blob: 3aeab0cd84bc1b13e71f0a398c7053292e2984fc [file] [log] [blame]
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001/**
Chris Jones84a773f2021-03-05 18:38:47 +00002 * \file ssl_misc.h
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02003 *
4 * \brief Internal functions shared by the SSL modules
Darryl Greena40a1012018-01-05 15:33:17 +00005 */
6/*
Bence Szépkúti1e148272020-08-07 13:07:28 +02007 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02008 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020021 */
Chris Jones84a773f2021-03-05 18:38:47 +000022#ifndef MBEDTLS_SSL_MISC_H
23#define MBEDTLS_SSL_MISC_H
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020024
Bence Szépkútic662b362021-05-27 11:25:03 +020025#include "mbedtls/build_info.h"
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050026
Jaeden Amero6609aef2019-07-04 20:01:14 +010027#include "mbedtls/ssl.h"
28#include "mbedtls/cipher.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020029
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +010030#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Andrzej Kurekeb342242019-01-29 09:14:33 -050031#include "psa/crypto.h"
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +010032#include "mbedtls/psa_util.h"
Manuel Pégourié-Gonnardabac0372022-07-18 13:41:11 +020033#include "hash_info.h"
Andrzej Kurekeb342242019-01-29 09:14:33 -050034#endif
Manuel Pégourié-Gonnard07018f92022-09-15 11:29:35 +020035#include "mbedtls/legacy_or_psa.h"
Andrzej Kurekeb342242019-01-29 09:14:33 -050036
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020037#if defined(MBEDTLS_MD5_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010038#include "mbedtls/md5.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020039#endif
40
41#if defined(MBEDTLS_SHA1_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010042#include "mbedtls/sha1.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020043#endif
44
45#if defined(MBEDTLS_SHA256_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010046#include "mbedtls/sha256.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020047#endif
48
49#if defined(MBEDTLS_SHA512_C)
Jaeden Amero6609aef2019-07-04 20:01:14 +010050#include "mbedtls/sha512.h"
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020051#endif
52
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +020053#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jaeden Amero6609aef2019-07-04 20:01:14 +010054#include "mbedtls/ecjpake.h"
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +020055#endif
56
Jerry Yu1bab3012022-01-19 17:43:22 +080057#include "common.h"
58
Manuel Pégourié-Gonnard0223ab92015-10-05 11:40:01 +010059#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
60 !defined(inline) && !defined(__cplusplus)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020061#define inline __inline
Manuel Pégourié-Gonnard20af64d2015-07-07 18:33:39 +020062#endif
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020063
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +020064/* Shorthand for restartable ECC */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +020065#if defined(MBEDTLS_ECP_RESTARTABLE) && \
66 defined(MBEDTLS_SSL_CLI_C) && \
67 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
68 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskineeccd8882020-03-10 12:19:08 +010069#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +020070#endif
71
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020072#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
73#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
74#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
75#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
76
77/*
Jerry Yu8e7ca042021-08-26 15:31:37 +080078 * Mask of TLS 1.3 handshake extensions used in extensions_present
79 * of mbedtls_ssl_handshake_params.
80 */
81#define MBEDTLS_SSL_EXT_NONE 0
82
83#define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 )
84#define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 )
85#define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 )
86#define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 )
87#define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 )
88#define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 )
89#define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 )
90#define MBEDTLS_SSL_EXT_ALPN ( 1 << 7 )
91#define MBEDTLS_SSL_EXT_SCT ( 1 << 8 )
Jerry Yu995ecd32021-08-30 17:53:49 +080092#define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 )
93#define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 )
Jerry Yu8e7ca042021-08-26 15:31:37 +080094#define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 )
95#define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 )
96#define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 )
97#define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 )
98#define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 )
99#define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 )
100#define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 )
101#define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 )
102#define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 )
103#define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 )
104#define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 )
Jerry Yu93bcd612021-08-18 12:47:24 +0800105
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800106/* In messages containing extension requests, we should ignore unrecognized
107 * extensions. In messages containing extension responses, unrecognized
108 * extensions should result in handshake abortion. Messages containing
109 * extension requests include ClientHello, CertificateRequest and
110 * NewSessionTicket. Messages containing extension responses include
111 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
Jerry Yue18dc7e2022-08-04 16:29:22 +0800112 *
Jerry Yud15992d2022-08-29 10:58:31 +0800113 * RFC 8446 section 4.1.3
Jerry Yue18dc7e2022-08-04 16:29:22 +0800114 *
115 * The ServerHello MUST only include extensions which are required to establish
116 * the cryptographic context and negotiate the protocol version.
117 *
Jerry Yud15992d2022-08-29 10:58:31 +0800118 * RFC 8446 section 4.2
Jerry Yue18dc7e2022-08-04 16:29:22 +0800119 *
120 * If an implementation receives an extension which it recognizes and which is
121 * not specified for the message in which it appears, it MUST abort the handshake
122 * with an "illegal_parameter" alert.
123 */
124#define MBEDTLS_SSL_EXT_UNRECOGNIZED ( 1U << 31 )
125
Jerry Yud15992d2022-08-29 10:58:31 +0800126/* RFC 8446 section 4.2. Allowed extensions for ClienHello */
Jerry Yue18dc7e2022-08-04 16:29:22 +0800127#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
128 ( MBEDTLS_SSL_EXT_SERVERNAME | \
129 MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \
130 MBEDTLS_SSL_EXT_STATUS_REQUEST | \
131 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \
132 MBEDTLS_SSL_EXT_SIG_ALG | \
133 MBEDTLS_SSL_EXT_USE_SRTP | \
134 MBEDTLS_SSL_EXT_HEARTBEAT | \
135 MBEDTLS_SSL_EXT_ALPN | \
136 MBEDTLS_SSL_EXT_SCT | \
137 MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \
138 MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \
139 MBEDTLS_SSL_EXT_PADDING | \
140 MBEDTLS_SSL_EXT_KEY_SHARE | \
141 MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \
142 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES | \
143 MBEDTLS_SSL_EXT_EARLY_DATA | \
144 MBEDTLS_SSL_EXT_COOKIE | \
145 MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \
146 MBEDTLS_SSL_EXT_CERT_AUTH | \
147 MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH | \
148 MBEDTLS_SSL_EXT_SIG_ALG_CERT | \
149 MBEDTLS_SSL_EXT_UNRECOGNIZED )
150
Jerry Yud15992d2022-08-29 10:58:31 +0800151/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
Jerry Yue18dc7e2022-08-04 16:29:22 +0800152#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
153 ( MBEDTLS_SSL_EXT_SERVERNAME | \
154 MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \
155 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \
156 MBEDTLS_SSL_EXT_USE_SRTP | \
157 MBEDTLS_SSL_EXT_HEARTBEAT | \
158 MBEDTLS_SSL_EXT_ALPN | \
159 MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \
160 MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \
Jerry Yud15992d2022-08-29 10:58:31 +0800161 MBEDTLS_SSL_EXT_EARLY_DATA )
Jerry Yue18dc7e2022-08-04 16:29:22 +0800162
Jerry Yud15992d2022-08-29 10:58:31 +0800163/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
Jerry Yue18dc7e2022-08-04 16:29:22 +0800164#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
165 ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \
166 MBEDTLS_SSL_EXT_SIG_ALG | \
167 MBEDTLS_SSL_EXT_SCT | \
168 MBEDTLS_SSL_EXT_CERT_AUTH | \
169 MBEDTLS_SSL_EXT_OID_FILTERS | \
170 MBEDTLS_SSL_EXT_SIG_ALG_CERT | \
171 MBEDTLS_SSL_EXT_UNRECOGNIZED )
172
Jerry Yud15992d2022-08-29 10:58:31 +0800173/* RFC 8446 section 4.2. Allowed extensions for Certificate */
Jerry Yue18dc7e2022-08-04 16:29:22 +0800174#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
175 ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \
Jerry Yud15992d2022-08-29 10:58:31 +0800176 MBEDTLS_SSL_EXT_SCT )
Jerry Yue18dc7e2022-08-04 16:29:22 +0800177
Jerry Yud15992d2022-08-29 10:58:31 +0800178/* RFC 8446 section 4.2. Allowed extensions for ServerHello */
Jerry Yue18dc7e2022-08-04 16:29:22 +0800179#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
180 ( MBEDTLS_SSL_EXT_KEY_SHARE | \
181 MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \
182 MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
183
Jerry Yud15992d2022-08-29 10:58:31 +0800184/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
Jerry Yue18dc7e2022-08-04 16:29:22 +0800185#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
186 ( MBEDTLS_SSL_EXT_KEY_SHARE | \
187 MBEDTLS_SSL_EXT_COOKIE | \
Jerry Yud15992d2022-08-29 10:58:31 +0800188 MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
Jerry Yue18dc7e2022-08-04 16:29:22 +0800189
Jerry Yud15992d2022-08-29 10:58:31 +0800190/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
Jerry Yue18dc7e2022-08-04 16:29:22 +0800191#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
192 ( MBEDTLS_SSL_EXT_EARLY_DATA | \
193 MBEDTLS_SSL_EXT_UNRECOGNIZED )
194
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800195/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800196 * Helper macros for function call with return check.
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800197 */
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800198/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800199 * Exit when return non-zero value
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800200 */
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800201#define MBEDTLS_SSL_PROC_CHK( f ) \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800202 do { \
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800203 ret = ( f ); \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800204 if( ret != 0 ) \
205 { \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800206 goto cleanup; \
207 } \
208 } while( 0 )
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800209/*
Jerry Yu8c02bb42021-09-03 21:09:22 +0800210 * Exit when return negative value
Jerry Yu5cc8f0a2021-08-27 17:21:44 +0800211 */
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800212#define MBEDTLS_SSL_PROC_CHK_NEG( f ) \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800213 do { \
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800214 ret = ( f ); \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800215 if( ret < 0 ) \
216 { \
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800217 goto cleanup; \
218 } \
219 } while( 0 )
220
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200221/*
222 * DTLS retransmission states, see RFC 6347 4.2.4
223 *
224 * The SENDING state is merged in PREPARING for initial sends,
225 * but is distinct for resends.
226 *
227 * Note: initial state is wrong for server, but is not used anyway.
228 */
229#define MBEDTLS_SSL_RETRANS_PREPARING 0
230#define MBEDTLS_SSL_RETRANS_SENDING 1
231#define MBEDTLS_SSL_RETRANS_WAITING 2
232#define MBEDTLS_SSL_RETRANS_FINISHED 3
233
234/*
235 * Allow extra bytes for record, authentication and encryption overhead:
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100236 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200237 */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200238
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200239#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Hanno Becker0cc46612020-11-30 08:56:52 +0000240
Manuel Pégourié-Gonnard05579c42020-07-31 12:53:39 +0200241/* This macro determines whether CBC is supported. */
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200242#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
243 ( defined(MBEDTLS_AES_C) || \
244 defined(MBEDTLS_CAMELLIA_C) || \
245 defined(MBEDTLS_ARIA_C) || \
246 defined(MBEDTLS_DES_C) )
247#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
248#endif
249
Hanno Becker0cc46612020-11-30 08:56:52 +0000250/* This macro determines whether a ciphersuite using a
251 * stream cipher can be used. */
252#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
253#define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
254#endif
255
TRodziewicz0f82ec62021-05-12 17:49:18 +0200256/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
Manuel Pégourié-Gonnarded0e8642020-07-21 11:20:30 +0200257#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
TRodziewicz0f82ec62021-05-12 17:49:18 +0200258 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnarded0e8642020-07-21 11:20:30 +0200259#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
260#endif
261
Hanno Becker31351ce2021-03-22 11:05:58 +0000262#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
Manuel Pégourié-Gonnard2df1f1f2020-07-09 12:11:39 +0200263 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000264#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
Hanno Becker52344c22018-01-03 15:24:20 +0000265#endif
266
Neil Armstrongf2c82f02022-04-05 11:16:53 +0200267/* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
268#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
269 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
270#define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
271#endif
272
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200273#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Hanno Becker0cc46612020-11-30 08:56:52 +0000274
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000275#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200276/* Ciphersuites using HMAC */
Andrzej Kurek25f27152022-08-17 16:09:31 -0400277#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200278#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
Andrzej Kurek25f27152022-08-17 16:09:31 -0400279#elif defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200280#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
281#else
282#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
283#endif
Hanno Beckerfd86ca82020-11-30 08:54:23 +0000284#else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200285/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
286#define MBEDTLS_SSL_MAC_ADD 16
287#endif
288
289#if defined(MBEDTLS_CIPHER_MODE_CBC)
290#define MBEDTLS_SSL_PADDING_ADD 256
291#else
292#define MBEDTLS_SSL_PADDING_ADD 0
293#endif
294
Hanno Beckera0e20d02019-05-15 14:03:01 +0100295#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
TRodziewicze8dd7092021-05-12 14:19:11 +0200296#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
Hanno Becker6cbad552019-05-08 15:40:11 +0100297#else
298#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
299#endif
300
Mateusz Starzyka3a99842021-02-19 14:27:22 +0100301#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH + \
Angus Grattond8213d02016-05-25 20:56:48 +1000302 MBEDTLS_SSL_MAC_ADD + \
Hanno Becker6cbad552019-05-08 15:40:11 +0100303 MBEDTLS_SSL_PADDING_ADD + \
304 MBEDTLS_SSL_MAX_CID_EXPANSION \
Angus Grattond8213d02016-05-25 20:56:48 +1000305 )
306
307#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
308 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
309
310#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
311 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
312
Hanno Becker0271f962018-08-16 13:23:47 +0100313/* The maximum number of buffered handshake messages. */
Hanno Beckerd488b9e2018-08-16 16:35:37 +0100314#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
Hanno Becker0271f962018-08-16 13:23:47 +0100315
Angus Grattond8213d02016-05-25 20:56:48 +1000316/* Maximum length we can advertise as our max content length for
317 RFC 6066 max_fragment_length extension negotiation purposes
318 (the lesser of both sizes, if they are unequal.)
