1 | /** |
2 | * \file ssl_internal.h |
3 | * |
4 | * \brief Internal functions shared by the SSL modules |
5 | */ |
6 | /* |
7 | * Copyright The Mbed TLS Contributors |
8 | * SPDX-License-Identifier: Apache-2.0 |
9 | * |
10 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
11 | * not use this file except in compliance with the License. |
12 | * You may obtain a copy of the License at |
13 | * |
14 | * http://www.apache.org/licenses/LICENSE-2.0 |
15 | * |
16 | * Unless required by applicable law or agreed to in writing, software |
17 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
18 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
19 | * See the License for the specific language governing permissions and |
20 | * limitations under the License. |
21 | */ |
22 | #ifndef MBEDTLS_SSL_INTERNAL_H |
23 | #define MBEDTLS_SSL_INTERNAL_H |
24 | |
25 | #if !defined(MBEDTLS_CONFIG_FILE) |
26 | #include "mbedtls/config.h" |
27 | #else |
28 | #include MBEDTLS_CONFIG_FILE |
29 | #endif |
30 | |
31 | #include "mbedtls/ssl.h" |
32 | #include "mbedtls/cipher.h" |
33 | |
34 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
35 | #include "psa/crypto.h" |
36 | #endif |
37 | |
38 | #if defined(MBEDTLS_MD5_C) |
39 | #include "mbedtls/md5.h" |
40 | #endif |
41 | |
42 | #if defined(MBEDTLS_SHA1_C) |
43 | #include "mbedtls/sha1.h" |
44 | #endif |
45 | |
46 | #if defined(MBEDTLS_SHA256_C) |
47 | #include "mbedtls/sha256.h" |
48 | #endif |
49 | |
50 | #if defined(MBEDTLS_SHA512_C) |
51 | #include "mbedtls/sha512.h" |
52 | #endif |
53 | |
54 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
55 | #include "mbedtls/ecjpake.h" |
56 | #endif |
57 | |
58 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
59 | #include "psa/crypto.h" |
60 | #include "mbedtls/psa_util.h" |
61 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
62 | |
63 | #if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \ |
64 | !defined(inline) && !defined(__cplusplus) |
65 | #define inline __inline |
66 | #endif |
67 | |
68 | /* Determine minimum supported version */ |
69 | #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 |
70 | |
71 | #if defined(MBEDTLS_SSL_PROTO_SSL3) |
72 | #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0 |
73 | #else |
74 | #if defined(MBEDTLS_SSL_PROTO_TLS1) |
75 | #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 |
76 | #else |
77 | #if defined(MBEDTLS_SSL_PROTO_TLS1_1) |
78 | #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 |
79 | #else |
80 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
81 | #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 |
82 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
83 | #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ |
84 | #endif /* MBEDTLS_SSL_PROTO_TLS1 */ |
85 | #endif /* MBEDTLS_SSL_PROTO_SSL3 */ |
86 | |
87 | #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 |
88 | #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 |
89 | |
90 | /* Determine maximum supported version */ |
91 | #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 |
92 | |
93 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
94 | #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 |
95 | #else |
96 | #if defined(MBEDTLS_SSL_PROTO_TLS1_1) |
97 | #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 |
98 | #else |
99 | #if defined(MBEDTLS_SSL_PROTO_TLS1) |
100 | #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 |
101 | #else |
102 | #if defined(MBEDTLS_SSL_PROTO_SSL3) |
103 | #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0 |
104 | #endif /* MBEDTLS_SSL_PROTO_SSL3 */ |
105 | #endif /* MBEDTLS_SSL_PROTO_TLS1 */ |
106 | #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ |
107 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
108 | |
109 | /* Shorthand for restartable ECC */ |
110 | #if defined(MBEDTLS_ECP_RESTARTABLE) && \ |
111 | defined(MBEDTLS_SSL_CLI_C) && \ |
112 | defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
113 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
114 | #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED |
115 | #endif |
116 | |
117 | #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 |
118 | #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ |
119 | #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ |
120 | #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ |
121 | |
122 | /* |
123 | * DTLS retransmission states, see RFC 6347 4.2.4 |
124 | * |
125 | * The SENDING state is merged in PREPARING for initial sends, |
126 | * but is distinct for resends. |
127 | * |
128 | * Note: initial state is wrong for server, but is not used anyway. |
129 | */ |
130 | #define MBEDTLS_SSL_RETRANS_PREPARING 0 |
131 | #define MBEDTLS_SSL_RETRANS_SENDING 1 |
132 | #define MBEDTLS_SSL_RETRANS_WAITING 2 |
133 | #define MBEDTLS_SSL_RETRANS_FINISHED 3 |
134 | |
135 | /* |
136 | * Allow extra bytes for record, authentication and encryption overhead: |
137 | * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256) |
138 | * and allow for a maximum of 1024 of compression expansion if |
139 | * enabled. |
140 | */ |
141 | #if defined(MBEDTLS_ZLIB_SUPPORT) |
142 | #define MBEDTLS_SSL_COMPRESSION_ADD 1024 |
143 | #else |
144 | #define MBEDTLS_SSL_COMPRESSION_ADD 0 |
145 | #endif |
146 | |
147 | /* This macro determines whether CBC is supported. */ |
148 | #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ |
149 | (defined(MBEDTLS_AES_C) || \ |
150 | defined(MBEDTLS_CAMELLIA_C) || \ |
151 | defined(MBEDTLS_ARIA_C) || \ |
152 | defined(MBEDTLS_DES_C)) |
153 | #define MBEDTLS_SSL_SOME_SUITES_USE_CBC |
154 | #endif |
155 | |
156 | /* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as |
157 | * opposed to the very different CBC construct used in SSLv3) is supported. */ |
158 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ |
159 | (defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
160 | defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
161 | defined(MBEDTLS_SSL_PROTO_TLS1_2)) |
162 | #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC |
163 | #endif |
164 | |
165 | #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ |
166 | defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) |
167 | #define MBEDTLS_SSL_SOME_MODES_USE_MAC |
168 | #endif |
169 | |
170 | #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) |
171 | /* Ciphersuites using HMAC */ |
172 | #if defined(MBEDTLS_SHA512_C) |
173 | #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ |
174 | #elif defined(MBEDTLS_SHA256_C) |
175 | #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ |
176 | #else |
177 | #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ |
178 | #endif |
179 | #else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ |
180 | /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ |
181 | #define MBEDTLS_SSL_MAC_ADD 16 |
182 | #endif |
183 | |
184 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
185 | #define MBEDTLS_SSL_PADDING_ADD 256 |
186 | #else |
187 | #define MBEDTLS_SSL_PADDING_ADD 0 |
188 | #endif |
189 | |
