blob: 2858353b6c25a8a62af173da03bba767da60d4d8 [file] [log] [blame]
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001/**
Chris Jones84a773f2021-03-05 18:38:47 +00002 * \file ssl_misc.h
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02003 *
4 * \brief Internal functions shared by the SSL modules
Darryl Greena40a1012018-01-05 15:33:17 +00005 */
6/*
Bence Szépkúti1e148272020-08-07 13:07:28 +02007 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02008 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020021 */
Chris Jones84a773f2021-03-05 18:38:47 +000022#ifndef MBEDTLS_SSL_MISC_H
23#define MBEDTLS_SSL_MISC_H
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020024
Bence Szépkútic662b362021-05-27 11:25:03 +020025#include "mbedtls/build_info.h"
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050026
Jaeden Amero6609aef2019-07-04 20:01:14 +010027#include "mbedtls/ssl.h"
28#include "mbedtls/cipher.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020029
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +010030#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Andrzej Kurekeb342242019-01-29 09:14:33 -050031#include "psa/crypto.h"
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +010032#include "mbedtls/psa_util.h"
Andrzej Kurekeb342242019-01-29 09:14:33 -050033#endif
34
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020035#if defined(MBEDTLS_MD5_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010036#include "mbedtls/md5.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020037#endif
38
39#if defined(MBEDTLS_SHA1_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010040#include "mbedtls/sha1.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020041#endif
42
43#if defined(MBEDTLS_SHA256_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010044#include "mbedtls/sha256.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020045#endif
46
47#if defined(MBEDTLS_SHA512_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010048#include "mbedtls/sha512.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020049#endif
50
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +020051#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jaeden Amero6609aef2019-07-04 20:01:14 +010052#include "mbedtls/ecjpake.h"
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +020053#endif
54
Jerry Yu1bab3012022-01-19 17:43:22 +080055#include "common.h"
56
Manuel Pégourié-Gonnard0223ab92015-10-05 11:40:01 +010057#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
58 !defined(inline) && !defined(__cplusplus)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020059#define inline __inline
Manuel Pégourié-Gonnard20af64d2015-07-07 18:33:39 +020060#endif
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020061
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +020062/* Shorthand for restartable ECC */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +020063#if defined(MBEDTLS_ECP_RESTARTABLE) && \
64 defined(MBEDTLS_SSL_CLI_C) && \
65 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
66 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskineeccd8882020-03-10 12:19:08 +010067#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +020068#endif
69
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020070#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
71#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
72#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
73#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
74
75/*
Jerry Yu8e7ca042021-08-26 15:31:37 +080076 * Mask of TLS 1.3 handshake extensions used in extensions_present
77 * of mbedtls_ssl_handshake_params.
78 */
79#define MBEDTLS_SSL_EXT_NONE 0
80
81#define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 )
82#define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 )
83#define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 )
84#define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 )
85#define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 )
86#define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 )
87#define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 )
88#define MBEDTLS_SSL_EXT_ALPN ( 1 << 7 )
89#define MBEDTLS_SSL_EXT_SCT ( 1 << 8 )
Jerry Yu995ecd32021-08-30 17:53:49 +080090#define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 )
91#define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 )
Jerry Yu8e7ca042021-08-26 15:31:37 +080092#define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 )
93#define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 )
94#define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 )
95#define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 )
96#define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 )
97#define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 )
98#define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 )
99#define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 )
100#define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 )
101#define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 )
102#define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 )
Jerry Yu93bcd612021-08-18 12:47:24 +0800103
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800104/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800105 * Helper macros for function call with return check.
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800106 */
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800107/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800108 * Exit when return non-zero value
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800109 */
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800110#define MBEDTLS_SSL_PROC_CHK( f ) \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800111 do { \
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800112 ret = ( f ); \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800113 if( ret != 0 ) \
114 { \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800115 goto cleanup; \
116 } \
117 } while( 0 )
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800118/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800119 * Exit when return negative value
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800120 */
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800121#define MBEDTLS_SSL_PROC_CHK_NEG( f ) \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800122 do { \
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800123 ret = ( f ); \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800124 if( ret < 0 ) \
125 { \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800126 goto cleanup; \
127 } \
128 } while( 0 )
129
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200130/*
131 * DTLS retransmission states, see RFC 6347 4.2.4
132 *
133 * The SENDING state is merged in PREPARING for initial sends,
134 * but is distinct for resends.
135 *
136 * Note: initial state is wrong for server, but is not used anyway.
137 */
138#define MBEDTLS_SSL_RETRANS_PREPARING 0
139#define MBEDTLS_SSL_RETRANS_SENDING 1
140#define MBEDTLS_SSL_RETRANS_WAITING 2
141#define MBEDTLS_SSL_RETRANS_FINISHED 3
142
143/*
144 * Allow extra bytes for record, authentication and encryption overhead:
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100145 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200146 */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200147
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200148#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker0cc46612020-11-30 08:56:52 +0000149
Manuel Pégourié-Gonnard05579c42020-07-31 12:53:39 +0200150/* This macro determines whether CBC is supported. */
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200151#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
152 ( defined(MBEDTLS_AES_C) || \
153 defined(MBEDTLS_CAMELLIA_C) || \
154 defined(MBEDTLS_ARIA_C) || \
155 defined(MBEDTLS_DES_C) )
156#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
157#endif
158
Hanno Becker0cc46612020-11-30 08:56:52 +0000159/* This macro determines whether a ciphersuite using a
160 * stream cipher can be used. */
161#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
162#define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
163#endif
164
TRodziewicz0f82ec62021-05-12 17:49:18 +0200165/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
Manuel Pégourié-Gonnarded0e8642020-07-21 11:20:30 +0200166#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
TRodziewicz0f82ec62021-05-12 17:49:18 +0200167 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnarded0e8642020-07-21 11:20:30 +0200168#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
169#endif
170
Hanno Becker31351ce2021-03-22 11:05:58 +0000171#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200172 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000173#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
Hanno Becker52344c22018-01-03 15:24:20 +0000174#endif
175
Neil Armstrongf2c82f02022-04-05 11:16:53 +0200176/* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
177#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
178 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
179#define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
180#endif
181
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200182#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker0cc46612020-11-30 08:56:52 +0000183
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000184#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200185/* Ciphersuites using HMAC */
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200186#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200187#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
188#elif defined(MBEDTLS_SHA256_C)
189#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
190#else
191#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
192#endif
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000193#else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200194/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
195#define MBEDTLS_SSL_MAC_ADD 16
196#endif
197
198#if defined(MBEDTLS_CIPHER_MODE_CBC)
199#define MBEDTLS_SSL_PADDING_ADD 256
200#else
201#define MBEDTLS_SSL_PADDING_ADD 0
202#endif
203
Hanno Beckera0e20d02019-05-15 14:03:01 +0100204#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
TRodziewicze8dd7092021-05-12 14:19:11 +0200205#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
Hanno Becker6cbad552019-05-08 15:40:11 +0100206#else
207#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
208#endif
209
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100210#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH + \
Angus Grattond8213d02016-05-25 20:56:48 +1000211 MBEDTLS_SSL_MAC_ADD + \
Hanno Becker6cbad552019-05-08 15:40:11 +0100212 MBEDTLS_SSL_PADDING_ADD + \
213 MBEDTLS_SSL_MAX_CID_EXPANSION \
Angus Grattond8213d02016-05-25 20:56:48 +1000214 )
215
216#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
217 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
218
219#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
220 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
221
Hanno Becker0271f962018-08-16 13:23:47 +0100222/* The maximum number of buffered handshake messages. */
Hanno Beckerd488b9e2018-08-16 16:35:37 +0100223#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
Hanno Becker0271f962018-08-16 13:23:47 +0100224
Angus Grattond8213d02016-05-25 20:56:48 +1000225/* Maximum length we can advertise as our max content length for
226 RFC 6066 max_fragment_length extension negotiation purposes
227 (the lesser of both sizes, if they are unequal.)
228 */
229#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
230 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
231 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
232 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
233 )
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200234
Jerry Yu4131ec12022-01-19 10:36:30 +0800235/* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
236#define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
237
Jerry Yu8afd6e42022-01-20 15:54:26 +0800238/* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
Jerry Yu4131ec12022-01-19 10:36:30 +0800239#define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
Hanno Beckere131bfe2017-04-12 14:54:42 +0100240
241/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
242#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
243
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000244#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000245
Gabor Mezei15b95a62022-05-09 16:37:58 +0200246#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
247
Gabor Mezei24c7c2b2022-05-10 12:51:14 +0200248#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
249
Gabor Mezei15b95a62022-05-09 16:37:58 +0200250#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gabor Mezei3631cf62022-05-10 12:59:00 +0200251#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
252#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
253#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
Gabor Mezei15b95a62022-05-09 16:37:58 +0200254#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
255
Gabor Mezei15b95a62022-05-09 16:37:58 +0200256#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
257
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200258/*
Hanno Beckera8434e82017-09-18 10:54:39 +0100259 * Check that we obey the standard's message size bounds
260 */
261
David Horstmann95d516f2021-05-04 18:36:56 +0100262#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
263#error "Bad configuration - incoming record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100264#endif
265
David Horstmann95d516f2021-05-04 18:36:56 +0100266#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
267#error "Bad configuration - outgoing record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100268#endif
269
David Horstmann95d516f2021-05-04 18:36:56 +0100270#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
Angus Grattond8213d02016-05-25 20:56:48 +1000271#error "Bad configuration - incoming protected record payload too large."
272#endif
273
David Horstmann95d516f2021-05-04 18:36:56 +0100274#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
Angus Grattond8213d02016-05-25 20:56:48 +1000275#error "Bad configuration - outgoing protected record payload too large."
276#endif
277
278/* Calculate buffer sizes */
279
Hanno Becker25d6d1a2017-12-07 08:22:51 +0000280/* Note: Even though the TLS record header is only 5 bytes
281 long, we're internally using 8 bytes to store the
282 implicit sequence number. */
Hanno Beckerd25d4442017-10-04 13:56:42 +0100283#define MBEDTLS_SSL_HEADER_LEN 13
Hanno Beckera8434e82017-09-18 10:54:39 +0100284
Andrzej Kurek033c42a2020-03-03 05:57:59 -0500285#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000286#define MBEDTLS_SSL_IN_BUFFER_LEN \
287 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100288#else
289#define MBEDTLS_SSL_IN_BUFFER_LEN \
290 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
291 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
292#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000293
Andrzej Kurek033c42a2020-03-03 05:57:59 -0500294#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000295#define MBEDTLS_SSL_OUT_BUFFER_LEN \
296 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100297#else
298#define MBEDTLS_SSL_OUT_BUFFER_LEN \
299 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
300 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
301#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000302
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800303#define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
304#define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
305
Hanno Becker9752aad2021-04-21 05:54:33 +0100306#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
307/**
308 * \brief Return the maximum fragment length (payload, in bytes) for
309 * the output buffer. For the client, this is the configured
310 * value. For the server, it is the minimum of two - the
311 * configured value and the negotiated one.
