1 /**
2 * \file ssl_internal.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9 *
10 * This file is provided under the Apache License 2.0, or the
11 * GNU General Public License v2.0 or later.
12 *
13 * **********
14 * Apache License 2.0:
15 *
16 * Licensed under the Apache License, Version 2.0 (the "License"); you may
17 * not use this file except in compliance with the License.
18 * You may obtain a copy of the License at
19 *
20 * http://www.apache.org/licenses/LICENSE-2.0
21 *
22 * Unless required by applicable law or agreed to in writing, software
23 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
24 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25 * See the License for the specific language governing permissions and
26 * limitations under the License.
27 *
28 * **********
29 *
30 * **********
31 * GNU General Public License v2.0 or later:
32 *
33 * This program is free software; you can redistribute it and/or modify
34 * it under the terms of the GNU General Public License as published by
35 * the Free Software Foundation; either version 2 of the License, or
36 * (at your option) any later version.
37 *
38 * This program is distributed in the hope that it will be useful,
39 * but WITHOUT ANY WARRANTY; without even the implied warranty of
40 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
41 * GNU General Public License for more details.
42 *
43 * You should have received a copy of the GNU General Public License along
44 * with this program; if not, write to the Free Software Foundation, Inc.,
45 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
46 *
47 * **********
48 */
49 #ifndef MBEDTLS_SSL_INTERNAL_H
50 #define MBEDTLS_SSL_INTERNAL_H
51
52 #if !defined(MBEDTLS_CONFIG_FILE)
53 #include "config.h"
54 #else
55 #include MBEDTLS_CONFIG_FILE
56 #endif
57
58 #include "ssl.h"
59 #include "cipher.h"
60
61 #if defined(MBEDTLS_MD5_C)
62 #include "md5.h"
63 #endif
64
65 #if defined(MBEDTLS_SHA1_C)
66 #include "sha1.h"
67 #endif
68
69 #if defined(MBEDTLS_SHA256_C)
70 #include "sha256.h"
71 #endif
72
73 #if defined(MBEDTLS_SHA512_C)
74 #include "sha512.h"
75 #endif
76
77 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
78 #include "ecjpake.h"
79 #endif
80
81 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
82 !defined(inline) && !defined(__cplusplus)
83 #define inline __inline
84 #endif
85
86 /* Determine minimum supported version */
87 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
88
89 #if defined(MBEDTLS_SSL_PROTO_SSL3)
90 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
91 #else
92 #if defined(MBEDTLS_SSL_PROTO_TLS1)
93 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
94 #else
95 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
96 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
97 #else
98 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
99 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
100 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
101 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
102 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
103 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
104
105 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
106 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
107
108 /* Determine maximum supported version */
109 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
110
111 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
112 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
113 #else
114 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
115 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
116 #else
117 #if defined(MBEDTLS_SSL_PROTO_TLS1)
118 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
119 #else
120 #if defined(MBEDTLS_SSL_PROTO_SSL3)
121 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
122 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
123 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
124 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
125 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
126
127 /* Shorthand for restartable ECC */
128 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
129 defined(MBEDTLS_SSL_CLI_C) && \
130 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
131 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
132 #define MBEDTLS_SSL__ECP_RESTARTABLE
133 #endif
134
135 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
136 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
137 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
138 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
139
140 /*
141 * DTLS retransmission states, see RFC 6347 4.2.4
142 *
143 * The SENDING state is merged in PREPARING for initial sends,
144 * but is distinct for resends.
145 *
146 * Note: initial state is wrong for server, but is not used anyway.
147 */
148 #define MBEDTLS_SSL_RETRANS_PREPARING 0
149 #define MBEDTLS_SSL_RETRANS_SENDING 1
150 #define MBEDTLS_SSL_RETRANS_WAITING 2
151 #define MBEDTLS_SSL_RETRANS_FINISHED 3
152
153 /* This macro determines whether CBC is supported. */
154 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
155 ( defined(MBEDTLS_AES_C) || \
156 defined(MBEDTLS_CAMELLIA_C) || \
157 defined(MBEDTLS_ARIA_C) || \
158 defined(MBEDTLS_DES_C) )
159 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
160 #endif
161
162 /* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
163 * opposed to the very different CBC construct used in SSLv3) is supported. */
164 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
165 ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
166 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
167 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
168 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
169 #endif
170
171 /*
172 * Allow extra bytes for record, authentication and encryption overhead:
173 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
174 * and allow for a maximum of 1024 of compression expansion if
175 * enabled.
