blob: f703da99b43fb7c3804370812636e469f9f4c86e [file] [log] [blame]
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001/**
Darryl Greena40a1012018-01-05 15:33:17 +00002 * \file ssl_internal.h
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02003 *
4 * \brief Internal functions shared by the SSL modules
Darryl Greena40a1012018-01-05 15:33:17 +00005 */
6/*
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02008 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020021 *
22 * This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020023 */
24#ifndef MBEDTLS_SSL_INTERNAL_H
25#define MBEDTLS_SSL_INTERNAL_H
26
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050027#if !defined(MBEDTLS_CONFIG_FILE)
Jaeden Amero6609aef2019-07-04 20:01:14 +010028#include "mbedtls/config.h"
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050029#else
30#include MBEDTLS_CONFIG_FILE
31#endif
32
Jaeden Amero6609aef2019-07-04 20:01:14 +010033#include "mbedtls/ssl.h"
34#include "mbedtls/cipher.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020035
Andrzej Kurekeb342242019-01-29 09:14:33 -050036#if defined(MBEDTLS_USE_PSA_CRYPTO)
37#include "psa/crypto.h"
38#endif
39
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020040#if defined(MBEDTLS_MD5_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010041#include "mbedtls/md5.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020042#endif
43
44#if defined(MBEDTLS_SHA1_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010045#include "mbedtls/sha1.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020046#endif
47
48#if defined(MBEDTLS_SHA256_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010049#include "mbedtls/sha256.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020050#endif
51
52#if defined(MBEDTLS_SHA512_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010053#include "mbedtls/sha512.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020054#endif
55
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +020056#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jaeden Amero6609aef2019-07-04 20:01:14 +010057#include "mbedtls/ecjpake.h"
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +020058#endif
59
Hanno Beckerdf51dbe2019-02-18 16:41:55 +000060#if defined(MBEDTLS_USE_PSA_CRYPTO)
61#include "psa/crypto.h"
Jaeden Amero6609aef2019-07-04 20:01:14 +010062#include "mbedtls/psa_util.h"
Hanno Beckerdf51dbe2019-02-18 16:41:55 +000063#endif /* MBEDTLS_USE_PSA_CRYPTO */
64
Manuel Pégourié-Gonnard0223ab92015-10-05 11:40:01 +010065#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
66 !defined(inline) && !defined(__cplusplus)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020067#define inline __inline
Manuel Pégourié-Gonnard20af64d2015-07-07 18:33:39 +020068#endif
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020069
70/* Determine minimum supported version */
71#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
72
73#if defined(MBEDTLS_SSL_PROTO_SSL3)
74#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
75#else
76#if defined(MBEDTLS_SSL_PROTO_TLS1)
77#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
78#else
79#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
80#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
81#else
82#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
83#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
84#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
85#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
86#endif /* MBEDTLS_SSL_PROTO_TLS1 */
87#endif /* MBEDTLS_SSL_PROTO_SSL3 */
88
Ron Eldor5e9f14d2017-05-28 10:46:38 +030089#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
90#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
91
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020092/* Determine maximum supported version */
93#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
94
95#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
96#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
97#else
98#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
99#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
100#else
101#if defined(MBEDTLS_SSL_PROTO_TLS1)
102#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
103#else
104#if defined(MBEDTLS_SSL_PROTO_SSL3)
105#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
106#endif /* MBEDTLS_SSL_PROTO_SSL3 */
107#endif /* MBEDTLS_SSL_PROTO_TLS1 */
108#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
109#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
110
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200111/* Shorthand for restartable ECC */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200112#if defined(MBEDTLS_ECP_RESTARTABLE) && \
113 defined(MBEDTLS_SSL_CLI_C) && \
114 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
115 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
116#define MBEDTLS_SSL__ECP_RESTARTABLE
117#endif
118
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200119#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
120#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
121#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
122#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
123
124/*
125 * DTLS retransmission states, see RFC 6347 4.2.4
126 *
127 * The SENDING state is merged in PREPARING for initial sends,
128 * but is distinct for resends.
129 *
130 * Note: initial state is wrong for server, but is not used anyway.
131 */
132#define MBEDTLS_SSL_RETRANS_PREPARING 0
133#define MBEDTLS_SSL_RETRANS_SENDING 1
134#define MBEDTLS_SSL_RETRANS_WAITING 2
135#define MBEDTLS_SSL_RETRANS_FINISHED 3
136
137/*
138 * Allow extra bytes for record, authentication and encryption overhead:
139 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
140 * and allow for a maximum of 1024 of compression expansion if
141 * enabled.
