buf; /* Memory buffer enclosing the record content */
857 size_t buf_len; /* Buffer length */
858 size_t data_offset; /* Offset of record content */
859 size_t data_len; /* Length of record content */
860
861#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
862 uint8_t cid_len; /* Length of the CID (0 if not present) */
863 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
864#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
865} mbedtls_record;
866
867#if defined(MBEDTLS_X509_CRT_PARSE_C)
868/*
869 * List of certificate + private key pairs
870 */
871struct mbedtls_ssl_key_cert {
872 mbedtls_x509_crt *cert; /*!< cert */
873 mbedtls_pk_context *key; /*!< private key */
874 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
875};
876#endif /* MBEDTLS_X509_CRT_PARSE_C */
877
878#if defined(MBEDTLS_SSL_PROTO_DTLS)
879/*
880 * List of handshake messages kept around for resending
881 */
882struct mbedtls_ssl_flight_item {
883 unsigned char *p; /*!< message, including handshake headers */
884 size_t len; /*!< length of p */
885 unsigned char type; /*!< type of the message: handshake or CCS */
886 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
887};
888#endif /* MBEDTLS_SSL_PROTO_DTLS */
889
890#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
891 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
892
893/* Find an entry in a signature-hash set matching a given hash algorithm. */
894mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t *set,
895 mbedtls_pk_type_t sig_alg);
896/* Add a signature-hash-pair to a signature-hash set */
897void mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t *set,
898 mbedtls_pk_type_t sig_alg,
899 mbedtls_md_type_t md_alg);
900/* Allow exactly one hash algorithm for each signature. */
901void mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t *set,
902 mbedtls_md_type_t md_alg);
903
904/* Setup an empty signature-hash set */
905static inline void mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t *set)
906{
907 mbedtls_ssl_sig_hash_set_const_hash(set, MBEDTLS_MD_NONE);
908}
909
910#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
911 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
912
913/**
914 * \brief Free referenced items in an SSL transform context and clear
915 * memory
916 *
917 * \param transform SSL transform context
918 */
919void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
920
921/**
922 * \brief Free referenced items in an SSL handshake context and clear
923 * memory
924 *
925 * \param ssl SSL context
926 */
927void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
928
929MBEDTLS_CHECK_RETURN_CRITICAL
930int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
931MBEDTLS_CHECK_RETURN_CRITICAL
932int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
933void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
934
935MBEDTLS_CHECK_RETURN_CRITICAL
936int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
937
938void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
939MBEDTLS_CHECK_RETURN_CRITICAL
940int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
941
942MBEDTLS_CHECK_RETURN_CRITICAL
943int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
944MBEDTLS_CHECK_RETURN_CRITICAL
945int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
946void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
947
948/**
949 * \brief Update record layer
950 *
951 * This function roughly separates the implementation
952 * of the logic of (D)TLS from the implementation
953 * of the secure transport.
954 *
955 * \param ssl The SSL context to use.
956 * \param update_hs_digest This indicates if the handshake digest
957 * should be automatically updated in case
958 * a handshake message is found.
959 *
960 * \return 0 or non-zero error code.
961 *
962 * \note A clarification on what is called 'record layer' here
963 * is in order, as many sensible definitions are possible:
964 *
965 * The record layer takes as input an untrusted underlying
966 * transport (stream or datagram) and transforms it into
967 * a serially multiplexed, secure transport, which
968 * conceptually provides the following:
969 *
970 * (1) Three datagram based, content-agnostic transports
971 * for handshake, alert and CCS messages.
972 * (2) One stream- or datagram-based transport
973 * for application data.
974 * (3) Functionality for changing the underlying transform
975 * securing the contents.
976 *
977 * The interface to this functionality is given as follows:
978 *
979 * a Updating
980 * [Currently implemented by mbedtls_ssl_read_record]
981 *
982 * Check if and on which of the four 'ports' data is pending:
983 * Nothing, a controlling datagram of type (1), or application
984 * data (2). In any case data is present, internal buffers
985 * provide access to the data for the user to process it.
986 * Consumption of type (1) datagrams is done automatically
987 * on the next update, invalidating that the internal buffers
988 * for previous datagrams, while consumption of application
989 * data (2) is user-controlled.
990 *
991 * b Reading of application data
992 * [Currently manual adaption of ssl->in_offt pointer]
993 *
994 * As mentioned in the last paragraph, consumption of data
995 * is different from the automatic consumption of control
996 * datagrams (1) because application data is treated as a stream.
997 *
998 * c Tracking availability of application data
999 * [Currently manually through decreasing ssl->in_msglen]
1000 *
1001 * For efficiency and to retain datagram semantics for
1002 * application data in case of DTLS, the record layer
1003 * provides functionality for checking how much application
1004 * data is still available in the internal buffer.
1005 *
1006 * d Changing the transformation securing the communication.