176 */
177 #if defined(MBEDTLS_ZLIB_SUPPORT)
178 #define MBEDTLS_SSL_COMPRESSION_ADD 1024
179 #else
180 #define MBEDTLS_SSL_COMPRESSION_ADD 0
181 #endif
182
183 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
184 /* Ciphersuites using HMAC */
185 #if defined(MBEDTLS_SHA512_C)
186 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
187 #elif defined(MBEDTLS_SHA256_C)
188 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
189 #else
190 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
191 #endif
192 #else
193 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
194 #define MBEDTLS_SSL_MAC_ADD 16
195 #endif
196
197 #if defined(MBEDTLS_CIPHER_MODE_CBC)
198 #define MBEDTLS_SSL_PADDING_ADD 256
199 #else
200 #define MBEDTLS_SSL_PADDING_ADD 0
201 #endif
202
203 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
204 MBEDTLS_MAX_IV_LENGTH + \
205 MBEDTLS_SSL_MAC_ADD + \
206 MBEDTLS_SSL_PADDING_ADD \
207 )
208
209 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
210 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
211
212 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
213 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
214
215 /* The maximum number of buffered handshake messages. */
216 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
217
218 /* Maximum length we can advertise as our max content length for
219 RFC 6066 max_fragment_length extension negotiation purposes
220 (the lesser of both sizes, if they are unequal.)
221 */
222 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
223 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
224 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
225 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
226 )
227
228 /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
229 #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
230
231 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
232 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
233
234 /*
235 * Check that we obey the standard's message size bounds
236 */
237
238 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
239 #error "Bad configuration - record content too large."
240 #endif
241
242 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
243 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
244 #endif
245
246 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
247 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
248 #endif
249
250 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
251 #error "Bad configuration - incoming protected record payload too large."
252 #endif
253
254 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
255 #error "Bad configuration - outgoing protected record payload too large."
256 #endif
257
258 /* Calculate buffer sizes */
259
260 /* Note: Even though the TLS record header is only 5 bytes
261 long, we're internally using 8 bytes to store the
262 implicit sequence number. */
263 #define MBEDTLS_SSL_HEADER_LEN 13
264
265 #define MBEDTLS_SSL_IN_BUFFER_LEN \
266 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
267
268 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
269 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
270
271 #ifdef MBEDTLS_ZLIB_SUPPORT
272 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
273 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
274 ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
275 ? MBEDTLS_SSL_IN_BUFFER_LEN \
276 : MBEDTLS_SSL_OUT_BUFFER_LEN \
277 )
278 #endif
279
280 /*
281 * TLS extension flags (for extensions with outgoing ServerHello content
282 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
283 * of state of the renegotiation flag, so no indicator is required)
284 */
285 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
286 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
287
288 /**
289 * \brief This function checks if the remaining size in a buffer is
290 * greater or equal than a needed space.
291 *
292 * \param cur Pointer to the current position in the buffer.
293 * \param end Pointer to one past the end of the buffer.
294 * \param need Needed space in bytes.
295 *
296 * \return Zero if the needed space is available in the buffer, non-zero
297 * otherwise.
298 */
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)299 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
300 const uint8_t *end, size_t need )
301 {
302 return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
303 }
304
305 /**
306 * \brief This macro checks if the remaining size in a buffer is
307 * greater or equal than a needed space. If it is not the case,
308 * it returns an SSL_BUFFER_TOO_SMALL error.
309 *
310 * \param cur Pointer to the current position in the buffer.
311 * \param end Pointer to one past the end of the buffer.
312 * \param need Needed space in bytes.
313 *
314 */
315 #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
316 do { \
317 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
318 { \
319 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
320 } \
321 } while( 0 )
322
323 #ifdef __cplusplus
324 extern "C" {
325 #endif
326
327 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
328 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
329 /*
330 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
331 */
332 struct mbedtls_ssl_sig_hash_set_t
333 {
334 /* At the moment, we only need to remember a single suitable
335 * hash algorithm per signature algorithm. As long as that's
336 * the case - and we don't need a general lookup function -
337 * we can implement the sig-hash-set as a map from signatures
338 * to hash algorithms. */
339 mbedtls_md_type_t rsa;
340 mbedtls_md_type_t ecdsa;
341 };
342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
343 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
344
345 /*
346 * This structure contains the parameters only needed during handshake.