142 */
143#if defined(MBEDTLS_ZLIB_SUPPORT)
144#define MBEDTLS_SSL_COMPRESSION_ADD 1024
145#else
146#define MBEDTLS_SSL_COMPRESSION_ADD 0
147#endif
148
Hanno Becker52344c22018-01-03 15:24:20 +0000149#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
150 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
151 ( defined(MBEDTLS_AES_C) || \
152 defined(MBEDTLS_CAMELLIA_C) || \
Hanno Becker34f88af2018-07-17 10:19:47 +0100153 defined(MBEDTLS_ARIA_C) || \
154 defined(MBEDTLS_DES_C) ) )
Hanno Becker52344c22018-01-03 15:24:20 +0000155#define MBEDTLS_SSL_SOME_MODES_USE_MAC
156#endif
157
158#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200159/* Ciphersuites using HMAC */
160#if defined(MBEDTLS_SHA512_C)
161#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
162#elif defined(MBEDTLS_SHA256_C)
163#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
164#else
165#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
166#endif
Hanno Becker52344c22018-01-03 15:24:20 +0000167#else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200168/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
169#define MBEDTLS_SSL_MAC_ADD 16
170#endif
171
172#if defined(MBEDTLS_CIPHER_MODE_CBC)
173#define MBEDTLS_SSL_PADDING_ADD 256
174#else
175#define MBEDTLS_SSL_PADDING_ADD 0
176#endif
177
Hanno Beckera0e20d02019-05-15 14:03:01 +0100178#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerb1aa1b32019-05-08 17:37:58 +0100179#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY
Hanno Becker6cbad552019-05-08 15:40:11 +0100180#else
181#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
182#endif
183
Angus Grattond8213d02016-05-25 20:56:48 +1000184#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
185 MBEDTLS_MAX_IV_LENGTH + \
186 MBEDTLS_SSL_MAC_ADD + \
Hanno Becker6cbad552019-05-08 15:40:11 +0100187 MBEDTLS_SSL_PADDING_ADD + \
188 MBEDTLS_SSL_MAX_CID_EXPANSION \
Angus Grattond8213d02016-05-25 20:56:48 +1000189 )
190
191#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
192 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
193
194#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
195 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
196
Hanno Becker0271f962018-08-16 13:23:47 +0100197/* The maximum number of buffered handshake messages. */
Hanno Beckerd488b9e2018-08-16 16:35:37 +0100198#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
Hanno Becker0271f962018-08-16 13:23:47 +0100199
Angus Grattond8213d02016-05-25 20:56:48 +1000200/* Maximum length we can advertise as our max content length for
201 RFC 6066 max_fragment_length extension negotiation purposes
202 (the lesser of both sizes, if they are unequal.)
203 */
204#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
205 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
206 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
207 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
208 )
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200209
210/*
Hanno Beckera8434e82017-09-18 10:54:39 +0100211 * Check that we obey the standard's message size bounds
212 */
213
214#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
Angus Grattond8213d02016-05-25 20:56:48 +1000215#error "Bad configuration - record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100216#endif
217
Angus Grattond8213d02016-05-25 20:56:48 +1000218#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
219#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
Hanno Beckera8434e82017-09-18 10:54:39 +0100220#endif
221
Angus Grattond8213d02016-05-25 20:56:48 +1000222#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
223#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
224#endif
225
226#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
227#error "Bad configuration - incoming protected record payload too large."
228#endif
229
230#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
231#error "Bad configuration - outgoing protected record payload too large."