319 */
320#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
321 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
322 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
323 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
324 )
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200325
Jerry Yu4131ec12022-01-19 10:36:30 +0800326/* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
327#define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
328
Jerry Yu8afd6e42022-01-20 15:54:26 +0800329/* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
Jerry Yu4131ec12022-01-19 10:36:30 +0800330#define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
Hanno Beckere131bfe2017-04-12 14:54:42 +0100331
332/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
333#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
334
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000335#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000336
Ronald Crone68ab4f2022-10-05 12:46:29 +0200337#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Gabor Mezei15b95a62022-05-09 16:37:58 +0200338
Gabor Mezei24c7c2b2022-05-10 12:51:14 +0200339#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
340
Gabor Mezei15b95a62022-05-09 16:37:58 +0200341#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gabor Mezei3631cf62022-05-10 12:59:00 +0200342#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
343#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
344#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
Gabor Mezei15b95a62022-05-09 16:37:58 +0200345#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
346
Ronald Crone68ab4f2022-10-05 12:46:29 +0200347#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Gabor Mezei15b95a62022-05-09 16:37:58 +0200348
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200349/*
Hanno Beckera8434e82017-09-18 10:54:39 +0100350 * Check that we obey the standard's message size bounds
351 */
352
David Horstmann95d516f2021-05-04 18:36:56 +0100353#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
354#error "Bad configuration - incoming record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100355#endif
356
David Horstmann95d516f2021-05-04 18:36:56 +0100357#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
358#error "Bad configuration - outgoing record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100359#endif
360
David Horstmann95d516f2021-05-04 18:36:56 +0100361#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
Angus Grattond8213d02016-05-25 20:56:48 +1000362#error "Bad configuration - incoming protected record payload too large."
363#endif
364
David Horstmann95d516f2021-05-04 18:36:56 +0100365#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
Angus Grattond8213d02016-05-25 20:56:48 +1000366#error "Bad configuration - outgoing protected record payload too large."
367#endif
368
369/* Calculate buffer sizes */
370
Hanno Becker25d6d1a2017-12-07 08:22:51 +0000371/* Note: Even though the TLS record header is only 5 bytes
372 long, we're internally using 8 bytes to store the
373 implicit sequence number. */
Hanno Beckerd25d4442017-10-04 13:56:42 +0100374#define MBEDTLS_SSL_HEADER_LEN 13
Hanno Beckera8434e82017-09-18 10:54:39 +0100375
Andrzej Kurek033c42a2020-03-03 05:57:59 -0500376#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000377#define MBEDTLS_SSL_IN_BUFFER_LEN \
378 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100379#else
380#define MBEDTLS_SSL_IN_BUFFER_LEN \
381 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
382 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
383#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000384
Andrzej Kurek033c42a2020-03-03 05:57:59 -0500385#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Angus Grattond8213d02016-05-25 20:56:48 +1000386#define MBEDTLS_SSL_OUT_BUFFER_LEN \
387 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
Hanno Becker6cbad552019-05-08 15:40:11 +0100388#else
389#define MBEDTLS_SSL_OUT_BUFFER_LEN \
390 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
391 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
392#endif
Angus Grattond8213d02016-05-25 20:56:48 +1000393
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800394#define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
395#define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
396
Hanno Becker9752aad2021-04-21 05:54:33 +0100397#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
398/**
399 * \brief Return the maximum fragment length (payload, in bytes) for
400 * the output buffer. For the client, this is the configured
401 * value. For the server, it is the minimum of two - the
402 * configured value and the negotiated one.
403 *
404 * \sa mbedtls_ssl_conf_max_frag_len()
405 * \sa mbedtls_ssl_get_max_out_record_payload()
406 *
407 * \param ssl SSL context
408 *
409 * \return Current maximum fragment length for the output buffer.
410 */
411size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
412
413/**
414 * \brief Return the maximum fragment length (payload, in bytes) for
415 * the input buffer. This is the negotiated maximum fragment
Hanno Beckerdf3b8632021-06-08 05:30:45 +0100416 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
Hanno Becker9752aad2021-04-21 05:54:33 +0100417 * If it is not defined either, the value is 2^14. This function
418 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
419 *
420 * \sa mbedtls_ssl_conf_max_frag_len()
421 * \sa mbedtls_ssl_get_max_in_record_payload()
422 *
423 * \param ssl SSL context
424 *
425 * \return Current maximum fragment length for the output buffer.
426 */
427size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
428#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
429
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500430#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500431static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500432{
433#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500434 return mbedtls_ssl_get_output_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500435 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
436 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
437#else
Andrzej Kurek069fa962021-01-07 08:02:15 -0500438 return mbedtls_ssl_get_output_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500439 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
440#endif
441}
442
Andrzej Kurek069fa962021-01-07 08:02:15 -0500443static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500444{
445#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
Andrzej Kurek069fa962021-01-07 08:02:15 -0500446 return mbedtls_ssl_get_input_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500447 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
448 + MBEDTLS_SSL_CID_IN_LEN_MAX;
449#else
Andrzej Kurek069fa962021-01-07 08:02:15 -0500450 return mbedtls_ssl_get_input_max_frag_len( ctx )
Andrzej Kurek0afa2a12020-03-03 10:39:58 -0500451 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
452#endif
453}
454#endif
455
Hanno Beckera8434e82017-09-18 10:54:39 +0100456/*
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200457 * TLS extension flags (for extensions with outgoing ServerHello content
458 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
459 * of state of the renegotiation flag, so no indicator is required)
460 */
461#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200462#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200463
Hanno Becker51018aa2017-04-12 14:54:42 +0100464/**
465 * \brief This function checks if the remaining size in a buffer is
466 * greater or equal than a needed space.
467 *
468 * \param cur Pointer to the current position in the buffer.
469 * \param end Pointer to one past the end of the buffer.
470 * \param need Needed space in bytes.
471 *
Ronald Cronb7b35e12020-06-11 09:50:51 +0200472 * \return Zero if the needed space is available in the buffer, non-zero
Hanno Becker51018aa2017-04-12 14:54:42 +0100473 * otherwise.
474 */
Ronald Cronad8c17b2022-06-10 17:18:09 +0200475#if ! defined(MBEDTLS_TEST_HOOKS)
Hanno Becker51018aa2017-04-12 14:54:42 +0100476static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
477 const uint8_t *end, size_t need )
478{
Ronald Cronb7b35e12020-06-11 09:50:51 +0200479 return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
Hanno Becker51018aa2017-04-12 14:54:42 +0100480}
Ronald Cronad8c17b2022-06-10 17:18:09 +0200481#else
482typedef struct
483{
484 const uint8_t *cur;
485 const uint8_t *end;
486 size_t need;
487} mbedtls_ssl_chk_buf_ptr_args;
488
489void mbedtls_ssl_set_chk_buf_ptr_fail_args(
490 const uint8_t *cur, const uint8_t *end, size_t need );
491void mbedtls_ssl_reset_chk_buf_ptr_fail_args( void );
Ronald Cronce7d76e2022-07-08 18:56:49 +0200492
493MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cronad8c17b2022-06-10 17:18:09 +0200494int mbedtls_ssl_cmp_chk_buf_ptr_fail_args( mbedtls_ssl_chk_buf_ptr_args *args );
495
496static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
497 const uint8_t *end, size_t need )
498{
499 if( ( cur > end ) || ( need > (size_t)( end - cur ) ) )
500 {
501 mbedtls_ssl_set_chk_buf_ptr_fail_args( cur, end, need );
502 return( 1 );
503 }
504 return( 0 );
505}
Ronald Croncf600bc2022-06-17 15:54:16 +0200506#endif /* MBEDTLS_TEST_HOOKS */
Hanno Becker51018aa2017-04-12 14:54:42 +0100507
508/**
509 * \brief This macro checks if the remaining size in a buffer is
510 * greater or equal than a needed space. If it is not the case,
511 * it returns an SSL_BUFFER_TOO_SMALL error.
512 *
513 * \param cur Pointer to the current position in the buffer.
514 * \param end Pointer to one past the end of the buffer.
515 * \param need Needed space in bytes.
516 *
517 */
518#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
519 do { \
Ronald Cronb7b35e12020-06-11 09:50:51 +0200520 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
Hanno Becker51018aa2017-04-12 14:54:42 +0100521 { \
522 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
523 } \
524 } while( 0 )
525
Jerry Yu34da3722021-09-19 18:05:08 +0800526/**
Jerry Yue15e6652021-09-28 21:06:07 +0800527 * \brief This macro checks if the remaining length in an input buffer is
528 * greater or equal than a needed length. If it is not the case, it
Jerry Yu205fd822021-10-08 16:16:24 +0800529 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
Jerry Yudca3d5d2021-10-08 14:19:29 +0800530 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
Jerry Yue4eefc72021-10-09 10:40:40 +0800531 *
532 * This is a function-like macro. It is guaranteed to evaluate each
533 * argument exactly once.
Jerry Yu34da3722021-09-19 18:05:08 +0800534 *
535 * \param cur Pointer to the current position in the buffer.
536 * \param end Pointer to one past the end of the buffer.
Jerry Yue15e6652021-09-28 21:06:07 +0800537 * \param need Needed length in bytes.
Jerry Yu34da3722021-09-19 18:05:08 +0800538 *
539 */
540#define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
541 do { \
542 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
543 { \
544 MBEDTLS_SSL_DEBUG_MSG( 1, \
545 ( "missing input data in %s", __func__ ) ); \
546 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
547 MBEDTLS_ERR_SSL_DECODE_ERROR ); \
548 return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
549 } \
550 } while( 0 )
551
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200552#ifdef __cplusplus
553extern "C" {
554#endif
555
Ron Eldor51d3ab52019-05-12 14:54:30 +0300556typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
557 const char *label,
558 const unsigned char *random, size_t rlen,
559 unsigned char *dstbuf, size_t dlen );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100560
Hanno Becker61baae72020-09-16 09:24:14 +0100561/* cipher.h exports the maximum IV, key and block length from
Hanno Becker15889832020-09-08 11:29:11 +0100562 * all ciphers enabled in the config, regardless of whether those
563 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
564 * in the default configuration and uses 64 Byte keys, but it is
565 * not used for record protection in SSL/TLS.
566 *
567 * In order to prevent unnecessary inflation of key structures,
568 * we introduce SSL-specific variants of the max-{key,block,IV}
569 * macros here which are meant to only take those ciphers into
570 * account which can be negotiated in SSL/TLS.
571 *
572 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
573 * in cipher.h are rough overapproximations of the real maxima, here
Hanno Becker9a7a2ac2020-09-09 09:24:54 +0100574 * we content ourselves with replicating those overapproximations
Hanno Becker15889832020-09-08 11:29:11 +0100575 * for the maximum block and IV length, and excluding XTS from the
576 * computation of the maximum key length. */
577#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
578#define MBEDTLS_SSL_MAX_IV_LENGTH 16
579#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
580
Hanno Becker3385a4d2020-08-21 13:03:34 +0100581/**
582 * \brief The data structure holding the cryptographic material (key and IV)
583 * used for record protection in TLS 1.3.
584 */
585struct mbedtls_ssl_key_set
586{
587 /*! The key for client->server records. */
Hanno Becker15889832020-09-08 11:29:11 +0100588 unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100589 /*! The key for server->client records. */
Hanno Becker15889832020-09-08 11:29:11 +0100590 unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100591 /*! The IV for client->server records. */
Hanno Becker15889832020-09-08 11:29:11 +0100592 unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100593 /*! The IV for server->client records. */
Hanno Becker15889832020-09-08 11:29:11 +0100594 unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
Hanno Becker3385a4d2020-08-21 13:03:34 +0100595
Hanno Becker493ea7f2020-09-08 11:01:00 +0100596 size_t key_len; /*!< The length of client_write_key and
597 * server_write_key, in Bytes. */
598 size_t iv_len; /*!< The length of client_write_iv and
599 * server_write_iv, in Bytes. */
Hanno Becker3385a4d2020-08-21 13:03:34 +0100600};
601typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
Hanno Becker3385a4d2020-08-21 13:03:34 +0100602
Jerry Yu61e35e02021-09-16 18:59:08 +0800603typedef struct
604{
Jerry Yuf532bb22021-10-13 10:34:03 +0800605 unsigned char binder_key [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
606 unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
607 unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Xiaofei Bai746f9482021-11-12 08:53:56 +0000608} mbedtls_ssl_tls13_early_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800609
610typedef struct
611{
Jerry Yuf532bb22021-10-13 10:34:03 +0800612 unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
613 unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Xiaofei Bai746f9482021-11-12 08:53:56 +0000614} mbedtls_ssl_tls13_handshake_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800615
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200616/*
617 * This structure contains the parameters only needed during handshake.
618 */
619struct mbedtls_ssl_handshake_params
620{
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100621 /* Frequently-used boolean or byte fields (placed early to take
622 * advantage of smaller code size for indirect access on Arm Thumb) */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100623 uint8_t resume; /*!< session resume indicator*/
624 uint8_t cli_exts; /*!< client extension presence*/
625
Glenn Straussbbdc83b2022-04-12 07:31:46 -0400626#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
627 uint8_t sni_authmode; /*!< authmode from SNI callback */
628#endif
629
XiaokangQian189ded22022-05-10 08:12:17 +0000630#if defined(MBEDTLS_SSL_SRV_C)
XiaokangQianc3017f62022-05-13 05:55:41 +0000631 /* Flag indicating if a CertificateRequest message has been sent
632 * to the client or not. */
XiaokangQian63e713e2022-05-15 04:26:57 +0000633 uint8_t certificate_request_sent;
XiaokangQian189ded22022-05-10 08:12:17 +0000634#endif /* MBEDTLS_SSL_SRV_C */
635
Glenn Straussbbdc83b2022-04-12 07:31:46 -0400636#if defined(MBEDTLS_SSL_SESSION_TICKETS)
637 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
638#endif /* MBEDTLS_SSL_SESSION_TICKETS */
639
Ronald Cron82c785f2022-03-31 15:44:41 +0200640#if defined(MBEDTLS_SSL_CLI_C)
Ronald Cron217d6992022-04-04 10:23:22 +0200641 /** Minimum TLS version to be negotiated.
