1 /**
2  * \file ssl_internal.h
3  *
4  * \brief Internal functions shared by the SSL modules
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 #ifndef MBEDTLS_SSL_INTERNAL_H
23 #define MBEDTLS_SSL_INTERNAL_H
24 
25 #if !defined(MBEDTLS_CONFIG_FILE)
26 #include "mbedtls/config.h"
27 #else
28 #include MBEDTLS_CONFIG_FILE
29 #endif
30 
31 #include "mbedtls/ssl.h"
32 #include "mbedtls/cipher.h"
33 
34 #if defined(MBEDTLS_USE_PSA_CRYPTO)
35 #include "psa/crypto.h"
36 #endif
37 
38 #if defined(MBEDTLS_MD5_C)
39 #include "mbedtls/md5.h"
40 #endif
41 
42 #if defined(MBEDTLS_SHA1_C)
43 #include "mbedtls/sha1.h"
44 #endif
45 
46 #if defined(MBEDTLS_SHA256_C)
47 #include "mbedtls/sha256.h"
48 #endif
49 
50 #if defined(MBEDTLS_SHA512_C)
51 #include "mbedtls/sha512.h"
52 #endif
53 
54 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
55 #include "mbedtls/ecjpake.h"
56 #endif
57 
58 #if defined(MBEDTLS_USE_PSA_CRYPTO)
59 #include "psa/crypto.h"
60 #include "mbedtls/psa_util.h"
61 #endif /* MBEDTLS_USE_PSA_CRYPTO */
62 
63 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
64     !defined(inline) && !defined(__cplusplus)
65 #define inline __inline
66 #endif
67 
68 /* Determine minimum supported version */
69 #define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
70 
71 #if defined(MBEDTLS_SSL_PROTO_SSL3)
72 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
73 #else
74 #if defined(MBEDTLS_SSL_PROTO_TLS1)
75 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
76 #else
77 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
78 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
79 #else
80 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
81 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
82 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
83 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
84 #endif /* MBEDTLS_SSL_PROTO_TLS1   */
85 #endif /* MBEDTLS_SSL_PROTO_SSL3   */
86 
87 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
88 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
89 
90 /* Determine maximum supported version */
91 #define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
92 
93 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
94 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
95 #else
96 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
97 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
98 #else
99 #if defined(MBEDTLS_SSL_PROTO_TLS1)
100 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
101 #else
102 #if defined(MBEDTLS_SSL_PROTO_SSL3)
103 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
104 #endif /* MBEDTLS_SSL_PROTO_SSL3   */
105 #endif /* MBEDTLS_SSL_PROTO_TLS1   */
106 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
107 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
108 
109 /* Shorthand for restartable ECC */
110 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
111     defined(MBEDTLS_SSL_CLI_C) && \
112     defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
113     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
114 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
115 #endif
116 
117 #define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
118 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
119 #define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
120 #define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
121 
122 /*
123  * DTLS retransmission states, see RFC 6347 4.2.4
124  *
125  * The SENDING state is merged in PREPARING for initial sends,
126  * but is distinct for resends.
127  *
128  * Note: initial state is wrong for server, but is not used anyway.
129  */
130 #define MBEDTLS_SSL_RETRANS_PREPARING       0
131 #define MBEDTLS_SSL_RETRANS_SENDING         1
132 #define MBEDTLS_SSL_RETRANS_WAITING         2
133 #define MBEDTLS_SSL_RETRANS_FINISHED        3
134 
135 /*
136  * Allow extra bytes for record, authentication and encryption overhead:
137  * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
138  * and allow for a maximum of 1024 of compression expansion if
139  * enabled.