232#endif
233
234/* Calculate buffer sizes */
235
Hanno Becker25d6d1a2017-12-07 08:22:51 +0000236/* Note: Even though the TLS record header is only 5 bytes
237 long, we're internally using 8 bytes to store the
238 implicit sequence number. */
Hanno Beckerd25d4442017-10-04 13:56:42 +0100239#define MBEDTLS_SSL_HEADER_LEN 13
Hanno Beckera8434e82017-09-18 10:54:39 +0100240
Hanno Beckera0e20d02019-05-15 14:03:01 +0100241#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000242#define MBEDTLS_SSL_IN_BUFFER_LEN \
243 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100244#else
245#define MBEDTLS_SSL_IN_BUFFER_LEN \
246 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
247 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
248#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000249
Hanno Beckera0e20d02019-05-15 14:03:01 +0100250#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000251#define MBEDTLS_SSL_OUT_BUFFER_LEN \
252 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100253#else
254#define MBEDTLS_SSL_OUT_BUFFER_LEN \
255 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
256 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
257#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000258
259#ifdef MBEDTLS_ZLIB_SUPPORT
260/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
261#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
262 ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
263 ? MBEDTLS_SSL_IN_BUFFER_LEN \
264 : MBEDTLS_SSL_OUT_BUFFER_LEN \
265 )
266#endif
Hanno Beckera8434e82017-09-18 10:54:39 +0100267
268/*
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200269 * TLS extension flags (for extensions with outgoing ServerHello content
270 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
271 * of state of the renegotiation flag, so no indicator is required)
272 */
273#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200274#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200275
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200276#ifdef __cplusplus
277extern "C" {
278#endif
279
Hanno Becker7e5437a2017-04-28 17:15:26 +0100280#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
281 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
282/*
283 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
284 */
285struct mbedtls_ssl_sig_hash_set_t
286{
287 /* At the moment, we only need to remember a single suitable
288 * hash algorithm per signature algorithm. As long as that's
289 * the case - and we don't need a general lookup function -
290 * we can implement the sig-hash-set as a map from signatures
291 * to hash algorithms. */
292 mbedtls_md_type_t rsa;
293 mbedtls_md_type_t ecdsa;
294};
295#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
296 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
297
Ron Eldor51d3ab52019-05-12 14:54:30 +0300298typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
299 const char *label,
300 const unsigned char *random, size_t rlen,
301 unsigned char *dstbuf, size_t dlen );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200302/*
303 * This structure contains the parameters only needed during handshake.
304 */
305struct mbedtls_ssl_handshake_params
306{
307 /*
308 * Handshake specific crypto variables
309 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100310
311#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
312 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
313 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
314#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200315#if defined(MBEDTLS_DHM_C)
316 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
317#endif
318#if defined(MBEDTLS_ECDH_C)
319 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000320
321#if defined(MBEDTLS_USE_PSA_CRYPTO)
322 psa_ecc_curve_t ecdh_psa_curve;
323 psa_key_handle_t ecdh_psa_privkey;
324 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
325 size_t ecdh_psa_peerkey_len;
326#endif /* MBEDTLS_USE_PSA_CRYPTO */
327#endif /* MBEDTLS_ECDH_C */
328
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200329#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200330 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200331#if defined(MBEDTLS_SSL_CLI_C)
332 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
333 size_t ecjpake_cache_len; /*!< Length of cached data */
334#endif
Hanno Becker1aa267c2017-04-28 17:08:27 +0100335#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200336#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200337 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200338 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
339#endif
340#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100341#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500342 psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100343#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200344 unsigned char *psk; /*!< PSK from the callback */
345 size_t psk_len; /*!< Length of PSK from callback */
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100346#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200347#if defined(MBEDTLS_X509_CRT_PARSE_C)
348 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
349#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200350 int sni_authmode; /*!< authmode from SNI callback */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200351 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
352 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
353 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100354#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200355#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200356#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200357 int ecrs_enabled; /*!< Handshake supports EC restart? */
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +0200358 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200359 enum { /* this complements ssl->state with info on intra-state operations */
360 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
361 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200362 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
363 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200364 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
365 } ecrs_state; /*!< current (or last) operation */
Hanno Becker3fd3f5e2019-02-25 10:08:06 +0000366 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200367 size_t ecrs_n; /*!< place for saving a length */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200368#endif
Hanno Becker75173122019-02-06 16:18:31 +0000369#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
370 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
371 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
372#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200373#if defined(MBEDTLS_SSL_PROTO_DTLS)
374 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
375 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
376
377 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
378 Srv: unused */
379 unsigned char verify_cookie_len; /*!< Cli: cookie length
380 Srv: flag for sending a cookie */
381
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200382 uint32_t retransmit_timeout; /*!< Current value of timeout */
383 unsigned char retransmit_state; /*!< Retransmission state */
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200384 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
385 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