190 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
191 | #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY |
192 | #else |
193 | #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 |
194 | #endif |
195 | |
196 | #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_SSL_COMPRESSION_ADD + \ |
197 | MBEDTLS_MAX_IV_LENGTH + \ |
198 | MBEDTLS_SSL_MAC_ADD + \ |
199 | MBEDTLS_SSL_PADDING_ADD + \ |
200 | MBEDTLS_SSL_MAX_CID_EXPANSION \ |
201 | ) |
202 | |
203 | #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ |
204 | (MBEDTLS_SSL_IN_CONTENT_LEN)) |
205 | |
206 | #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ |
207 | (MBEDTLS_SSL_OUT_CONTENT_LEN)) |
208 | |
209 | /* The maximum number of buffered handshake messages. */ |
210 | #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 |
211 | |
212 | /* Maximum length we can advertise as our max content length for |
213 | RFC 6066 max_fragment_length extension negotiation purposes |
214 | (the lesser of both sizes, if they are unequal.) |
215 | */ |
216 | #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ |
217 | (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ |
218 | ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \ |
219 | : (MBEDTLS_SSL_IN_CONTENT_LEN) \ |
220 | ) |
221 | |
222 | /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */ |
223 | #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534 |
224 | |
225 | /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ |
226 | #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 |
227 | |
228 | /* |
229 | * Check that we obey the standard's message size bounds |
230 | */ |
231 | |
232 | #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384 |
233 | #error "Bad configuration - record content too large." |
234 | #endif |
235 | |
236 | #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN |
237 | #error \ |
238 | "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." |
239 | #endif |
240 | |
241 | #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN |
242 | #error \ |
243 | "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." |
244 | #endif |
245 | |
246 | #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 |
247 | #error "Bad configuration - incoming protected record payload too large." |
248 | #endif |
249 | |
250 | #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 |
251 | #error "Bad configuration - outgoing protected record payload too large." |
252 | #endif |
253 | |
254 | /* Calculate buffer sizes */ |
255 | |
256 | /* Note: Even though the TLS record header is only 5 bytes |
257 | long, we're internally using 8 bytes to store the |
258 | implicit sequence number. */ |
259 | #define 13 |
260 | |
261 | #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
262 | #define MBEDTLS_SSL_IN_BUFFER_LEN \ |
263 | ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN)) |
264 | #else |
265 | #define MBEDTLS_SSL_IN_BUFFER_LEN \ |
266 | ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \ |
267 | + (MBEDTLS_SSL_CID_IN_LEN_MAX)) |
268 | #endif |
269 | |
270 | #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
271 | #define MBEDTLS_SSL_OUT_BUFFER_LEN \ |
272 | ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)) |
273 | #else |
274 | #define MBEDTLS_SSL_OUT_BUFFER_LEN \ |
275 | ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \ |
276 | + (MBEDTLS_SSL_CID_OUT_LEN_MAX)) |
277 | #endif |
278 | |
279 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
280 | static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx) |
281 | { |
282 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
283 | return mbedtls_ssl_get_output_max_frag_len(ctx) |
284 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD |
285 | + MBEDTLS_SSL_CID_OUT_LEN_MAX; |
286 | #else |
287 | return mbedtls_ssl_get_output_max_frag_len(ctx) |
288 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; |
289 | #endif |
290 | } |
291 | |
292 | static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx) |
293 | { |
294 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
295 | return mbedtls_ssl_get_input_max_frag_len(ctx) |
296 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD |
297 | + MBEDTLS_SSL_CID_IN_LEN_MAX; |
298 | #else |
299 | return mbedtls_ssl_get_input_max_frag_len(ctx) |
300 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; |
301 | #endif |
302 | } |
303 | #endif |
304 | |
305 | #ifdef MBEDTLS_ZLIB_SUPPORT |
306 | /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */ |
307 | #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \ |
308 | (MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN) \ |
309 | ? MBEDTLS_SSL_IN_BUFFER_LEN \ |
310 | : MBEDTLS_SSL_OUT_BUFFER_LEN \ |
311 | ) |
312 | #endif |
313 | |
314 | /* |
315 | * TLS extension flags (for extensions with outgoing ServerHello content |
316 | * that need it (e.g. for RENEGOTIATION_INFO the server already knows because |
317 | * of state of the renegotiation flag, so no indicator is required) |
318 | */ |
319 | #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) |
320 | #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) |
321 | |
322 | /** |
323 | * \brief This function checks if the remaining size in a buffer is |
324 | * greater or equal than a needed space. |
325 | * |
326 | * \param cur Pointer to the current position in the buffer. |
327 | * \param end Pointer to one past the end of the buffer. |
328 | * \param need Needed space in bytes. |
329 | * |
330 | * \return Zero if the needed space is available in the buffer, non-zero |
331 | * otherwise. |
332 | */ |
333 | static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, |
334 | const uint8_t *end, size_t need) |
335 | { |
336 | return (cur > end) || (need > (size_t) (end - cur)); |
337 | } |
338 | |
339 | /** |
340 | * \brief This macro checks if the remaining size in a buffer is |
341 | * greater or equal than a needed space. If it is not the case, |
342 | * it returns an SSL_BUFFER_TOO_SMALL error. |
343 | * |
344 | * \param cur Pointer to the current position in the buffer. |
345 | * \param end Pointer to one past the end of the buffer. |
346 | * \param need Needed space in bytes. |
347 | * |
348 | */ |
349 | #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \ |
350 | do { \ |
351 | if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ |
352 | { \ |
353 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \ |
354 | } \ |
355 | } while (0) |
356 | |
357 | #ifdef __cplusplus |
358 | extern "C" { |
359 | #endif |
360 | |
361 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
362 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
363 | /* |
364 | * Abstraction for a grid of allowed signature-hash-algorithm pairs. |
365 | */ |
366 | struct mbedtls_ssl_sig_hash_set_t { |
367 | /* At the moment, we only need to remember a single suitable |
368 | * hash algorithm per signature algorithm. As long as that's |
369 | * the case - and we don't need a general lookup function - |
370 | * we can implement the sig-hash-set as a map from signatures |