312 *
313 * \sa mbedtls_ssl_conf_max_frag_len()
314 * \sa mbedtls_ssl_get_max_out_record_payload()
315 *
316 * \param ssl SSL context
317 *
318 * \return Current maximum fragment length for the output buffer.
319 */
320size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
321
322/**
323 * \brief Return the maximum fragment length (payload, in bytes) for
324 * the input buffer. This is the negotiated maximum fragment
Hanno Beckerdf3b8632021-06-08 05:30:45 +0100325 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
Hanno Becker9752aad2021-04-21 05:54:33 +0100326 * If it is not defined either, the value is 2^14. This function
327 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
328 *
329 * \sa mbedtls_ssl_conf_max_frag_len()
330 * \sa mbedtls_ssl_get_max_in_record_payload()
331 *
332 * \param ssl SSL context
333 *
334 * \return Current maximum fragment length for the output buffer.
335 */
336size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
337#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
338
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500339#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500340static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500341{
342#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500343 return mbedtls_ssl_get_output_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500344 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
345 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
346#else
Andrzej Kurek069fa962021-01-07 08:02:15 -0500347 return mbedtls_ssl_get_output_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500348 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
349#endif
350}
351
Andrzej Kurek069fa962021-01-07 08:02:15 -0500352static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500353{
354#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500355 return mbedtls_ssl_get_input_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500356 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
357 + MBEDTLS_SSL_CID_IN_LEN_MAX;
358#else
Andrzej Kurek069fa962021-01-07 08:02:15 -0500359 return mbedtls_ssl_get_input_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500360 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
361#endif
362}
363#endif
364
Hanno Beckera8434e82017-09-18 10:54:39 +0100365/*
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200366 * TLS extension flags (for extensions with outgoing ServerHello content
367 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
368 * of state of the renegotiation flag, so no indicator is required)
369 */
370#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200371#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200372
Hanno Becker51018aa2017-04-12 14:54:42 +0100373/**
374 * \brief This function checks if the remaining size in a buffer is
375 * greater or equal than a needed space.
376 *
377 * \param cur Pointer to the current position in the buffer.
378 * \param end Pointer to one past the end of the buffer.
379 * \param need Needed space in bytes.
380 *
Ronald Cronb7b35e12020-06-11 09:50:51 +0200381 * \return Zero if the needed space is available in the buffer, non-zero
Hanno Becker51018aa2017-04-12 14:54:42 +0100382 * otherwise.
383 */
384static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
385 const uint8_t *end, size_t need )
386{
Ronald Cronb7b35e12020-06-11 09:50:51 +0200387 return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
Hanno Becker51018aa2017-04-12 14:54:42 +0100388}
389
390/**
391 * \brief This macro checks if the remaining size in a buffer is
392 * greater or equal than a needed space. If it is not the case,
393 * it returns an SSL_BUFFER_TOO_SMALL error.
394 *
395 * \param cur Pointer to the current position in the buffer.
396 * \param end Pointer to one past the end of the buffer.
397 * \param need Needed space in bytes.
398 *
399 */
400#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
401 do { \
Ronald Cronb7b35e12020-06-11 09:50:51 +0200402 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
Hanno Becker51018aa2017-04-12 14:54:42 +0100403 { \
404 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
405 } \
406 } while( 0 )
407
Jerry Yu34da3722021-09-19 18:05:08 +0800408/**
Jerry Yue15e6652021-09-28 21:06:07 +0800409 * \brief This macro checks if the remaining length in an input buffer is
410 * greater or equal than a needed length. If it is not the case, it
Jerry Yu205fd822021-10-08 16:16:24 +0800411 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
Jerry Yudca3d5d2021-10-08 14:19:29 +0800412 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
Jerry Yue4eefc72021-10-09 10:40:40 +0800413 *
414 * This is a function-like macro. It is guaranteed to evaluate each
415 * argument exactly once.
Jerry Yu34da3722021-09-19 18:05:08 +0800416 *
417 * \param cur Pointer to the current position in the buffer.
418 * \param end Pointer to one past the end of the buffer.
Jerry Yue15e6652021-09-28 21:06:07 +0800419 * \param need Needed length in bytes.
Jerry Yu34da3722021-09-19 18:05:08 +0800420 *
421 */
422#define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
423 do { \
424 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
425 { \
426 MBEDTLS_SSL_DEBUG_MSG( 1, \
427 ( "missing input data in %s", __func__ ) ); \
428 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
429 MBEDTLS_ERR_SSL_DECODE_ERROR ); \
430 return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
431 } \
432 } while( 0 )
433
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200434#ifdef __cplusplus
435extern "C" {
436#endif
437
Ron Eldor51d3ab52019-05-12 14:54:30 +0300438typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
439 const char *label,
440 const unsigned char *random, size_t rlen,
441 unsigned char *dstbuf, size_t dlen );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100442
Hanno Becker61baae72020-09-16 09:24:14 +0100443/* cipher.h exports the maximum IV, key and block length from
Hanno Becker15889832020-09-08 11:29:11 +0100444 * all ciphers enabled in the config, regardless of whether those
445 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
446 * in the default configuration and uses 64 Byte keys, but it is
447 * not used for record protection in SSL/TLS.
448 *
449 * In order to prevent unnecessary inflation of key structures,
450 * we introduce SSL-specific variants of the max-{key,block,IV}
451 * macros here which are meant to only take those ciphers into
452 * account which can be negotiated in SSL/TLS.
453 *
454 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
455 * in cipher.h are rough overapproximations of the real maxima, here
Hanno Becker9a7a2ac2020-09-09 09:24:54 +0100456 * we content ourselves with replicating those overapproximations
Hanno Becker15889832020-09-08 11:29:11 +0100457 * for the maximum block and IV length, and excluding XTS from the
458 * computation of the maximum key length. */
459#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
460#define MBEDTLS_SSL_MAX_IV_LENGTH 16
461#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
462
Hanno Becker3385a4d2020-08-21 13:03:34 +0100463/**
464 * \brief The data structure holding the cryptographic material (key and IV)
465 * used for record protection in TLS 1.3.
466 */
467struct mbedtls_ssl_key_set
468{
469 /*! The key for client->server records. */
Hanno Becker15889832020-09-08 11:29:11 +0100470 unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100471 /*! The key for server->client records. */
Hanno Becker15889832020-09-08 11:29:11 +0100472 unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100473 /*! The IV for client->server records. */
Hanno Becker15889832020-09-08 11:29:11 +0100474 unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100475 /*! The IV for server->client records. */
Hanno Becker15889832020-09-08 11:29:11 +0100476 unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100477
Hanno Becker493ea7f2020-09-08 11:01:00 +0100478 size_t key_len; /*!< The length of client_write_key and
479 * server_write_key, in Bytes. */
480 size_t iv_len; /*!< The length of client_write_iv and
481 * server_write_iv, in Bytes. */
Hanno Becker3385a4d2020-08-21 13:03:34 +0100482};
483typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
Hanno Becker3385a4d2020-08-21 13:03:34 +0100484
Jerry Yu61e35e02021-09-16 18:59:08 +0800485typedef struct
486{
Jerry Yuf532bb22021-10-13 10:34:03 +0800487 unsigned char binder_key [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
488 unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
489 unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Xiaofei Bai746f9482021-11-12 08:53:56 +0000490} mbedtls_ssl_tls13_early_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800491
492typedef struct
493{
Jerry Yuf532bb22021-10-13 10:34:03 +0800494 unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
495 unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Xiaofei Bai746f9482021-11-12 08:53:56 +0000496} mbedtls_ssl_tls13_handshake_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800497
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200498/*
499 * This structure contains the parameters only needed during handshake.
500 */
501struct mbedtls_ssl_handshake_params
502{
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100503 /* Frequently-used boolean or byte fields (placed early to take
504 * advantage of smaller code size for indirect access on Arm Thumb) */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100505 uint8_t resume; /*!< session resume indicator*/
506 uint8_t cli_exts; /*!< client extension presence*/
507
Glenn Straussbbdc83b2022-04-12 07:31:46 -0400508#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
509 uint8_t sni_authmode; /*!< authmode from SNI callback */
510#endif
511
512#if defined(MBEDTLS_SSL_SESSION_TICKETS)
513 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
514#endif /* MBEDTLS_SSL_SESSION_TICKETS */
515
Ronald Cron82c785f2022-03-31 15:44:41 +0200516#if defined(MBEDTLS_SSL_CLI_C)
Ronald Cron217d6992022-04-04 10:23:22 +0200517 /** Minimum TLS version to be negotiated.
Ronald Cronbdb4f582022-03-31 15:37:44 +0200518 *
Ronald Cron217d6992022-04-04 10:23:22 +0200519 * It is set up in the ClientHello writing preparation stage and used
520 * throughout the ClientHello writing. Not relevant anymore as soon as
521 * the protocol version has been negotiated thus as soon as the
522 * ServerHello is received.
523 * For a fresh handshake not linked to any previous handshake, it is
524 * equal to the configured minimum minor version to be negotiated. When
525 * renegotiating or resuming a session, it is equal to the previously
526 * negotiated minor version.
Ronald Cronbdb4f582022-03-31 15:37:44 +0200527 *
Ronald Cron217d6992022-04-04 10:23:22 +0200528 * There is no maximum TLS version field in this handshake context.
529 * From the start of the handshake, we need to define a current protocol
530 * version for the record layer which we define as the maximum TLS
531 * version to be negotiated. The `tls_version` field of the SSL context is
532 * used to store this maximum value until it contains the actual
533 * negotiated value.