347 */
348 struct mbedtls_ssl_handshake_params
349 {
350 /*
351 * Handshake specific crypto variables
352 */
353
354 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
355 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
356 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
357 #endif
358 #if defined(MBEDTLS_DHM_C)
359 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
360 #endif
361 #if defined(MBEDTLS_ECDH_C)
362 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
363 #endif
364 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
365 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
366 #if defined(MBEDTLS_SSL_CLI_C)
367 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
368 size_t ecjpake_cache_len; /*!< Length of cached data */
369 #endif
370 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
371 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
372 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
373 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
374 #endif
375 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
376 unsigned char *psk; /*!< PSK from the callback */
377 size_t psk_len; /*!< Length of PSK from callback */
378 #endif
379 #if defined(MBEDTLS_X509_CRT_PARSE_C)
380 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
381 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
382 int sni_authmode; /*!< authmode from SNI callback */
383 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
384 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
385 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
386 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
387 #endif /* MBEDTLS_X509_CRT_PARSE_C */
388 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
389 int ecrs_enabled; /*!< Handshake supports EC restart? */
390 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
391 enum { /* this complements ssl->state with info on intra-state operations */
392 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
393 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
394 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
395 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
396 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
397 } ecrs_state; /*!< current (or last) operation */
398 size_t ecrs_n; /*!< place for saving a length */
399 #endif
400 #if defined(MBEDTLS_SSL_PROTO_DTLS)
401 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
402 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
403
404 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
405 Srv: unused */
406 unsigned char verify_cookie_len; /*!< Cli: cookie length
407 Srv: flag for sending a cookie */
408
409 uint32_t retransmit_timeout; /*!< Current value of timeout */
410 unsigned char retransmit_state; /*!< Retransmission state */
411 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
412 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
413 unsigned char *cur_msg_p; /*!< Position in current message */
414 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
415 flight being received */
416 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
417 resending messages */
418 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
419 for resending messages */
420
421 struct
422 {
423 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
424 * buffers used for message buffering. */
425
426 uint8_t seen_ccs; /*!< Indicates if a CCS message has
427 * been seen in the current flight. */
428
429 struct mbedtls_ssl_hs_buffer
430 {
431 unsigned is_valid : 1;
432 unsigned is_fragmented : 1;
433 unsigned is_complete : 1;
434 unsigned char *data;
435 size_t data_len;
436 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
437
438 struct
439 {
440 unsigned char *data;
441 size_t len;
442 unsigned epoch;
443 } future_record;
444
445 } buffering;
446
447 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
448 #endif /* MBEDTLS_SSL_PROTO_DTLS */
449
450 /*
451 * Checksum contexts
452 */
453 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
454 defined(MBEDTLS_SSL_PROTO_TLS1_1)
455 mbedtls_md5_context fin_md5;
456 mbedtls_sha1_context fin_sha1;
457 #endif
458 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
459 #if defined(MBEDTLS_SHA256_C)
460 mbedtls_sha256_context fin_sha256;
461 #endif
462 #if defined(MBEDTLS_SHA512_C)
463 mbedtls_sha512_context fin_sha512;
464 #endif
465 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
466
467 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
468 void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
469 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
470 int (*tls_prf)(const unsigned char *, size_t, const char *,
471 const unsigned char *, size_t,
472 unsigned char *, size_t);
473
474 size_t pmslen; /*!< premaster length */
475
476 unsigned char randbytes[64]; /*!< random bytes */
477 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
478 /*!< premaster secret */
479
480 int resume; /*!< session resume indicator*/
481 int max_major_ver; /*!< max. major version client*/
482 int max_minor_ver; /*!< max. minor version client*/
483 int cli_exts; /*!< client extension presence*/
484
485 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
486 int new_session_ticket; /*!< use NewSessionTicket? */
487 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
488 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
489 int extended_ms; /*!< use Extended Master Secret? */
490 #endif
491
492 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
493 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
494 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
495
496 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
497 /** Asynchronous operation context. This field is meant for use by the
498 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
499 * mbedtls_ssl_config::f_async_decrypt_start,
500 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
501 * The library does not use it internally. */
502 void *user_async_ctx;
503 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
504 };
505
506 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
507
508 /*
509 * This structure contains a full set of runtime transform parameters
510 * either in negotiation or active.