371 | * to hash algorithms. */ |
372 | mbedtls_md_type_t rsa; |
373 | mbedtls_md_type_t ecdsa; |
374 | }; |
375 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
376 | MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
377 | |
378 | typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen, |
379 | const char *label, |
380 | const unsigned char *random, size_t rlen, |
381 | unsigned char *dstbuf, size_t dlen); |
382 | |
383 | /* cipher.h exports the maximum IV, key and block length from |
384 | * all ciphers enabled in the config, regardless of whether those |
385 | * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled |
386 | * in the default configuration and uses 64 Byte keys, but it is |
387 | * not used for record protection in SSL/TLS. |
388 | * |
389 | * In order to prevent unnecessary inflation of key structures, |
390 | * we introduce SSL-specific variants of the max-{key,block,IV} |
391 | * macros here which are meant to only take those ciphers into |
392 | * account which can be negotiated in SSL/TLS. |
393 | * |
394 | * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH |
395 | * in cipher.h are rough overapproximations of the real maxima, here |
396 | * we content ourselves with replicating those overapproximations |
397 | * for the maximum block and IV length, and excluding XTS from the |
398 | * computation of the maximum key length. */ |
399 | #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 |
400 | #define MBEDTLS_SSL_MAX_IV_LENGTH 16 |
401 | #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 |
402 | |
403 | /** |
404 | * \brief The data structure holding the cryptographic material (key and IV) |
405 | * used for record protection in TLS 1.3. |
406 | */ |
407 | struct mbedtls_ssl_key_set { |
408 | /*! The key for client->server records. */ |
409 | unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; |
410 | /*! The key for server->client records. */ |
411 | unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; |
412 | /*! The IV for client->server records. */ |
413 | unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; |
414 | /*! The IV for server->client records. */ |
415 | unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; |
416 | |
417 | size_t key_len; /*!< The length of client_write_key and |
418 | * server_write_key, in Bytes. */ |
419 | size_t iv_len; /*!< The length of client_write_iv and |
420 | * server_write_iv, in Bytes. */ |
421 | }; |
422 | typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; |
423 | |
424 | /* |
425 | * This structure contains the parameters only needed during handshake. |
426 | */ |
427 | struct mbedtls_ssl_handshake_params { |
428 | /* |
429 | * Handshake specific crypto variables |
430 | */ |
431 | |
432 | uint8_t max_major_ver; /*!< max. major version client*/ |
433 | uint8_t max_minor_ver; /*!< max. minor version client*/ |
434 | uint8_t resume; /*!< session resume indicator*/ |
435 | uint8_t cli_exts; /*!< client extension presence*/ |
436 | |
437 | #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ |
438 | defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
439 | uint8_t sni_authmode; /*!< authmode from SNI callback */ |
440 | #endif |
441 | |
442 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
443 | uint8_t new_session_ticket; /*!< use NewSessionTicket? */ |
444 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
445 | |
446 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
447 | uint8_t extended_ms; /*!< use Extended Master Secret? */ |
448 | #endif |
449 | |
450 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
451 | uint8_t async_in_progress; /*!< an asynchronous operation is in progress */ |
452 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
453 | |
454 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
455 | unsigned char retransmit_state; /*!< Retransmission state */ |
456 | #endif |
457 | |
458 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
459 | uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ |
460 | enum { /* this complements ssl->state with info on intra-state operations */ |
461 | ssl_ecrs_none = 0, /*!< nothing going on (yet) */ |
462 | ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ |
463 | ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ |
464 | ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ |
465 | ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ |
466 | } ecrs_state; /*!< current (or last) operation */ |
467 | mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ |
468 | size_t ecrs_n; /*!< place for saving a length */ |
469 | #endif |
470 | |
471 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
472 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
473 | mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */ |
474 | #endif |
475 | |
476 | size_t pmslen; /*!< premaster length */ |
477 | |
478 | mbedtls_ssl_ciphersuite_t const *ciphersuite_info; |
479 | |
480 | void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); |
481 | void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); |
482 | void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); |
483 | mbedtls_ssl_tls_prf_cb *tls_prf; |
484 | |
485 | #if defined(MBEDTLS_DHM_C) |
486 | mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ |
487 | #endif |
488 | |
489 | /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due |
490 | * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap |
491 | * in functionality that access to ecdh_ctx structure is needed for |
492 | * MBEDTLS_ECDSA_C which does not seem correct. |
493 | */ |
494 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
495 | mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ |
496 | |
497 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
498 | psa_key_type_t ecdh_psa_type; |
499 | uint16_t ecdh_bits; |
500 | psa_key_id_t ecdh_psa_privkey; |
501 | unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; |
502 | size_t ecdh_psa_peerkey_len; |
503 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
504 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ |
505 | |
506 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
507 | mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ |
508 | #if defined(MBEDTLS_SSL_CLI_C) |
509 | unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ |
510 | size_t ecjpake_cache_len; /*!< Length of cached data */ |
511 | #endif |
512 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
513 | |
514 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
515 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
516 | const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ |
517 | #endif |
518 | |
519 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
520 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
521 | psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ |
522 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
523 | unsigned char *psk; /*!< PSK from the callback */ |
524 | size_t psk_len; /*!< Length of PSK from callback */ |