386 unsigned char *cur_msg_p; /*!< Position in current message */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200387 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
388 flight being received */
389 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
390 resending messages */
391 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
392 for resending messages */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100393
Hanno Beckera0e20d02019-05-15 14:03:01 +0100394#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker2f28c102019-04-25 15:46:59 +0100395 /* The state of CID configuration in this handshake. */
396
397 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
Hanno Beckerf1a28082019-05-15 10:17:48 +0100398 * has been negotiated. Possible values are
Hanno Becker2f28c102019-04-25 15:46:59 +0100399 * #MBEDTLS_SSL_CID_ENABLED and
400 * #MBEDTLS_SSL_CID_DISABLED. */
401 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
402 uint8_t peer_cid_len; /*!< The length of
403 * \c peer_cid. */
Hanno Beckera0e20d02019-05-15 14:03:01 +0100404#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker2f28c102019-04-25 15:46:59 +0100405
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100406 struct
407 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100408 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
409 * buffers used for message buffering. */
410
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100411 uint8_t seen_ccs; /*!< Indicates if a CCS message has
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100412 * been seen in the current flight. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100413
Hanno Becker0271f962018-08-16 13:23:47 +0100414 struct mbedtls_ssl_hs_buffer
415 {
Hanno Becker98081a02018-08-22 13:32:50 +0100416 unsigned is_valid : 1;
417 unsigned is_fragmented : 1;
418 unsigned is_complete : 1;
Hanno Becker0271f962018-08-16 13:23:47 +0100419 unsigned char *data;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100420 size_t data_len;
Hanno Becker0271f962018-08-16 13:23:47 +0100421 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
422
Hanno Becker5f066e72018-08-16 14:56:31 +0100423 struct
424 {
425 unsigned char *data;
426 size_t len;
427 unsigned epoch;
428 } future_record;
429
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100430 } buffering;
Hanno Becker35462012018-08-22 10:25:40 +0100431
Manuel Pégourié-Gonnardf47a4af2018-08-22 10:38:52 +0200432 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100433#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200434
435 /*
436 * Checksum contexts
437 */
438#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
439 defined(MBEDTLS_SSL_PROTO_TLS1_1)
440 mbedtls_md5_context fin_md5;
441 mbedtls_sha1_context fin_sha1;
442#endif
443#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
444#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500445#if defined(MBEDTLS_USE_PSA_CRYPTO)
446 psa_hash_operation_t fin_sha256_psa;
447#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200448 mbedtls_sha256_context fin_sha256;
449#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500450#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200451#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500452#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500453 psa_hash_operation_t fin_sha384_psa;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500454#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200455 mbedtls_sha512_context fin_sha512;
456#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500457#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200458#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
459
460 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200461 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200462 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
Ron Eldor51d3ab52019-05-12 14:54:30 +0300463 mbedtls_ssl_tls_prf_cb *tls_prf;
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200464
Hanno Beckere694c3e2017-12-27 21:34:08 +0000465 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
466
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200467 size_t pmslen; /*!< premaster length */
468
469 unsigned char randbytes[64]; /*!< random bytes */
470 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
471 /*!< premaster secret */
472
473 int resume; /*!< session resume indicator*/
474 int max_major_ver; /*!< max. major version client*/
475 int max_minor_ver; /*!< max. minor version client*/
476 int cli_exts; /*!< client extension presence*/
477
478#if defined(MBEDTLS_SSL_SESSION_TICKETS)
479 int new_session_ticket; /*!< use NewSessionTicket? */
480#endif /* MBEDTLS_SSL_SESSION_TICKETS */
481#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
482 int extended_ms; /*!< use Extended Master Secret? */
483#endif
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200484
485#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine78300732018-04-26 13:03:29 +0200486 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200487#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
488
489#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
490 /** Asynchronous operation context. This field is meant for use by the
491 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
492 * mbedtls_ssl_config::f_async_decrypt_start,
493 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
494 * The library does not use it internally. */
495 void *user_async_ctx;
496#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200497};
498
Hanno Becker0271f962018-08-16 13:23:47 +0100499typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
500
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200501/*
Hanno Beckerd362dc52018-01-03 15:23:11 +0000502 * Representation of decryption/encryption transformations on records
503 *
504 * There are the following general types of record transformations:
505 * - Stream transformations (TLS versions <= 1.2 only)
506 * Transformation adding a MAC and applying a stream-cipher
507 * to the authenticated message.
508 * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
509 * In addition to the distinction of the order of encryption and
510 * authentication, there's a fundamental difference between the
511 * handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
512 * and TLS 1.0, the final IV after processing a record is used
513 * as the IV for the next record. No explicit IV is contained
514 * in an encrypted record. The IV for the first record is extracted
515 * at key extraction time. In contrast, for TLS 1.1 and 1.2, no
516 * IV is generated at key extraction time, but every encrypted
517 * record is explicitly prefixed by the IV with which it was encrypted.
518 * - AEAD transformations ([D]TLS versions >= 1.2 only)
519 * These come in two fundamentally different versions, the first one
520 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
521 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
522 * In the first transformation, the IV to be used for a record is obtained
523 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
524 * record sequence number, and explicitly prepending this sequence number
525 * to the encrypted record. In contrast, in the second transformation
526 * the IV is obtained by XOR'ing a static IV obtained at key extraction
527 * time with the 8-byte record sequence number, without prepending the
528 * latter to the encrypted record.
529 *
530 * In addition to type and version, the following parameters are relevant:
531 * - The symmetric cipher algorithm to be used.
532 * - The (static) encryption/decryption keys for the cipher.
