blob: f3f5f8df55d90105965ebbe8512f9880e87fb942 [file] [log] [blame]
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001/**
Chris Jones84a773f2021-03-05 18:38:47 +00002 * \file ssl_misc.h
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02003 *
4 * \brief Internal functions shared by the SSL modules
Darryl Greena40a1012018-01-05 15:33:17 +00005 */
6/*
Bence Szépkúti1e148272020-08-07 13:07:28 +02007 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02008 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020021 */
Chris Jones84a773f2021-03-05 18:38:47 +000022#ifndef MBEDTLS_SSL_MISC_H
23#define MBEDTLS_SSL_MISC_H
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020024
Bence Szépkútic662b362021-05-27 11:25:03 +020025#include "mbedtls/build_info.h"
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050026
Jaeden Amero6609aef2019-07-04 20:01:14 +010027#include "mbedtls/ssl.h"
28#include "mbedtls/cipher.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020029
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +010030#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Andrzej Kurekeb342242019-01-29 09:14:33 -050031#include "psa/crypto.h"
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +010032#include "mbedtls/psa_util.h"
Andrzej Kurekeb342242019-01-29 09:14:33 -050033#endif
34
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020035#if defined(MBEDTLS_MD5_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010036#include "mbedtls/md5.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020037#endif
38
39#if defined(MBEDTLS_SHA1_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010040#include "mbedtls/sha1.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020041#endif
42
43#if defined(MBEDTLS_SHA256_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010044#include "mbedtls/sha256.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020045#endif
46
47#if defined(MBEDTLS_SHA512_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010048#include "mbedtls/sha512.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020049#endif
50
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +020051#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jaeden Amero6609aef2019-07-04 20:01:14 +010052#include "mbedtls/ecjpake.h"
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +020053#endif
54
Hanno Beckerdf51dbe2019-02-18 16:41:55 +000055#if defined(MBEDTLS_USE_PSA_CRYPTO)
56#include "psa/crypto.h"
Jaeden Amero6609aef2019-07-04 20:01:14 +010057#include "mbedtls/psa_util.h"
Hanno Beckerdf51dbe2019-02-18 16:41:55 +000058#endif /* MBEDTLS_USE_PSA_CRYPTO */
59
Jerry Yu1bab3012022-01-19 17:43:22 +080060#include "common.h"
61
Manuel Pégourié-Gonnard0223ab92015-10-05 11:40:01 +010062#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
63 !defined(inline) && !defined(__cplusplus)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020064#define inline __inline
Manuel Pégourié-Gonnard20af64d2015-07-07 18:33:39 +020065#endif
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020066
Manuel Pégourié-Gonnardcac90a12021-06-04 11:42:30 +020067/* Legacy minor version numbers as defined by:
68 * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0
69 * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1
70 *
71 * We no longer support these versions, but some code still references those
TRodziewicz458280e2021-07-07 11:33:06 +020072 * constants as part of negotiating with the peer, so keep them available
73 * internally.
Manuel Pégourié-Gonnardcac90a12021-06-04 11:42:30 +020074 */
75#define MBEDTLS_SSL_MINOR_VERSION_1 1
76#define MBEDTLS_SSL_MINOR_VERSION_2 2
77
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020078/* Determine minimum supported version */
79#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
80
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020081#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
82#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
Jerry Yuc3091b12021-12-23 14:57:39 +080083#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
84#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4
85#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020086
TRodziewicz4ca18aa2021-05-20 14:46:20 +020087#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
Ron Eldor5e9f14d2017-05-28 10:46:38 +030088#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
89
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020090/* Determine maximum supported version */
91#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
92
Jerry Yu7d239632022-01-27 14:16:44 +080093#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yuc5aef882021-12-23 20:15:02 +080094#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4
Jerry Yu7d239632022-01-27 14:16:44 +080095#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
96#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020097#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
98
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +020099/* Shorthand for restartable ECC */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200100#if defined(MBEDTLS_ECP_RESTARTABLE) && \
101 defined(MBEDTLS_SSL_CLI_C) && \
102 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
103 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskineeccd8882020-03-10 12:19:08 +0100104#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200105#endif
106
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200107#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
108#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
109#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
110#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
111
112/*
Jerry Yu8e7ca042021-08-26 15:31:37 +0800113 * Mask of TLS 1.3 handshake extensions used in extensions_present
114 * of mbedtls_ssl_handshake_params.
115 */
116#define MBEDTLS_SSL_EXT_NONE 0
117
118#define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 )
119#define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 )
120#define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 )
121#define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 )
122#define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 )
123#define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 )
124#define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 )
125#define MBEDTLS_SSL_EXT_ALPN ( 1 << 7 )
126#define MBEDTLS_SSL_EXT_SCT ( 1 << 8 )
Jerry Yu995ecd32021-08-30 17:53:49 +0800127#define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 )
128#define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 )
Jerry Yu8e7ca042021-08-26 15:31:37 +0800129#define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 )
130#define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 )
131#define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 )
132#define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 )
133#define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 )
134#define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 )
135#define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 )
136#define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 )
137#define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 )
138#define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 )
139#define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 )
Jerry Yu93bcd612021-08-18 12:47:24 +0800140
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800141/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800142 * Helper macros for function call with return check.
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800143 */
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800144/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800145 * Exit when return non-zero value
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800146 */
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800147#define MBEDTLS_SSL_PROC_CHK( f ) \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800148 do { \
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800149 ret = ( f ); \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800150 if( ret != 0 ) \
151 { \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800152 goto cleanup; \
153 } \
154 } while( 0 )
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800155/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800156 * Exit when return negative value
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800157 */
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800158#define MBEDTLS_SSL_PROC_CHK_NEG( f ) \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800159 do { \
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800160 ret = ( f ); \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800161 if( ret < 0 ) \
162 { \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800163 goto cleanup; \
164 } \
165 } while( 0 )
166
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200167/*
168 * DTLS retransmission states, see RFC 6347 4.2.4
169 *
170 * The SENDING state is merged in PREPARING for initial sends,
171 * but is distinct for resends.
172 *
173 * Note: initial state is wrong for server, but is not used anyway.
174 */
175#define MBEDTLS_SSL_RETRANS_PREPARING 0
176#define MBEDTLS_SSL_RETRANS_SENDING 1
177#define MBEDTLS_SSL_RETRANS_WAITING 2
178#define MBEDTLS_SSL_RETRANS_FINISHED 3
179
180/*
181 * Allow extra bytes for record, authentication and encryption overhead:
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100182 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200183 */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200184
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200185#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker0cc46612020-11-30 08:56:52 +0000186
Manuel Pégourié-Gonnard05579c42020-07-31 12:53:39 +0200187/* This macro determines whether CBC is supported. */
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200188#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
189 ( defined(MBEDTLS_AES_C) || \
190 defined(MBEDTLS_CAMELLIA_C) || \
191 defined(MBEDTLS_ARIA_C) || \
192 defined(MBEDTLS_DES_C) )
193#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
194#endif
195
Hanno Becker0cc46612020-11-30 08:56:52 +0000196/* This macro determines whether a ciphersuite using a
197 * stream cipher can be used. */
198#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
199#define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
200#endif
201
TRodziewicz0f82ec62021-05-12 17:49:18 +0200202/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
Manuel Pégourié-Gonnarded0e8642020-07-21 11:20:30 +0200203#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
TRodziewicz0f82ec62021-05-12 17:49:18 +0200204 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnarded0e8642020-07-21 11:20:30 +0200205#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
206#endif
207
Hanno Becker31351ce2021-03-22 11:05:58 +0000208#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200209 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000210#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
Hanno Becker52344c22018-01-03 15:24:20 +0000211#endif
212
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200213#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker0cc46612020-11-30 08:56:52 +0000214
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000215#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200216/* Ciphersuites using HMAC */
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200217#if defined(MBEDTLS_SHA384_C)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200218#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
219#elif defined(MBEDTLS_SHA256_C)
220#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
221#else
222#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
223#endif
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000224#else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200225/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
226#define MBEDTLS_SSL_MAC_ADD 16
227#endif
228
229#if defined(MBEDTLS_CIPHER_MODE_CBC)
230#define MBEDTLS_SSL_PADDING_ADD 256
231#else
232#define MBEDTLS_SSL_PADDING_ADD 0
233#endif
234
Hanno Beckera0e20d02019-05-15 14:03:01 +0100235#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
TRodziewicze8dd7092021-05-12 14:19:11 +0200236#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
Hanno Becker6cbad552019-05-08 15:40:11 +0100237#else
238#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
239#endif
240
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100241#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH + \
Angus Grattond8213d02016-05-25 20:56:48 +1000242 MBEDTLS_SSL_MAC_ADD + \
Hanno Becker6cbad552019-05-08 15:40:11 +0100243 MBEDTLS_SSL_PADDING_ADD + \
244 MBEDTLS_SSL_MAX_CID_EXPANSION \
Angus Grattond8213d02016-05-25 20:56:48 +1000245 )
246
247#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
248 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
249
250#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
251 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
252
Hanno Becker0271f962018-08-16 13:23:47 +0100253/* The maximum number of buffered handshake messages. */
Hanno Beckerd488b9e2018-08-16 16:35:37 +0100254#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
Hanno Becker0271f962018-08-16 13:23:47 +0100255
Angus Grattond8213d02016-05-25 20:56:48 +1000256/* Maximum length we can advertise as our max content length for
257 RFC 6066 max_fragment_length extension negotiation purposes
258 (the lesser of both sizes, if they are unequal.)
259 */
260#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
261 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
262 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
263 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
264 )
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200265
Jerry Yu4131ec12022-01-19 10:36:30 +0800266/* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
267#define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
268
Jerry Yu8afd6e42022-01-20 15:54:26 +0800269/* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
Jerry Yu4131ec12022-01-19 10:36:30 +0800270#define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
Hanno Beckere131bfe2017-04-12 14:54:42 +0100271
272/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
273#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
274
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000275#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000276
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200277/*
Hanno Beckera8434e82017-09-18 10:54:39 +0100278 * Check that we obey the standard's message size bounds
279 */
280
David Horstmann95d516f2021-05-04 18:36:56 +0100281#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
282#error "Bad configuration - incoming record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100283#endif
284
David Horstmann95d516f2021-05-04 18:36:56 +0100285#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
286#error "Bad configuration - outgoing record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100287#endif
288
David Horstmann95d516f2021-05-04 18:36:56 +0100289#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
Angus Grattond8213d02016-05-25 20:56:48 +1000290#error "Bad configuration - incoming protected record payload too large."