525 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
526 | |
527 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
528 | mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ |
529 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
530 | mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ |
531 | mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ |
532 | mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ |
533 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
534 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
535 | |
536 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
537 | mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ |
538 | #endif |
539 | |
540 | #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ |
541 | !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
542 | mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ |
543 | #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
544 | |
545 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
546 | struct { |
547 | size_t total_bytes_buffered; /*!< Cumulative size of heap allocated |
548 | * buffers used for message buffering. */ |
549 | |
550 | uint8_t seen_ccs; /*!< Indicates if a CCS message has |
551 | * been seen in the current flight. */ |
552 | |
553 | struct mbedtls_ssl_hs_buffer { |
554 | unsigned is_valid : 1; |
555 | unsigned is_fragmented : 1; |
556 | unsigned is_complete : 1; |
557 | unsigned char *data; |
558 | size_t data_len; |
559 | } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; |
560 | |
561 | struct { |
562 | unsigned char *data; |
563 | size_t len; |
564 | unsigned epoch; |
565 | } future_record; |
566 | |
567 | } buffering; |
568 | |
569 | unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ |
570 | unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ |
571 | |
572 | unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie |
573 | Srv: unused */ |
574 | unsigned char verify_cookie_len; /*!< Cli: cookie length |
575 | Srv: flag for sending a cookie */ |
576 | |
577 | uint32_t retransmit_timeout; /*!< Current value of timeout */ |
578 | mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ |
579 | mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ |
580 | unsigned char *cur_msg_p; /*!< Position in current message */ |
581 | unsigned int in_flight_start_seq; /*!< Minimum message sequence in the |
582 | flight being received */ |
583 | mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for |
584 | resending messages */ |
585 | unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter |
586 | for resending messages */ |
587 | |
588 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
589 | /* The state of CID configuration in this handshake. */ |
590 | |
591 | uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension |
592 | * has been negotiated. Possible values are |
593 | * #MBEDTLS_SSL_CID_ENABLED and |
594 | * #MBEDTLS_SSL_CID_DISABLED. */ |
595 | unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */ |
596 | uint8_t peer_cid_len; /*!< The length of |
597 | * \c peer_cid. */ |
598 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
599 | |
600 | uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ |
601 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
602 | |
603 | /* |
604 | * Checksum contexts |
605 | */ |
606 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
607 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
608 | mbedtls_md5_context fin_md5; |
609 | mbedtls_sha1_context fin_sha1; |
610 | #endif |
611 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
612 | #if defined(MBEDTLS_SHA256_C) |
613 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
614 | psa_hash_operation_t fin_sha256_psa; |
615 | #else |
616 | mbedtls_sha256_context fin_sha256; |
617 | #endif |
618 | #endif |
619 | #if defined(MBEDTLS_SHA512_C) |
620 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
621 | psa_hash_operation_t fin_sha384_psa; |
622 | #else |
623 | mbedtls_sha512_context fin_sha512; |
624 | #endif |
625 | #endif |
626 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
627 | |
628 | unsigned char randbytes[64]; /*!< random bytes */ |
629 | unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; |
630 | /*!< premaster secret */ |
631 | |
632 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
633 | /** Asynchronous operation context. This field is meant for use by the |
634 | * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, |
635 | * mbedtls_ssl_config::f_async_decrypt_start, |
636 | * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). |
637 | * The library does not use it internally. */ |
638 | void *user_async_ctx; |
639 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
640 | }; |
641 | |
642 | typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; |
643 | |
644 | /* |
645 | * Representation of decryption/encryption transformations on records |
646 | * |
647 | * There are the following general types of record transformations: |
648 | * - Stream transformations (TLS versions <= 1.2 only) |
649 | * Transformation adding a MAC and applying a stream-cipher |
650 | * to the authenticated message. |
651 | * - CBC block cipher transformations ([D]TLS versions <= 1.2 only) |
652 | * In addition to the distinction of the order of encryption and |
653 | * authentication, there's a fundamental difference between the |
654 | * handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3 |
655 | * and TLS 1.0, the final IV after processing a record is used |
656 | * as the IV for the next record. No explicit IV is contained |
657 | * in an encrypted record. The IV for the first record is extracted |
658 | * at key extraction time. In contrast, for TLS 1.1 and 1.2, no |
659 | * IV is generated at key extraction time, but every encrypted |
660 | * record is explicitly prefixed by the IV with which it was encrypted. |
661 | * - AEAD transformations ([D]TLS versions >= 1.2 only) |
662 | * These come in two fundamentally different versions, the first one |
663 | * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second |
664 | * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. |
665 | * In the first transformation, the IV to be used for a record is obtained |
666 | * as the concatenation of an explicit, static 4-byte IV and the 8-byte |
667 | * record sequence number, and explicitly prepending this sequence number |
668 | * to the encrypted record. In contrast, in the second transformation |
669 | * the IV is obtained by XOR'ing a static IV obtained at key extraction |
670 | * time with the 8-byte record sequence number, without prepending the |
671 | * latter to the encrypted record. |
672 | * |
673 | * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext |
674 | * which allows to add flexible length padding and to hide a record's true |
675 | * content type. |
676 | * |
677 | * In addition to type and version, the following parameters are relevant: |
678 | * - The symmetric cipher algorithm to be used. |
679 | * - The (static) encryption/decryption keys for the cipher. |