Ronald Cronbdb4f582022-03-31 15:37:44 +0200534 */
Glenn Straussbbdc83b2022-04-12 07:31:46 -0400535 mbedtls_ssl_protocol_version min_tls_version;
Ronald Cron82c785f2022-03-31 15:44:41 +0200536#endif
Ronald Cron86a477f2022-02-18 17:45:10 +0100537
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100538#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
539 uint8_t extended_ms; /*!< use Extended Master Secret? */
540#endif
541
542#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
543 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
544#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
545
546#if defined(MBEDTLS_SSL_PROTO_DTLS)
547 unsigned char retransmit_state; /*!< Retransmission state */
548#endif
549
Gilles Peskine41139a22021-12-08 18:25:39 +0100550#if !defined(MBEDTLS_DEPRECATED_REMOVED)
551 unsigned char group_list_heap_allocated;
Jerry Yuf017ee42022-01-12 15:49:48 +0800552 unsigned char sig_algs_heap_allocated;
Gilles Peskine41139a22021-12-08 18:25:39 +0100553#endif
554
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100555#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
556 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100557 enum { /* this complements ssl->state with info on intra-state operations */
558 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
559 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
560 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
561 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
562 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
563 } ecrs_state; /*!< current (or last) operation */
564 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
565 size_t ecrs_n; /*!< place for saving a length */
566#endif
567
568 size_t pmslen; /*!< premaster length */
569
570 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
571
572 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
573 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
574 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
575 mbedtls_ssl_tls_prf_cb *tls_prf;
576
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200577 /*
578 * Handshake specific crypto variables
579 */
Ronald Cron6f135e12021-12-08 16:57:54 +0100580#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000581 int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100582
Jerry Yu6a2cd9e2022-05-05 11:14:19 +0800583 /** Number of HelloRetryRequest messages received/sent from/to the server. */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000584 int hello_retry_request_count;
XiaokangQian08037552022-04-20 07:16:41 +0000585#if defined(MBEDTLS_SSL_SRV_C)
XiaokangQian318dc762022-04-20 09:43:51 +0000586 /** selected_group of key_share extension in HelloRetryRequest message. */
XiaokangQian08037552022-04-20 07:16:41 +0000587 uint16_t hrr_selected_group;
588#endif /* MBEDTLS_SSL_SRV_C */
Jerry Yu582dd062022-04-22 21:59:01 +0800589#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
XiaokangQian08037552022-04-20 07:16:41 +0000590
Gabor Mezei078e8032022-04-27 21:17:56 +0200591#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000592 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
593#endif
594
Gilles Peskine41139a22021-12-08 18:25:39 +0100595#if !defined(MBEDTLS_DEPRECATED_REMOVED)
596 const uint16_t *group_list;
Jerry Yuf017ee42022-01-12 15:49:48 +0800597 const uint16_t *sig_algs;
Gilles Peskine41139a22021-12-08 18:25:39 +0100598#endif
599
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200600#if defined(MBEDTLS_DHM_C)
601 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
602#endif
Gilles Peskine8716f172021-11-16 15:21:44 +0100603
John Durkop07cc04a2020-11-16 22:08:34 -0800604/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
Ronald Cronde1adee2022-03-07 16:20:30 +0100605 * to guards in client and server code. There is a gap in functionality that
606 * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not
607 * seem correct.
John Durkop07cc04a2020-11-16 22:08:34 -0800608 */
609#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Neil Armstrong769dc052022-04-13 15:12:43 +0200610#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200611 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
Neil Armstrong769dc052022-04-13 15:12:43 +0200612#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000613
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +0100614#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine42459802019-12-19 13:31:53 +0100615 psa_key_type_t ecdh_psa_type;
Neil Armstrong91477a72022-03-25 15:42:20 +0100616 size_t ecdh_bits;
Andrzej Kurek03e01462022-01-03 12:53:24 +0100617 mbedtls_svc_key_id_t ecdh_psa_privkey;
Neil Armstrongf716a702022-04-04 11:23:46 +0200618 uint8_t ecdh_psa_privkey_is_external;
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000619 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
620 size_t ecdh_psa_peerkey_len;
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +0100621#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
John Durkop07cc04a2020-11-16 22:08:34 -0800622#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000623
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200624#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200625 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200626#if defined(MBEDTLS_SSL_CLI_C)
627 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
628 size_t ecjpake_cache_len; /*!< Length of cached data */
629#endif
Hanno Becker1aa267c2017-04-28 17:08:27 +0100630#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine8716f172021-11-16 15:21:44 +0100631
632#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200633 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200634 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
635#endif
Gilles Peskine8716f172021-11-16 15:21:44 +0100636
Gilles Peskineeccd8882020-03-10 12:19:08 +0100637#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100638#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek03e01462022-01-03 12:53:24 +0100639 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
Neil Armstrong501c9322022-05-03 09:35:09 +0200640 uint8_t psk_opaque_is_internal;
Neil Armstronge952a302022-05-03 10:22:14 +0200641#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200642 unsigned char *psk; /*!< PSK from the callback */
643 size_t psk_len; /*!< Length of PSK from callback */
Neil Armstronge952a302022-05-03 10:22:14 +0200644#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100645#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Gilles Peskine8716f172021-11-16 15:21:44 +0100646
Gilles Peskinecfe74a32021-12-08 18:38:51 +0100647#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
648 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
649#endif
650
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200651#if defined(MBEDTLS_X509_CRT_PARSE_C)
652 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
653#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
654 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
655 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
656 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100657#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200658#endif /* MBEDTLS_X509_CRT_PARSE_C */
Gilles Peskine8716f172021-11-16 15:21:44 +0100659
Gilles Peskine8716f172021-11-16 15:21:44 +0100660#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
Hanno Becker75173122019-02-06 16:18:31 +0000661 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
662 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
663#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker2f28c102019-04-25 15:46:59 +0100664
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100665 struct
666 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100667 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
668 * buffers used for message buffering. */
669
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100670 uint8_t seen_ccs; /*!< Indicates if a CCS message has
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100671 * been seen in the current flight. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100672
Hanno Becker0271f962018-08-16 13:23:47 +0100673 struct mbedtls_ssl_hs_buffer
674 {
Hanno Becker98081a02018-08-22 13:32:50 +0100675 unsigned is_valid : 1;
676 unsigned is_fragmented : 1;
677 unsigned is_complete : 1;
Hanno Becker0271f962018-08-16 13:23:47 +0100678 unsigned char *data;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100679 size_t data_len;
Hanno Becker0271f962018-08-16 13:23:47 +0100680 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
681
Hanno Becker5f066e72018-08-16 14:56:31 +0100682 struct
683 {
684 unsigned char *data;
685 size_t len;
686 unsigned epoch;
687 } future_record;
688
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100689 } buffering;
Hanno Becker35462012018-08-22 10:25:40 +0100690
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000691#if defined(MBEDTLS_SSL_CLI_C) && \
692 ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
693 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
694 * HelloRetryRequest cookie for TLS 1.3 */
695#endif /* MBEDTLS_SSL_CLI_C &&
696 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
697#if defined(MBEDTLS_SSL_PROTO_DTLS)
698 unsigned char verify_cookie_len; /*!< Cli: HelloVerifyRequest cookie
699 * length
XiaokangQian34909742022-01-27 02:25:04 +0000700 * Srv: flag for sending a cookie */
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000701#endif /* MBEDTLS_SSL_PROTO_DTLS */
702#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
703 uint16_t hrr_cookie_len; /*!< HelloRetryRequest cookie length */
XiaokangQian20438972022-03-04 08:52:07 +0000704#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
XiaokangQian52da5582022-01-26 09:49:29 +0000705
706#if defined(MBEDTLS_SSL_PROTO_DTLS)
707 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
708 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100709
710 uint32_t retransmit_timeout; /*!< Current value of timeout */
711 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
712 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
713 unsigned char *cur_msg_p; /*!< Position in current message */
714 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
715 flight being received */
716 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
717 resending messages */
718 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
719 for resending messages */
720
721#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
722 /* The state of CID configuration in this handshake. */
723
724 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
725 * has been negotiated. Possible values are
726 * #MBEDTLS_SSL_CID_ENABLED and
727 * #MBEDTLS_SSL_CID_DISABLED. */
728 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
729 uint8_t peer_cid_len; /*!< The length of
730 * \c peer_cid. */
731#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
732
Manuel Pégourié-Gonnardf47a4af2018-08-22 10:38:52 +0200733 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100734#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200735
Ronald Cron6f135e12021-12-08 16:57:54 +0100736#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Beckere043d152021-08-12 06:22:32 +0100737 /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
738 * Those pointers own the transforms they reference. */
Hanno Becker3aa186f2021-08-10 09:24:19 +0100739 mbedtls_ssl_transform *transform_handshake;
740 mbedtls_ssl_transform *transform_earlydata;
Ronald Cron6f135e12021-12-08 16:57:54 +0100741#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker3aa186f2021-08-10 09:24:19 +0100742
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200743 /*
744 * Checksum contexts
745 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200746#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500747#if defined(MBEDTLS_USE_PSA_CRYPTO)
748 psa_hash_operation_t fin_sha256_psa;
749#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200750 mbedtls_sha256_context fin_sha256;
751#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500752#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200753#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500754#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500755 psa_hash_operation_t fin_sha384_psa;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500756#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200757 mbedtls_sha512_context fin_sha512;
758#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500759#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200760
Ronald Cron6f135e12021-12-08 16:57:54 +0100761#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800762 uint16_t offered_group_id; /* The NamedGroup value for the group
763 * that is being used for ephemeral
764 * key exchange.
765 *
766 * On the client: Defaults to the first
767 * entry in the client's group list,
768 * but can be overwritten by the HRR. */
Ronald Cron6f135e12021-12-08 16:57:54 +0100769#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800770
Jerry Yufb28b882022-01-28 11:05:58 +0800771#if defined(MBEDTLS_SSL_CLI_C)
Jerry Yu2d9a6942022-02-08 21:07:10 +0800772 uint8_t client_auth; /*!< used to check if CertificateRequest has been
Jerry Yu5c7d1cc2022-02-08 21:08:29 +0800773 received from server side. If CertificateRequest
Jerry Yu0ff8ac82022-02-08 10:10:48 +0800774 has been received, Certificate and CertificateVerify
Jerry Yufb28b882022-01-28 11:05:58 +0800775 should be sent to server */
776#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000777 /*
778 * State-local variables used during the processing
779 * of a specific handshake state.
780 */
781 union
782 {
783 /* Outgoing Finished message */
784 struct
785 {
786 uint8_t preparation_done;
787
788 /* Buffer holding digest of the handshake up to
789 * but excluding the outgoing finished message. */
XiaokangQianc5c39d52021-11-09 11:55:10 +0000790 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000791 size_t digest_len;
792 } finished_out;
793
794 /* Incoming Finished message */
795 struct
796 {
XiaokangQian57b2aff2021-11-10 03:12:11 +0000797 uint8_t preparation_done;
798
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000799 /* Buffer holding digest of the handshake up to but
800 * excluding the peer's incoming finished message. */
XiaokangQianc5c39d52021-11-09 11:55:10 +0000801 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000802 size_t digest_len;
803 } finished_in;
804
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000805 } state_local;
806
807 /* End of state-local variables. */
808
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800809 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
810 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
811 /*!< random bytes */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200812 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
813 /*!< premaster secret */
814
Ronald Cron6f135e12021-12-08 16:57:54 +0100815#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu8e7ca042021-08-26 15:31:37 +0800816 int extensions_present; /*!< extension presence; Each bitfield
817 represents an extension and defined
818 as \c MBEDTLS_SSL_EXT_XXX */
Jerry Yu89ea3212021-09-09 14:31:24 +0800819
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000820#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
821 unsigned char certificate_request_context_len;
822 unsigned char *certificate_request_context;
Xiaofei Baie1e34422021-12-23 12:09:05 +0000823#endif
824
Jerry Yu89ea3212021-09-09 14:31:24 +0800825 union
826 {
Jerry Yud1ab2622021-10-08 15:36:57 +0800827 unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
828 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
829 unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE];
Xiaofei Baid25fab62021-12-02 06:36:27 +0000830 } tls13_master_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800831
Xiaofei Bai746f9482021-11-12 08:53:56 +0000832 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
Ronald Cron6f135e12021-12-08 16:57:54 +0100833#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200834
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200835#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
836 /** Asynchronous operation context. This field is meant for use by the
837 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
838 * mbedtls_ssl_config::f_async_decrypt_start,
839 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
840 * The library does not use it internally. */
841 void *user_async_ctx;
842#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Glenn Strauss69894072022-01-24 12:58:00 -0500843
844#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
845 const unsigned char *sni_name; /*!< raw SNI */
846 size_t sni_name_len; /*!< raw SNI len */
847#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200848};
849
Hanno Becker0271f962018-08-16 13:23:47 +0100850typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
851
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200852/*
Hanno Beckerd362dc52018-01-03 15:23:11 +0000853 * Representation of decryption/encryption transformations on records
854 *
855 * There are the following general types of record transformations:
TRodziewicz2abf03c2021-06-25 14:40:09 +0200856 * - Stream transformations (TLS versions == 1.2 only)
Hanno Beckerd362dc52018-01-03 15:23:11 +0000857 * Transformation adding a MAC and applying a stream-cipher
858 * to the authenticated message.