1007 *
1008 * Given an opaque implementation of the record layer in the
1009 * above sense, it should be possible to implement the logic
1010 * of (D)TLS on top of it without the need to know anything
1011 * about the record layer's internals. This is done e.g.
1012 * in all the handshake handling functions, and in the
1013 * application data reading function mbedtls_ssl_read.
1014 *
1015 * \note The above tries to give a conceptual picture of the
1016 * record layer, but the current implementation deviates
1017 * from it in some places. For example, our implementation of
1018 * the update functionality through mbedtls_ssl_read_record
1019 * discards datagrams depending on the current state, which
1020 * wouldn't fall under the record layer's responsibility
1021 * following the above definition.
1022 *
1023 */
1024MBEDTLS_CHECK_RETURN_CRITICAL
1025int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
1026 unsigned update_hs_digest);
1027MBEDTLS_CHECK_RETURN_CRITICAL
1028int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
1029
1030MBEDTLS_CHECK_RETURN_CRITICAL
1031int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl);
1032MBEDTLS_CHECK_RETURN_CRITICAL
1033int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, uint8_t force_flush);
1034MBEDTLS_CHECK_RETURN_CRITICAL
1035int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
1036
1037MBEDTLS_CHECK_RETURN_CRITICAL
1038int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
1039MBEDTLS_CHECK_RETURN_CRITICAL
1040int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
1041
1042MBEDTLS_CHECK_RETURN_CRITICAL
1043int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
1044MBEDTLS_CHECK_RETURN_CRITICAL
1045int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
1046
1047MBEDTLS_CHECK_RETURN_CRITICAL
1048int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
1049MBEDTLS_CHECK_RETURN_CRITICAL
1050int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
1051
1052void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
1053 const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
1054
1055#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1056MBEDTLS_CHECK_RETURN_CRITICAL
1057int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex);
1058
1059/**
1060 * Get the first defined PSK by order of precedence:
1061 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1062 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1063 * Return a code and update the pair (PSK, PSK length) passed to this function
1064 */
1065static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
1066 const unsigned char **psk, size_t *psk_len)
1067{
1068 if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
1069 *psk = ssl->handshake->psk;
1070 *psk_len = ssl->handshake->psk_len;
1071 } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
1072 *psk = ssl->conf->psk;
1073 *psk_len = ssl->conf->psk_len;
1074 } else {
1075 *psk = NULL;
1076 *psk_len = 0;
1077 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
1078 }
1079
1080 return 0;
1081}
1082
1083#if defined(MBEDTLS_USE_PSA_CRYPTO)
1084/**
1085 * Get the first defined opaque PSK by order of precedence:
1086 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1087 * callback
1088 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1089 * Return an opaque PSK
1090 */
1091static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
1092 const mbedtls_ssl_context *ssl)
1093{
1094 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
1095 return ssl->handshake->psk_opaque;
1096 }
1097
1098 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
1099 return ssl->conf->psk_opaque;
1100 }
1101
1102 return MBEDTLS_SVC_KEY_ID_INIT;
1103}
1104#endif /* MBEDTLS_USE_PSA_CRYPTO */
1105
1106#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1107
1108#if defined(MBEDTLS_PK_C)
1109unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
1110unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
1111mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
1112#endif
1113
1114mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
1115unsigned char mbedtls_ssl_hash_from_md_alg(int md);
1116MBEDTLS_CHECK_RETURN_CRITICAL
1117int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
1118
1119#if defined(MBEDTLS_ECP_C)
1120MBEDTLS_CHECK_RETURN_CRITICAL
1121int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
1122MBEDTLS_CHECK_RETURN_CRITICAL
1123int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
1124#endif
1125
1126#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1127MBEDTLS_CHECK_RETURN_CRITICAL
1128int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl,
1129 mbedtls_md_type_t md);
1130#endif
1131
1132#if defined(MBEDTLS_SSL_DTLS_SRTP)
1133static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1134 (const uint16_t srtp_profile_value)
1135{
1136 switch (srtp_profile_value) {
1137 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1138 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1139 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1140 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1141 return srtp_profile_value;
1142 default: break;
1143 }
1144 return MBEDTLS_TLS_SRTP_UNSET;
1145}
1146#endif
1147
1148#if defined(MBEDTLS_X509_CRT_PARSE_C)
1149static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
1150{
1151 mbedtls_ssl_key_cert *key_cert;
1152
1153 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1154 key_cert = ssl->handshake->key_cert;
1155 } else {
1156 key_cert = ssl->conf->key_cert;
1157 }
1158
1159 return key_cert == NULL ? NULL : key_cert->key;
1160}
1161
1162static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
1163{
1164 mbedtls_ssl_key_cert *key_cert;
1165
1166 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1167 key_cert = ssl->handshake->key_cert;
1168 } else {
1169 key_cert = ssl->conf->key_cert;
1170 }
1171
1172 return key_cert == NULL ? NULL : key_cert->cert;
1173}
1174
1175/*
1176 * Check usage of a certificate wrt extensions:
1177 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1178 *
1179 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1180 * check a cert we received from them)!