140  */
141 #if defined(MBEDTLS_ZLIB_SUPPORT)
142 #define MBEDTLS_SSL_COMPRESSION_ADD          1024
143 #else
144 #define MBEDTLS_SSL_COMPRESSION_ADD             0
145 #endif
146 
147 /* This macro determines whether CBC is supported. */
148 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
149     ( defined(MBEDTLS_AES_C)      ||                                  \
150       defined(MBEDTLS_CAMELLIA_C) ||                                  \
151       defined(MBEDTLS_ARIA_C)     ||                                  \
152       defined(MBEDTLS_DES_C) )
153 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
154 #endif
155 
156 /* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
157  * opposed to the very different CBC construct used in SSLv3) is supported. */
158 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
159     ( defined(MBEDTLS_SSL_PROTO_TLS1) ||        \
160       defined(MBEDTLS_SSL_PROTO_TLS1_1) ||      \
161       defined(MBEDTLS_SSL_PROTO_TLS1_2) )
162 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
163 #endif
164 
165 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||   \
166     defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
167 #define MBEDTLS_SSL_SOME_MODES_USE_MAC
168 #endif
169 
170 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
171 /* Ciphersuites using HMAC */
172 #if defined(MBEDTLS_SHA512_C)
173 #define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
174 #elif defined(MBEDTLS_SHA256_C)
175 #define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
176 #else
177 #define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
178 #endif
179 #else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
180 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
181 #define MBEDTLS_SSL_MAC_ADD                 16
182 #endif
183 
184 #if defined(MBEDTLS_CIPHER_MODE_CBC)
185 #define MBEDTLS_SSL_PADDING_ADD            256
186 #else
187 #define MBEDTLS_SSL_PADDING_ADD              0
188 #endif
189 
190 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
191 #define MBEDTLS_SSL_MAX_CID_EXPANSION      MBEDTLS_SSL_CID_PADDING_GRANULARITY
192 #else
193 #define MBEDTLS_SSL_MAX_CID_EXPANSION        0
194 #endif
195 
196 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
197                                        MBEDTLS_MAX_IV_LENGTH +          \
198                                        MBEDTLS_SSL_MAC_ADD +            \
199                                        MBEDTLS_SSL_PADDING_ADD +        \
200                                        MBEDTLS_SSL_MAX_CID_EXPANSION    \
201                                        )
202 
203 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
204                                      ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
205 
206 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
207                                       ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
208 
209 /* The maximum number of buffered handshake messages. */
210 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
211 
212 /* Maximum length we can advertise as our max content length for
213    RFC 6066 max_fragment_length extension negotiation purposes
214    (the lesser of both sizes, if they are unequal.)
215  */
216 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
217         (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
218         ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
219         : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
220         )
221 
222 /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
223 #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN  65534
224 
225 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
226 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
227 
228 /*
229  * Check that we obey the standard's message size bounds
230  */
231 
232 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
233 #error "Bad configuration - record content too large."
234 #endif
235 
236 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
237 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
238 #endif
239 
240 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
241 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
242 #endif
243 
244 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
245 #error "Bad configuration - incoming protected record payload too large."
246 #endif
247 
248 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
249 #error "Bad configuration - outgoing protected record payload too large."
250 #endif
251 
252 /* Calculate buffer sizes */
253 
254 /* Note: Even though the TLS record header is only 5 bytes
255    long, we're internally using 8 bytes to store the
256    implicit sequence number. */
257 #define MBEDTLS_SSL_HEADER_LEN 13
258 
259 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
260 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
261     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
262 #else
263 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
264     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
265       + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
266 #endif
267 
268 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
269 #define MBEDTLS_SSL_OUT_BUFFER_LEN  \
270     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
271 #else
272 #define MBEDTLS_SSL_OUT_BUFFER_LEN                               \
273     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN )    \
274       + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
275 #endif
276 
277 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)278 static inline uint32_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
279 {
280 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
281     return (uint32_t) mbedtls_ssl_get_output_max_frag_len( ctx )
282                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
283                + MBEDTLS_SSL_CID_OUT_LEN_MAX;
284 #else
285     return (uint32_t) mbedtls_ssl_get_output_max_frag_len( ctx )
286                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
287 #endif
288 }
289 
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)290 static inline uint32_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
291 {
292 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
293     return (uint32_t) mbedtls_ssl_get_input_max_frag_len( ctx )
294                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
295                + MBEDTLS_SSL_CID_IN_LEN_MAX;
296 #else
297     return (uint32_t) mbedtls_ssl_get_input_max_frag_len( ctx )
298                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
299 #endif
300 }
301 #endif
302 
303 #ifdef MBEDTLS_ZLIB_SUPPORT
304 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
305 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
306         ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN )      \
307         ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
308         : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
309         )
310 #endif
311 
312 /*
313  * TLS extension flags (for extensions with outgoing ServerHello content
314  * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
315  * of state of the renegotiation flag, so no indicator is required)
316  */
317 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
318 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
319 
320 /**
321  * \brief        This function checks if the remaining size in a buffer is
322  *               greater or equal than a needed space.
323  *
324  * \param cur    Pointer to the current position in the buffer.
325  * \param end    Pointer to one past the end of the buffer.
326  * \param need   Needed space in bytes.
327  *
328  * \return       Zero if the needed space is available in the buffer, non-zero
329  *               otherwise.
330  */
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)331 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
332                                            const uint8_t *end, size_t need )
333 {
334     return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
335 }
336 
337 /**
338  * \brief        This macro checks if the remaining size in a buffer is
339  *               greater or equal than a needed space. If it is not the case,
340  *               it returns an SSL_BUFFER_TOO_SMALL error.
341  *
342  * \param cur    Pointer to the current position in the buffer.
343  * \param end    Pointer to one past the end of the buffer.
344  * \param need   Needed space in bytes.