511 */
512 struct mbedtls_ssl_transform
513 {
514 /*
515 * Session specific crypto layer
516 */
517 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
518 /*!< Chosen cipersuite_info */
519 unsigned int keylen; /*!< symmetric key length (bytes) */
520 size_t minlen; /*!< min. ciphertext length */
521 size_t ivlen; /*!< IV length */
522 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
523 size_t maclen; /*!< MAC length */
524
525 unsigned char iv_enc[16]; /*!< IV (encryption) */
526 unsigned char iv_dec[16]; /*!< IV (decryption) */
527
528 #if defined(MBEDTLS_SSL_PROTO_SSL3)
529 /* Needed only for SSL v3.0 secret */
530 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
531 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
532 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
533
534 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
535 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
536
537 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
538 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
539
540 /*
541 * Session specific compression layer
542 */
543 #if defined(MBEDTLS_ZLIB_SUPPORT)
544 z_stream ctx_deflate; /*!< compression context */
545 z_stream ctx_inflate; /*!< decompression context */
546 #endif
547 };
548
549 #if defined(MBEDTLS_X509_CRT_PARSE_C)
550 /*
551 * List of certificate + private key pairs
552 */
553 struct mbedtls_ssl_key_cert
554 {
555 mbedtls_x509_crt *cert; /*!< cert */
556 mbedtls_pk_context *key; /*!< private key */
557 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
558 };
559 #endif /* MBEDTLS_X509_CRT_PARSE_C */
560
561 #if defined(MBEDTLS_SSL_PROTO_DTLS)
562 /*
563 * List of handshake messages kept around for resending
564 */
565 struct mbedtls_ssl_flight_item
566 {
567 unsigned char *p; /*!< message, including handshake headers */
568 size_t len; /*!< length of p */
569 unsigned char type; /*!< type of the message: handshake or CCS */
570 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
571 };
572 #endif /* MBEDTLS_SSL_PROTO_DTLS */
573
574 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
575 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
576
577 /* Find an entry in a signature-hash set matching a given hash algorithm. */
578 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
579 mbedtls_pk_type_t sig_alg );
580 /* Add a signature-hash-pair to a signature-hash set */
581 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
582 mbedtls_pk_type_t sig_alg,
583 mbedtls_md_type_t md_alg );
584 /* Allow exactly one hash algorithm for each signature. */
585 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
586 mbedtls_md_type_t md_alg );
587
588 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)589 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
590 {
591 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
592 }
593
594 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
595 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
596
597 /**
598 * \brief Free referenced items in an SSL transform context and clear
599 * memory
600 *
601 * \param transform SSL transform context
602 */
603 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
604
605 /**
606 * \brief Free referenced items in an SSL handshake context and clear
607 * memory
608 *
609 * \param ssl SSL context
610 */
611 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
612
613 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
614 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
615 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
616
617 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
618
619 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
620 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
621
622 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
623 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
624 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
625
626 /**
627 * \brief Update record layer
628 *
629 * This function roughly separates the implementation
630 * of the logic of (D)TLS from the implementation
631 * of the secure transport.
632 *
633 * \param ssl The SSL context to use.
634 * \param update_hs_digest This indicates if the handshake digest
635 * should be automatically updated in case
636 * a handshake message is found.
637 *
638 * \return 0 or non-zero error code.
639 *
640 * \note A clarification on what is called 'record layer' here
641 * is in order, as many sensible definitions are possible:
642 *
643 * The record layer takes as input an untrusted underlying
644 * transport (stream or datagram) and transforms it into
645 * a serially multiplexed, secure transport, which
646 * conceptually provides the following:
647 *
648 * (1) Three datagram based, content-agnostic transports
649 * for handshake, alert and CCS messages.
650 * (2) One stream- or datagram-based transport
651 * for application data.
652 * (3) Functionality for changing the underlying transform
653 * securing the contents.
