Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1 | /** |
Darryl Green | a40a101 | 2018-01-05 15:33:17 +0000 | [diff] [blame] | 2 | * \file ssl_internal.h |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 3 | * |
| 4 | * \brief Internal functions shared by the SSL modules |
Darryl Green | a40a101 | 2018-01-05 15:33:17 +0000 | [diff] [blame] | 5 | */ |
| 6 | /* |
Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 7 | * Copyright The Mbed TLS Contributors |
Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 8 | * SPDX-License-Identifier: Apache-2.0 |
| 9 | * |
| 10 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 11 | * not use this file except in compliance with the License. |
| 12 | * You may obtain a copy of the License at |
| 13 | * |
| 14 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 15 | * |
| 16 | * Unless required by applicable law or agreed to in writing, software |
| 17 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 18 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 19 | * See the License for the specific language governing permissions and |
| 20 | * limitations under the License. |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 21 | */ |
| 22 | #ifndef MBEDTLS_SSL_INTERNAL_H |
| 23 | #define MBEDTLS_SSL_INTERNAL_H |
| 24 | |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 25 | #if !defined(MBEDTLS_CONFIG_FILE) |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 26 | #include "mbedtls/config.h" |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 27 | #else |
| 28 | #include MBEDTLS_CONFIG_FILE |
| 29 | #endif |
| 30 | |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 31 | #include "mbedtls/ssl.h" |
| 32 | #include "mbedtls/cipher.h" |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 33 | |
Andrzej Kurek | eb34224 | 2019-01-29 09:14:33 -0500 | [diff] [blame] | 34 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 35 | #include "psa/crypto.h" |
| 36 | #endif |
| 37 | |
Manuel Pégourié-Gonnard | 56273da | 2015-05-26 12:19:45 +0200 | [diff] [blame] | 38 | #if defined(MBEDTLS_MD5_C) |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 39 | #include "mbedtls/md5.h" |
Manuel Pégourié-Gonnard | 56273da | 2015-05-26 12:19:45 +0200 | [diff] [blame] | 40 | #endif |
| 41 | |
| 42 | #if defined(MBEDTLS_SHA1_C) |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 43 | #include "mbedtls/sha1.h" |
Manuel Pégourié-Gonnard | 56273da | 2015-05-26 12:19:45 +0200 | [diff] [blame] | 44 | #endif |
| 45 | |
| 46 | #if defined(MBEDTLS_SHA256_C) |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 47 | #include "mbedtls/sha256.h" |
Manuel Pégourié-Gonnard | 56273da | 2015-05-26 12:19:45 +0200 | [diff] [blame] | 48 | #endif |
| 49 | |
| 50 | #if defined(MBEDTLS_SHA512_C) |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 51 | #include "mbedtls/sha512.h" |
Manuel Pégourié-Gonnard | 56273da | 2015-05-26 12:19:45 +0200 | [diff] [blame] | 52 | #endif |
| 53 | |
Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 54 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 55 | #include "mbedtls/ecjpake.h" |
Manuel Pégourié-Gonnard | 76cfd3f | 2015-09-15 12:10:54 +0200 | [diff] [blame] | 56 | #endif |
| 57 | |
Hanno Becker | df51dbe | 2019-02-18 16:41:55 +0000 | [diff] [blame] | 58 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 59 | #include "psa/crypto.h" |
Jaeden Amero | 6609aef | 2019-07-04 20:01:14 +0100 | [diff] [blame] | 60 | #include "mbedtls/psa_util.h" |
Hanno Becker | df51dbe | 2019-02-18 16:41:55 +0000 | [diff] [blame] | 61 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 62 | |
Manuel Pégourié-Gonnard | 0223ab9 | 2015-10-05 11:40:01 +0100 | [diff] [blame] | 63 | #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ |
| 64 | !defined(inline) && !defined(__cplusplus) |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 65 | #define inline __inline |
Manuel Pégourié-Gonnard | 20af64d | 2015-07-07 18:33:39 +0200 | [diff] [blame] | 66 | #endif |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 67 | |
| 68 | /* Determine minimum supported version */ |
| 69 | #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 |
| 70 | |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 71 | #if defined(MBEDTLS_SSL_PROTO_TLS1) |
| 72 | #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 |
| 73 | #else |
| 74 | #if defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| 75 | #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 |
| 76 | #else |
| 77 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 78 | #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 |
| 79 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| 80 | #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ |
| 81 | #endif /* MBEDTLS_SSL_PROTO_TLS1 */ |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 82 | |
Ron Eldor | 5e9f14d | 2017-05-28 10:46:38 +0300 | [diff] [blame] | 83 | #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 |
| 84 | #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 |
| 85 | |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 86 | /* Determine maximum supported version */ |
| 87 | #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 |
| 88 | |
| 89 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 90 | #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 |
| 91 | #else |
| 92 | #if defined(MBEDTLS_SSL_PROTO_TLS1_1) |
| 93 | #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 |
| 94 | #else |
| 95 | #if defined(MBEDTLS_SSL_PROTO_TLS1) |
| 96 | #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 |
| 97 | #else |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 98 | #endif /* MBEDTLS_SSL_PROTO_TLS1 */ |
| 99 | #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ |
| 100 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| 101 | |
Manuel Pégourié-Gonnard | 862cde5 | 2017-05-17 11:56:15 +0200 | [diff] [blame] | 102 | /* Shorthand for restartable ECC */ |
Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 103 | #if defined(MBEDTLS_ECP_RESTARTABLE) && \ |
| 104 | defined(MBEDTLS_SSL_CLI_C) && \ |
| 105 | defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
| 106 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 107 | #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED |
Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 108 | #endif |
| 109 | |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 110 | #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 |
| 111 | #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ |
| 112 | #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ |
| 113 | #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ |
| 114 | |
| 115 | /* |
| 116 | * DTLS retransmission states, see RFC 6347 4.2.4 |
| 117 | * |
| 118 | * The SENDING state is merged in PREPARING for initial sends, |
| 119 | * but is distinct for resends. |
| 120 | * |
| 121 | * Note: initial state is wrong for server, but is not used anyway. |
| 122 | */ |
| 123 | #define MBEDTLS_SSL_RETRANS_PREPARING 0 |
| 124 | #define MBEDTLS_SSL_RETRANS_SENDING 1 |
| 125 | #define MBEDTLS_SSL_RETRANS_WAITING 2 |
| 126 | #define MBEDTLS_SSL_RETRANS_FINISHED 3 |
| 127 | |
| 128 | /* |
| 129 | * Allow extra bytes for record, authentication and encryption overhead: |
| 130 | * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256) |
| 131 | * and allow for a maximum of 1024 of compression expansion if |
| 132 | * enabled. |
| 133 | */ |
| 134 | #if defined(MBEDTLS_ZLIB_SUPPORT) |
| 135 | #define MBEDTLS_SSL_COMPRESSION_ADD 1024 |
| 136 | #else |
| 137 | #define MBEDTLS_SSL_COMPRESSION_ADD 0 |
| 138 | #endif |
| 139 | |
Manuel Pégourié-Gonnard | 05579c4 | 2020-07-31 12:53:39 +0200 | [diff] [blame] | 140 | /* This macro determines whether CBC is supported. */ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 141 | #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ |
| 142 | ( defined(MBEDTLS_AES_C) || \ |
| 143 | defined(MBEDTLS_CAMELLIA_C) || \ |
| 144 | defined(MBEDTLS_ARIA_C) || \ |
| 145 | defined(MBEDTLS_DES_C) ) |
| 146 | #define MBEDTLS_SSL_SOME_SUITES_USE_CBC |
| 147 | #endif |
| 148 | |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 149 | /* This macro determines whether the CBC construct used in TLS 1.0-1.2 is supported. */ |
Manuel Pégourié-Gonnard | ed0e864 | 2020-07-21 11:20:30 +0200 | [diff] [blame] | 150 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ |
| 151 | ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
| 152 | defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
| 153 | defined(MBEDTLS_SSL_PROTO_TLS1_2) ) |
| 154 | #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC |
| 155 | #endif |
| 156 | |
Hanno Becker | 52344c2 | 2018-01-03 15:24:20 +0000 | [diff] [blame] | 157 | #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ |
Manuel Pégourié-Gonnard | 2df1f1f | 2020-07-09 12:11:39 +0200 | [diff] [blame] | 158 | defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) |
Hanno Becker | 52344c2 | 2018-01-03 15:24:20 +0000 | [diff] [blame] | 159 | #define MBEDTLS_SSL_SOME_MODES_USE_MAC |
| 160 | #endif |
| 161 | |
| 162 | #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 163 | /* Ciphersuites using HMAC */ |
| 164 | #if defined(MBEDTLS_SHA512_C) |
| 165 | #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ |
| 166 | #elif defined(MBEDTLS_SHA256_C) |
| 167 | #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ |
| 168 | #else |
| 169 | #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ |
| 170 | #endif |