345  *
346  */
347 #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need )                        \
348     do {                                                                 \
349         if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
350         {                                                                \
351             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );                  \
352         }                                                                \
353     } while( 0 )
354 
355 #ifdef __cplusplus
356 extern "C" {
357 #endif
358 
359 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
360     defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
361 /*
362  * Abstraction for a grid of allowed signature-hash-algorithm pairs.
363  */
364 struct mbedtls_ssl_sig_hash_set_t
365 {
366     /* At the moment, we only need to remember a single suitable
367      * hash algorithm per signature algorithm. As long as that's
368      * the case - and we don't need a general lookup function -
369      * we can implement the sig-hash-set as a map from signatures
370      * to hash algorithms. */
371     mbedtls_md_type_t rsa;
372     mbedtls_md_type_t ecdsa;
373 };
374 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
375           MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
376 
377 typedef int  mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
378                                      const char *label,
379                                      const unsigned char *random, size_t rlen,
380                                      unsigned char *dstbuf, size_t dlen );
381 
382 /* cipher.h exports the maximum IV, key and block length from
383  * all ciphers enabled in the config, regardless of whether those
384  * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
385  * in the default configuration and uses 64 Byte keys, but it is
386  * not used for record protection in SSL/TLS.
387  *
388  * In order to prevent unnecessary inflation of key structures,
389  * we introduce SSL-specific variants of the max-{key,block,IV}
390  * macros here which are meant to only take those ciphers into
391  * account which can be negotiated in SSL/TLS.
392  *
393  * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
394  * in cipher.h are rough overapproximations of the real maxima, here
395  * we content ourselves with replicating those overapproximations
396  * for the maximum block and IV length, and excluding XTS from the
397  * computation of the maximum key length. */
398 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
399 #define MBEDTLS_SSL_MAX_IV_LENGTH    16
400 #define MBEDTLS_SSL_MAX_KEY_LENGTH   32
401 
402 /**
403  * \brief   The data structure holding the cryptographic material (key and IV)
404  *          used for record protection in TLS 1.3.
405  */
406 struct mbedtls_ssl_key_set
407 {
408     /*! The key for client->server records. */
409     unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
410     /*! The key for server->client records. */
411     unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
412     /*! The IV  for client->server records. */
413     unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
414     /*! The IV  for server->client records. */
415     unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
416 
417     size_t key_len; /*!< The length of client_write_key and
418                      *   server_write_key, in Bytes. */
419     size_t iv_len;  /*!< The length of client_write_iv and
420                      *   server_write_iv, in Bytes. */
421 };
422 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
423 
424 /*
425  * This structure contains the parameters only needed during handshake.
426  */
427 struct mbedtls_ssl_handshake_params
428 {
429     /*
430      * Handshake specific crypto variables
431      */
432 
433 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
434     defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
435     mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
436 #endif
437 #if defined(MBEDTLS_DHM_C)
438     mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
439 #endif
440 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
441  * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
442  * in functionality that access to ecdh_ctx structure is needed for
443  * MBEDTLS_ECDSA_C which does not seem correct.
444  */
445 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
446     mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
447 
448 #if defined(MBEDTLS_USE_PSA_CRYPTO)
449     psa_key_type_t ecdh_psa_type;
450     uint16_t ecdh_bits;
451     psa_key_id_t ecdh_psa_privkey;
452     unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
453     size_t ecdh_psa_peerkey_len;
454 #endif /* MBEDTLS_USE_PSA_CRYPTO */
455 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
456 
457 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
458     mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
459 #if defined(MBEDTLS_SSL_CLI_C)
460     unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
461     size_t ecjpake_cache_len;                   /*!< Length of cached data */
462 #endif
463 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
464 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
465     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
466     const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
467 #endif
468 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
469 #if defined(MBEDTLS_USE_PSA_CRYPTO)
470     psa_key_id_t psk_opaque;            /*!< Opaque PSK from the callback   */
471 #endif /* MBEDTLS_USE_PSA_CRYPTO */
472     unsigned char *psk;                 /*!<  PSK from the callback         */
473     size_t psk_len;                     /*!<  Length of PSK from callback   */
474 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
475 #if defined(MBEDTLS_X509_CRT_PARSE_C)
476     mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
477 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
478     int sni_authmode;                   /*!< authmode from SNI callback     */
479     mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
480     mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
481     mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
482 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
483 #endif /* MBEDTLS_X509_CRT_PARSE_C */
484 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
485     int ecrs_enabled;                   /*!< Handshake supports EC restart? */
486     mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
487     enum { /* this complements ssl->state with info on intra-state operations */
488         ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
489         ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
490         ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
491         ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
492         ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
493     } ecrs_state;                       /*!< current (or last) operation    */
