blob: c7668eba963a7f4f556430e41f5ee005f066ad7f [file] [log] [blame]
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001/**
Darryl Greena40a1012018-01-05 15:33:17 +00002 * \file ssl_internal.h
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02003 *
4 * \brief Internal functions shared by the SSL modules
Darryl Greena40a1012018-01-05 15:33:17 +00005 */
6/*
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02008 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020021 *
22 * This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020023 */
24#ifndef MBEDTLS_SSL_INTERNAL_H
25#define MBEDTLS_SSL_INTERNAL_H
26
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050027#if !defined(MBEDTLS_CONFIG_FILE)
28#include "config.h"
29#else
30#include MBEDTLS_CONFIG_FILE
31#endif
32
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020033#include "ssl.h"
Hanno Beckera8434e82017-09-18 10:54:39 +010034#include "cipher.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020035
Andrzej Kurekeb342242019-01-29 09:14:33 -050036#if defined(MBEDTLS_USE_PSA_CRYPTO)
37#include "psa/crypto.h"
38#endif
39
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020040#if defined(MBEDTLS_MD5_C)
41#include "md5.h"
42#endif
43
44#if defined(MBEDTLS_SHA1_C)
45#include "sha1.h"
46#endif
47
48#if defined(MBEDTLS_SHA256_C)
49#include "sha256.h"
50#endif
51
52#if defined(MBEDTLS_SHA512_C)
53#include "sha512.h"
54#endif
55
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +020056#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +020057#include "ecjpake.h"
58#endif
59
Hanno Beckerdf51dbe2019-02-18 16:41:55 +000060#if defined(MBEDTLS_USE_PSA_CRYPTO)
61#include "psa/crypto.h"
62#include "psa_util.h"
63#endif /* MBEDTLS_USE_PSA_CRYPTO */
64
Manuel Pégourié-Gonnard0223ab92015-10-05 11:40:01 +010065#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
66 !defined(inline) && !defined(__cplusplus)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020067#define inline __inline
Manuel Pégourié-Gonnard20af64d2015-07-07 18:33:39 +020068#endif
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020069
70/* Determine minimum supported version */
71#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
72
73#if defined(MBEDTLS_SSL_PROTO_SSL3)
74#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
75#else
76#if defined(MBEDTLS_SSL_PROTO_TLS1)
77#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
78#else
79#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
80#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
81#else
82#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
83#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
84#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
85#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
86#endif /* MBEDTLS_SSL_PROTO_TLS1 */
87#endif /* MBEDTLS_SSL_PROTO_SSL3 */
88
Ron Eldor5e9f14d2017-05-28 10:46:38 +030089#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
90#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
91
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020092/* Determine maximum supported version */
93#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
94
95#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
96#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
97#else
98#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
99#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
100#else
101#if defined(MBEDTLS_SSL_PROTO_TLS1)
102#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
103#else
104#if defined(MBEDTLS_SSL_PROTO_SSL3)
105#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
106#endif /* MBEDTLS_SSL_PROTO_SSL3 */
107#endif /* MBEDTLS_SSL_PROTO_TLS1 */
108#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
109#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
110
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200111/* Shorthand for restartable ECC */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200112#if defined(MBEDTLS_ECP_RESTARTABLE) && \
113 defined(MBEDTLS_SSL_CLI_C) && \
114 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
115 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
116#define MBEDTLS_SSL__ECP_RESTARTABLE
117#endif
118
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200119#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
120#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
121#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
122#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
123
124/*
125 * DTLS retransmission states, see RFC 6347 4.2.4
126 *
127 * The SENDING state is merged in PREPARING for initial sends,
128 * but is distinct for resends.
129 *
130 * Note: initial state is wrong for server, but is not used anyway.
131 */
132#define MBEDTLS_SSL_RETRANS_PREPARING 0
133#define MBEDTLS_SSL_RETRANS_SENDING 1
134#define MBEDTLS_SSL_RETRANS_WAITING 2
135#define MBEDTLS_SSL_RETRANS_FINISHED 3
136
137/*
138 * Allow extra bytes for record, authentication and encryption overhead:
139 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
140 * and allow for a maximum of 1024 of compression expansion if
141 * enabled.