Hanno Becker | 52344c2 | 2018-01-03 15:24:20 +0000 | [diff] [blame] | 171 | #else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 172 | /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ |
| 173 | #define MBEDTLS_SSL_MAC_ADD 16 |
| 174 | #endif |
| 175 | |
| 176 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
| 177 | #define MBEDTLS_SSL_PADDING_ADD 256 |
| 178 | #else |
| 179 | #define MBEDTLS_SSL_PADDING_ADD 0 |
| 180 | #endif |
| 181 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 182 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | b1aa1b3 | 2019-05-08 17:37:58 +0100 | [diff] [blame] | 183 | #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 184 | #else |
| 185 | #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 |
| 186 | #endif |
| 187 | |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 188 | #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \ |
| 189 | MBEDTLS_MAX_IV_LENGTH + \ |
| 190 | MBEDTLS_SSL_MAC_ADD + \ |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 191 | MBEDTLS_SSL_PADDING_ADD + \ |
| 192 | MBEDTLS_SSL_MAX_CID_EXPANSION \ |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 193 | ) |
| 194 | |
| 195 | #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ |
| 196 | ( MBEDTLS_SSL_IN_CONTENT_LEN ) ) |
| 197 | |
| 198 | #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ |
| 199 | ( MBEDTLS_SSL_OUT_CONTENT_LEN ) ) |
| 200 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 201 | /* The maximum number of buffered handshake messages. */ |
Hanno Becker | d488b9e | 2018-08-16 16:35:37 +0100 | [diff] [blame] | 202 | #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 203 | |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 204 | /* Maximum length we can advertise as our max content length for |
| 205 | RFC 6066 max_fragment_length extension negotiation purposes |
| 206 | (the lesser of both sizes, if they are unequal.) |
| 207 | */ |
| 208 | #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ |
| 209 | (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ |
| 210 | ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \ |
| 211 | : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \ |
| 212 | ) |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 213 | |
Hanno Becker | e131bfe | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 214 | /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */ |
| 215 | #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534 |
| 216 | |
| 217 | /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ |
| 218 | #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 |
| 219 | |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 220 | /* |
Hanno Becker | a8434e8 | 2017-09-18 10:54:39 +0100 | [diff] [blame] | 221 | * Check that we obey the standard's message size bounds |
| 222 | */ |
| 223 | |
| 224 | #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384 |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 225 | #error "Bad configuration - record content too large." |
Hanno Becker | a8434e8 | 2017-09-18 10:54:39 +0100 | [diff] [blame] | 226 | #endif |
| 227 | |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 228 | #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN |
| 229 | #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." |
Hanno Becker | a8434e8 | 2017-09-18 10:54:39 +0100 | [diff] [blame] | 230 | #endif |
| 231 | |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 232 | #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN |
| 233 | #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." |
| 234 | #endif |
| 235 | |
| 236 | #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 |
| 237 | #error "Bad configuration - incoming protected record payload too large." |
| 238 | #endif |
| 239 | |
| 240 | #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 |
| 241 | #error "Bad configuration - outgoing protected record payload too large." |
| 242 | #endif |
| 243 | |
| 244 | /* Calculate buffer sizes */ |
| 245 | |
Hanno Becker | 25d6d1a | 2017-12-07 08:22:51 +0000 | [diff] [blame] | 246 | /* Note: Even though the TLS record header is only 5 bytes |
| 247 | long, we're internally using 8 bytes to store the |
| 248 | implicit sequence number. */ |
Hanno Becker | d25d444 | 2017-10-04 13:56:42 +0100 | [diff] [blame] | 249 | #define MBEDTLS_SSL_HEADER_LEN 13 |
Hanno Becker | a8434e8 | 2017-09-18 10:54:39 +0100 | [diff] [blame] | 250 | |
Andrzej Kurek | 033c42a | 2020-03-03 05:57:59 -0500 | [diff] [blame] | 251 | #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 252 | #define MBEDTLS_SSL_IN_BUFFER_LEN \ |
| 253 | ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) ) |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 254 | #else |
| 255 | #define MBEDTLS_SSL_IN_BUFFER_LEN \ |
| 256 | ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \ |
| 257 | + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) ) |
| 258 | #endif |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 259 | |
Andrzej Kurek | 033c42a | 2020-03-03 05:57:59 -0500 | [diff] [blame] | 260 | #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 261 | #define MBEDTLS_SSL_OUT_BUFFER_LEN \ |
| 262 | ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) ) |
Hanno Becker | 6cbad55 | 2019-05-08 15:40:11 +0100 | [diff] [blame] | 263 | #else |
| 264 | #define MBEDTLS_SSL_OUT_BUFFER_LEN \ |
| 265 | ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \ |
| 266 | + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) ) |
| 267 | #endif |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 268 | |
Andrzej Kurek | 0afa2a1 | 2020-03-03 10:39:58 -0500 | [diff] [blame] | 269 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
Andrzej Kurek | 069fa96 | 2021-01-07 08:02:15 -0500 | [diff] [blame] | 270 | static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx ) |
Andrzej Kurek | 0afa2a1 | 2020-03-03 10:39:58 -0500 | [diff] [blame] | 271 | { |
| 272 | #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Andrzej Kurek | 069fa96 | 2021-01-07 08:02:15 -0500 | [diff] [blame] | 273 | return mbedtls_ssl_get_output_max_frag_len( ctx ) |
Andrzej Kurek | 0afa2a1 | 2020-03-03 10:39:58 -0500 | [diff] [blame] | 274 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD |
| 275 | + MBEDTLS_SSL_CID_OUT_LEN_MAX; |
| 276 | #else |
Andrzej Kurek | 069fa96 | 2021-01-07 08:02:15 -0500 | [diff] [blame] | 277 | return mbedtls_ssl_get_output_max_frag_len( ctx ) |
Andrzej Kurek | 0afa2a1 | 2020-03-03 10:39:58 -0500 | [diff] [blame] | 278 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; |
| 279 | #endif |
| 280 | } |
| 281 | |
Andrzej Kurek | 069fa96 | 2021-01-07 08:02:15 -0500 | [diff] [blame] | 282 | static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx ) |
Andrzej Kurek | 0afa2a1 | 2020-03-03 10:39:58 -0500 | [diff] [blame] | 283 | { |
| 284 | #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Andrzej Kurek | 069fa96 | 2021-01-07 08:02:15 -0500 | [diff] [blame] | 285 | return mbedtls_ssl_get_input_max_frag_len( ctx ) |
Andrzej Kurek | 0afa2a1 | 2020-03-03 10:39:58 -0500 | [diff] [blame] | 286 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD |
| 287 | + MBEDTLS_SSL_CID_IN_LEN_MAX; |
| 288 | #else |
Andrzej Kurek | 069fa96 | 2021-01-07 08:02:15 -0500 | [diff] [blame] | 289 | return mbedtls_ssl_get_input_max_frag_len( ctx ) |
Andrzej Kurek | 0afa2a1 | 2020-03-03 10:39:58 -0500 | [diff] [blame] | 290 | + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; |
| 291 | #endif |
| 292 | } |
| 293 | #endif |
| 294 | |
Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 295 | #ifdef MBEDTLS_ZLIB_SUPPORT |
| 296 | /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */ |
| 297 | #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \ |
| 298 | ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \ |
| 299 | ? MBEDTLS_SSL_IN_BUFFER_LEN \ |
| 300 | : MBEDTLS_SSL_OUT_BUFFER_LEN \ |
| 301 | ) |
| 302 | #endif |
Hanno Becker | a8434e8 | 2017-09-18 10:54:39 +0100 | [diff] [blame] | 303 | |
| 304 | /* |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 305 | * TLS extension flags (for extensions with outgoing ServerHello content |
| 306 | * that need it (e.g. for RENEGOTIATION_INFO the server already knows because |
| 307 | * of state of the renegotiation flag, so no indicator is required) |
| 308 | */ |
| 309 | #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) |
Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 310 | #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) |
Manuel Pégourié-Gonnard | 065122c | 2015-05-26 12:31:46 +0200 | [diff] [blame] | 311 | |
Hanno Becker | 51018aa | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 312 | /** |
| 313 | * \brief This function checks if the remaining size in a buffer is |
| 314 | * greater or equal than a needed space. |
| 315 | * |
| 316 | * \param cur Pointer to the current position in the buffer. |
| 317 | * \param end Pointer to one past the end of the buffer. |
| 318 | * \param need Needed space in bytes. |
| 319 | * |
Ronald Cron | b7b35e1 | 2020-06-11 09:50:51 +0200 | [diff] [blame] | 320 | * \return Zero if the needed space is available in the buffer, non-zero |
Hanno Becker | 51018aa | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 321 | * otherwise. |
| 322 | */ |
| 323 | static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur, |
| 324 | const uint8_t *end, size_t need ) |
| 325 | { |
Ronald Cron | b7b35e1 | 2020-06-11 09:50:51 +0200 | [diff] [blame] | 326 | return( ( cur > end ) || ( need > (size_t)( end - cur ) ) ); |
Hanno Becker | 51018aa | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 327 | } |
| 328 | |
| 329 | /** |
| 330 | * \brief This macro checks if the remaining size in a buffer is |
