1 /**
2  * \file ssl_internal.h
3  *
4  * \brief Internal functions shared by the SSL modules
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9  *
10  *  This file is provided under the Apache License 2.0, or the
11  *  GNU General Public License v2.0 or later.
12  *
13  *  **********
14  *  Apache License 2.0:
15  *
16  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
17  *  not use this file except in compliance with the License.
18  *  You may obtain a copy of the License at
19  *
20  *  http://www.apache.org/licenses/LICENSE-2.0
21  *
22  *  Unless required by applicable law or agreed to in writing, software
23  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
24  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25  *  See the License for the specific language governing permissions and
26  *  limitations under the License.
27  *
28  *  **********
29  *
30  *  **********
31  *  GNU General Public License v2.0 or later:
32  *
33  *  This program is free software; you can redistribute it and/or modify
34  *  it under the terms of the GNU General Public License as published by
35  *  the Free Software Foundation; either version 2 of the License, or
36  *  (at your option) any later version.
37  *
38  *  This program is distributed in the hope that it will be useful,
39  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
40  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
41  *  GNU General Public License for more details.
42  *
43  *  You should have received a copy of the GNU General Public License along
44  *  with this program; if not, write to the Free Software Foundation, Inc.,
45  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
46  *
47  *  **********
48  */
49 #ifndef MBEDTLS_SSL_INTERNAL_H
50 #define MBEDTLS_SSL_INTERNAL_H
51 
52 #if !defined(MBEDTLS_CONFIG_FILE)
53 #include "config.h"
54 #else
55 #include MBEDTLS_CONFIG_FILE
56 #endif
57 
58 #include "ssl.h"
59 #include "cipher.h"
60 
61 #if defined(MBEDTLS_MD5_C)
62 #include "md5.h"
63 #endif
64 
65 #if defined(MBEDTLS_SHA1_C)
66 #include "sha1.h"
67 #endif
68 
69 #if defined(MBEDTLS_SHA256_C)
70 #include "sha256.h"
71 #endif
72 
73 #if defined(MBEDTLS_SHA512_C)
74 #include "sha512.h"
75 #endif
76 
77 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
78 #include "ecjpake.h"
79 #endif
80 
81 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
82     !defined(inline) && !defined(__cplusplus)
83 #define inline __inline
84 #endif
85 
86 /* Determine minimum supported version */
87 #define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
88 
89 #if defined(MBEDTLS_SSL_PROTO_SSL3)
90 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
91 #else
92 #if defined(MBEDTLS_SSL_PROTO_TLS1)
93 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
94 #else
95 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
96 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
97 #else
98 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
99 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
100 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
101 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
102 #endif /* MBEDTLS_SSL_PROTO_TLS1   */
103 #endif /* MBEDTLS_SSL_PROTO_SSL3   */
104 
105 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
106 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
107 
108 /* Determine maximum supported version */
109 #define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
110 
111 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
112 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
113 #else
114 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
115 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
116 #else
117 #if defined(MBEDTLS_SSL_PROTO_TLS1)
118 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
119 #else
120 #if defined(MBEDTLS_SSL_PROTO_SSL3)
121 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
122 #endif /* MBEDTLS_SSL_PROTO_SSL3   */
123 #endif /* MBEDTLS_SSL_PROTO_TLS1   */
124 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
125 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
126 
127 /* Shorthand for restartable ECC */
128 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
129     defined(MBEDTLS_SSL_CLI_C) && \
130     defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
131     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
132 #define MBEDTLS_SSL__ECP_RESTARTABLE
133 #endif
134 
135 #define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
136 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
137 #define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
138 #define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
139 
140 /*
141  * DTLS retransmission states, see RFC 6347 4.2.4
142  *
143  * The SENDING state is merged in PREPARING for initial sends,
144  * but is distinct for resends.
145  *
146  * Note: initial state is wrong for server, but is not used anyway.