291#endif
292
David Horstmann95d516f2021-05-04 18:36:56 +0100293#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
Angus Grattond8213d02016-05-25 20:56:48 +1000294#error "Bad configuration - outgoing protected record payload too large."
295#endif
296
297/* Calculate buffer sizes */
298
Hanno Becker25d6d1a2017-12-07 08:22:51 +0000299/* Note: Even though the TLS record header is only 5 bytes
300 long, we're internally using 8 bytes to store the
301 implicit sequence number. */
Hanno Beckerd25d4442017-10-04 13:56:42 +0100302#define MBEDTLS_SSL_HEADER_LEN 13
Hanno Beckera8434e82017-09-18 10:54:39 +0100303
Andrzej Kurek033c42a2020-03-03 05:57:59 -0500304#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000305#define MBEDTLS_SSL_IN_BUFFER_LEN \
306 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100307#else
308#define MBEDTLS_SSL_IN_BUFFER_LEN \
309 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
310 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
311#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000312
Andrzej Kurek033c42a2020-03-03 05:57:59 -0500313#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000314#define MBEDTLS_SSL_OUT_BUFFER_LEN \
315 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100316#else
317#define MBEDTLS_SSL_OUT_BUFFER_LEN \
318 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
319 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
320#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000321
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800322#define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
323#define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
324
Hanno Becker9752aad2021-04-21 05:54:33 +0100325#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
326/**
327 * \brief Return the maximum fragment length (payload, in bytes) for
328 * the output buffer. For the client, this is the configured
329 * value. For the server, it is the minimum of two - the
330 * configured value and the negotiated one.
331 *
332 * \sa mbedtls_ssl_conf_max_frag_len()
333 * \sa mbedtls_ssl_get_max_out_record_payload()
334 *
335 * \param ssl SSL context
336 *
337 * \return Current maximum fragment length for the output buffer.
338 */
339size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
340
341/**
342 * \brief Return the maximum fragment length (payload, in bytes) for
343 * the input buffer. This is the negotiated maximum fragment
Hanno Beckerdf3b8632021-06-08 05:30:45 +0100344 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
Hanno Becker9752aad2021-04-21 05:54:33 +0100345 * If it is not defined either, the value is 2^14. This function
346 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
347 *
348 * \sa mbedtls_ssl_conf_max_frag_len()
349 * \sa mbedtls_ssl_get_max_in_record_payload()
350 *
351 * \param ssl SSL context
352 *
353 * \return Current maximum fragment length for the output buffer.
354 */
355size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
356#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
357
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500358#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500359static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500360{
361#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500362 return mbedtls_ssl_get_output_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500363 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
364 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
365#else
Andrzej Kurek069fa962021-01-07 08:02:15 -0500366 return mbedtls_ssl_get_output_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500367 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
368#endif
369}
370
Andrzej Kurek069fa962021-01-07 08:02:15 -0500371static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500372{
373#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500374 return mbedtls_ssl_get_input_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500375 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
376 + MBEDTLS_SSL_CID_IN_LEN_MAX;
377#else
Andrzej Kurek069fa962021-01-07 08:02:15 -0500378 return mbedtls_ssl_get_input_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500379 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
380#endif
381}
382#endif
383
Hanno Beckera8434e82017-09-18 10:54:39 +0100384/*
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200385 * TLS extension flags (for extensions with outgoing ServerHello content
386 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
387 * of state of the renegotiation flag, so no indicator is required)
388 */
389#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200390#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200391
Hanno Becker51018aa2017-04-12 14:54:42 +0100392/**
393 * \brief This function checks if the remaining size in a buffer is
394 * greater or equal than a needed space.
395 *
396 * \param cur Pointer to the current position in the buffer.
397 * \param end Pointer to one past the end of the buffer.
398 * \param need Needed space in bytes.
399 *
Ronald Cronb7b35e12020-06-11 09:50:51 +0200400 * \return Zero if the needed space is available in the buffer, non-zero
Hanno Becker51018aa2017-04-12 14:54:42 +0100401 * otherwise.
402 */
403static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
404 const uint8_t *end, size_t need )
405{
Ronald Cronb7b35e12020-06-11 09:50:51 +0200406 return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
Hanno Becker51018aa2017-04-12 14:54:42 +0100407}
408
409/**
410 * \brief This macro checks if the remaining size in a buffer is
411 * greater or equal than a needed space. If it is not the case,
412 * it returns an SSL_BUFFER_TOO_SMALL error.
413 *
414 * \param cur Pointer to the current position in the buffer.
415 * \param end Pointer to one past the end of the buffer.
416 * \param need Needed space in bytes.
417 *
418 */
419#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
420 do { \
Ronald Cronb7b35e12020-06-11 09:50:51 +0200421 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
Hanno Becker51018aa2017-04-12 14:54:42 +0100422 { \
423 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
424 } \
425 } while( 0 )
426
Jerry Yu34da3722021-09-19 18:05:08 +0800427/**
Jerry Yue15e6652021-09-28 21:06:07 +0800428 * \brief This macro checks if the remaining length in an input buffer is
429 * greater or equal than a needed length. If it is not the case, it
Jerry Yu205fd822021-10-08 16:16:24 +0800430 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
Jerry Yudca3d5d2021-10-08 14:19:29 +0800431 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
Jerry Yue4eefc72021-10-09 10:40:40 +0800432 *
433 * This is a function-like macro. It is guaranteed to evaluate each
434 * argument exactly once.
Jerry Yu34da3722021-09-19 18:05:08 +0800435 *
436 * \param cur Pointer to the current position in the buffer.
437 * \param end Pointer to one past the end of the buffer.
Jerry Yue15e6652021-09-28 21:06:07 +0800438 * \param need Needed length in bytes.
Jerry Yu34da3722021-09-19 18:05:08 +0800439 *
440 */
441#define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
442 do { \
443 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
444 { \
445 MBEDTLS_SSL_DEBUG_MSG( 1, \
446 ( "missing input data in %s", __func__ ) ); \
447 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
448 MBEDTLS_ERR_SSL_DECODE_ERROR ); \
449 return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
450 } \
451 } while( 0 )
452
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200453#ifdef __cplusplus
454extern "C" {
455#endif
456
Hanno Becker7e5437a2017-04-28 17:15:26 +0100457#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100458 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100459/*
460 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
461 */
462struct mbedtls_ssl_sig_hash_set_t
463{
464 /* At the moment, we only need to remember a single suitable
465 * hash algorithm per signature algorithm. As long as that's
466 * the case - and we don't need a general lookup function -
467 * we can implement the sig-hash-set as a map from signatures
468 * to hash algorithms. */
469 mbedtls_md_type_t rsa;
470 mbedtls_md_type_t ecdsa;
471};
472#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Gilles Peskineeccd8882020-03-10 12:19:08 +0100473 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100474
Ron Eldor51d3ab52019-05-12 14:54:30 +0300475typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
476 const char *label,
477 const unsigned char *random, size_t rlen,
478 unsigned char *dstbuf, size_t dlen );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100479
Hanno Becker61baae72020-09-16 09:24:14 +0100480/* cipher.h exports the maximum IV, key and block length from
Hanno Becker15889832020-09-08 11:29:11 +0100481 * all ciphers enabled in the config, regardless of whether those
482 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
483 * in the default configuration and uses 64 Byte keys, but it is
484 * not used for record protection in SSL/TLS.
485 *
486 * In order to prevent unnecessary inflation of key structures,
487 * we introduce SSL-specific variants of the max-{key,block,IV}
488 * macros here which are meant to only take those ciphers into
489 * account which can be negotiated in SSL/TLS.
490 *
491 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
492 * in cipher.h are rough overapproximations of the real maxima, here
Hanno Becker9a7a2ac2020-09-09 09:24:54 +0100493 * we content ourselves with replicating those overapproximations
Hanno Becker15889832020-09-08 11:29:11 +0100494 * for the maximum block and IV length, and excluding XTS from the
495 * computation of the maximum key length. */
496#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
497#define MBEDTLS_SSL_MAX_IV_LENGTH 16
498#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
499
Hanno Becker3385a4d2020-08-21 13:03:34 +0100500/**
501 * \brief The data structure holding the cryptographic material (key and IV)
502 * used for record protection in TLS 1.3.
503 */
504struct mbedtls_ssl_key_set
505{
506 /*! The key for client->server records. */
Hanno Becker15889832020-09-08 11:29:11 +0100507 unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100508 /*! The key for server->client records. */
Hanno Becker15889832020-09-08 11:29:11 +0100509 unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100510 /*! The IV for client->server records. */
Hanno Becker15889832020-09-08 11:29:11 +0100511 unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100512 /*! The IV for server->client records. */
Hanno Becker15889832020-09-08 11:29:11 +0100513 unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100514
Hanno Becker493ea7f2020-09-08 11:01:00 +0100515 size_t key_len; /*!< The length of client_write_key and
516 * server_write_key, in Bytes. */
517 size_t iv_len; /*!< The length of client_write_iv and
518 * server_write_iv, in Bytes. */
Hanno Becker3385a4d2020-08-21 13:03:34 +0100519};
520typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
Hanno Becker3385a4d2020-08-21 13:03:34 +0100521
Jerry Yu61e35e02021-09-16 18:59:08 +0800522typedef struct
523{
Jerry Yuf532bb22021-10-13 10:34:03 +0800524 unsigned char binder_key [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
525 unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
526 unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Xiaofei Bai746f9482021-11-12 08:53:56 +0000527} mbedtls_ssl_tls13_early_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800528
529typedef struct
530{
Jerry Yuf532bb22021-10-13 10:34:03 +0800531 unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
532 unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Xiaofei Bai746f9482021-11-12 08:53:56 +0000533} mbedtls_ssl_tls13_handshake_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800534
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200535/*
536 * This structure contains the parameters only needed during handshake.