494     mbedtls_x509_crt *ecrs_peer_cert;   /*!< The peer's CRT chain.          */
495     size_t ecrs_n;                      /*!< place for saving a length      */
496 #endif
497 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
498     !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
499     mbedtls_pk_context peer_pubkey;     /*!< The public key from the peer.  */
500 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
501 #if defined(MBEDTLS_SSL_PROTO_DTLS)
502     unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
503     unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
504 
505     unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
506                                               Srv: unused                    */
507     unsigned char verify_cookie_len;    /*!<  Cli: cookie length
508                                               Srv: flag for sending a cookie */
509 
510     uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
511     unsigned char retransmit_state;     /*!<  Retransmission state           */
512     mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
513     mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
514     unsigned char *cur_msg_p;           /*!<  Position in current message    */
515     unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
516                                               flight being received          */
517     mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
518                                               resending messages             */
519     unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
520                                               for resending messages         */
521 
522 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
523     /* The state of CID configuration in this handshake. */
524 
525     uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
526                          *   has been negotiated. Possible values are
527                          *   #MBEDTLS_SSL_CID_ENABLED and
528                          *   #MBEDTLS_SSL_CID_DISABLED. */
529     unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
530     uint8_t peer_cid_len;                                  /*!< The length of
531                                                             *   \c peer_cid.  */
532 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
533 
534     struct
535     {
536         size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
537                                       *   buffers used for message buffering. */
538 
539         uint8_t seen_ccs;               /*!< Indicates if a CCS message has
540                                          *   been seen in the current flight. */
541 
542         struct mbedtls_ssl_hs_buffer
543         {
544             unsigned is_valid      : 1;
545             unsigned is_fragmented : 1;
546             unsigned is_complete   : 1;
547             unsigned char *data;
548             size_t data_len;
549         } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
550 
551         struct
552         {
553             unsigned char *data;
554             size_t len;
555             unsigned epoch;
556         } future_record;
557 
558     } buffering;
559 
560     uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
561 #endif /* MBEDTLS_SSL_PROTO_DTLS */
562 
563     /*
564      * Checksum contexts
565      */
566 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
567     defined(MBEDTLS_SSL_PROTO_TLS1_1)
568        mbedtls_md5_context fin_md5;
569       mbedtls_sha1_context fin_sha1;
570 #endif
571 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
572 #if defined(MBEDTLS_SHA256_C)
573 #if defined(MBEDTLS_USE_PSA_CRYPTO)
574     psa_hash_operation_t fin_sha256_psa;
575 #else
576     mbedtls_sha256_context fin_sha256;
577 #endif
578 #endif
579 #if defined(MBEDTLS_SHA512_C)
580 #if defined(MBEDTLS_USE_PSA_CRYPTO)
581     psa_hash_operation_t fin_sha384_psa;
582 #else
583     mbedtls_sha512_context fin_sha512;
584 #endif
585 #endif
586 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
587 
588     void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
589     void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
590     void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
591     mbedtls_ssl_tls_prf_cb *tls_prf;
592 
593     mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
594 
595     size_t pmslen;                      /*!<  premaster length        */
596 
597     unsigned char randbytes[64];        /*!<  random bytes            */
598     unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
599                                         /*!<  premaster secret        */
600 
601     int resume;                         /*!<  session resume indicator*/
602     int max_major_ver;                  /*!< max. major version client*/
603     int max_minor_ver;                  /*!< max. minor version client*/
604     int cli_exts;                       /*!< client extension presence*/
605 
606 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
607     int new_session_ticket;             /*!< use NewSessionTicket?    */
608 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
609 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
610     int extended_ms;                    /*!< use Extended Master Secret? */
611 #endif
612 
613 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
614     unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
615 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
616 
617 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
618     /** Asynchronous operation context. This field is meant for use by the
619      * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
620      * mbedtls_ssl_config::f_async_decrypt_start,
621      * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
622      * The library does not use it internally. */
623     void *user_async_ctx;
624 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
625 };
626 
627 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
628 
629 /*
630  * Representation of decryption/encryption transformations on records
631  *
632  * There are the following general types of record transformations:
633  * - Stream transformations (TLS versions <= 1.2 only)
634  *   Transformation adding a MAC and applying a stream-cipher
635  *   to the authenticated message.
636  * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
637  *   In addition to the distinction of the order of encryption and
638  *   authentication, there's a fundamental difference between the
639  *   handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
640  *   and TLS 1.0, the final IV after processing a record is used
641  *   as the IV for the next record. No explicit IV is contained
642  *   in an encrypted record. The IV for the first record is extracted
643  *   at key extraction time. In contrast, for TLS 1.1 and 1.2, no
644  *   IV is generated at key extraction time, but every encrypted
645  *   record is explicitly prefixed by the IV with which it was encrypted.