142 */
143#if defined(MBEDTLS_ZLIB_SUPPORT)
144#define MBEDTLS_SSL_COMPRESSION_ADD 1024
145#else
146#define MBEDTLS_SSL_COMPRESSION_ADD 0
147#endif
148
Hanno Becker52344c22018-01-03 15:24:20 +0000149#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
150 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
151 ( defined(MBEDTLS_AES_C) || \
152 defined(MBEDTLS_CAMELLIA_C) || \
Hanno Becker34f88af2018-07-17 10:19:47 +0100153 defined(MBEDTLS_ARIA_C) || \
154 defined(MBEDTLS_DES_C) ) )
Hanno Becker52344c22018-01-03 15:24:20 +0000155#define MBEDTLS_SSL_SOME_MODES_USE_MAC
156#endif
157
158#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200159/* Ciphersuites using HMAC */
160#if defined(MBEDTLS_SHA512_C)
161#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
162#elif defined(MBEDTLS_SHA256_C)
163#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
164#else
165#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
166#endif
Hanno Becker52344c22018-01-03 15:24:20 +0000167#else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200168/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
169#define MBEDTLS_SSL_MAC_ADD 16
170#endif
171
172#if defined(MBEDTLS_CIPHER_MODE_CBC)
173#define MBEDTLS_SSL_PADDING_ADD 256
174#else
175#define MBEDTLS_SSL_PADDING_ADD 0
176#endif
177
Angus Grattond8213d02016-05-25 20:56:48 +1000178#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
179 MBEDTLS_MAX_IV_LENGTH + \
180 MBEDTLS_SSL_MAC_ADD + \
181 MBEDTLS_SSL_PADDING_ADD \
182 )
183
184#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
185 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
186
187#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
188 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
189
Hanno Becker0271f962018-08-16 13:23:47 +0100190/* The maximum number of buffered handshake messages. */
Hanno Beckerd488b9e2018-08-16 16:35:37 +0100191#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
Hanno Becker0271f962018-08-16 13:23:47 +0100192
Angus Grattond8213d02016-05-25 20:56:48 +1000193/* Maximum length we can advertise as our max content length for
194 RFC 6066 max_fragment_length extension negotiation purposes
195 (the lesser of both sizes, if they are unequal.)
196 */
197#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
198 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
199 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
200 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
201 )
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200202
203/*
Hanno Beckera8434e82017-09-18 10:54:39 +0100204 * Check that we obey the standard's message size bounds
205 */
206
207#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
Angus Grattond8213d02016-05-25 20:56:48 +1000208#error "Bad configuration - record content too large."
Hanno Beckera8434e82017-09-18 10:54:39 +0100209#endif
210
Angus Grattond8213d02016-05-25 20:56:48 +1000211#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
212#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
Hanno Beckera8434e82017-09-18 10:54:39 +0100213#endif
214
Angus Grattond8213d02016-05-25 20:56:48 +1000215#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
216#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
217#endif
218
219#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
220#error "Bad configuration - incoming protected record payload too large."
221#endif
222
223#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
224#error "Bad configuration - outgoing protected record payload too large."
225#endif
226
227/* Calculate buffer sizes */
228
Hanno Becker25d6d1a2017-12-07 08:22:51 +0000229/* Note: Even though the TLS record header is only 5 bytes
230 long, we're internally using 8 bytes to store the
231 implicit sequence number. */
Hanno Beckerd25d4442017-10-04 13:56:42 +0100232#define MBEDTLS_SSL_HEADER_LEN 13
Hanno Beckera8434e82017-09-18 10:54:39 +0100233
Angus Grattond8213d02016-05-25 20:56:48 +1000234#define MBEDTLS_SSL_IN_BUFFER_LEN \
235 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
236
237#define MBEDTLS_SSL_OUT_BUFFER_LEN \
238 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
239
240#ifdef MBEDTLS_ZLIB_SUPPORT
241/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
242#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
243 ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
244 ? MBEDTLS_SSL_IN_BUFFER_LEN \
245 : MBEDTLS_SSL_OUT_BUFFER_LEN \
246 )
247#endif
Hanno Beckera8434e82017-09-18 10:54:39 +0100248
249/*
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200250 * TLS extension flags (for extensions with outgoing ServerHello content
251 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
252 * of state of the renegotiation flag, so no indicator is required)
253 */
254#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200255#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200256
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200257#ifdef __cplusplus
258extern "C" {
259#endif
260
Hanno Becker7e5437a2017-04-28 17:15:26 +0100261#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
262 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
263/*
264 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
265 */
266struct mbedtls_ssl_sig_hash_set_t
267{
268 /* At the moment, we only need to remember a single suitable
269 * hash algorithm per signature algorithm. As long as that's
270 * the case - and we don't need a general lookup function -
271 * we can implement the sig-hash-set as a map from signatures
272 * to hash algorithms. */
273 mbedtls_md_type_t rsa;
274 mbedtls_md_type_t ecdsa;
275};
276#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
277 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
278
Ron Eldor51d3ab52019-05-12 14:54:30 +0300279typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
280 const char *label,
281 const unsigned char *random, size_t rlen,
282 unsigned char *dstbuf, size_t dlen );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200283/*
284 * This structure contains the parameters only needed during handshake.
