1 /**
2 * \file ssl_ticket.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 *
6 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23 #ifndef MBEDTLS_SSL_INTERNAL_H
24 #define MBEDTLS_SSL_INTERNAL_H
25
26 #include "ssl.h"
27
28 #if defined(MBEDTLS_MD5_C)
29 #include "md5.h"
30 #endif
31
32 #if defined(MBEDTLS_SHA1_C)
33 #include "sha1.h"
34 #endif
35
36 #if defined(MBEDTLS_SHA256_C)
37 #include "sha256.h"
38 #endif
39
40 #if defined(MBEDTLS_SHA512_C)
41 #include "sha512.h"
42 #endif
43
44 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
45 #include "ecjpake.h"
46 #endif
47
48 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
49 !defined(inline) && !defined(__cplusplus)
50 #define inline __inline
51 #endif
52
53 /* Determine minimum supported version */
54 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
55
56 #if defined(MBEDTLS_SSL_PROTO_SSL3)
57 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
58 #else
59 #if defined(MBEDTLS_SSL_PROTO_TLS1)
60 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
61 #else
62 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
63 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
64 #else
65 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
66 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
67 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
68 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
69 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
70 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
71
72 /* Determine maximum supported version */
73 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
74
75 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
76 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
77 #else
78 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
79 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
80 #else
81 #if defined(MBEDTLS_SSL_PROTO_TLS1)
82 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
83 #else
84 #if defined(MBEDTLS_SSL_PROTO_SSL3)
85 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
86 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
87 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
88 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
89 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
90
91 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
92 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
93 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
94 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
95
96 /*
97 * DTLS retransmission states, see RFC 6347 4.2.4
98 *
99 * The SENDING state is merged in PREPARING for initial sends,
100 * but is distinct for resends.
101 *
102 * Note: initial state is wrong for server, but is not used anyway.
103 */
104 #define MBEDTLS_SSL_RETRANS_PREPARING 0
105 #define MBEDTLS_SSL_RETRANS_SENDING 1
106 #define MBEDTLS_SSL_RETRANS_WAITING 2
107 #define MBEDTLS_SSL_RETRANS_FINISHED 3
108
109 /*
110 * Allow extra bytes for record, authentication and encryption overhead:
111 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
112 * and allow for a maximum of 1024 of compression expansion if
113 * enabled.
114 */
115 #if defined(MBEDTLS_ZLIB_SUPPORT)
116 #define MBEDTLS_SSL_COMPRESSION_ADD 1024
117 #else
118 #define MBEDTLS_SSL_COMPRESSION_ADD 0
119 #endif
120
121 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
122 /* Ciphersuites using HMAC */
123 #if defined(MBEDTLS_SHA512_C)
124 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
125 #elif defined(MBEDTLS_SHA256_C)
126 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
127 #else
128 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
129 #endif
130 #else
131 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
132 #define MBEDTLS_SSL_MAC_ADD 16
133 #endif
134
135 #if defined(MBEDTLS_CIPHER_MODE_CBC)
136 #define MBEDTLS_SSL_PADDING_ADD 256
137 #else
138 #define MBEDTLS_SSL_PADDING_ADD 0
139 #endif
140
141 #define MBEDTLS_SSL_BUFFER_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
142 + MBEDTLS_SSL_COMPRESSION_ADD \
143 + 29 /* counter + header + IV */ \
144 + MBEDTLS_SSL_MAC_ADD \
145 + MBEDTLS_SSL_PADDING_ADD \
146 )
147
148 /*
149 * TLS extension flags (for extensions with outgoing ServerHello content
150 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
151 * of state of the renegotiation flag, so no indicator is required)
152 */
153 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
154 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
155
156 #ifdef __cplusplus
157 extern "C" {
158 #endif
159
160 /*
161 * This structure contains the parameters only needed during handshake.
162 */
163 struct mbedtls_ssl_handshake_params
164 {
165 /*
166 * Handshake specific crypto variables
167 */
168 int sig_alg; /*!< Hash algorithm for signature */
169 int verify_sig_alg; /*!< Signature algorithm for verify */
170 #if defined(MBEDTLS_DHM_C)
171 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
172 #endif
173 #if defined(MBEDTLS_ECDH_C)
174 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
175 #endif
176 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
177 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
178 #if defined(MBEDTLS_SSL_CLI_C)
179 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
180 size_t ecjpake_cache_len; /*!< Length of cached data */
181 #endif
182 #endif
183 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
184 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
185 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
186 #endif
187 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
188 unsigned char *psk; /*!< PSK from the callback */
189 size_t psk_len; /*!< Length of PSK from callback */
190 #endif
191 #if defined(MBEDTLS_X509_CRT_PARSE_C)
192 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
193 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
194 int sni_authmode; /*!< authmode from SNI callback */
195 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
196 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
197 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
198 #endif
199 #endif /* MBEDTLS_X509_CRT_PARSE_C */
200 #if defined(MBEDTLS_SSL_PROTO_DTLS)
201 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
202 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
203
204 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
205 Srv: unused */
206 unsigned char verify_cookie_len; /*!< Cli: cookie length
207 Srv: flag for sending a cookie */
208
209 unsigned char *hs_msg; /*!< Reassembled handshake message */
210
211 uint32_t retransmit_timeout; /*!< Current value of timeout */
212 unsigned char retransmit_state; /*!< Retransmission state */
213 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
214 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
215 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
216 flight being received */
217 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
218 resending messages */
219 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
220 for resending messages */
221 #endif
222
223 /*
224 * Checksum contexts
225 */
226 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
227 defined(MBEDTLS_SSL_PROTO_TLS1_1)
228 mbedtls_md5_context fin_md5;
229 mbedtls_sha1_context fin_sha1;
230 #endif
231 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
232 #if defined(MBEDTLS_SHA256_C)
233 mbedtls_sha256_context fin_sha256;
234 #endif
235 #if defined(MBEDTLS_SHA512_C)
236 mbedtls_sha512_context fin_sha512;
237 #endif
238 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
239
240 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
241 void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
242 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
243 int (*tls_prf)(const unsigned char *, size_t, const char *,
244 const unsigned char *, size_t,
245 unsigned char *, size_t);
246
247 size_t pmslen; /*!< premaster length */
248
249 unsigned char randbytes[64]; /*!< random bytes */
250 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
251 /*!< premaster secret */
252
253 int resume; /*!< session resume indicator*/
254 int max_major_ver; /*!< max. major version client*/
255 int max_minor_ver; /*!< max. minor version client*/
256 int cli_exts; /*!< client extension presence*/
257
258 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
259 int new_session_ticket; /*!< use NewSessionTicket? */
260 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
261 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
262 int extended_ms; /*!< use Extended Master Secret? */
263 #endif
264 };
265
266 /*
267 * This structure contains a full set of runtime transform parameters
268 * either in negotiation or active.