147  */
148 #define MBEDTLS_SSL_RETRANS_PREPARING       0
149 #define MBEDTLS_SSL_RETRANS_SENDING         1
150 #define MBEDTLS_SSL_RETRANS_WAITING         2
151 #define MBEDTLS_SSL_RETRANS_FINISHED        3
152 
153 /* This macro determines whether CBC is supported. */
154 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
155     ( defined(MBEDTLS_AES_C)      ||                                  \
156       defined(MBEDTLS_CAMELLIA_C) ||                                  \
157       defined(MBEDTLS_ARIA_C)     ||                                  \
158       defined(MBEDTLS_DES_C) )
159 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
160 #endif
161 
162 /* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
163  * opposed to the very different CBC construct used in SSLv3) is supported. */
164 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
165     ( defined(MBEDTLS_SSL_PROTO_TLS1) ||        \
166       defined(MBEDTLS_SSL_PROTO_TLS1_1) ||      \
167       defined(MBEDTLS_SSL_PROTO_TLS1_2) )
168 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
169 #endif
170 
171 /*
172  * Allow extra bytes for record, authentication and encryption overhead:
173  * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
174  * and allow for a maximum of 1024 of compression expansion if
175  * enabled.
176  */
177 #if defined(MBEDTLS_ZLIB_SUPPORT)
178 #define MBEDTLS_SSL_COMPRESSION_ADD          1024
179 #else
180 #define MBEDTLS_SSL_COMPRESSION_ADD             0
181 #endif
182 
183 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
184 /* Ciphersuites using HMAC */
185 #if defined(MBEDTLS_SHA512_C)
186 #define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
187 #elif defined(MBEDTLS_SHA256_C)
188 #define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
189 #else
190 #define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
191 #endif
192 #else
193 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
194 #define MBEDTLS_SSL_MAC_ADD                 16
195 #endif
196 
197 #if defined(MBEDTLS_CIPHER_MODE_CBC)
198 #define MBEDTLS_SSL_PADDING_ADD            256
199 #else
200 #define MBEDTLS_SSL_PADDING_ADD              0
201 #endif
202 
203 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
204                                        MBEDTLS_MAX_IV_LENGTH +          \
205                                        MBEDTLS_SSL_MAC_ADD +            \
206                                        MBEDTLS_SSL_PADDING_ADD          \
207                                        )
208 
209 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
210                                      ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
211 
212 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
213                                       ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
214 
215 /* The maximum number of buffered handshake messages. */
216 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
217 
218 /* Maximum length we can advertise as our max content length for
219    RFC 6066 max_fragment_length extension negotiation purposes
220    (the lesser of both sizes, if they are unequal.)
221  */
222 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
223         (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
224         ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
225         : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
226         )
227 
228 /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
229 #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN  65534
230 
231 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
232 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
233 
234 /*
235  * Check that we obey the standard's message size bounds
236  */
237 
238 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
239 #error "Bad configuration - record content too large."
240 #endif
241 
242 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
243 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
244 #endif
245 
246 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
247 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
248 #endif
249 
250 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
251 #error "Bad configuration - incoming protected record payload too large."
252 #endif
253 
254 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
255 #error "Bad configuration - outgoing protected record payload too large."
256 #endif
257 
258 /* Calculate buffer sizes */
259 
260 /* Note: Even though the TLS record header is only 5 bytes
261    long, we're internally using 8 bytes to store the
262    implicit sequence number. */
263 #define MBEDTLS_SSL_HEADER_LEN 13
264 
265 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
266     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
267 
268 #define MBEDTLS_SSL_OUT_BUFFER_LEN  \
269     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
270 
271 #ifdef MBEDTLS_ZLIB_SUPPORT
272 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
273 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
274         ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN )      \
275         ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
276         : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
277         )
278 #endif
279 
280 /*
281  * TLS extension flags (for extensions with outgoing ServerHello content
282  * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
283  * of state of the renegotiation flag, so no indicator is required)
284  */
285 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
286 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
287 
288 /**
289  * \brief        This function checks if the remaining size in a buffer is
290  *               greater or equal than a needed space.
