blob: f48fe9042587ab79d20095f3a2a56b705b462233 [file] [log] [blame]
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02001/**
Darryl Greena40a1012018-01-05 15:33:17 +00002 * \file ssl_internal.h
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +02003 *
4 * \brief Internal functions shared by the SSL modules
Darryl Greena40a1012018-01-05 15:33:17 +00005 */
6/*
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02008 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020021 *
22 * This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020023 */
24#ifndef MBEDTLS_SSL_INTERNAL_H
25#define MBEDTLS_SSL_INTERNAL_H
26
27#include "ssl.h"
Hanno Beckera8434e82017-09-18 10:54:39 +010028#include "cipher.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +020029
Manuel Pégourié-Gonnard56273da2015-05-26 12:19:45 +020030#if defined(MBEDTLS_MD5_C)
31#include "md5.h"
32#endif
33
34#if defined(MBEDTLS_SHA1_C)
35#include "sha1.h"
36#endif
37
38#if defined(MBEDTLS_SHA256_C)
39#include "sha256.h"
40#endif
41
42#if defined(MBEDTLS_SHA512_C)
43#include "sha512.h"
44#endif
45
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +020046#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +020047#include "ecjpake.h"
48#endif
49
Manuel Pégourié-Gonnard0223ab92015-10-05 11:40:01 +010050#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
51 !defined(inline) && !defined(__cplusplus)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020052#define inline __inline
Manuel Pégourié-Gonnard20af64d2015-07-07 18:33:39 +020053#endif
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020054
55/* Determine minimum supported version */
56#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
57
58#if defined(MBEDTLS_SSL_PROTO_SSL3)
59#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
60#else
61#if defined(MBEDTLS_SSL_PROTO_TLS1)
62#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
63#else
64#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
65#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
66#else
67#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
68#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
69#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
70#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
71#endif /* MBEDTLS_SSL_PROTO_TLS1 */
72#endif /* MBEDTLS_SSL_PROTO_SSL3 */
73
Ron Eldor5e9f14d2017-05-28 10:46:38 +030074#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
75#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
76
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +020077/* Determine maximum supported version */
78#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
79
80#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
81#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
82#else
83#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
84#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
85#else
86#if defined(MBEDTLS_SSL_PROTO_TLS1)
87#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
88#else
89#if defined(MBEDTLS_SSL_PROTO_SSL3)
90#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
91#endif /* MBEDTLS_SSL_PROTO_SSL3 */
92#endif /* MBEDTLS_SSL_PROTO_TLS1 */
93#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
94#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
95
96#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
97#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
98#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
99#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
100
101/*
102 * DTLS retransmission states, see RFC 6347 4.2.4
103 *
104 * The SENDING state is merged in PREPARING for initial sends,
105 * but is distinct for resends.
106 *
107 * Note: initial state is wrong for server, but is not used anyway.
108 */
109#define MBEDTLS_SSL_RETRANS_PREPARING 0
110#define MBEDTLS_SSL_RETRANS_SENDING 1
111#define MBEDTLS_SSL_RETRANS_WAITING 2
112#define MBEDTLS_SSL_RETRANS_FINISHED 3
113
114/*
115 * Allow extra bytes for record, authentication and encryption overhead:
116 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
117 * and allow for a maximum of 1024 of compression expansion if
118 * enabled.
119 */
120#if defined(MBEDTLS_ZLIB_SUPPORT)
121#define MBEDTLS_SSL_COMPRESSION_ADD 1024
122#else
123#define MBEDTLS_SSL_COMPRESSION_ADD 0
124#endif
125
126#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
127/* Ciphersuites using HMAC */
128#if defined(MBEDTLS_SHA512_C)
129#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
130#elif defined(MBEDTLS_SHA256_C)
131#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
132#else
133#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
134#endif
135#else
136/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
137#define MBEDTLS_SSL_MAC_ADD 16
138#endif
139
140#if defined(MBEDTLS_CIPHER_MODE_CBC)
141#define MBEDTLS_SSL_PADDING_ADD 256
142#else
143#define MBEDTLS_SSL_PADDING_ADD 0
144#endif
145
Hanno Beckera8434e82017-09-18 10:54:39 +0100146#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
147 + MBEDTLS_SSL_COMPRESSION_ADD \
148 + MBEDTLS_MAX_IV_LENGTH \
149 + MBEDTLS_SSL_MAC_ADD \
150 + MBEDTLS_SSL_PADDING_ADD \
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200151 )
152
153/*
Hanno Beckera8434e82017-09-18 10:54:39 +0100154 * Check that we obey the standard's message size bounds
155 */
156
157#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
158#error Bad configuration - record content too large.