| 331 | * greater or equal than a needed space. If it is not the case, |
| 332 | * it returns an SSL_BUFFER_TOO_SMALL error. |
| 333 | * |
| 334 | * \param cur Pointer to the current position in the buffer. |
| 335 | * \param end Pointer to one past the end of the buffer. |
| 336 | * \param need Needed space in bytes. |
| 337 | * |
| 338 | */ |
| 339 | #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \ |
| 340 | do { \ |
Ronald Cron | b7b35e1 | 2020-06-11 09:50:51 +0200 | [diff] [blame] | 341 | if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \ |
Hanno Becker | 51018aa | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 342 | { \ |
| 343 | return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \ |
| 344 | } \ |
| 345 | } while( 0 ) |
| 346 | |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 347 | #ifdef __cplusplus |
| 348 | extern "C" { |
| 349 | #endif |
| 350 | |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 351 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 352 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 353 | /* |
| 354 | * Abstraction for a grid of allowed signature-hash-algorithm pairs. |
| 355 | */ |
| 356 | struct mbedtls_ssl_sig_hash_set_t |
| 357 | { |
| 358 | /* At the moment, we only need to remember a single suitable |
| 359 | * hash algorithm per signature algorithm. As long as that's |
| 360 | * the case - and we don't need a general lookup function - |
| 361 | * we can implement the sig-hash-set as a map from signatures |
| 362 | * to hash algorithms. */ |
| 363 | mbedtls_md_type_t rsa; |
| 364 | mbedtls_md_type_t ecdsa; |
| 365 | }; |
| 366 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 367 | MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 368 | |
Ron Eldor | 51d3ab5 | 2019-05-12 14:54:30 +0300 | [diff] [blame] | 369 | typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, |
| 370 | const char *label, |
| 371 | const unsigned char *random, size_t rlen, |
| 372 | unsigned char *dstbuf, size_t dlen ); |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 373 | |
Hanno Becker | 61baae7 | 2020-09-16 09:24:14 +0100 | [diff] [blame] | 374 | /* cipher.h exports the maximum IV, key and block length from |
Hanno Becker | 1588983 | 2020-09-08 11:29:11 +0100 | [diff] [blame] | 375 | * all ciphers enabled in the config, regardless of whether those |
| 376 | * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled |
| 377 | * in the default configuration and uses 64 Byte keys, but it is |
| 378 | * not used for record protection in SSL/TLS. |
| 379 | * |
| 380 | * In order to prevent unnecessary inflation of key structures, |
| 381 | * we introduce SSL-specific variants of the max-{key,block,IV} |
| 382 | * macros here which are meant to only take those ciphers into |
| 383 | * account which can be negotiated in SSL/TLS. |
| 384 | * |
| 385 | * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH |
| 386 | * in cipher.h are rough overapproximations of the real maxima, here |
Hanno Becker | 9a7a2ac | 2020-09-09 09:24:54 +0100 | [diff] [blame] | 387 | * we content ourselves with replicating those overapproximations |
Hanno Becker | 1588983 | 2020-09-08 11:29:11 +0100 | [diff] [blame] | 388 | * for the maximum block and IV length, and excluding XTS from the |
| 389 | * computation of the maximum key length. */ |
| 390 | #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 |
| 391 | #define MBEDTLS_SSL_MAX_IV_LENGTH 16 |
| 392 | #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 |
| 393 | |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 394 | /** |
| 395 | * \brief The data structure holding the cryptographic material (key and IV) |
| 396 | * used for record protection in TLS 1.3. |
| 397 | */ |
| 398 | struct mbedtls_ssl_key_set |
| 399 | { |
| 400 | /*! The key for client->server records. */ |
Hanno Becker | 1588983 | 2020-09-08 11:29:11 +0100 | [diff] [blame] | 401 | unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ]; |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 402 | /*! The key for server->client records. */ |
Hanno Becker | 1588983 | 2020-09-08 11:29:11 +0100 | [diff] [blame] | 403 | unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ]; |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 404 | /*! The IV for client->server records. */ |
Hanno Becker | 1588983 | 2020-09-08 11:29:11 +0100 | [diff] [blame] | 405 | unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ]; |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 406 | /*! The IV for server->client records. */ |
Hanno Becker | 1588983 | 2020-09-08 11:29:11 +0100 | [diff] [blame] | 407 | unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ]; |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 408 | |
Hanno Becker | 493ea7f | 2020-09-08 11:01:00 +0100 | [diff] [blame] | 409 | size_t key_len; /*!< The length of client_write_key and |
| 410 | * server_write_key, in Bytes. */ |
| 411 | size_t iv_len; /*!< The length of client_write_iv and |
| 412 | * server_write_iv, in Bytes. */ |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 413 | }; |
| 414 | typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; |
Hanno Becker | 3385a4d | 2020-08-21 13:03:34 +0100 | [diff] [blame] | 415 | |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 416 | /* |
| 417 | * This structure contains the parameters only needed during handshake. |
| 418 | */ |
| 419 | struct mbedtls_ssl_handshake_params |
| 420 | { |
| 421 | /* |
| 422 | * Handshake specific crypto variables |
| 423 | */ |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 424 | |
| 425 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 426 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 427 | mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */ |
| 428 | #endif |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 429 | #if defined(MBEDTLS_DHM_C) |
| 430 | mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ |
| 431 | #endif |
John Durkop | 07cc04a | 2020-11-16 22:08:34 -0800 | [diff] [blame] | 432 | /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due |
| 433 | * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap |
| 434 | * in functionality that access to ecdh_ctx structure is needed for |
| 435 | * MBEDTLS_ECDSA_C which does not seem correct. |
| 436 | */ |
| 437 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 438 | mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ |
Hanno Becker | df51dbe | 2019-02-18 16:41:55 +0000 | [diff] [blame] | 439 | |
| 440 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 4245980 | 2019-12-19 13:31:53 +0100 | [diff] [blame] | 441 | psa_key_type_t ecdh_psa_type; |
| 442 | uint16_t ecdh_bits; |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 443 | psa_key_id_t ecdh_psa_privkey; |
Hanno Becker | df51dbe | 2019-02-18 16:41:55 +0000 | [diff] [blame] | 444 | unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; |
| 445 | size_t ecdh_psa_peerkey_len; |
| 446 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
John Durkop | 07cc04a | 2020-11-16 22:08:34 -0800 | [diff] [blame] | 447 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ |
Hanno Becker | df51dbe | 2019-02-18 16:41:55 +0000 | [diff] [blame] | 448 | |
Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 449 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
Manuel Pégourié-Gonnard | 76cfd3f | 2015-09-15 12:10:54 +0200 | [diff] [blame] | 450 | mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ |
Manuel Pégourié-Gonnard | 77c0646 | 2015-09-17 13:59:49 +0200 | [diff] [blame] | 451 | #if defined(MBEDTLS_SSL_CLI_C) |
| 452 | unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ |
| 453 | size_t ecjpake_cache_len; /*!< Length of cached data */ |
| 454 | #endif |
Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 455 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 456 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 457 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 458 | const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ |
| 459 | #endif |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 460 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
Hanno Becker | d9f7d43 | 2018-10-22 15:29:46 +0100 | [diff] [blame] | 461 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 462 | psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ |
Hanno Becker | d9f7d43 | 2018-10-22 15:29:46 +0100 | [diff] [blame] | 463 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 464 | unsigned char *psk; /*!< PSK from the callback */ |
| 465 | size_t psk_len; /*!< Length of PSK from callback */ |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 466 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 467 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| 468 | mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ |
| 469 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 470 | int sni_authmode; /*!< authmode from SNI callback */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 471 | mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ |
| 472 | mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ |
| 473 | mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ |
Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 474 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 475 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 476 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 477 | int ecrs_enabled; /*!< Handshake supports EC restart? */ |
Manuel Pégourié-Gonnard | 6b7301c | 2017-08-15 12:08:45 +0200 | [diff] [blame] | 478 | mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ |
Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 479 | enum { /* this complements ssl->state with info on intra-state operations */ |
| 480 | ssl_ecrs_none = 0, /*!< nothing going on (yet) */ |
| 481 | ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ |
Manuel Pégourié-Gonnard | c37423f | 2018-10-16 10:28:17 +0200 | [diff] [blame] | 482 | ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ |
| 483 | ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ |
Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 484 | ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ |
| 485 | } ecrs_state; /*!< current (or last) operation */ |
Hanno Becker | 3fd3f5e | 2019-02-25 10:08:06 +0000 | [diff] [blame] | 486 | mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ |
Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 487 | size_t ecrs_n; /*!< place for saving a length */ |
Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 488 | #endif |
Hanno Becker | 7517312 | 2019-02-06 16:18:31 +0000 | [diff] [blame] | 489 | #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ |
| 490 | !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 491 | mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ |
| 492 | #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 493 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 494 | unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ |
| 495 | unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ |
| 496 | |
| 497 | unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie |
| 498 | Srv: unused */ |
| 499 | unsigned char verify_cookie_len; /*!< Cli: cookie length |
| 500 | Srv: flag for sending a cookie */ |
| 501 | |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 502 | uint32_t retransmit_timeout; /*!< Current value of timeout */ |
| 503 | unsigned char retransmit_state; /*!< Retransmission state */ |
Manuel Pégourié-Gonnard | 28f4bea | 2017-09-13 14:00:05 +0200 | [diff] [blame] | 504 | mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ |
| 505 | mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ |
| 506 | unsigned char *cur_msg_p; /*!< Position in current message */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 507 | unsigned int in_flight_start_seq; /*!< Minimum message sequence in the |
| 508 | flight being received */ |
| 509 | mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for |
| 510 | resending messages */ |
| 511 | unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter |
| 512 | for resending messages */ |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 513 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 514 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 2f28c10 | 2019-04-25 15:46:59 +0100 | [diff] [blame] | 515 | /* The state of CID configuration in this handshake. */ |
| 516 | |
| 517 | uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension |
Hanno Becker | f1a2808 | 2019-05-15 10:17:48 +0100 | [diff] [blame] | 518 | * has been negotiated. Possible values are |
Hanno Becker | 2f28c10 | 2019-04-25 15:46:59 +0100 | [diff] [blame] | 519 | * #MBEDTLS_SSL_CID_ENABLED and |
| 520 | * #MBEDTLS_SSL_CID_DISABLED. */ |
| 521 | unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */ |
| 522 | uint8_t peer_cid_len; /*!< The length of |
| 523 | * \c peer_cid. */ |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 524 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 2f28c10 | 2019-04-25 15:46:59 +0100 | [diff] [blame] | 525 | |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 526 | struct |
| 527 | { |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 528 | size_t total_bytes_buffered; /*!< Cumulative size of heap allocated |
| 529 | * buffers used for message buffering. */ |
| 530 | |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 531 | uint8_t seen_ccs; /*!< Indicates if a CCS message has |
Hanno Becker | 2ed6bcc | 2018-08-15 15:11:57 +0100 | [diff] [blame] | 532 | * been seen in the current flight. */ |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 533 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 534 | struct mbedtls_ssl_hs_buffer |
| 535 | { |
Hanno Becker | 98081a0 | 2018-08-22 13:32:50 +0100 | [diff] [blame] | 536 | unsigned is_valid : 1; |
| 537 | unsigned is_fragmented : 1; |
| 538 | unsigned is_complete : 1; |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 539 | unsigned char *data; |
Hanno Becker | e0b150f | 2018-08-21 15:51:03 +0100 | [diff] [blame] | 540 | size_t data_len; |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 541 | } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; |
| 542 | |
Hanno Becker | 5f066e7 | 2018-08-16 14:56:31 +0100 | [diff] [blame] | 543 | struct |
| 544 | { |
| 545 | unsigned char *data; |
| 546 | size_t len; |
| 547 | unsigned epoch; |
| 548 | } future_record; |
| 549 | |
Hanno Becker | d7f8ae2 | 2018-08-16 09:45:56 +0100 | [diff] [blame] | 550 | } buffering; |
Hanno Becker | 3546201 | 2018-08-22 10:25:40 +0100 | [diff] [blame] | 551 | |
Manuel Pégourié-Gonnard | f47a4af | 2018-08-22 10:38:52 +0200 | [diff] [blame] | 552 | uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ |
Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 553 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 554 | |
| 555 | /* |
| 556 | * Checksum contexts |
| 557 | */ |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 558 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 559 | mbedtls_md5_context fin_md5; |
| 560 | mbedtls_sha1_context fin_sha1; |
| 561 | #endif |
| 562 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 563 | #if defined(MBEDTLS_SHA256_C) |
Andrzej Kurek | eb34224 | 2019-01-29 09:14:33 -0500 | [diff] [blame] | 564 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 565 | psa_hash_operation_t fin_sha256_psa; |
| 566 | #else |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 567 | mbedtls_sha256_context fin_sha256; |
| 568 | #endif |
Andrzej Kurek | eb34224 | 2019-01-29 09:14:33 -0500 | [diff] [blame] | 569 | #endif |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 570 | #if defined(MBEDTLS_SHA512_C) |
Andrzej Kurek | eb34224 | 2019-01-29 09:14:33 -0500 | [diff] [blame] | 571 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Andrzej Kurek | 972fba5 | 2019-01-30 03:29:12 -0500 | [diff] [blame] | 572 | psa_hash_operation_t fin_sha384_psa; |
Andrzej Kurek | eb34224 | 2019-01-29 09:14:33 -0500 | [diff] [blame] | 573 | #else |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 574 | mbedtls_sha512_context fin_sha512; |
| 575 | #endif |
Andrzej Kurek | eb34224 | 2019-01-29 09:14:33 -0500 | [diff] [blame] | 576 | #endif |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 577 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
| 578 | |
| 579 | void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); |
Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 580 | void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 581 | void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); |
Ron Eldor | 51d3ab5 | 2019-05-12 14:54:30 +0300 | [diff] [blame] | 582 | mbedtls_ssl_tls_prf_cb *tls_prf; |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 583 | |
Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 584 | mbedtls_ssl_ciphersuite_t const *ciphersuite_info; |
| 585 | |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 586 | size_t pmslen; /*!< premaster length */ |
| 587 | |
| 588 | unsigned char randbytes[64]; /*!< random bytes */ |
| 589 | unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; |
| 590 | /*!< premaster secret */ |
| 591 | |
| 592 | int resume; /*!< session resume indicator*/ |
| 593 | int max_major_ver; /*!< max. major version client*/ |
| 594 | int max_minor_ver; /*!< max. minor version client*/ |
| 595 | int cli_exts; /*!< client extension presence*/ |
| 596 | |
| 597 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 598 | int new_session_ticket; /*!< use NewSessionTicket? */ |
| 599 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 600 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| 601 | int extended_ms; /*!< use Extended Master Secret? */ |
| 602 | #endif |
Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 603 | |
| 604 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
Gilles Peskine | 7830073 | 2018-04-26 13:03:29 +0200 | [diff] [blame] | 605 | unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */ |
Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 606 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 607 | |
| 608 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 609 | /** Asynchronous operation context. This field is meant for use by the |
| 610 | * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, |
| 611 | * mbedtls_ssl_config::f_async_decrypt_start, |
| 612 | * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). |
| 613 | * The library does not use it internally. */ |
| 614 | void *user_async_ctx; |
| 615 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 616 | }; |
| 617 | |
Hanno Becker | 0271f96 | 2018-08-16 13:23:47 +0100 | [diff] [blame] | 618 | typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; |
| 619 | |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 620 | /* |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 621 | * Representation of decryption/encryption transformations on records |
| 622 | * |
| 623 | * There are the following general types of record transformations: |
| 624 | * - Stream transformations (TLS versions <= 1.2 only) |
| 625 | * Transformation adding a MAC and applying a stream-cipher |