TRodziewicz2abf03c2021-06-25 14:40:09 +0200859 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
860 * For TLS 1.2, no IV is generated at key extraction time, but every
861 * encrypted record is explicitly prefixed by the IV with which it was
862 * encrypted.
863 * - AEAD transformations ([D]TLS versions == 1.2 only)
Hanno Beckerd362dc52018-01-03 15:23:11 +0000864 * These come in two fundamentally different versions, the first one
865 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
866 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
867 * In the first transformation, the IV to be used for a record is obtained
868 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
869 * record sequence number, and explicitly prepending this sequence number
870 * to the encrypted record. In contrast, in the second transformation
871 * the IV is obtained by XOR'ing a static IV obtained at key extraction
872 * time with the 8-byte record sequence number, without prepending the
873 * latter to the encrypted record.
874 *
Hanno Becker7d343ec2020-05-04 12:29:05 +0100875 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
876 * which allows to add flexible length padding and to hide a record's true
877 * content type.
878 *
Hanno Beckerd362dc52018-01-03 15:23:11 +0000879 * In addition to type and version, the following parameters are relevant:
880 * - The symmetric cipher algorithm to be used.
881 * - The (static) encryption/decryption keys for the cipher.
882 * - For stream/CBC, the type of message digest to be used.
883 * - For stream/CBC, (static) encryption/decryption keys for the digest.
Hanno Becker0db7e0c2018-10-18 15:39:53 +0100884 * - For AEAD transformations, the size (potentially 0) of an explicit,
885 * random initialization vector placed in encrypted records.
TRodziewicz299510e2021-07-09 16:55:11 +0200886 * - For some transformations (currently AEAD) an implicit IV. It is static
Hanno Beckerd362dc52018-01-03 15:23:11 +0000887 * and (if present) is combined with the explicit IV in a transformation-
TRodziewicz299510e2021-07-09 16:55:11 +0200888 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
Hanno Beckerd362dc52018-01-03 15:23:11 +0000889 * - For stream/CBC, a flag determining the order of encryption and MAC.
890 * - The details of the transformation depend on the SSL/TLS version.
891 * - The length of the authentication tag.
892 *
893 * The struct below refines this abstract view as follows:
894 * - The cipher underlying the transformation is managed in
895 * cipher contexts cipher_ctx_{enc/dec}, which must have the
896 * same cipher type. The mode of these cipher contexts determines
897 * the type of the transformation in the sense above: e.g., if
898 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
899 * then the transformation has type CBC resp. AEAD.
900 * - The cipher keys are never stored explicitly but
901 * are maintained within cipher_ctx_{enc/dec}.
902 * - For stream/CBC transformations, the message digest contexts
903 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
904 * are unused for AEAD transformations.
TRodziewicz2abf03c2021-06-25 14:40:09 +0200905 * - For stream/CBC transformations, the MAC keys are not stored explicitly
906 * but maintained within md_ctx_{enc/dec}.
907 * - The mac_enc and mac_dec fields are unused for EAD transformations.
Hanno Beckerd362dc52018-01-03 15:23:11 +0000908 * - For transformations using an implicit IV maintained within
909 * the transformation context, its contents are stored within
910 * iv_{enc/dec}.
911 * - The value of ivlen indicates the length of the IV.
912 * This is redundant in case of stream/CBC transformations
913 * which always use 0 resp. the cipher's block length as the
914 * IV length, but is needed for AEAD ciphers and may be
915 * different from the underlying cipher's block length
916 * in this case.
917 * - The field fixed_ivlen is nonzero for AEAD transformations only
918 * and indicates the length of the static part of the IV which is
919 * constant throughout the communication, and which is stored in
920 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
Glenn Strauss07c64162022-03-14 12:34:51 -0400921 * - tls_version denotes the 2-byte TLS version
Hanno Beckerd362dc52018-01-03 15:23:11 +0000922 * - For stream/CBC transformations, maclen denotes the length of the
923 * authentication tag, while taglen is unused and 0.
924 * - For AEAD transformations, taglen denotes the length of the
925 * authentication tag, while maclen is unused and 0.
926 * - For CBC transformations, encrypt_then_mac determines the
927 * order of encryption and authentication. This field is unused
928 * in other transformations.
929 *
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200930 */
931struct mbedtls_ssl_transform
932{
933 /*
934 * Session specific crypto layer
935 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200936 size_t minlen; /*!< min. ciphertext length */
937 size_t ivlen; /*!< IV length */
938 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
Hanno Beckere694c3e2017-12-27 21:34:08 +0000939 size_t maclen; /*!< MAC(CBC) len */
940 size_t taglen; /*!< TAG(AEAD) len */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200941
942 unsigned char iv_enc[16]; /*!< IV (encryption) */
943 unsigned char iv_dec[16]; /*!< IV (decryption) */
944
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000945#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Hanno Beckerd56ed242018-01-03 15:32:51 +0000946
Neil Armstrong39b8e7d2022-02-23 09:24:45 +0100947#if defined(MBEDTLS_USE_PSA_CRYPTO)
948 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
949 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
950 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
Neil Armstrongcf8841a2022-02-24 11:17:45 +0100951#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200952 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
953 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
Neil Armstrongcf8841a2022-02-24 11:17:45 +0100954#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200955
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000956#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
957 int encrypt_then_mac; /*!< flag for EtM activation */
958#endif
959
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000960#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Hanno Beckerd56ed242018-01-03 15:32:51 +0000961
Glenn Strauss07c64162022-03-14 12:34:51 -0400962 mbedtls_ssl_protocol_version tls_version;
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000963
Przemyslaw Stekiel44187d72022-01-11 08:25:29 +0100964#if defined(MBEDTLS_USE_PSA_CRYPTO)
965 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
966 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
967 psa_algorithm_t psa_alg; /*!< psa algorithm */
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +0100968#else
969 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
970 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
Przemyslaw Stekiel44187d72022-01-11 08:25:29 +0100971#endif /* MBEDTLS_USE_PSA_CRYPTO */
972
Hanno Beckera0e20d02019-05-15 14:03:01 +0100973#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1327fa72019-04-25 15:54:02 +0100974 uint8_t in_cid_len;
975 uint8_t out_cid_len;
976 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
977 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckera0e20d02019-05-15 14:03:01 +0100978#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1327fa72019-04-25 15:54:02 +0100979
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200980#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
981 /* We need the Hello random bytes in order to re-derive keys from the
Hanno Beckerbd257552021-03-22 06:59:27 +0000982 * Master Secret and other session info,
983 * see ssl_tls12_populate_transform() */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800984 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
985 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
986 /*!< ServerHello.random+ClientHello.random */
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200987#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200988};
989
Hanno Becker12a3a862018-01-05 15:42:50 +0000990/*
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +0200991 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
992 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
993 */
994static inline int mbedtls_ssl_transform_uses_aead(
995 const mbedtls_ssl_transform *transform )
996{
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000997#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +0200998 return( transform->maclen == 0 && transform->taglen != 0 );
999#else
1000 (void) transform;
1001 return( 1 );
1002#endif
1003}
1004
1005/*
Hanno Becker12a3a862018-01-05 15:42:50 +00001006 * Internal representation of record frames
1007 *
Hanno Becker12a3a862018-01-05 15:42:50 +00001008 * Instances come in two flavors:
1009 * (1) Encrypted
1010 * These always have data_offset = 0
1011 * (2) Unencrypted
Hanno Beckercd430bc2019-04-04 16:29:48 +01001012 * These have data_offset set to the amount of
1013 * pre-expansion during record protection. Concretely,
1014 * this is the length of the fixed part of the explicit IV
1015 * used for encryption, or 0 if no explicit IV is used
TRodziewicz2abf03c2021-06-25 14:40:09 +02001016 * (e.g. for stream ciphers).
Hanno Becker12a3a862018-01-05 15:42:50 +00001017 *
1018 * The reason for the data_offset in the unencrypted case
1019 * is to allow for in-place conversion of an unencrypted to
1020 * an encrypted record. If the offset wasn't included, the
1021 * encrypted content would need to be shifted afterwards to
1022 * make space for the fixed IV.
1023 *
1024 */
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001025#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Becker75f080f2019-04-30 15:01:51 +01001026#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001027#else
Hanno Becker75f080f2019-04-30 15:01:51 +01001028#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001029#endif
1030
Hanno Becker12a3a862018-01-05 15:42:50 +00001031typedef struct
1032{
Jerry Yuae0b2e22021-10-08 15:21:19 +08001033 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1034 * In DTLS: The 2-byte epoch followed by
1035 * the 6-byte sequence number.
1036 * This is stored as a raw big endian byte array
1037 * as opposed to a uint64_t because we rarely
1038 * need to perform arithmetic on this, but do
1039 * need it as a Byte array for the purpose of
1040 * MAC computations. */
Hanno Beckerd840cea2019-07-11 09:24:36 +01001041 uint8_t type; /* The record content type. */
1042 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1043 * Convert to internal presentation of versions
1044 * using mbedtls_ssl_read_version() and
1045 * mbedtls_ssl_write_version().
1046 * Keep wire-format for MAC computations. */
Hanno Becker12a3a862018-01-05 15:42:50 +00001047
Hanno Beckerd840cea2019-07-11 09:24:36 +01001048 unsigned char *buf; /* Memory buffer enclosing the record content */
1049 size_t buf_len; /* Buffer length */
1050 size_t data_offset; /* Offset of record content */
1051 size_t data_len; /* Length of record content */
Hanno Becker12a3a862018-01-05 15:42:50 +00001052
Hanno Beckera0e20d02019-05-15 14:03:01 +01001053#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerd840cea2019-07-11 09:24:36 +01001054 uint8_t cid_len; /* Length of the CID (0 if not present) */
1055 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +01001056#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker12a3a862018-01-05 15:42:50 +00001057} mbedtls_record;
1058
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001059#if defined(MBEDTLS_X509_CRT_PARSE_C)
1060/*
1061 * List of certificate + private key pairs
1062 */
1063struct mbedtls_ssl_key_cert
1064{
1065 mbedtls_x509_crt *cert; /*!< cert */
1066 mbedtls_pk_context *key; /*!< private key */
1067 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1068};
1069#endif /* MBEDTLS_X509_CRT_PARSE_C */
1070
1071#if defined(MBEDTLS_SSL_PROTO_DTLS)
1072/*
1073 * List of handshake messages kept around for resending
1074 */
1075struct mbedtls_ssl_flight_item
1076{
1077 unsigned char *p; /*!< message, including handshake headers */
1078 size_t len; /*!< length of p */
1079 unsigned char type; /*!< type of the message: handshake or CCS */
1080 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1081};
1082#endif /* MBEDTLS_SSL_PROTO_DTLS */
1083
Ronald Cron4079abc2022-02-20 10:35:26 +01001084#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1085/**
1086 * \brief Given an SSL context and its associated configuration, write the TLS
1087 * 1.2 specific extensions of the ClientHello message.