285 */
286struct mbedtls_ssl_handshake_params
287{
288 /*
289 * Handshake specific crypto variables
290 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100291
292#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
293 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
294 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
295#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200296#if defined(MBEDTLS_DHM_C)
297 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
298#endif
299#if defined(MBEDTLS_ECDH_C)
300 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
Hanno Beckerdf51dbe2019-02-18 16:41:55 +0000301
302#if defined(MBEDTLS_USE_PSA_CRYPTO)
303 psa_ecc_curve_t ecdh_psa_curve;
304 psa_key_handle_t ecdh_psa_privkey;
305 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
306 size_t ecdh_psa_peerkey_len;
307#endif /* MBEDTLS_USE_PSA_CRYPTO */
308#endif /* MBEDTLS_ECDH_C */
309
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200310#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200311 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200312#if defined(MBEDTLS_SSL_CLI_C)
313 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
314 size_t ecjpake_cache_len; /*!< Length of cached data */
315#endif
Hanno Becker1aa267c2017-04-28 17:08:27 +0100316#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200317#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200318 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200319 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
320#endif
321#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100322#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek2349c4d2019-01-08 09:36:01 -0500323 psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100324#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200325 unsigned char *psk; /*!< PSK from the callback */
326 size_t psk_len; /*!< Length of PSK from callback */
Hanno Beckerd9f7d432018-10-22 15:29:46 +0100327#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200328#if defined(MBEDTLS_X509_CRT_PARSE_C)
329 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
330#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200331 int sni_authmode; /*!< authmode from SNI callback */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200332 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
333 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
334 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100335#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200336#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200337#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200338 int ecrs_enabled; /*!< Handshake supports EC restart? */
Manuel Pégourié-Gonnard6b7301c2017-08-15 12:08:45 +0200339 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200340 enum { /* this complements ssl->state with info on intra-state operations */
341 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
342 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200343 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
344 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200345 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
346 } ecrs_state; /*!< current (or last) operation */
Hanno Becker3fd3f5e2019-02-25 10:08:06 +0000347 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200348 size_t ecrs_n; /*!< place for saving a length */
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200349#endif
Hanno Becker75173122019-02-06 16:18:31 +0000350#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
351 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
352 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
353#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200354#if defined(MBEDTLS_SSL_PROTO_DTLS)
355 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
356 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
357
358 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
359 Srv: unused */
360 unsigned char verify_cookie_len; /*!< Cli: cookie length
361 Srv: flag for sending a cookie */
362
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200363 uint32_t retransmit_timeout; /*!< Current value of timeout */
364 unsigned char retransmit_state; /*!< Retransmission state */
Manuel Pégourié-Gonnard28f4bea2017-09-13 14:00:05 +0200365 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
366 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
367 unsigned char *cur_msg_p; /*!< Position in current message */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200368 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
369 flight being received */
370 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
371 resending messages */
372 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
373 for resending messages */
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100374
Hanno Becker2f28c102019-04-25 15:46:59 +0100375#if defined(MBEDTLS_SSL_CID)
376 /* The state of CID configuration in this handshake. */
377
378 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
379 * has been negotited. Possible values are
380 * #MBEDTLS_SSL_CID_ENABLED and
381 * #MBEDTLS_SSL_CID_DISABLED. */
382 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
383 uint8_t peer_cid_len; /*!< The length of
384 * \c peer_cid. */
385#endif /* MBEDTLS_SSL_CID */
386
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100387 struct
388 {
Hanno Beckere0b150f2018-08-21 15:51:03 +0100389 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
390 * buffers used for message buffering. */
391
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100392 uint8_t seen_ccs; /*!< Indicates if a CCS message has
Hanno Becker2ed6bcc2018-08-15 15:11:57 +0100393 * been seen in the current flight. */
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100394
