1 /**
2  * \file ssl_misc.h
3  *
4  * \brief Internal functions shared by the SSL modules
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 #ifndef MBEDTLS_SSL_MISC_H
23 #define MBEDTLS_SSL_MISC_H
24 
25 #include "mbedtls/build_info.h"
26 
27 #include "mbedtls/ssl.h"
28 #include "mbedtls/cipher.h"
29 
30 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
31 #include "psa/crypto.h"
32 #include "mbedtls/psa_util.h"
33 #include "hash_info.h"
34 #endif
35 #include "mbedtls/legacy_or_psa.h"
36 
37 #if defined(MBEDTLS_MD5_C)
38 #include "mbedtls/md5.h"
39 #endif
40 
41 #if defined(MBEDTLS_SHA1_C)
42 #include "mbedtls/sha1.h"
43 #endif
44 
45 #if defined(MBEDTLS_SHA256_C)
46 #include "mbedtls/sha256.h"
47 #endif
48 
49 #if defined(MBEDTLS_SHA512_C)
50 #include "mbedtls/sha512.h"
51 #endif
52 
53 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
54     !defined(MBEDTLS_USE_PSA_CRYPTO)
55 #include "mbedtls/ecjpake.h"
56 #endif
57 
58 #include "common.h"
59 
60 /* Shorthand for restartable ECC */
61 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
62     defined(MBEDTLS_SSL_CLI_C) && \
63     defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
64     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
65 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
66 #endif
67 
68 #define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
69 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
70 #define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
71 #define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
72 
73 /* Faked handshake message identity for HelloRetryRequest. */
74 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO )
75 
76 /*
77  * Internal identity of handshake extensions
78  */
79 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED                0
80 #define MBEDTLS_SSL_EXT_ID_SERVERNAME                  1
81 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME         1
82 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH         2
83 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST              3
84 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS            4
85 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES   4
86 #define MBEDTLS_SSL_EXT_ID_SIG_ALG                     5
87 #define MBEDTLS_SSL_EXT_ID_USE_SRTP                    6
88 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT                   7
89 #define MBEDTLS_SSL_EXT_ID_ALPN                        8
90 #define MBEDTLS_SSL_EXT_ID_SCT                         9
91 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE              10
92 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE             11
93 #define MBEDTLS_SSL_EXT_ID_PADDING                    12
94 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY             13
95 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA                 14
96 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS         15
97 #define MBEDTLS_SSL_EXT_ID_COOKIE                     16
98 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES     17
99 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH                  18
100 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS                19
101 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH        20
102 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT               21
103 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE                  22
104 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC             23
105 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS    24
106 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC           25
107 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET     26
108 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET             27
109 
110 /* Utility for translating IANA extension type. */
111 uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type );
112 uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
113 /* Macros used to define mask constants */
114 #define MBEDTLS_SSL_EXT_MASK( id )       ( 1ULL << ( MBEDTLS_SSL_EXT_ID_##id ) )
115 /* Reset value of extension mask */
116 #define MBEDTLS_SSL_EXT_MASK_NONE                                              0
117 
118 /* In messages containing extension requests, we should ignore unrecognized
119  * extensions. In messages containing extension responses, unrecognized
120  * extensions should result in handshake abortion. Messages containing
121  * extension requests include ClientHello, CertificateRequest and
122  * NewSessionTicket. Messages containing extension responses include
123  * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
124  *
125  * RFC 8446 section 4.1.3
126  *
127  * The ServerHello MUST only include extensions which are required to establish
128  * the cryptographic context and negotiate the protocol version.
129  *
130  * RFC 8446 section 4.2
131  *
132  * If an implementation receives an extension which it recognizes and which is
133  * not specified for the message in which it appears, it MUST abort the handshake
134  * with an "illegal_parameter" alert.
135  */
136 
137 /* Extensions that are not recognized by TLS 1.3 */
138 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED                               \
139             ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS )                | \
140               MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC )                       | \
141               MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET )                 | \
142               MBEDTLS_SSL_EXT_MASK( SESSION_TICKET )                         | \
143               MBEDTLS_SSL_EXT_MASK( TRUNCATED_HMAC )                         | \
144               MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
145 
146 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */
147 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH                                  \
148             ( MBEDTLS_SSL_EXT_MASK( SERVERNAME )                             | \
149               MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH )                    | \
150               MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST )                         | \
151               MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS )                       | \
152               MBEDTLS_SSL_EXT_MASK( SIG_ALG )                                | \
153               MBEDTLS_SSL_EXT_MASK( USE_SRTP )                               | \
154               MBEDTLS_SSL_EXT_MASK( HEARTBEAT )                              | \
155               MBEDTLS_SSL_EXT_MASK( ALPN )                                   | \
156               MBEDTLS_SSL_EXT_MASK( SCT )                                    | \
157               MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE )                          | \
158               MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE )                         | \
159               MBEDTLS_SSL_EXT_MASK( PADDING )                                | \
160               MBEDTLS_SSL_EXT_MASK( KEY_SHARE )                              | \
161               MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )                         | \
162               MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES )                 | \
163               MBEDTLS_SSL_EXT_MASK( EARLY_DATA )                             | \
164               MBEDTLS_SSL_EXT_MASK( COOKIE )                                 | \
165               MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS )                     | \
166               MBEDTLS_SSL_EXT_MASK( CERT_AUTH )                              | \
167               MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH )                    | \
168               MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT )                           | \
169               MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
170 
171 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
172 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE                                  \
173             ( MBEDTLS_SSL_EXT_MASK( SERVERNAME )                             | \
174               MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH )                    | \
175               MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS )                       | \
176               MBEDTLS_SSL_EXT_MASK( USE_SRTP )                               | \
177               MBEDTLS_SSL_EXT_MASK( HEARTBEAT )                              | \
178               MBEDTLS_SSL_EXT_MASK( ALPN )                                   | \
179               MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE )                          | \
180               MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE )                         | \
181               MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
182 
183 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
184 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR                                  \
185             ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST )                         | \
186               MBEDTLS_SSL_EXT_MASK( SIG_ALG )                                | \
187               MBEDTLS_SSL_EXT_MASK( SCT )                                    | \
188               MBEDTLS_SSL_EXT_MASK( CERT_AUTH )                              | \
189               MBEDTLS_SSL_EXT_MASK( OID_FILTERS )                            | \
190               MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT )                           | \
191               MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
192 
193 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
194 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT                                  \
195             ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST )                         | \
196               MBEDTLS_SSL_EXT_MASK( SCT ) )
197 
198 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
199 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH                                  \
200             ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE )                              | \
201               MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )                         | \
202               MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
203 
204 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
205 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR                                 \
206             ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE )                              | \
207               MBEDTLS_SSL_EXT_MASK( COOKIE )                                 | \
208               MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
209 
210 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
211 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST                                 \
212             ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA )                             | \
213               MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
214 
215 /*
216  * Helper macros for function call with return check.
217  */
218 /*
219  * Exit when return non-zero value
220  */
221 #define MBEDTLS_SSL_PROC_CHK( f )                               \
222     do {                                                        \
223         ret = ( f );                                            \
224         if( ret != 0 )                                          \
225         {                                                       \
226             goto cleanup;                                       \
227         }                                                       \
228     } while( 0 )
229 /*
230  * Exit when return negative value
231  */
232 #define MBEDTLS_SSL_PROC_CHK_NEG( f )                           \
233     do {                                                        \
234         ret = ( f );                                            \
235         if( ret < 0 )                                           \
236         {                                                       \
237             goto cleanup;                                       \
238         }                                                       \
239     } while( 0 )
240 
241 /*
242  * DTLS retransmission states, see RFC 6347 4.2.4
243  *
244  * The SENDING state is merged in PREPARING for initial sends,
245  * but is distinct for resends.
246  *
247  * Note: initial state is wrong for server, but is not used anyway.
248  */
249 #define MBEDTLS_SSL_RETRANS_PREPARING       0
250 #define MBEDTLS_SSL_RETRANS_SENDING         1
251 #define MBEDTLS_SSL_RETRANS_WAITING         2
252 #define MBEDTLS_SSL_RETRANS_FINISHED        3
253 
254 /*
255  * Allow extra bytes for record, authentication and encryption overhead:
256  * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
257  */
258 
259 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
260 
261 /* This macro determines whether CBC is supported. */
262 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
263     ( defined(MBEDTLS_AES_C)      ||                                  \
264       defined(MBEDTLS_CAMELLIA_C) ||                                  \
265       defined(MBEDTLS_ARIA_C)     ||                                  \
266       defined(MBEDTLS_DES_C) )
267 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
268 #endif
269 
270 /* This macro determines whether a ciphersuite using a
271  * stream cipher can be used. */
272 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
273 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
274 #endif
275 
276 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
277 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
278       defined(MBEDTLS_SSL_PROTO_TLS1_2)
279 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
280 #endif
281 
282 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
283     defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
284 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
285 #endif
286 
287 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
288 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
289     defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
290 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
291 #endif
292 
293 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
294 
295 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
296 /* Ciphersuites using HMAC */
297 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
298 #define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
299 #elif defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
300 #define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
301 #else
302 #define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
303 #endif
304 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
305 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
306 #define MBEDTLS_SSL_MAC_ADD                 16
307 #endif
308 
309 #if defined(MBEDTLS_CIPHER_MODE_CBC)
310 #define MBEDTLS_SSL_PADDING_ADD            256
311 #else
312 #define MBEDTLS_SSL_PADDING_ADD              0
313 #endif
314 
315 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
316 #define MBEDTLS_SSL_MAX_CID_EXPANSION      MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
317 #else
318 #define MBEDTLS_SSL_MAX_CID_EXPANSION        0
319 #endif
320 
321 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH +          \
322                                        MBEDTLS_SSL_MAC_ADD +            \
323                                        MBEDTLS_SSL_PADDING_ADD +        \
324                                        MBEDTLS_SSL_MAX_CID_EXPANSION    \
325                                        )
326 
327 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
328                                      ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
329 
330 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
331                                       ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
332 
333 /* The maximum number of buffered handshake messages. */
334 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
335 
336 /* Maximum length we can advertise as our max content length for
337    RFC 6066 max_fragment_length extension negotiation purposes
338    (the lesser of both sizes, if they are unequal.)