159#endif
160
161#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
162#error Bad configuration - protected record payload too large.
163#endif
164
Hanno Becker25d6d1a2017-12-07 08:22:51 +0000165/* Note: Even though the TLS record header is only 5 bytes
166 long, we're internally using 8 bytes to store the
167 implicit sequence number. */
Hanno Beckerd25d4442017-10-04 13:56:42 +0100168#define MBEDTLS_SSL_HEADER_LEN 13
Hanno Beckera8434e82017-09-18 10:54:39 +0100169
Hanno Beckerd25d4442017-10-04 13:56:42 +0100170#define MBEDTLS_SSL_BUFFER_LEN \
171 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) )
Hanno Beckera8434e82017-09-18 10:54:39 +0100172
173/*
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200174 * TLS extension flags (for extensions with outgoing ServerHello content
175 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
176 * of state of the renegotiation flag, so no indicator is required)
177 */
178#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200179#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
Manuel Pégourié-Gonnard065122c2015-05-26 12:31:46 +0200180
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200181#ifdef __cplusplus
182extern "C" {
183#endif
184
Hanno Becker7e5437a2017-04-28 17:15:26 +0100185#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
186 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
187/*
188 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
189 */
190struct mbedtls_ssl_sig_hash_set_t
191{
192 /* At the moment, we only need to remember a single suitable
193 * hash algorithm per signature algorithm. As long as that's
194 * the case - and we don't need a general lookup function -
195 * we can implement the sig-hash-set as a map from signatures
196 * to hash algorithms. */
197 mbedtls_md_type_t rsa;
198 mbedtls_md_type_t ecdsa;
199};
200#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
201 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
202
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200203/*
204 * This structure contains the parameters only needed during handshake.
205 */
206struct mbedtls_ssl_handshake_params
207{
208 /*
209 * Handshake specific crypto variables
210 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100211
212#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
213 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
214 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
215#endif
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200216#if defined(MBEDTLS_DHM_C)
217 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
218#endif
219#if defined(MBEDTLS_ECDH_C)
220 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
221#endif
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200222#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard76cfd3f2015-09-15 12:10:54 +0200223 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
Manuel Pégourié-Gonnard77c06462015-09-17 13:59:49 +0200224#if defined(MBEDTLS_SSL_CLI_C)
225 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
226 size_t ecjpake_cache_len; /*!< Length of cached data */
227#endif
Hanno Becker1aa267c2017-04-28 17:08:27 +0100228#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200229#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200230 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200231 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
232#endif
233#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
234 unsigned char *psk; /*!< PSK from the callback */
235 size_t psk_len; /*!< Length of PSK from callback */
236#endif
237#if defined(MBEDTLS_X509_CRT_PARSE_C)
238 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
239#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200240 int sni_authmode; /*!< authmode from SNI callback */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200241 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
242 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
243 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100244#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200245#endif /* MBEDTLS_X509_CRT_PARSE_C */
Gilles Peskine8bf79f62018-01-05 21:11:53 +0100246
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200247#if defined(MBEDTLS_SSL_PROTO_DTLS)
248 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
249 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
250
251 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
252 Srv: unused */
253 unsigned char verify_cookie_len; /*!< Cli: cookie length
254 Srv: flag for sending a cookie */
255
256 unsigned char *hs_msg; /*!< Reassembled handshake message */
257
258 uint32_t retransmit_timeout; /*!< Current value of timeout */
259 unsigned char retransmit_state; /*!< Retransmission state */
260 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
261 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
262 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
263 flight being received */
264 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