680 | * - For stream/CBC, the type of message digest to be used. |
681 | * - For stream/CBC, (static) encryption/decryption keys for the digest. |
682 | * - For AEAD transformations, the size (potentially 0) of an explicit, |
683 | * random initialization vector placed in encrypted records. |
684 | * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0) |
685 | * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC) |
686 | * and (if present) is combined with the explicit IV in a transformation- |
687 | * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). |
688 | * - For stream/CBC, a flag determining the order of encryption and MAC. |
689 | * - The details of the transformation depend on the SSL/TLS version. |
690 | * - The length of the authentication tag. |
691 | * |
692 | * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are |
693 | * constant across multiple encryption/decryption operations. |
694 | * For CBC, the implicit IV needs to be updated after each |
695 | * operation. |
696 | * |
697 | * The struct below refines this abstract view as follows: |
698 | * - The cipher underlying the transformation is managed in |
699 | * cipher contexts cipher_ctx_{enc/dec}, which must have the |
700 | * same cipher type. The mode of these cipher contexts determines |
701 | * the type of the transformation in the sense above: e.g., if |
702 | * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM |
703 | * then the transformation has type CBC resp. AEAD. |
704 | * - The cipher keys are never stored explicitly but |
705 | * are maintained within cipher_ctx_{enc/dec}. |
706 | * - For stream/CBC transformations, the message digest contexts |
707 | * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts |
708 | * are unused for AEAD transformations. |
709 | * - For stream/CBC transformations and versions > SSL3, the |
710 | * MAC keys are not stored explicitly but maintained within |
711 | * md_ctx_{enc/dec}. |
712 | * - For stream/CBC transformations and version SSL3, the MAC |
713 | * keys are stored explicitly in mac_enc, mac_dec and have |
714 | * a fixed size of 20 bytes. These fields are unused for |
715 | * AEAD transformations or transformations >= TLS 1.0. |
716 | * - For transformations using an implicit IV maintained within |
717 | * the transformation context, its contents are stored within |
718 | * iv_{enc/dec}. |
719 | * - The value of ivlen indicates the length of the IV. |
720 | * This is redundant in case of stream/CBC transformations |
721 | * which always use 0 resp. the cipher's block length as the |
722 | * IV length, but is needed for AEAD ciphers and may be |
723 | * different from the underlying cipher's block length |
724 | * in this case. |
725 | * - The field fixed_ivlen is nonzero for AEAD transformations only |
726 | * and indicates the length of the static part of the IV which is |
727 | * constant throughout the communication, and which is stored in |
728 | * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. |
729 | * Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec} |
730 | * still store IV's for continued use across multiple transformations, |
731 | * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are |
732 | * not being used! |
733 | * - minor_ver denotes the SSL/TLS version |
734 | * - For stream/CBC transformations, maclen denotes the length of the |
735 | * authentication tag, while taglen is unused and 0. |
736 | * - For AEAD transformations, taglen denotes the length of the |
737 | * authentication tag, while maclen is unused and 0. |
738 | * - For CBC transformations, encrypt_then_mac determines the |
739 | * order of encryption and authentication. This field is unused |
740 | * in other transformations. |
741 | * |
742 | */ |
743 | struct mbedtls_ssl_transform { |
744 | /* |
745 | * Session specific crypto layer |
746 | */ |
747 | size_t minlen; /*!< min. ciphertext length */ |
748 | size_t ivlen; /*!< IV length */ |
749 | size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ |
750 | size_t maclen; /*!< MAC(CBC) len */ |
751 | size_t taglen; /*!< TAG(AEAD) len */ |
752 | |
753 | unsigned char iv_enc[16]; /*!< IV (encryption) */ |
754 | unsigned char iv_dec[16]; /*!< IV (decryption) */ |
755 | |
756 | #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) |
757 | |
758 | #if defined(MBEDTLS_SSL_PROTO_SSL3) |
759 | /* Needed only for SSL v3.0 secret */ |
760 | unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */ |
761 | unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */ |
762 | #endif /* MBEDTLS_SSL_PROTO_SSL3 */ |
763 | |
764 | mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ |
765 | mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ |
766 | |
767 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
768 | int encrypt_then_mac; /*!< flag for EtM activation */ |
769 | #endif |
770 | |
771 | #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ |
772 | |
773 | mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ |
774 | mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ |
775 | int minor_ver; |
776 | |
777 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
778 | uint8_t in_cid_len; |
779 | uint8_t out_cid_len; |
780 | unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; |
781 | unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; |
782 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
783 | |
784 | /* |
785 | * Session specific compression layer |
786 | */ |
787 | #if defined(MBEDTLS_ZLIB_SUPPORT) |
788 | z_stream ctx_deflate; /*!< compression context */ |
789 | z_stream ctx_inflate; /*!< decompression context */ |
790 | #endif |
791 | |
792 | #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) |
793 | /* We need the Hello random bytes in order to re-derive keys from the |
794 | * Master Secret and other session info, see ssl_populate_transform() */ |
795 | unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */ |
796 | #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ |
797 | }; |
798 | |
799 | /* |
800 | * Return 1 if the transform uses an AEAD cipher, 0 otherwise. |
801 | * Equivalently, return 0 if a separate MAC is used, 1 otherwise. |
802 | */ |
803 | static inline int mbedtls_ssl_transform_uses_aead( |
804 | const mbedtls_ssl_transform *transform) |
805 | { |
806 | #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) |
807 | return transform->maclen == 0 && transform->taglen != 0; |
808 | #else |
809 | (void) transform; |
810 | return 1; |
811 | #endif |
812 | } |
813 | |
814 | /* |
815 | * Internal representation of record frames |
816 | * |
817 | * Instances come in two flavors: |
818 | * (1) Encrypted |
819 | * These always have data_offset = 0 |
820 | * (2) Unencrypted |
821 | * These have data_offset set to the amount of |
822 | * pre-expansion during record protection. Concretely, |
823 | * this is the length of the fixed part of the explicit IV |
824 | * used for encryption, or 0 if no explicit IV is used |
825 | * (e.g. for CBC in TLS 1.0, or stream ciphers). |
826 | * |
827 | * The reason for the data_offset in the unencrypted case |