339  */
340 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
341         (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
342         ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
343         : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
344         )
345 
346 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
347 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN       65534
348 
349 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
350 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN       2
351 
352 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
353 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
354 
355 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE         20
356 
357 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
358 
359 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
360 
361 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
362 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
363 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
364 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
365 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
366 
367 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
368 
369 /*
370  * Check that we obey the standard's message size bounds
371  */
372 
373 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
374 #error "Bad configuration - incoming record content too large."
375 #endif
376 
377 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
378 #error "Bad configuration - outgoing record content too large."
379 #endif
380 
381 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
382 #error "Bad configuration - incoming protected record payload too large."
383 #endif
384 
385 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
386 #error "Bad configuration - outgoing protected record payload too large."
387 #endif
388 
389 /* Calculate buffer sizes */
390 
391 /* Note: Even though the TLS record header is only 5 bytes
392    long, we're internally using 8 bytes to store the
393    implicit sequence number. */
394 #define MBEDTLS_SSL_HEADER_LEN 13
395 
396 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
397 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
398     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
399 #else
400 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
401     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
402       + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
403 #endif
404 
405 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
406 #define MBEDTLS_SSL_OUT_BUFFER_LEN  \
407     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
408 #else
409 #define MBEDTLS_SSL_OUT_BUFFER_LEN                               \
410     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN )    \
411       + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
412 #endif
413 
414 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
415 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
416 
417 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
418 /**
419  * \brief          Return the maximum fragment length (payload, in bytes) for
420  *                 the output buffer. For the client, this is the configured
421  *                 value. For the server, it is the minimum of two - the
422  *                 configured value and the negotiated one.
423  *
424  * \sa             mbedtls_ssl_conf_max_frag_len()
425  * \sa             mbedtls_ssl_get_max_out_record_payload()
426  *
427  * \param ssl      SSL context
428  *
429  * \return         Current maximum fragment length for the output buffer.
430  */
431 size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
432 
433 /**
434  * \brief          Return the maximum fragment length (payload, in bytes) for
435  *                 the input buffer. This is the negotiated maximum fragment
436  *                 length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
437  *                 If it is not defined either, the value is 2^14. This function
438  *                 works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
439  *
440  * \sa             mbedtls_ssl_conf_max_frag_len()
441  * \sa             mbedtls_ssl_get_max_in_record_payload()
442  *
443  * \param ssl      SSL context
444  *
445  * \return         Current maximum fragment length for the output buffer.
446  */
447 size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
448 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
449 
450 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)451 static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
452 {
453 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
454     return mbedtls_ssl_get_output_max_frag_len( ctx )
455                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
456                + MBEDTLS_SSL_CID_OUT_LEN_MAX;
457 #else
458     return mbedtls_ssl_get_output_max_frag_len( ctx )
459                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
460 #endif
461 }
462 
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)463 static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
464 {
465 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
466     return mbedtls_ssl_get_input_max_frag_len( ctx )
467                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
468                + MBEDTLS_SSL_CID_IN_LEN_MAX;
469 #else
470     return mbedtls_ssl_get_input_max_frag_len( ctx )
471                + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
472 #endif
473 }
474 #endif
475 
476 /*
477  * TLS extension flags (for extensions with outgoing ServerHello content
478  * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
479  * of state of the renegotiation flag, so no indicator is required)
480  */
481 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
482 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
483 
484 /**
485  * \brief        This function checks if the remaining size in a buffer is
486  *               greater or equal than a needed space.
487  *
488  * \param cur    Pointer to the current position in the buffer.
489  * \param end    Pointer to one past the end of the buffer.
490  * \param need   Needed space in bytes.
491  *
492  * \return       Zero if the needed space is available in the buffer, non-zero
493  *               otherwise.
494  */
495 #if ! defined(MBEDTLS_TEST_HOOKS)
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)496 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
497                                            const uint8_t *end, size_t need )
498 {
499     return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
500 }
501 #else
502 typedef struct
503 {
504     const uint8_t *cur;
505     const uint8_t *end;
506     size_t need;
507 } mbedtls_ssl_chk_buf_ptr_args;
508 
509 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
510     const uint8_t *cur, const uint8_t *end, size_t need );
511 void mbedtls_ssl_reset_chk_buf_ptr_fail_args( void );
512 
513 MBEDTLS_CHECK_RETURN_CRITICAL
514 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args( mbedtls_ssl_chk_buf_ptr_args *args );
515 
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)516 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
517                                            const uint8_t *end, size_t need )
518 {
519     if( ( cur > end ) || ( need > (size_t)( end - cur ) ) )
520     {
521         mbedtls_ssl_set_chk_buf_ptr_fail_args( cur, end, need );
522         return( 1 );
523     }
524     return( 0 );
525 }
526 #endif /* MBEDTLS_TEST_HOOKS */
527 
528 /**
529  * \brief        This macro checks if the remaining size in a buffer is
530  *               greater or equal than a needed space. If it is not the case,
531  *               it returns an SSL_BUFFER_TOO_SMALL error.
532  *
533  * \param cur    Pointer to the current position in the buffer.
534  * \param end    Pointer to one past the end of the buffer.
535  * \param need   Needed space in bytes.
536  *
537  */
538 #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need )                        \
539     do {                                                                 \
540         if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
541         {                                                                \
542             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );                  \
543         }                                                                \
544     } while( 0 )
545 
546 /**
547  * \brief        This macro checks if the remaining length in an input buffer is
548  *               greater or equal than a needed length. If it is not the case, it
549  *               returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
550  *               #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
551  *
552  *               This is a function-like macro. It is guaranteed to evaluate each
553  *               argument exactly once.
554  *
555  * \param cur    Pointer to the current position in the buffer.
556  * \param end    Pointer to one past the end of the buffer.
557  * \param need   Needed length in bytes.
558  *
559  */
560 #define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need )                          \
561     do {                                                                        \
562         if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 )        \
563         {                                                                       \
564             MBEDTLS_SSL_DEBUG_MSG( 1,                                           \
565                                    ( "missing input data in %s", __func__ ) );  \
566             MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,   \
567                                           MBEDTLS_ERR_SSL_DECODE_ERROR );       \
568             return( MBEDTLS_ERR_SSL_DECODE_ERROR );                             \
569         }                                                                       \
570     } while( 0 )
571 
572 #ifdef __cplusplus
573 extern "C" {
574 #endif
575 
576 typedef int  mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
577                                      const char *label,
578                                      const unsigned char *random, size_t rlen,
579                                      unsigned char *dstbuf, size_t dlen );
580 
581 /* cipher.h exports the maximum IV, key and block length from
582  * all ciphers enabled in the config, regardless of whether those
583  * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
584  * in the default configuration and uses 64 Byte keys, but it is
585  * not used for record protection in SSL/TLS.
586  *
587  * In order to prevent unnecessary inflation of key structures,
588  * we introduce SSL-specific variants of the max-{key,block,IV}
589  * macros here which are meant to only take those ciphers into
590  * account which can be negotiated in SSL/TLS.
591  *
592  * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
593  * in cipher.h are rough overapproximations of the real maxima, here
594  * we content ourselves with replicating those overapproximations
595  * for the maximum block and IV length, and excluding XTS from the
596  * computation of the maximum key length. */
597 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
598 #define MBEDTLS_SSL_MAX_IV_LENGTH    16
599 #define MBEDTLS_SSL_MAX_KEY_LENGTH   32
600 
601 /**
602  * \brief   The data structure holding the cryptographic material (key and IV)
603  *          used for record protection in TLS 1.3.
604  */
605 struct mbedtls_ssl_key_set
606 {
607     /*! The key for client->server records. */
608     unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
609     /*! The key for server->client records. */
610     unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
611     /*! The IV  for client->server records. */
612     unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
613     /*! The IV  for server->client records. */
614     unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
615 
616     size_t key_len; /*!< The length of client_write_key and
617                      *   server_write_key, in Bytes. */
618     size_t iv_len;  /*!< The length of client_write_iv and
619                      *   server_write_iv, in Bytes. */
620 };
621 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
622 
623 typedef struct
624 {
625     unsigned char binder_key                  [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
626     unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
627     unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
628 } mbedtls_ssl_tls13_early_secrets;
629 
630 typedef struct
631 {
632     unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
633     unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
634 } mbedtls_ssl_tls13_handshake_secrets;
635 
636 /*
637  * This structure contains the parameters only needed during handshake.
638  */
639 struct mbedtls_ssl_handshake_params
640 {
641     /* Frequently-used boolean or byte fields (placed early to take
642      * advantage of smaller code size for indirect access on Arm Thumb) */
643     uint8_t resume;                     /*!<  session resume indicator*/
644     uint8_t cli_exts;                   /*!< client extension presence*/
645 
646 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
647     uint8_t sni_authmode;               /*!< authmode from SNI callback     */
648 #endif
649 
650 #if defined(MBEDTLS_SSL_SRV_C)
651     /* Flag indicating if a CertificateRequest message has been sent
652      * to the client or not. */
653     uint8_t certificate_request_sent;
654 #endif /* MBEDTLS_SSL_SRV_C */
655 
656 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
657     uint8_t new_session_ticket;         /*!< use NewSessionTicket?    */
658 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
659 
660 #if defined(MBEDTLS_SSL_CLI_C)
661     /** Minimum TLS version to be negotiated.
662      *
663      *  It is set up in the ClientHello writing preparation stage and used
664      *  throughout the ClientHello writing. Not relevant anymore as soon as
665      *  the protocol version has been negotiated thus as soon as the
666      *  ServerHello is received.
667      *  For a fresh handshake not linked to any previous handshake, it is
668      *  equal to the configured minimum minor version to be negotiated. When
669      *  renegotiating or resuming a session, it is equal to the previously
670      *  negotiated minor version.
671      *
672      *  There is no maximum TLS version field in this handshake context.
673      *  From the start of the handshake, we need to define a current protocol
674      *  version for the record layer which we define as the maximum TLS
675      *  version to be negotiated. The `tls_version` field of the SSL context is
676      *  used to store this maximum value until it contains the actual
677      *  negotiated value.