265 resending messages */
266 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
267 for resending messages */
Hanno Becker1aa267c2017-04-28 17:08:27 +0100268#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200269
270 /*
271 * Checksum contexts
272 */
273#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
274 defined(MBEDTLS_SSL_PROTO_TLS1_1)
275 mbedtls_md5_context fin_md5;
276 mbedtls_sha1_context fin_sha1;
277#endif
278#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
279#if defined(MBEDTLS_SHA256_C)
280 mbedtls_sha256_context fin_sha256;
281#endif
282#if defined(MBEDTLS_SHA512_C)
283 mbedtls_sha512_context fin_sha512;
284#endif
285#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
286
287 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
288 void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
289 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
290 int (*tls_prf)(const unsigned char *, size_t, const char *,
291 const unsigned char *, size_t,
292 unsigned char *, size_t);
293
294 size_t pmslen; /*!< premaster length */
295
296 unsigned char randbytes[64]; /*!< random bytes */
297 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
298 /*!< premaster secret */
299
300 int resume; /*!< session resume indicator*/
301 int max_major_ver; /*!< max. major version client*/
302 int max_minor_ver; /*!< max. minor version client*/
303 int cli_exts; /*!< client extension presence*/
304
305#if defined(MBEDTLS_SSL_SESSION_TICKETS)
306 int new_session_ticket; /*!< use NewSessionTicket? */
307#endif /* MBEDTLS_SSL_SESSION_TICKETS */
308#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
309 int extended_ms; /*!< use Extended Master Secret? */
310#endif
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200311
312#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine78300732018-04-26 13:03:29 +0200313 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200314#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
315
316#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
317 /** Asynchronous operation context. This field is meant for use by the
318 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
319 * mbedtls_ssl_config::f_async_decrypt_start,
320 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
321 * The library does not use it internally. */
322 void *user_async_ctx;
323#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200324};
325
326/*
327 * This structure contains a full set of runtime transform parameters
328 * either in negotiation or active.
329 */
330struct mbedtls_ssl_transform
331{
332 /*
333 * Session specific crypto layer
334 */
335 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
336 /*!< Chosen cipersuite_info */
Manuel Pégourié-Gonnard39a48f42015-06-18 16:06:55 +0200337 unsigned int keylen; /*!< symmetric key length (bytes) */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200338 size_t minlen; /*!< min. ciphertext length */
339 size_t ivlen; /*!< IV length */
340 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
341 size_t maclen; /*!< MAC length */
342
343 unsigned char iv_enc[16]; /*!< IV (encryption) */
344 unsigned char iv_dec[16]; /*!< IV (decryption) */
345
346#if defined(MBEDTLS_SSL_PROTO_SSL3)
347 /* Needed only for SSL v3.0 secret */
348 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
349 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
350#endif /* MBEDTLS_SSL_PROTO_SSL3 */
351
352 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
353 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
354
355 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
356 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
357
358 /*
359 * Session specific compression layer
360 */
361#if defined(MBEDTLS_ZLIB_SUPPORT)
362 z_stream ctx_deflate; /*!< compression context */
363 z_stream ctx_inflate; /*!< decompression context */
364#endif
365};
366
367#if defined(MBEDTLS_X509_CRT_PARSE_C)
368/*
369 * List of certificate + private key pairs
370 */
371struct mbedtls_ssl_key_cert
372{
373 mbedtls_x509_crt *cert; /*!< cert */
374 mbedtls_pk_context *key; /*!< private key */
375 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
376};
377#endif /* MBEDTLS_X509_CRT_PARSE_C */
378
379#if defined(MBEDTLS_SSL_PROTO_DTLS)
380/*
381 * List of handshake messages kept around for resending
382 */
383struct mbedtls_ssl_flight_item
384{
385 unsigned char *p; /*!< message, including handshake headers */
386 size_t len; /*!< length of p */
387 unsigned char type; /*!< type of the message: handshake or CCS */
388 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
389};
390#endif /* MBEDTLS_SSL_PROTO_DTLS */
391
Hanno Becker7e5437a2017-04-28 17:15:26 +0100392#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
393 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
394
395/* Find an entry in a signature-hash set matching a given hash algorithm. */
396mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
397 mbedtls_pk_type_t sig_alg );
398/* Add a signature-hash-pair to a signature-hash set */