533 * - For stream/CBC, the type of message digest to be used.
534 * - For stream/CBC, (static) encryption/decryption keys for the digest.
Hanno Becker0db7e0c2018-10-18 15:39:53 +0100535 * - For AEAD transformations, the size (potentially 0) of an explicit,
536 * random initialization vector placed in encrypted records.
Hanno Beckerd362dc52018-01-03 15:23:11 +0000537 * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
538 * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
539 * and (if present) is combined with the explicit IV in a transformation-
540 * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
541 * - For stream/CBC, a flag determining the order of encryption and MAC.
542 * - The details of the transformation depend on the SSL/TLS version.
543 * - The length of the authentication tag.
544 *
Hanno Becker0db7e0c2018-10-18 15:39:53 +0100545 * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
546 * constant across multiple encryption/decryption operations.
547 * For CBC, the implicit IV needs to be updated after each
548 * operation.
549 *
Hanno Beckerd362dc52018-01-03 15:23:11 +0000550 * The struct below refines this abstract view as follows:
551 * - The cipher underlying the transformation is managed in
552 * cipher contexts cipher_ctx_{enc/dec}, which must have the
553 * same cipher type. The mode of these cipher contexts determines
554 * the type of the transformation in the sense above: e.g., if
555 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
556 * then the transformation has type CBC resp. AEAD.
557 * - The cipher keys are never stored explicitly but
558 * are maintained within cipher_ctx_{enc/dec}.
559 * - For stream/CBC transformations, the message digest contexts
560 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
561 * are unused for AEAD transformations.
562 * - For stream/CBC transformations and versions > SSL3, the
563 * MAC keys are not stored explicitly but maintained within
564 * md_ctx_{enc/dec}.
565 * - For stream/CBC transformations and version SSL3, the MAC
566 * keys are stored explicitly in mac_enc, mac_dec and have
567 * a fixed size of 20 bytes. These fields are unused for
568 * AEAD transformations or transformations >= TLS 1.0.
569 * - For transformations using an implicit IV maintained within
570 * the transformation context, its contents are stored within
571 * iv_{enc/dec}.
572 * - The value of ivlen indicates the length of the IV.
573 * This is redundant in case of stream/CBC transformations
574 * which always use 0 resp. the cipher's block length as the
575 * IV length, but is needed for AEAD ciphers and may be
576 * different from the underlying cipher's block length
577 * in this case.
578 * - The field fixed_ivlen is nonzero for AEAD transformations only
579 * and indicates the length of the static part of the IV which is
580 * constant throughout the communication, and which is stored in
581 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
582 * Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
583 * still store IV's for continued use across multiple transformations,
584 * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
585 * not being used!
586 * - minor_ver denotes the SSL/TLS version
587 * - For stream/CBC transformations, maclen denotes the length of the
588 * authentication tag, while taglen is unused and 0.
589 * - For AEAD transformations, taglen denotes the length of the
590 * authentication tag, while maclen is unused and 0.
591 * - For CBC transformations, encrypt_then_mac determines the
592 * order of encryption and authentication. This field is unused
593 * in other transformations.
594 *
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200595 */
596struct mbedtls_ssl_transform
597{
598 /*
599 * Session specific crypto layer
600 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200601 size_t minlen; /*!< min. ciphertext length */
602 size_t ivlen; /*!< IV length */
603 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
Hanno Beckere694c3e2017-12-27 21:34:08 +0000604 size_t maclen; /*!< MAC(CBC) len */
605 size_t taglen; /*!< TAG(AEAD) len */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200606
607 unsigned char iv_enc[16]; /*!< IV (encryption) */
608 unsigned char iv_dec[16]; /*!< IV (decryption) */
609
Hanno Beckerd56ed242018-01-03 15:32:51 +0000610#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
611
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200612#if defined(MBEDTLS_SSL_PROTO_SSL3)
613 /* Needed only for SSL v3.0 secret */
614 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
615 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
616#endif /* MBEDTLS_SSL_PROTO_SSL3 */
617
618 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
619 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
620
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000621#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
622 int encrypt_then_mac; /*!< flag for EtM activation */
623#endif
624
Hanno Beckerd56ed242018-01-03 15:32:51 +0000625#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
626
627 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
628 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000629 int minor_ver;
630
Hanno Beckera0e20d02019-05-15 14:03:01 +0100631#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1327fa72019-04-25 15:54:02 +0100632 uint8_t in_cid_len;
633 uint8_t out_cid_len;
634 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
635 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckera0e20d02019-05-15 14:03:01 +0100636#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1327fa72019-04-25 15:54:02 +0100637
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200638 /*
639 * Session specific compression layer
640 */
641#if defined(MBEDTLS_ZLIB_SUPPORT)
642 z_stream ctx_deflate; /*!< compression context */
643 z_stream ctx_inflate; /*!< decompression context */
644#endif
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200645
646#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
647 /* We need the Hello random bytes in order to re-derive keys from the
648 * Master Secret and other session info, see ssl_populate_transform() */
649 unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
650#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200651};
652
Hanno Becker12a3a862018-01-05 15:42:50 +0000653/*
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +0200654 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