Ronald Cronbdb4f582022-03-31 15:37:44 +0200642 *
Ronald Cron217d6992022-04-04 10:23:22 +0200643 * It is set up in the ClientHello writing preparation stage and used
644 * throughout the ClientHello writing. Not relevant anymore as soon as
645 * the protocol version has been negotiated thus as soon as the
646 * ServerHello is received.
647 * For a fresh handshake not linked to any previous handshake, it is
648 * equal to the configured minimum minor version to be negotiated. When
649 * renegotiating or resuming a session, it is equal to the previously
650 * negotiated minor version.
Ronald Cronbdb4f582022-03-31 15:37:44 +0200651 *
Ronald Cron217d6992022-04-04 10:23:22 +0200652 * There is no maximum TLS version field in this handshake context.
653 * From the start of the handshake, we need to define a current protocol
654 * version for the record layer which we define as the maximum TLS
655 * version to be negotiated. The `tls_version` field of the SSL context is
656 * used to store this maximum value until it contains the actual
657 * negotiated value.
Ronald Cronbdb4f582022-03-31 15:37:44 +0200658 */
Glenn Straussbbdc83b2022-04-12 07:31:46 -0400659 mbedtls_ssl_protocol_version min_tls_version;
Ronald Cron82c785f2022-03-31 15:44:41 +0200660#endif
Ronald Cron86a477f2022-02-18 17:45:10 +0100661
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100662#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
663 uint8_t extended_ms; /*!< use Extended Master Secret? */
664#endif
665
666#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
667 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
668#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
669
670#if defined(MBEDTLS_SSL_PROTO_DTLS)
671 unsigned char retransmit_state; /*!< Retransmission state */
672#endif
673
Gilles Peskine41139a22021-12-08 18:25:39 +0100674#if !defined(MBEDTLS_DEPRECATED_REMOVED)
675 unsigned char group_list_heap_allocated;
Jerry Yuf017ee42022-01-12 15:49:48 +0800676 unsigned char sig_algs_heap_allocated;
Gilles Peskine41139a22021-12-08 18:25:39 +0100677#endif
678
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100679#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
680 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100681 enum { /* this complements ssl->state with info on intra-state operations */
682 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
683 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
684 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
685 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
686 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
687 } ecrs_state; /*!< current (or last) operation */
688 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
689 size_t ecrs_n; /*!< place for saving a length */
690#endif
691
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100692 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
693
694 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
695 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
696 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
697 mbedtls_ssl_tls_prf_cb *tls_prf;
698
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200699 /*
700 * Handshake specific crypto variables
701 */
Ronald Cron6f135e12021-12-08 16:57:54 +0100702#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Ronald Cron85385492022-07-20 16:44:00 +0200703 uint8_t key_exchange_mode; /*!< Selected key exchange mode */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100704
Jerry Yu6a2cd9e2022-05-05 11:14:19 +0800705 /** Number of HelloRetryRequest messages received/sent from/to the server. */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000706 int hello_retry_request_count;
Ronald Cronbc817ba2022-07-21 09:35:20 +0200707
XiaokangQian08037552022-04-20 07:16:41 +0000708#if defined(MBEDTLS_SSL_SRV_C)
XiaokangQian318dc762022-04-20 09:43:51 +0000709 /** selected_group of key_share extension in HelloRetryRequest message. */
XiaokangQian08037552022-04-20 07:16:41 +0000710 uint16_t hrr_selected_group;
Ronald Cron41a443a2022-10-04 16:38:25 +0200711#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Ronald Cronbc817ba2022-07-21 09:35:20 +0200712 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
713#endif
Jerry Yud4e75002022-08-09 13:33:50 +0800714#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf3bdf9d2022-09-22 23:30:49 +0800715 uint16_t new_session_tickets_count; /*!< number of session tickets */
Jerry Yud4e75002022-08-09 13:33:50 +0800716#endif
XiaokangQian08037552022-04-20 07:16:41 +0000717#endif /* MBEDTLS_SSL_SRV_C */
Ronald Cronbc817ba2022-07-21 09:35:20 +0200718
Jerry Yu582dd062022-04-22 21:59:01 +0800719#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
XiaokangQian08037552022-04-20 07:16:41 +0000720
Ronald Crone68ab4f2022-10-05 12:46:29 +0200721#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Xiaofei Baif5b4d252022-01-28 06:37:15 +0000722 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
723#endif
724
Gilles Peskine41139a22021-12-08 18:25:39 +0100725#if !defined(MBEDTLS_DEPRECATED_REMOVED)
726 const uint16_t *group_list;
Jerry Yuf017ee42022-01-12 15:49:48 +0800727 const uint16_t *sig_algs;
Gilles Peskine41139a22021-12-08 18:25:39 +0100728#endif
729
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200730#if defined(MBEDTLS_DHM_C)
731 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
732#endif
Gilles Peskine8716f172021-11-16 15:21:44 +0100733
John Durkop07cc04a2020-11-16 22:08:34 -0800734/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
Ronald Cronde1adee2022-03-07 16:20:30 +0100735 * to guards in client and server code. There is a gap in functionality that
736 * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not
737 * seem correct.
John Durkop07cc04a2020-11-16 22:08:34 -0800738 */
739#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Neil Armstrong769dc052022-04-13 15:12:43 +0200740#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200741 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
Neil Armstrong769dc052022-04-13 15:12:43 +0200742#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000743
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +0100744#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Gilles Peskine42459802019-12-19 13:31:53 +0100745 psa_key_type_t ecdh_psa_type;
Neil Armstrong91477a72022-03-25 15:42:20 +0100746 size_t ecdh_bits;
Andrzej Kurek03e01462022-01-03 12:53:24 +0100747 mbedtls_svc_key_id_t ecdh_psa_privkey;
Neil Armstrongf716a702022-04-04 11:23:46 +0200748 uint8_t ecdh_psa_privkey_is_external;
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000749 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
750 size_t ecdh_psa_peerkey_len;
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +0100751#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
John Durkop07cc04a2020-11-16 22:08:34 -0800752#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000753
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200754#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200755 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200756#if defined(MBEDTLS_SSL_CLI_C)
757 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
758 size_t ecjpake_cache_len; /*!< Length of cached data */
759#endif
Hanno Becker1aa267c2017-04-28 17:08:27 +0100760#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine8716f172021-11-16 15:21:44 +0100761
762#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200763 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200764 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
765#endif
Gilles Peskine8716f172021-11-16 15:21:44 +0100766
Ronald Cron73fe8df2022-10-05 14:31:43 +0200767#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100768#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek03e01462022-01-03 12:53:24 +0100769 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
Neil Armstrong501c9322022-05-03 09:35:09 +0200770 uint8_t psk_opaque_is_internal;
Neil Armstronge952a302022-05-03 10:22:14 +0200771#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200772 unsigned char *psk; /*!< PSK from the callback */
773 size_t psk_len; /*!< Length of PSK from callback */
Neil Armstronge952a302022-05-03 10:22:14 +0200774#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jerry Yu96a2e362022-07-21 15:11:34 +0800775 uint16_t selected_identity;
Ronald Cron73fe8df2022-10-05 14:31:43 +0200776#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Gilles Peskine8716f172021-11-16 15:21:44 +0100777
Gilles Peskinecfe74a32021-12-08 18:38:51 +0100778#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
779 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
780#endif
781
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200782#if defined(MBEDTLS_X509_CRT_PARSE_C)
783 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
784#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
785 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
786 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
787 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100788#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200789#endif /* MBEDTLS_X509_CRT_PARSE_C */
Gilles Peskine8716f172021-11-16 15:21:44 +0100790
Gilles Peskine8716f172021-11-16 15:21:44 +0100791#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
Hanno Becker75173122019-02-06 16:18:31 +0000792 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
793 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
794#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker2f28c102019-04-25 15:46:59 +0100795
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100796 struct
797 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100798 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
799 * buffers used for message buffering. */
800
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100801 uint8_t seen_ccs; /*!< Indicates if a CCS message has
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100802 * been seen in the current flight. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100803
Hanno Becker0271f962018-08-16 13:23:47 +0100804 struct mbedtls_ssl_hs_buffer
805 {
Hanno Becker98081a02018-08-22 13:32:50 +0100806 unsigned is_valid : 1;
807 unsigned is_fragmented : 1;
808 unsigned is_complete : 1;
Hanno Becker0271f962018-08-16 13:23:47 +0100809 unsigned char *data;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100810 size_t data_len;
Hanno Becker0271f962018-08-16 13:23:47 +0100811 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
812
Hanno Becker5f066e72018-08-16 14:56:31 +0100813 struct
814 {
815 unsigned char *data;
816 size_t len;
817 unsigned epoch;
818 } future_record;
819
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100820 } buffering;
Hanno Becker35462012018-08-22 10:25:40 +0100821
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000822#if defined(MBEDTLS_SSL_CLI_C) && \
823 ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
824 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
825 * HelloRetryRequest cookie for TLS 1.3 */
826#endif /* MBEDTLS_SSL_CLI_C &&
827 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
828#if defined(MBEDTLS_SSL_PROTO_DTLS)
829 unsigned char verify_cookie_len; /*!< Cli: HelloVerifyRequest cookie
830 * length
XiaokangQian34909742022-01-27 02:25:04 +0000831 * Srv: flag for sending a cookie */
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000832#endif /* MBEDTLS_SSL_PROTO_DTLS */
833#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
834 uint16_t hrr_cookie_len; /*!< HelloRetryRequest cookie length */
XiaokangQian20438972022-03-04 08:52:07 +0000835#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
XiaokangQian52da5582022-01-26 09:49:29 +0000836
837#if defined(MBEDTLS_SSL_PROTO_DTLS)
838 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
839 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
Gilles Peskineec45c1e2021-11-29 12:18:09 +0100840
841 uint32_t retransmit_timeout; /*!< Current value of timeout */
842 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
843 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
844 unsigned char *cur_msg_p; /*!< Position in current message */
845 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
846 flight being received */
847 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
848 resending messages */
849 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
850 for resending messages */
851
852#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
853 /* The state of CID configuration in this handshake. */
854
855 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
856 * has been negotiated. Possible values are
857 * #MBEDTLS_SSL_CID_ENABLED and
858 * #MBEDTLS_SSL_CID_DISABLED. */
859 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
860 uint8_t peer_cid_len; /*!< The length of
861 * \c peer_cid. */
862#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
863
Manuel Pégourié-Gonnardf47a4af2018-08-22 10:38:52 +0200864 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100865#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200866
Ronald Cron6f135e12021-12-08 16:57:54 +0100867#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Beckere043d152021-08-12 06:22:32 +0100868 /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
869 * Those pointers own the transforms they reference. */
Hanno Becker3aa186f2021-08-10 09:24:19 +0100870 mbedtls_ssl_transform *transform_handshake;
871 mbedtls_ssl_transform *transform_earlydata;
Ronald Cron6f135e12021-12-08 16:57:54 +0100872#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Hanno Becker3aa186f2021-08-10 09:24:19 +0100873
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200874 /*
875 * Checksum contexts
876 */
Andrzej Kurek25f27152022-08-17 16:09:31 -0400877#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500878#if defined(MBEDTLS_USE_PSA_CRYPTO)
879 psa_hash_operation_t fin_sha256_psa;
880#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200881 mbedtls_sha256_context fin_sha256;
882#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500883#endif
Andrzej Kurek25f27152022-08-17 16:09:31 -0400884#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500885#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500886 psa_hash_operation_t fin_sha384_psa;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500887#else
Andrzej Kureka242e832022-08-11 10:03:14 -0400888 mbedtls_sha512_context fin_sha384;
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200889#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500890#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200891
Ronald Cron6f135e12021-12-08 16:57:54 +0100892#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800893 uint16_t offered_group_id; /* The NamedGroup value for the group
894 * that is being used for ephemeral
895 * key exchange.
896 *
897 * On the client: Defaults to the first
898 * entry in the client's group list,
899 * but can be overwritten by the HRR. */
Ronald Cron6f135e12021-12-08 16:57:54 +0100900#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800901
Jerry Yufb28b882022-01-28 11:05:58 +0800902#if defined(MBEDTLS_SSL_CLI_C)
Jerry Yu2d9a6942022-02-08 21:07:10 +0800903 uint8_t client_auth; /*!< used to check if CertificateRequest has been
Jerry Yu5c7d1cc2022-02-08 21:08:29 +0800904 received from server side. If CertificateRequest
Jerry Yu0ff8ac82022-02-08 10:10:48 +0800905 has been received, Certificate and CertificateVerify
Jerry Yufb28b882022-01-28 11:05:58 +0800906 should be sent to server */
907#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000908 /*
909 * State-local variables used during the processing
910 * of a specific handshake state.