| 626 | * to the authenticated message. |
| 627 | * - CBC block cipher transformations ([D]TLS versions <= 1.2 only) |
| 628 | * In addition to the distinction of the order of encryption and |
| 629 | * authentication, there's a fundamental difference between the |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 630 | * handling in TLS 1.0 and TLS 1.1 and TLS 1.2: For TLS 1.0, |
| 631 | * the final IV after processing a record is used |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 632 | * as the IV for the next record. No explicit IV is contained |
| 633 | * in an encrypted record. The IV for the first record is extracted |
| 634 | * at key extraction time. In contrast, for TLS 1.1 and 1.2, no |
| 635 | * IV is generated at key extraction time, but every encrypted |
| 636 | * record is explicitly prefixed by the IV with which it was encrypted. |
| 637 | * - AEAD transformations ([D]TLS versions >= 1.2 only) |
| 638 | * These come in two fundamentally different versions, the first one |
| 639 | * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second |
| 640 | * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. |
| 641 | * In the first transformation, the IV to be used for a record is obtained |
| 642 | * as the concatenation of an explicit, static 4-byte IV and the 8-byte |
| 643 | * record sequence number, and explicitly prepending this sequence number |
| 644 | * to the encrypted record. In contrast, in the second transformation |
| 645 | * the IV is obtained by XOR'ing a static IV obtained at key extraction |
| 646 | * time with the 8-byte record sequence number, without prepending the |
| 647 | * latter to the encrypted record. |
| 648 | * |
Hanno Becker | 7d343ec | 2020-05-04 12:29:05 +0100 | [diff] [blame] | 649 | * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext |
| 650 | * which allows to add flexible length padding and to hide a record's true |
| 651 | * content type. |
| 652 | * |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 653 | * In addition to type and version, the following parameters are relevant: |
| 654 | * - The symmetric cipher algorithm to be used. |
| 655 | * - The (static) encryption/decryption keys for the cipher. |
| 656 | * - For stream/CBC, the type of message digest to be used. |
| 657 | * - For stream/CBC, (static) encryption/decryption keys for the digest. |
Hanno Becker | 0db7e0c | 2018-10-18 15:39:53 +0100 | [diff] [blame] | 658 | * - For AEAD transformations, the size (potentially 0) of an explicit, |
| 659 | * random initialization vector placed in encrypted records. |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 660 | * - For some transformations (currently AEAD and CBC in TLS 1.0) |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 661 | * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC) |
| 662 | * and (if present) is combined with the explicit IV in a transformation- |
| 663 | * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). |
| 664 | * - For stream/CBC, a flag determining the order of encryption and MAC. |
| 665 | * - The details of the transformation depend on the SSL/TLS version. |
| 666 | * - The length of the authentication tag. |
| 667 | * |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 668 | * Note: Except for CBC in TLS 1.0, these parameters are |
Hanno Becker | 0db7e0c | 2018-10-18 15:39:53 +0100 | [diff] [blame] | 669 | * constant across multiple encryption/decryption operations. |
| 670 | * For CBC, the implicit IV needs to be updated after each |
| 671 | * operation. |
| 672 | * |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 673 | * The struct below refines this abstract view as follows: |
| 674 | * - The cipher underlying the transformation is managed in |
| 675 | * cipher contexts cipher_ctx_{enc/dec}, which must have the |
| 676 | * same cipher type. The mode of these cipher contexts determines |
| 677 | * the type of the transformation in the sense above: e.g., if |
| 678 | * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM |
| 679 | * then the transformation has type CBC resp. AEAD. |
| 680 | * - The cipher keys are never stored explicitly but |
| 681 | * are maintained within cipher_ctx_{enc/dec}. |
| 682 | * - For stream/CBC transformations, the message digest contexts |
| 683 | * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts |
| 684 | * are unused for AEAD transformations. |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 685 | * - For stream/CBC transformations and versions >= TLS 1.0, the |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 686 | * MAC keys are not stored explicitly but maintained within |
| 687 | * md_ctx_{enc/dec}. |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 688 | * - The mac_enc and mac_dec fields are unused for EAD transformations or |
| 689 | * transformations >= TLS 1.0. |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 690 | * - For transformations using an implicit IV maintained within |
| 691 | * the transformation context, its contents are stored within |
| 692 | * iv_{enc/dec}. |
| 693 | * - The value of ivlen indicates the length of the IV. |
| 694 | * This is redundant in case of stream/CBC transformations |
| 695 | * which always use 0 resp. the cipher's block length as the |
| 696 | * IV length, but is needed for AEAD ciphers and may be |
| 697 | * different from the underlying cipher's block length |
| 698 | * in this case. |
| 699 | * - The field fixed_ivlen is nonzero for AEAD transformations only |
| 700 | * and indicates the length of the static part of the IV which is |
| 701 | * constant throughout the communication, and which is stored in |
| 702 | * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 703 | * Note: For CBC in TLS 1.0, the fields iv_{enc/dec} |
Hanno Becker | d362dc5 | 2018-01-03 15:23:11 +0000 | [diff] [blame] | 704 | * still store IV's for continued use across multiple transformations, |
| 705 | * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are |
| 706 | * not being used! |
| 707 | * - minor_ver denotes the SSL/TLS version |
| 708 | * - For stream/CBC transformations, maclen denotes the length of the |
| 709 | * authentication tag, while taglen is unused and 0. |
| 710 | * - For AEAD transformations, taglen denotes the length of the |
| 711 | * authentication tag, while maclen is unused and 0. |
| 712 | * - For CBC transformations, encrypt_then_mac determines the |
| 713 | * order of encryption and authentication. This field is unused |
| 714 | * in other transformations. |
| 715 | * |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 716 | */ |
| 717 | struct mbedtls_ssl_transform |
| 718 | { |
| 719 | /* |
| 720 | * Session specific crypto layer |
| 721 | */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 722 | size_t minlen; /*!< min. ciphertext length */ |
| 723 | size_t ivlen; /*!< IV length */ |
| 724 | size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ |
Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 725 | size_t maclen; /*!< MAC(CBC) len */ |
| 726 | size_t taglen; /*!< TAG(AEAD) len */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 727 | |
| 728 | unsigned char iv_enc[16]; /*!< IV (encryption) */ |
| 729 | unsigned char iv_dec[16]; /*!< IV (decryption) */ |
| 730 | |
Hanno Becker | d56ed24 | 2018-01-03 15:32:51 +0000 | [diff] [blame] | 731 | #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) |
| 732 | |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 733 | mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ |
| 734 | mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ |
| 735 | |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 736 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| 737 | int encrypt_then_mac; /*!< flag for EtM activation */ |
| 738 | #endif |
| 739 | |
Hanno Becker | d56ed24 | 2018-01-03 15:32:51 +0000 | [diff] [blame] | 740 | #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ |
| 741 | |
| 742 | mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ |
| 743 | mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ |
Hanno Becker | 9eddaeb | 2017-12-27 21:37:21 +0000 | [diff] [blame] | 744 | int minor_ver; |
| 745 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 746 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | 1327fa7 | 2019-04-25 15:54:02 +0100 | [diff] [blame] | 747 | uint8_t in_cid_len; |
| 748 | uint8_t out_cid_len; |
| 749 | unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; |
| 750 | unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 751 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 1327fa7 | 2019-04-25 15:54:02 +0100 | [diff] [blame] | 752 | |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 753 | /* |
| 754 | * Session specific compression layer |
| 755 | */ |
| 756 | #if defined(MBEDTLS_ZLIB_SUPPORT) |
| 757 | z_stream ctx_deflate; /*!< compression context */ |
| 758 | z_stream ctx_inflate; /*!< decompression context */ |
| 759 | #endif |
Manuel Pégourié-Gonnard | 96fb0ee | 2019-07-09 12:54:17 +0200 | [diff] [blame] | 760 | |
| 761 | #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) |
| 762 | /* We need the Hello random bytes in order to re-derive keys from the |
| 763 | * Master Secret and other session info, see ssl_populate_transform() */ |
| 764 | unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */ |
| 765 | #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 766 | }; |
| 767 | |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 768 | /* |
Manuel Pégourié-Gonnard | 1aaf669 | 2019-07-10 14:14:05 +0200 | [diff] [blame] | 769 | * Return 1 if the transform uses an AEAD cipher, 0 otherwise. |