1088 *
1089 * \param[in] ssl SSL context
1090 * \param[in] buf Base address of the buffer where to write the extensions
1091 * \param[in] end End address of the buffer where to write the extensions
1092 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
1093 * (<> 0) or not ( 0 ).
1094 * \param[out] out_len Length of the data written into the buffer \p buf
1095 */
1096int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
1097 unsigned char *buf,
1098 const unsigned char *end,
1099 int uses_ec,
1100 size_t *out_len );
1101#endif
1102
Hanno Becker7e5437a2017-04-28 17:15:26 +01001103#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01001104 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01001105
Gabor Mezeia3d016c2022-05-10 12:44:09 +02001106/**
1107 * \brief Find the preferred hash for a given signature algorithm.
1108 *
1109 * \param[in] ssl SSL context
1110 * \param[in] sig_alg A signature algorithm identifier as defined in the
1111 * TLS 1.2 SignatureAlgorithm enumeration.
1112 *
1113 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1114 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1115 */
1116unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1117 mbedtls_ssl_context *ssl,
1118 unsigned int sig_alg );
1119
Gabor Mezei078e8032022-04-27 21:17:56 +02001120#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Gilles Peskineeccd8882020-03-10 12:19:08 +01001121 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001122
1123/**
1124 * \brief Free referenced items in an SSL transform context and clear
1125 * memory
1126 *
1127 * \param transform SSL transform context
1128 */
1129void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
1130
1131/**
1132 * \brief Free referenced items in an SSL handshake context and clear
1133 * memory
1134 *
Gilles Peskine9b562d52018-04-25 20:32:43 +02001135 * \param ssl SSL context
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001136 */
Gilles Peskine9b562d52018-04-25 20:32:43 +02001137void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001138
Jerry Yuc7875b52021-09-05 21:05:50 +08001139/* set inbound transform of ssl context */
1140void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
1141 mbedtls_ssl_transform *transform );
1142
1143/* set outbound transform of ssl context */
1144void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
1145 mbedtls_ssl_transform *transform );
1146
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001147int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
1148int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
1149void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001150static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
1151 mbedtls_ssl_states state )
1152{
1153 ssl->state = ( int ) state;
1154}
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001155
1156int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
1157
1158void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
Jerry Yubef175d2022-01-28 10:52:05 +08001159
1160#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001161int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
Jerry Yubef175d2022-01-28 10:52:05 +08001162#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001163
Simon Butcher99000142016-10-13 17:21:01 +01001164int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
1165int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
1166void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
1167
Hanno Becker4a810fb2017-05-24 16:27:30 +01001168/**
1169 * \brief Update record layer
1170 *
1171 * This function roughly separates the implementation
1172 * of the logic of (D)TLS from the implementation
1173 * of the secure transport.
1174 *
Hanno Becker3a0aad12018-08-20 09:44:02 +01001175 * \param ssl The SSL context to use.
1176 * \param update_hs_digest This indicates if the handshake digest
1177 * should be automatically updated in case
1178 * a handshake message is found.
Hanno Becker4a810fb2017-05-24 16:27:30 +01001179 *
1180 * \return 0 or non-zero error code.
1181 *
1182 * \note A clarification on what is called 'record layer' here
1183 * is in order, as many sensible definitions are possible:
1184 *
1185 * The record layer takes as input an untrusted underlying
1186 * transport (stream or datagram) and transforms it into
1187 * a serially multiplexed, secure transport, which
1188 * conceptually provides the following:
1189 *
1190 * (1) Three datagram based, content-agnostic transports
1191 * for handshake, alert and CCS messages.
1192 * (2) One stream- or datagram-based transport
1193 * for application data.
1194 * (3) Functionality for changing the underlying transform
1195 * securing the contents.
1196 *
1197 * The interface to this functionality is given as follows:
1198 *
1199 * a Updating
1200 * [Currently implemented by mbedtls_ssl_read_record]
1201 *
1202 * Check if and on which of the four 'ports' data is pending:
1203 * Nothing, a controlling datagram of type (1), or application
1204 * data (2). In any case data is present, internal buffers
1205 * provide access to the data for the user to process it.
1206 * Consumption of type (1) datagrams is done automatically
1207 * on the next update, invalidating that the internal buffers
1208 * for previous datagrams, while consumption of application
1209 * data (2) is user-controlled.
1210 *
1211 * b Reading of application data
1212 * [Currently manual adaption of ssl->in_offt pointer]
1213 *
1214 * As mentioned in the last paragraph, consumption of data
1215 * is different from the automatic consumption of control
1216 * datagrams (1) because application data is treated as a stream.
1217 *
1218 * c Tracking availability of application data
1219 * [Currently manually through decreasing ssl->in_msglen]
1220 *
1221 * For efficiency and to retain datagram semantics for
1222 * application data in case of DTLS, the record layer
1223 * provides functionality for checking how much application
1224 * data is still available in the internal buffer.
1225 *
1226 * d Changing the transformation securing the communication.
1227 *
1228 * Given an opaque implementation of the record layer in the
1229 * above sense, it should be possible to implement the logic
1230 * of (D)TLS on top of it without the need to know anything
1231 * about the record layer's internals. This is done e.g.
1232 * in all the handshake handling functions, and in the
1233 * application data reading function mbedtls_ssl_read.
1234 *
1235 * \note The above tries to give a conceptual picture of the
1236 * record layer, but the current implementation deviates
1237 * from it in some places. For example, our implementation of
1238 * the update functionality through mbedtls_ssl_read_record
1239 * discards datagrams depending on the current state, which
1240 * wouldn't fall under the record layer's responsibility
1241 * following the above definition.
1242 *
1243 */
Hanno Becker3a0aad12018-08-20 09:44:02 +01001244int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1245 unsigned update_hs_digest );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001246int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1247
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001248/*
1249 * Write handshake message header
1250 */
1251int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
1252 unsigned char **buf, size_t *buf_len );
1253
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001254int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
Ronald Cron66dbf912022-02-02 15:33:46 +01001255 int update_checksum,
Ronald Cron00d012f22022-03-08 15:57:12 +01001256 int force_flush );
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001257static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
1258{
Ronald Cron66dbf912022-02-02 15:33:46 +01001259 return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */, 1 /* force flush */ ) );
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001260}
1261
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001262/*
1263 * Write handshake message tail
1264 */
1265int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
1266 size_t buf_len, size_t msg_len );
1267
Ronald Cron00d012f22022-03-08 15:57:12 +01001268int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001269int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1270
1271int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
1272int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1273
1274int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
1275int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1276
1277int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
1278int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1279
1280void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1281 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1282
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001283/*
1284 * Update checksum of handshake messages.
1285 */
1286void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
1287 unsigned hs_type,
1288 unsigned char const *msg,
1289 size_t msg_len );
1290
Gilles Peskineeccd8882020-03-10 12:19:08 +01001291#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Neil Armstrong80f6f322022-05-03 17:56:38 +02001292#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001293int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
1294 mbedtls_key_exchange_type_t key_ex );
Neil Armstrong80f6f322022-05-03 17:56:38 +02001295#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Ronald Crond491c2d2022-02-19 18:30:46 +01001296#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
1297int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
1298#endif
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001299
Neil Armstrong044a32c2022-05-03 10:35:56 +02001300#if defined(MBEDTLS_USE_PSA_CRYPTO)
1301/**
1302 * Get the first defined opaque PSK by order of precedence:
1303 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1304 * callback
1305 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1306 * Return an opaque PSK
1307 */
1308static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1309 const mbedtls_ssl_context *ssl )
1310{
1311 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
1312 return( ssl->handshake->psk_opaque );
1313
1314 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
1315 return( ssl->conf->psk_opaque );
1316
1317 return( MBEDTLS_SVC_KEY_ID_INIT );
1318}
1319#else
Guilhem Bryant8a69ddd2020-03-27 11:13:39 +00001320/**
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001321 * Get the first defined PSK by order of precedence:
1322 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1323 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1324 * Return a code and update the pair (PSK, PSK length) passed to this function
1325 */
1326static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1327 const unsigned char **psk, size_t *psk_len )
1328{
1329 if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
1330 {
1331 *psk = ssl->handshake->psk;
1332 *psk_len = ssl->handshake->psk_len;
1333 }
1334
1335 else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
1336 {
1337 *psk = ssl->conf->psk;
1338 *psk_len = ssl->conf->psk_len;
1339 }
1340
1341 else
1342 {
Guilhem Bryantb5f04e42020-04-01 11:23:58 +01001343 *psk = NULL;
1344 *psk_len = 0;
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001345 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1346 }
1347
1348 return( 0 );
1349}
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001350#endif /* MBEDTLS_USE_PSA_CRYPTO */
1351
1352#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001353
1354#if defined(MBEDTLS_PK_C)
1355unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
Hanno Becker7e5437a2017-04-28 17:15:26 +01001356unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001357mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1358#endif
1359
1360mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02001361unsigned char mbedtls_ssl_hash_from_md_alg( int md );
Ronald Cron4dcbca92022-03-07 10:21:40 +01001362
1363#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Simon Butcher99000142016-10-13 17:21:01 +01001364int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
Ronald Cron4dcbca92022-03-07 10:21:40 +01001365#endif
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001366
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01001367int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02001368#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02001369int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001370#endif
1371
Ron Eldor089c9fe2018-12-06 17:12:49 +02001372#if defined(MBEDTLS_SSL_DTLS_SRTP)
Johan Pascal43f94902020-09-22 12:25:52 +02001373static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1374 ( const uint16_t srtp_profile_value )
Ron Eldor089c9fe2018-12-06 17:12:49 +02001375{
Johan Pascal43f94902020-09-22 12:25:52 +02001376 switch( srtp_profile_value )
Ron Eldor089c9fe2018-12-06 17:12:49 +02001377 {
Johan Pascal85269572020-08-25 10:01:54 +02001378 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
Johan Pascal85269572020-08-25 10:01:54 +02001379 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
Johan Pascal85269572020-08-25 10:01:54 +02001380 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
Johan Pascal85269572020-08-25 10:01:54 +02001381 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
Johan Pascal43f94902020-09-22 12:25:52 +02001382 return srtp_profile_value;
Ron Eldor089c9fe2018-12-06 17:12:49 +02001383 default: break;
1384 }
Johan Pascal43f94902020-09-22 12:25:52 +02001385 return( MBEDTLS_TLS_SRTP_UNSET );
Ron Eldor089c9fe2018-12-06 17:12:49 +02001386}
1387#endif
1388
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001389#if defined(MBEDTLS_X509_CRT_PARSE_C)
1390static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1391{
1392 mbedtls_ssl_key_cert *key_cert;
1393
1394 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1395 key_cert = ssl->handshake->key_cert;
1396 else
1397 key_cert = ssl->conf->key_cert;
1398
1399 return( key_cert == NULL ? NULL : key_cert->key );
1400}
1401
1402static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1403{
1404 mbedtls_ssl_key_cert *key_cert;
1405
1406 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1407 key_cert = ssl->handshake->key_cert;
1408 else
1409 key_cert = ssl->conf->key_cert;
1410
1411 return( key_cert == NULL ? NULL : key_cert->cert );
1412}
1413
1414/*
1415 * Check usage of a certificate wrt extensions:
1416 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1417 *
1418 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1419 * check a cert we received from them)!