911 */
912 union
913 {
914 /* Outgoing Finished message */
915 struct
916 {
917 uint8_t preparation_done;
918
919 /* Buffer holding digest of the handshake up to
920 * but excluding the outgoing finished message. */
XiaokangQianc5c39d52021-11-09 11:55:10 +0000921 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000922 size_t digest_len;
923 } finished_out;
924
925 /* Incoming Finished message */
926 struct
927 {
XiaokangQian57b2aff2021-11-10 03:12:11 +0000928 uint8_t preparation_done;
929
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000930 /* Buffer holding digest of the handshake up to but
931 * excluding the peer's incoming finished message. */
XiaokangQianc5c39d52021-11-09 11:55:10 +0000932 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000933 size_t digest_len;
934 } finished_in;
935
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000936 } state_local;
937
938 /* End of state-local variables. */
939
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800940 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
941 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
942 /*!< random bytes */
Ronald Cron3b056202022-10-05 17:20:21 +0200943#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200944 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
945 /*!< premaster secret */
Ronald Cron3b056202022-10-05 17:20:21 +0200946 size_t pmslen; /*!< premaster length */
947#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200948
Ronald Cron6f135e12021-12-08 16:57:54 +0100949#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu0c354a22022-08-29 15:25:36 +0800950 uint32_t sent_extensions; /*!< extensions sent by endpoint */
951 uint32_t received_extensions; /*!< extensions received by endpoint */
Jerry Yu89ea3212021-09-09 14:31:24 +0800952
Ronald Crone68ab4f2022-10-05 12:46:29 +0200953#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000954 unsigned char certificate_request_context_len;
955 unsigned char *certificate_request_context;
Xiaofei Baie1e34422021-12-23 12:09:05 +0000956#endif
957
Jerry Yu89ea3212021-09-09 14:31:24 +0800958 union
959 {
Jerry Yud1ab2622021-10-08 15:36:57 +0800960 unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
961 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
962 unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE];
Xiaofei Baid25fab62021-12-02 06:36:27 +0000963 } tls13_master_secrets;
Jerry Yu61e35e02021-09-16 18:59:08 +0800964
Xiaofei Bai746f9482021-11-12 08:53:56 +0000965 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
Ronald Cron6f135e12021-12-08 16:57:54 +0100966#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200967
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200968#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
969 /** Asynchronous operation context. This field is meant for use by the
970 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
971 * mbedtls_ssl_config::f_async_decrypt_start,
972 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
973 * The library does not use it internally. */
974 void *user_async_ctx;
975#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Glenn Strauss69894072022-01-24 12:58:00 -0500976
977#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
978 const unsigned char *sni_name; /*!< raw SNI */
979 size_t sni_name_len; /*!< raw SNI len */
Glenn Strauss999ef702022-03-11 01:37:23 -0500980#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
981 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
982#endif
Glenn Strauss69894072022-01-24 12:58:00 -0500983#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200984};
985
Hanno Becker0271f962018-08-16 13:23:47 +0100986typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
987
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200988/*
Hanno Beckerd362dc52018-01-03 15:23:11 +0000989 * Representation of decryption/encryption transformations on records
990 *
991 * There are the following general types of record transformations:
TRodziewicz2abf03c2021-06-25 14:40:09 +0200992 * - Stream transformations (TLS versions == 1.2 only)
Hanno Beckerd362dc52018-01-03 15:23:11 +0000993 * Transformation adding a MAC and applying a stream-cipher
994 * to the authenticated message.
TRodziewicz2abf03c2021-06-25 14:40:09 +0200995 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
996 * For TLS 1.2, no IV is generated at key extraction time, but every
997 * encrypted record is explicitly prefixed by the IV with which it was
998 * encrypted.
999 * - AEAD transformations ([D]TLS versions == 1.2 only)
Hanno Beckerd362dc52018-01-03 15:23:11 +00001000 * These come in two fundamentally different versions, the first one
1001 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
1002 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
1003 * In the first transformation, the IV to be used for a record is obtained
1004 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
1005 * record sequence number, and explicitly prepending this sequence number
1006 * to the encrypted record. In contrast, in the second transformation
1007 * the IV is obtained by XOR'ing a static IV obtained at key extraction
1008 * time with the 8-byte record sequence number, without prepending the
1009 * latter to the encrypted record.
1010 *
Hanno Becker7d343ec2020-05-04 12:29:05 +01001011 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
1012 * which allows to add flexible length padding and to hide a record's true
1013 * content type.
1014 *
Hanno Beckerd362dc52018-01-03 15:23:11 +00001015 * In addition to type and version, the following parameters are relevant:
1016 * - The symmetric cipher algorithm to be used.
1017 * - The (static) encryption/decryption keys for the cipher.
1018 * - For stream/CBC, the type of message digest to be used.
1019 * - For stream/CBC, (static) encryption/decryption keys for the digest.
Hanno Becker0db7e0c2018-10-18 15:39:53 +01001020 * - For AEAD transformations, the size (potentially 0) of an explicit,
1021 * random initialization vector placed in encrypted records.
TRodziewicz299510e2021-07-09 16:55:11 +02001022 * - For some transformations (currently AEAD) an implicit IV. It is static
Hanno Beckerd362dc52018-01-03 15:23:11 +00001023 * and (if present) is combined with the explicit IV in a transformation-
TRodziewicz299510e2021-07-09 16:55:11 +02001024 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
Hanno Beckerd362dc52018-01-03 15:23:11 +00001025 * - For stream/CBC, a flag determining the order of encryption and MAC.
1026 * - The details of the transformation depend on the SSL/TLS version.
1027 * - The length of the authentication tag.
1028 *
1029 * The struct below refines this abstract view as follows:
1030 * - The cipher underlying the transformation is managed in
1031 * cipher contexts cipher_ctx_{enc/dec}, which must have the
1032 * same cipher type. The mode of these cipher contexts determines
1033 * the type of the transformation in the sense above: e.g., if
1034 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
1035 * then the transformation has type CBC resp. AEAD.
1036 * - The cipher keys are never stored explicitly but
1037 * are maintained within cipher_ctx_{enc/dec}.
1038 * - For stream/CBC transformations, the message digest contexts
1039 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
1040 * are unused for AEAD transformations.
TRodziewicz2abf03c2021-06-25 14:40:09 +02001041 * - For stream/CBC transformations, the MAC keys are not stored explicitly
1042 * but maintained within md_ctx_{enc/dec}.
1043 * - The mac_enc and mac_dec fields are unused for EAD transformations.
Hanno Beckerd362dc52018-01-03 15:23:11 +00001044 * - For transformations using an implicit IV maintained within
1045 * the transformation context, its contents are stored within
1046 * iv_{enc/dec}.
1047 * - The value of ivlen indicates the length of the IV.
1048 * This is redundant in case of stream/CBC transformations
1049 * which always use 0 resp. the cipher's block length as the
1050 * IV length, but is needed for AEAD ciphers and may be
1051 * different from the underlying cipher's block length
1052 * in this case.
1053 * - The field fixed_ivlen is nonzero for AEAD transformations only
1054 * and indicates the length of the static part of the IV which is
1055 * constant throughout the communication, and which is stored in
1056 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
Glenn Strauss07c64162022-03-14 12:34:51 -04001057 * - tls_version denotes the 2-byte TLS version
Hanno Beckerd362dc52018-01-03 15:23:11 +00001058 * - For stream/CBC transformations, maclen denotes the length of the
1059 * authentication tag, while taglen is unused and 0.
1060 * - For AEAD transformations, taglen denotes the length of the
1061 * authentication tag, while maclen is unused and 0.
1062 * - For CBC transformations, encrypt_then_mac determines the
1063 * order of encryption and authentication. This field is unused
1064 * in other transformations.
1065 *
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001066 */
1067struct mbedtls_ssl_transform
1068{
1069 /*
1070 * Session specific crypto layer
1071 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001072 size_t minlen; /*!< min. ciphertext length */
1073 size_t ivlen; /*!< IV length */
1074 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
Hanno Beckere694c3e2017-12-27 21:34:08 +00001075 size_t maclen; /*!< MAC(CBC) len */
1076 size_t taglen; /*!< TAG(AEAD) len */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001077
1078 unsigned char iv_enc[16]; /*!< IV (encryption) */
1079 unsigned char iv_dec[16]; /*!< IV (decryption) */
1080
Hanno Beckerfd86ca82020-11-30 08:54:23 +00001081#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Hanno Beckerd56ed242018-01-03 15:32:51 +00001082
Neil Armstrong39b8e7d2022-02-23 09:24:45 +01001083#if defined(MBEDTLS_USE_PSA_CRYPTO)
1084 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
1085 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
1086 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
Neil Armstrongcf8841a2022-02-24 11:17:45 +01001087#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001088 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
1089 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
Neil Armstrongcf8841a2022-02-24 11:17:45 +01001090#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001091
Hanno Becker9eddaeb2017-12-27 21:37:21 +00001092#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1093 int encrypt_then_mac; /*!< flag for EtM activation */
1094#endif
1095
Hanno Beckerfd86ca82020-11-30 08:54:23 +00001096#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
Hanno Beckerd56ed242018-01-03 15:32:51 +00001097
Glenn Strauss07c64162022-03-14 12:34:51 -04001098 mbedtls_ssl_protocol_version tls_version;
Hanno Becker9eddaeb2017-12-27 21:37:21 +00001099
Przemyslaw Stekiel44187d72022-01-11 08:25:29 +01001100#if defined(MBEDTLS_USE_PSA_CRYPTO)
1101 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
1102 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
1103 psa_algorithm_t psa_alg; /*!< psa algorithm */
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +01001104#else
1105 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
1106 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
Przemyslaw Stekiel44187d72022-01-11 08:25:29 +01001107#endif /* MBEDTLS_USE_PSA_CRYPTO */
1108
Hanno Beckera0e20d02019-05-15 14:03:01 +01001109#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1327fa72019-04-25 15:54:02 +01001110 uint8_t in_cid_len;
1111 uint8_t out_cid_len;
1112 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
1113 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
Hanno Beckera0e20d02019-05-15 14:03:01 +01001114#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1327fa72019-04-25 15:54:02 +01001115
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +02001116#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
1117 /* We need the Hello random bytes in order to re-derive keys from the
Hanno Beckerbd257552021-03-22 06:59:27 +00001118 * Master Secret and other session info,
1119 * see ssl_tls12_populate_transform() */
Jerry Yue6d7e5c2021-10-26 10:44:32 +08001120 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1121 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1122 /*!< ServerHello.random+ClientHello.random */
Manuel Pégourié-Gonnard96fb0ee2019-07-09 12:54:17 +02001123#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001124};
1125
Hanno Becker12a3a862018-01-05 15:42:50 +00001126/*
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02001127 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1128 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1129 */
1130static inline int mbedtls_ssl_transform_uses_aead(
1131 const mbedtls_ssl_transform *transform )
1132{
Hanno Beckerfd86ca82020-11-30 08:54:23 +00001133#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
Manuel Pégourié-Gonnard1aaf6692019-07-10 14:14:05 +02001134 return( transform->maclen == 0 && transform->taglen != 0 );
1135#else
1136 (void) transform;
1137 return( 1 );
1138#endif
1139}
1140
1141/*
Hanno Becker12a3a862018-01-05 15:42:50 +00001142 * Internal representation of record frames
1143 *
Hanno Becker12a3a862018-01-05 15:42:50 +00001144 * Instances come in two flavors:
1145 * (1) Encrypted
1146 * These always have data_offset = 0
1147 * (2) Unencrypted
Hanno Beckercd430bc2019-04-04 16:29:48 +01001148 * These have data_offset set to the amount of
1149 * pre-expansion during record protection. Concretely,
1150 * this is the length of the fixed part of the explicit IV
1151 * used for encryption, or 0 if no explicit IV is used
TRodziewicz2abf03c2021-06-25 14:40:09 +02001152 * (e.g. for stream ciphers).
Hanno Becker12a3a862018-01-05 15:42:50 +00001153 *
1154 * The reason for the data_offset in the unencrypted case
1155 * is to allow for in-place conversion of an unencrypted to
1156 * an encrypted record. If the offset wasn't included, the
1157 * encrypted content would need to be shifted afterwards to
1158 * make space for the fixed IV.
1159 *
1160 */
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001161#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Becker75f080f2019-04-30 15:01:51 +01001162#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001163#else
Hanno Becker75f080f2019-04-30 15:01:51 +01001164#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +01001165#endif
1166
Hanno Becker12a3a862018-01-05 15:42:50 +00001167typedef struct
1168{
Jerry Yuae0b2e22021-10-08 15:21:19 +08001169 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1170 * In DTLS: The 2-byte epoch followed by
1171 * the 6-byte sequence number.
1172 * This is stored as a raw big endian byte array
1173 * as opposed to a uint64_t because we rarely
1174 * need to perform arithmetic on this, but do
1175 * need it as a Byte array for the purpose of
1176 * MAC computations. */
Hanno Beckerd840cea2019-07-11 09:24:36 +01001177 uint8_t type; /* The record content type. */
1178 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1179 * Convert to internal presentation of versions
1180 * using mbedtls_ssl_read_version() and
1181 * mbedtls_ssl_write_version().
1182 * Keep wire-format for MAC computations. */
Hanno Becker12a3a862018-01-05 15:42:50 +00001183
Hanno Beckerd840cea2019-07-11 09:24:36 +01001184 unsigned char *buf; /* Memory buffer enclosing the record content */
1185 size_t buf_len; /* Buffer length */
1186 size_t data_offset; /* Offset of record content */
1187 size_t data_len; /* Length of record content */
Hanno Becker12a3a862018-01-05 15:42:50 +00001188
Hanno Beckera0e20d02019-05-15 14:03:01 +01001189#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckerd840cea2019-07-11 09:24:36 +01001190 uint8_t cid_len; /* Length of the CID (0 if not present) */
1191 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
Hanno Beckera0e20d02019-05-15 14:03:01 +01001192#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker12a3a862018-01-05 15:42:50 +00001193} mbedtls_record;
1194
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001195#if defined(MBEDTLS_X509_CRT_PARSE_C)
1196/*
1197 * List of certificate + private key pairs
1198 */
1199struct mbedtls_ssl_key_cert
1200{
1201 mbedtls_x509_crt *cert; /*!< cert */
1202 mbedtls_pk_context *key; /*!< private key */
1203 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1204};
1205#endif /* MBEDTLS_X509_CRT_PARSE_C */
1206
1207#if defined(MBEDTLS_SSL_PROTO_DTLS)
1208/*
1209 * List of handshake messages kept around for resending
1210 */
1211struct mbedtls_ssl_flight_item
1212{
1213 unsigned char *p; /*!< message, including handshake headers */
1214 size_t len; /*!< length of p */
1215 unsigned char type; /*!< type of the message: handshake or CCS */
1216 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1217};
1218#endif /* MBEDTLS_SSL_PROTO_DTLS */
1219
Ronald Cron4079abc2022-02-20 10:35:26 +01001220#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1221/**
1222 * \brief Given an SSL context and its associated configuration, write the TLS
1223 * 1.2 specific extensions of the ClientHello message.