| 770 | * Equivalently, return 0 if a separate MAC is used, 1 otherwise. |
| 771 | */ |
| 772 | static inline int mbedtls_ssl_transform_uses_aead( |
| 773 | const mbedtls_ssl_transform *transform ) |
| 774 | { |
| 775 | #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) |
| 776 | return( transform->maclen == 0 && transform->taglen != 0 ); |
| 777 | #else |
| 778 | (void) transform; |
| 779 | return( 1 ); |
| 780 | #endif |
| 781 | } |
| 782 | |
| 783 | /* |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 784 | * Internal representation of record frames |
| 785 | * |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 786 | * Instances come in two flavors: |
| 787 | * (1) Encrypted |
| 788 | * These always have data_offset = 0 |
| 789 | * (2) Unencrypted |
Hanno Becker | cd430bc | 2019-04-04 16:29:48 +0100 | [diff] [blame] | 790 | * These have data_offset set to the amount of |
| 791 | * pre-expansion during record protection. Concretely, |
| 792 | * this is the length of the fixed part of the explicit IV |
| 793 | * used for encryption, or 0 if no explicit IV is used |
| 794 | * (e.g. for CBC in TLS 1.0, or stream ciphers). |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 795 | * |
| 796 | * The reason for the data_offset in the unencrypted case |
| 797 | * is to allow for in-place conversion of an unencrypted to |
| 798 | * an encrypted record. If the offset wasn't included, the |
| 799 | * encrypted content would need to be shifted afterwards to |
| 800 | * make space for the fixed IV. |
| 801 | * |
| 802 | */ |
Hanno Becker | f2ed448 | 2019-04-29 13:45:54 +0100 | [diff] [blame] | 803 | #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX |
Hanno Becker | 75f080f | 2019-04-30 15:01:51 +0100 | [diff] [blame] | 804 | #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX |
Hanno Becker | f2ed448 | 2019-04-29 13:45:54 +0100 | [diff] [blame] | 805 | #else |
Hanno Becker | 75f080f | 2019-04-30 15:01:51 +0100 | [diff] [blame] | 806 | #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX |
Hanno Becker | f2ed448 | 2019-04-29 13:45:54 +0100 | [diff] [blame] | 807 | #endif |
| 808 | |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 809 | typedef struct |
| 810 | { |
Hanno Becker | d840cea | 2019-07-11 09:24:36 +0100 | [diff] [blame] | 811 | uint8_t ctr[8]; /* In TLS: The implicit record sequence number. |
| 812 | * In DTLS: The 2-byte epoch followed by |
| 813 | * the 6-byte sequence number. |
| 814 | * This is stored as a raw big endian byte array |
| 815 | * as opposed to a uint64_t because we rarely |
| 816 | * need to perform arithmetic on this, but do |
| 817 | * need it as a Byte array for the purpose of |
| 818 | * MAC computations. */ |
| 819 | uint8_t type; /* The record content type. */ |
| 820 | uint8_t ver[2]; /* SSL/TLS version as present on the wire. |
| 821 | * Convert to internal presentation of versions |
| 822 | * using mbedtls_ssl_read_version() and |
| 823 | * mbedtls_ssl_write_version(). |
| 824 | * Keep wire-format for MAC computations. */ |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 825 | |
Hanno Becker | d840cea | 2019-07-11 09:24:36 +0100 | [diff] [blame] | 826 | unsigned char *buf; /* Memory buffer enclosing the record content */ |
| 827 | size_t buf_len; /* Buffer length */ |
| 828 | size_t data_offset; /* Offset of record content */ |
| 829 | size_t data_len; /* Length of record content */ |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 830 | |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 831 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
Hanno Becker | d840cea | 2019-07-11 09:24:36 +0100 | [diff] [blame] | 832 | uint8_t cid_len; /* Length of the CID (0 if not present) */ |
| 833 | unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */ |
Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 834 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
Hanno Becker | 12a3a86 | 2018-01-05 15:42:50 +0000 | [diff] [blame] | 835 | } mbedtls_record; |
| 836 | |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 837 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| 838 | /* |
| 839 | * List of certificate + private key pairs |
| 840 | */ |
| 841 | struct mbedtls_ssl_key_cert |
| 842 | { |
| 843 | mbedtls_x509_crt *cert; /*!< cert */ |
| 844 | mbedtls_pk_context *key; /*!< private key */ |
| 845 | mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ |
| 846 | }; |
| 847 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| 848 | |
| 849 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 850 | /* |
| 851 | * List of handshake messages kept around for resending |
| 852 | */ |
| 853 | struct mbedtls_ssl_flight_item |
| 854 | { |
| 855 | unsigned char *p; /*!< message, including handshake headers */ |
| 856 | size_t len; /*!< length of p */ |
| 857 | unsigned char type; /*!< type of the message: handshake or CCS */ |
| 858 | mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ |
| 859 | }; |
| 860 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 861 | |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 862 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 863 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 864 | |
| 865 | /* Find an entry in a signature-hash set matching a given hash algorithm. */ |
| 866 | mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set, |
| 867 | mbedtls_pk_type_t sig_alg ); |
| 868 | /* Add a signature-hash-pair to a signature-hash set */ |
| 869 | void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set, |
| 870 | mbedtls_pk_type_t sig_alg, |
| 871 | mbedtls_md_type_t md_alg ); |
| 872 | /* Allow exactly one hash algorithm for each signature. */ |
| 873 | void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set, |
| 874 | mbedtls_md_type_t md_alg ); |
| 875 | |
| 876 | /* Setup an empty signature-hash set */ |
| 877 | static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set ) |
| 878 | { |
| 879 | mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE ); |
| 880 | } |
| 881 | |
| 882 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2) && |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 883 | MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 884 | |
| 885 | /** |
| 886 | * \brief Free referenced items in an SSL transform context and clear |
| 887 | * memory |
| 888 | * |
| 889 | * \param transform SSL transform context |
| 890 | */ |
| 891 | void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ); |
| 892 | |
| 893 | /** |
| 894 | * \brief Free referenced items in an SSL handshake context and clear |
| 895 | * memory |
| 896 | * |
Gilles Peskine | 9b562d5 | 2018-04-25 20:32:43 +0200 | [diff] [blame] | 897 | * \param ssl SSL context |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 898 | */ |
Gilles Peskine | 9b562d5 | 2018-04-25 20:32:43 +0200 | [diff] [blame] | 899 | void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ); |
Manuel Pégourié-Gonnard | cd4fcc6 | 2015-05-26 12:11:48 +0200 | [diff] [blame] | 900 | |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 901 | int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ); |
| 902 | int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ); |
| 903 | void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ); |
| 904 | |
| 905 | int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ); |
| 906 | |
| 907 | void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ); |
| 908 | int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ); |
| 909 | |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 910 | int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ); |
| 911 | int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ); |
| 912 | void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ); |
| 913 | |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 914 | /** |
| 915 | * \brief Update record layer |
| 916 | * |
| 917 | * This function roughly separates the implementation |
| 918 | * of the logic of (D)TLS from the implementation |
| 919 | * of the secure transport. |
| 920 | * |
Hanno Becker | 3a0aad1 | 2018-08-20 09:44:02 +0100 | [diff] [blame] | 921 | * \param ssl The SSL context to use. |
| 922 | * \param update_hs_digest This indicates if the handshake digest |
| 923 | * should be automatically updated in case |
| 924 | * a handshake message is found. |
Hanno Becker | 4a810fb | 2017-05-24 16:27:30 +0100 | [diff] [blame] | 925 | * |
| 926 | * \return 0 or non-zero error code. |
| 927 | * |
| 928 | * \note A clarification on what is called 'record layer' here |
| 929 | * is in order, as many sensible definitions are possible: |
| 930 | * |
| 931 | * The record layer takes as input an untrusted underlying |
| 932 | * transport (stream or datagram) and transforms it into |
| 933 | * a serially multiplexed, secure transport, which |
| 934 | * conceptually provides the following: |
| 935 | * |
| 936 | * (1) Three datagram based, content-agnostic transports |
| 937 | * for handshake, alert and CCS messages. |
| 938 | * (2) One stream- or datagram-based transport |
| 939 | * for application data. |
| 940 | * (3) Functionality for changing the underlying transform |
| 941 | * securing the contents. |
| 942 | * |
| 943 | * The interface to this functionality is given as follows: |
| 944 | * |
| 945 | * a Updating |
| 946 | * [Currently implemented by mbedtls_ssl_read_record] |
| 947 | * |
| 948 | * Check if and on which of the four 'ports' data is pending: |
| 949 | * Nothing, a controlling datagram of type (1), or application |
| 950 | * data (2). In any case data is present, internal buffers |