678      */
679     mbedtls_ssl_protocol_version min_tls_version;
680 #endif
681 
682 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
683     uint8_t extended_ms;                /*!< use Extended Master Secret? */
684 #endif
685 
686 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
687     uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
688 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
689 
690 #if defined(MBEDTLS_SSL_PROTO_DTLS)
691     unsigned char retransmit_state;     /*!<  Retransmission state           */
692 #endif
693 
694 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
695     unsigned char group_list_heap_allocated;
696     unsigned char sig_algs_heap_allocated;
697 #endif
698 
699 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
700     uint8_t ecrs_enabled;               /*!< Handshake supports EC restart? */
701     enum { /* this complements ssl->state with info on intra-state operations */
702         ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
703         ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
704         ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
705         ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
706         ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
707     } ecrs_state;                       /*!< current (or last) operation    */
708     mbedtls_x509_crt *ecrs_peer_cert;   /*!< The peer's CRT chain.          */
709     size_t ecrs_n;                      /*!< place for saving a length      */
710 #endif
711 
712     mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
713 
714     void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
715     void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
716     void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
717     mbedtls_ssl_tls_prf_cb *tls_prf;
718 
719     /*
720      * Handshake specific crypto variables
721      */
722 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
723     uint8_t key_exchange_mode; /*!< Selected key exchange mode */
724 
725     /** Number of HelloRetryRequest messages received/sent from/to the server. */
726     int hello_retry_request_count;
727 
728 #if defined(MBEDTLS_SSL_SRV_C)
729     /** selected_group of key_share extension in HelloRetryRequest message. */
730     uint16_t hrr_selected_group;
731 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
732     uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
733 #endif
734 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
735     uint16_t new_session_tickets_count;         /*!< number of session tickets */
736 #endif
737 #endif /* MBEDTLS_SSL_SRV_C */
738 
739 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
740 
741 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
742     uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
743 #endif
744 
745 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
746     const uint16_t *group_list;
747     const uint16_t *sig_algs;
748 #endif
749 
750 #if defined(MBEDTLS_DHM_C)
751     mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
752 #endif
753 
754 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
755  * to guards in client and server code. There is a gap in functionality that
756  * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not
757  * seem correct.
758  */
759 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
760 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
761     mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
762 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
763 
764 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
765     psa_key_type_t ecdh_psa_type;
766     size_t ecdh_bits;
767     mbedtls_svc_key_id_t ecdh_psa_privkey;
768     uint8_t ecdh_psa_privkey_is_external;
769     unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
770     size_t ecdh_psa_peerkey_len;
771 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
772 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
773 
774 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
775 #if defined(MBEDTLS_USE_PSA_CRYPTO)
776     psa_pake_operation_t psa_pake_ctx;        /*!< EC J-PAKE key exchange */
777     mbedtls_svc_key_id_t psa_pake_password;
778     uint8_t psa_pake_ctx_is_ok;
779 #else
780     mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
781 #endif /* MBEDTLS_USE_PSA_CRYPTO */
782 #if defined(MBEDTLS_SSL_CLI_C)
783     unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
784     size_t ecjpake_cache_len;                   /*!< Length of cached data */
785 #endif
786 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
787 
788 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ||      \
789     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
790     const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
791 #endif
792 
793 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
794 #if defined(MBEDTLS_USE_PSA_CRYPTO)
795     mbedtls_svc_key_id_t psk_opaque;            /*!< Opaque PSK from the callback   */
796     uint8_t psk_opaque_is_internal;
797 #else
798     unsigned char *psk;                 /*!<  PSK from the callback         */
799     size_t psk_len;                     /*!<  Length of PSK from callback   */
800 #endif /* MBEDTLS_USE_PSA_CRYPTO */
801     uint16_t    selected_identity;
802 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
803 
804 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
805     mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
806 #endif
807 
808 #if defined(MBEDTLS_X509_CRT_PARSE_C)
809     mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
810 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
811     mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
812     mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
813     mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
814 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
815 #endif /* MBEDTLS_X509_CRT_PARSE_C */
816 
817 #if defined(MBEDTLS_X509_CRT_PARSE_C) &&        \
818     !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
819     mbedtls_pk_context peer_pubkey;     /*!< The public key from the peer.  */
820 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
821 
822     struct
823     {
824         size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
825                                       *   buffers used for message buffering. */
826 
827         uint8_t seen_ccs;               /*!< Indicates if a CCS message has
828                                          *   been seen in the current flight. */
829 
830         struct mbedtls_ssl_hs_buffer
831         {
832             unsigned is_valid      : 1;
833             unsigned is_fragmented : 1;
834             unsigned is_complete   : 1;
835             unsigned char *data;
836             size_t data_len;
837         } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
838 
839         struct
840         {
841             unsigned char *data;
842             size_t len;
843             unsigned epoch;
844         } future_record;
845 
846     } buffering;
847 
848 #if defined(MBEDTLS_SSL_CLI_C) && \
849     ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
850     unsigned char *cookie;              /*!<  HelloVerifyRequest cookie for DTLS
851                                          *    HelloRetryRequest cookie for TLS 1.3 */
852 #endif /* MBEDTLS_SSL_CLI_C &&
853           ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
854 #if defined(MBEDTLS_SSL_PROTO_DTLS)
855     unsigned char verify_cookie_len;    /*!<  Cli: HelloVerifyRequest cookie
856                                          *    length
857                                          *    Srv: flag for sending a cookie */
858 #endif /* MBEDTLS_SSL_PROTO_DTLS */
859 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
860     uint16_t hrr_cookie_len;            /*!<  HelloRetryRequest cookie length */
861 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
862 
863 #if defined(MBEDTLS_SSL_PROTO_DTLS)
864     unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
865     unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
866 
867     uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
868     mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
869     mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
870     unsigned char *cur_msg_p;           /*!<  Position in current message    */
871     unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
872                                               flight being received          */
873     mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
874                                               resending messages             */
875     unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!<  Alternative record epoch/counter
876                                                                       for resending messages         */
877 
878 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
879     /* The state of CID configuration in this handshake. */
880 
881     uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
882                          *   has been negotiated. Possible values are
883                          *   #MBEDTLS_SSL_CID_ENABLED and
884                          *   #MBEDTLS_SSL_CID_DISABLED. */
885     unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
886     uint8_t peer_cid_len;                                  /*!< The length of
887                                                             *   \c peer_cid.  */
888 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
889 
890     uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
891 #endif /* MBEDTLS_SSL_PROTO_DTLS */
892 
893     /*
894      * Checksum contexts
895      */
896 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
897 #if defined(MBEDTLS_USE_PSA_CRYPTO)
898     psa_hash_operation_t fin_sha256_psa;
899 #else
900     mbedtls_sha256_context fin_sha256;
901 #endif
902 #endif
903 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
904 #if defined(MBEDTLS_USE_PSA_CRYPTO)
905     psa_hash_operation_t fin_sha384_psa;
906 #else
907     mbedtls_sha512_context fin_sha384;
908 #endif
909 #endif
910 
911 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
912     uint16_t offered_group_id; /* The NamedGroup value for the group
913                                 * that is being used for ephemeral
914                                 * key exchange.
915                                 *
916                                 * On the client: Defaults to the first
917                                 * entry in the client's group list,
918                                 * but can be overwritten by the HRR. */
919 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
920 
921 #if defined(MBEDTLS_SSL_CLI_C)
922     uint8_t client_auth;       /*!< used to check if CertificateRequest has been
923                                     received from server side. If CertificateRequest
924                                     has been received, Certificate and CertificateVerify
925                                     should be sent to server */
926 #endif /* MBEDTLS_SSL_CLI_C */
927     /*
928      * State-local variables used during the processing
929      * of a specific handshake state.
930      */
931     union
932     {
933         /* Outgoing Finished message */
934         struct
935         {
936             uint8_t preparation_done;
937 
938             /* Buffer holding digest of the handshake up to
939              * but excluding the outgoing finished message. */
940             unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
941             size_t digest_len;
942         } finished_out;
943 
944         /* Incoming Finished message */
945         struct
946         {
947             uint8_t preparation_done;
948 
949             /* Buffer holding digest of the handshake up to but
950              * excluding the peer's incoming finished message. */
951             unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
952             size_t digest_len;
953         } finished_in;
954 
955     } state_local;
956 
957     /* End of state-local variables. */
958 
959     unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
960                             MBEDTLS_SERVER_HELLO_RANDOM_LEN];
961                                         /*!<  random bytes            */
962 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
963     unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
964                                         /*!<  premaster secret        */
965     size_t pmslen;                      /*!<  premaster length        */
966 #endif
967 
968 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
969     uint32_t sent_extensions;       /*!< extensions sent by endpoint */
970     uint32_t received_extensions;   /*!< extensions received by endpoint */
971 
972 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
973     unsigned char certificate_request_context_len;
974     unsigned char *certificate_request_context;
975 #endif
976 
977     /** TLS 1.3 transform for encrypted handshake messages. */
978     mbedtls_ssl_transform *transform_handshake;
979     union
980     {
981         unsigned char early    [MBEDTLS_TLS1_3_MD_MAX_SIZE];
982         unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
983         unsigned char app      [MBEDTLS_TLS1_3_MD_MAX_SIZE];
984     } tls13_master_secrets;
985 
986     mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
987 #if defined(MBEDTLS_SSL_EARLY_DATA)
988     mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
989     /** TLS 1.3 transform for early data and handshake messages. */
990     mbedtls_ssl_transform *transform_earlydata;
991 #endif
992 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
993 
994 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
995     /** Asynchronous operation context. This field is meant for use by the
996      * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
997      * mbedtls_ssl_config::f_async_decrypt_start,
998      * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
999      * The library does not use it internally. */
1000     void *user_async_ctx;
1001 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1002 
1003 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1004     const unsigned char *sni_name;      /*!< raw SNI                        */
1005     size_t sni_name_len;                /*!< raw SNI len                    */
1006 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
1007     const mbedtls_x509_crt *dn_hints;   /*!< acceptable client cert issuers */
1008 #endif
1009 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1010 };
1011 
1012 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
1013 
1014 /*
1015  * Representation of decryption/encryption transformations on records
1016  *
1017  * There are the following general types of record transformations:
1018  * - Stream transformations (TLS versions == 1.2 only)
1019  *   Transformation adding a MAC and applying a stream-cipher
1020  *   to the authenticated message.