291  *
292  * \param cur    Pointer to the current position in the buffer.
293  * \param end    Pointer to one past the end of the buffer.
294  * \param need   Needed space in bytes.
295  *
296  * \return       Zero if the needed space is available in the buffer, non-zero
297  *               otherwise.
298  */
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)299 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
300                                            const uint8_t *end, size_t need )
301 {
302     return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
303 }
304 
305 /**
306  * \brief        This macro checks if the remaining size in a buffer is
307  *               greater or equal than a needed space. If it is not the case,
308  *               it returns an SSL_BUFFER_TOO_SMALL error.
309  *
310  * \param cur    Pointer to the current position in the buffer.
311  * \param end    Pointer to one past the end of the buffer.
312  * \param need   Needed space in bytes.
313  *
314  */
315 #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need )                        \
316     do {                                                                 \
317         if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
318         {                                                                \
319             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );                  \
320         }                                                                \
321     } while( 0 )
322 
323 #ifdef __cplusplus
324 extern "C" {
325 #endif
326 
327 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
328     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
329 /*
330  * Abstraction for a grid of allowed signature-hash-algorithm pairs.
331  */
332 struct mbedtls_ssl_sig_hash_set_t
333 {
334     /* At the moment, we only need to remember a single suitable
335      * hash algorithm per signature algorithm. As long as that's
336      * the case - and we don't need a general lookup function -
337      * we can implement the sig-hash-set as a map from signatures
338      * to hash algorithms. */
339     mbedtls_md_type_t rsa;
340     mbedtls_md_type_t ecdsa;
341 };
342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
343           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
344 
345 /*
346  * This structure contains the parameters only needed during handshake.
347  */
348 struct mbedtls_ssl_handshake_params
349 {
350     /*
351      * Handshake specific crypto variables
352      */
353 
354 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
355     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
356     mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
357 #endif
358 #if defined(MBEDTLS_DHM_C)
359     mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
360 #endif
361 #if defined(MBEDTLS_ECDH_C)
362     mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
363 #endif
364 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
365     mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
366 #if defined(MBEDTLS_SSL_CLI_C)
367     unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
368     size_t ecjpake_cache_len;                   /*!< Length of cached data */
369 #endif
370 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
371 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
372     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
373     const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
374 #endif
375 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
376     unsigned char *psk;                 /*!<  PSK from the callback         */
377     size_t psk_len;                     /*!<  Length of PSK from callback   */
378 #endif
379 #if defined(MBEDTLS_X509_CRT_PARSE_C)
380     mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
381 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
382     int sni_authmode;                   /*!< authmode from SNI callback     */
383     mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
384     mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
385     mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
386 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
387 #endif /* MBEDTLS_X509_CRT_PARSE_C */
388 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
389     int ecrs_enabled;                   /*!< Handshake supports EC restart? */
390     mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
391     enum { /* this complements ssl->state with info on intra-state operations */
392         ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
393         ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
394         ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
395         ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
396         ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
397     } ecrs_state;                       /*!< current (or last) operation    */
398     size_t ecrs_n;                      /*!< place for saving a length      */
399 #endif
400 #if defined(MBEDTLS_SSL_PROTO_DTLS)
401     unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
402     unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
403 
404     unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
405                                               Srv: unused                    */
406     unsigned char verify_cookie_len;    /*!<  Cli: cookie length
407                                               Srv: flag for sending a cookie */
408 
409     uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
410     unsigned char retransmit_state;     /*!<  Retransmission state           */
411     mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
412     mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
413     unsigned char *cur_msg_p;           /*!<  Position in current message    */