828 | * is to allow for in-place conversion of an unencrypted to |
829 | * an encrypted record. If the offset wasn't included, the |
830 | * encrypted content would need to be shifted afterwards to |
831 | * make space for the fixed IV. |
832 | * |
833 | */ |
834 | #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX |
835 | #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX |
836 | #else |
837 | #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX |
838 | #endif |
839 | |
840 | typedef struct { |
841 | uint8_t ctr[8]; /* In TLS: The implicit record sequence number. |
842 | * In DTLS: The 2-byte epoch followed by |
843 | * the 6-byte sequence number. |
844 | * This is stored as a raw big endian byte array |
845 | * as opposed to a uint64_t because we rarely |
846 | * need to perform arithmetic on this, but do |
847 | * need it as a Byte array for the purpose of |
848 | * MAC computations. */ |
849 | uint8_t type; /* The record content type. */ |
850 | uint8_t ver[2]; /* SSL/TLS version as present on the wire. |
851 | * Convert to internal presentation of versions |
852 | * using mbedtls_ssl_read_version() and |
853 | * mbedtls_ssl_write_version(). |
854 | * Keep wire-format for MAC computations. */ |
855 | |
856 | unsigned char *buf; /* Memory buffer enclosing the record content */ |
857 | size_t buf_len; /* Buffer length */ |
858 | size_t data_offset; /* Offset of record content */ |
859 | size_t data_len; /* Length of record content */ |
860 | |
861 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
862 | uint8_t cid_len; /* Length of the CID (0 if not present) */ |
863 | unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */ |
864 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
865 | } mbedtls_record; |
866 | |
867 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
868 | /* |
869 | * List of certificate + private key pairs |
870 | */ |
871 | struct mbedtls_ssl_key_cert { |
872 | mbedtls_x509_crt *cert; /*!< cert */ |
873 | mbedtls_pk_context *key; /*!< private key */ |
874 | mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ |
875 | }; |
876 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
877 | |
878 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
879 | /* |
880 | * List of handshake messages kept around for resending |
881 | */ |
882 | struct mbedtls_ssl_flight_item { |
883 | unsigned char *p; /*!< message, including handshake headers */ |
884 | size_t len; /*!< length of p */ |
885 | unsigned char type; /*!< type of the message: handshake or CCS */ |
886 | mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ |
887 | }; |
888 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
889 | |
890 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
891 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
892 | |
893 | /* Find an entry in a signature-hash set matching a given hash algorithm. */ |
894 | mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t *set, |
895 | mbedtls_pk_type_t sig_alg); |
896 | /* Add a signature-hash-pair to a signature-hash set */ |
897 | void mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t *set, |
898 | mbedtls_pk_type_t sig_alg, |
899 | mbedtls_md_type_t md_alg); |
900 | /* Allow exactly one hash algorithm for each signature. */ |
901 | void mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t *set, |
902 | mbedtls_md_type_t md_alg); |
903 | |
904 | /* Setup an empty signature-hash set */ |
905 | static inline void mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t *set) |
906 | { |
907 | mbedtls_ssl_sig_hash_set_const_hash(set, MBEDTLS_MD_NONE); |
908 | } |
909 | |
910 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2) && |
911 | MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
912 | |
913 | /** |
914 | * \brief Free referenced items in an SSL transform context and clear |
915 | * memory |
916 | * |
917 | * \param transform SSL transform context |
918 | */ |
919 | void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform); |
920 | |
921 | /** |
922 | * \brief Free referenced items in an SSL handshake context and clear |
923 | * memory |
924 | * |
925 | * \param ssl SSL context |
926 | */ |
927 | void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl); |
928 | |
929 | MBEDTLS_CHECK_RETURN_CRITICAL |
930 | int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl); |
931 | MBEDTLS_CHECK_RETURN_CRITICAL |
932 | int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl); |
933 | void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl); |
934 | |
935 | MBEDTLS_CHECK_RETURN_CRITICAL |
936 | int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); |
937 | |
938 | void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); |
939 | MBEDTLS_CHECK_RETURN_CRITICAL |
940 | int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl); |
941 | |
942 | MBEDTLS_CHECK_RETURN_CRITICAL |
943 | int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl); |
944 | MBEDTLS_CHECK_RETURN_CRITICAL |
945 | int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl); |
946 | void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); |
947 | |
948 | /** |
949 | * \brief Update record layer |
950 | * |
951 | * This function roughly separates the implementation |
952 | * of the logic of (D)TLS from the implementation |
953 | * of the secure transport. |
954 | * |
955 | * \param ssl The SSL context to use. |
956 | * \param update_hs_digest This indicates if the handshake digest |
957 | * should be automatically updated in case |
958 | * a handshake message is found. |
959 | * |
960 | * \return 0 or non-zero error code. |
961 | * |
962 | * \note A clarification on what is called 'record layer' here |
963 | * is in order, as many sensible definitions are possible: |
964 | * |
965 | * The record layer takes as input an untrusted underlying |
966 | * transport (stream or datagram) and transforms it into |
967 | * a serially multiplexed, secure transport, which |
968 | * conceptually provides the following: |
969 | * |
970 | * (1) Three datagram based, content-agnostic transports |
971 | * for handshake, alert and CCS messages. |
972 | * (2) One stream- or datagram-based transport |
973 | * for application data. |
974 | * (3) Functionality for changing the underlying transform |
975 | * securing the contents. |
976 | * |
977 | * The interface to this functionality is given as follows: |
978 | * |
979 | * a Updating |
980 | * [Currently implemented by mbedtls_ssl_read_record] |
981 | * |
982 | * Check if and on which of the four 'ports' data is pending: |
983 | * Nothing, a controlling datagram of type (1), or application |
984 | * data (2). In any case data is present, internal buffers |
985 | * provide access to the data for the user to process it. |
986 | * Consumption of type (1) datagrams is done automatically |
987 | * on the next update, invalidating that the internal buffers |
988 | * for previous datagrams, while consumption of application |
989 | * data (2) is user-controlled. |
990 | * |
991 | * b Reading of application data |