655 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
656 */
657static inline int mbedtls_ssl_transform_uses_aead(
658 const mbedtls_ssl_transform *transform )
659{
660#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
661 return( transform->maclen == 0 && transform->taglen != 0 );
662#else
663 (void) transform;
664 return( 1 );
665#endif
666}
667
668/*
Hanno Becker12a3a862018-01-05 15:42:50 +0000669 * Internal representation of record frames
670 *
Hanno Becker12a3a862018-01-05 15:42:50 +0000671 * Instances come in two flavors:
672 * (1) Encrypted
673 * These always have data_offset = 0
674 * (2) Unencrypted
Hanno Beckercd430bc2019-04-04 16:29:48 +0100675 * These have data_offset set to the amount of
676 * pre-expansion during record protection. Concretely,
677 * this is the length of the fixed part of the explicit IV
678 * used for encryption, or 0 if no explicit IV is used
679 * (e.g. for CBC in TLS 1.0, or stream ciphers).
Hanno Becker12a3a862018-01-05 15:42:50 +0000680 *
681 * The reason for the data_offset in the unencrypted case
682 * is to allow for in-place conversion of an unencrypted to
683 * an encrypted record. If the offset wasn't included, the
684 * encrypted content would need to be shifted afterwards to
685 * make space for the fixed IV.
686 *
687 */
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100688#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Becker75f080f2019-04-30 15:01:51 +0100689#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100690#else
Hanno Becker75f080f2019-04-30 15:01:51 +0100691#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100692#endif
693
Hanno Becker12a3a862018-01-05 15:42:50 +0000694typedef struct
695{
Hanno Beckerd840cea2019-07-11 09:24:36 +0100696 uint8_t ctr[8]; /* In TLS: The implicit record sequence number.
697 * In DTLS: The 2-byte epoch followed by
698 * the 6-byte sequence number.
699 * This is stored as a raw big endian byte array
700 * as opposed to a uint64_t because we rarely
701 * need to perform arithmetic on this, but do
702 * need it as a Byte array for the purpose of
703 * MAC computations. */
704 uint8_t type; /* The record content type. */
705 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
706 * Convert to internal presentation of versions
707 * using mbedtls_ssl_read_version() and
708 * mbedtls_ssl_write_version().
709 * Keep wire-format for MAC computations. */
Hanno Becker12a3a862018-01-05 15:42:50 +0000710
Hanno Beckerd840cea2019-07-11 09:24:36 +0100711 unsigned char *buf; /* Memory buffer enclosing the record content */
712 size_t buf_len; /* Buffer length */
713 size_t data_offset; /* Offset of record content */
714 size_t data_len; /* Length of record content */
Hanno Becker12a3a862018-01-05 15:42:50 +0000715
Hanno Beckera0e20d02019-05-15 14:03:01 +0100716#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerd840cea2019-07-11 09:24:36 +0100717 uint8_t cid_len; /* Length of the CID (0 if not present) */
718 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +0100719#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker12a3a862018-01-05 15:42:50 +0000720} mbedtls_record;
721
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200722#if defined(MBEDTLS_X509_CRT_PARSE_C)
723/*
724 * List of certificate + private key pairs
725 */
726struct mbedtls_ssl_key_cert
727{
728 mbedtls_x509_crt *cert; /*!< cert */
729 mbedtls_pk_context *key; /*!< private key */
730 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
731};
732#endif /* MBEDTLS_X509_CRT_PARSE_C */
733
734#if defined(MBEDTLS_SSL_PROTO_DTLS)
735/*
736 * List of handshake messages kept around for resending
737 */
738struct mbedtls_ssl_flight_item
739{
740 unsigned char *p; /*!< message, including handshake headers */
741 size_t len; /*!< length of p */
742 unsigned char type; /*!< type of the message: handshake or CCS */
743 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
744};
745#endif /* MBEDTLS_SSL_PROTO_DTLS */
746
Hanno Becker7e5437a2017-04-28 17:15:26 +0100747#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
748 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
749
750/* Find an entry in a signature-hash set matching a given hash algorithm. */
751mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
752 mbedtls_pk_type_t sig_alg );
753/* Add a signature-hash-pair to a signature-hash set */
754void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
755 mbedtls_pk_type_t sig_alg,
756 mbedtls_md_type_t md_alg );
757/* Allow exactly one hash algorithm for each signature. */
758void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
759 mbedtls_md_type_t md_alg );
760
761/* Setup an empty signature-hash set */
762static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
763{
764 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
765}
766
767#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
768 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200769
770/**
771 * \brief Free referenced items in an SSL transform context and clear
772 * memory
773 *
774 * \param transform SSL transform context
775 */
776void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
777
778/**
779 * \brief Free referenced items in an SSL handshake context and clear
780 * memory
781 *
Gilles Peskine9b562d52018-04-25 20:32:43 +0200782 * \param ssl SSL context
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200783 */
Gilles Peskine9b562d52018-04-25 20:32:43 +0200784void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200785
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200786int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
787int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
788void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
789
790int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
791
792void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
793int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
794
Simon Butcher99000142016-10-13 17:21:01 +0100795int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
796int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
797void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
798
Hanno Becker4a810fb2017-05-24 16:27:30 +0100799/**
800 * \brief Update record layer
801 *
802 * This function roughly separates the implementation
803 * of the logic of (D)TLS from the implementation
804 * of the secure transport.