Hanno Becker0271f962018-08-16 13:23:47 +0100395 struct mbedtls_ssl_hs_buffer
396 {
Hanno Becker98081a02018-08-22 13:32:50 +0100397 unsigned is_valid : 1;
398 unsigned is_fragmented : 1;
399 unsigned is_complete : 1;
Hanno Becker0271f962018-08-16 13:23:47 +0100400 unsigned char *data;
Hanno Beckere0b150f2018-08-21 15:51:03 +0100401 size_t data_len;
Hanno Becker0271f962018-08-16 13:23:47 +0100402 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
403
Hanno Becker5f066e72018-08-16 14:56:31 +0100404 struct
405 {
406 unsigned char *data;
407 size_t len;
408 unsigned epoch;
409 } future_record;
410
Hanno Beckerd7f8ae22018-08-16 09:45:56 +0100411 } buffering;
Hanno Becker35462012018-08-22 10:25:40 +0100412
Manuel Pégourié-Gonnardf47a4af2018-08-22 10:38:52 +0200413 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100414#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200415
416 /*
417 * Checksum contexts
418 */
419#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
420 defined(MBEDTLS_SSL_PROTO_TLS1_1)
421 mbedtls_md5_context fin_md5;
422 mbedtls_sha1_context fin_sha1;
423#endif
424#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
425#if defined(MBEDTLS_SHA256_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500426#if defined(MBEDTLS_USE_PSA_CRYPTO)
427 psa_hash_operation_t fin_sha256_psa;
428#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200429 mbedtls_sha256_context fin_sha256;
430#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500431#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200432#if defined(MBEDTLS_SHA512_C)
Andrzej Kurekeb342242019-01-29 09:14:33 -0500433#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek972fba52019-01-30 03:29:12 -0500434 psa_hash_operation_t fin_sha384_psa;
Andrzej Kurekeb342242019-01-29 09:14:33 -0500435#else
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200436 mbedtls_sha512_context fin_sha512;
437#endif
Andrzej Kurekeb342242019-01-29 09:14:33 -0500438#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200439#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
440
441 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
442 void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
443 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
Ron Eldor51d3ab52019-05-12 14:54:30 +0300444 mbedtls_ssl_tls_prf_cb *tls_prf;
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200445
Hanno Beckere694c3e2017-12-27 21:34:08 +0000446 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
447
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200448 size_t pmslen; /*!< premaster length */
449
450 unsigned char randbytes[64]; /*!< random bytes */
451 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
452 /*!< premaster secret */
453
454 int resume; /*!< session resume indicator*/
455 int max_major_ver; /*!< max. major version client*/
456 int max_minor_ver; /*!< max. minor version client*/
457 int cli_exts; /*!< client extension presence*/
458
459#if defined(MBEDTLS_SSL_SESSION_TICKETS)
460 int new_session_ticket; /*!< use NewSessionTicket? */
461#endif /* MBEDTLS_SSL_SESSION_TICKETS */
462#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
463 int extended_ms; /*!< use Extended Master Secret? */
464#endif
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200465
466#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine78300732018-04-26 13:03:29 +0200467 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200468#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
469
470#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
471 /** Asynchronous operation context. This field is meant for use by the
472 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
473 * mbedtls_ssl_config::f_async_decrypt_start,
474 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
475 * The library does not use it internally. */
476 void *user_async_ctx;
477#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200478};
479
Hanno Becker0271f962018-08-16 13:23:47 +0100480typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
481
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200482/*
Hanno Beckerd362dc52018-01-03 15:23:11 +0000483 * Representation of decryption/encryption transformations on records
484 *
485 * There are the following general types of record transformations:
486 * - Stream transformations (TLS versions <= 1.2 only)
487 * Transformation adding a MAC and applying a stream-cipher
488 * to the authenticated message.
489 * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
490 * In addition to the distinction of the order of encryption and
491 * authentication, there's a fundamental difference between the
492 * handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
493 * and TLS 1.0, the final IV after processing a record is used
494 * as the IV for the next record. No explicit IV is contained
495 * in an encrypted record. The IV for the first record is extracted
496 * at key extraction time. In contrast, for TLS 1.1 and 1.2, no
497 * IV is generated at key extraction time, but every encrypted
498 * record is explicitly prefixed by the IV with which it was encrypted.
499 * - AEAD transformations ([D]TLS versions >= 1.2 only)
500 * These come in two fundamentally different versions, the first one
501 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
502 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
503 * In the first transformation, the IV to be used for a record is obtained
504 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
505 * record sequence number, and explicitly prepending this sequence number
506 * to the encrypted record. In contrast, in the second transformation
507 * the IV is obtained by XOR'ing a static IV obtained at key extraction
508 * time with the 8-byte record sequence number, without prepending the
509 * latter to the encrypted record.