537 */
538struct mbedtls_ssl_handshake_params
539{
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100540 /* Frequently-used boolean or byte fields (placed early to take
541 * advantage of smaller code size for indirect access on Arm Thumb) */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100542 uint8_t resume; /*!< session resume indicator*/
543 uint8_t cli_exts; /*!< client extension presence*/
544
Ronald Cron86a477f2022-02-18 17:45:10 +0100545 /*!< Minimum minor version to be negotiated. */
546 unsigned char min_minor_ver;
547
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100548#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
549 uint8_t sni_authmode; /*!< authmode from SNI callback */
550#endif
551
552#if defined(MBEDTLS_SSL_SESSION_TICKETS)
553 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
554#endif /* MBEDTLS_SSL_SESSION_TICKETS */
555
556#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
557 uint8_t extended_ms; /*!< use Extended Master Secret? */
558#endif
559
560#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
561 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
562#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
563
564#if defined(MBEDTLS_SSL_PROTO_DTLS)
565 unsigned char retransmit_state; /*!< Retransmission state */
566#endif
567
Gilles Peskine41139a22021-12-08 18:25:39 +0100568#if !defined(MBEDTLS_DEPRECATED_REMOVED)
569 unsigned char group_list_heap_allocated;
Jerry Yuf017ee42022-01-12 15:49:48 +0800570 unsigned char sig_algs_heap_allocated;
Gilles Peskine41139a22021-12-08 18:25:39 +0100571#endif
572
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100573#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
574 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100575 enum { /* this complements ssl->state with info on intra-state operations */
576 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
577 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
578 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
579 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
580 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
581 } ecrs_state; /*!< current (or last) operation */
582 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
583 size_t ecrs_n; /*!< place for saving a length */
584#endif
585
586 size_t pmslen; /*!< premaster length */
587
588 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
589
590 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
591 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
592 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
593 mbedtls_ssl_tls_prf_cb *tls_prf;
594
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200595 /*
596 * Handshake specific crypto variables
597 */
Ronald Cron6f135e12021-12-08 16:57:54 +0100598#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000599 int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */
Ronald Cron6f135e12021-12-08 16:57:54 +0100600#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100601
XiaokangQian647719a2021-12-07 09:16:29 +0000602#if defined(MBEDTLS_SSL_CLI_C)
603 /*!< Number of Hello Retry Request messages received from the server. */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000604 int hello_retry_request_count;
XiaokangQian647719a2021-12-07 09:16:29 +0000605#endif /* MBEDTLS_SSL_CLI_C */
606
Hanno Becker7e5437a2017-04-28 17:15:26 +0100607#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100608 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100609 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
610#endif
Gilles Peskine8716f172021-11-16 15:21:44 +0100611
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000612#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
613 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000614 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
615#endif
616
Gilles Peskine41139a22021-12-08 18:25:39 +0100617#if !defined(MBEDTLS_DEPRECATED_REMOVED)
618 const uint16_t *group_list;
Jerry Yuf017ee42022-01-12 15:49:48 +0800619 const uint16_t *sig_algs;
Gilles Peskine41139a22021-12-08 18:25:39 +0100620#endif
621
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200622#if defined(MBEDTLS_DHM_C)
623 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
624#endif
Gilles Peskine8716f172021-11-16 15:21:44 +0100625
John Durkop07cc04a2020-11-16 22:08:34 -0800626/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
Ronald Cronde1adee2022-03-07 16:20:30 +0100627 * to guards in client and server code. There is a gap in functionality that
628 * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not
629 * seem correct.
John Durkop07cc04a2020-11-16 22:08:34 -0800630 */
631#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200632 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000633
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +0100634#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine42459802019-12-19 13:31:53 +0100635 psa_key_type_t ecdh_psa_type;
636 uint16_t ecdh_bits;
Andrzej Kurek03e01462022-01-03 12:53:24 +0100637 mbedtls_svc_key_id_t ecdh_psa_privkey;
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000638 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
639 size_t ecdh_psa_peerkey_len;
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +0100640#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
John Durkop07cc04a2020-11-16 22:08:34 -0800641#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000642
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200643#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200644 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200645#if defined(MBEDTLS_SSL_CLI_C)
646 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
647 size_t ecjpake_cache_len; /*!< Length of cached data */
648#endif
Hanno Becker1aa267c2017-04-28 17:08:27 +0100649#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine8716f172021-11-16 15:21:44 +0100650
651#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200652 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200653 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
654#endif
Gilles Peskine8716f172021-11-16 15:21:44 +0100655
Gilles Peskineeccd8882020-03-10 12:19:08 +0100656#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100657#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek03e01462022-01-03 12:53:24 +0100658 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100659#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200660 unsigned char *psk; /*!< PSK from the callback */
661 size_t psk_len; /*!< Length of PSK from callback */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100662#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Gilles Peskine8716f172021-11-16 15:21:44 +0100663
Gilles Peskinecfe74a32021-12-08 18:38:51 +0100664#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
665 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
666#endif
667
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200668#if defined(MBEDTLS_X509_CRT_PARSE_C)
669 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
670#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
671 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
672 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
673 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100674#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200675#endif /* MBEDTLS_X509_CRT_PARSE_C */
Gilles Peskine8716f172021-11-16 15:21:44 +0100676
Gilles Peskine8716f172021-11-16 15:21:44 +0100677#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
Hanno Becker75173122019-02-06 16:18:31 +0000678 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
679 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
680#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker2f28c102019-04-25 15:46:59 +0100681
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100682 struct
683 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100684 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
685 * buffers used for message buffering. */
686
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100687 uint8_t seen_ccs; /*!< Indicates if a CCS message has
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100688 * been seen in the current flight. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100689
Hanno Becker0271f962018-08-16 13:23:47 +0100690 struct mbedtls_ssl_hs_buffer
691 {
Hanno Becker98081a02018-08-22 13:32:50 +0100692 unsigned is_valid : 1;
693 unsigned is_fragmented : 1;
694 unsigned is_complete : 1;
Hanno Becker0271f962018-08-16 13:23:47 +0100695 unsigned char *data;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100696 size_t data_len;
Hanno Becker0271f962018-08-16 13:23:47 +0100697 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
698
Hanno Becker5f066e72018-08-16 14:56:31 +0100699 struct
700 {
701 unsigned char *data;
702 size_t len;
703 unsigned epoch;
704 } future_record;
705
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100706 } buffering;
Hanno Becker35462012018-08-22 10:25:40 +0100707
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000708#if defined(MBEDTLS_SSL_CLI_C) && \
709 ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
710 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
711 * HelloRetryRequest cookie for TLS 1.3 */
712#endif /* MBEDTLS_SSL_CLI_C &&
713 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
714#if defined(MBEDTLS_SSL_PROTO_DTLS)
715 unsigned char verify_cookie_len; /*!< Cli: HelloVerifyRequest cookie
716 * length
XiaokangQian34909742022-01-27 02:25:04 +0000717 * Srv: flag for sending a cookie */
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000718#endif /* MBEDTLS_SSL_PROTO_DTLS */
719#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
720 uint16_t hrr_cookie_len; /*!< HelloRetryRequest cookie length */
XiaokangQian20438972022-03-04 08:52:07 +0000721#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
XiaokangQian52da5582022-01-26 09:49:29 +0000722
723#if defined(MBEDTLS_SSL_PROTO_DTLS)
724 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
725 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100726
727 uint32_t retransmit_timeout; /*!< Current value of timeout */
728 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
729 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
730 unsigned char *cur_msg_p; /*!< Position in current message */
731 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
732 flight being received */
733 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
734 resending messages */
735 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
736 for resending messages */
737
738#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
739 /* The state of CID configuration in this handshake. */
740
741 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
742 * has been negotiated. Possible values are
743 * #MBEDTLS_SSL_CID_ENABLED and
744 * #MBEDTLS_SSL_CID_DISABLED. */
745 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
746 uint8_t peer_cid_len; /*!< The length of
747 * \c peer_cid. */
748#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
749
Manuel Pégourié-Gonnardf47a4af2018-08-22 10:38:52 +0200750 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100751#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200752
Ronald Cron6f135e12021-12-08 16:57:54 +0100753#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Beckere043d152021-08-12 06:22:32 +0100754 /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
755 * Those pointers own the transforms they reference. */
Hanno Becker3aa186f2021-08-10 09:24:19 +0100756 mbedtls_ssl_transform *transform_handshake;
757 mbedtls_ssl_transform *transform_earlydata;
Ronald Cron6f135e12021-12-08 16:57:54 +0100758#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker3aa186f2021-08-10 09:24:19 +0100759
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200760 /*
761 * Checksum contexts
762 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200763#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500764#if defined(MBEDTLS_USE_PSA_CRYPTO)
765 psa_hash_operation_t fin_sha256_psa;
766#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200767 mbedtls_sha256_context fin_sha256;
768#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500769#endif
Mateusz Starzykc6d94ab2021-05-19 13:31:59 +0200770#if defined(MBEDTLS_SHA384_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500771#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500772 psa_hash_operation_t fin_sha384_psa;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500773#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200774 mbedtls_sha512_context fin_sha512;
775#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500776#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200777
Ronald Cron6f135e12021-12-08 16:57:54 +0100778#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800779 uint16_t offered_group_id; /* The NamedGroup value for the group
780 * that is being used for ephemeral
781 * key exchange.
782 *
783 * On the client: Defaults to the first
784 * entry in the client's group list,
785 * but can be overwritten by the HRR. */
Ronald Cron6f135e12021-12-08 16:57:54 +0100786#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800787
Jerry Yufb28b882022-01-28 11:05:58 +0800788#if defined(MBEDTLS_SSL_CLI_C)
Jerry Yu2d9a6942022-02-08 21:07:10 +0800789 uint8_t client_auth; /*!< used to check if CertificateRequest has been
Jerry Yu5c7d1cc2022-02-08 21:08:29 +0800790 received from server side. If CertificateRequest
Jerry Yu0ff8ac82022-02-08 10:10:48 +0800791 has been received, Certificate and CertificateVerify
Jerry Yufb28b882022-01-28 11:05:58 +0800792 should be sent to server */
793#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000794 /*
795 * State-local variables used during the processing
796 * of a specific handshake state.