1181 *
1182 * Return 0 if everything is OK, -1 if not.
1183 */
1184MBEDTLS_CHECK_RETURN_CRITICAL
1185int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
1186 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1187 int cert_endpoint,
1188 uint32_t *flags);
1189#endif /* MBEDTLS_X509_CRT_PARSE_C */
1190
1191void mbedtls_ssl_write_version(int major, int minor, int transport,
1192 unsigned char ver[2]);
1193void mbedtls_ssl_read_version(int *major, int *minor, int transport,
1194 const unsigned char ver[2]);
1195
1196static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
1197{
1198#if !defined(MBEDTLS_SSL_PROTO_DTLS)
1199 ((void) ssl);
1200#endif
1201
1202#if defined(MBEDTLS_SSL_PROTO_DTLS)
1203 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1204 return 13;
1205 } else
1206#endif /* MBEDTLS_SSL_PROTO_DTLS */
1207 {
1208 return 5;
1209 }
1210}
1211
1212static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
1213{
1214 return (size_t) (ssl->out_iv - ssl->out_hdr);
1215}
1216
1217static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
1218{
1219#if defined(MBEDTLS_SSL_PROTO_DTLS)
1220 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1221 return 12;
1222 }
1223#else
1224 ((void) ssl);
1225#endif
1226 return 4;
1227}
1228
1229#if defined(MBEDTLS_SSL_PROTO_DTLS)
1230void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
1231void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
1232MBEDTLS_CHECK_RETURN_CRITICAL
1233int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
1234MBEDTLS_CHECK_RETURN_CRITICAL
1235int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
1236#endif
1237
1238/* Visible for testing purposes only */
1239#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1240MBEDTLS_CHECK_RETURN_CRITICAL
1241int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
1242void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
1243#endif
1244
1245MBEDTLS_CHECK_RETURN_CRITICAL
1246int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
1247 const mbedtls_ssl_session *src);
1248
1249#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
1250 defined(MBEDTLS_SSL_PROTO_TLS1_1)
1251MBEDTLS_CHECK_RETURN_CRITICAL
1252int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl,
1253 unsigned char *output,
1254 unsigned char *data, size_t data_len);
1255#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
1256 MBEDTLS_SSL_PROTO_TLS1_1 */
1257
1258#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1259 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1260/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1261MBEDTLS_CHECK_RETURN_CRITICAL
1262int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
1263 unsigned char *hash, size_t *hashlen,
1264 unsigned char *data, size_t data_len,
1265 mbedtls_md_type_t md_alg);
1266#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1267 MBEDTLS_SSL_PROTO_TLS1_2 */
1268
1269#ifdef __cplusplus
1270}
1271#endif
1272
1273void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
1274MBEDTLS_CHECK_RETURN_CRITICAL
1275int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
1276 mbedtls_ssl_transform *transform,
1277 mbedtls_record *rec,
1278 int (*f_rng)(void *, unsigned char *, size_t),
1279 void *p_rng);
1280MBEDTLS_CHECK_RETURN_CRITICAL
1281int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
1282 mbedtls_ssl_transform *transform,
1283 mbedtls_record *rec);
1284
1285/* Length of the "epoch" field in the record header */
1286static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
1287{
1288#if defined(MBEDTLS_SSL_PROTO_DTLS)
1289 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1290 return 2;
1291 }
1292#else
1293 ((void) ssl);
1294#endif
1295 return 0;
1296}
1297
1298#if defined(MBEDTLS_SSL_PROTO_DTLS)
1299MBEDTLS_CHECK_RETURN_CRITICAL
1300int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
1301#endif /* MBEDTLS_SSL_PROTO_DTLS */
1302
1303void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
1304MBEDTLS_CHECK_RETURN_CRITICAL
1305int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
1306
1307void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
1308void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
1309 mbedtls_ssl_transform *transform);
1310void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
1311
1312MBEDTLS_CHECK_RETURN_CRITICAL
1313int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
1314
1315#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1316void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
1317#endif
1318
1319void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
1320
1321#if defined(MBEDTLS_SSL_RENEGOTIATION)
1322MBEDTLS_CHECK_RETURN_CRITICAL
1323int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
1324#endif /* MBEDTLS_SSL_RENEGOTIATION */
1325
1326#if defined(MBEDTLS_SSL_PROTO_DTLS)
1327size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
1328void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
1329void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
1330#endif /* MBEDTLS_SSL_PROTO_DTLS */
1331
1332#if defined(MBEDTLS_TEST_HOOKS)
1333int mbedtls_ssl_check_dtls_clihlo_cookie(
1334 mbedtls_ssl_context *ssl,
1335 const unsigned char *cli_id, size_t cli_id_len,
1336 const unsigned char *in, size_t in_len,
1337 unsigned char *obuf, size_t buf_len, size_t *olen);
1338#endif
1339
1340#endif /* ssl_internal.h */
1341