510 *
511 * In addition to type and version, the following parameters are relevant:
512 * - The symmetric cipher algorithm to be used.
513 * - The (static) encryption/decryption keys for the cipher.
514 * - For stream/CBC, the type of message digest to be used.
515 * - For stream/CBC, (static) encryption/decryption keys for the digest.
Hanno Becker0db7e0c2018-10-18 15:39:53 +0100516 * - For AEAD transformations, the size (potentially 0) of an explicit,
517 * random initialization vector placed in encrypted records.
Hanno Beckerd362dc52018-01-03 15:23:11 +0000518 * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
519 * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
520 * and (if present) is combined with the explicit IV in a transformation-
521 * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
522 * - For stream/CBC, a flag determining the order of encryption and MAC.
523 * - The details of the transformation depend on the SSL/TLS version.
524 * - The length of the authentication tag.
525 *
Hanno Becker0db7e0c2018-10-18 15:39:53 +0100526 * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
527 * constant across multiple encryption/decryption operations.
528 * For CBC, the implicit IV needs to be updated after each
529 * operation.
530 *
Hanno Beckerd362dc52018-01-03 15:23:11 +0000531 * The struct below refines this abstract view as follows:
532 * - The cipher underlying the transformation is managed in
533 * cipher contexts cipher_ctx_{enc/dec}, which must have the
534 * same cipher type. The mode of these cipher contexts determines
535 * the type of the transformation in the sense above: e.g., if
536 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
537 * then the transformation has type CBC resp. AEAD.
538 * - The cipher keys are never stored explicitly but
539 * are maintained within cipher_ctx_{enc/dec}.
540 * - For stream/CBC transformations, the message digest contexts
541 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
542 * are unused for AEAD transformations.
543 * - For stream/CBC transformations and versions > SSL3, the
544 * MAC keys are not stored explicitly but maintained within
545 * md_ctx_{enc/dec}.
546 * - For stream/CBC transformations and version SSL3, the MAC
547 * keys are stored explicitly in mac_enc, mac_dec and have
548 * a fixed size of 20 bytes. These fields are unused for
549 * AEAD transformations or transformations >= TLS 1.0.
550 * - For transformations using an implicit IV maintained within
551 * the transformation context, its contents are stored within
552 * iv_{enc/dec}.
553 * - The value of ivlen indicates the length of the IV.
554 * This is redundant in case of stream/CBC transformations
555 * which always use 0 resp. the cipher's block length as the
556 * IV length, but is needed for AEAD ciphers and may be
557 * different from the underlying cipher's block length
558 * in this case.
559 * - The field fixed_ivlen is nonzero for AEAD transformations only
560 * and indicates the length of the static part of the IV which is
561 * constant throughout the communication, and which is stored in
562 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
563 * Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
564 * still store IV's for continued use across multiple transformations,
565 * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
566 * not being used!
567 * - minor_ver denotes the SSL/TLS version
568 * - For stream/CBC transformations, maclen denotes the length of the
569 * authentication tag, while taglen is unused and 0.
570 * - For AEAD transformations, taglen denotes the length of the
571 * authentication tag, while maclen is unused and 0.
572 * - For CBC transformations, encrypt_then_mac determines the
573 * order of encryption and authentication. This field is unused
574 * in other transformations.