797 */
798 union
799 {
800 /* Outgoing Finished message */
801 struct
802 {
803 uint8_t preparation_done;
804
805 /* Buffer holding digest of the handshake up to
806 * but excluding the outgoing finished message. */
XiaokangQianc5c39d52021-11-09 11:55:10 +0000807 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000808 size_t digest_len;
809 } finished_out;
810
811 /* Incoming Finished message */
812 struct
813 {
XiaokangQian57b2aff2021-11-10 03:12:11 +0000814 uint8_t preparation_done;
815
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000816 /* Buffer holding digest of the handshake up to but
817 * excluding the peer's incoming finished message. */
XiaokangQianc5c39d52021-11-09 11:55:10 +0000818 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000819 size_t digest_len;
820 } finished_in;
821
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000822 } state_local;
823
824 /* End of state-local variables. */
825
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800826 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
827 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
828 /*!< random bytes */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200829 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
830 /*!< premaster secret */
831
Ronald Cron6f135e12021-12-08 16:57:54 +0100832#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu8e7ca042021-08-26 15:31:37 +0800833 int extensions_present; /*!< extension presence; Each bitfield
834 represents an extension and defined
835 as \c MBEDTLS_SSL_EXT_XXX */
Jerry Yu89ea3212021-09-09 14:31:24 +0800836
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000837#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
838 unsigned char certificate_request_context_len;
839 unsigned char *certificate_request_context;
Xiaofei Baie1e34422021-12-23 12:09:05 +0000840#endif
841
Jerry Yu89ea3212021-09-09 14:31:24 +0800842 union
843 {
Jerry Yud1ab2622021-10-08 15:36:57 +0800844 unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
845 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
846 unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE];
Xiaofei Baid25fab62021-12-02 06:36:27 +0000847 } tls13_master_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800848
Xiaofei Bai746f9482021-11-12 08:53:56 +0000849 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
Ronald Cron6f135e12021-12-08 16:57:54 +0100850#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200851
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200852#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
853 /** Asynchronous operation context. This field is meant for use by the
854 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
855 * mbedtls_ssl_config::f_async_decrypt_start,
856 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
857 * The library does not use it internally. */
858 void *user_async_ctx;
859#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Glenn Strauss69894072022-01-24 12:58:00 -0500860
861#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
862 const unsigned char *sni_name; /*!< raw SNI */
863 size_t sni_name_len; /*!< raw SNI len */
864#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200865};
866
Hanno Becker0271f962018-08-16 13:23:47 +0100867typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
868
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200869/*
Hanno Beckerd362dc52018-01-03 15:23:11 +0000870 * Representation of decryption/encryption transformations on records
871 *
872 * There are the following general types of record transformations:
TRodziewicz2abf03c2021-06-25 14:40:09 +0200873 * - Stream transformations (TLS versions == 1.2 only)
Hanno Beckerd362dc52018-01-03 15:23:11 +0000874 * Transformation adding a MAC and applying a stream-cipher
875 * to the authenticated message.
TRodziewicz2abf03c2021-06-25 14:40:09 +0200876 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
877 * For TLS 1.2, no IV is generated at key extraction time, but every
878 * encrypted record is explicitly prefixed by the IV with which it was
879 * encrypted.
880 * - AEAD transformations ([D]TLS versions == 1.2 only)
Hanno Beckerd362dc52018-01-03 15:23:11 +0000881 * These come in two fundamentally different versions, the first one
882 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
883 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
884 * In the first transformation, the IV to be used for a record is obtained
885 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
886 * record sequence number, and explicitly prepending this sequence number
887 * to the encrypted record. In contrast, in the second transformation
888 * the IV is obtained by XOR'ing a static IV obtained at key extraction
889 * time with the 8-byte record sequence number, without prepending the
890 * latter to the encrypted record.
891 *
Hanno Becker7d343ec2020-05-04 12:29:05 +0100892 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
893 * which allows to add flexible length padding and to hide a record's true
894 * content type.
895 *
Hanno Beckerd362dc52018-01-03 15:23:11 +0000896 * In addition to type and version, the following parameters are relevant:
897 * - The symmetric cipher algorithm to be used.
898 * - The (static) encryption/decryption keys for the cipher.
899 * - For stream/CBC, the type of message digest to be used.
900 * - For stream/CBC, (static) encryption/decryption keys for the digest.
Hanno Becker0db7e0c2018-10-18 15:39:53 +0100901 * - For AEAD transformations, the size (potentially 0) of an explicit,
902 * random initialization vector placed in encrypted records.
TRodziewicz299510e2021-07-09 16:55:11 +0200903 * - For some transformations (currently AEAD) an implicit IV. It is static
Hanno Beckerd362dc52018-01-03 15:23:11 +0000904 * and (if present) is combined with the explicit IV in a transformation-
TRodziewicz299510e2021-07-09 16:55:11 +0200905 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
Hanno Beckerd362dc52018-01-03 15:23:11 +0000906 * - For stream/CBC, a flag determining the order of encryption and MAC.
907 * - The details of the transformation depend on the SSL/TLS version.
908 * - The length of the authentication tag.
909 *
910 * The struct below refines this abstract view as follows:
911 * - The cipher underlying the transformation is managed in
912 * cipher contexts cipher_ctx_{enc/dec}, which must have the
913 * same cipher type. The mode of these cipher contexts determines
914 * the type of the transformation in the sense above: e.g., if
915 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
916 * then the transformation has type CBC resp. AEAD.
917 * - The cipher keys are never stored explicitly but
918 * are maintained within cipher_ctx_{enc/dec}.
919 * - For stream/CBC transformations, the message digest contexts
920 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
921 * are unused for AEAD transformations.
TRodziewicz2abf03c2021-06-25 14:40:09 +0200922 * - For stream/CBC transformations, the MAC keys are not stored explicitly
923 * but maintained within md_ctx_{enc/dec}.
924 * - The mac_enc and mac_dec fields are unused for EAD transformations.
Hanno Beckerd362dc52018-01-03 15:23:11 +0000925 * - For transformations using an implicit IV maintained within
926 * the transformation context, its contents are stored within
927 * iv_{enc/dec}.
928 * - The value of ivlen indicates the length of the IV.
929 * This is redundant in case of stream/CBC transformations
930 * which always use 0 resp. the cipher's block length as the
931 * IV length, but is needed for AEAD ciphers and may be
932 * different from the underlying cipher's block length
933 * in this case.
934 * - The field fixed_ivlen is nonzero for AEAD transformations only
935 * and indicates the length of the static part of the IV which is
936 * constant throughout the communication, and which is stored in
937 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
Hanno Beckerd362dc52018-01-03 15:23:11 +0000938 * - minor_ver denotes the SSL/TLS version
939 * - For stream/CBC transformations, maclen denotes the length of the
940 * authentication tag, while taglen is unused and 0.
941 * - For AEAD transformations, taglen denotes the length of the
942 * authentication tag, while maclen is unused and 0.
943 * - For CBC transformations, encrypt_then_mac determines the
944 * order of encryption and authentication. This field is unused
945 * in other transformations.
946 *
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200947 */
948struct mbedtls_ssl_transform
949{
950 /*
951 * Session specific crypto layer
952 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200953 size_t minlen; /*!< min. ciphertext length */
954 size_t ivlen; /*!< IV length */
955 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
Hanno Beckere694c3e2017-12-27 21:34:08 +0000956 size_t maclen; /*!< MAC(CBC) len */
957 size_t taglen; /*!< TAG(AEAD) len */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200958
959 unsigned char iv_enc[16]; /*!< IV (encryption) */
960 unsigned char iv_dec[16]; /*!< IV (decryption) */
961
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000962#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Hanno Beckerd56ed242018-01-03 15:32:51 +0000963
Neil Armstrong39b8e7d2022-02-23 09:24:45 +0100964#if defined(MBEDTLS_USE_PSA_CRYPTO)
965 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
966 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
967 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
Neil Armstrongcf8841a2022-02-24 11:17:45 +0100968#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200969 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
970 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
Neil Armstrongcf8841a2022-02-24 11:17:45 +0100971#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200972
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000973#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
974 int encrypt_then_mac; /*!< flag for EtM activation */
975#endif
976
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000977#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Hanno Beckerd56ed242018-01-03 15:32:51 +0000978
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000979 int minor_ver;
980
Przemyslaw Stekiel44187d72022-01-11 08:25:29 +0100981#if defined(MBEDTLS_USE_PSA_CRYPTO)
982 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
983 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
984 psa_algorithm_t psa_alg; /*!< psa algorithm */
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +0100985#else
986 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
987 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
Przemyslaw Stekiel44187d72022-01-11 08:25:29 +0100988#endif /* MBEDTLS_USE_PSA_CRYPTO */
989
Hanno Beckera0e20d02019-05-15 14:03:01 +0100990#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1327fa72019-04-25 15:54:02 +0100991 uint8_t in_cid_len;
992 uint8_t out_cid_len;
993 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
994 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckera0e20d02019-05-15 14:03:01 +0100995#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1327fa72019-04-25 15:54:02 +0100996
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +0200997#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
998 /* We need the Hello random bytes in order to re-derive keys from the
Hanno Beckerbd257552021-03-22 06:59:27 +0000999 * Master Secret and other session info,
1000 * see ssl_tls12_populate_transform() */
Jerry Yue6d7e5c2021-10-26 10:44:32 +08001001 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1002 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1003 /*!< ServerHello.random+ClientHello.random */
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +02001004#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001005};
1006
Hanno Becker12a3a862018-01-05 15:42:50 +00001007/*
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02001008 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1009 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1010 */
1011static inline int mbedtls_ssl_transform_uses_aead(
1012 const mbedtls_ssl_transform *transform )
1013{
Hanno Beckerfd86ca82020-11-30 08:54:23 +00001014#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02001015 return( transform->maclen == 0 && transform->taglen != 0 );
1016#else
1017 (void) transform;
1018 return( 1 );
1019#endif
1020}
1021
1022/*
Hanno Becker12a3a862018-01-05 15:42:50 +00001023 * Internal representation of record frames
1024 *
Hanno Becker12a3a862018-01-05 15:42:50 +00001025 * Instances come in two flavors:
1026 * (1) Encrypted
1027 * These always have data_offset = 0
1028 * (2) Unencrypted
Hanno Beckercd430bc2019-04-04 16:29:48 +01001029 * These have data_offset set to the amount of
1030 * pre-expansion during record protection. Concretely,
1031 * this is the length of the fixed part of the explicit IV
1032 * used for encryption, or 0 if no explicit IV is used
TRodziewicz2abf03c2021-06-25 14:40:09 +02001033 * (e.g. for stream ciphers).
Hanno Becker12a3a862018-01-05 15:42:50 +00001034 *
1035 * The reason for the data_offset in the unencrypted case
1036 * is to allow for in-place conversion of an unencrypted to
1037 * an encrypted record. If the offset wasn't included, the
1038 * encrypted content would need to be shifted afterwards to
1039 * make space for the fixed IV.
1040 *
1041 */
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001042#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Becker75f080f2019-04-30 15:01:51 +01001043#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001044#else
Hanno Becker75f080f2019-04-30 15:01:51 +01001045#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001046#endif
1047
Hanno Becker12a3a862018-01-05 15:42:50 +00001048typedef struct
1049{
Jerry Yuae0b2e22021-10-08 15:21:19 +08001050 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1051 * In DTLS: The 2-byte epoch followed by
1052 * the 6-byte sequence number.