805 *
Hanno Becker3a0aad12018-08-20 09:44:02 +0100806 * \param ssl The SSL context to use.
807 * \param update_hs_digest This indicates if the handshake digest
808 * should be automatically updated in case
809 * a handshake message is found.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100810 *
811 * \return 0 or non-zero error code.
812 *
813 * \note A clarification on what is called 'record layer' here
814 * is in order, as many sensible definitions are possible:
815 *
816 * The record layer takes as input an untrusted underlying
817 * transport (stream or datagram) and transforms it into
818 * a serially multiplexed, secure transport, which
819 * conceptually provides the following:
820 *
821 * (1) Three datagram based, content-agnostic transports
822 * for handshake, alert and CCS messages.
823 * (2) One stream- or datagram-based transport
824 * for application data.
825 * (3) Functionality for changing the underlying transform
826 * securing the contents.
827 *
828 * The interface to this functionality is given as follows:
829 *
830 * a Updating
831 * [Currently implemented by mbedtls_ssl_read_record]
832 *
833 * Check if and on which of the four 'ports' data is pending:
834 * Nothing, a controlling datagram of type (1), or application
835 * data (2). In any case data is present, internal buffers
836 * provide access to the data for the user to process it.
837 * Consumption of type (1) datagrams is done automatically
838 * on the next update, invalidating that the internal buffers
839 * for previous datagrams, while consumption of application
840 * data (2) is user-controlled.
841 *
842 * b Reading of application data
843 * [Currently manual adaption of ssl->in_offt pointer]
844 *
845 * As mentioned in the last paragraph, consumption of data
846 * is different from the automatic consumption of control
847 * datagrams (1) because application data is treated as a stream.
848 *
849 * c Tracking availability of application data
850 * [Currently manually through decreasing ssl->in_msglen]
851 *
852 * For efficiency and to retain datagram semantics for
853 * application data in case of DTLS, the record layer
854 * provides functionality for checking how much application
855 * data is still available in the internal buffer.
856 *
857 * d Changing the transformation securing the communication.
858 *
859 * Given an opaque implementation of the record layer in the
860 * above sense, it should be possible to implement the logic
861 * of (D)TLS on top of it without the need to know anything
862 * about the record layer's internals. This is done e.g.
863 * in all the handshake handling functions, and in the
864 * application data reading function mbedtls_ssl_read.
865 *
866 * \note The above tries to give a conceptual picture of the
867 * record layer, but the current implementation deviates
868 * from it in some places. For example, our implementation of
869 * the update functionality through mbedtls_ssl_read_record
870 * discards datagrams depending on the current state, which
871 * wouldn't fall under the record layer's responsibility
872 * following the above definition.