414     unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
415                                               flight being received          */
416     mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
417                                               resending messages             */
418     unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
419                                               for resending messages         */
420 
421     struct
422     {
423         size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
424                                       *   buffers used for message buffering. */
425 
426         uint8_t seen_ccs;               /*!< Indicates if a CCS message has
427                                          *   been seen in the current flight. */
428 
429         struct mbedtls_ssl_hs_buffer
430         {
431             unsigned is_valid      : 1;
432             unsigned is_fragmented : 1;
433             unsigned is_complete   : 1;
434             unsigned char *data;
435             size_t data_len;
436         } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
437 
438         struct
439         {
440             unsigned char *data;
441             size_t len;
442             unsigned epoch;
443         } future_record;
444 
445     } buffering;
446 
447     uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
448 #endif /* MBEDTLS_SSL_PROTO_DTLS */
449 
450     /*
451      * Checksum contexts
452      */
453 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
454     defined(MBEDTLS_SSL_PROTO_TLS1_1)
455        mbedtls_md5_context fin_md5;
456       mbedtls_sha1_context fin_sha1;
457 #endif
458 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
459 #if defined(MBEDTLS_SHA256_C)
460     mbedtls_sha256_context fin_sha256;
461 #endif
462 #if defined(MBEDTLS_SHA512_C)
463     mbedtls_sha512_context fin_sha512;
464 #endif
465 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
466 
467     void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
468     void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
469     void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
470     int  (*tls_prf)(const unsigned char *, size_t, const char *,
471                     const unsigned char *, size_t,
472                     unsigned char *, size_t);
473 
474     size_t pmslen;                      /*!<  premaster length        */
475 
476     unsigned char randbytes[64];        /*!<  random bytes            */
477     unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
478                                         /*!<  premaster secret        */
479 
480     int resume;                         /*!<  session resume indicator*/
481     int max_major_ver;                  /*!< max. major version client*/
482     int max_minor_ver;                  /*!< max. minor version client*/
483     int cli_exts;                       /*!< client extension presence*/
484 
485 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
486     int new_session_ticket;             /*!< use NewSessionTicket?    */
487 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
488 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
489     int extended_ms;                    /*!< use Extended Master Secret? */
490 #endif
491 
492 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
493     unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
494 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
495 
496 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
497     /** Asynchronous operation context. This field is meant for use by the
498      * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
499      * mbedtls_ssl_config::f_async_decrypt_start,
500      * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
501      * The library does not use it internally. */
502     void *user_async_ctx;
503 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
504 };
505 
506 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
507 
508 /*
509  * This structure contains a full set of runtime transform parameters
510  * either in negotiation or active.
511  */
512 struct mbedtls_ssl_transform
513 {
514     /*
515      * Session specific crypto layer
516      */
517     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
518                                         /*!<  Chosen cipersuite_info  */
519     unsigned int keylen;                /*!<  symmetric key length (bytes)  */
520     size_t minlen;                      /*!<  min. ciphertext length  */
521     size_t ivlen;                       /*!<  IV length               */
522     size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
523     size_t maclen;                      /*!<  MAC length              */
524 
525     unsigned char iv_enc[16];           /*!<  IV (encryption)         */
526     unsigned char iv_dec[16];           /*!<  IV (decryption)         */
527 
528 #if defined(MBEDTLS_SSL_PROTO_SSL3)
529     /* Needed only for SSL v3.0 secret */
530     unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
531     unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
532 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
533 
534     mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
535     mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
536 
537     mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
538     mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
539 
540     /*
541      * Session specific compression layer
542      */
543 #if defined(MBEDTLS_ZLIB_SUPPORT)
544     z_stream ctx_deflate;               /*!<  compression context     */
545     z_stream ctx_inflate;               /*!<  decompression context   */
546 #endif
547 };
548 
549 #if defined(MBEDTLS_X509_CRT_PARSE_C)
550 /*
551  * List of certificate + private key pairs
552  */
553 struct mbedtls_ssl_key_cert
554 {