1053 * This is stored as a raw big endian byte array
1054 * as opposed to a uint64_t because we rarely
1055 * need to perform arithmetic on this, but do
1056 * need it as a Byte array for the purpose of
1057 * MAC computations. */
Hanno Beckerd840cea2019-07-11 09:24:36 +01001058 uint8_t type; /* The record content type. */
1059 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1060 * Convert to internal presentation of versions
1061 * using mbedtls_ssl_read_version() and
1062 * mbedtls_ssl_write_version().
1063 * Keep wire-format for MAC computations. */
Hanno Becker12a3a862018-01-05 15:42:50 +00001064
Hanno Beckerd840cea2019-07-11 09:24:36 +01001065 unsigned char *buf; /* Memory buffer enclosing the record content */
1066 size_t buf_len; /* Buffer length */
1067 size_t data_offset; /* Offset of record content */
1068 size_t data_len; /* Length of record content */
Hanno Becker12a3a862018-01-05 15:42:50 +00001069
Hanno Beckera0e20d02019-05-15 14:03:01 +01001070#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerd840cea2019-07-11 09:24:36 +01001071 uint8_t cid_len; /* Length of the CID (0 if not present) */
1072 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +01001073#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker12a3a862018-01-05 15:42:50 +00001074} mbedtls_record;
1075
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001076#if defined(MBEDTLS_X509_CRT_PARSE_C)
1077/*
1078 * List of certificate + private key pairs
1079 */
1080struct mbedtls_ssl_key_cert
1081{
1082 mbedtls_x509_crt *cert; /*!< cert */
1083 mbedtls_pk_context *key; /*!< private key */
1084 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1085};
1086#endif /* MBEDTLS_X509_CRT_PARSE_C */
1087
1088#if defined(MBEDTLS_SSL_PROTO_DTLS)
1089/*
1090 * List of handshake messages kept around for resending
1091 */
1092struct mbedtls_ssl_flight_item
1093{
1094 unsigned char *p; /*!< message, including handshake headers */
1095 size_t len; /*!< length of p */
1096 unsigned char type; /*!< type of the message: handshake or CCS */
1097 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1098};
1099#endif /* MBEDTLS_SSL_PROTO_DTLS */
1100
Hanno Becker7e5437a2017-04-28 17:15:26 +01001101#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01001102 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01001103
1104/* Find an entry in a signature-hash set matching a given hash algorithm. */
1105mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
1106 mbedtls_pk_type_t sig_alg );
1107/* Add a signature-hash-pair to a signature-hash set */
1108void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
1109 mbedtls_pk_type_t sig_alg,
1110 mbedtls_md_type_t md_alg );
1111/* Allow exactly one hash algorithm for each signature. */
1112void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
1113 mbedtls_md_type_t md_alg );
1114
1115/* Setup an empty signature-hash set */
1116static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
1117{
1118 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
1119}
1120
1121#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
Gilles Peskineeccd8882020-03-10 12:19:08 +01001122 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001123
1124/**
1125 * \brief Free referenced items in an SSL transform context and clear
1126 * memory
1127 *
1128 * \param transform SSL transform context
1129 */
1130void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
1131
1132/**
1133 * \brief Free referenced items in an SSL handshake context and clear
1134 * memory
1135 *
Gilles Peskine9b562d52018-04-25 20:32:43 +02001136 * \param ssl SSL context
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001137 */
Gilles Peskine9b562d52018-04-25 20:32:43 +02001138void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001139
Jerry Yuc7875b52021-09-05 21:05:50 +08001140/* set inbound transform of ssl context */
1141void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
1142 mbedtls_ssl_transform *transform );
1143
1144/* set outbound transform of ssl context */
1145void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
1146 mbedtls_ssl_transform *transform );
1147
Xiaofei Bai15a56812021-11-05 10:52:12 +00001148#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1149int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
1150 unsigned char *buf,
1151 const unsigned char *end,
1152 size_t *olen );
1153#endif
1154
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001155int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
1156int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
1157void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001158static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
1159 mbedtls_ssl_states state )
1160{
1161 ssl->state = ( int ) state;
1162}
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001163
1164int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
1165
1166void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
Jerry Yubef175d2022-01-28 10:52:05 +08001167
1168#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001169int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
Jerry Yubef175d2022-01-28 10:52:05 +08001170#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001171
Simon Butcher99000142016-10-13 17:21:01 +01001172int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
1173int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
1174void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
1175
Hanno Becker4a810fb2017-05-24 16:27:30 +01001176/**
1177 * \brief Update record layer
1178 *
1179 * This function roughly separates the implementation
1180 * of the logic of (D)TLS from the implementation
1181 * of the secure transport.
1182 *
Hanno Becker3a0aad12018-08-20 09:44:02 +01001183 * \param ssl The SSL context to use.
1184 * \param update_hs_digest This indicates if the handshake digest
1185 * should be automatically updated in case
1186 * a handshake message is found.
Hanno Becker4a810fb2017-05-24 16:27:30 +01001187 *
1188 * \return 0 or non-zero error code.
1189 *
1190 * \note A clarification on what is called 'record layer' here
1191 * is in order, as many sensible definitions are possible:
1192 *
1193 * The record layer takes as input an untrusted underlying
1194 * transport (stream or datagram) and transforms it into
1195 * a serially multiplexed, secure transport, which
1196 * conceptually provides the following:
1197 *
1198 * (1) Three datagram based, content-agnostic transports
1199 * for handshake, alert and CCS messages.
1200 * (2) One stream- or datagram-based transport
1201 * for application data.
1202 * (3) Functionality for changing the underlying transform
1203 * securing the contents.
1204 *
1205 * The interface to this functionality is given as follows:
1206 *
1207 * a Updating
1208 * [Currently implemented by mbedtls_ssl_read_record]
1209 *
1210 * Check if and on which of the four 'ports' data is pending:
1211 * Nothing, a controlling datagram of type (1), or application
1212 * data (2). In any case data is present, internal buffers
1213 * provide access to the data for the user to process it.
1214 * Consumption of type (1) datagrams is done automatically
1215 * on the next update, invalidating that the internal buffers
1216 * for previous datagrams, while consumption of application
1217 * data (2) is user-controlled.
1218 *
1219 * b Reading of application data
1220 * [Currently manual adaption of ssl->in_offt pointer]
1221 *
1222 * As mentioned in the last paragraph, consumption of data
1223 * is different from the automatic consumption of control
1224 * datagrams (1) because application data is treated as a stream.
1225 *
1226 * c Tracking availability of application data
1227 * [Currently manually through decreasing ssl->in_msglen]
1228 *
1229 * For efficiency and to retain datagram semantics for
1230 * application data in case of DTLS, the record layer
1231 * provides functionality for checking how much application
1232 * data is still available in the internal buffer.
1233 *
1234 * d Changing the transformation securing the communication.
1235 *
1236 * Given an opaque implementation of the record layer in the
1237 * above sense, it should be possible to implement the logic
1238 * of (D)TLS on top of it without the need to know anything
1239 * about the record layer's internals. This is done e.g.
1240 * in all the handshake handling functions, and in the
1241 * application data reading function mbedtls_ssl_read.
1242 *
1243 * \note The above tries to give a conceptual picture of the
1244 * record layer, but the current implementation deviates
1245 * from it in some places. For example, our implementation of
1246 * the update functionality through mbedtls_ssl_read_record
1247 * discards datagrams depending on the current state, which
1248 * wouldn't fall under the record layer's responsibility
1249 * following the above definition.
1250 *
1251 */
Hanno Becker3a0aad12018-08-20 09:44:02 +01001252int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1253 unsigned update_hs_digest );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001254int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1255
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001256/*
1257 * Write handshake message header
1258 */
1259int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
1260 unsigned char **buf, size_t *buf_len );
1261
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001262int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
Ronald Cron66dbf912022-02-02 15:33:46 +01001263 int update_checksum,
Ronald Cron00d012f22022-03-08 15:57:12 +01001264 int force_flush );
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001265static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
1266{
Ronald Cron66dbf912022-02-02 15:33:46 +01001267 return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */, 1 /* force flush */ ) );
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001268}
1269
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001270/*
1271 * Write handshake message tail
1272 */
1273int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
1274 size_t buf_len, size_t msg_len );
1275
Ronald Cron00d012f22022-03-08 15:57:12 +01001276int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001277int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1278
1279int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
1280int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1281
1282int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
1283int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1284
1285int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
1286int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1287
1288void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1289 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1290
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001291/*
1292 * Update checksum of handshake messages.