646  * - AEAD transformations ([D]TLS versions >= 1.2 only)
647  *   These come in two fundamentally different versions, the first one
648  *   used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
649  *   one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
650  *   In the first transformation, the IV to be used for a record is obtained
651  *   as the concatenation of an explicit, static 4-byte IV and the 8-byte
652  *   record sequence number, and explicitly prepending this sequence number
653  *   to the encrypted record. In contrast, in the second transformation
654  *   the IV is obtained by XOR'ing a static IV obtained at key extraction
655  *   time with the 8-byte record sequence number, without prepending the
656  *   latter to the encrypted record.
657  *
658  * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
659  * which allows to add flexible length padding and to hide a record's true
660  * content type.
661  *
662  * In addition to type and version, the following parameters are relevant:
663  * - The symmetric cipher algorithm to be used.
664  * - The (static) encryption/decryption keys for the cipher.
665  * - For stream/CBC, the type of message digest to be used.
666  * - For stream/CBC, (static) encryption/decryption keys for the digest.
667  * - For AEAD transformations, the size (potentially 0) of an explicit,
668  *   random initialization vector placed in encrypted records.
669  * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
670  *   an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
671  *   and (if present) is combined with the explicit IV in a transformation-
672  *   dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
673  * - For stream/CBC, a flag determining the order of encryption and MAC.
674  * - The details of the transformation depend on the SSL/TLS version.
675  * - The length of the authentication tag.
676  *
677  * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
678  *       constant across multiple encryption/decryption operations.
679  *       For CBC, the implicit IV needs to be updated after each
680  *       operation.
681  *
682  * The struct below refines this abstract view as follows:
683  * - The cipher underlying the transformation is managed in
684  *   cipher contexts cipher_ctx_{enc/dec}, which must have the
685  *   same cipher type. The mode of these cipher contexts determines
686  *   the type of the transformation in the sense above: e.g., if
687  *   the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
688  *   then the transformation has type CBC resp. AEAD.
689  * - The cipher keys are never stored explicitly but
690  *   are maintained within cipher_ctx_{enc/dec}.
691  * - For stream/CBC transformations, the message digest contexts
692  *   used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
693  *   are unused for AEAD transformations.
694  * - For stream/CBC transformations and versions > SSL3, the
695  *   MAC keys are not stored explicitly but maintained within
696  *   md_ctx_{enc/dec}.
697  * - For stream/CBC transformations and version SSL3, the MAC
698  *   keys are stored explicitly in mac_enc, mac_dec and have
699  *   a fixed size of 20 bytes. These fields are unused for
700  *   AEAD transformations or transformations >= TLS 1.0.
701  * - For transformations using an implicit IV maintained within
702  *   the transformation context, its contents are stored within
703  *   iv_{enc/dec}.
704  * - The value of ivlen indicates the length of the IV.
705  *   This is redundant in case of stream/CBC transformations
706  *   which always use 0 resp. the cipher's block length as the
707  *   IV length, but is needed for AEAD ciphers and may be
708  *   different from the underlying cipher's block length
709  *   in this case.
710  * - The field fixed_ivlen is nonzero for AEAD transformations only
711  *   and indicates the length of the static part of the IV which is
712  *   constant throughout the communication, and which is stored in
713  *   the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
714  *   Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
715  *   still store IV's for continued use across multiple transformations,
716  *   so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
717  *   not being used!
718  * - minor_ver denotes the SSL/TLS version
719  * - For stream/CBC transformations, maclen denotes the length of the
720  *   authentication tag, while taglen is unused and 0.
721  * - For AEAD transformations, taglen denotes the length of the
722  *   authentication tag, while maclen is unused and 0.
723  * - For CBC transformations, encrypt_then_mac determines the
724  *   order of encryption and authentication. This field is unused
725  *   in other transformations.