1021  * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
1022  *   For TLS 1.2, no IV is generated at key extraction time, but every
1023  *   encrypted record is explicitly prefixed by the IV with which it was
1024  *   encrypted.
1025  * - AEAD transformations ([D]TLS versions == 1.2 only)
1026  *   These come in two fundamentally different versions, the first one
1027  *   used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
1028  *   one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
1029  *   In the first transformation, the IV to be used for a record is obtained
1030  *   as the concatenation of an explicit, static 4-byte IV and the 8-byte
1031  *   record sequence number, and explicitly prepending this sequence number
1032  *   to the encrypted record. In contrast, in the second transformation
1033  *   the IV is obtained by XOR'ing a static IV obtained at key extraction
1034  *   time with the 8-byte record sequence number, without prepending the
1035  *   latter to the encrypted record.
1036  *
1037  * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
1038  * which allows to add flexible length padding and to hide a record's true
1039  * content type.
1040  *
1041  * In addition to type and version, the following parameters are relevant:
1042  * - The symmetric cipher algorithm to be used.
1043  * - The (static) encryption/decryption keys for the cipher.
1044  * - For stream/CBC, the type of message digest to be used.
1045  * - For stream/CBC, (static) encryption/decryption keys for the digest.
1046  * - For AEAD transformations, the size (potentially 0) of an explicit,
1047  *   random initialization vector placed in encrypted records.
1048  * - For some transformations (currently AEAD) an implicit IV. It is static
1049  *   and (if present) is combined with the explicit IV in a transformation-
1050  *   -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
1051  * - For stream/CBC, a flag determining the order of encryption and MAC.
1052  * - The details of the transformation depend on the SSL/TLS version.
1053  * - The length of the authentication tag.
1054  *
1055  * The struct below refines this abstract view as follows:
1056  * - The cipher underlying the transformation is managed in
1057  *   cipher contexts cipher_ctx_{enc/dec}, which must have the
1058  *   same cipher type. The mode of these cipher contexts determines
1059  *   the type of the transformation in the sense above: e.g., if
1060  *   the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
1061  *   then the transformation has type CBC resp. AEAD.
1062  * - The cipher keys are never stored explicitly but
1063  *   are maintained within cipher_ctx_{enc/dec}.
1064  * - For stream/CBC transformations, the message digest contexts
1065  *   used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
1066  *   are unused for AEAD transformations.
1067  * - For stream/CBC transformations, the MAC keys are not stored explicitly
1068  *   but maintained within md_ctx_{enc/dec}.
1069  * - The mac_enc and mac_dec fields are unused for EAD transformations.
1070  * - For transformations using an implicit IV maintained within
1071  *   the transformation context, its contents are stored within
1072  *   iv_{enc/dec}.
1073  * - The value of ivlen indicates the length of the IV.
1074  *   This is redundant in case of stream/CBC transformations
1075  *   which always use 0 resp. the cipher's block length as the
1076  *   IV length, but is needed for AEAD ciphers and may be
1077  *   different from the underlying cipher's block length
1078  *   in this case.
1079  * - The field fixed_ivlen is nonzero for AEAD transformations only
1080  *   and indicates the length of the static part of the IV which is
1081  *   constant throughout the communication, and which is stored in
1082  *   the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
1083  * - tls_version denotes the 2-byte TLS version
1084  * - For stream/CBC transformations, maclen denotes the length of the
1085  *   authentication tag, while taglen is unused and 0.
1086  * - For AEAD transformations, taglen denotes the length of the
1087  *   authentication tag, while maclen is unused and 0.
1088  * - For CBC transformations, encrypt_then_mac determines the
1089  *   order of encryption and authentication. This field is unused
1090  *   in other transformations.
1091  *
1092  */
1093 struct mbedtls_ssl_transform
1094 {
1095     /*
1096      * Session specific crypto layer
1097      */
1098     size_t minlen;                      /*!<  min. ciphertext length  */
1099     size_t ivlen;                       /*!<  IV length               */
1100     size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
1101     size_t maclen;                      /*!<  MAC(CBC) len            */
1102     size_t taglen;                      /*!<  TAG(AEAD) len           */
1103 
1104     unsigned char iv_enc[16];           /*!<  IV (encryption)         */
1105     unsigned char iv_dec[16];           /*!<  IV (decryption)         */
1106 
1107 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1108 
1109 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1110     mbedtls_svc_key_id_t psa_mac_enc;           /*!<  MAC (encryption)        */
1111     mbedtls_svc_key_id_t psa_mac_dec;           /*!<  MAC (decryption)        */
1112     psa_algorithm_t psa_mac_alg;                /*!<  psa MAC algorithm       */
1113 #else
1114     mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
1115     mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
1116 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1117 
1118 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1119     int encrypt_then_mac;       /*!< flag for EtM activation                */
1120 #endif
1121 
1122 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1123 
1124     mbedtls_ssl_protocol_version tls_version;
1125 
1126 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1127     mbedtls_svc_key_id_t psa_key_enc;           /*!<  psa encryption key      */
1128     mbedtls_svc_key_id_t psa_key_dec;           /*!<  psa decryption key      */
1129     psa_algorithm_t psa_alg;                    /*!<  psa algorithm           */
1130 #else
1131     mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
1132     mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
1133 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1134 
1135 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1136     uint8_t in_cid_len;
1137     uint8_t out_cid_len;
1138     unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ];
1139     unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
1140 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1141 
1142 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
1143     /* We need the Hello random bytes in order to re-derive keys from the
1144      * Master Secret and other session info,
1145      * see ssl_tls12_populate_transform() */
1146     unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1147                             MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1148                             /*!< ServerHello.random+ClientHello.random */
1149 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
1150 };
1151 
1152 /*
1153  * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1154  * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1155  */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)1156 static inline int mbedtls_ssl_transform_uses_aead(
1157         const mbedtls_ssl_transform *transform )
1158 {
1159 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1160     return( transform->maclen == 0 && transform->taglen != 0 );
1161 #else
1162     (void) transform;
1163     return( 1 );
1164 #endif
1165 }
1166 
1167 /*
1168  * Internal representation of record frames
1169  *
1170  * Instances come in two flavors:
1171  * (1) Encrypted
1172  *     These always have data_offset = 0
1173  * (2) Unencrypted
1174  *     These have data_offset set to the amount of
1175  *     pre-expansion during record protection. Concretely,
1176  *     this is the length of the fixed part of the explicit IV
1177  *     used for encryption, or 0 if no explicit IV is used
1178  *     (e.g. for stream ciphers).
1179  *
1180  * The reason for the data_offset in the unencrypted case
1181  * is to allow for in-place conversion of an unencrypted to
1182  * an encrypted record. If the offset wasn't included, the
1183  * encrypted content would need to be shifted afterwards to
1184  * make space for the fixed IV.
1185  *
1186  */
1187 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
1188 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
1189 #else
1190 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
1191 #endif
1192 
1193 typedef struct
1194 {
1195     uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN];  /* In TLS:  The implicit record sequence number.
1196                                                     * In DTLS: The 2-byte epoch followed by
1197                                                     *          the 6-byte sequence number.
1198                                                     * This is stored as a raw big endian byte array
1199                                                     * as opposed to a uint64_t because we rarely
1200                                                     * need to perform arithmetic on this, but do
1201                                                     * need it as a Byte array for the purpose of
1202                                                     * MAC computations.                             */
1203     uint8_t type;           /* The record content type.                      */
1204     uint8_t ver[2];         /* SSL/TLS version as present on the wire.
1205                              * Convert to internal presentation of versions
1206                              * using mbedtls_ssl_read_version() and
1207                              * mbedtls_ssl_write_version().
1208                              * Keep wire-format for MAC computations.        */
1209 
1210     unsigned char *buf;     /* Memory buffer enclosing the record content    */
1211     size_t buf_len;         /* Buffer length                                 */
1212     size_t data_offset;     /* Offset of record content                      */
1213     size_t data_len;        /* Length of record content                      */
1214 
1215 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1216     uint8_t cid_len;        /* Length of the CID (0 if not present)          */
1217     unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID                 */
1218 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1219 } mbedtls_record;
1220 
1221 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1222 /*
1223  * List of certificate + private key pairs
1224  */
1225 struct mbedtls_ssl_key_cert
1226 {
1227     mbedtls_x509_crt *cert;                 /*!< cert                       */
1228     mbedtls_pk_context *key;                /*!< private key                */
1229     mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
1230 };
1231 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1232 
1233 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1234 /*
1235  * List of handshake messages kept around for resending
1236  */
1237 struct mbedtls_ssl_flight_item
1238 {
1239     unsigned char *p;       /*!< message, including handshake headers   */
1240     size_t len;             /*!< length of p                            */
1241     unsigned char type;     /*!< type of the message: handshake or CCS  */
1242     mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
1243 };
1244 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1245 
1246 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1247 /**
1248  * \brief Given an SSL context and its associated configuration, write the TLS
1249  *        1.2 specific extensions of the ClientHello message.
1250  *
1251  * \param[in]   ssl     SSL context
1252  * \param[in]   buf     Base address of the buffer where to write the extensions
1253  * \param[in]   end     End address of the buffer where to write the extensions
1254  * \param       uses_ec Whether one proposed ciphersuite uses an elliptic curve
1255  *                      (<> 0) or not ( 0 ).
1256  * \param[out]  out_len Length of the data written into the buffer \p buf
1257  */
1258 MBEDTLS_CHECK_RETURN_CRITICAL
1259 int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
1260                                                unsigned char *buf,
1261                                                const unsigned char *end,
1262                                                int uses_ec,
1263                                                size_t *out_len );
1264 #endif
1265 
1266 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1267     defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1268 
1269 /**
1270  * \brief Find the preferred hash for a given signature algorithm.
1271  *
1272  * \param[in]   ssl     SSL context
1273  * \param[in]   sig_alg A signature algorithm identifier as defined in the
1274  *                      TLS 1.2 SignatureAlgorithm enumeration.