1420 *
1421 * Return 0 if everything is OK, -1 if not.
1422 */
1423int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1424 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1425 int cert_endpoint,
1426 uint32_t *flags );
1427#endif /* MBEDTLS_X509_CRT_PARSE_C */
1428
Glenn Strausse3af4cb2022-03-15 03:23:42 -04001429void mbedtls_ssl_write_version( unsigned char version[2], int transport,
1430 mbedtls_ssl_protocol_version tls_version );
1431uint16_t mbedtls_ssl_read_version( const unsigned char version[2],
1432 int transport );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001433
Hanno Becker5903de42019-05-03 14:46:38 +01001434static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001435{
Hanno Becker47be7682019-07-12 09:55:46 +01001436#if !defined(MBEDTLS_SSL_PROTO_DTLS)
1437 ((void) ssl);
1438#endif
1439
1440#if defined(MBEDTLS_SSL_PROTO_DTLS)
1441 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1442 {
1443 return( 13 );
1444 }
1445 else
1446#endif /* MBEDTLS_SSL_PROTO_DTLS */
1447 {
1448 return( 5 );
1449 }
Hanno Becker5903de42019-05-03 14:46:38 +01001450}
1451
1452static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1453{
Hanno Becker3b154c12019-05-03 15:05:27 +01001454 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001455}
1456
1457static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1458{
1459#if defined(MBEDTLS_SSL_PROTO_DTLS)
1460 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1461 return( 12 );
1462#else
1463 ((void) ssl);
1464#endif
1465 return( 4 );
1466}
1467
1468#if defined(MBEDTLS_SSL_PROTO_DTLS)
1469void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1470void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1471int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02001472int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001473#endif
1474
1475/* Visible for testing purposes only */
1476#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker0183d692019-07-12 08:50:37 +01001477int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001478void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1479#endif
1480
Hanno Becker52055ae2019-02-06 14:30:46 +00001481int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1482 const mbedtls_ssl_session *src );
1483
TRodziewicz0f82ec62021-05-12 17:49:18 +02001484#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek814feff2019-01-14 04:35:19 -05001485/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001486int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +02001487 unsigned char *hash, size_t *hashlen,
1488 unsigned char *data, size_t data_len,
1489 mbedtls_md_type_t md_alg );
TRodziewicz0f82ec62021-05-12 17:49:18 +02001490#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001491
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001492#ifdef __cplusplus
1493}
1494#endif
1495
Hanno Beckera18d1322018-01-03 14:27:32 +00001496void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1497int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1498 mbedtls_ssl_transform *transform,
1499 mbedtls_record *rec,
1500 int (*f_rng)(void *, unsigned char *, size_t),
1501 void *p_rng );
Hanno Becker605949f2019-07-12 08:23:59 +01001502int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +00001503 mbedtls_ssl_transform *transform,
1504 mbedtls_record *rec );
1505
Hanno Beckerdd772292020-02-05 10:38:31 +00001506/* Length of the "epoch" field in the record header */
1507static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1508{
1509#if defined(MBEDTLS_SSL_PROTO_DTLS)
1510 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1511 return( 2 );
1512#else
1513 ((void) ssl);
1514#endif
1515 return( 0 );
1516}
1517
Hanno Becker08f09132020-02-11 15:40:07 +00001518#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker786300f2020-02-05 10:46:40 +00001519int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
Hanno Becker08f09132020-02-11 15:40:07 +00001520#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker0f57a652020-02-05 10:37:26 +00001521
1522void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
Hanno Becker7876d122020-02-05 10:39:31 +00001523int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1524
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00001525void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1526void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1527 mbedtls_ssl_transform *transform );
1528void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1529
Hanno Becker43aefe22020-02-05 10:44:56 +00001530int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
XiaokangQian78b1fa72022-01-19 06:56:30 +00001531void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
1532 int partial );
Hanno Becker43aefe22020-02-05 10:44:56 +00001533
Jerry Yue7047812021-09-13 19:26:39 +08001534/*
Jerry Yu394ece62021-09-14 22:17:21 +08001535 * Send pending alert
Jerry Yue7047812021-09-13 19:26:39 +08001536 */
1537int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
1538
Jerry Yu394ece62021-09-14 22:17:21 +08001539/*
1540 * Set pending fatal alert flag.
1541 */
1542void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
1543 unsigned char alert_type,
1544 int alert_reason );
1545
1546/* Alias of mbedtls_ssl_pend_fatal_alert */
1547#define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \
1548 mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value )
1549
Hanno Becker7e8e6a62020-02-05 10:45:48 +00001550#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1551void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1552#endif
1553
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00001554void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1555
Hanno Becker08f09132020-02-11 15:40:07 +00001556#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker40cdaa12020-02-05 10:48:27 +00001557int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
Hanno Becker08f09132020-02-11 15:40:07 +00001558#endif /* MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker89490712020-02-05 10:50:12 +00001559
Hanno Becker533ab5f2020-02-05 10:49:13 +00001560#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker08f09132020-02-11 15:40:07 +00001561size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
Hanno Becker533ab5f2020-02-05 10:49:13 +00001562void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1563void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1564#endif /* MBEDTLS_SSL_PROTO_DTLS */
1565
Jerry Yu60835a82021-08-04 10:13:52 +08001566/**
1567 * ssl utils functions for checking configuration.
1568 */
1569
Ronald Cron6f135e12021-12-08 16:57:54 +01001570#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08001571static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
1572{
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001573 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1574 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
Jerry Yu60835a82021-08-04 10:13:52 +08001575}
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001576
Ronald Cron6f135e12021-12-08 16:57:54 +01001577#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu60835a82021-08-04 10:13:52 +08001578
1579#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1580static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
1581{
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001582 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1583 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 );
Jerry Yu60835a82021-08-04 10:13:52 +08001584}
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001585
Jerry Yu60835a82021-08-04 10:13:52 +08001586#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1587
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001588static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *conf )
1589{
1590#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001591 return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1592 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3 );
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001593#else
1594 ((void) conf);
1595 return( 0 );
1596#endif
1597}
1598
1599static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *conf )
1600{
1601#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001602 return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1603 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2 );
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001604#else
1605 ((void) conf);
1606 return( 0 );
1607#endif
1608}
1609
Ronald Cron6f135e12021-12-08 16:57:54 +01001610#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08001611static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
1612{
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001613 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1614 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
Jerry Yu60835a82021-08-04 10:13:52 +08001615}
Ronald Cron6f135e12021-12-08 16:57:54 +01001616#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu60835a82021-08-04 10:13:52 +08001617
Ronald Cron6f135e12021-12-08 16:57:54 +01001618#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yufbe3e642022-04-25 19:31:51 +08001619extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1620 MBEDTLS_SERVER_HELLO_RANDOM_LEN ];
Jerry Yua6e6c272021-11-17 17:54:13 +08001621int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
1622int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
1623void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
1624
1625/**
Ronald Cron3d580bf2022-02-18 17:24:56 +01001626 * \brief Given an SSL context and its associated configuration, write the TLS
1627 * 1.3 specific extensions of the ClientHello message.
1628 *
1629 * \param[in] ssl SSL context
1630 * \param[in] buf Base address of the buffer where to write the extensions
1631 * \param[in] end End address of the buffer where to write the extensions
1632 * \param[out] out_len Length of the data written into the buffer \p buf
1633 */
1634int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1635 unsigned char *buf,
1636 unsigned char *end,
1637 size_t *out_len );
1638
1639/**
Jerry Yua6e6c272021-11-17 17:54:13 +08001640 * \brief TLS 1.3 client side state machine entry
1641 *
1642 * \param ssl SSL context
1643 */
1644int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
1645
1646/**
1647 * \brief TLS 1.3 server side state machine entry
1648 *
1649 * \param ssl SSL context
1650 */
1651int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
1652
Jerry Yu26f4d152021-08-23 17:42:37 +08001653
1654/*
1655 * Helper functions around key exchange modes.
1656 */
Jerry Yub60e3cf2021-09-08 16:41:02 +08001657static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
Jerry Yu26f4d152021-08-23 17:42:37 +08001658 int kex_mode_mask )
1659{
1660 return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
1661}
1662
Jerry Yub60e3cf2021-09-08 16:41:02 +08001663static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu26f4d152021-08-23 17:42:37 +08001664{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001665 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001666 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001667}
1668
1669static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
1670{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001671 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001672 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001673}
1674
Jerry Yub60e3cf2021-09-08 16:41:02 +08001675static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu26f4d152021-08-23 17:42:37 +08001676{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001677 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001678 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001679}
1680
1681static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1682{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001683 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001684 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001685}
1686
1687static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1688{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001689 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001690 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001691}
1692
Jerry Yuadf861a2021-09-29 21:22:08 +08001693/**
1694 * Given a list of key exchange modes, check if at least one of them is
1695 * supported.
1696 *
1697 * \param[in] ssl SSL context
Jerry Yu0cabad32021-09-30 09:52:35 +08001698 * \param kex_modes_mask Mask of the key exchange modes to check
Jerry Yuadf861a2021-09-29 21:22:08 +08001699 *
1700 * \return 0 if at least one of the key exchange modes is supported,
Jerry Yudca3d5d2021-10-08 14:19:29 +08001701 * !=0 otherwise.