1224 *
1225 * \param[in] ssl SSL context
1226 * \param[in] buf Base address of the buffer where to write the extensions
1227 * \param[in] end End address of the buffer where to write the extensions
1228 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
1229 * (<> 0) or not ( 0 ).
1230 * \param[out] out_len Length of the data written into the buffer \p buf
1231 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001232MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron4079abc2022-02-20 10:35:26 +01001233int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
1234 unsigned char *buf,
1235 const unsigned char *end,
1236 int uses_ec,
1237 size_t *out_len );
1238#endif
1239
Hanno Becker7e5437a2017-04-28 17:15:26 +01001240#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01001241 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +01001242
Gabor Mezeia3d016c2022-05-10 12:44:09 +02001243/**
1244 * \brief Find the preferred hash for a given signature algorithm.
1245 *
1246 * \param[in] ssl SSL context
1247 * \param[in] sig_alg A signature algorithm identifier as defined in the
1248 * TLS 1.2 SignatureAlgorithm enumeration.
1249 *
1250 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1251 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1252 */
1253unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1254 mbedtls_ssl_context *ssl,
1255 unsigned int sig_alg );
Hanno Becker7e5437a2017-04-28 17:15:26 +01001256
Gabor Mezei078e8032022-04-27 21:17:56 +02001257#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Gilles Peskineeccd8882020-03-10 12:19:08 +01001258 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001259
1260/**
1261 * \brief Free referenced items in an SSL transform context and clear
1262 * memory
1263 *
1264 * \param transform SSL transform context
1265 */
1266void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
1267
1268/**
1269 * \brief Free referenced items in an SSL handshake context and clear
1270 * memory
1271 *
Gilles Peskine9b562d52018-04-25 20:32:43 +02001272 * \param ssl SSL context
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001273 */
Gilles Peskine9b562d52018-04-25 20:32:43 +02001274void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +02001275
Jerry Yuc7875b52021-09-05 21:05:50 +08001276/* set inbound transform of ssl context */
1277void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
1278 mbedtls_ssl_transform *transform );
1279
1280/* set outbound transform of ssl context */
1281void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
1282 mbedtls_ssl_transform *transform );
1283
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001284MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001285int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001286MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001287int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
1288void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001289static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
1290 mbedtls_ssl_states state )
1291{
1292 ssl->state = ( int ) state;
1293}
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001294
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001295MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001296int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
1297
1298void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
Jerry Yubef175d2022-01-28 10:52:05 +08001299
1300#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001301MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001302int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
Jerry Yubef175d2022-01-28 10:52:05 +08001303#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001304
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001305MBEDTLS_CHECK_RETURN_CRITICAL
Simon Butcher99000142016-10-13 17:21:01 +01001306int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001307MBEDTLS_CHECK_RETURN_CRITICAL
Simon Butcher99000142016-10-13 17:21:01 +01001308int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
1309void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
1310
Hanno Becker4a810fb2017-05-24 16:27:30 +01001311/**
1312 * \brief Update record layer
1313 *
1314 * This function roughly separates the implementation
1315 * of the logic of (D)TLS from the implementation
1316 * of the secure transport.
1317 *
Hanno Becker3a0aad12018-08-20 09:44:02 +01001318 * \param ssl The SSL context to use.
1319 * \param update_hs_digest This indicates if the handshake digest
1320 * should be automatically updated in case
1321 * a handshake message is found.
Hanno Becker4a810fb2017-05-24 16:27:30 +01001322 *
1323 * \return 0 or non-zero error code.
1324 *
1325 * \note A clarification on what is called 'record layer' here
1326 * is in order, as many sensible definitions are possible:
1327 *
1328 * The record layer takes as input an untrusted underlying
1329 * transport (stream or datagram) and transforms it into
1330 * a serially multiplexed, secure transport, which
1331 * conceptually provides the following:
1332 *
1333 * (1) Three datagram based, content-agnostic transports
1334 * for handshake, alert and CCS messages.
1335 * (2) One stream- or datagram-based transport
1336 * for application data.
1337 * (3) Functionality for changing the underlying transform
1338 * securing the contents.
1339 *
1340 * The interface to this functionality is given as follows:
1341 *
1342 * a Updating
1343 * [Currently implemented by mbedtls_ssl_read_record]
1344 *
1345 * Check if and on which of the four 'ports' data is pending:
1346 * Nothing, a controlling datagram of type (1), or application
1347 * data (2). In any case data is present, internal buffers
1348 * provide access to the data for the user to process it.
1349 * Consumption of type (1) datagrams is done automatically
1350 * on the next update, invalidating that the internal buffers
1351 * for previous datagrams, while consumption of application
1352 * data (2) is user-controlled.
1353 *
1354 * b Reading of application data
1355 * [Currently manual adaption of ssl->in_offt pointer]
1356 *
1357 * As mentioned in the last paragraph, consumption of data
1358 * is different from the automatic consumption of control
1359 * datagrams (1) because application data is treated as a stream.
1360 *
1361 * c Tracking availability of application data
1362 * [Currently manually through decreasing ssl->in_msglen]
1363 *
1364 * For efficiency and to retain datagram semantics for
1365 * application data in case of DTLS, the record layer
1366 * provides functionality for checking how much application
1367 * data is still available in the internal buffer.
1368 *
1369 * d Changing the transformation securing the communication.
1370 *
1371 * Given an opaque implementation of the record layer in the
1372 * above sense, it should be possible to implement the logic
1373 * of (D)TLS on top of it without the need to know anything
1374 * about the record layer's internals. This is done e.g.
1375 * in all the handshake handling functions, and in the
1376 * application data reading function mbedtls_ssl_read.
1377 *
1378 * \note The above tries to give a conceptual picture of the
1379 * record layer, but the current implementation deviates
1380 * from it in some places. For example, our implementation of
1381 * the update functionality through mbedtls_ssl_read_record
1382 * discards datagrams depending on the current state, which
1383 * wouldn't fall under the record layer's responsibility
1384 * following the above definition.
1385 *
1386 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001387MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker3a0aad12018-08-20 09:44:02 +01001388int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1389 unsigned update_hs_digest );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001390MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001391int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1392
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001393/*
1394 * Write handshake message header
1395 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001396MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001397int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
1398 unsigned char **buf, size_t *buf_len );
1399
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001400MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001401int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
Ronald Cron66dbf912022-02-02 15:33:46 +01001402 int update_checksum,
Ronald Cron00d012f22022-03-08 15:57:12 +01001403 int force_flush );
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001404static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
1405{
Ronald Cron66dbf912022-02-02 15:33:46 +01001406 return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */, 1 /* force flush */ ) );
Hanno Beckerf3cce8b2021-08-07 14:29:49 +01001407}
1408
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001409/*
1410 * Write handshake message tail
1411 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001412MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001413int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
1414 size_t buf_len, size_t msg_len );
1415
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001416MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron00d012f22022-03-08 15:57:12 +01001417int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001418MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001419int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1420
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001421MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001422int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001423MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001424int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1425
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001426MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001427int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001428MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001429int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1430
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001431MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001432int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001433MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001434int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1435
1436void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1437 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1438
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001439/*
1440 * Update checksum of handshake messages.
1441 */
1442void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
1443 unsigned hs_type,
1444 unsigned char const *msg,
1445 size_t msg_len );
1446
XiaokangQian86981952022-07-19 09:51:50 +00001447void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
1448 unsigned hs_type,
1449 size_t total_hs_len );
1450
Gilles Peskineeccd8882020-03-10 12:19:08 +01001451#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Neil Armstrong80f6f322022-05-03 17:56:38 +02001452#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001453MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001454int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
1455 mbedtls_key_exchange_type_t key_ex );
Neil Armstrong80f6f322022-05-03 17:56:38 +02001456#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Ronald Cron73fe8df2022-10-05 14:31:43 +02001457#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Ronald Crond29e13e2022-10-19 10:33:48 +02001458
Ronald Cron73fe8df2022-10-05 14:31:43 +02001459#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
Ronald Crond29e13e2022-10-19 10:33:48 +02001460#if defined(MBEDTLS_SSL_CLI_C)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001461MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Crond491c2d2022-02-19 18:30:46 +01001462int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
1463#endif
Neil Armstrong044a32c2022-05-03 10:35:56 +02001464#if defined(MBEDTLS_USE_PSA_CRYPTO)
1465/**
1466 * Get the first defined opaque PSK by order of precedence:
1467 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1468 * callback
1469 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1470 * Return an opaque PSK
1471 */
1472static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1473 const mbedtls_ssl_context *ssl )
1474{
1475 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
1476 return( ssl->handshake->psk_opaque );
1477
1478 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
1479 return( ssl->conf->psk_opaque );
1480
1481 return( MBEDTLS_SVC_KEY_ID_INIT );
1482}
1483#else
Guilhem Bryant8a69ddd2020-03-27 11:13:39 +00001484/**
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001485 * Get the first defined PSK by order of precedence:
1486 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1487 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1488 * Return a code and update the pair (PSK, PSK length) passed to this function
1489 */
1490static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1491 const unsigned char **psk, size_t *psk_len )
1492{
1493 if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
1494 {
1495 *psk = ssl->handshake->psk;
1496 *psk_len = ssl->handshake->psk_len;
1497 }
1498
1499 else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
1500 {
1501 *psk = ssl->conf->psk;
1502 *psk_len = ssl->conf->psk_len;
1503 }
1504
1505 else
1506 {
Guilhem Bryantb5f04e42020-04-01 11:23:58 +01001507 *psk = NULL;
1508 *psk_len = 0;
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001509 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1510 }
1511
1512 return( 0 );
1513}
Guilhem Bryantd511ac32020-03-25 17:06:37 +00001514#endif /* MBEDTLS_USE_PSA_CRYPTO */
1515
Ronald Cron73fe8df2022-10-05 14:31:43 +02001516#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001517
1518#if defined(MBEDTLS_PK_C)
1519unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
Hanno Becker7e5437a2017-04-28 17:15:26 +01001520unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001521mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1522#endif
1523
1524mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02001525unsigned char mbedtls_ssl_hash_from_md_alg( int md );
Ronald Cron4dcbca92022-03-07 10:21:40 +01001526
1527#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001528MBEDTLS_CHECK_RETURN_CRITICAL
Simon Butcher99000142016-10-13 17:21:01 +01001529int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
Ronald Cron4dcbca92022-03-07 10:21:40 +01001530#endif
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001531
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001532MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard0d63b842022-01-18 13:10:56 +01001533int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02001534#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001535MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02001536int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001537#endif
1538
Ron Eldor089c9fe2018-12-06 17:12:49 +02001539#if defined(MBEDTLS_SSL_DTLS_SRTP)
Johan Pascal43f94902020-09-22 12:25:52 +02001540static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1541 ( const uint16_t srtp_profile_value )
Ron Eldor089c9fe2018-12-06 17:12:49 +02001542{
Johan Pascal43f94902020-09-22 12:25:52 +02001543 switch( srtp_profile_value )
Ron Eldor089c9fe2018-12-06 17:12:49 +02001544 {
Johan Pascal85269572020-08-25 10:01:54 +02001545 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
Johan Pascal85269572020-08-25 10:01:54 +02001546 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
Johan Pascal85269572020-08-25 10:01:54 +02001547 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
Johan Pascal85269572020-08-25 10:01:54 +02001548 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
Johan Pascal43f94902020-09-22 12:25:52 +02001549 return srtp_profile_value;
Ron Eldor089c9fe2018-12-06 17:12:49 +02001550 default: break;
1551 }
Johan Pascal43f94902020-09-22 12:25:52 +02001552 return( MBEDTLS_TLS_SRTP_UNSET );
Ron Eldor089c9fe2018-12-06 17:12:49 +02001553}
1554#endif
1555
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001556#if defined(MBEDTLS_X509_CRT_PARSE_C)
1557static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1558{
1559 mbedtls_ssl_key_cert *key_cert;
1560
1561 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1562 key_cert = ssl->handshake->key_cert;
1563 else
1564 key_cert = ssl->conf->key_cert;
1565
1566 return( key_cert == NULL ? NULL : key_cert->key );
1567}
1568
1569static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1570{
1571 mbedtls_ssl_key_cert *key_cert;
1572
1573 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1574 key_cert = ssl->handshake->key_cert;
1575 else
1576 key_cert = ssl->conf->key_cert;
1577
1578 return( key_cert == NULL ? NULL : key_cert->cert );
1579}
1580
1581/*
1582 * Check usage of a certificate wrt extensions:
1583 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1584 *
1585 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1586 * check a cert we received from them)!
1587 *
1588 * Return 0 if everything is OK, -1 if not.