654 *
655 * The interface to this functionality is given as follows:
656 *
657 * a Updating
658 * [Currently implemented by mbedtls_ssl_read_record]
659 *
660 * Check if and on which of the four 'ports' data is pending:
661 * Nothing, a controlling datagram of type (1), or application
662 * data (2). In any case data is present, internal buffers
663 * provide access to the data for the user to process it.
664 * Consumption of type (1) datagrams is done automatically
665 * on the next update, invalidating that the internal buffers
666 * for previous datagrams, while consumption of application
667 * data (2) is user-controlled.
668 *
669 * b Reading of application data
670 * [Currently manual adaption of ssl->in_offt pointer]
671 *
672 * As mentioned in the last paragraph, consumption of data
673 * is different from the automatic consumption of control
674 * datagrams (1) because application data is treated as a stream.
675 *
676 * c Tracking availability of application data
677 * [Currently manually through decreasing ssl->in_msglen]
678 *
679 * For efficiency and to retain datagram semantics for
680 * application data in case of DTLS, the record layer
681 * provides functionality for checking how much application
682 * data is still available in the internal buffer.
683 *
684 * d Changing the transformation securing the communication.
685 *
686 * Given an opaque implementation of the record layer in the
687 * above sense, it should be possible to implement the logic
688 * of (D)TLS on top of it without the need to know anything
689 * about the record layer's internals. This is done e.g.
690 * in all the handshake handling functions, and in the
691 * application data reading function mbedtls_ssl_read.
692 *
693 * \note The above tries to give a conceptual picture of the
694 * record layer, but the current implementation deviates
695 * from it in some places. For example, our implementation of
696 * the update functionality through mbedtls_ssl_read_record
697 * discards datagrams depending on the current state, which
698 * wouldn't fall under the record layer's responsibility
699 * following the above definition.
700 *
701 */
702 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
703 unsigned update_hs_digest );
704 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
705
706 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
707 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
708 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
709
710 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
711 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
712
713 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
714 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
715
716 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
717 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
718
719 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
720 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
721
722 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
723 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
724 #endif
725
726 #if defined(MBEDTLS_PK_C)
727 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
728 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
729 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
730 #endif
731
732 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
733 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
734 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
735
736 #if defined(MBEDTLS_ECP_C)
737 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
738 #endif
739
740 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
741 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
742 mbedtls_md_type_t md );
743 #endif
744
745 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)746 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
747 {
748 mbedtls_ssl_key_cert *key_cert;
749
750 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
751 key_cert = ssl->handshake->key_cert;
752 else
753 key_cert = ssl->conf->key_cert;
754
755 return( key_cert == NULL ? NULL : key_cert->key );
756 }
757
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)758 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
759 {
760 mbedtls_ssl_key_cert *key_cert;
761
762 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
763 key_cert = ssl->handshake->key_cert;
764 else
765 key_cert = ssl->conf->key_cert;
766
767 return( key_cert == NULL ? NULL : key_cert->cert );
768 }
769
770 /*
771 * Check usage of a certificate wrt extensions:
772 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
773 *
774 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
775 * check a cert we received from them)!
776 *
777 * Return 0 if everything is OK, -1 if not.
778 */
779 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
780 const mbedtls_ssl_ciphersuite_t *ciphersuite,
781 int cert_endpoint,
782 uint32_t *flags );
783 #endif /* MBEDTLS_X509_CRT_PARSE_C */
784
785 void mbedtls_ssl_write_version( int major, int minor, int transport,
786 unsigned char ver[2] );
787 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
788 const unsigned char ver[2] );
789
mbedtls_ssl_hdr_len(const mbedtls_ssl_context * ssl)790 static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
791 {
792 #if defined(MBEDTLS_SSL_PROTO_DTLS)
793 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
794 return( 13 );
795 #else
796 ((void) ssl);
797 #endif
798 return( 5 );
799 }
800
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)801 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
802 {
803 #if defined(MBEDTLS_SSL_PROTO_DTLS)
804 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
805 return( 12 );
806 #else
807 ((void) ssl);
808 #endif
809 return( 4 );
810 }
811
812 #if defined(MBEDTLS_SSL_PROTO_DTLS)
813 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
814 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
815 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
816 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
817 #endif
818
819 /* Visible for testing purposes only */
820 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
821 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
822 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
823 #endif
824
825 /* constant-time buffer comparison */
mbedtls_ssl_safer_memcmp(const void * a,const void * b,size_t n)826 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
827 {
828 size_t i;
829 volatile const unsigned char *A = (volatile const unsigned char *) a;
830 volatile const unsigned char *B = (volatile const unsigned char *) b;
831 volatile unsigned char diff = 0;
832
833 for( i = 0; i < n; i++ )
834 {
835 /* Read volatile data in order before computing diff.