1293 */
1294void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
1295 unsigned hs_type,
1296 unsigned char const *msg,
1297 size_t msg_len );
1298
Gilles Peskineeccd8882020-03-10 12:19:08 +01001299#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001300int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
1301 mbedtls_key_exchange_type_t key_ex );
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001302
Guilhem Bryant8a69ddd2020-03-27 11:13:39 +00001303/**
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001304 * Get the first defined PSK by order of precedence:
1305 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1306 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1307 * Return a code and update the pair (PSK, PSK length) passed to this function
1308 */
1309static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1310 const unsigned char **psk, size_t *psk_len )
1311{
1312 if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
1313 {
1314 *psk = ssl->handshake->psk;
1315 *psk_len = ssl->handshake->psk_len;
1316 }
1317
1318 else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
1319 {
1320 *psk = ssl->conf->psk;
1321 *psk_len = ssl->conf->psk_len;
1322 }
1323
1324 else
1325 {
Guilhem Bryantb5f04e42020-04-01 11:23:58 +01001326 *psk = NULL;
1327 *psk_len = 0;
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001328 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1329 }
1330
1331 return( 0 );
1332}
1333
1334#if defined(MBEDTLS_USE_PSA_CRYPTO)
Guilhem Bryant8a69ddd2020-03-27 11:13:39 +00001335/**
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001336 * Get the first defined opaque PSK by order of precedence:
1337 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1338 * callback
1339 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1340 * Return an opaque PSK
1341 */
Andrzej Kurek03e01462022-01-03 12:53:24 +01001342static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001343 const mbedtls_ssl_context *ssl )
1344{
Ronald Croncf56a0a2020-08-04 09:51:30 +02001345 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001346 return( ssl->handshake->psk_opaque );
1347
Ronald Croncf56a0a2020-08-04 09:51:30 +02001348 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001349 return( ssl->conf->psk_opaque );
1350
Ronald Croncf56a0a2020-08-04 09:51:30 +02001351 return( MBEDTLS_SVC_KEY_ID_INIT );
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001352}
Przemyslaw Stekiel430f3372022-01-10 11:55:46 +01001353
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001354#endif /* MBEDTLS_USE_PSA_CRYPTO */
1355
1356#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001357
1358#if defined(MBEDTLS_PK_C)
1359unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
Hanno Becker7e5437a2017-04-28 17:15:26 +01001360unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001361mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1362#endif
1363
1364mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02001365unsigned char mbedtls_ssl_hash_from_md_alg( int md );
Ronald Cron4dcbca92022-03-07 10:21:40 +01001366
1367#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Simon Butcher99000142016-10-13 17:21:01 +01001368int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
Ronald Cron4dcbca92022-03-07 10:21:40 +01001369#endif
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001370
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01001371int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02001372#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02001373int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001374#endif
1375
Ron Eldor089c9fe2018-12-06 17:12:49 +02001376#if defined(MBEDTLS_SSL_DTLS_SRTP)
Johan Pascal43f94902020-09-22 12:25:52 +02001377static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1378 ( const uint16_t srtp_profile_value )
Ron Eldor089c9fe2018-12-06 17:12:49 +02001379{
Johan Pascal43f94902020-09-22 12:25:52 +02001380 switch( srtp_profile_value )
Ron Eldor089c9fe2018-12-06 17:12:49 +02001381 {
Johan Pascal85269572020-08-25 10:01:54 +02001382 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
Johan Pascal85269572020-08-25 10:01:54 +02001383 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
Johan Pascal85269572020-08-25 10:01:54 +02001384 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
Johan Pascal85269572020-08-25 10:01:54 +02001385 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
Johan Pascal43f94902020-09-22 12:25:52 +02001386 return srtp_profile_value;
Ron Eldor089c9fe2018-12-06 17:12:49 +02001387 default: break;
1388 }
Johan Pascal43f94902020-09-22 12:25:52 +02001389 return( MBEDTLS_TLS_SRTP_UNSET );
Ron Eldor089c9fe2018-12-06 17:12:49 +02001390}
1391#endif
1392
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001393#if defined(MBEDTLS_X509_CRT_PARSE_C)
1394static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1395{
1396 mbedtls_ssl_key_cert *key_cert;
1397
1398 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1399 key_cert = ssl->handshake->key_cert;
1400 else
1401 key_cert = ssl->conf->key_cert;
1402
1403 return( key_cert == NULL ? NULL : key_cert->key );
1404}
1405
1406static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1407{
1408 mbedtls_ssl_key_cert *key_cert;
1409
1410 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1411 key_cert = ssl->handshake->key_cert;
1412 else
1413 key_cert = ssl->conf->key_cert;
1414
1415 return( key_cert == NULL ? NULL : key_cert->cert );
1416}
1417
1418/*
1419 * Check usage of a certificate wrt extensions:
1420 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1421 *
1422 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1423 * check a cert we received from them)!
1424 *
1425 * Return 0 if everything is OK, -1 if not.
1426 */
1427int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1428 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1429 int cert_endpoint,
1430 uint32_t *flags );
1431#endif /* MBEDTLS_X509_CRT_PARSE_C */
1432
1433void mbedtls_ssl_write_version( int major, int minor, int transport,
1434 unsigned char ver[2] );
1435void mbedtls_ssl_read_version( int *major, int *minor, int transport,
1436 const unsigned char ver[2] );
1437
Hanno Becker5903de42019-05-03 14:46:38 +01001438static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001439{
Hanno Becker47be7682019-07-12 09:55:46 +01001440#if !defined(MBEDTLS_SSL_PROTO_DTLS)
1441 ((void) ssl);
1442#endif
1443
1444#if defined(MBEDTLS_SSL_PROTO_DTLS)
1445 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1446 {
1447 return( 13 );
1448 }
1449 else
1450#endif /* MBEDTLS_SSL_PROTO_DTLS */
1451 {
1452 return( 5 );
1453 }
Hanno Becker5903de42019-05-03 14:46:38 +01001454}
1455
1456static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1457{
Hanno Becker3b154c12019-05-03 15:05:27 +01001458 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001459}
1460
1461static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1462{
1463#if defined(MBEDTLS_SSL_PROTO_DTLS)
1464 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1465 return( 12 );
1466#else
1467 ((void) ssl);
1468#endif
1469 return( 4 );
1470}
1471
1472#if defined(MBEDTLS_SSL_PROTO_DTLS)
1473void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1474void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1475int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02001476int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001477#endif
1478
1479/* Visible for testing purposes only */
1480#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Hanno Becker0183d692019-07-12 08:50:37 +01001481int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001482void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1483#endif
1484
Hanno Becker52055ae2019-02-06 14:30:46 +00001485int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1486 const mbedtls_ssl_session *src );
1487
TRodziewicz0f82ec62021-05-12 17:49:18 +02001488#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek814feff2019-01-14 04:35:19 -05001489/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001490int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +02001491 unsigned char *hash, size_t *hashlen,
1492 unsigned char *data, size_t data_len,
1493 mbedtls_md_type_t md_alg );
TRodziewicz0f82ec62021-05-12 17:49:18 +02001494#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001495
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001496#ifdef __cplusplus
1497}
1498#endif
1499
Hanno Beckera18d1322018-01-03 14:27:32 +00001500void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1501int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1502 mbedtls_ssl_transform *transform,
1503 mbedtls_record *rec,
1504 int (*f_rng)(void *, unsigned char *, size_t),
1505 void *p_rng );
Hanno Becker605949f2019-07-12 08:23:59 +01001506int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +00001507 mbedtls_ssl_transform *transform,
1508 mbedtls_record *rec );
1509
Hanno Beckerdd772292020-02-05 10:38:31 +00001510/* Length of the "epoch" field in the record header */
1511static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1512{
1513#if defined(MBEDTLS_SSL_PROTO_DTLS)
1514 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1515 return( 2 );
1516#else
1517 ((void) ssl);
1518#endif
1519 return( 0 );
1520}
1521
Hanno Becker08f09132020-02-11 15:40:07 +00001522#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker786300f2020-02-05 10:46:40 +00001523int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
Hanno Becker08f09132020-02-11 15:40:07 +00001524#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker0f57a652020-02-05 10:37:26 +00001525
1526void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
Hanno Becker7876d122020-02-05 10:39:31 +00001527int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1528
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00001529void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1530void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1531 mbedtls_ssl_transform *transform );
1532void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1533
Hanno Becker43aefe22020-02-05 10:44:56 +00001534int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
XiaokangQian78b1fa72022-01-19 06:56:30 +00001535void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
1536 int partial );
Hanno Becker43aefe22020-02-05 10:44:56 +00001537
Jerry Yue7047812021-09-13 19:26:39 +08001538/*
Jerry Yu394ece62021-09-14 22:17:21 +08001539 * Send pending alert
Jerry Yue7047812021-09-13 19:26:39 +08001540 */
1541int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
1542
Jerry Yu394ece62021-09-14 22:17:21 +08001543/*
1544 * Set pending fatal alert flag.
1545 */
1546void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
1547 unsigned char alert_type,
1548 int alert_reason );
1549
1550/* Alias of mbedtls_ssl_pend_fatal_alert */
1551#define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \
1552 mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value )
1553
Hanno Becker7e8e6a62020-02-05 10:45:48 +00001554#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1555void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1556#endif
1557
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00001558void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1559
Hanno Becker08f09132020-02-11 15:40:07 +00001560#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker40cdaa12020-02-05 10:48:27 +00001561int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
Hanno Becker08f09132020-02-11 15:40:07 +00001562#endif /* MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker89490712020-02-05 10:50:12 +00001563
Hanno Becker533ab5f2020-02-05 10:49:13 +00001564#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker08f09132020-02-11 15:40:07 +00001565size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
Hanno Becker533ab5f2020-02-05 10:49:13 +00001566void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1567void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1568#endif /* MBEDTLS_SSL_PROTO_DTLS */
1569
Jerry Yu60835a82021-08-04 10:13:52 +08001570/**
1571 * ssl utils functions for checking configuration.
1572 */
1573
Ronald Cron6f135e12021-12-08 16:57:54 +01001574#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08001575static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
1576{
1577 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1578 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1579 conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 &&
1580 conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1581 {
1582 return( 1 );
1583 }
1584 return( 0 );
1585}
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001586
Ronald Cron6f135e12021-12-08 16:57:54 +01001587#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu60835a82021-08-04 10:13:52 +08001588
1589#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1590static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
1591{
1592 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1593 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1594 conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1595 conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1596 {
1597 return( 1 );
1598 }
1599 return( 0 );
1600}
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001601
Jerry Yu60835a82021-08-04 10:13:52 +08001602#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1603
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001604static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *conf )
1605{
1606#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1607 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1608 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1609 conf->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_4 &&
1610 conf->max_minor_ver >= MBEDTLS_SSL_MINOR_VERSION_4 )
1611 {
1612 return( 1 );
1613 }
1614 return( 0 );
1615#else
1616 ((void) conf);
1617 return( 0 );
1618#endif
1619}
1620
1621static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *conf )
1622{
1623#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1624 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1625 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1626 conf->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 &&
1627 conf->max_minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 )
1628 {
1629 return( 1 );
1630 }
1631 return( 0 );
1632#else
1633 ((void) conf);
1634 return( 0 );
1635#endif
1636}
1637
Ronald Cron6f135e12021-12-08 16:57:54 +01001638#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08001639static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
1640{
1641 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1642 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1643 conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1644 conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1645 {
1646 return( 1 );
1647 }
1648 return( 0 );
1649}
Ronald Cron6f135e12021-12-08 16:57:54 +01001650#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu60835a82021-08-04 10:13:52 +08001651
Ronald Cron6f135e12021-12-08 16:57:54 +01001652#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yua6e6c272021-11-17 17:54:13 +08001653
1654int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
1655int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
1656void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
1657
1658/**
Ronald Cron3d580bf2022-02-18 17:24:56 +01001659 * \brief Given an SSL context and its associated configuration, write the TLS
1660 * 1.3 specific extensions of the ClientHello message.
1661 *
1662 * \param[in] ssl SSL context
1663 * \param[in] buf Base address of the buffer where to write the extensions
1664 * \param[in] end End address of the buffer where to write the extensions
1665 * \param[out] out_len Length of the data written into the buffer \p buf
1666 */
1667int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1668 unsigned char *buf,
1669 unsigned char *end,
1670 size_t *out_len );
1671
1672/**
Jerry Yua6e6c272021-11-17 17:54:13 +08001673 * \brief TLS 1.3 client side state machine entry
1674 *
1675 * \param ssl SSL context
1676 */
1677int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
1678
1679/**
1680 * \brief TLS 1.3 server side state machine entry
1681 *
1682 * \param ssl SSL context
1683 */
1684int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
1685
Jerry Yu26f4d152021-08-23 17:42:37 +08001686
1687/*
1688 * Helper functions around key exchange modes.