1589 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001590MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001591int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1592 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1593 int cert_endpoint,
1594 uint32_t *flags );
1595#endif /* MBEDTLS_X509_CRT_PARSE_C */
1596
Glenn Strausse3af4cb2022-03-15 03:23:42 -04001597void mbedtls_ssl_write_version( unsigned char version[2], int transport,
1598 mbedtls_ssl_protocol_version tls_version );
1599uint16_t mbedtls_ssl_read_version( const unsigned char version[2],
1600 int transport );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001601
Hanno Becker5903de42019-05-03 14:46:38 +01001602static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001603{
Hanno Becker47be7682019-07-12 09:55:46 +01001604#if !defined(MBEDTLS_SSL_PROTO_DTLS)
1605 ((void) ssl);
1606#endif
1607
1608#if defined(MBEDTLS_SSL_PROTO_DTLS)
1609 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1610 {
1611 return( 13 );
1612 }
1613 else
1614#endif /* MBEDTLS_SSL_PROTO_DTLS */
1615 {
1616 return( 5 );
1617 }
Hanno Becker5903de42019-05-03 14:46:38 +01001618}
1619
1620static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1621{
Hanno Becker3b154c12019-05-03 15:05:27 +01001622 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001623}
1624
1625static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1626{
1627#if defined(MBEDTLS_SSL_PROTO_DTLS)
1628 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1629 return( 12 );
1630#else
1631 ((void) ssl);
1632#endif
1633 return( 4 );
1634}
1635
1636#if defined(MBEDTLS_SSL_PROTO_DTLS)
1637void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1638void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001639MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001640int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001641MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02001642int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001643#endif
1644
1645/* Visible for testing purposes only */
1646#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001647MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker0183d692019-07-12 08:50:37 +01001648int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001649void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1650#endif
1651
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001652MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker52055ae2019-02-06 14:30:46 +00001653int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1654 const mbedtls_ssl_session *src );
1655
TRodziewicz0f82ec62021-05-12 17:49:18 +02001656#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek814feff2019-01-14 04:35:19 -05001657/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001658MBEDTLS_CHECK_RETURN_CRITICAL
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001659int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +02001660 unsigned char *hash, size_t *hashlen,
1661 unsigned char *data, size_t data_len,
1662 mbedtls_md_type_t md_alg );
TRodziewicz0f82ec62021-05-12 17:49:18 +02001663#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01001664
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001665#ifdef __cplusplus
1666}
1667#endif
1668
Hanno Beckera18d1322018-01-03 14:27:32 +00001669void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001670MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Beckera18d1322018-01-03 14:27:32 +00001671int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1672 mbedtls_ssl_transform *transform,
1673 mbedtls_record *rec,
1674 int (*f_rng)(void *, unsigned char *, size_t),
1675 void *p_rng );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001676MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker605949f2019-07-12 08:23:59 +01001677int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
Hanno Beckera18d1322018-01-03 14:27:32 +00001678 mbedtls_ssl_transform *transform,
1679 mbedtls_record *rec );
1680
Hanno Beckerdd772292020-02-05 10:38:31 +00001681/* Length of the "epoch" field in the record header */
1682static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1683{
1684#if defined(MBEDTLS_SSL_PROTO_DTLS)
1685 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1686 return( 2 );
1687#else
1688 ((void) ssl);
1689#endif
1690 return( 0 );
1691}
1692
Hanno Becker08f09132020-02-11 15:40:07 +00001693#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001694MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker786300f2020-02-05 10:46:40 +00001695int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
Hanno Becker08f09132020-02-11 15:40:07 +00001696#endif /* MBEDTLS_SSL_PROTO_DTLS */
Hanno Becker0f57a652020-02-05 10:37:26 +00001697
1698void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001699MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker7876d122020-02-05 10:39:31 +00001700int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1701
Hanno Becker3e6f8ab2020-02-05 10:40:57 +00001702void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1703void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1704 mbedtls_ssl_transform *transform );
1705void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1706
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001707MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker43aefe22020-02-05 10:44:56 +00001708int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
XiaokangQian78b1fa72022-01-19 06:56:30 +00001709void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
1710 int partial );
Hanno Becker43aefe22020-02-05 10:44:56 +00001711
Jerry Yue7047812021-09-13 19:26:39 +08001712/*
Jerry Yu394ece62021-09-14 22:17:21 +08001713 * Send pending alert
Jerry Yue7047812021-09-13 19:26:39 +08001714 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001715MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue7047812021-09-13 19:26:39 +08001716int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
1717
Jerry Yu394ece62021-09-14 22:17:21 +08001718/*
1719 * Set pending fatal alert flag.
1720 */
1721void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
1722 unsigned char alert_type,
1723 int alert_reason );
1724
1725/* Alias of mbedtls_ssl_pend_fatal_alert */
1726#define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \
1727 mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value )
1728
Hanno Becker7e8e6a62020-02-05 10:45:48 +00001729#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1730void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1731#endif
1732
Hanno Beckerce5f5fd2020-02-05 10:47:44 +00001733void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1734
Hanno Becker08f09132020-02-11 15:40:07 +00001735#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001736MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker40cdaa12020-02-05 10:48:27 +00001737int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
Hanno Becker08f09132020-02-11 15:40:07 +00001738#endif /* MBEDTLS_SSL_RENEGOTIATION */
Hanno Becker89490712020-02-05 10:50:12 +00001739
Hanno Becker533ab5f2020-02-05 10:49:13 +00001740#if defined(MBEDTLS_SSL_PROTO_DTLS)
Hanno Becker08f09132020-02-11 15:40:07 +00001741size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
Hanno Becker533ab5f2020-02-05 10:49:13 +00001742void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1743void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1744#endif /* MBEDTLS_SSL_PROTO_DTLS */
1745
Jerry Yu60835a82021-08-04 10:13:52 +08001746/**
1747 * ssl utils functions for checking configuration.
1748 */
1749
Ronald Cron6f135e12021-12-08 16:57:54 +01001750#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08001751static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
1752{
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001753 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1754 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
Jerry Yu60835a82021-08-04 10:13:52 +08001755}
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001756
Ronald Cron6f135e12021-12-08 16:57:54 +01001757#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu60835a82021-08-04 10:13:52 +08001758
1759#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1760static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
1761{
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001762 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1763 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 );
Jerry Yu60835a82021-08-04 10:13:52 +08001764}
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001765
Jerry Yu60835a82021-08-04 10:13:52 +08001766#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1767
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001768static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *conf )
1769{
1770#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001771 return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1772 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3 );
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001773#else
1774 ((void) conf);
1775 return( 0 );
1776#endif
1777}
1778
1779static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *conf )
1780{
1781#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001782 return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1783 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2 );
Jerry Yu3ad14ac2022-01-11 17:13:16 +08001784#else
1785 ((void) conf);
1786 return( 0 );
1787#endif
1788}
1789
Ronald Cron6f135e12021-12-08 16:57:54 +01001790#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu60835a82021-08-04 10:13:52 +08001791static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
1792{
Glenn Strauss2dfcea22022-03-14 17:26:42 -04001793 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1794 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
Jerry Yu60835a82021-08-04 10:13:52 +08001795}
Ronald Cron6f135e12021-12-08 16:57:54 +01001796#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu60835a82021-08-04 10:13:52 +08001797
Ronald Cron6f135e12021-12-08 16:57:54 +01001798#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yufbe3e642022-04-25 19:31:51 +08001799extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1800 MBEDTLS_SERVER_HELLO_RANDOM_LEN ];
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001801MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yua6e6c272021-11-17 17:54:13 +08001802int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001803MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yua6e6c272021-11-17 17:54:13 +08001804int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
1805void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
1806
1807/**
Ronald Cron3d580bf2022-02-18 17:24:56 +01001808 * \brief Given an SSL context and its associated configuration, write the TLS
1809 * 1.3 specific extensions of the ClientHello message.
1810 *
1811 * \param[in] ssl SSL context
1812 * \param[in] buf Base address of the buffer where to write the extensions
1813 * \param[in] end End address of the buffer where to write the extensions
1814 * \param[out] out_len Length of the data written into the buffer \p buf
1815 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001816MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron3d580bf2022-02-18 17:24:56 +01001817int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1818 unsigned char *buf,
1819 unsigned char *end,
1820 size_t *out_len );
1821
1822/**
Jerry Yua6e6c272021-11-17 17:54:13 +08001823 * \brief TLS 1.3 client side state machine entry
1824 *
1825 * \param ssl SSL context
1826 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001827MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yua6e6c272021-11-17 17:54:13 +08001828int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
1829
1830/**
1831 * \brief TLS 1.3 server side state machine entry
1832 *
1833 * \param ssl SSL context
1834 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001835MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yua6e6c272021-11-17 17:54:13 +08001836int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
1837
Jerry Yu26f4d152021-08-23 17:42:37 +08001838
1839/*
1840 * Helper functions around key exchange modes.
1841 */
Jerry Yub60e3cf2021-09-08 16:41:02 +08001842static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
Jerry Yu26f4d152021-08-23 17:42:37 +08001843 int kex_mode_mask )
1844{
1845 return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
1846}
1847
Jerry Yub60e3cf2021-09-08 16:41:02 +08001848static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu26f4d152021-08-23 17:42:37 +08001849{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001850 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001851 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001852}
1853
1854static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
1855{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001856 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001857 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001858}
1859
Jerry Yub60e3cf2021-09-08 16:41:02 +08001860static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu26f4d152021-08-23 17:42:37 +08001861{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001862 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001863 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001864}
1865
1866static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1867{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001868 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001869 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001870}
1871
1872static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1873{
Jerry Yub60e3cf2021-09-08 16:41:02 +08001874 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
Xiaofei Bai746f9482021-11-12 08:53:56 +00001875 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
Jerry Yu26f4d152021-08-23 17:42:37 +08001876}
1877
Ronald Cron41a443a2022-10-04 16:38:25 +02001878#if defined(MBEDTLS_SSL_SRV_C) && \
1879 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yuadf861a2021-09-29 21:22:08 +08001880/**
1881 * Given a list of key exchange modes, check if at least one of them is
1882 * supported.
1883 *
1884 * \param[in] ssl SSL context
Jerry Yu0cabad32021-09-30 09:52:35 +08001885 * \param kex_modes_mask Mask of the key exchange modes to check
Jerry Yuadf861a2021-09-29 21:22:08 +08001886 *
1887 * \return 0 if at least one of the key exchange modes is supported,
Jerry Yudca3d5d2021-10-08 14:19:29 +08001888 * !=0 otherwise.
Jerry Yuadf861a2021-09-29 21:22:08 +08001889 */
Xiaofei Bai746f9482021-11-12 08:53:56 +00001890static inline unsigned mbedtls_ssl_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1891 int kex_modes_mask )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001892{
Xiaofei Baid25fab62021-12-02 06:36:27 +00001893 return( ( ssl->handshake->tls13_kex_modes & kex_modes_mask ) == 0 );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001894}
1895
Xiaofei Bai746f9482021-11-12 08:53:56 +00001896static inline int mbedtls_ssl_tls13_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001897{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001898 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1899 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001900}
1901
Xiaofei Bai746f9482021-11-12 08:53:56 +00001902static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001903 mbedtls_ssl_context *ssl )
1904{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001905 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1906 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001907}
1908
Xiaofei Bai746f9482021-11-12 08:53:56 +00001909static inline int mbedtls_ssl_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001910{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001911 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1912 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001913}
1914
Xiaofei Bai746f9482021-11-12 08:53:56 +00001915static inline int mbedtls_ssl_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001916{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001917 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1918 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001919}
1920
Xiaofei Bai746f9482021-11-12 08:53:56 +00001921static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001922{
Xiaofei Bai746f9482021-11-12 08:53:56 +00001923 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1924 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001925}
Ronald Cron41a443a2022-10-04 16:38:25 +02001926#endif /* MBEDTLS_SSL_SRV_C &&
1927 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
Jerry Yu1b7c4a42021-09-09 17:09:12 +08001928
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001929/*
Jerry Yuffa15822022-08-29 15:19:42 +08001930 * Helper functions for extensions checking and convert.
Jerry Yue18dc7e2022-08-04 16:29:22 +08001931 */
Jerry Yue18dc7e2022-08-04 16:29:22 +08001932
Jerry Yu03112ae2022-08-30 16:27:17 +08001933uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type );
Jerry Yue18dc7e2022-08-04 16:29:22 +08001934
Jerry Yu0c354a22022-08-29 15:25:36 +08001935MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001936int mbedtls_ssl_tls13_check_received_extension(
1937 mbedtls_ssl_context *ssl,
1938 int hs_msg_type,
1939 unsigned int received_extension_type,
1940 uint32_t hs_msg_allowed_extensions_mask );
Jerry Yu0c354a22022-08-29 15:25:36 +08001941
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001942static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1943 mbedtls_ssl_context *ssl, unsigned int extension_type )
Jerry Yu0c354a22022-08-29 15:25:36 +08001944{
1945 ssl->handshake->sent_extensions |=
1946 mbedtls_tls13_get_extension_mask( extension_type );
1947}
Jerry Yue18dc7e2022-08-04 16:29:22 +08001948
1949/*
Ronald Cron85385492022-07-20 16:44:00 +02001950 * Helper functions to check the selected key exchange mode.