836 * This avoids IAR compiler warning:
837 * 'the order of volatile accesses is undefined ..' */
838 unsigned char x = A[i], y = B[i];
839 diff |= x ^ y;
840 }
841
842 return( diff );
843 }
844
845 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
846 defined(MBEDTLS_SSL_PROTO_TLS1_1)
847 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
848 unsigned char *output,
849 unsigned char *data, size_t data_len );
850 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
851 MBEDTLS_SSL_PROTO_TLS1_1 */
852
853 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
854 defined(MBEDTLS_SSL_PROTO_TLS1_2)
855 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
856 unsigned char *hash, size_t *hashlen,
857 unsigned char *data, size_t data_len,
858 mbedtls_md_type_t md_alg );
859 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
860 MBEDTLS_SSL_PROTO_TLS1_2 */
861
862 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
863 /** \brief Compute the HMAC of variable-length data with constant flow.
864 *
865 * This function computes the HMAC of the concatenation of \p add_data and \p
866 * data, and does with a code flow and memory access pattern that does not
867 * depend on \p data_len_secret, but only on \p min_data_len and \p
868 * max_data_len. In particular, this function always reads exactly \p
869 * max_data_len bytes from \p data.
870 *
871 * \param ctx The HMAC context. It must have keys configured
872 * with mbedtls_md_hmac_starts() and use one of the
873 * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
874 * It is reset using mbedtls_md_hmac_reset() after
875 * the computation is complete to prepare for the
876 * next computation.
877 * \param add_data The additional data prepended to \p data. This
878 * must point to a readable buffer of \p add_data_len
879 * bytes.
880 * \param add_data_len The length of \p add_data in bytes.
881 * \param data The data appended to \p add_data. This must point
882 * to a readable buffer of \p max_data_len bytes.
883 * \param data_len_secret The length of the data to process in \p data.
884 * This must be no less than \p min_data_len and no
885 * greater than \p max_data_len.
886 * \param min_data_len The minimal length of \p data in bytes.
887 * \param max_data_len The maximal length of \p data in bytes.
888 * \param output The HMAC will be written here. This must point to
889 * a writable buffer of sufficient size to hold the
890 * HMAC value.
891 *
892 * \retval 0
893 * Success.
894 * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
895 * The hardware accelerator failed.
896 */
897 int mbedtls_ssl_cf_hmac(
898 mbedtls_md_context_t *ctx,
899 const unsigned char *add_data, size_t add_data_len,
900 const unsigned char *data, size_t data_len_secret,
901 size_t min_data_len, size_t max_data_len,
902 unsigned char *output );
903
904 /** \brief Copy data from a secret position with constant flow.
905 *
906 * This function copies \p len bytes from \p src_base + \p offset_secret to \p
907 * dst, with a code flow and memory access pattern that does not depend on \p
908 * offset_secret, but only on \p offset_min, \p offset_max and \p len.
909 *
910 * \param dst The destination buffer. This must point to a writable
911 * buffer of at least \p len bytes.
912 * \param src_base The base of the source buffer. This must point to a
913 * readable buffer of at least \p offset_max + \p len
914 * bytes.
915 * \param offset_secret The offset in the source buffer from which to copy.
916 * This must be no less than \p offset_min and no greater
917 * than \p offset_max.
918 * \param offset_min The minimal value of \p offset_secret.
919 * \param offset_max The maximal value of \p offset_secret.
920 * \param len The number of bytes to copy.
921 */
922 void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
923 const unsigned char *src_base,
924 size_t offset_secret,
925 size_t offset_min, size_t offset_max,
926 size_t len );
927 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
928
929 #ifdef __cplusplus
930 }
931 #endif
932
933 #endif /* ssl_internal.h */
934