1275  *
1276  * \return  The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1277  *          identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1278  */
1279 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1280                 mbedtls_ssl_context *ssl,
1281                 unsigned int sig_alg );
1282 
1283 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1284           MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1285 
1286 /**
1287  * \brief           Free referenced items in an SSL transform context and clear
1288  *                  memory
1289  *
1290  * \param transform SSL transform context
1291  */
1292 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
1293 
1294 /**
1295  * \brief           Free referenced items in an SSL handshake context and clear
1296  *                  memory
1297  *
1298  * \param ssl       SSL context
1299  */
1300 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
1301 
1302 /* set inbound transform of ssl context */
1303 void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
1304                                         mbedtls_ssl_transform *transform );
1305 
1306 /* set outbound transform of ssl context */
1307 void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
1308                                          mbedtls_ssl_transform *transform );
1309 
1310 MBEDTLS_CHECK_RETURN_CRITICAL
1311 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
1312 MBEDTLS_CHECK_RETURN_CRITICAL
1313 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
1314 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1315 static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
1316                                                     mbedtls_ssl_states state )
1317 {
1318     ssl->state = ( int ) state;
1319 }
1320 
1321 MBEDTLS_CHECK_RETURN_CRITICAL
1322 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
1323 
1324 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
1325 
1326 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1327 MBEDTLS_CHECK_RETURN_CRITICAL
1328 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
1329 #endif /* MBEDTLS_SSL_PROTO_TLS1_2  */
1330 
1331 MBEDTLS_CHECK_RETURN_CRITICAL
1332 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
1333 MBEDTLS_CHECK_RETURN_CRITICAL
1334 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
1335 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
1336 
1337 /**
1338  * \brief       Update record layer
1339  *
1340  *              This function roughly separates the implementation
1341  *              of the logic of (D)TLS from the implementation
1342  *              of the secure transport.
1343  *
1344  * \param  ssl              The SSL context to use.
1345  * \param  update_hs_digest This indicates if the handshake digest
1346  *                          should be automatically updated in case
1347  *                          a handshake message is found.
1348  *
1349  * \return      0 or non-zero error code.
1350  *
1351  * \note        A clarification on what is called 'record layer' here
1352  *              is in order, as many sensible definitions are possible:
1353  *
1354  *              The record layer takes as input an untrusted underlying
1355  *              transport (stream or datagram) and transforms it into
1356  *              a serially multiplexed, secure transport, which
1357  *              conceptually provides the following:
1358  *
1359  *              (1) Three datagram based, content-agnostic transports
1360  *                  for handshake, alert and CCS messages.
1361  *              (2) One stream- or datagram-based transport
1362  *                  for application data.
1363  *              (3) Functionality for changing the underlying transform
1364  *                  securing the contents.
1365  *
1366  *              The interface to this functionality is given as follows:
1367  *
1368  *              a Updating
1369  *                [Currently implemented by mbedtls_ssl_read_record]
1370  *
1371  *                Check if and on which of the four 'ports' data is pending:
1372  *                Nothing, a controlling datagram of type (1), or application
1373  *                data (2). In any case data is present, internal buffers
1374  *                provide access to the data for the user to process it.
1375  *                Consumption of type (1) datagrams is done automatically
1376  *                on the next update, invalidating that the internal buffers
1377  *                for previous datagrams, while consumption of application
1378  *                data (2) is user-controlled.
1379  *
1380  *              b Reading of application data
1381  *                [Currently manual adaption of ssl->in_offt pointer]
1382  *
1383  *                As mentioned in the last paragraph, consumption of data
1384  *                is different from the automatic consumption of control
1385  *                datagrams (1) because application data is treated as a stream.
1386  *
1387  *              c Tracking availability of application data
1388  *                [Currently manually through decreasing ssl->in_msglen]
1389  *
1390  *                For efficiency and to retain datagram semantics for
1391  *                application data in case of DTLS, the record layer
1392  *                provides functionality for checking how much application
1393  *                data is still available in the internal buffer.
1394  *
1395  *              d Changing the transformation securing the communication.
1396  *
1397  *              Given an opaque implementation of the record layer in the
1398  *              above sense, it should be possible to implement the logic
1399  *              of (D)TLS on top of it without the need to know anything
1400  *              about the record layer's internals. This is done e.g.
1401  *              in all the handshake handling functions, and in the
1402  *              application data reading function mbedtls_ssl_read.
1403  *
1404  * \note        The above tries to give a conceptual picture of the
1405  *              record layer, but the current implementation deviates
1406  *              from it in some places. For example, our implementation of
1407  *              the update functionality through mbedtls_ssl_read_record
1408  *              discards datagrams depending on the current state, which
1409  *              wouldn't fall under the record layer's responsibility
1410  *              following the above definition.
1411  *
1412  */
1413 MBEDTLS_CHECK_RETURN_CRITICAL
1414 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1415                              unsigned update_hs_digest );
1416 MBEDTLS_CHECK_RETURN_CRITICAL
1417 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1418 
1419 /*
1420  * Write handshake message header
1421  */
1422 MBEDTLS_CHECK_RETURN_CRITICAL
1423 int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
1424                                      unsigned char **buf, size_t *buf_len );
1425 
1426 MBEDTLS_CHECK_RETURN_CRITICAL
1427 int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
1428                                          int update_checksum,
1429                                          int force_flush );
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1430 static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
1431 {
1432     return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */, 1 /* force flush */ ) );
1433 }
1434 
1435 /*
1436  * Write handshake message tail
1437  */
1438 MBEDTLS_CHECK_RETURN_CRITICAL
1439 int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
1440                                       size_t buf_len, size_t msg_len );
1441 
1442 MBEDTLS_CHECK_RETURN_CRITICAL
1443 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
1444 MBEDTLS_CHECK_RETURN_CRITICAL
1445 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1446 
1447 MBEDTLS_CHECK_RETURN_CRITICAL
1448 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
1449 MBEDTLS_CHECK_RETURN_CRITICAL
1450 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1451 
1452 MBEDTLS_CHECK_RETURN_CRITICAL
1453 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
1454 MBEDTLS_CHECK_RETURN_CRITICAL
1455 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1456 
1457 MBEDTLS_CHECK_RETURN_CRITICAL
1458 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
1459 MBEDTLS_CHECK_RETURN_CRITICAL
1460 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1461 
1462 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1463                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1464 
1465 /*
1466  * Update checksum of handshake messages.
1467  */
1468 void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
1469                                          unsigned hs_type,
1470                                          unsigned char const *msg,
1471                                          size_t msg_len );
1472 
1473 void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
1474                                          unsigned hs_type,
1475                                          size_t total_hs_len );
1476 
1477 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1478 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
1479 MBEDTLS_CHECK_RETURN_CRITICAL
1480 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
1481                                       mbedtls_key_exchange_type_t key_ex );
1482 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
1483 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1484 
1485 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1486 #if defined(MBEDTLS_SSL_CLI_C)
1487 MBEDTLS_CHECK_RETURN_CRITICAL
1488 int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
1489 #endif
1490 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1491 /**
1492  * Get the first defined opaque PSK by order of precedence:
1493  * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1494  *    callback
1495  * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1496  * Return an opaque PSK
1497  */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1498 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1499     const mbedtls_ssl_context *ssl )
1500 {
1501     if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
1502         return( ssl->handshake->psk_opaque );
1503 
1504     if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
1505         return( ssl->conf->psk_opaque );
1506 
1507     return( MBEDTLS_SVC_KEY_ID_INIT );
1508 }
1509 #else
1510 /**
1511  * Get the first defined PSK by order of precedence:
1512  * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1513  * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1514  * Return a code and update the pair (PSK, PSK length) passed to this function
1515  */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1516 static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1517     const unsigned char **psk, size_t *psk_len )
1518 {
1519     if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
1520     {
1521         *psk = ssl->handshake->psk;
1522         *psk_len = ssl->handshake->psk_len;
1523     }
1524 
1525     else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
1526     {
1527         *psk = ssl->conf->psk;
1528         *psk_len = ssl->conf->psk_len;
1529     }
1530 
1531     else
1532     {
1533         *psk = NULL;
1534         *psk_len = 0;
1535         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1536     }
1537 
1538     return( 0 );
1539 }
1540 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1541 
1542 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1543 
1544 #if defined(MBEDTLS_PK_C)
1545 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
1546 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
1547 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1548 #endif
1549 
1550 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
1551 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
1552 
1553 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1554 MBEDTLS_CHECK_RETURN_CRITICAL
1555 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
1556 #endif
1557 
1558 MBEDTLS_CHECK_RETURN_CRITICAL
1559 int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
1560 #if defined(MBEDTLS_ECP_C)
1561 MBEDTLS_CHECK_RETURN_CRITICAL
1562 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
1563 #endif
1564 
1565 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1566 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1567                                                     ( const uint16_t srtp_profile_value )
1568 {
1569     switch( srtp_profile_value )
1570     {
1571         case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1572         case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1573         case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1574         case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1575             return srtp_profile_value;
1576         default: break;
1577     }
1578     return( MBEDTLS_TLS_SRTP_UNSET );
1579 }
1580 #endif
1581 
1582 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1583 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1584 {
1585     mbedtls_ssl_key_cert *key_cert;
1586 
1587     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1588         key_cert = ssl->handshake->key_cert;
1589     else
1590         key_cert = ssl->conf->key_cert;
1591 
1592     return( key_cert == NULL ? NULL : key_cert->key );
1593 }
1594 
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1595 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1596 {
1597     mbedtls_ssl_key_cert *key_cert;
1598 
1599     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1600         key_cert = ssl->handshake->key_cert;
1601     else
1602         key_cert = ssl->conf->key_cert;
1603 
1604     return( key_cert == NULL ? NULL : key_cert->cert );
1605 }
1606 
1607 /*
1608  * Check usage of a certificate wrt extensions:
1609  * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1610  *
1611  * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1612  * check a cert we received from them)!
1613  *
1614  * Return 0 if everything is OK, -1 if not.