| 951 | * provide access to the data for the user to process it. |
| 952 | * Consumption of type (1) datagrams is done automatically |
| 953 | * on the next update, invalidating that the internal buffers |
| 954 | * for previous datagrams, while consumption of application |
| 955 | * data (2) is user-controlled. |
| 956 | * |
| 957 | * b Reading of application data |
| 958 | * [Currently manual adaption of ssl->in_offt pointer] |
| 959 | * |
| 960 | * As mentioned in the last paragraph, consumption of data |
| 961 | * is different from the automatic consumption of control |
| 962 | * datagrams (1) because application data is treated as a stream. |
| 963 | * |
| 964 | * c Tracking availability of application data |
| 965 | * [Currently manually through decreasing ssl->in_msglen] |
| 966 | * |
| 967 | * For efficiency and to retain datagram semantics for |
| 968 | * application data in case of DTLS, the record layer |
| 969 | * provides functionality for checking how much application |
| 970 | * data is still available in the internal buffer. |
| 971 | * |
| 972 | * d Changing the transformation securing the communication. |
| 973 | * |
| 974 | * Given an opaque implementation of the record layer in the |
| 975 | * above sense, it should be possible to implement the logic |
| 976 | * of (D)TLS on top of it without the need to know anything |
| 977 | * about the record layer's internals. This is done e.g. |
| 978 | * in all the handshake handling functions, and in the |
| 979 | * application data reading function mbedtls_ssl_read. |
| 980 | * |
| 981 | * \note The above tries to give a conceptual picture of the |
| 982 | * record layer, but the current implementation deviates |
| 983 | * from it in some places. For example, our implementation of |
| 984 | * the update functionality through mbedtls_ssl_read_record |
| 985 | * discards datagrams depending on the current state, which |
| 986 | * wouldn't fall under the record layer's responsibility |
| 987 | * following the above definition. |
| 988 | * |
| 989 | */ |
Hanno Becker | 3a0aad1 | 2018-08-20 09:44:02 +0100 | [diff] [blame] | 990 | int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, |
| 991 | unsigned update_hs_digest ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 992 | int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ); |
| 993 | |
Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 994 | int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ); |
Hanno Becker | 67bc7c3 | 2018-08-06 11:33:50 +0100 | [diff] [blame] | 995 | int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 996 | int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ); |
| 997 | |
| 998 | int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ); |
| 999 | int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ); |
| 1000 | |
| 1001 | int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ); |
| 1002 | int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ); |
| 1003 | |
| 1004 | int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ); |
| 1005 | int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ); |
| 1006 | |
| 1007 | void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, |
| 1008 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info ); |
| 1009 | |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1010 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1011 | int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ); |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1012 | |
Guilhem Bryant | 8a69ddd | 2020-03-27 11:13:39 +0000 | [diff] [blame] | 1013 | /** |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1014 | * Get the first defined PSK by order of precedence: |
| 1015 | * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback |
| 1016 | * 2. static PSK configured by \c mbedtls_ssl_conf_psk() |
| 1017 | * Return a code and update the pair (PSK, PSK length) passed to this function |
| 1018 | */ |
| 1019 | static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl, |
| 1020 | const unsigned char **psk, size_t *psk_len ) |
| 1021 | { |
| 1022 | if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 ) |
| 1023 | { |
| 1024 | *psk = ssl->handshake->psk; |
| 1025 | *psk_len = ssl->handshake->psk_len; |
| 1026 | } |
| 1027 | |
| 1028 | else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 ) |
| 1029 | { |
| 1030 | *psk = ssl->conf->psk; |
| 1031 | *psk_len = ssl->conf->psk_len; |
| 1032 | } |
| 1033 | |
| 1034 | else |
| 1035 | { |
Guilhem Bryant | b5f04e4 | 2020-04-01 11:23:58 +0100 | [diff] [blame] | 1036 | *psk = NULL; |
| 1037 | *psk_len = 0; |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1038 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| 1039 | } |
| 1040 | |
| 1041 | return( 0 ); |
| 1042 | } |
| 1043 | |
| 1044 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Guilhem Bryant | 8a69ddd | 2020-03-27 11:13:39 +0000 | [diff] [blame] | 1045 | /** |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1046 | * Get the first defined opaque PSK by order of precedence: |
| 1047 | * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK |
| 1048 | * callback |
| 1049 | * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() |
| 1050 | * Return an opaque PSK |
| 1051 | */ |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 1052 | static inline psa_key_id_t mbedtls_ssl_get_opaque_psk( |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1053 | const mbedtls_ssl_context *ssl ) |
| 1054 | { |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 1055 | if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1056 | return( ssl->handshake->psk_opaque ); |
| 1057 | |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 1058 | if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) ) |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1059 | return( ssl->conf->psk_opaque ); |
| 1060 | |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 1061 | return( MBEDTLS_SVC_KEY_ID_INIT ); |
Guilhem Bryant | d511ac3 | 2020-03-25 17:06:37 +0000 | [diff] [blame] | 1062 | } |
| 1063 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1064 | |
| 1065 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1066 | |
| 1067 | #if defined(MBEDTLS_PK_C) |
| 1068 | unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ); |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1069 | unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1070 | mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ); |
| 1071 | #endif |
| 1072 | |
| 1073 | mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ); |
Manuel Pégourié-Gonnard | 7bfc122 | 2015-06-17 14:34:48 +0200 | [diff] [blame] | 1074 | unsigned char mbedtls_ssl_hash_from_md_alg( int md ); |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 1075 | int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1076 | |
Manuel Pégourié-Gonnard | b541da6 | 2015-06-17 11:43:30 +0200 | [diff] [blame] | 1077 | #if defined(MBEDTLS_ECP_C) |
Manuel Pégourié-Gonnard | 9d412d8 | 2015-06-17 12:10:46 +0200 | [diff] [blame] | 1078 | int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1079 | #endif |
| 1080 | |
Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1081 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
Manuel Pégourié-Gonnard | 7bfc122 | 2015-06-17 14:34:48 +0200 | [diff] [blame] | 1082 | int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, |
| 1083 | mbedtls_md_type_t md ); |
| 1084 | #endif |
| 1085 | |
Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1086 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1087 | static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value |
| 1088 | ( const uint16_t srtp_profile_value ) |
Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1089 | { |
Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1090 | switch( srtp_profile_value ) |
Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1091 | { |
Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 1092 | case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: |
Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 1093 | case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: |
Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 1094 | case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: |
Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 1095 | case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: |
Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1096 | return srtp_profile_value; |
Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1097 | default: break; |
| 1098 | } |
Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1099 | return( MBEDTLS_TLS_SRTP_UNSET ); |
Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1100 | } |
| 1101 | #endif |
| 1102 | |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1103 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| 1104 | static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl ) |
| 1105 | { |
| 1106 | mbedtls_ssl_key_cert *key_cert; |
| 1107 | |
| 1108 | if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL ) |
| 1109 | key_cert = ssl->handshake->key_cert; |
| 1110 | else |
| 1111 | key_cert = ssl->conf->key_cert; |
| 1112 | |
| 1113 | return( key_cert == NULL ? NULL : key_cert->key ); |
| 1114 | } |
| 1115 | |
| 1116 | static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl ) |
| 1117 | { |
| 1118 | mbedtls_ssl_key_cert *key_cert; |
| 1119 | |
| 1120 | if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL ) |
| 1121 | key_cert = ssl->handshake->key_cert; |
| 1122 | else |
| 1123 | key_cert = ssl->conf->key_cert; |