1689 */
Jerry Yub60e3cf2021-09-08 16:41:02 +08001690static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
Jerry Yu26f4d152021-08-23 17:42:37 +08001691 int kex_mode_mask )
1692{
1693 return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
1694}
1695
Jerry Yub60e3cf2021-09-08 16:41:02 +08001696static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu26f4d152021-08-23 17:42:37 +08001697{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001698 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001699 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001700}
1701
1702static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
1703{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001704 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001705 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001706}
1707
Jerry Yub60e3cf2021-09-08 16:41:02 +08001708static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu26f4d152021-08-23 17:42:37 +08001709{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001710 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001711 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001712}
1713
1714static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1715{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001716 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001717 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001718}
1719
1720static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1721{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001722 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001723 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001724}
1725
Jerry Yuadf861a2021-09-29 21:22:08 +08001726/**
1727 * Given a list of key exchange modes, check if at least one of them is
1728 * supported.
1729 *
1730 * \param[in] ssl SSL context
Jerry Yu0cabad32021-09-30 09:52:35 +08001731 * \param kex_modes_mask Mask of the key exchange modes to check
Jerry Yuadf861a2021-09-29 21:22:08 +08001732 *
1733 * \return 0 if at least one of the key exchange modes is supported,
Jerry Yudca3d5d2021-10-08 14:19:29 +08001734 * !=0 otherwise.
Jerry Yuadf861a2021-09-29 21:22:08 +08001735 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00001736static inline unsigned mbedtls_ssl_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1737 int kex_modes_mask )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001738{
Xiaofei Baid25fab62021-12-02 06:36:27 +00001739 return( ( ssl->handshake->tls13_kex_modes & kex_modes_mask ) == 0 );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001740}
1741
Xiaofei Bai746f9482021-11-12 08:53:56 +00001742static inline int mbedtls_ssl_tls13_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001743{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001744 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1745 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001746}
1747
Xiaofei Bai746f9482021-11-12 08:53:56 +00001748static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001749 mbedtls_ssl_context *ssl )
1750{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001751 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1752 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001753}
1754
Xiaofei Bai746f9482021-11-12 08:53:56 +00001755static inline int mbedtls_ssl_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001756{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001757 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1758 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001759}
1760
Xiaofei Bai746f9482021-11-12 08:53:56 +00001761static inline int mbedtls_ssl_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001762{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001763 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1764 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001765}
1766
Xiaofei Bai746f9482021-11-12 08:53:56 +00001767static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001768{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001769 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1770 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001771}
1772
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001773/*
XiaokangQian6b226b02021-09-24 07:51:16 +00001774 * Fetch TLS 1.3 handshake message header
1775 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00001776int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
1777 unsigned hs_type,
1778 unsigned char **buf,
1779 size_t *buf_len );
XiaokangQian6b226b02021-09-24 07:51:16 +00001780
1781/*
Xiaofei Bai947571e2021-09-29 09:12:03 +00001782 * Handler of TLS 1.3 server certificate message
1783 */
1784int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
1785
Jerry Yu90f152d2022-01-29 22:12:42 +08001786#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001787/*
Jerry Yu3e536442022-02-15 11:05:59 +08001788 * Handler of TLS 1.3 write Certificate message
Jerry Yu5cc35062022-01-28 16:16:08 +08001789 */
1790int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
1791
1792/*
Jerry Yu3e536442022-02-15 11:05:59 +08001793 * Handler of TLS 1.3 write Certificate Verify message
Jerry Yu8511f122022-01-29 10:01:04 +08001794 */
1795int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
Jerry Yu90f152d2022-01-29 22:12:42 +08001796
1797#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1798
Jerry Yu8511f122022-01-29 10:01:04 +08001799/*
Jerry Yu30b071c2021-09-12 20:16:03 +08001800 * Generic handler of Certificate Verify
1801 */
1802int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
1803
1804/*
Ronald Cron49ad6192021-11-24 16:25:31 +01001805 * Write of dummy-CCS's for middlebox compatibility
1806 */
1807int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1808
XiaokangQian647719a2021-12-07 09:16:29 +00001809int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
1810
Jerry Yuf017ee42022-01-12 15:49:48 +08001811#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1812
Jerry Yubc20bdd2021-08-24 15:59:48 +08001813#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001814/*
Jerry Yuf017ee42022-01-12 15:49:48 +08001815 * Write Signature Algorithm extension
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001816 */
Jerry Yuf017ee42022-01-12 15:49:48 +08001817int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
Jerry Yu713013f2022-01-17 18:16:35 +08001818 const unsigned char *end, size_t *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +08001819
Xiaofei Bai69fcd392022-01-20 08:25:00 +00001820/*
1821 * Parse TLS 1.3 Signature Algorithm extension
1822 */
1823int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
1824 const unsigned char *buf,
1825 const unsigned char *end );
Jerry Yubc20bdd2021-08-24 15:59:48 +08001826#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu65dd2cc2021-08-18 16:38:40 +08001827
Jerry Yu000f9762021-09-14 11:12:51 +08001828/* Get handshake transcript */
1829int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
1830 const mbedtls_md_type_t md,
1831 unsigned char *dst,
1832 size_t dst_len,
1833 size_t *olen );
1834
Brett Warrene0edc842021-08-17 09:53:13 +01001835/*
1836 * Return supported groups.
1837 *
1838 * In future, invocations can be changed to ssl->conf->group_list
1839 * when mbedtls_ssl_conf_curves() is deleted.
1840 *
1841 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
1842 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
1843 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
1844 *
1845 */
1846static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl )
1847{
1848 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
1849 return( ssl->conf->group_list );
1850 #else
1851 if( ( ssl->handshake != NULL ) && ( ssl->handshake->group_list != NULL ) )
1852 return( ssl->handshake->group_list );
1853 else
1854 return( ssl->conf->group_list );
1855 #endif
1856}
1857
Jerry Yuba073422021-12-20 22:22:15 +08001858/*
1859 * Helper functions for NamedGroup.
1860 */
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001861static inline int mbedtls_ssl_tls12_named_group_is_ecdhe( uint16_t named_group )
Jerry Yuba073422021-12-20 22:22:15 +08001862{
1863 /*
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001864 * RFC 8422 section 5.1.1
Jerry Yuba073422021-12-20 22:22:15 +08001865 */
Jerry Yuf0fede52022-01-12 10:57:47 +08001866 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
1867 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
1868 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
1869 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
1870 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
1871 /* Below deprected curves should be removed with notice to users */
1872 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001873 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
1874 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
1875 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
1876 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
1877 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
1878 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
Jerry Yuf0fede52022-01-12 10:57:47 +08001879 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 );
Jerry Yuba073422021-12-20 22:22:15 +08001880}
1881
1882static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
1883{
Jerry Yuf0fede52022-01-12 10:57:47 +08001884 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
1885 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
Jerry Yuba073422021-12-20 22:22:15 +08001886 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
1887 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
Jerry Yuba073422021-12-20 22:22:15 +08001888 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 );
1889}
1890
1891static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
1892{
1893 return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
1894 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
1895}
1896
Jerry Yu1ea9d102021-12-21 13:41:49 +08001897#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
1898 defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1899 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yuba073422021-12-20 22:22:15 +08001900int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
1901 unsigned char *buf,
Jerry Yu17532612021-12-20 22:32:09 +08001902 const unsigned char *end,
Jerry Yuba073422021-12-20 22:22:15 +08001903 size_t *out_len );
1904
Jerry Yu1ea9d102021-12-21 13:41:49 +08001905#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED ||
1906 MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1907 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Jerry Yuafdfed12021-12-22 10:49:02 +08001908/*
Jerry Yu713013f2022-01-17 18:16:35 +08001909 * Return supported signature algorithms.
1910 *
1911 * In future, invocations can be changed to ssl->conf->sig_algs when
1912 * mbedtls_ssl_conf_sig_hashes() is deleted.
1913 *
Jerry Yu7ddc38c2022-01-19 11:08:05 +08001914 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
1915 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
1916 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
1917 * been more recently invoked.