726  *
727  */
728 struct mbedtls_ssl_transform
729 {
730     /*
731      * Session specific crypto layer
732      */
733     size_t minlen;                      /*!<  min. ciphertext length  */
734     size_t ivlen;                       /*!<  IV length               */
735     size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
736     size_t maclen;                      /*!<  MAC(CBC) len            */
737     size_t taglen;                      /*!<  TAG(AEAD) len           */
738 
739     unsigned char iv_enc[16];           /*!<  IV (encryption)         */
740     unsigned char iv_dec[16];           /*!<  IV (decryption)         */
741 
742 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
743 
744 #if defined(MBEDTLS_SSL_PROTO_SSL3)
745     /* Needed only for SSL v3.0 secret */
746     unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
747     unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
748 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
749 
750     mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
751     mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
752 
753 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
754     int encrypt_then_mac;       /*!< flag for EtM activation                */
755 #endif
756 
757 #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
758 
759     mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
760     mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
761     int minor_ver;
762 
763 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
764     uint8_t in_cid_len;
765     uint8_t out_cid_len;
766     unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
767     unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
768 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
769 
770     /*
771      * Session specific compression layer
772      */
773 #if defined(MBEDTLS_ZLIB_SUPPORT)
774     z_stream ctx_deflate;               /*!<  compression context     */
775     z_stream ctx_inflate;               /*!<  decompression context   */
776 #endif
777 
778 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
779     /* We need the Hello random bytes in order to re-derive keys from the
780      * Master Secret and other session info, see ssl_populate_transform() */
781     unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
782 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
783 };
784 
785 /*
786  * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
787  * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
788  */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)789 static inline int mbedtls_ssl_transform_uses_aead(
790         const mbedtls_ssl_transform *transform )
791 {
792 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
793     return( transform->maclen == 0 && transform->taglen != 0 );
794 #else
795     (void) transform;
796     return( 1 );
797 #endif
798 }
799 
800 /*
801  * Internal representation of record frames
802  *
803  * Instances come in two flavors:
804  * (1) Encrypted
805  *     These always have data_offset = 0
806  * (2) Unencrypted
807  *     These have data_offset set to the amount of
808  *     pre-expansion during record protection. Concretely,
809  *     this is the length of the fixed part of the explicit IV
810  *     used for encryption, or 0 if no explicit IV is used
811  *     (e.g. for CBC in TLS 1.0, or stream ciphers).
812  *
813  * The reason for the data_offset in the unencrypted case
814  * is to allow for in-place conversion of an unencrypted to
815  * an encrypted record. If the offset wasn't included, the
816  * encrypted content would need to be shifted afterwards to
817  * make space for the fixed IV.
818  *
819  */
820 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
821 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
822 #else
823 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
824 #endif
825 
826 typedef struct
827 {
828     uint8_t ctr[8];         /* In TLS:  The implicit record sequence number.
829                              * In DTLS: The 2-byte epoch followed by
830                              *          the 6-byte sequence number.
831                              * This is stored as a raw big endian byte array
832                              * as opposed to a uint64_t because we rarely
833                              * need to perform arithmetic on this, but do
834                              * need it as a Byte array for the purpose of
835                              * MAC computations.                             */
836     uint8_t type;           /* The record content type.                      */
837     uint8_t ver[2];         /* SSL/TLS version as present on the wire.
838                              * Convert to internal presentation of versions
839                              * using mbedtls_ssl_read_version() and
840                              * mbedtls_ssl_write_version().
841                              * Keep wire-format for MAC computations.        */
842 
843     unsigned char *buf;     /* Memory buffer enclosing the record content    */
844     size_t buf_len;         /* Buffer length                                 */
845     size_t data_offset;     /* Offset of record content                      */
846     size_t data_len;        /* Length of record content                      */
847 
848 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
849     uint8_t cid_len;        /* Length of the CID (0 if not present)          */
850     unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID                 */
851 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
852 } mbedtls_record;
853 
854 #if defined(MBEDTLS_X509_CRT_PARSE_C)
855 /*
856  * List of certificate + private key pairs
857  */
858 struct mbedtls_ssl_key_cert
859 {
860     mbedtls_x509_crt *cert;                 /*!< cert                       */
861     mbedtls_pk_context *key;                /*!< private key                */
862     mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
863 };
864 #endif /* MBEDTLS_X509_CRT_PARSE_C */
865 
866 #if defined(MBEDTLS_SSL_PROTO_DTLS)
867 /*
868  * List of handshake messages kept around for resending
869  */
870 struct mbedtls_ssl_flight_item
871 {
872     unsigned char *p;       /*!< message, including handshake headers   */
873     size_t len;             /*!< length of p                            */
874     unsigned char type;     /*!< type of the message: handshake or CCS  */
875     mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
876 };
877 #endif /* MBEDTLS_SSL_PROTO_DTLS */
878 
879 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
880     defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
881 
882 /* Find an entry in a signature-hash set matching a given hash algorithm. */
883 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
884                                                  mbedtls_pk_type_t sig_alg );
885 /* Add a signature-hash-pair to a signature-hash set */
886 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
887                                    mbedtls_pk_type_t sig_alg,
888                                    mbedtls_md_type_t md_alg );
889 /* Allow exactly one hash algorithm for each signature. */
890 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
891                                           mbedtls_md_type_t md_alg );
892 
893 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)894 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
895 {
896     mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
897 }
898 
899 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
900           MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
901 
902 /**
903  * \brief           Free referenced items in an SSL transform context and clear
904  *                  memory
905  *
906  * \param transform SSL transform context
907  */
908 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
909 
910 /**
911  * \brief           Free referenced items in an SSL handshake context and clear
912  *                  memory
913  *
914  * \param ssl       SSL context
915  */
916 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
917 
918 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
919 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
920 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
921 
922 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
923 
924 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
925 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
926 
927 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
928 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
929 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
930 
931 /**
932  * \brief       Update record layer
933  *
934  *              This function roughly separates the implementation
935  *              of the logic of (D)TLS from the implementation
936  *              of the secure transport.