1615  */
1616 MBEDTLS_CHECK_RETURN_CRITICAL
1617 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1618                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
1619                           int cert_endpoint,
1620                           uint32_t *flags );
1621 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1622 
1623 void mbedtls_ssl_write_version( unsigned char version[2], int transport,
1624                                 mbedtls_ssl_protocol_version tls_version );
1625 uint16_t mbedtls_ssl_read_version( const unsigned char version[2],
1626                                    int transport );
1627 
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1628 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
1629 {
1630 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1631     ((void) ssl);
1632 #endif
1633 
1634 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1635     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1636     {
1637         return( 13 );
1638     }
1639     else
1640 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1641     {
1642         return( 5 );
1643     }
1644 }
1645 
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1646 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1647 {
1648     return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
1649 }
1650 
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1651 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1652 {
1653 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1654     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1655         return( 12 );
1656 #else
1657     ((void) ssl);
1658 #endif
1659     return( 4 );
1660 }
1661 
1662 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1663 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1664 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1665 MBEDTLS_CHECK_RETURN_CRITICAL
1666 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
1667 MBEDTLS_CHECK_RETURN_CRITICAL
1668 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
1669 #endif
1670 
1671 /* Visible for testing purposes only */
1672 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1673 MBEDTLS_CHECK_RETURN_CRITICAL
1674 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
1675 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1676 #endif
1677 
1678 MBEDTLS_CHECK_RETURN_CRITICAL
1679 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1680                               const mbedtls_ssl_session *src );
1681 
1682 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1683 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1684 MBEDTLS_CHECK_RETURN_CRITICAL
1685 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
1686                                             unsigned char *hash, size_t *hashlen,
1687                                             unsigned char *data, size_t data_len,
1688                                             mbedtls_md_type_t md_alg );
1689 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1690 
1691 #ifdef __cplusplus
1692 }
1693 #endif
1694 
1695 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1696 MBEDTLS_CHECK_RETURN_CRITICAL
1697 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1698                              mbedtls_ssl_transform *transform,
1699                              mbedtls_record *rec,
1700                              int (*f_rng)(void *, unsigned char *, size_t),
1701                              void *p_rng );
1702 MBEDTLS_CHECK_RETURN_CRITICAL
1703 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1704                              mbedtls_ssl_transform *transform,
1705                              mbedtls_record *rec );
1706 
1707 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1708 static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1709 {
1710 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1711     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1712         return( 2 );
1713 #else
1714     ((void) ssl);
1715 #endif
1716     return( 0 );
1717 }
1718 
1719 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1720 MBEDTLS_CHECK_RETURN_CRITICAL
1721 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
1722 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1723 
1724 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
1725 MBEDTLS_CHECK_RETURN_CRITICAL
1726 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1727 
1728 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1729 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1730                               mbedtls_ssl_transform *transform );
1731 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1732 
1733 MBEDTLS_CHECK_RETURN_CRITICAL
1734 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
1735 void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
1736                                           int partial );
1737 
1738 /*
1739  * Send pending alert
1740  */
1741 MBEDTLS_CHECK_RETURN_CRITICAL
1742 int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
1743 
1744 /*
1745  * Set pending fatal alert flag.
1746  */
1747 void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
1748                                    unsigned char alert_type,
1749                                    int alert_reason );
1750 
1751 /* Alias of mbedtls_ssl_pend_fatal_alert */
1752 #define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value )         \
1753             mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value )
1754 
1755 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1756 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1757 #endif
1758 
1759 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1760 
1761 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1762 MBEDTLS_CHECK_RETURN_CRITICAL
1763 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
1764 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1765 
1766 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1767 size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
1768 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1769 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1770 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1771 
1772 /**
1773  * ssl utils functions for checking configuration.
1774  */
1775 
1776 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1777 static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
1778 {
1779     return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1780             conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
1781 }
1782 
1783 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1784 
1785 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1786 static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
1787 {
1788     return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1789             conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 );
1790 }
1791 
1792 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1793 
mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config * conf)1794 static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *conf )
1795 {
1796 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1797     return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1798             conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3 );
1799 #else
1800     ((void) conf);
1801     return( 0 );
1802 #endif
1803 }
1804 
mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config * conf)1805 static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *conf )
1806 {
1807 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1808     return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1809             conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2 );
1810 #else
1811     ((void) conf);
1812     return( 0 );
1813 #endif
1814 }
1815 
1816 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1817 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
1818 {
1819     return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1820             conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
1821 }
1822 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
1823 
1824 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1825 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1826                         MBEDTLS_SERVER_HELLO_RANDOM_LEN ];
1827 MBEDTLS_CHECK_RETURN_CRITICAL
1828 int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
1829 MBEDTLS_CHECK_RETURN_CRITICAL
1830 int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
1831 void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
1832 
1833 /**
1834  * \brief Given an SSL context and its associated configuration, write the TLS
1835  *        1.3 specific extensions of the ClientHello message.
1836  *
1837  * \param[in]   ssl     SSL context
1838  * \param[in]   buf     Base address of the buffer where to write the extensions
1839  * \param[in]   end     End address of the buffer where to write the extensions
1840  * \param[out]  out_len Length of the data written into the buffer \p buf
1841  */
1842 MBEDTLS_CHECK_RETURN_CRITICAL
1843 int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1844                                                unsigned char *buf,
1845                                                unsigned char *end,
1846                                                size_t *out_len );
1847 
1848 /**
1849  * \brief           TLS 1.3 client side state machine entry
1850  *
1851  * \param ssl       SSL context
1852  */
1853 MBEDTLS_CHECK_RETURN_CRITICAL
1854 int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
1855 
1856 /**
1857  * \brief           TLS 1.3 server side state machine entry
1858  *
1859  * \param ssl       SSL context
1860  */
1861 MBEDTLS_CHECK_RETURN_CRITICAL
1862 int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
1863 
1864 
1865 /*
1866  * Helper functions around key exchange modes.
1867  */
mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_mode_mask)1868 static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1869                                                                int kex_mode_mask )
1870 {
1871     return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
1872 }
1873 
mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context * ssl)1874 static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
1875 {
1876     return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1877                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
1878 }
1879 
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1880 static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
1881 {
1882     return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1883                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1884 }
1885 
mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1886 static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
1887 {
1888     return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1889                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1890 }
1891 
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1892 static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1893 {
1894     return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1895                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1896 }
1897 
mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1898 static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1899 {
1900     return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1901                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1902 }
1903 
1904 #if defined(MBEDTLS_SSL_SRV_C) && \
1905     defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1906 /**
1907  * Given a list of key exchange modes, check if at least one of them is
1908  * supported.
1909  *
1910  * \param[in] ssl  SSL context
1911  * \param kex_modes_mask  Mask of the key exchange modes to check
1912  *
1913  * \return 0 if at least one of the key exchange modes is supported,
1914  *         !=0 otherwise.
1915  */
mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_modes_mask)1916 static inline unsigned mbedtls_ssl_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1917                                                           int kex_modes_mask )
1918 {
1919     return( ( ssl->handshake->tls13_kex_modes & kex_modes_mask ) == 0 );
1920 }
1921 
mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context * ssl)1922 static inline int mbedtls_ssl_tls13_psk_enabled( mbedtls_ssl_context *ssl )
1923 {
1924     return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1925                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
1926 }
1927 
mbedtls_ssl_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1928 static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
1929                                                     mbedtls_ssl_context *ssl )
1930 {
1931     return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1932                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1933 }
1934 
mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1935 static inline int mbedtls_ssl_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
1936 {
1937     return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1938                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1939 }
1940 
mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1941 static inline int mbedtls_ssl_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1942 {
1943     return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1944                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1945 }
1946 
mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1947 static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1948 {
1949     return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1950                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1951 }
1952 #endif /* MBEDTLS_SSL_SRV_C &&
1953           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1954 
1955 /*
1956  * Helper functions for extensions checking.
1957  */
1958 
1959 MBEDTLS_CHECK_RETURN_CRITICAL
1960 int mbedtls_ssl_tls13_check_received_extension(
1961         mbedtls_ssl_context *ssl,
1962         int hs_msg_type,
1963         unsigned int received_extension_type,
1964         uint32_t hs_msg_allowed_extensions_mask );
1965 
mbedtls_ssl_tls13_set_hs_sent_ext_mask(mbedtls_ssl_context * ssl,unsigned int extension_type)1966 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1967                        mbedtls_ssl_context *ssl, unsigned int extension_type )
1968 {
1969     ssl->handshake->sent_extensions |=
1970         mbedtls_ssl_get_extension_mask( extension_type );
1971 }
1972 
1973 /*
1974  * Helper functions to check the selected key exchange mode.
1975  */
mbedtls_ssl_tls13_key_exchange_mode_check(mbedtls_ssl_context * ssl,int kex_mask)1976 static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
1977     mbedtls_ssl_context *ssl, int kex_mask )
1978 {
1979     return( ( ssl->handshake->key_exchange_mode & kex_mask ) != 0 );
1980 }
1981 
mbedtls_ssl_tls13_key_exchange_mode_with_psk(mbedtls_ssl_context * ssl)1982 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
1983     mbedtls_ssl_context *ssl )
1984 {
1985     return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
1986                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1987 }
1988 
mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(mbedtls_ssl_context * ssl)1989 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
1990     mbedtls_ssl_context *ssl )
1991 {
1992     return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
1993                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1994 }
1995 
1996 /*
1997  * Fetch TLS 1.3 handshake message header
1998  */
1999 MBEDTLS_CHECK_RETURN_CRITICAL
2000 int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
2001                                            unsigned hs_type,
2002                                            unsigned char **buf,
2003                                            size_t *buf_len );
2004 
2005 /*
2006  * Handler of TLS 1.3 server certificate message
2007  */
2008 MBEDTLS_CHECK_RETURN_CRITICAL
2009 int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
2010 
2011 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2012 /*
2013  * Handler of TLS 1.3 write Certificate message
2014  */
2015 MBEDTLS_CHECK_RETURN_CRITICAL
2016 int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
2017 
2018 /*
2019  * Handler of TLS 1.3 write Certificate Verify message
2020  */
2021 MBEDTLS_CHECK_RETURN_CRITICAL
2022 int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
2023 
2024 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2025 
2026 /*
2027  * Generic handler of Certificate Verify
2028  */
2029 MBEDTLS_CHECK_RETURN_CRITICAL
2030 int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
2031 
2032 /*
2033  * Write of dummy-CCS's for middlebox compatibility
2034  */
2035 MBEDTLS_CHECK_RETURN_CRITICAL
2036 int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
2037 
2038 MBEDTLS_CHECK_RETURN_CRITICAL
2039 int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
2040 
2041 #if defined(MBEDTLS_ECDH_C)
2042 MBEDTLS_CHECK_RETURN_CRITICAL
2043 int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
2044                 mbedtls_ssl_context *ssl,
2045                 uint16_t named_group,
2046                 unsigned char *buf,
2047                 unsigned char *end,
2048                 size_t *out_len );
2049 #endif /* MBEDTLS_ECDH_C */
2050 
2051 #if defined(MBEDTLS_SSL_EARLY_DATA)
2052 int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
2053                                             unsigned char *buf,
2054                                             const unsigned char *end,
2055                                             size_t *out_len );
2056 #endif /* MBEDTLS_SSL_EARLY_DATA */
2057 
2058 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2059 
2060 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2061 /*
2062  * Parse TLS Signature Algorithm extension
2063  */
2064 MBEDTLS_CHECK_RETURN_CRITICAL
2065 int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
2066                                    const unsigned char *buf,
2067                                    const unsigned char *end );
2068 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2069 
2070 /* Get handshake transcript */
2071 MBEDTLS_CHECK_RETURN_CRITICAL
2072 int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
2073                                           const mbedtls_md_type_t md,
2074                                           unsigned char *dst,
2075                                           size_t dst_len,
2076                                           size_t *olen );
2077 
2078 /*
2079  * Return supported groups.