| 1124 | |
| 1125 | return( key_cert == NULL ? NULL : key_cert->cert ); |
| 1126 | } |
| 1127 | |
| 1128 | /* |
| 1129 | * Check usage of a certificate wrt extensions: |
| 1130 | * keyUsage, extendedKeyUsage (later), and nSCertType (later). |
| 1131 | * |
| 1132 | * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we |
| 1133 | * check a cert we received from them)! |
| 1134 | * |
| 1135 | * Return 0 if everything is OK, -1 if not. |
| 1136 | */ |
| 1137 | int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, |
| 1138 | const mbedtls_ssl_ciphersuite_t *ciphersuite, |
| 1139 | int cert_endpoint, |
| 1140 | uint32_t *flags ); |
| 1141 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| 1142 | |
| 1143 | void mbedtls_ssl_write_version( int major, int minor, int transport, |
| 1144 | unsigned char ver[2] ); |
| 1145 | void mbedtls_ssl_read_version( int *major, int *minor, int transport, |
| 1146 | const unsigned char ver[2] ); |
| 1147 | |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 1148 | static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl ) |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1149 | { |
Hanno Becker | 47be768 | 2019-07-12 09:55:46 +0100 | [diff] [blame] | 1150 | #if !defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1151 | ((void) ssl); |
| 1152 | #endif |
| 1153 | |
| 1154 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1155 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 1156 | { |
| 1157 | return( 13 ); |
| 1158 | } |
| 1159 | else |
| 1160 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 1161 | { |
| 1162 | return( 5 ); |
| 1163 | } |
Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 1164 | } |
| 1165 | |
| 1166 | static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl ) |
| 1167 | { |
Hanno Becker | 3b154c1 | 2019-05-03 15:05:27 +0100 | [diff] [blame] | 1168 | return( (size_t) ( ssl->out_iv - ssl->out_hdr ) ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1169 | } |
| 1170 | |
| 1171 | static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl ) |
| 1172 | { |
| 1173 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1174 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 1175 | return( 12 ); |
| 1176 | #else |
| 1177 | ((void) ssl); |
| 1178 | #endif |
| 1179 | return( 4 ); |
| 1180 | } |
| 1181 | |
| 1182 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1183 | void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ); |
| 1184 | void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ); |
| 1185 | int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ); |
Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 1186 | int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1187 | #endif |
| 1188 | |
| 1189 | /* Visible for testing purposes only */ |
| 1190 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
Hanno Becker | 0183d69 | 2019-07-12 08:50:37 +0100 | [diff] [blame] | 1191 | int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl ); |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1192 | void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ); |
| 1193 | #endif |
| 1194 | |
Hanno Becker | 52055ae | 2019-02-06 14:30:46 +0000 | [diff] [blame] | 1195 | int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, |
| 1196 | const mbedtls_ssl_session *src ); |
| 1197 | |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1198 | /* constant-time buffer comparison */ |
| 1199 | static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n ) |
| 1200 | { |
| 1201 | size_t i; |
Hanno Becker | 59e6963 | 2017-06-26 13:26:58 +0100 | [diff] [blame] | 1202 | volatile const unsigned char *A = (volatile const unsigned char *) a; |
| 1203 | volatile const unsigned char *B = (volatile const unsigned char *) b; |
| 1204 | volatile unsigned char diff = 0; |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1205 | |
| 1206 | for( i = 0; i < n; i++ ) |
Azim Khan | 45b79cf | 2018-05-23 16:55:16 +0100 | [diff] [blame] | 1207 | { |
| 1208 | /* Read volatile data in order before computing diff. |
| 1209 | * This avoids IAR compiler warning: |
| 1210 | * 'the order of volatile accesses is undefined ..' */ |
| 1211 | unsigned char x = A[i], y = B[i]; |
| 1212 | diff |= x ^ y; |
| 1213 | } |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1214 | |
| 1215 | return( diff ); |
| 1216 | } |
| 1217 | |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 1218 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) |
Andres Amaya Garcia | 46f5a3e | 2017-07-20 16:17:51 +0100 | [diff] [blame] | 1219 | int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, |
| 1220 | unsigned char *output, |
| 1221 | unsigned char *data, size_t data_len ); |
Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame^] | 1222 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ |
Andres Amaya Garcia | 46f5a3e | 2017-07-20 16:17:51 +0100 | [diff] [blame] | 1223 | |
| 1224 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
| 1225 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
Andrzej Kurek | 814feff | 2019-01-14 04:35:19 -0500 | [diff] [blame] | 1226 | /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ |
Andres Amaya Garcia | 46f5a3e | 2017-07-20 16:17:51 +0100 | [diff] [blame] | 1227 | int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, |
Gilles Peskine | ca1d742 | 2018-04-24 11:53:22 +0200 | [diff] [blame] | 1228 | unsigned char *hash, size_t *hashlen, |
| 1229 | unsigned char *data, size_t data_len, |
| 1230 | mbedtls_md_type_t md_alg ); |
Andres Amaya Garcia | 46f5a3e | 2017-07-20 16:17:51 +0100 | [diff] [blame] | 1231 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ |
| 1232 | MBEDTLS_SSL_PROTO_TLS1_2 */ |
| 1233 | |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1234 | #ifdef __cplusplus |
| 1235 | } |
| 1236 | #endif |
| 1237 | |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 1238 | void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform ); |
| 1239 | int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, |
| 1240 | mbedtls_ssl_transform *transform, |
| 1241 | mbedtls_record *rec, |
| 1242 | int (*f_rng)(void *, unsigned char *, size_t), |
| 1243 | void *p_rng ); |
Hanno Becker | 605949f | 2019-07-12 08:23:59 +0100 | [diff] [blame] | 1244 | int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, |
Hanno Becker | a18d132 | 2018-01-03 14:27:32 +0000 | [diff] [blame] | 1245 | mbedtls_ssl_transform *transform, |
| 1246 | mbedtls_record *rec ); |
| 1247 | |
Hanno Becker | dd77229 | 2020-02-05 10:38:31 +0000 | [diff] [blame] | 1248 | /* Length of the "epoch" field in the record header */ |
| 1249 | static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl ) |
| 1250 | { |
| 1251 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1252 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 1253 | return( 2 ); |
| 1254 | #else |
| 1255 | ((void) ssl); |
| 1256 | #endif |
| 1257 | return( 0 ); |
| 1258 | } |
| 1259 | |
Hanno Becker | 08f0913 | 2020-02-11 15:40:07 +0000 | [diff] [blame] | 1260 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 786300f | 2020-02-05 10:46:40 +0000 | [diff] [blame] | 1261 | int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl ); |
Hanno Becker | 08f0913 | 2020-02-11 15:40:07 +0000 | [diff] [blame] | 1262 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
Hanno Becker | 0f57a65 | 2020-02-05 10:37:26 +0000 | [diff] [blame] | 1263 | |
| 1264 | void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ); |
Hanno Becker | 7876d12 | 2020-02-05 10:39:31 +0000 | [diff] [blame] | 1265 | int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ); |
| 1266 | |
Hanno Becker | 3e6f8ab | 2020-02-05 10:40:57 +0000 | [diff] [blame] | 1267 | void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ); |
| 1268 | void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl, |
| 1269 | mbedtls_ssl_transform *transform ); |
| 1270 | void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ); |
| 1271 | |
Hanno Becker | 43aefe2 | 2020-02-05 10:44:56 +0000 | [diff] [blame] | 1272 | int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); |
| 1273 | |
Hanno Becker | 7e8e6a6 | 2020-02-05 10:45:48 +0000 | [diff] [blame] | 1274 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| 1275 | void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); |
| 1276 | #endif |
| 1277 | |
Hanno Becker | ce5f5fd | 2020-02-05 10:47:44 +0000 | [diff] [blame] | 1278 | void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); |
| 1279 | |
Hanno Becker | 08f0913 | 2020-02-11 15:40:07 +0000 | [diff] [blame] | 1280 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
Hanno Becker | 40cdaa1 | 2020-02-05 10:48:27 +0000 | [diff] [blame] | 1281 | int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl ); |
Hanno Becker | 08f0913 | 2020-02-11 15:40:07 +0000 | [diff] [blame] | 1282 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
Hanno Becker | 8949071 | 2020-02-05 10:50:12 +0000 | [diff] [blame] | 1283 | |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 1284 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
Hanno Becker | 08f0913 | 2020-02-11 15:40:07 +0000 | [diff] [blame] | 1285 | size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl ); |
Hanno Becker | 533ab5f | 2020-02-05 10:49:13 +0000 | [diff] [blame] | 1286 | void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ); |
| 1287 | void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ); |
| 1288 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 1289 | |
Manuel Pégourié-Gonnard | 5e94dde | 2015-05-26 11:57:05 +0200 | [diff] [blame] | 1290 | #endif /* ssl_internal.h */ |