575 *
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200576 */
577struct mbedtls_ssl_transform
578{
579 /*
580 * Session specific crypto layer
581 */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200582 size_t minlen; /*!< min. ciphertext length */
583 size_t ivlen; /*!< IV length */
584 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
Hanno Beckere694c3e2017-12-27 21:34:08 +0000585 size_t maclen; /*!< MAC(CBC) len */
586 size_t taglen; /*!< TAG(AEAD) len */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200587
588 unsigned char iv_enc[16]; /*!< IV (encryption) */
589 unsigned char iv_dec[16]; /*!< IV (decryption) */
590
Hanno Beckerd56ed242018-01-03 15:32:51 +0000591#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
592
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200593#if defined(MBEDTLS_SSL_PROTO_SSL3)
594 /* Needed only for SSL v3.0 secret */
595 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
596 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
597#endif /* MBEDTLS_SSL_PROTO_SSL3 */
598
599 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
600 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
601
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000602#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
603 int encrypt_then_mac; /*!< flag for EtM activation */
604#endif
605
Hanno Beckerd56ed242018-01-03 15:32:51 +0000606#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
607
608 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
609 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
Hanno Becker9eddaeb2017-12-27 21:37:21 +0000610 int minor_ver;
611
Hanno Becker1327fa72019-04-25 15:54:02 +0100612#if defined(MBEDTLS_SSL_CID)
613 uint8_t in_cid_len;
614 uint8_t out_cid_len;
615 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
616 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
617#endif /* MBEDTLS_SSL_CID */
618
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200619 /*
620 * Session specific compression layer
621 */
622#if defined(MBEDTLS_ZLIB_SUPPORT)
623 z_stream ctx_deflate; /*!< compression context */
624 z_stream ctx_inflate; /*!< decompression context */
625#endif
626};
627
Hanno Becker12a3a862018-01-05 15:42:50 +0000628/*
629 * Internal representation of record frames
630 *
Hanno Becker12a3a862018-01-05 15:42:50 +0000631 * Instances come in two flavors:
632 * (1) Encrypted
633 * These always have data_offset = 0
634 * (2) Unencrypted
Hanno Beckercd430bc2019-04-04 16:29:48 +0100635 * These have data_offset set to the amount of
636 * pre-expansion during record protection. Concretely,
637 * this is the length of the fixed part of the explicit IV
638 * used for encryption, or 0 if no explicit IV is used
639 * (e.g. for CBC in TLS 1.0, or stream ciphers).
Hanno Becker12a3a862018-01-05 15:42:50 +0000640 *
641 * The reason for the data_offset in the unencrypted case
642 * is to allow for in-place conversion of an unencrypted to
643 * an encrypted record. If the offset wasn't included, the
644 * encrypted content would need to be shifted afterwards to
645 * make space for the fixed IV.
646 *
647 */
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100648#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Becker75f080f2019-04-30 15:01:51 +0100649#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100650#else
Hanno Becker75f080f2019-04-30 15:01:51 +0100651#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100652#endif
653
Hanno Becker12a3a862018-01-05 15:42:50 +0000654typedef struct
655{
Hanno Beckerfe6bb8c2019-05-20 14:49:02 +0100656 uint8_t ctr[8]; /* Record sequence number */
657 uint8_t type; /* Record type */
658 uint8_t ver[2]; /* SSL/TLS version */
Hanno Becker12a3a862018-01-05 15:42:50 +0000659
Hanno Beckerfe6bb8c2019-05-20 14:49:02 +0100660 unsigned char *buf; /* Memory buffer enclosing the record content */
661 size_t buf_len; /* Buffer length */
662 size_t data_offset; /* Offset of record content */
663 size_t data_len; /* Length of record content */
Hanno Becker12a3a862018-01-05 15:42:50 +0000664
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100665#if defined(MBEDTLS_SSL_CID)
Hanno Beckerfe6bb8c2019-05-20 14:49:02 +0100666 uint8_t cid_len; /* Length of the CID (0 if not present) */
667 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
Hanno Beckerf2ed4482019-04-29 13:45:54 +0100668#endif /* MBEDTLS_SSL_CID */
669
Hanno Becker12a3a862018-01-05 15:42:50 +0000670} mbedtls_record;
671
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200672#if defined(MBEDTLS_X509_CRT_PARSE_C)
673/*
674 * List of certificate + private key pairs
675 */
676struct mbedtls_ssl_key_cert
677{
678 mbedtls_x509_crt *cert; /*!< cert */
679 mbedtls_pk_context *key; /*!< private key */
680 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
681};
682#endif /* MBEDTLS_X509_CRT_PARSE_C */
683
684#if defined(MBEDTLS_SSL_PROTO_DTLS)
685/*
686 * List of handshake messages kept around for resending
687 */
688struct mbedtls_ssl_flight_item
689{
690 unsigned char *p; /*!< message, including handshake headers */
691 size_t len; /*!< length of p */
692 unsigned char type; /*!< type of the message: handshake or CCS */
693 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
694};
695#endif /* MBEDTLS_SSL_PROTO_DTLS */
696
Hanno Becker7e5437a2017-04-28 17:15:26 +0100697#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
698 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
699
700/* Find an entry in a signature-hash set matching a given hash algorithm. */
701mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
702 mbedtls_pk_type_t sig_alg );
703/* Add a signature-hash-pair to a signature-hash set */
704void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
705 mbedtls_pk_type_t sig_alg,
706 mbedtls_md_type_t md_alg );
707/* Allow exactly one hash algorithm for each signature. */
708void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
709 mbedtls_md_type_t md_alg );
710
711/* Setup an empty signature-hash set */
712static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
713{
714 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
715}
716
717#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
718 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200719
720/**
721 * \brief Free referenced items in an SSL transform context and clear
722 * memory
723 *
724 * \param transform SSL transform context
725 */
726void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
727
728/**
729 * \brief Free referenced items in an SSL handshake context and clear
730 * memory
731 *
Gilles Peskine9b562d52018-04-25 20:32:43 +0200732 * \param ssl SSL context
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200733 */
Gilles Peskine9b562d52018-04-25 20:32:43 +0200734void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200735
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200736int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
737int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
738void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
739
740int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
741
742void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
743int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
744
Simon Butcher99000142016-10-13 17:21:01 +0100745int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
746int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
747void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
748
Hanno Becker4a810fb2017-05-24 16:27:30 +0100749/**
750 * \brief Update record layer
751 *
752 * This function roughly separates the implementation
753 * of the logic of (D)TLS from the implementation
754 * of the secure transport.