Jerry Yuadf861a2021-09-29 21:22:08 +08001702 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00001703static inline unsigned mbedtls_ssl_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1704 int kex_modes_mask )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001705{
Xiaofei Baid25fab62021-12-02 06:36:27 +00001706 return( ( ssl->handshake->tls13_kex_modes & kex_modes_mask ) == 0 );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001707}
1708
Xiaofei Bai746f9482021-11-12 08:53:56 +00001709static inline int mbedtls_ssl_tls13_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001710{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001711 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1712 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001713}
1714
Xiaofei Bai746f9482021-11-12 08:53:56 +00001715static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001716 mbedtls_ssl_context *ssl )
1717{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001718 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1719 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001720}
1721
Xiaofei Bai746f9482021-11-12 08:53:56 +00001722static inline int mbedtls_ssl_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001723{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001724 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1725 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001726}
1727
Xiaofei Bai746f9482021-11-12 08:53:56 +00001728static inline int mbedtls_ssl_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001729{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001730 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1731 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001732}
1733
Xiaofei Bai746f9482021-11-12 08:53:56 +00001734static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001735{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001736 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1737 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001738}
1739
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001740/*
XiaokangQian6b226b02021-09-24 07:51:16 +00001741 * Fetch TLS 1.3 handshake message header
1742 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00001743int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
1744 unsigned hs_type,
1745 unsigned char **buf,
1746 size_t *buf_len );
XiaokangQian6b226b02021-09-24 07:51:16 +00001747
1748/*
Xiaofei Bai947571e2021-09-29 09:12:03 +00001749 * Handler of TLS 1.3 server certificate message
1750 */
1751int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
1752
Jerry Yu90f152d2022-01-29 22:12:42 +08001753#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001754/*
Jerry Yu3e536442022-02-15 11:05:59 +08001755 * Handler of TLS 1.3 write Certificate message
Jerry Yu5cc35062022-01-28 16:16:08 +08001756 */
1757int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
1758
1759/*
Jerry Yu3e536442022-02-15 11:05:59 +08001760 * Handler of TLS 1.3 write Certificate Verify message
Jerry Yu8511f122022-01-29 10:01:04 +08001761 */
1762int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
Jerry Yu90f152d2022-01-29 22:12:42 +08001763
1764#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1765
Jerry Yu8511f122022-01-29 10:01:04 +08001766/*
Jerry Yu30b071c2021-09-12 20:16:03 +08001767 * Generic handler of Certificate Verify
1768 */
1769int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
1770
1771/*
Ronald Cron49ad6192021-11-24 16:25:31 +01001772 * Write of dummy-CCS's for middlebox compatibility
1773 */
1774int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1775
XiaokangQian647719a2021-12-07 09:16:29 +00001776int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
1777
Jerry Yu89e103c2022-03-30 22:43:29 +08001778#if defined(MBEDTLS_ECDH_C)
1779int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1780 mbedtls_ssl_context *ssl,
1781 uint16_t named_group,
1782 unsigned char *buf,
1783 unsigned char *end,
1784 size_t *out_len );
1785#endif /* MBEDTLS_ECDH_C */
1786
1787
Jerry Yuf017ee42022-01-12 15:49:48 +08001788#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1789
Jerry Yubc20bdd2021-08-24 15:59:48 +08001790#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001791/*
Gabor Mezei53a3b142022-05-10 13:20:55 +02001792 * Parse TLS Signature Algorithm extension
Xiaofei Bai69fcd392022-01-20 08:25:00 +00001793 */
Gabor Mezei078e8032022-04-27 21:17:56 +02001794int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
1795 const unsigned char *buf,
1796 const unsigned char *end );
Jerry Yubc20bdd2021-08-24 15:59:48 +08001797#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu65dd2cc2021-08-18 16:38:40 +08001798
Jerry Yu000f9762021-09-14 11:12:51 +08001799/* Get handshake transcript */
1800int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
1801 const mbedtls_md_type_t md,
1802 unsigned char *dst,
1803 size_t dst_len,
1804 size_t *olen );
1805
Brett Warrene0edc842021-08-17 09:53:13 +01001806/*
1807 * Return supported groups.
1808 *
1809 * In future, invocations can be changed to ssl->conf->group_list
1810 * when mbedtls_ssl_conf_curves() is deleted.
1811 *
1812 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
1813 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
1814 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
1815 *
1816 */
1817static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl )
1818{
1819 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
1820 return( ssl->conf->group_list );
1821 #else
1822 if( ( ssl->handshake != NULL ) && ( ssl->handshake->group_list != NULL ) )
1823 return( ssl->handshake->group_list );
1824 else
1825 return( ssl->conf->group_list );
1826 #endif
1827}
1828
Jerry Yuba073422021-12-20 22:22:15 +08001829/*
1830 * Helper functions for NamedGroup.
1831 */
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001832static inline int mbedtls_ssl_tls12_named_group_is_ecdhe( uint16_t named_group )
Jerry Yuba073422021-12-20 22:22:15 +08001833{
1834 /*
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001835 * RFC 8422 section 5.1.1
Jerry Yuba073422021-12-20 22:22:15 +08001836 */
Jerry Yuf0fede52022-01-12 10:57:47 +08001837 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
1838 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
1839 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
1840 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
1841 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
1842 /* Below deprected curves should be removed with notice to users */
1843 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001844 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
1845 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
1846 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
1847 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
1848 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
1849 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
Jerry Yuf0fede52022-01-12 10:57:47 +08001850 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 );
Jerry Yuba073422021-12-20 22:22:15 +08001851}
1852
1853static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
1854{
Jerry Yuf0fede52022-01-12 10:57:47 +08001855 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
1856 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
Jerry Yuba073422021-12-20 22:22:15 +08001857 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
1858 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
Jerry Yuba073422021-12-20 22:22:15 +08001859 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 );
1860}
1861
1862static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
1863{
1864 return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
1865 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
1866}
1867
XiaokangQian08037552022-04-20 07:16:41 +00001868static inline int mbedtls_ssl_named_group_is_offered(
1869 const mbedtls_ssl_context *ssl, uint16_t named_group )
1870{
1871 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
1872
1873 if( group_list == NULL )
1874 return( 0 );
1875
1876 for( ; *group_list != 0; group_list++ )
1877 {
1878 if( *group_list == named_group )
1879 return( 1 );
1880 }
1881
1882 return( 0 );
1883}
1884
1885static inline int mbedtls_ssl_named_group_is_supported( uint16_t named_group )
1886{
1887#if defined(MBEDTLS_ECDH_C)
1888 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
1889 {
1890 const mbedtls_ecp_curve_info *curve_info =
1891 mbedtls_ecp_curve_info_from_tls_id( named_group );
1892 if( curve_info != NULL )
1893 return( 1 );
1894 }
1895#else
1896 ((void) named_group);
1897#endif /* MBEDTLS_ECDH_C */
1898 return( 0 );
1899}
1900
Jerry Yuafdfed12021-12-22 10:49:02 +08001901/*
Jerry Yu713013f2022-01-17 18:16:35 +08001902 * Return supported signature algorithms.
1903 *
1904 * In future, invocations can be changed to ssl->conf->sig_algs when
1905 * mbedtls_ssl_conf_sig_hashes() is deleted.
1906 *
Jerry Yu7ddc38c2022-01-19 11:08:05 +08001907 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
1908 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
1909 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
1910 * been more recently invoked.
1911 *
Jerry Yuafdfed12021-12-22 10:49:02 +08001912 */
Jerry Yu713013f2022-01-17 18:16:35 +08001913static inline const void *mbedtls_ssl_get_sig_algs(
1914 const mbedtls_ssl_context *ssl )
Jerry Yuafdfed12021-12-22 10:49:02 +08001915{
1916#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01001917
Jerry Yu6106fdc2022-01-12 16:36:14 +08001918#if !defined(MBEDTLS_DEPRECATED_REMOVED)
1919 if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
1920 return( ssl->handshake->sig_algs );
1921#endif
1922 return( ssl->conf->sig_algs );
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01001923
1924#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yuafdfed12021-12-22 10:49:02 +08001925
Jerry Yu6106fdc2022-01-12 16:36:14 +08001926 ((void) ssl);
Jerry Yu713013f2022-01-17 18:16:35 +08001927 return( NULL );
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01001928#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yuafdfed12021-12-22 10:49:02 +08001929}
Jerry Yuba073422021-12-20 22:22:15 +08001930
Jerry Yua23b9d92022-02-09 19:57:53 +08001931
Jerry Yu1bab3012022-01-19 17:43:22 +08001932#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu24811fb2022-01-19 18:02:15 +08001933
Jerry Yua23b9d92022-02-09 19:57:53 +08001934#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu8511f122022-01-29 10:01:04 +08001935static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl,
1936 uint16_t own_sig_alg )
1937{
Jerry Yu1bb5a1f2022-01-30 10:52:11 +08001938 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
1939 if( sig_alg == NULL )
1940 return( 0 );
1941
Gabor Mezei15b95a62022-05-09 16:37:58 +02001942 for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
Jerry Yu1bb5a1f2022-01-30 10:52:11 +08001943 {
1944 if( *sig_alg == own_sig_alg )
1945 return( 1 );
1946 }
1947 return( 0 );
Jerry Yu8511f122022-01-29 10:01:04 +08001948}
Jerry Yua23b9d92022-02-09 19:57:53 +08001949#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu8511f122022-01-29 10:01:04 +08001950
Jerry Yu24811fb2022-01-19 18:02:15 +08001951static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
1952 uint16_t proposed_sig_alg )
1953{
1954 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
1955 if( sig_alg == NULL )
1956 return( 0 );
1957
Gabor Mezei15b95a62022-05-09 16:37:58 +02001958 for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
Jerry Yu24811fb2022-01-19 18:02:15 +08001959 {
1960 if( *sig_alg == proposed_sig_alg )
1961 return( 1 );
1962 }
1963 return( 0 );
1964}
1965
Jerry Yu8c338862022-03-23 13:34:04 +08001966#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1967static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +08001968 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
Jerry Yu8c338862022-03-23 13:34:04 +08001969{
1970 *pk_type = MBEDTLS_PK_NONE;
1971 *md_alg = MBEDTLS_MD_NONE;
Jerry Yuf8aa9a42022-03-23 20:40:28 +08001972
Jerry Yu8c338862022-03-23 13:34:04 +08001973 switch( sig_alg )
1974 {
Jerry Yue26acee2022-03-23 21:01:33 +08001975#if defined(MBEDTLS_ECDSA_C)
1976
1977#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Jerry Yu8c338862022-03-23 13:34:04 +08001978 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1979 *md_alg = MBEDTLS_MD_SHA256;
1980 *pk_type = MBEDTLS_PK_ECDSA;
1981 break;
Jerry Yue26acee2022-03-23 21:01:33 +08001982#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Jerry Yu8c338862022-03-23 13:34:04 +08001983