1918 *
Jerry Yuafdfed12021-12-22 10:49:02 +08001919 */
Jerry Yu713013f2022-01-17 18:16:35 +08001920static inline const void *mbedtls_ssl_get_sig_algs(
1921 const mbedtls_ssl_context *ssl )
Jerry Yuafdfed12021-12-22 10:49:02 +08001922{
1923#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01001924
Jerry Yu6106fdc2022-01-12 16:36:14 +08001925#if !defined(MBEDTLS_DEPRECATED_REMOVED)
1926 if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
1927 return( ssl->handshake->sig_algs );
1928#endif
1929 return( ssl->conf->sig_algs );
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01001930
1931#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yuafdfed12021-12-22 10:49:02 +08001932
Jerry Yu6106fdc2022-01-12 16:36:14 +08001933 ((void) ssl);
Jerry Yu713013f2022-01-17 18:16:35 +08001934 return( NULL );
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01001935#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yuafdfed12021-12-22 10:49:02 +08001936}
Jerry Yuba073422021-12-20 22:22:15 +08001937
Jerry Yua23b9d92022-02-09 19:57:53 +08001938
Jerry Yu1bab3012022-01-19 17:43:22 +08001939#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu24811fb2022-01-19 18:02:15 +08001940
Jerry Yua23b9d92022-02-09 19:57:53 +08001941#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu8511f122022-01-29 10:01:04 +08001942static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl,
1943 uint16_t own_sig_alg )
1944{
Jerry Yu1bb5a1f2022-01-30 10:52:11 +08001945 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
1946 if( sig_alg == NULL )
1947 return( 0 );
1948
1949 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
1950 {
1951 if( *sig_alg == own_sig_alg )
1952 return( 1 );
1953 }
1954 return( 0 );
Jerry Yu8511f122022-01-29 10:01:04 +08001955}
Jerry Yua23b9d92022-02-09 19:57:53 +08001956#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu8511f122022-01-29 10:01:04 +08001957
Jerry Yu24811fb2022-01-19 18:02:15 +08001958static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
1959 uint16_t proposed_sig_alg )
1960{
1961 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
1962 if( sig_alg == NULL )
1963 return( 0 );
1964
1965 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
1966 {
1967 if( *sig_alg == proposed_sig_alg )
1968 return( 1 );
1969 }
1970 return( 0 );
1971}
1972
Jerry Yu8c338862022-03-23 13:34:04 +08001973#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1974static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yuf8aa9a42022-03-23 20:40:28 +08001975 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
Jerry Yu8c338862022-03-23 13:34:04 +08001976{
1977 *pk_type = MBEDTLS_PK_NONE;
1978 *md_alg = MBEDTLS_MD_NONE;
Jerry Yuf8aa9a42022-03-23 20:40:28 +08001979
Jerry Yu8c338862022-03-23 13:34:04 +08001980 switch( sig_alg )
1981 {
Jerry Yue26acee2022-03-23 21:01:33 +08001982#if defined(MBEDTLS_ECDSA_C)
1983
1984#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Jerry Yu8c338862022-03-23 13:34:04 +08001985 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1986 *md_alg = MBEDTLS_MD_SHA256;
1987 *pk_type = MBEDTLS_PK_ECDSA;
1988 break;
Jerry Yue26acee2022-03-23 21:01:33 +08001989#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
Jerry Yu8c338862022-03-23 13:34:04 +08001990
Jerry Yue26acee2022-03-23 21:01:33 +08001991#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Jerry Yu8c338862022-03-23 13:34:04 +08001992 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1993 *md_alg = MBEDTLS_MD_SHA384;
1994 *pk_type = MBEDTLS_PK_ECDSA;
1995 break;
Jerry Yue26acee2022-03-23 21:01:33 +08001996#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
Jerry Yu8c338862022-03-23 13:34:04 +08001997
Jerry Yue26acee2022-03-23 21:01:33 +08001998#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
Jerry Yu8c338862022-03-23 13:34:04 +08001999 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2000 *md_alg = MBEDTLS_MD_SHA512;
2001 *pk_type = MBEDTLS_PK_ECDSA;
2002 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002003#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Jerry Yu8c338862022-03-23 13:34:04 +08002004
Jerry Yue26acee2022-03-23 21:01:33 +08002005#endif /* MBEDTLS_ECDSA_C */
2006
2007#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
2008
2009#if defined(MBEDTLS_SHA256_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002010 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2011 *md_alg = MBEDTLS_MD_SHA256;
2012 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2013 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002014#endif /* MBEDTLS_SHA256_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002015
Jerry Yue26acee2022-03-23 21:01:33 +08002016#if defined(MBEDTLS_SHA384_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002017 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2018 *md_alg = MBEDTLS_MD_SHA384;
2019 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2020 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002021#endif /* MBEDTLS_SHA384_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002022
Jerry Yue26acee2022-03-23 21:01:33 +08002023#if defined(MBEDTLS_SHA512_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002024 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2025 *md_alg = MBEDTLS_MD_SHA512;
2026 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2027 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002028#endif /* MBEDTLS_SHA512_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002029
Jerry Yue26acee2022-03-23 21:01:33 +08002030#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
2031
2032#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
2033
2034#if defined(MBEDTLS_SHA256_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002035 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2036 *md_alg = MBEDTLS_MD_SHA256;
2037 *pk_type = MBEDTLS_PK_RSA;
2038 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002039#endif /* MBEDTLS_SHA256_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002040
Jerry Yue26acee2022-03-23 21:01:33 +08002041#if defined(MBEDTLS_SHA384_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002042 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2043 *md_alg = MBEDTLS_MD_SHA384;
2044 *pk_type = MBEDTLS_PK_RSA;
2045 break;
Jerry Yue26acee2022-03-23 21:01:33 +08002046#endif /* MBEDTLS_SHA384_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002047
Jerry Yue26acee2022-03-23 21:01:33 +08002048#if defined(MBEDTLS_SHA512_C)
Jerry Yu8c338862022-03-23 13:34:04 +08002049 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2050 *md_alg = MBEDTLS_MD_SHA512;
2051 *pk_type = MBEDTLS_PK_RSA;
2052 break;
Jerry Yu6c6f1022022-03-25 11:09:50 +08002053#endif /* MBEDTLS_SHA512_C */
Jerry Yue26acee2022-03-23 21:01:33 +08002054
2055#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
Jerry Yu8c338862022-03-23 13:34:04 +08002056
2057 default:
Jerry Yuf8aa9a42022-03-23 20:40:28 +08002058 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Jerry Yu8c338862022-03-23 13:34:04 +08002059 }
Jerry Yuf8aa9a42022-03-23 20:40:28 +08002060 return( 0 );
Jerry Yu8c338862022-03-23 13:34:04 +08002061}
2062#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2063
Jerry Yu1bab3012022-01-19 17:43:22 +08002064static inline int mbedtls_ssl_sig_alg_is_supported(
2065 const mbedtls_ssl_context *ssl,
2066 const uint16_t sig_alg )
2067{
2068
2069#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2070 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3)
2071 {
2072 /* High byte is hash */
2073 unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
2074 unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
2075
2076 switch( hash )
2077 {
Jerry Yu97198852022-01-21 16:16:01 +08002078#if defined(MBEDTLS_MD5_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002079 case MBEDTLS_SSL_HASH_MD5:
2080 break;
Jerry Yu97198852022-01-21 16:16:01 +08002081#endif
2082
2083#if defined(MBEDTLS_SHA1_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002084 case MBEDTLS_SSL_HASH_SHA1:
2085 break;
Jerry Yu97198852022-01-21 16:16:01 +08002086#endif
2087
2088#if defined(MBEDTLS_SHA224_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002089 case MBEDTLS_SSL_HASH_SHA224:
2090 break;
Jerry Yu97198852022-01-21 16:16:01 +08002091#endif
2092
2093#if defined(MBEDTLS_SHA256_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002094 case MBEDTLS_SSL_HASH_SHA256:
2095 break;
Jerry Yu97198852022-01-21 16:16:01 +08002096#endif
2097
2098#if defined(MBEDTLS_SHA384_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002099 case MBEDTLS_SSL_HASH_SHA384:
2100 break;
Jerry Yu97198852022-01-21 16:16:01 +08002101#endif
2102
2103#if defined(MBEDTLS_SHA512_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002104 case MBEDTLS_SSL_HASH_SHA512:
2105 break;
Jerry Yu97198852022-01-21 16:16:01 +08002106#endif
Jerry Yu1bab3012022-01-19 17:43:22 +08002107
2108 default:
2109 return( 0 );
2110 }
2111
2112 switch( sig )
2113 {
Jerry Yu97198852022-01-21 16:16:01 +08002114#if defined(MBEDTLS_RSA_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002115 case MBEDTLS_SSL_SIG_RSA:
2116 break;
Jerry Yu97198852022-01-21 16:16:01 +08002117#endif
Jerry Yu1bab3012022-01-19 17:43:22 +08002118
Jerry Yu97198852022-01-21 16:16:01 +08002119#if defined(MBEDTLS_ECDSA_C)
Jerry Yu1bab3012022-01-19 17:43:22 +08002120 case MBEDTLS_SSL_SIG_ECDSA:
2121 break;
Jerry Yu97198852022-01-21 16:16:01 +08002122#endif
Jerry Yu1bab3012022-01-19 17:43:22 +08002123
2124 default:
2125 return( 0 );
2126 }
2127
2128 return( 1 );
2129 }
2130#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2131
2132#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2133 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4)
2134 {
Jerry Yu8c338862022-03-23 13:34:04 +08002135 mbedtls_pk_type_t pk_type;
2136 mbedtls_md_type_t md_alg;
Jerry Yuf8aa9a42022-03-23 20:40:28 +08002137 return( ! mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
Jerry Yu8c338862022-03-23 13:34:04 +08002138 sig_alg, &pk_type, &md_alg ) );
Jerry Yu1bab3012022-01-19 17:43:22 +08002139 }
2140#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2141 ((void) ssl);
2142 ((void) sig_alg);
2143 return( 0 );
2144}
2145#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
2146
Jerry Yue12f1dd2022-01-13 14:38:22 +08002147#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2148 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2149#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
2150#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
2151 (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
2152#elif defined(MBEDTLS_ECDSA_C)
2153#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA),
2154#elif defined(MBEDTLS_RSA_C)
2155#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
2156#else
2157#define MBEDTLS_SSL_SIG_ALG( hash )
2158#endif /* MBEDTLS_ECDSA_C && MBEDTLS_RSA_C */
2159#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002160#if defined(MBEDTLS_USE_PSA_CRYPTO)
2161/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2162 * Same value is used fo PSA_ALG_CATEGORY_CIPHER, hence it is
2163 * guaranteed to not be a valid PSA algorithm identifier.
2164 */
2165#define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2166
2167/**
2168 * \brief Translate mbedtls cipher type/taglen pair to psa:
2169 * algorithm, key type and key size.
2170 *
2171 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2172 * \param taglen [in] given tag length
2173 * 0 - default tag length
2174 * \param alg [out] corresponding PSA alg
2175 * There is no corresponding PSA
Przemyslaw Stekiel8c010eb2022-02-03 10:44:02 +01002176 * alg for MBEDTLS_CIPHER_NULL, so
2177 * in this case MBEDTLS_SSL_NULL_CIPHER
2178 * is returned via this parameter
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002179 * \param key_type [out] corresponding PSA key type
2180 * \param key_size [out] corresponding PSA key size
2181 *
2182 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2183 * conversion is not supported.
2184 */
2185psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
2186 size_t taglen,
2187 psa_algorithm_t *alg,
2188 psa_key_type_t *key_type,
2189 size_t *key_size );
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +01002190#endif /* MBEDTLS_USE_PSA_CRYPTO */
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002191
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +01002192#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002193/**
2194 * \brief Convert given PSA status to mbedtls error code.
2195 *
2196 * \param status [in] given PSA status
2197 *
2198 * \return corresponding mbedtls error code
2199 */
Przemyslaw Stekiel77aec8d2022-01-31 20:22:53 +01002200static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002201{
2202 switch( status )
2203 {
2204 case PSA_SUCCESS:
2205 return( 0 );
2206 case PSA_ERROR_INSUFFICIENT_MEMORY:
2207 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
2208 case PSA_ERROR_NOT_SUPPORTED:
2209 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
Przemyslaw Stekiel89dad932022-01-31 09:18:07 +01002210 case PSA_ERROR_INVALID_SIGNATURE:
2211 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002212 default:
2213 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
2214 }
2215}
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +01002216#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu1bab3012022-01-19 17:43:22 +08002217
Chris Jones84a773f2021-03-05 18:38:47 +00002218#endif /* ssl_misc.h */