755 *
Hanno Becker3a0aad12018-08-20 09:44:02 +0100756 * \param ssl The SSL context to use.
757 * \param update_hs_digest This indicates if the handshake digest
758 * should be automatically updated in case
759 * a handshake message is found.
Hanno Becker4a810fb2017-05-24 16:27:30 +0100760 *
761 * \return 0 or non-zero error code.
762 *
763 * \note A clarification on what is called 'record layer' here
764 * is in order, as many sensible definitions are possible:
765 *
766 * The record layer takes as input an untrusted underlying
767 * transport (stream or datagram) and transforms it into
768 * a serially multiplexed, secure transport, which
769 * conceptually provides the following:
770 *
771 * (1) Three datagram based, content-agnostic transports
772 * for handshake, alert and CCS messages.
773 * (2) One stream- or datagram-based transport
774 * for application data.
775 * (3) Functionality for changing the underlying transform
776 * securing the contents.
777 *
778 * The interface to this functionality is given as follows:
779 *
780 * a Updating
781 * [Currently implemented by mbedtls_ssl_read_record]
782 *
783 * Check if and on which of the four 'ports' data is pending:
784 * Nothing, a controlling datagram of type (1), or application
785 * data (2). In any case data is present, internal buffers
786 * provide access to the data for the user to process it.
787 * Consumption of type (1) datagrams is done automatically
788 * on the next update, invalidating that the internal buffers
789 * for previous datagrams, while consumption of application
790 * data (2) is user-controlled.
791 *
792 * b Reading of application data
793 * [Currently manual adaption of ssl->in_offt pointer]
794 *
795 * As mentioned in the last paragraph, consumption of data
796 * is different from the automatic consumption of control
797 * datagrams (1) because application data is treated as a stream.
798 *
799 * c Tracking availability of application data
800 * [Currently manually through decreasing ssl->in_msglen]
801 *
802 * For efficiency and to retain datagram semantics for
803 * application data in case of DTLS, the record layer
804 * provides functionality for checking how much application
805 * data is still available in the internal buffer.
806 *
807 * d Changing the transformation securing the communication.
808 *
809 * Given an opaque implementation of the record layer in the
810 * above sense, it should be possible to implement the logic
811 * of (D)TLS on top of it without the need to know anything
812 * about the record layer's internals. This is done e.g.
813 * in all the handshake handling functions, and in the
814 * application data reading function mbedtls_ssl_read.
815 *
816 * \note The above tries to give a conceptual picture of the
817 * record layer, but the current implementation deviates
818 * from it in some places. For example, our implementation of
819 * the update functionality through mbedtls_ssl_read_record
820 * discards datagrams depending on the current state, which
821 * wouldn't fall under the record layer's responsibility
822 * following the above definition.