937  *
938  * \param  ssl              The SSL context to use.
939  * \param  update_hs_digest This indicates if the handshake digest
940  *                          should be automatically updated in case
941  *                          a handshake message is found.
942  *
943  * \return      0 or non-zero error code.
944  *
945  * \note        A clarification on what is called 'record layer' here
946  *              is in order, as many sensible definitions are possible:
947  *
948  *              The record layer takes as input an untrusted underlying
949  *              transport (stream or datagram) and transforms it into
950  *              a serially multiplexed, secure transport, which
951  *              conceptually provides the following:
952  *
953  *              (1) Three datagram based, content-agnostic transports
954  *                  for handshake, alert and CCS messages.
955  *              (2) One stream- or datagram-based transport
956  *                  for application data.
957  *              (3) Functionality for changing the underlying transform
958  *                  securing the contents.
959  *
960  *              The interface to this functionality is given as follows:
961  *
962  *              a Updating
963  *                [Currently implemented by mbedtls_ssl_read_record]
964  *
965  *                Check if and on which of the four 'ports' data is pending:
966  *                Nothing, a controlling datagram of type (1), or application
967  *                data (2). In any case data is present, internal buffers
968  *                provide access to the data for the user to process it.
969  *                Consumption of type (1) datagrams is done automatically
970  *                on the next update, invalidating that the internal buffers
971  *                for previous datagrams, while consumption of application
972  *                data (2) is user-controlled.
973  *
974  *              b Reading of application data
975  *                [Currently manual adaption of ssl->in_offt pointer]
976  *
977  *                As mentioned in the last paragraph, consumption of data
978  *                is different from the automatic consumption of control
979  *                datagrams (1) because application data is treated as a stream.
980  *
981  *              c Tracking availability of application data
982  *                [Currently manually through decreasing ssl->in_msglen]
983  *
984  *                For efficiency and to retain datagram semantics for
985  *                application data in case of DTLS, the record layer
986  *                provides functionality for checking how much application
987  *                data is still available in the internal buffer.
988  *
989  *              d Changing the transformation securing the communication.
990  *
991  *              Given an opaque implementation of the record layer in the
992  *              above sense, it should be possible to implement the logic
993  *              of (D)TLS on top of it without the need to know anything
994  *              about the record layer's internals. This is done e.g.
995  *              in all the handshake handling functions, and in the
996  *              application data reading function mbedtls_ssl_read.
997  *
998  * \note        The above tries to give a conceptual picture of the
999  *              record layer, but the current implementation deviates
1000  *              from it in some places. For example, our implementation of
1001  *              the update functionality through mbedtls_ssl_read_record
1002  *              discards datagrams depending on the current state, which
1003  *              wouldn't fall under the record layer's responsibility
1004  *              following the above definition.
1005  *
1006  */
1007 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1008                              unsigned update_hs_digest );
1009 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1010 
1011 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
1012 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
1013 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1014 
1015 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
1016 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1017 
1018 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
1019 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1020 
1021 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
1022 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1023 
1024 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1025                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1026 
1027 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1028 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
1029 
1030 /**
1031  * Get the first defined PSK by order of precedence:
1032  * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1033  * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1034  * Return a code and update the pair (PSK, PSK length) passed to this function
1035  */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1036 static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1037     const unsigned char **psk, size_t *psk_len )
1038 {
1039     if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
1040     {
1041         *psk = ssl->handshake->psk;
1042         *psk_len = ssl->handshake->psk_len;
1043     }
1044 
1045     else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
1046     {
1047         *psk = ssl->conf->psk;
1048         *psk_len = ssl->conf->psk_len;
1049     }
1050 
1051     else
1052     {
1053         *psk = NULL;
1054         *psk_len = 0;
1055         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1056     }
1057 
1058     return( 0 );
1059 }
1060 
1061 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1062 /**
1063  * Get the first defined opaque PSK by order of precedence:
1064  * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1065  *    callback
1066  * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1067  * Return an opaque PSK
1068  */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1069 static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
1070     const mbedtls_ssl_context *ssl )
1071 {
1072     if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
1073         return( ssl->handshake->psk_opaque );
1074 
1075     if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
1076         return( ssl->conf->psk_opaque );
1077 
1078     return( MBEDTLS_SVC_KEY_ID_INIT );
1079 }
1080 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1081 
1082 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1083 
1084 #if defined(MBEDTLS_PK_C)
1085 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
1086 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
1087 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1088 #endif
1089 
1090 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
1091 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
1092 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
1093 
1094 #if defined(MBEDTLS_ECP_C)
1095 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
1096 #endif
1097 
1098 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1099 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
1100                                 mbedtls_md_type_t md );
1101 #endif
1102 
1103 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1104 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1105                                                     ( const uint16_t srtp_profile_value )
1106 {
1107     switch( srtp_profile_value )
1108     {
1109         case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1110         case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1111         case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1112         case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1113             return srtp_profile_value;
1114         default: break;
1115     }
1116     return( MBEDTLS_TLS_SRTP_UNSET );
1117 }
1118 #endif
1119 
1120 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1121 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1122 {
1123     mbedtls_ssl_key_cert *key_cert;
1124 
1125     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1126         key_cert = ssl->handshake->key_cert;
1127     else
1128         key_cert = ssl->conf->key_cert;
1129 
1130     return( key_cert == NULL ? NULL : key_cert->key );
1131 }
1132 
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1133 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1134 {
1135     mbedtls_ssl_key_cert *key_cert;
1136 
1137     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1138         key_cert = ssl->handshake->key_cert;
1139     else
1140         key_cert = ssl->conf->key_cert;
1141 
1142     return( key_cert == NULL ? NULL : key_cert->cert );
1143 }
1144 
1145 /*
1146  * Check usage of a certificate wrt extensions:
1147  * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1148  *
1149  * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1150  * check a cert we received from them)!