2080  *
2081  * In future, invocations can be changed to ssl->conf->group_list
2082  * when mbedtls_ssl_conf_curves() is deleted.
2083  *
2084  * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
2085  * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
2086  * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
2087  *
2088  */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)2089 static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl )
2090 {
2091     #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
2092     return( ssl->conf->group_list );
2093     #else
2094     if( ( ssl->handshake != NULL ) && ( ssl->handshake->group_list != NULL ) )
2095         return( ssl->handshake->group_list );
2096     else
2097         return( ssl->conf->group_list );
2098     #endif
2099 }
2100 
2101 /*
2102  * Helper functions for NamedGroup.
2103  */
mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)2104 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe( uint16_t named_group )
2105 {
2106     /*
2107      * RFC 8422 section 5.1.1
2108      */
2109     return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519    ||
2110             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1   ||
2111             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1   ||
2112             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1   ||
2113             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448      ||
2114             /* Below deprecated curves should be removed with notice to users */
2115             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
2116             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
2117             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
2118             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
2119             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
2120             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2121             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2122             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 );
2123 }
2124 
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)2125 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
2126 {
2127     return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519    ||
2128             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2129             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2130             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
2131             named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 );
2132 }
2133 
mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)2134 static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
2135 {
2136     return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
2137             named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
2138 }
2139 
mbedtls_ssl_named_group_is_offered(const mbedtls_ssl_context * ssl,uint16_t named_group)2140 static inline int mbedtls_ssl_named_group_is_offered(
2141                         const mbedtls_ssl_context *ssl, uint16_t named_group )
2142 {
2143     const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
2144 
2145     if( group_list == NULL )
2146         return( 0 );
2147 
2148     for( ; *group_list != 0; group_list++ )
2149     {
2150         if( *group_list == named_group )
2151             return( 1 );
2152     }
2153 
2154     return( 0 );
2155 }
2156 
mbedtls_ssl_named_group_is_supported(uint16_t named_group)2157 static inline int mbedtls_ssl_named_group_is_supported( uint16_t named_group )
2158 {
2159 #if defined(MBEDTLS_ECDH_C)
2160     if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
2161     {
2162         const mbedtls_ecp_curve_info *curve_info =
2163             mbedtls_ecp_curve_info_from_tls_id( named_group );
2164         if( curve_info != NULL )
2165             return( 1 );
2166     }
2167 #else
2168     ((void) named_group);
2169 #endif /* MBEDTLS_ECDH_C */
2170     return( 0 );
2171 }
2172 
2173 /*
2174  * Return supported signature algorithms.
2175  *
2176  * In future, invocations can be changed to ssl->conf->sig_algs when
2177  * mbedtls_ssl_conf_sig_hashes() is deleted.
2178  *
2179  * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
2180  * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
2181  * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
2182  * been more recently invoked.
2183  *
2184  */
mbedtls_ssl_get_sig_algs(const mbedtls_ssl_context * ssl)2185 static inline const void *mbedtls_ssl_get_sig_algs(
2186                                                 const mbedtls_ssl_context *ssl )
2187 {
2188 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2189 
2190 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2191     if( ssl->handshake != NULL &&
2192         ssl->handshake->sig_algs_heap_allocated == 1 &&
2193         ssl->handshake->sig_algs != NULL )
2194     {
2195         return( ssl->handshake->sig_algs );
2196     }
2197 #endif
2198     return( ssl->conf->sig_algs );
2199 
2200 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2201 
2202     ((void) ssl);
2203     return( NULL );
2204 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2205 }
2206 
2207 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context * ssl,uint16_t own_sig_alg)2208 static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl,
2209                                                    uint16_t own_sig_alg )
2210 {
2211     const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
2212     if( sig_alg == NULL )
2213         return( 0 );
2214 
2215     for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
2216     {
2217         if( *sig_alg == own_sig_alg )
2218             return( 1 );
2219     }
2220     return( 0 );
2221 }
2222 
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(const uint16_t sig_alg)2223 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2224                                                     const uint16_t sig_alg )
2225 {
2226     switch( sig_alg )
2227     {
2228 #if defined(MBEDTLS_ECDSA_C)
2229 #if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
2230         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
2231             break;
2232 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2233 #if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
2234         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
2235             break;
2236 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2237 #if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
2238         case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2239             break;
2240 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
2241 #endif /* MBEDTLS_ECDSA_C */
2242 
2243 #if defined(MBEDTLS_PKCS1_V21)
2244 #if defined(PSA_WANT_ALG_SHA_256)
2245         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2246             break;
2247 #endif /* PSA_WANT_ALG_SHA_256  */
2248 #if defined(PSA_WANT_ALG_SHA_384)
2249         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2250             break;
2251 #endif /* PSA_WANT_ALG_SHA_384 */
2252 #if defined(PSA_WANT_ALG_SHA_512)
2253         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2254             break;
2255 #endif /* PSA_WANT_ALG_SHA_512 */
2256 #endif /* MBEDTLS_PKCS1_V21 */
2257         default:
2258             return( 0 );
2259     }
2260     return( 1 );
2261 
2262 }
2263 
mbedtls_ssl_tls13_sig_alg_is_supported(const uint16_t sig_alg)2264 static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
2265                                                     const uint16_t sig_alg )
2266 {
2267     switch( sig_alg )
2268     {
2269 #if defined(MBEDTLS_PKCS1_V15)
2270 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2271         case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2272             break;
2273 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2274 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2275         case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2276             break;
2277 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2278 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2279         case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2280             break;
2281 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2282 #endif /* MBEDTLS_PKCS1_V15 */
2283         default:
2284             return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2285                                                                     sig_alg ) );
2286     }
2287     return( 1 );
2288 }
2289 
2290 MBEDTLS_CHECK_RETURN_CRITICAL
2291 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
2292                                                     mbedtls_pk_context *key );
2293 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2294 
2295 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context * ssl,uint16_t proposed_sig_alg)2296 static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
2297                                                   uint16_t proposed_sig_alg )
2298 {
2299     const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
2300     if( sig_alg == NULL )
2301         return( 0 );
2302 
2303     for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
2304     {
2305         if( *sig_alg == proposed_sig_alg )
2306             return( 1 );
2307     }
2308     return( 0 );
2309 }
2310 
mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(uint16_t sig_alg,mbedtls_pk_type_t * pk_type,mbedtls_md_type_t * md_alg)2311 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2312     uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
2313 {
2314     *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
2315     *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
2316 
2317     if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
2318         return( 0 );
2319 
2320     switch( sig_alg )
2321     {
2322 #if defined(MBEDTLS_PKCS1_V21)
2323 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2324         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2325             *md_alg = MBEDTLS_MD_SHA256;
2326             *pk_type = MBEDTLS_PK_RSASSA_PSS;
2327             break;
2328 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA  */
2329 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2330         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2331             *md_alg = MBEDTLS_MD_SHA384;
2332             *pk_type = MBEDTLS_PK_RSASSA_PSS;
2333             break;
2334 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2335 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2336         case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2337             *md_alg = MBEDTLS_MD_SHA512;
2338             *pk_type = MBEDTLS_PK_RSASSA_PSS;
2339             break;
2340 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2341 #endif /* MBEDTLS_PKCS1_V21 */
2342             default:
2343                 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2344         }
2345         return( 0 );
2346 }
2347 
2348 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_sig_alg_is_supported(const uint16_t sig_alg)2349 static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
2350                                                     const uint16_t sig_alg )
2351 {
2352     /* High byte is hash */
2353     unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
2354     unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
2355 
2356     switch( hash )
2357     {
2358 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2359         case MBEDTLS_SSL_HASH_MD5:
2360             break;
2361 #endif
2362 
2363 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2364         case MBEDTLS_SSL_HASH_SHA1:
2365             break;
2366 #endif
2367 
2368 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2369         case MBEDTLS_SSL_HASH_SHA224:
2370             break;
2371 #endif
2372 
2373 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2374         case MBEDTLS_SSL_HASH_SHA256:
2375             break;
2376 #endif
2377 
2378 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2379         case MBEDTLS_SSL_HASH_SHA384:
2380             break;
2381 #endif
2382 
2383 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2384         case MBEDTLS_SSL_HASH_SHA512:
2385             break;
2386 #endif
2387 
2388         default:
2389             return( 0 );
2390     }
2391 
2392     switch( sig )
2393     {
2394 #if defined(MBEDTLS_RSA_C)
2395         case MBEDTLS_SSL_SIG_RSA:
2396             break;
2397 #endif
2398 
2399 #if defined(MBEDTLS_ECDSA_C)
2400         case MBEDTLS_SSL_SIG_ECDSA:
2401             break;
2402 #endif
2403 
2404     default:
2405         return( 0 );
2406     }
2407 
2408     return( 1 );
2409 }
2410 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2411 
mbedtls_ssl_sig_alg_is_supported(const mbedtls_ssl_context * ssl,const uint16_t sig_alg)2412 static inline int mbedtls_ssl_sig_alg_is_supported(
2413                                                 const mbedtls_ssl_context *ssl,
2414                                                 const uint16_t sig_alg )
2415 {
2416 
2417 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2418     if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
2419     {
2420         return( mbedtls_ssl_tls12_sig_alg_is_supported( sig_alg ) );
2421     }
2422 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2423 
2424 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2425     if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
2426     {
2427        return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
2428     }
2429 #endif
2430     ((void) ssl);
2431     ((void) sig_alg);
2432     return( 0 );
2433 }
2434 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2435 
2436 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2437 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2438  * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
2439  * guaranteed to not be a valid PSA algorithm identifier.