555     mbedtls_x509_crt *cert;                 /*!< cert                       */
556     mbedtls_pk_context *key;                /*!< private key                */
557     mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
558 };
559 #endif /* MBEDTLS_X509_CRT_PARSE_C */
560 
561 #if defined(MBEDTLS_SSL_PROTO_DTLS)
562 /*
563  * List of handshake messages kept around for resending
564  */
565 struct mbedtls_ssl_flight_item
566 {
567     unsigned char *p;       /*!< message, including handshake headers   */
568     size_t len;             /*!< length of p                            */
569     unsigned char type;     /*!< type of the message: handshake or CCS  */
570     mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
571 };
572 #endif /* MBEDTLS_SSL_PROTO_DTLS */
573 
574 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
575     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
576 
577 /* Find an entry in a signature-hash set matching a given hash algorithm. */
578 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
579                                                  mbedtls_pk_type_t sig_alg );
580 /* Add a signature-hash-pair to a signature-hash set */
581 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
582                                    mbedtls_pk_type_t sig_alg,
583                                    mbedtls_md_type_t md_alg );
584 /* Allow exactly one hash algorithm for each signature. */
585 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
586                                           mbedtls_md_type_t md_alg );
587 
588 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)589 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
590 {
591     mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
592 }
593 
594 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
595           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
596 
597 /**
598  * \brief           Free referenced items in an SSL transform context and clear
599  *                  memory
600  *
601  * \param transform SSL transform context
602  */
603 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
604 
605 /**
606  * \brief           Free referenced items in an SSL handshake context and clear
607  *                  memory
608  *
609  * \param ssl       SSL context
610  */
611 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
612 
613 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
614 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
615 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
616 
617 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
618 
619 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
620 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
621 
622 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
623 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
624 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
625 
626 /**
627  * \brief       Update record layer
628  *
629  *              This function roughly separates the implementation
630  *              of the logic of (D)TLS from the implementation
631  *              of the secure transport.
632  *
633  * \param  ssl              The SSL context to use.
634  * \param  update_hs_digest This indicates if the handshake digest
635  *                          should be automatically updated in case
636  *                          a handshake message is found.
637  *
638  * \return      0 or non-zero error code.
639  *
640  * \note        A clarification on what is called 'record layer' here
641  *              is in order, as many sensible definitions are possible:
642  *
643  *              The record layer takes as input an untrusted underlying
644  *              transport (stream or datagram) and transforms it into
645  *              a serially multiplexed, secure transport, which
646  *              conceptually provides the following:
647  *
648  *              (1) Three datagram based, content-agnostic transports
649  *                  for handshake, alert and CCS messages.
650  *              (2) One stream- or datagram-based transport
651  *                  for application data.
652  *              (3) Functionality for changing the underlying transform
653  *                  securing the contents.
654  *
655  *              The interface to this functionality is given as follows:
656  *
657  *              a Updating
658  *                [Currently implemented by mbedtls_ssl_read_record]
659  *
660  *                Check if and on which of the four 'ports' data is pending:
661  *                Nothing, a controlling datagram of type (1), or application
662  *                data (2). In any case data is present, internal buffers
663  *                provide access to the data for the user to process it.
664  *                Consumption of type (1) datagrams is done automatically
665  *                on the next update, invalidating that the internal buffers
666  *                for previous datagrams, while consumption of application
667  *                data (2) is user-controlled.
668  *
669  *              b Reading of application data
670  *                [Currently manual adaption of ssl->in_offt pointer]
671  *
672  *                As mentioned in the last paragraph, consumption of data
673  *                is different from the automatic consumption of control
674  *                datagrams (1) because application data is treated as a stream.
675  *
676  *              c Tracking availability of application data
677  *                [Currently manually through decreasing ssl->in_msglen]
678  *
679  *                For efficiency and to retain datagram semantics for
680  *                application data in case of DTLS, the record layer
681  *                provides functionality for checking how much application
682  *                data is still available in the internal buffer.