823 *
824 */
Hanno Becker3a0aad12018-08-20 09:44:02 +0100825int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
826 unsigned update_hs_digest );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200827int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
828
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200829int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
Hanno Becker67bc7c32018-08-06 11:33:50 +0100830int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200831int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
832
833int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
834int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
835
836int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
837int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
838
839int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
840int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
841
842void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
843 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
844
845#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
846int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
847#endif
848
849#if defined(MBEDTLS_PK_C)
850unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
Hanno Becker7e5437a2017-04-28 17:15:26 +0100851unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200852mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
853#endif
854
855mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200856unsigned char mbedtls_ssl_hash_from_md_alg( int md );
Simon Butcher99000142016-10-13 17:21:01 +0100857int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200858
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200859#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200860int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200861#endif
862
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200863#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200864int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
865 mbedtls_md_type_t md );
866#endif
867
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200868#if defined(MBEDTLS_X509_CRT_PARSE_C)
869static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
870{
871 mbedtls_ssl_key_cert *key_cert;
872
873 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
874 key_cert = ssl->handshake->key_cert;
875 else
876 key_cert = ssl->conf->key_cert;
877
878 return( key_cert == NULL ? NULL : key_cert->key );
879}
880
881static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
882{
883 mbedtls_ssl_key_cert *key_cert;
884
885 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
886 key_cert = ssl->handshake->key_cert;
887 else
888 key_cert = ssl->conf->key_cert;
889
890 return( key_cert == NULL ? NULL : key_cert->cert );
891}
892
893/*
894 * Check usage of a certificate wrt extensions:
895 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
896 *
897 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
898 * check a cert we received from them)!
899 *
900 * Return 0 if everything is OK, -1 if not.
901 */
902int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
903 const mbedtls_ssl_ciphersuite_t *ciphersuite,
904 int cert_endpoint,
905 uint32_t *flags );
906#endif /* MBEDTLS_X509_CRT_PARSE_C */
907
908void mbedtls_ssl_write_version( int major, int minor, int transport,
909 unsigned char ver[2] );
910void mbedtls_ssl_read_version( int *major, int *minor, int transport,
911 const unsigned char ver[2] );
912
Hanno Becker5903de42019-05-03 14:46:38 +0100913static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200914{
Hanno Becker3b154c12019-05-03 15:05:27 +0100915 return( (size_t) ( ssl->in_iv - ssl->in_hdr ) );
Hanno Becker5903de42019-05-03 14:46:38 +0100916}
917
918static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
919{
Hanno Becker3b154c12019-05-03 15:05:27 +0100920 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200921}
922
923static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
924{
925#if defined(MBEDTLS_SSL_PROTO_DTLS)
926 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
927 return( 12 );
928#else
929 ((void) ssl);
930#endif
931 return( 4 );
932}
933
934#if defined(MBEDTLS_SSL_PROTO_DTLS)
935void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
936void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
937int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200938int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200939#endif
940
941/* Visible for testing purposes only */
942#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
943int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
944void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
945#endif
946
Hanno Becker52055ae2019-02-06 14:30:46 +0000947int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
948 const mbedtls_ssl_session *src );
949
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200950/* constant-time buffer comparison */
951static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
952{
953 size_t i;
Hanno Becker59e69632017-06-26 13:26:58 +0100954 volatile const unsigned char *A = (volatile const unsigned char *) a;
955 volatile const unsigned char *B = (volatile const unsigned char *) b;
956 volatile unsigned char diff = 0;
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200957
958 for( i = 0; i < n; i++ )
Azim Khan45b79cf2018-05-23 16:55:16 +0100959 {
960 /* Read volatile data in order before computing diff.
961 * This avoids IAR compiler warning:
962 * 'the order of volatile accesses is undefined ..' */
963 unsigned char x = A[i], y = B[i];
964 diff |= x ^ y;
965 }
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200966
967 return( diff );
968}
969
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100970#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
971 defined(MBEDTLS_SSL_PROTO_TLS1_1)
972int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
973 unsigned char *output,
974 unsigned char *data, size_t data_len );
975#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
976 MBEDTLS_SSL_PROTO_TLS1_1 */
977
978#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
979 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Andrzej Kurek814feff2019-01-14 04:35:19 -0500980/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100981int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +0200982 unsigned char *hash, size_t *hashlen,
983 unsigned char *data, size_t data_len,
984 mbedtls_md_type_t md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100985#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
986 MBEDTLS_SSL_PROTO_TLS1_2 */
987
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200988#ifdef __cplusplus
989}
990#endif
991
Hanno Beckera18d1322018-01-03 14:27:32 +0000992void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
993int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
994 mbedtls_ssl_transform *transform,
995 mbedtls_record *rec,
996 int (*f_rng)(void *, unsigned char *, size_t),
997 void *p_rng );
998int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
999 mbedtls_ssl_transform *transform,
1000 mbedtls_record *rec );
1001
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001002#endif /* ssl_internal.h */