992 | * [Currently manual adaption of ssl->in_offt pointer] |
993 | * |
994 | * As mentioned in the last paragraph, consumption of data |
995 | * is different from the automatic consumption of control |
996 | * datagrams (1) because application data is treated as a stream. |
997 | * |
998 | * c Tracking availability of application data |
999 | * [Currently manually through decreasing ssl->in_msglen] |
1000 | * |
1001 | * For efficiency and to retain datagram semantics for |
1002 | * application data in case of DTLS, the record layer |
1003 | * provides functionality for checking how much application |
1004 | * data is still available in the internal buffer. |
1005 | * |
1006 | * d Changing the transformation securing the communication. |
1007 | * |
1008 | * Given an opaque implementation of the record layer in the |
1009 | * above sense, it should be possible to implement the logic |
1010 | * of (D)TLS on top of it without the need to know anything |
1011 | * about the record layer's internals. This is done e.g. |
1012 | * in all the handshake handling functions, and in the |
1013 | * application data reading function mbedtls_ssl_read. |
1014 | * |
1015 | * \note The above tries to give a conceptual picture of the |
1016 | * record layer, but the current implementation deviates |
1017 | * from it in some places. For example, our implementation of |
1018 | * the update functionality through mbedtls_ssl_read_record |
1019 | * discards datagrams depending on the current state, which |
1020 | * wouldn't fall under the record layer's responsibility |
1021 | * following the above definition. |
1022 | * |
1023 | */ |
1024 | MBEDTLS_CHECK_RETURN_CRITICAL |
1025 | int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, |
1026 | unsigned update_hs_digest); |
1027 | MBEDTLS_CHECK_RETURN_CRITICAL |
1028 | int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want); |
1029 | |
1030 | MBEDTLS_CHECK_RETURN_CRITICAL |
1031 | int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl); |
1032 | MBEDTLS_CHECK_RETURN_CRITICAL |
1033 | int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, uint8_t force_flush); |
1034 | MBEDTLS_CHECK_RETURN_CRITICAL |
1035 | int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl); |
1036 | |
1037 | MBEDTLS_CHECK_RETURN_CRITICAL |
1038 | int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl); |
1039 | MBEDTLS_CHECK_RETURN_CRITICAL |
1040 | int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl); |
1041 | |
1042 | MBEDTLS_CHECK_RETURN_CRITICAL |
1043 | int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl); |
1044 | MBEDTLS_CHECK_RETURN_CRITICAL |
1045 | int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl); |
1046 | |
1047 | MBEDTLS_CHECK_RETURN_CRITICAL |
1048 | int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl); |
1049 | MBEDTLS_CHECK_RETURN_CRITICAL |
1050 | int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl); |
1051 | |
1052 | void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, |
1053 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info); |
1054 | |
1055 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
1056 | MBEDTLS_CHECK_RETURN_CRITICAL |
1057 | int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex); |
1058 | |
1059 | /** |
1060 | * Get the first defined PSK by order of precedence: |
1061 | * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback |
1062 | * 2. static PSK configured by \c mbedtls_ssl_conf_psk() |
1063 | * Return a code and update the pair (PSK, PSK length) passed to this function |
1064 | */ |
1065 | static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl, |
1066 | const unsigned char **psk, size_t *psk_len) |
1067 | { |
1068 | if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) { |
1069 | *psk = ssl->handshake->psk; |
1070 | *psk_len = ssl->handshake->psk_len; |
1071 | } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) { |
1072 | *psk = ssl->conf->psk; |
1073 | *psk_len = ssl->conf->psk_len; |
1074 | } else { |
1075 | *psk = NULL; |
1076 | *psk_len = 0; |
1077 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
1078 | } |
1079 | |
1080 | return 0; |
1081 | } |
1082 | |
1083 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
1084 | /** |
1085 | * Get the first defined opaque PSK by order of precedence: |
1086 | * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK |
1087 | * callback |
1088 | * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() |
1089 | * Return an opaque PSK |
1090 | */ |
1091 | static inline psa_key_id_t mbedtls_ssl_get_opaque_psk( |
1092 | const mbedtls_ssl_context *ssl) |
1093 | { |
1094 | if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { |
1095 | return ssl->handshake->psk_opaque; |
1096 | } |
1097 | |
1098 | if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) { |
1099 | return ssl->conf->psk_opaque; |
1100 | } |
1101 | |
1102 | return MBEDTLS_SVC_KEY_ID_INIT; |
1103 | } |
1104 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
1105 | |
1106 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
1107 | |
1108 | #if defined(MBEDTLS_PK_C) |
1109 | unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); |
1110 | unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); |
1111 | mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); |
1112 | #endif |
1113 | |
1114 | mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); |
1115 | unsigned char mbedtls_ssl_hash_from_md_alg(int md); |
1116 | MBEDTLS_CHECK_RETURN_CRITICAL |
1117 | int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md); |
1118 | |
1119 | #if defined(MBEDTLS_ECP_C) |
1120 | MBEDTLS_CHECK_RETURN_CRITICAL |
1121 | int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id); |
1122 | MBEDTLS_CHECK_RETURN_CRITICAL |
1123 | int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id); |
1124 | #endif |
1125 | |
1126 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
1127 | MBEDTLS_CHECK_RETURN_CRITICAL |
1128 | int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl, |
1129 | mbedtls_md_type_t md); |
1130 | #endif |
1131 | |
1132 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
1133 | static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value |
1134 | (const uint16_t srtp_profile_value) |
1135 | { |
1136 | switch (srtp_profile_value) { |
1137 | case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: |
1138 | case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: |
1139 | case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: |
1140 | case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: |
1141 | return srtp_profile_value; |
1142 | default: break; |
1143 | } |
1144 | return MBEDTLS_TLS_SRTP_UNSET; |
1145 | } |
1146 | #endif |
1147 | |
1148 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
1149 | static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl) |
1150 | { |
1151 | mbedtls_ssl_key_cert *key_cert; |
1152 | |
1153 | if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { |
1154 | key_cert = ssl->handshake->key_cert; |
1155 | } else { |
1156 | key_cert = ssl->conf->key_cert; |