683  *
684  *              d Changing the transformation securing the communication.
685  *
686  *              Given an opaque implementation of the record layer in the
687  *              above sense, it should be possible to implement the logic
688  *              of (D)TLS on top of it without the need to know anything
689  *              about the record layer's internals. This is done e.g.
690  *              in all the handshake handling functions, and in the
691  *              application data reading function mbedtls_ssl_read.
692  *
693  * \note        The above tries to give a conceptual picture of the
694  *              record layer, but the current implementation deviates
695  *              from it in some places. For example, our implementation of
696  *              the update functionality through mbedtls_ssl_read_record
697  *              discards datagrams depending on the current state, which
698  *              wouldn't fall under the record layer's responsibility
699  *              following the above definition.
700  *
701  */
702 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
703                              unsigned update_hs_digest );
704 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
705 
706 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
707 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
708 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
709 
710 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
711 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
712 
713 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
714 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
715 
716 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
717 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
718 
719 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
720                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
721 
722 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
723 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
724 #endif
725 
726 #if defined(MBEDTLS_PK_C)
727 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
728 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
729 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
730 #endif
731 
732 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
733 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
734 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
735 
736 #if defined(MBEDTLS_ECP_C)
737 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
738 #endif
739 
740 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
741 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
742                                 mbedtls_md_type_t md );
743 #endif
744 
745 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)746 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
747 {
748     mbedtls_ssl_key_cert *key_cert;
749 
750     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
751         key_cert = ssl->handshake->key_cert;
752     else
753         key_cert = ssl->conf->key_cert;
754 
755     return( key_cert == NULL ? NULL : key_cert->key );
756 }
757 
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)758 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
759 {
760     mbedtls_ssl_key_cert *key_cert;
761 
762     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
763         key_cert = ssl->handshake->key_cert;
764     else
765         key_cert = ssl->conf->key_cert;
766 
767     return( key_cert == NULL ? NULL : key_cert->cert );
768 }
769 
770 /*
771  * Check usage of a certificate wrt extensions:
772  * keyUsage, extendedKeyUsage (later), and nSCertType (later).
773  *
774  * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
775  * check a cert we received from them)!
776  *
777  * Return 0 if everything is OK, -1 if not.
778  */
779 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
780                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
781                           int cert_endpoint,
782                           uint32_t *flags );
783 #endif /* MBEDTLS_X509_CRT_PARSE_C */
784 
785 void mbedtls_ssl_write_version( int major, int minor, int transport,
786                         unsigned char ver[2] );
787 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
788                        const unsigned char ver[2] );
789 
mbedtls_ssl_hdr_len(const mbedtls_ssl_context * ssl)790 static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
791 {
792 #if defined(MBEDTLS_SSL_PROTO_DTLS)
793     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
794         return( 13 );
795 #else
796     ((void) ssl);
797 #endif
798     return( 5 );
799 }
800 
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)801 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
802 {
803 #if defined(MBEDTLS_SSL_PROTO_DTLS)
804     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
805         return( 12 );
806 #else
807     ((void) ssl);
808 #endif
809     return( 4 );
810 }
811 
812 #if defined(MBEDTLS_SSL_PROTO_DTLS)
813 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
814 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
815 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
816 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
817 #endif
818 
819 /* Visible for testing purposes only */
820 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
821 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
822 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
823 #endif
824 
825 /* constant-time buffer comparison */
mbedtls_ssl_safer_memcmp(const void * a,const void * b,size_t n)826 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
827 {
828     size_t i;
829     volatile const unsigned char *A = (volatile const unsigned char *) a;
830     volatile const unsigned char *B = (volatile const unsigned char *) b;
831     volatile unsigned char diff = 0;
832 
833     for( i = 0; i < n; i++ )
834     {
835         /* Read volatile data in order before computing diff.