399void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
400 mbedtls_pk_type_t sig_alg,
401 mbedtls_md_type_t md_alg );
402/* Allow exactly one hash algorithm for each signature. */
403void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
404 mbedtls_md_type_t md_alg );
405
406/* Setup an empty signature-hash set */
407static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
408{
409 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
410}
411
412#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
413 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200414
415/**
416 * \brief Free referenced items in an SSL transform context and clear
417 * memory
418 *
419 * \param transform SSL transform context
420 */
421void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
422
423/**
424 * \brief Free referenced items in an SSL handshake context and clear
425 * memory
426 *
Gilles Peskine9b562d52018-04-25 20:32:43 +0200427 * \param ssl SSL context
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200428 */
Gilles Peskine9b562d52018-04-25 20:32:43 +0200429void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
Manuel Pégourié-Gonnardcd4fcc62015-05-26 12:11:48 +0200430
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200431int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
432int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
433void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
434
435int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
436
437void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
438int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
439
Simon Butcher99000142016-10-13 17:21:01 +0100440int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl );
441int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
442int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
443void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
444
Hanno Becker4a810fb2017-05-24 16:27:30 +0100445/**
446 * \brief Update record layer
447 *
448 * This function roughly separates the implementation
449 * of the logic of (D)TLS from the implementation
450 * of the secure transport.
451 *
452 * \param ssl SSL context to use
453 *
454 * \return 0 or non-zero error code.
455 *
456 * \note A clarification on what is called 'record layer' here
457 * is in order, as many sensible definitions are possible:
458 *
459 * The record layer takes as input an untrusted underlying
460 * transport (stream or datagram) and transforms it into
461 * a serially multiplexed, secure transport, which
462 * conceptually provides the following:
463 *
464 * (1) Three datagram based, content-agnostic transports
465 * for handshake, alert and CCS messages.
466 * (2) One stream- or datagram-based transport
467 * for application data.
468 * (3) Functionality for changing the underlying transform
469 * securing the contents.
470 *
471 * The interface to this functionality is given as follows:
472 *
473 * a Updating
474 * [Currently implemented by mbedtls_ssl_read_record]
475 *
476 * Check if and on which of the four 'ports' data is pending:
477 * Nothing, a controlling datagram of type (1), or application
478 * data (2). In any case data is present, internal buffers
479 * provide access to the data for the user to process it.
480 * Consumption of type (1) datagrams is done automatically
481 * on the next update, invalidating that the internal buffers
482 * for previous datagrams, while consumption of application
483 * data (2) is user-controlled.
484 *
485 * b Reading of application data
486 * [Currently manual adaption of ssl->in_offt pointer]
487 *
488 * As mentioned in the last paragraph, consumption of data
489 * is different from the automatic consumption of control
490 * datagrams (1) because application data is treated as a stream.
491 *
492 * c Tracking availability of application data
493 * [Currently manually through decreasing ssl->in_msglen]
494 *
495 * For efficiency and to retain datagram semantics for
496 * application data in case of DTLS, the record layer
497 * provides functionality for checking how much application
498 * data is still available in the internal buffer.
499 *
500 * d Changing the transformation securing the communication.
501 *
502 * Given an opaque implementation of the record layer in the
503 * above sense, it should be possible to implement the logic
504 * of (D)TLS on top of it without the need to know anything
505 * about the record layer's internals. This is done e.g.
506 * in all the handshake handling functions, and in the
507 * application data reading function mbedtls_ssl_read.
508 *
509 * \note The above tries to give a conceptual picture of the
510 * record layer, but the current implementation deviates
511 * from it in some places. For example, our implementation of
512 * the update functionality through mbedtls_ssl_read_record
513 * discards datagrams depending on the current state, which
514 * wouldn't fall under the record layer's responsibility
515 * following the above definition.