1951 */
1952static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
1953 mbedtls_ssl_context *ssl, int kex_mask )
1954{
1955 return( ( ssl->handshake->key_exchange_mode & kex_mask ) != 0 );
1956}
1957
1958static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
1959 mbedtls_ssl_context *ssl )
1960{
1961 return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
1962 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1963}
1964
1965static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
1966 mbedtls_ssl_context *ssl )
1967{
1968 return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
1969 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1970}
1971
1972/*
XiaokangQian6b226b02021-09-24 07:51:16 +00001973 * Fetch TLS 1.3 handshake message header
1974 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001975MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +00001976int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
1977 unsigned hs_type,
1978 unsigned char **buf,
1979 size_t *buf_len );
XiaokangQian6b226b02021-09-24 07:51:16 +00001980
1981/*
Xiaofei Bai947571e2021-09-29 09:12:03 +00001982 * Handler of TLS 1.3 server certificate message
1983 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001984MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai947571e2021-09-29 09:12:03 +00001985int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
1986
Ronald Cron928cbd32022-10-04 16:14:26 +02001987#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08001988/*
Jerry Yu3e536442022-02-15 11:05:59 +08001989 * Handler of TLS 1.3 write Certificate message
Jerry Yu5cc35062022-01-28 16:16:08 +08001990 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001991MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu5cc35062022-01-28 16:16:08 +08001992int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
1993
1994/*
Jerry Yu3e536442022-02-15 11:05:59 +08001995 * Handler of TLS 1.3 write Certificate Verify message
Jerry Yu8511f122022-01-29 10:01:04 +08001996 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02001997MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8511f122022-01-29 10:01:04 +08001998int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
Jerry Yu90f152d2022-01-29 22:12:42 +08001999
Ronald Cron928cbd32022-10-04 16:14:26 +02002000#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu90f152d2022-01-29 22:12:42 +08002001
Jerry Yu8511f122022-01-29 10:01:04 +08002002/*
Jerry Yu30b071c2021-09-12 20:16:03 +08002003 * Generic handler of Certificate Verify
2004 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002005MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu30b071c2021-09-12 20:16:03 +08002006int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
2007
2008/*
Ronald Cron49ad6192021-11-24 16:25:31 +01002009 * Write of dummy-CCS's for middlebox compatibility
2010 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002011MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron49ad6192021-11-24 16:25:31 +01002012int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
2013
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002014MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian647719a2021-12-07 09:16:29 +00002015int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
2016
Jerry Yu89e103c2022-03-30 22:43:29 +08002017#if defined(MBEDTLS_ECDH_C)
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002018MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu89e103c2022-03-30 22:43:29 +08002019int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
2020 mbedtls_ssl_context *ssl,
2021 uint16_t named_group,
2022 unsigned char *buf,
2023 unsigned char *end,
2024 size_t *out_len );
2025#endif /* MBEDTLS_ECDH_C */
2026
2027
Jerry Yuf017ee42022-01-12 15:49:48 +08002028#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2029
Ronald Crone68ab4f2022-10-05 12:46:29 +02002030#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Jerry Yu5cc8f0a2021-08-27 17:21:44 +08002031/*
Gabor Mezei53a3b142022-05-10 13:20:55 +02002032 * Parse TLS Signature Algorithm extension
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002033 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002034MBEDTLS_CHECK_RETURN_CRITICAL
Gabor Mezei078e8032022-04-27 21:17:56 +02002035int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
2036 const unsigned char *buf,
2037 const unsigned char *end );
Ronald Crone68ab4f2022-10-05 12:46:29 +02002038#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yu65dd2cc2021-08-18 16:38:40 +08002039
Jerry Yu000f9762021-09-14 11:12:51 +08002040/* Get handshake transcript */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002041MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu000f9762021-09-14 11:12:51 +08002042int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
2043 const mbedtls_md_type_t md,
2044 unsigned char *dst,
2045 size_t dst_len,
2046 size_t *olen );
2047
Brett Warrene0edc842021-08-17 09:53:13 +01002048/*
2049 * Return supported groups.
2050 *
2051 * In future, invocations can be changed to ssl->conf->group_list
2052 * when mbedtls_ssl_conf_curves() is deleted.
2053 *
2054 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
2055 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
2056 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
2057 *
2058 */
2059static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl )
2060{
2061 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
2062 return( ssl->conf->group_list );
2063 #else
2064 if( ( ssl->handshake != NULL ) && ( ssl->handshake->group_list != NULL ) )
2065 return( ssl->handshake->group_list );
2066 else
2067 return( ssl->conf->group_list );
2068 #endif
2069}
2070
Jerry Yuba073422021-12-20 22:22:15 +08002071/*
2072 * Helper functions for NamedGroup.
2073 */
Jerry Yu3ad14ac2022-01-11 17:13:16 +08002074static inline int mbedtls_ssl_tls12_named_group_is_ecdhe( uint16_t named_group )
Jerry Yuba073422021-12-20 22:22:15 +08002075{
2076 /*
Jerry Yu3ad14ac2022-01-11 17:13:16 +08002077 * RFC 8422 section 5.1.1
Jerry Yuba073422021-12-20 22:22:15 +08002078 */
Jerry Yuf0fede52022-01-12 10:57:47 +08002079 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2080 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
2081 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
2082 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
2083 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
Andrzej Kurek5c65c572022-04-13 14:28:52 -04002084 /* Below deprecated curves should be removed with notice to users */
Jerry Yuf0fede52022-01-12 10:57:47 +08002085 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
Jerry Yu3ad14ac2022-01-11 17:13:16 +08002086 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
2087 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
2088 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
2089 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
2090 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2091 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
Jerry Yuf0fede52022-01-12 10:57:47 +08002092 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 );
Jerry Yuba073422021-12-20 22:22:15 +08002093}
2094
2095static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
2096{
Jerry Yuf0fede52022-01-12 10:57:47 +08002097 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2098 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
Jerry Yuba073422021-12-20 22:22:15 +08002099 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2100 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
Jerry Yuba073422021-12-20 22:22:15 +08002101 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 );
2102}
2103
2104static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
2105{
2106 return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
2107 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
2108}
2109
XiaokangQian08037552022-04-20 07:16:41 +00002110static inline int mbedtls_ssl_named_group_is_offered(
2111 const mbedtls_ssl_context *ssl, uint16_t named_group )
2112{
2113 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
2114
2115 if( group_list == NULL )
2116 return( 0 );
2117
2118 for( ; *group_list != 0; group_list++ )
2119 {
2120 if( *group_list == named_group )
2121 return( 1 );
2122 }
2123
2124 return( 0 );
2125}
2126
2127static inline int mbedtls_ssl_named_group_is_supported( uint16_t named_group )
2128{
2129#if defined(MBEDTLS_ECDH_C)
2130 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
2131 {
2132 const mbedtls_ecp_curve_info *curve_info =
2133 mbedtls_ecp_curve_info_from_tls_id( named_group );
2134 if( curve_info != NULL )
2135 return( 1 );
2136 }
2137#else
2138 ((void) named_group);
2139#endif /* MBEDTLS_ECDH_C */
2140 return( 0 );
2141}
2142
Jerry Yuafdfed12021-12-22 10:49:02 +08002143/*
Jerry Yu713013f2022-01-17 18:16:35 +08002144 * Return supported signature algorithms.
2145 *
2146 * In future, invocations can be changed to ssl->conf->sig_algs when
2147 * mbedtls_ssl_conf_sig_hashes() is deleted.
2148 *
Jerry Yu7ddc38c2022-01-19 11:08:05 +08002149 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
2150 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
2151 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
2152 * been more recently invoked.
2153 *
Jerry Yuafdfed12021-12-22 10:49:02 +08002154 */
Jerry Yu713013f2022-01-17 18:16:35 +08002155static inline const void *mbedtls_ssl_get_sig_algs(
2156 const mbedtls_ssl_context *ssl )
Jerry Yuafdfed12021-12-22 10:49:02 +08002157{
Ronald Crone68ab4f2022-10-05 12:46:29 +02002158#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01002159
Jerry Yu6106fdc2022-01-12 16:36:14 +08002160#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Jerry Yucc539102022-06-27 16:27:35 +08002161 if( ssl->handshake != NULL &&
2162 ssl->handshake->sig_algs_heap_allocated == 1 &&
Jerry Yuee28e7a2022-06-24 19:35:40 +08002163 ssl->handshake->sig_algs != NULL )
2164 {
Jerry Yu6106fdc2022-01-12 16:36:14 +08002165 return( ssl->handshake->sig_algs );
Jerry Yuee28e7a2022-06-24 19:35:40 +08002166 }
Jerry Yu6106fdc2022-01-12 16:36:14 +08002167#endif
2168 return( ssl->conf->sig_algs );
Manuel Pégourié-Gonnardf7d704d2022-01-28 10:05:56 +01002169
Ronald Crone68ab4f2022-10-05 12:46:29 +02002170#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yuafdfed12021-12-22 10:49:02 +08002171
Jerry Yu6106fdc2022-01-12 16:36:14 +08002172 ((void) ssl);
Jerry Yu713013f2022-01-17 18:16:35 +08002173 return( NULL );
Ronald Crone68ab4f2022-10-05 12:46:29 +02002174#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yuafdfed12021-12-22 10:49:02 +08002175}
Jerry Yuba073422021-12-20 22:22:15 +08002176
Ronald Cron928cbd32022-10-04 16:14:26 +02002177#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu8511f122022-01-29 10:01:04 +08002178static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl,
2179 uint16_t own_sig_alg )
2180{
Jerry Yu1bb5a1f2022-01-30 10:52:11 +08002181 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
2182 if( sig_alg == NULL )
2183 return( 0 );
2184
Gabor Mezei15b95a62022-05-09 16:37:58 +02002185 for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
Jerry Yu1bb5a1f2022-01-30 10:52:11 +08002186 {
2187 if( *sig_alg == own_sig_alg )
2188 return( 1 );
2189 }
2190 return( 0 );
Jerry Yu8511f122022-01-29 10:01:04 +08002191}
2192
Jerry Yua1255e62022-06-24 10:10:47 +08002193static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
Jerry Yu0ebce952022-06-16 13:54:47 +08002194 const uint16_t sig_alg )
2195{
Jerry Yu96ee23e2022-06-21 16:34:57 +08002196 switch( sig_alg )
2197 {
2198#if defined(MBEDTLS_ECDSA_C)
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002199#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
Jerry Yu96ee23e2022-06-21 16:34:57 +08002200 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
2201 break;
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002202#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2203#if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
Jerry Yu96ee23e2022-06-21 16:34:57 +08002204 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
2205 break;
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002206#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2207#if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
Jerry Yu96ee23e2022-06-21 16:34:57 +08002208 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2209 break;
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002210#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
Jerry Yu96ee23e2022-06-21 16:34:57 +08002211#endif /* MBEDTLS_ECDSA_C */
2212
Jerry Yu52b7d922022-07-01 18:03:31 +08002213#if defined(MBEDTLS_PKCS1_V21)
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002214#if defined(PSA_WANT_ALG_SHA_256)
Jerry Yu96ee23e2022-06-21 16:34:57 +08002215 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2216 break;
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002217#endif /* PSA_WANT_ALG_SHA_256 */
2218#if defined(PSA_WANT_ALG_SHA_384)
Jerry Yu96ee23e2022-06-21 16:34:57 +08002219 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2220 break;
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002221#endif /* PSA_WANT_ALG_SHA_384 */
2222#if defined(PSA_WANT_ALG_SHA_512)
Jerry Yu96ee23e2022-06-21 16:34:57 +08002223 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2224 break;
Przemyslaw Stekiel004c2182022-09-14 09:09:16 +02002225#endif /* PSA_WANT_ALG_SHA_512 */
Jerry Yu52b7d922022-07-01 18:03:31 +08002226#endif /* MBEDTLS_PKCS1_V21 */
Jerry Yu96ee23e2022-06-21 16:34:57 +08002227 default:
2228 return( 0 );
2229 }
2230 return( 1 );
Jerry Yu80dd5db2022-06-22 19:30:32 +08002231
2232}
2233
2234static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
2235 const uint16_t sig_alg )
2236{
2237 switch( sig_alg )
2238 {
Jerry Yu52b7d922022-07-01 18:03:31 +08002239#if defined(MBEDTLS_PKCS1_V15)
Przemek Stekiel153b4422022-09-05 12:36:25 +02002240#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu80dd5db2022-06-22 19:30:32 +08002241 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2242 break;
Przemek Stekiel153b4422022-09-05 12:36:25 +02002243#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2244#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu80dd5db2022-06-22 19:30:32 +08002245 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2246 break;
Przemek Stekiel153b4422022-09-05 12:36:25 +02002247#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2248#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu80dd5db2022-06-22 19:30:32 +08002249 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2250 break;
Przemek Stekiel153b4422022-09-05 12:36:25 +02002251#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
Jerry Yu52b7d922022-07-01 18:03:31 +08002252#endif /* MBEDTLS_PKCS1_V15 */
Jerry Yu80dd5db2022-06-22 19:30:32 +08002253 default:
Jerry Yua1255e62022-06-24 10:10:47 +08002254 return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
Jerry Yu80dd5db2022-06-22 19:30:32 +08002255 sig_alg ) );
2256 }
2257 return( 1 );
Jerry Yu0ebce952022-06-16 13:54:47 +08002258}
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00002259
Ronald Cron928cbd32022-10-04 16:14:26 +02002260MBEDTLS_CHECK_RETURN_CRITICAL
2261int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
2262 mbedtls_pk_context *key );
2263#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2264
Ronald Crone68ab4f2022-10-05 12:46:29 +02002265#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
Ronald Cron928cbd32022-10-04 16:14:26 +02002266static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
2267 uint16_t proposed_sig_alg )
2268{
2269 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
2270 if( sig_alg == NULL )
2271 return( 0 );
2272
2273 for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
2274 {
2275 if( *sig_alg == proposed_sig_alg )
2276 return( 1 );
2277 }
2278 return( 0 );
2279}
2280
2281static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2282 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
2283{
2284 *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
2285 *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
2286
2287 if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
2288 return( 0 );
2289
2290 switch( sig_alg )
2291 {
2292#if defined(MBEDTLS_PKCS1_V21)
2293#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2294 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2295 *md_alg = MBEDTLS_MD_SHA256;
2296 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2297 break;
2298#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2299#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2300 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2301 *md_alg = MBEDTLS_MD_SHA384;
2302 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2303 break;
2304#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2305#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2306 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2307 *md_alg = MBEDTLS_MD_SHA512;
2308 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2309 break;
2310#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2311#endif /* MBEDTLS_PKCS1_V21 */
2312 default:
2313 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2314 }
2315 return( 0 );
2316}
Jerry Yu8c338862022-03-23 13:34:04 +08002317
Jerry Yu0ebce952022-06-16 13:54:47 +08002318#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2319static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
2320 const uint16_t sig_alg )
2321{
2322 /* High byte is hash */
2323 unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
2324 unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
2325
2326 switch( hash )
2327 {
Andrzej Kurek25f27152022-08-17 16:09:31 -04002328#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu0ebce952022-06-16 13:54:47 +08002329 case MBEDTLS_SSL_HASH_MD5:
2330 break;
2331#endif
2332
Andrzej Kurek25f27152022-08-17 16:09:31 -04002333#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu0ebce952022-06-16 13:54:47 +08002334 case MBEDTLS_SSL_HASH_SHA1:
2335 break;
2336#endif
2337
Andrzej Kurek25f27152022-08-17 16:09:31 -04002338#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu0ebce952022-06-16 13:54:47 +08002339 case MBEDTLS_SSL_HASH_SHA224:
2340 break;
2341#endif
2342
Andrzej Kurek25f27152022-08-17 16:09:31 -04002343#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu0ebce952022-06-16 13:54:47 +08002344 case MBEDTLS_SSL_HASH_SHA256:
2345 break;
2346#endif
2347
Andrzej Kurek25f27152022-08-17 16:09:31 -04002348#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu0ebce952022-06-16 13:54:47 +08002349 case MBEDTLS_SSL_HASH_SHA384:
2350 break;
2351#endif
2352
Andrzej Kurek25f27152022-08-17 16:09:31 -04002353#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
Jerry Yu0ebce952022-06-16 13:54:47 +08002354 case MBEDTLS_SSL_HASH_SHA512:
2355 break;
2356#endif
2357
2358 default:
2359 return( 0 );
2360 }
2361
2362 switch( sig )
2363 {
2364#if defined(MBEDTLS_RSA_C)
2365 case MBEDTLS_SSL_SIG_RSA:
2366 break;
2367#endif
2368
2369#if defined(MBEDTLS_ECDSA_C)
2370 case MBEDTLS_SSL_SIG_ECDSA:
2371 break;
2372#endif
2373
2374 default:
2375 return( 0 );
2376 }
2377
2378 return( 1 );
2379}
2380#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2381
Jerry Yu1bab3012022-01-19 17:43:22 +08002382static inline int mbedtls_ssl_sig_alg_is_supported(
2383 const mbedtls_ssl_context *ssl,
2384 const uint16_t sig_alg )
2385{
2386
2387#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Glenn Strauss60bfe602022-03-14 19:04:24 -04002388 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yu1bab3012022-01-19 17:43:22 +08002389 {
Jerry Yu0ebce952022-06-16 13:54:47 +08002390 return( mbedtls_ssl_tls12_sig_alg_is_supported( sig_alg ) );
Jerry Yu1bab3012022-01-19 17:43:22 +08002391 }
2392#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2393
Ronald Cron928cbd32022-10-04 16:14:26 +02002394#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Glenn Strauss60bfe602022-03-14 19:04:24 -04002395 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yu1bab3012022-01-19 17:43:22 +08002396 {
Jerry Yu7ab7f2b2022-06-16 19:07:10 +08002397 return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
Jerry Yu1bab3012022-01-19 17:43:22 +08002398 }
Ronald Cron928cbd32022-10-04 16:14:26 +02002399#endif
Jerry Yu1bab3012022-01-19 17:43:22 +08002400 ((void) ssl);
2401 ((void) sig_alg);
2402 return( 0 );
2403}
Ronald Crone68ab4f2022-10-05 12:46:29 +02002404#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
Jerry Yu1bab3012022-01-19 17:43:22 +08002405
Neil Armstrong8395d7a2022-05-18 11:44:56 +02002406#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002407/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
Andrzej Kurek5c65c572022-04-13 14:28:52 -04002408 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002409 * guaranteed to not be a valid PSA algorithm identifier.