873 *
874 */
Hanno Becker3a0aad12018-08-20 09:44:02 +0100875int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
876 unsigned update_hs_digest );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200877int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
878
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200879int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100880int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200881int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
882
883int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
884int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
885
886int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
887int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
888
889int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
890int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
891
892void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
893 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
894
895#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
896int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
897#endif
898
899#if defined(MBEDTLS_PK_C)
900unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
Hanno Becker7e5437a2017-04-28 17:15:26 +0100901unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200902mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
903#endif
904
905mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200906unsigned char mbedtls_ssl_hash_from_md_alg( int md );
Simon Butcher99000142016-10-13 17:21:01 +0100907int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200908
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200909#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200910int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200911#endif
912
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200913#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200914int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
915 mbedtls_md_type_t md );
916#endif
917
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200918#if defined(MBEDTLS_X509_CRT_PARSE_C)
919static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
920{
921 mbedtls_ssl_key_cert *key_cert;
922
923 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
924 key_cert = ssl->handshake->key_cert;
925 else
926 key_cert = ssl->conf->key_cert;
927
928 return( key_cert == NULL ? NULL : key_cert->key );
929}
930
931static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
932{
933 mbedtls_ssl_key_cert *key_cert;
934
935 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
936 key_cert = ssl->handshake->key_cert;
937 else
938 key_cert = ssl->conf->key_cert;
939
940 return( key_cert == NULL ? NULL : key_cert->cert );
941}
942
943/*
944 * Check usage of a certificate wrt extensions:
945 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
946 *
947 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
948 * check a cert we received from them)!
949 *
950 * Return 0 if everything is OK, -1 if not.
951 */
952int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
953 const mbedtls_ssl_ciphersuite_t *ciphersuite,
954 int cert_endpoint,
955 uint32_t *flags );
956#endif /* MBEDTLS_X509_CRT_PARSE_C */
957
958void mbedtls_ssl_write_version( int major, int minor, int transport,
959 unsigned char ver[2] );
960void mbedtls_ssl_read_version( int *major, int *minor, int transport,
961 const unsigned char ver[2] );
962
Hanno Becker5903de42019-05-03 14:46:38 +0100963static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200964{
Hanno Becker47be7682019-07-12 09:55:46 +0100965#if !defined(MBEDTLS_SSL_PROTO_DTLS)
966 ((void) ssl);
967#endif
968
969#if defined(MBEDTLS_SSL_PROTO_DTLS)
970 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
971 {
972 return( 13 );
973 }
974 else
975#endif /* MBEDTLS_SSL_PROTO_DTLS */
976 {
977 return( 5 );
978 }
Hanno Becker5903de42019-05-03 14:46:38 +0100979}
980
981static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
982{
Hanno Becker3b154c12019-05-03 15:05:27 +0100983 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200984}
985
986static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
987{
988#if defined(MBEDTLS_SSL_PROTO_DTLS)
989 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
990 return( 12 );
991#else
992 ((void) ssl);
993#endif
994 return( 4 );
995}
996
997#if defined(MBEDTLS_SSL_PROTO_DTLS)
998void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
999void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1000int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02001001int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001002#endif
1003
1004/* Visible for testing purposes only */
1005#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker0183d692019-07-12 08:50:37 +01001006int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001007void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1008#endif
1009
Hanno Becker52055ae2019-02-06 14:30:46 +00001010int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1011 const mbedtls_ssl_session *src );
1012
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001013/* constant-time buffer comparison */
1014static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
1015{
1016 size_t i;
Hanno Becker59e69632017-06-26 13:26:58 +01001017 volatile const unsigned char *A = (volatile const unsigned char *) a;
1018 volatile const unsigned char *B = (volatile const unsigned char *) b;
1019 volatile unsigned char diff = 0;
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001020
1021 for( i = 0; i < n; i++ )
Azim Khan45b79cf2018-05-23 16:55:16 +01001022 {
1023 /* Read volatile data in order before computing diff.
1024 * This avoids IAR compiler warning:
1025 * 'the order of volatile accesses is undefined ..' */
1026 unsigned char x = A[i], y = B[i];
1027 diff |= x ^ y;
1028 }
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001029
1030 return( diff );
1031}
1032
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001033#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
1034 defined(MBEDTLS_SSL_PROTO_TLS1_1)
1035int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
1036 unsigned char *output,
1037 unsigned char *data, size_t data_len );
1038#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
1039 MBEDTLS_SSL_PROTO_TLS1_1 */
1040
1041#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1042 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek814feff2019-01-14 04:35:19 -05001043/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001044int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +02001045 unsigned char *hash, size_t *hashlen,
1046 unsigned char *data, size_t data_len,
1047 mbedtls_md_type_t md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001048#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1049 MBEDTLS_SSL_PROTO_TLS1_2 */
1050
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001051#ifdef __cplusplus
1052}
1053#endif
1054
Hanno Beckera18d1322018-01-03 14:27:32 +00001055void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1056int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1057 mbedtls_ssl_transform *transform,
1058 mbedtls_record *rec,
1059 int (*f_rng)(void *, unsigned char *, size_t),
1060 void *p_rng );
Hanno Becker605949f2019-07-12 08:23:59 +01001061int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +00001062 mbedtls_ssl_transform *transform,
1063 mbedtls_record *rec );
1064
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001065#endif /* ssl_internal.h */