1157 | } |
1158 | |
1159 | return key_cert == NULL ? NULL : key_cert->key; |
1160 | } |
1161 | |
1162 | static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) |
1163 | { |
1164 | mbedtls_ssl_key_cert *key_cert; |
1165 | |
1166 | if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { |
1167 | key_cert = ssl->handshake->key_cert; |
1168 | } else { |
1169 | key_cert = ssl->conf->key_cert; |
1170 | } |
1171 | |
1172 | return key_cert == NULL ? NULL : key_cert->cert; |
1173 | } |
1174 | |
1175 | /* |
1176 | * Check usage of a certificate wrt extensions: |
1177 | * keyUsage, extendedKeyUsage (later), and nSCertType (later). |
1178 | * |
1179 | * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we |
1180 | * check a cert we received from them)! |
1181 | * |
1182 | * Return 0 if everything is OK, -1 if not. |
1183 | */ |
1184 | MBEDTLS_CHECK_RETURN_CRITICAL |
1185 | int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, |
1186 | const mbedtls_ssl_ciphersuite_t *ciphersuite, |
1187 | int cert_endpoint, |
1188 | uint32_t *flags); |
1189 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
1190 | |
1191 | void mbedtls_ssl_write_version(int major, int minor, int transport, |
1192 | unsigned char ver[2]); |
1193 | void mbedtls_ssl_read_version(int *major, int *minor, int transport, |
1194 | const unsigned char ver[2]); |
1195 | |
1196 | static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl) |
1197 | { |
1198 | #if !defined(MBEDTLS_SSL_PROTO_DTLS) |
1199 | ((void) ssl); |
1200 | #endif |
1201 | |
1202 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1203 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
1204 | return 13; |
1205 | } else |
1206 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
1207 | { |
1208 | return 5; |
1209 | } |
1210 | } |
1211 | |
1212 | static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl) |
1213 | { |
1214 | return (size_t) (ssl->out_iv - ssl->out_hdr); |
1215 | } |
1216 | |
1217 | static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl) |
1218 | { |
1219 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1220 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
1221 | return 12; |
1222 | } |
1223 | #else |
1224 | ((void) ssl); |
1225 | #endif |
1226 | return 4; |
1227 | } |
1228 | |
1229 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1230 | void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); |
1231 | void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl); |
1232 | MBEDTLS_CHECK_RETURN_CRITICAL |
1233 | int mbedtls_ssl_resend(mbedtls_ssl_context *ssl); |
1234 | MBEDTLS_CHECK_RETURN_CRITICAL |
1235 | int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl); |
1236 | #endif |
1237 | |
1238 | /* Visible for testing purposes only */ |
1239 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
1240 | MBEDTLS_CHECK_RETURN_CRITICAL |
1241 | int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl); |
1242 | void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl); |
1243 | #endif |
1244 | |
1245 | MBEDTLS_CHECK_RETURN_CRITICAL |
1246 | int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, |
1247 | const mbedtls_ssl_session *src); |
1248 | |
1249 | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
1250 | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
1251 | MBEDTLS_CHECK_RETURN_CRITICAL |
1252 | int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl, |
1253 | unsigned char *output, |
1254 | unsigned char *data, size_t data_len); |
1255 | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
1256 | MBEDTLS_SSL_PROTO_TLS1_1 */ |
1257 | |
1258 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
1259 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
1260 | /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ |
1261 | MBEDTLS_CHECK_RETURN_CRITICAL |
1262 | int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, |
1263 | unsigned char *hash, size_t *hashlen, |
1264 | unsigned char *data, size_t data_len, |
1265 | mbedtls_md_type_t md_alg); |
1266 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ |
1267 | MBEDTLS_SSL_PROTO_TLS1_2 */ |
1268 | |
1269 | #ifdef __cplusplus |
1270 | } |
1271 | #endif |
1272 | |
1273 | void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform); |
1274 | MBEDTLS_CHECK_RETURN_CRITICAL |
1275 | int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, |
1276 | mbedtls_ssl_transform *transform, |
1277 | mbedtls_record *rec, |
1278 | int (*f_rng)(void *, unsigned char *, size_t), |
1279 | void *p_rng); |
1280 | MBEDTLS_CHECK_RETURN_CRITICAL |
1281 | int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, |
1282 | mbedtls_ssl_transform *transform, |
1283 | mbedtls_record *rec); |
1284 | |
1285 | /* Length of the "epoch" field in the record header */ |
1286 | static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl) |
1287 | { |
1288 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1289 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
1290 | return 2; |
1291 | } |
1292 | #else |
1293 | ((void) ssl); |
1294 | #endif |
1295 | return 0; |
1296 | } |
1297 | |
1298 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1299 | MBEDTLS_CHECK_RETURN_CRITICAL |
1300 | int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl); |
1301 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
1302 | |
1303 | void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); |
1304 | MBEDTLS_CHECK_RETURN_CRITICAL |
1305 | int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); |
1306 | |
1307 | void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl); |
1308 | void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, |
1309 | mbedtls_ssl_transform *transform); |
1310 | void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); |
1311 | |
1312 | MBEDTLS_CHECK_RETURN_CRITICAL |
1313 | int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); |
1314 | |
1315 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
1316 | void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl); |
1317 | #endif |
1318 | |
1319 | void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl); |
1320 | |
1321 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1322 | MBEDTLS_CHECK_RETURN_CRITICAL |
1323 | int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl); |
1324 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
1325 | |
1326 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1327 | size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl); |
1328 | void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl); |
1329 | void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight); |
1330 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
1331 | |
1332 | #if defined(MBEDTLS_TEST_HOOKS) |
1333 | int mbedtls_ssl_check_dtls_clihlo_cookie( |
1334 | mbedtls_ssl_context *ssl, |
1335 | const unsigned char *cli_id, size_t cli_id_len, |
1336 | const unsigned char *in, size_t in_len, |
1337 | unsigned char *obuf, size_t buf_len, size_t *olen); |
1338 | #endif |
1339 | |
1340 | #endif /* ssl_internal.h */ |
1341 | |