Jerry Yue26acee2022-03-23 21:01:33 +08001984#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Jerry Yu8c338862022-03-23 13:34:04 +08001985 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1986 *md_alg = MBEDTLS_MD_SHA384;
1987 *pk_type = MBEDTLS_PK_ECDSA;
1988 break;
Jerry Yue26acee2022-03-23 21:01:33 +08001989#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Jerry Yu8c338862022-03-23 13:34:04 +08001990
Jerry Yue26acee2022-03-23 21:01:33 +08001991#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
Jerry Yu8c338862022-03-23 13:34:04 +08001992 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
1993 *md_alg = MBEDTLS_MD_SHA512;
1994 *pk_type = MBEDTLS_PK_ECDSA;
1995 break;
Jerry Yue26acee2022-03-23 21:01:33 +08001996#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Jerry Yu8c338862022-03-23 13:34:04 +08001997
Jerry Yue26acee2022-03-23 21:01:33 +08001998#endif /* MBEDTLS_ECDSA_C */
1999
2000#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
2001
2002#if defined(MBEDTLS_SHA256_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002003 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2004 *md_alg = MBEDTLS_MD_SHA256;
2005 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2006 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002007#endif /* MBEDTLS_SHA256_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002008
Jerry Yue26acee2022-03-23 21:01:33 +08002009#if defined(MBEDTLS_SHA384_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002010 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2011 *md_alg = MBEDTLS_MD_SHA384;
2012 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2013 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002014#endif /* MBEDTLS_SHA384_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002015
Jerry Yue26acee2022-03-23 21:01:33 +08002016#if defined(MBEDTLS_SHA512_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002017 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2018 *md_alg = MBEDTLS_MD_SHA512;
2019 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2020 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002021#endif /* MBEDTLS_SHA512_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002022
Jerry Yue26acee2022-03-23 21:01:33 +08002023#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
2024
2025#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
2026
2027#if defined(MBEDTLS_SHA256_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002028 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2029 *md_alg = MBEDTLS_MD_SHA256;
2030 *pk_type = MBEDTLS_PK_RSA;
2031 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002032#endif /* MBEDTLS_SHA256_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002033
Jerry Yue26acee2022-03-23 21:01:33 +08002034#if defined(MBEDTLS_SHA384_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002035 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2036 *md_alg = MBEDTLS_MD_SHA384;
2037 *pk_type = MBEDTLS_PK_RSA;
2038 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002039#endif /* MBEDTLS_SHA384_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002040
Jerry Yue26acee2022-03-23 21:01:33 +08002041#if defined(MBEDTLS_SHA512_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002042 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2043 *md_alg = MBEDTLS_MD_SHA512;
2044 *pk_type = MBEDTLS_PK_RSA;
2045 break;
Jerry Yu6c6f1022022-03-25 11:09:50 +08002046#endif /* MBEDTLS_SHA512_C */
Jerry Yue26acee2022-03-23 21:01:33 +08002047
2048#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002049
2050 default:
Jerry Yuf8aa9a42022-03-23 20:40:28 +08002051 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Jerry Yu8c338862022-03-23 13:34:04 +08002052 }
Jerry Yuf8aa9a42022-03-23 20:40:28 +08002053 return( 0 );
Jerry Yu8c338862022-03-23 13:34:04 +08002054}
2055#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2056
Jerry Yu1bab3012022-01-19 17:43:22 +08002057static inline int mbedtls_ssl_sig_alg_is_supported(
2058 const mbedtls_ssl_context *ssl,
2059 const uint16_t sig_alg )
2060{
2061
2062#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Glenn Strauss60bfe602022-03-14 19:04:24 -04002063 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yu1bab3012022-01-19 17:43:22 +08002064 {
2065 /* High byte is hash */
2066 unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
2067 unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
2068
2069 switch( hash )
2070 {
Jerry Yu97198852022-01-21 16:16:01 +08002071#if defined(MBEDTLS_MD5_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002072 case MBEDTLS_SSL_HASH_MD5:
2073 break;
Jerry Yu97198852022-01-21 16:16:01 +08002074#endif
2075
2076#if defined(MBEDTLS_SHA1_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002077 case MBEDTLS_SSL_HASH_SHA1:
2078 break;
Jerry Yu97198852022-01-21 16:16:01 +08002079#endif
2080
2081#if defined(MBEDTLS_SHA224_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002082 case MBEDTLS_SSL_HASH_SHA224:
2083 break;
Jerry Yu97198852022-01-21 16:16:01 +08002084#endif
2085
2086#if defined(MBEDTLS_SHA256_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002087 case MBEDTLS_SSL_HASH_SHA256:
2088 break;
Jerry Yu97198852022-01-21 16:16:01 +08002089#endif
2090
2091#if defined(MBEDTLS_SHA384_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002092 case MBEDTLS_SSL_HASH_SHA384:
2093 break;
Jerry Yu97198852022-01-21 16:16:01 +08002094#endif
2095
2096#if defined(MBEDTLS_SHA512_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002097 case MBEDTLS_SSL_HASH_SHA512:
2098 break;
Jerry Yu97198852022-01-21 16:16:01 +08002099#endif
Jerry Yu1bab3012022-01-19 17:43:22 +08002100
2101 default:
2102 return( 0 );
2103 }
2104
2105 switch( sig )
2106 {
Jerry Yu97198852022-01-21 16:16:01 +08002107#if defined(MBEDTLS_RSA_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002108 case MBEDTLS_SSL_SIG_RSA:
2109 break;
Jerry Yu97198852022-01-21 16:16:01 +08002110#endif
Jerry Yu1bab3012022-01-19 17:43:22 +08002111
Jerry Yu97198852022-01-21 16:16:01 +08002112#if defined(MBEDTLS_ECDSA_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002113 case MBEDTLS_SSL_SIG_ECDSA:
2114 break;
Jerry Yu97198852022-01-21 16:16:01 +08002115#endif
Jerry Yu1bab3012022-01-19 17:43:22 +08002116
2117 default:
2118 return( 0 );
2119 }
2120
2121 return( 1 );
2122 }
2123#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2124
2125#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Glenn Strauss60bfe602022-03-14 19:04:24 -04002126 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yu1bab3012022-01-19 17:43:22 +08002127 {
Jerry Yu8c338862022-03-23 13:34:04 +08002128 mbedtls_pk_type_t pk_type;
2129 mbedtls_md_type_t md_alg;
Jerry Yuf8aa9a42022-03-23 20:40:28 +08002130 return( ! mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yu8c338862022-03-23 13:34:04 +08002131 sig_alg, &pk_type, &md_alg ) );
Jerry Yu1bab3012022-01-19 17:43:22 +08002132 }
2133#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2134 ((void) ssl);
2135 ((void) sig_alg);
2136 return( 0 );
2137}
2138#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
2139
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002140#if defined(MBEDTLS_USE_PSA_CRYPTO)
2141/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2142 * Same value is used fo PSA_ALG_CATEGORY_CIPHER, hence it is
2143 * guaranteed to not be a valid PSA algorithm identifier.
2144 */
2145#define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2146
2147/**
2148 * \brief Translate mbedtls cipher type/taglen pair to psa:
2149 * algorithm, key type and key size.
2150 *
2151 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2152 * \param taglen [in] given tag length
2153 * 0 - default tag length
2154 * \param alg [out] corresponding PSA alg
2155 * There is no corresponding PSA
Przemyslaw Stekiel8c010eb2022-02-03 10:44:02 +01002156 * alg for MBEDTLS_CIPHER_NULL, so
2157 * in this case MBEDTLS_SSL_NULL_CIPHER
2158 * is returned via this parameter
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002159 * \param key_type [out] corresponding PSA key type
2160 * \param key_size [out] corresponding PSA key size
2161 *
2162 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2163 * conversion is not supported.
2164 */
2165psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
2166 size_t taglen,
2167 psa_algorithm_t *alg,
2168 psa_key_type_t *key_type,
2169 size_t *key_size );
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +01002170#endif /* MBEDTLS_USE_PSA_CRYPTO */
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002171
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +01002172#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002173/**
2174 * \brief Convert given PSA status to mbedtls error code.
2175 *
2176 * \param status [in] given PSA status
2177 *
2178 * \return corresponding mbedtls error code
2179 */
Przemyslaw Stekiel77aec8d2022-01-31 20:22:53 +01002180static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002181{
2182 switch( status )
2183 {
2184 case PSA_SUCCESS:
2185 return( 0 );
2186 case PSA_ERROR_INSUFFICIENT_MEMORY:
Gabor Mezei1bf075f2022-03-21 12:19:52 +01002187 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002188 case PSA_ERROR_NOT_SUPPORTED:
Gabor Mezei1bf075f2022-03-21 12:19:52 +01002189 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Przemyslaw Stekiel89dad932022-01-31 09:18:07 +01002190 case PSA_ERROR_INVALID_SIGNATURE:
2191 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Gabor Mezeiadfeadc2022-03-21 12:17:49 +01002192 case PSA_ERROR_INVALID_ARGUMENT:
2193 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2194 case PSA_ERROR_BAD_STATE:
2195 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Przemek Stekiel85836272022-04-05 10:50:53 +02002196 case PSA_ERROR_BUFFER_TOO_SMALL:
2197 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002198 default:
2199 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
2200 }
2201}
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +01002202#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu1bab3012022-01-19 17:43:22 +08002203
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002204/**
2205 * \brief TLS record protection modes
2206 */
2207typedef enum {
2208 MBEDTLS_SSL_MODE_STREAM = 0,
2209 MBEDTLS_SSL_MODE_CBC,
2210 MBEDTLS_SSL_MODE_CBC_ETM,
2211 MBEDTLS_SSL_MODE_AEAD
2212} mbedtls_ssl_mode_t;
2213
Neil Armstrongab555e02022-04-04 11:07:59 +02002214mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002215 const mbedtls_ssl_transform *transform );
2216
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002217#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Neil Armstrongab555e02022-04-04 11:07:59 +02002218mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002219 int encrypt_then_mac,
2220 const mbedtls_ssl_ciphersuite_t *suite );
2221#else
Neil Armstrongab555e02022-04-04 11:07:59 +02002222mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002223 const mbedtls_ssl_ciphersuite_t *suite );
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002224#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002225
XiaokangQian9b5d04b2022-04-10 10:20:43 +00002226#if defined(MBEDTLS_ECDH_C)
2227
2228int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
2229 const unsigned char *buf,
2230 size_t buf_len );
2231
2232#endif /* MBEDTLS_ECDH_C */
2233
XiaokangQian0a1b54e2022-04-21 03:01:38 +00002234static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2235 mbedtls_ssl_context *ssl, int cipher_suite )
2236{
2237 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
2238
2239 /* Check whether we have offered this ciphersuite */
2240 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
2241 {
2242 if( ciphersuite_list[i] == cipher_suite )
2243 {
2244 return( 1 );
2245 }
2246 }
2247 return( 0 );
2248}
2249
2250/**
2251 * \brief Validate cipher suite against config in SSL context.
2252 *
2253 * \param ssl SSL context
2254 * \param suite_info Cipher suite to validate
2255 * \param min_tls_version Minimal TLS version to accept a cipher suite
2256 * \param max_tls_version Maximal TLS version to accept a cipher suite
2257 *
2258 * \return 0 if valid, negative value otherwise.
2259 */
2260int mbedtls_ssl_validate_ciphersuite(
2261 const mbedtls_ssl_context *ssl,
2262 const mbedtls_ssl_ciphersuite_t *suite_info,
2263 mbedtls_ssl_protocol_version min_tls_version,
2264 mbedtls_ssl_protocol_version max_tls_version );
XiaokangQian08037552022-04-20 07:16:41 +00002265
XiaokangQianeaf36512022-04-24 09:07:44 +00002266int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
2267 const unsigned char *end, size_t *out_len );
2268
Chris Jones84a773f2021-03-05 18:38:47 +00002269#endif /* ssl_misc.h */