836          * This avoids IAR compiler warning:
837          * 'the order of volatile accesses is undefined ..' */
838         unsigned char x = A[i], y = B[i];
839         diff |= x ^ y;
840     }
841 
842     return( diff );
843 }
844 
845 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
846     defined(MBEDTLS_SSL_PROTO_TLS1_1)
847 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
848                                         unsigned char *output,
849                                         unsigned char *data, size_t data_len );
850 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
851           MBEDTLS_SSL_PROTO_TLS1_1 */
852 
853 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
854     defined(MBEDTLS_SSL_PROTO_TLS1_2)
855 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
856                                             unsigned char *hash, size_t *hashlen,
857                                             unsigned char *data, size_t data_len,
858                                             mbedtls_md_type_t md_alg );
859 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
860           MBEDTLS_SSL_PROTO_TLS1_2 */
861 
862 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
863 /** \brief Compute the HMAC of variable-length data with constant flow.
864  *
865  * This function computes the HMAC of the concatenation of \p add_data and \p
866  * data, and does with a code flow and memory access pattern that does not
867  * depend on \p data_len_secret, but only on \p min_data_len and \p
868  * max_data_len. In particular, this function always reads exactly \p
869  * max_data_len bytes from \p data.
870  *
871  * \param ctx               The HMAC context. It must have keys configured
872  *                          with mbedtls_md_hmac_starts() and use one of the
873  *                          following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
874  *                          It is reset using mbedtls_md_hmac_reset() after
875  *                          the computation is complete to prepare for the
876  *                          next computation.
877  * \param add_data          The additional data prepended to \p data. This
878  *                          must point to a readable buffer of \p add_data_len
879  *                          bytes.
880  * \param add_data_len      The length of \p add_data in bytes.
881  * \param data              The data appended to \p add_data. This must point
882  *                          to a readable buffer of \p max_data_len bytes.
883  * \param data_len_secret   The length of the data to process in \p data.
884  *                          This must be no less than \p min_data_len and no
885  *                          greater than \p max_data_len.
886  * \param min_data_len      The minimal length of \p data in bytes.
887  * \param max_data_len      The maximal length of \p data in bytes.
888  * \param output            The HMAC will be written here. This must point to
889  *                          a writable buffer of sufficient size to hold the
890  *                          HMAC value.
891  *
892  * \retval 0
893  *         Success.
894  * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
895  *         The hardware accelerator failed.
896  */
897 int mbedtls_ssl_cf_hmac(
898         mbedtls_md_context_t *ctx,
899         const unsigned char *add_data, size_t add_data_len,
900         const unsigned char *data, size_t data_len_secret,
901         size_t min_data_len, size_t max_data_len,
902         unsigned char *output );
903 
904 /** \brief Copy data from a secret position with constant flow.
905  *
906  * This function copies \p len bytes from \p src_base + \p offset_secret to \p
907  * dst, with a code flow and memory access pattern that does not depend on \p
908  * offset_secret, but only on \p offset_min, \p offset_max and \p len.
909  *
910  * \param dst           The destination buffer. This must point to a writable
911  *                      buffer of at least \p len bytes.
912  * \param src_base      The base of the source buffer. This must point to a
913  *                      readable buffer of at least \p offset_max + \p len
914  *                      bytes.
915  * \param offset_secret The offset in the source buffer from which to copy.
916  *                      This must be no less than \p offset_min and no greater
917  *                      than \p offset_max.
918  * \param offset_min    The minimal value of \p offset_secret.
919  * \param offset_max    The maximal value of \p offset_secret.
920  * \param len           The number of bytes to copy.
921  */
922 void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
923                                    const unsigned char *src_base,
924                                    size_t offset_secret,
925                                    size_t offset_min, size_t offset_max,
926                                    size_t len );
927 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
928 
929 #ifdef __cplusplus
930 }
931 #endif
932 
933 #endif /* ssl_internal.h */
934