516 *
517 */
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200518int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
519int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
520
521int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl );
522int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
523
524int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
525int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
526
527int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
528int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
529
530int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
531int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
532
533void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
534 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
535
536#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
537int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
538#endif
539
540#if defined(MBEDTLS_PK_C)
541unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
Hanno Becker7e5437a2017-04-28 17:15:26 +0100542unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200543mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
544#endif
545
546mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200547unsigned char mbedtls_ssl_hash_from_md_alg( int md );
Simon Butcher99000142016-10-13 17:21:01 +0100548int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200549
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200550#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200551int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200552#endif
553
Manuel Pégourié-Gonnarde5f30722015-10-22 17:01:15 +0200554#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200555int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
556 mbedtls_md_type_t md );
557#endif
558
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200559#if defined(MBEDTLS_X509_CRT_PARSE_C)
560static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
561{
562 mbedtls_ssl_key_cert *key_cert;
563
564 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
565 key_cert = ssl->handshake->key_cert;
566 else
567 key_cert = ssl->conf->key_cert;
568
569 return( key_cert == NULL ? NULL : key_cert->key );
570}
571
572static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
573{
574 mbedtls_ssl_key_cert *key_cert;
575
576 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
577 key_cert = ssl->handshake->key_cert;
578 else
579 key_cert = ssl->conf->key_cert;
580
581 return( key_cert == NULL ? NULL : key_cert->cert );
582}
583
584/*
585 * Check usage of a certificate wrt extensions:
586 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
587 *
588 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
589 * check a cert we received from them)!
590 *
591 * Return 0 if everything is OK, -1 if not.
592 */
593int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
594 const mbedtls_ssl_ciphersuite_t *ciphersuite,
595 int cert_endpoint,
596 uint32_t *flags );
597#endif /* MBEDTLS_X509_CRT_PARSE_C */
598
599void mbedtls_ssl_write_version( int major, int minor, int transport,
600 unsigned char ver[2] );
601void mbedtls_ssl_read_version( int *major, int *minor, int transport,
602 const unsigned char ver[2] );
603
604static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
605{
606#if defined(MBEDTLS_SSL_PROTO_DTLS)
607 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
608 return( 13 );
609#else
610 ((void) ssl);
611#endif
612 return( 5 );
613}
614
615static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
616{
617#if defined(MBEDTLS_SSL_PROTO_DTLS)
618 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
619 return( 12 );
620#else
621 ((void) ssl);
622#endif
623 return( 4 );
624}
625
626#if defined(MBEDTLS_SSL_PROTO_DTLS)
627void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
628void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
629int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
630#endif
631
632/* Visible for testing purposes only */
633#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
634int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
635void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
636#endif
637
638/* constant-time buffer comparison */
639static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
640{
641 size_t i;
Hanno Becker59e69632017-06-26 13:26:58 +0100642 volatile const unsigned char *A = (volatile const unsigned char *) a;
643 volatile const unsigned char *B = (volatile const unsigned char *) b;
644 volatile unsigned char diff = 0;
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200645
646 for( i = 0; i < n; i++ )
Azim Khan45b79cf2018-05-23 16:55:16 +0100647 {
648 /* Read volatile data in order before computing diff.
649 * This avoids IAR compiler warning:
650 * 'the order of volatile accesses is undefined ..' */
651 unsigned char x = A[i], y = B[i];
652 diff |= x ^ y;
653 }
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200654
655 return( diff );
656}
657
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100658#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
659 defined(MBEDTLS_SSL_PROTO_TLS1_1)
660int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
661 unsigned char *output,
662 unsigned char *data, size_t data_len );
663#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
664 MBEDTLS_SSL_PROTO_TLS1_1 */
665
666#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
667 defined(MBEDTLS_SSL_PROTO_TLS1_2)
668int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
Gilles Peskineca1d7422018-04-24 11:53:22 +0200669 unsigned char *hash, size_t *hashlen,
670 unsigned char *data, size_t data_len,
671 mbedtls_md_type_t md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100672#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
673 MBEDTLS_SSL_PROTO_TLS1_2 */
674
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200675#ifdef __cplusplus
676}
677#endif
678
679#endif /* ssl_internal.h */