1151  *
1152  * Return 0 if everything is OK, -1 if not.
1153  */
1154 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1155                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
1156                           int cert_endpoint,
1157                           uint32_t *flags );
1158 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1159 
1160 void mbedtls_ssl_write_version( int major, int minor, int transport,
1161                         unsigned char ver[2] );
1162 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
1163                        const unsigned char ver[2] );
1164 
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1165 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
1166 {
1167 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1168     ((void) ssl);
1169 #endif
1170 
1171 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1172     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1173     {
1174         return( 13 );
1175     }
1176     else
1177 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1178     {
1179         return( 5 );
1180     }
1181 }
1182 
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1183 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1184 {
1185     return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
1186 }
1187 
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1188 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1189 {
1190 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1191     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1192         return( 12 );
1193 #else
1194     ((void) ssl);
1195 #endif
1196     return( 4 );
1197 }
1198 
1199 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1200 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1201 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1202 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
1203 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
1204 #endif
1205 
1206 /* Visible for testing purposes only */
1207 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1208 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
1209 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1210 #endif
1211 
1212 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1213                               const mbedtls_ssl_session *src );
1214 
1215 /* constant-time buffer comparison */
mbedtls_ssl_safer_memcmp(const void * a,const void * b,size_t n)1216 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
1217 {
1218     size_t i;
1219     volatile const unsigned char *A = (volatile const unsigned char *) a;
1220     volatile const unsigned char *B = (volatile const unsigned char *) b;
1221     volatile unsigned char diff = 0;
1222 
1223     for( i = 0; i < n; i++ )
1224     {
1225         /* Read volatile data in order before computing diff.
1226          * This avoids IAR compiler warning:
1227          * 'the order of volatile accesses is undefined ..' */
1228         unsigned char x = A[i], y = B[i];
1229         diff |= x ^ y;
1230     }
1231 
1232     return( diff );
1233 }
1234 
1235 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
1236     defined(MBEDTLS_SSL_PROTO_TLS1_1)
1237 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
1238                                         unsigned char *output,
1239                                         unsigned char *data, size_t data_len );
1240 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
1241           MBEDTLS_SSL_PROTO_TLS1_1 */
1242 
1243 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1244     defined(MBEDTLS_SSL_PROTO_TLS1_2)
1245 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1246 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
1247                                             unsigned char *hash, size_t *hashlen,
1248                                             unsigned char *data, size_t data_len,
1249                                             mbedtls_md_type_t md_alg );
1250 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1251           MBEDTLS_SSL_PROTO_TLS1_2 */
1252 
1253 #ifdef __cplusplus
1254 }
1255 #endif
1256 
1257 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1258 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1259                              mbedtls_ssl_transform *transform,
1260                              mbedtls_record *rec,
1261                              int (*f_rng)(void *, unsigned char *, size_t),
1262                              void *p_rng );
1263 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1264                              mbedtls_ssl_transform *transform,
1265                              mbedtls_record *rec );
1266 
1267 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1268 static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1269 {
1270 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1271     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1272         return( 2 );
1273 #else
1274     ((void) ssl);
1275 #endif
1276     return( 0 );
1277 }
1278 
1279 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1280 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
1281 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1282 
1283 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
1284 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1285 
1286 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1287 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1288                               mbedtls_ssl_transform *transform );
1289 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1290 
1291 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
1292 
1293 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1294 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1295 #endif
1296 
1297 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1298 
1299 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1300 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
1301 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1302 
1303 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1304 size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
1305 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1306 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1307 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1308 
1309 #endif /* ssl_internal.h */
1310