2410 */
2411#define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2412
2413/**
2414 * \brief Translate mbedtls cipher type/taglen pair to psa:
2415 * algorithm, key type and key size.
2416 *
2417 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2418 * \param taglen [in] given tag length
2419 * 0 - default tag length
2420 * \param alg [out] corresponding PSA alg
2421 * There is no corresponding PSA
Przemyslaw Stekiel8c010eb2022-02-03 10:44:02 +01002422 * alg for MBEDTLS_CIPHER_NULL, so
2423 * in this case MBEDTLS_SSL_NULL_CIPHER
2424 * is returned via this parameter
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002425 * \param key_type [out] corresponding PSA key type
2426 * \param key_size [out] corresponding PSA key size
2427 *
2428 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2429 * conversion is not supported.
2430 */
2431psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
2432 size_t taglen,
2433 psa_algorithm_t *alg,
2434 psa_key_type_t *key_type,
2435 size_t *key_size );
2436
2437/**
2438 * \brief Convert given PSA status to mbedtls error code.
2439 *
2440 * \param status [in] given PSA status
2441 *
2442 * \return corresponding mbedtls error code
2443 */
Przemyslaw Stekiel77aec8d2022-01-31 20:22:53 +01002444static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002445{
2446 switch( status )
2447 {
2448 case PSA_SUCCESS:
2449 return( 0 );
2450 case PSA_ERROR_INSUFFICIENT_MEMORY:
Gabor Mezei1bf075f2022-03-21 12:19:52 +01002451 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002452 case PSA_ERROR_NOT_SUPPORTED:
Gabor Mezei1bf075f2022-03-21 12:19:52 +01002453 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Przemyslaw Stekiel89dad932022-01-31 09:18:07 +01002454 case PSA_ERROR_INVALID_SIGNATURE:
2455 return( MBEDTLS_ERR_SSL_INVALID_MAC );
Gabor Mezeiadfeadc2022-03-21 12:17:49 +01002456 case PSA_ERROR_INVALID_ARGUMENT:
2457 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2458 case PSA_ERROR_BAD_STATE:
2459 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Przemek Stekiel85836272022-04-05 10:50:53 +02002460 case PSA_ERROR_BUFFER_TOO_SMALL:
2461 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Przemyslaw Stekiele5c22382022-01-25 00:56:34 +01002462 default:
2463 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
2464 }
2465}
Przemyslaw Stekielb15f33d2022-02-10 10:12:12 +01002466#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu1bab3012022-01-19 17:43:22 +08002467
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002468/**
2469 * \brief TLS record protection modes
2470 */
2471typedef enum {
2472 MBEDTLS_SSL_MODE_STREAM = 0,
2473 MBEDTLS_SSL_MODE_CBC,
2474 MBEDTLS_SSL_MODE_CBC_ETM,
2475 MBEDTLS_SSL_MODE_AEAD
2476} mbedtls_ssl_mode_t;
2477
Neil Armstrongab555e02022-04-04 11:07:59 +02002478mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
Neil Armstrong8a0f3e82022-03-30 10:57:37 +02002479 const mbedtls_ssl_transform *transform );
2480
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002481#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Neil Armstrongab555e02022-04-04 11:07:59 +02002482mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002483 int encrypt_then_mac,
2484 const mbedtls_ssl_ciphersuite_t *suite );
2485#else
Neil Armstrongab555e02022-04-04 11:07:59 +02002486mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002487 const mbedtls_ssl_ciphersuite_t *suite );
Neil Armstrongf2c82f02022-04-05 11:16:53 +02002488#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Neil Armstrong4bf4c862022-04-01 10:35:48 +02002489
XiaokangQian9b5d04b2022-04-10 10:20:43 +00002490#if defined(MBEDTLS_ECDH_C)
2491
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002492MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian9b5d04b2022-04-10 10:20:43 +00002493int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
2494 const unsigned char *buf,
2495 size_t buf_len );
2496
2497#endif /* MBEDTLS_ECDH_C */
2498
XiaokangQian0a1b54e2022-04-21 03:01:38 +00002499static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2500 mbedtls_ssl_context *ssl, int cipher_suite )
2501{
2502 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
2503
2504 /* Check whether we have offered this ciphersuite */
2505 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
2506 {
2507 if( ciphersuite_list[i] == cipher_suite )
2508 {
2509 return( 1 );
2510 }
2511 }
2512 return( 0 );
2513}
2514
2515/**
2516 * \brief Validate cipher suite against config in SSL context.
2517 *
2518 * \param ssl SSL context
2519 * \param suite_info Cipher suite to validate
2520 * \param min_tls_version Minimal TLS version to accept a cipher suite
2521 * \param max_tls_version Maximal TLS version to accept a cipher suite
2522 *
2523 * \return 0 if valid, negative value otherwise.
2524 */
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002525MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian0a1b54e2022-04-21 03:01:38 +00002526int mbedtls_ssl_validate_ciphersuite(
2527 const mbedtls_ssl_context *ssl,
2528 const mbedtls_ssl_ciphersuite_t *suite_info,
2529 mbedtls_ssl_protocol_version min_tls_version,
2530 mbedtls_ssl_protocol_version max_tls_version );
XiaokangQian08037552022-04-20 07:16:41 +00002531
Manuel Pégourié-Gonnarda82a8b92022-06-17 10:53:58 +02002532MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianeaf36512022-04-24 09:07:44 +00002533int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
2534 const unsigned char *end, size_t *out_len );
2535
XiaokangQian40a35232022-05-07 09:02:40 +00002536#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Ronald Cronce7d76e2022-07-08 18:56:49 +02002537MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian9b2b7712022-05-17 02:57:00 +00002538int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
2539 const unsigned char *buf,
2540 const unsigned char *end );
XiaokangQian40a35232022-05-07 09:02:40 +00002541#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2542
XiaokangQianacb39922022-06-17 10:18:48 +00002543#if defined(MBEDTLS_SSL_ALPN)
Ronald Cronce7d76e2022-07-08 18:56:49 +02002544MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianacb39922022-06-17 10:18:48 +00002545int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
2546 const unsigned char *buf,
2547 const unsigned char *end );
2548
2549
Ronald Cronce7d76e2022-07-08 18:56:49 +02002550MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianacb39922022-06-17 10:18:48 +00002551int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2552 unsigned char *buf,
2553 unsigned char *end,
XiaokangQianc7403452022-06-23 03:24:12 +00002554 size_t *out_len );
XiaokangQianacb39922022-06-17 10:18:48 +00002555#endif /* MBEDTLS_SSL_ALPN */
2556
Andrzej Kurekcfb01942022-06-06 13:08:23 -04002557#if defined(MBEDTLS_TEST_HOOKS)
Andrzej Kurek078e9bc2022-06-08 11:47:33 -04002558int mbedtls_ssl_check_dtls_clihlo_cookie(
Andrzej Kurekcfb01942022-06-06 13:08:23 -04002559 mbedtls_ssl_context *ssl,
2560 const unsigned char *cli_id, size_t cli_id_len,
2561 const unsigned char *in, size_t in_len,
2562 unsigned char *obuf, size_t buf_len, size_t *olen );
2563#endif
2564
Ronald Cron41a443a2022-10-04 16:38:25 +02002565#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +00002566/**
2567 * \brief Given an SSL context and its associated configuration, write the TLS
2568 * 1.3 specific Pre-Shared key extension.
2569 *
2570 * \param[in] ssl SSL context
2571 * \param[in] buf Base address of the buffer where to write the extension
2572 * \param[in] end End address of the buffer where to write the extension
XiaokangQian008d2bf2022-07-14 07:54:01 +00002573 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
2574 * written into the buffer \p buf by this function plus
2575 * the length of the binders to be written.
XiaokangQianeb69aee2022-07-05 08:21:43 +00002576 * \param[out] binders_len Length of the binders to be written at the end of
XiaokangQian008d2bf2022-07-14 07:54:01 +00002577 * the extension.
XiaokangQianeb69aee2022-07-05 08:21:43 +00002578 */
XiaokangQian86981952022-07-19 09:51:50 +00002579MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian3ad67bf2022-07-21 02:26:21 +00002580int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
XiaokangQianeb69aee2022-07-05 08:21:43 +00002581 mbedtls_ssl_context *ssl,
2582 unsigned char *buf, unsigned char *end,
2583 size_t *out_len, size_t *binders_len );
2584
2585/**
2586 * \brief Given an SSL context and its associated configuration, write the TLS
2587 * 1.3 specific Pre-Shared key extension binders at the end of the
2588 * ClientHello.
2589 *
2590 * \param[in] ssl SSL context
XiaokangQian008d2bf2022-07-14 07:54:01 +00002591 * \param[in] buf Base address of the buffer where to write the binders
2592 * \param[in] end End address of the buffer where to write the binders
XiaokangQianeb69aee2022-07-05 08:21:43 +00002593 */
XiaokangQian86981952022-07-19 09:51:50 +00002594MBEDTLS_CHECK_RETURN_CRITICAL
2595int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
XiaokangQianeb69aee2022-07-05 08:21:43 +00002596 mbedtls_ssl_context *ssl,
2597 unsigned char *buf, unsigned char *end );
Ronald Cron41a443a2022-10-04 16:38:25 +02002598#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +00002599
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00002600#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
Xiaokang Qian03409292022-10-12 02:49:52 +00002601 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
Xiaokang Qianed0620c2022-10-12 06:58:13 +00002602 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
Xiaokang Qianed3afcd2022-10-12 08:31:11 +00002603 defined(MBEDTLS_SSL_CLI_C)
Xiaokang Qian03409292022-10-12 02:49:52 +00002604MBEDTLS_CHECK_RETURN_CRITICAL
Xiaokang Qiana3b451f2022-10-11 06:20:56 +00002605int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session,
2606 const char *hostname );
2607#endif
2608
Chris Jones84a773f2021-03-05 18:38:47 +00002609#endif /* ssl_misc.h */