2440  */
2441 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2442 
2443 /**
2444  * \brief       Translate mbedtls cipher type/taglen pair to psa:
2445  *              algorithm, key type and key size.
2446  *
2447  * \param  mbedtls_cipher_type [in] given mbedtls cipher type
2448  * \param  taglen              [in] given tag length
2449  *                                  0 - default tag length
2450  * \param  alg                 [out] corresponding PSA alg
2451  *                                   There is no corresponding PSA
2452  *                                   alg for MBEDTLS_CIPHER_NULL, so
2453  *                                   in this case MBEDTLS_SSL_NULL_CIPHER
2454  *                                   is returned via this parameter
2455  * \param  key_type            [out] corresponding PSA key type
2456  * \param  key_size            [out] corresponding PSA key size
2457  *
2458  * \return                     PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2459  *                             conversion is not supported.
2460  */
2461 psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
2462                                     size_t taglen,
2463                                     psa_algorithm_t *alg,
2464                                     psa_key_type_t *key_type,
2465                                     size_t *key_size );
2466 
2467 /**
2468  * \brief       Convert given PSA status to mbedtls error code.
2469  *
2470  * \param  status      [in] given PSA status
2471  *
2472  * \return             corresponding mbedtls error code
2473  */
psa_ssl_status_to_mbedtls(psa_status_t status)2474 static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
2475 {
2476     switch( status )
2477     {
2478         case PSA_SUCCESS:
2479             return( 0 );
2480         case PSA_ERROR_INSUFFICIENT_MEMORY:
2481             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2482         case PSA_ERROR_NOT_SUPPORTED:
2483             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2484         case PSA_ERROR_INVALID_SIGNATURE:
2485             return( MBEDTLS_ERR_SSL_INVALID_MAC );
2486         case PSA_ERROR_INVALID_ARGUMENT:
2487             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2488         case PSA_ERROR_BAD_STATE:
2489             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2490         case PSA_ERROR_BUFFER_TOO_SMALL:
2491             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2492         default:
2493             return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
2494     }
2495 }
2496 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2497 
2498 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
2499     defined(MBEDTLS_USE_PSA_CRYPTO)
2500 
2501 typedef enum {
2502     MBEDTLS_ECJPAKE_ROUND_ONE,
2503     MBEDTLS_ECJPAKE_ROUND_TWO
2504 } mbedtls_ecjpake_rounds_t;
2505 
2506 /**
2507  * \brief       Parse the provided input buffer for getting the first round
2508  *              of key exchange. This code is common between server and client
2509  *
2510  * \param  pake_ctx [in] the PAKE's operation/context structure
2511  * \param  buf      [in] input buffer to parse
2512  * \param  len      [in] length of the input buffer
2513  * \param  round    [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2514  *                       MBEDTLS_ECJPAKE_ROUND_TWO
2515  *
2516  * \return               0 on success or a negative error code in case of failure
2517  */
2518 int mbedtls_psa_ecjpake_read_round(
2519                                     psa_pake_operation_t *pake_ctx,
2520                                     const unsigned char *buf,
2521                                     size_t len, mbedtls_ecjpake_rounds_t round );
2522 
2523 /**
2524  * \brief       Write the first round of key exchange into the provided output
2525  *              buffer. This code is common between server and client
2526  *
2527  * \param  pake_ctx [in] the PAKE's operation/context structure
2528  * \param  buf      [out] the output buffer in which data will be written to
2529  * \param  len      [in] length of the output buffer
2530  * \param  olen     [out] the length of the data really written on the buffer
2531  * \param  round    [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2532  *                       MBEDTLS_ECJPAKE_ROUND_TWO
2533  *
2534  * \return               0 on success or a negative error code in case of failure
2535  */
2536 int mbedtls_psa_ecjpake_write_round(
2537                                     psa_pake_operation_t *pake_ctx,
2538                                     unsigned char *buf,
2539                                     size_t len, size_t *olen,
2540                                     mbedtls_ecjpake_rounds_t round );
2541 
2542 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
2543 
2544 /**
2545  * \brief       TLS record protection modes
2546  */
2547 typedef enum {
2548     MBEDTLS_SSL_MODE_STREAM = 0,
2549     MBEDTLS_SSL_MODE_CBC,
2550     MBEDTLS_SSL_MODE_CBC_ETM,
2551     MBEDTLS_SSL_MODE_AEAD
2552 } mbedtls_ssl_mode_t;
2553 
2554 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2555         const mbedtls_ssl_transform *transform );
2556 
2557 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2558 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2559         int encrypt_then_mac,
2560         const mbedtls_ssl_ciphersuite_t *suite );
2561 #else
2562 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2563         const mbedtls_ssl_ciphersuite_t *suite );
2564 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2565 
2566 #if defined(MBEDTLS_ECDH_C)
2567 
2568 MBEDTLS_CHECK_RETURN_CRITICAL
2569 int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
2570                                                const unsigned char *buf,
2571                                                size_t buf_len );
2572 
2573 #endif /* MBEDTLS_ECDH_C */
2574 
mbedtls_ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)2575 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2576         mbedtls_ssl_context *ssl, int cipher_suite )
2577 {
2578     const int *ciphersuite_list = ssl->conf->ciphersuite_list;
2579 
2580     /* Check whether we have offered this ciphersuite */
2581     for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
2582     {
2583         if( ciphersuite_list[i] == cipher_suite )
2584         {
2585             return( 1 );
2586         }
2587     }
2588     return( 0 );
2589 }
2590 
2591 /**
2592  * \brief Validate cipher suite against config in SSL context.
2593  *
2594  * \param ssl              SSL context
2595  * \param suite_info       Cipher suite to validate
2596  * \param min_tls_version  Minimal TLS version to accept a cipher suite
2597  * \param max_tls_version  Maximal TLS version to accept a cipher suite
2598  *
2599  * \return 0 if valid, negative value otherwise.
2600  */
2601 MBEDTLS_CHECK_RETURN_CRITICAL
2602 int mbedtls_ssl_validate_ciphersuite(
2603     const mbedtls_ssl_context *ssl,
2604     const mbedtls_ssl_ciphersuite_t *suite_info,
2605     mbedtls_ssl_protocol_version min_tls_version,
2606     mbedtls_ssl_protocol_version max_tls_version );
2607 
2608 MBEDTLS_CHECK_RETURN_CRITICAL
2609 int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
2610                                    const unsigned char *end, size_t *out_len );
2611 
2612 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2613 MBEDTLS_CHECK_RETURN_CRITICAL
2614 int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
2615                                        const unsigned char *buf,
2616                                        const unsigned char *end );
2617 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2618 
2619 #if defined(MBEDTLS_SSL_ALPN)
2620 MBEDTLS_CHECK_RETURN_CRITICAL
2621 int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
2622                                 const unsigned char *buf,
2623                                 const unsigned char *end );
2624 
2625 
2626 MBEDTLS_CHECK_RETURN_CRITICAL
2627 int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2628                                 unsigned char *buf,
2629                                 unsigned char *end,
2630                                 size_t *out_len );
2631 #endif /* MBEDTLS_SSL_ALPN */
2632 
2633 #if defined(MBEDTLS_TEST_HOOKS)
2634 int mbedtls_ssl_check_dtls_clihlo_cookie(
2635                            mbedtls_ssl_context *ssl,
2636                            const unsigned char *cli_id, size_t cli_id_len,
2637                            const unsigned char *in, size_t in_len,
2638                            unsigned char *obuf, size_t buf_len, size_t *olen );
2639 #endif
2640 
2641 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2642 /**
2643  * \brief Given an SSL context and its associated configuration, write the TLS
2644  *        1.3 specific Pre-Shared key extension.
2645  *
2646  * \param[in]   ssl     SSL context
2647  * \param[in]   buf     Base address of the buffer where to write the extension
2648  * \param[in]   end     End address of the buffer where to write the extension
2649  * \param[out]  out_len Length in bytes of the Pre-Shared key extension: data
2650  *                      written into the buffer \p buf by this function plus
2651  *                      the length of the binders to be written.
2652  * \param[out]  binders_len Length of the binders to be written at the end of
2653  *                          the extension.
2654  */
2655 MBEDTLS_CHECK_RETURN_CRITICAL
2656 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
2657     mbedtls_ssl_context *ssl,
2658     unsigned char *buf, unsigned char *end,
2659     size_t *out_len, size_t *binders_len );
2660 
2661 /**
2662  * \brief Given an SSL context and its associated configuration, write the TLS
2663  *        1.3 specific Pre-Shared key extension binders at the end of the
2664  *        ClientHello.
2665  *
2666  * \param[in]   ssl     SSL context
2667  * \param[in]   buf     Base address of the buffer where to write the binders
2668  * \param[in]   end     End address of the buffer where to write the binders
2669  */
2670 MBEDTLS_CHECK_RETURN_CRITICAL
2671 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
2672     mbedtls_ssl_context *ssl,
2673     unsigned char *buf, unsigned char *end );
2674 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2675 
2676 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
2677     defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2678     defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2679     defined(MBEDTLS_SSL_CLI_C)
2680 MBEDTLS_CHECK_RETURN_CRITICAL
2681 int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session,
2682                                       const char *hostname );
2683 #endif
2684 
2685 #endif /* ssl_misc.h */
2686