269 */
270 struct mbedtls_ssl_transform
271 {
272 /*
273 * Session specific crypto layer
274 */
275 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
276 /*!< Chosen cipersuite_info */
277 unsigned int keylen; /*!< symmetric key length (bytes) */
278 size_t minlen; /*!< min. ciphertext length */
279 size_t ivlen; /*!< IV length */
280 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
281 size_t maclen; /*!< MAC length */
282
283 unsigned char iv_enc[16]; /*!< IV (encryption) */
284 unsigned char iv_dec[16]; /*!< IV (decryption) */
285
286 #if defined(MBEDTLS_SSL_PROTO_SSL3)
287 /* Needed only for SSL v3.0 secret */
288 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
289 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
290 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
291
292 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
293 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
294
295 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
296 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
297
298 /*
299 * Session specific compression layer
300 */
301 #if defined(MBEDTLS_ZLIB_SUPPORT)
302 z_stream ctx_deflate; /*!< compression context */
303 z_stream ctx_inflate; /*!< decompression context */
304 #endif
305 };
306
307 #if defined(MBEDTLS_X509_CRT_PARSE_C)
308 /*
309 * List of certificate + private key pairs
310 */
311 struct mbedtls_ssl_key_cert
312 {
313 mbedtls_x509_crt *cert; /*!< cert */
314 mbedtls_pk_context *key; /*!< private key */
315 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
316 };
317 #endif /* MBEDTLS_X509_CRT_PARSE_C */
318
319 #if defined(MBEDTLS_SSL_PROTO_DTLS)
320 /*
321 * List of handshake messages kept around for resending
322 */
323 struct mbedtls_ssl_flight_item
324 {
325 unsigned char *p; /*!< message, including handshake headers */
326 size_t len; /*!< length of p */
327 unsigned char type; /*!< type of the message: handshake or CCS */
328 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
329 };
330 #endif /* MBEDTLS_SSL_PROTO_DTLS */
331
332
333 /**
334 * \brief Free referenced items in an SSL transform context and clear
335 * memory
336 *
337 * \param transform SSL transform context
338 */
339 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
340
341 /**
342 * \brief Free referenced items in an SSL handshake context and clear
343 * memory
344 *
345 * \param handshake SSL handshake context
346 */
347 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake );
348
349 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
350 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
351 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
352
353 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
354
355 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
356 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
357
358 int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl );
359 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
360 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
361 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
362
363 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
364 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
365
366 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl );
367 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
368
369 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
370 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
371
372 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
373 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
374
375 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
376 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
377
378 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
379 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
380
381 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
382 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
383 #endif
384
385 #if defined(MBEDTLS_PK_C)
386 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
387 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
388 #endif
389
390 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
391 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
392 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
393
394 #if defined(MBEDTLS_ECP_C)
395 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
396 #endif
397
398 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
399 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
400 mbedtls_md_type_t md );
401 #endif
402
403 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)404 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
405 {
406 mbedtls_ssl_key_cert *key_cert;
407
408 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
409 key_cert = ssl->handshake->key_cert;
410 else
411 key_cert = ssl->conf->key_cert;
412
413 return( key_cert == NULL ? NULL : key_cert->key );
414 }
415
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)416 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
417 {
418 mbedtls_ssl_key_cert *key_cert;
419
420 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
421 key_cert = ssl->handshake->key_cert;
422 else
423 key_cert = ssl->conf->key_cert;
424
425 return( key_cert == NULL ? NULL : key_cert->cert );
426 }
427
428 /*
429 * Check usage of a certificate wrt extensions:
430 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
431 *
432 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
433 * check a cert we received from them)!
434 *
435 * Return 0 if everything is OK, -1 if not.
436 */
437 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
438 const mbedtls_ssl_ciphersuite_t *ciphersuite,
439 int cert_endpoint,
440 uint32_t *flags );
441 #endif /* MBEDTLS_X509_CRT_PARSE_C */
442
443 void mbedtls_ssl_write_version( int major, int minor, int transport,
444 unsigned char ver[2] );
445 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
446 const unsigned char ver[2] );
447
mbedtls_ssl_hdr_len(const mbedtls_ssl_context * ssl)448 static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
449 {
450 #if defined(MBEDTLS_SSL_PROTO_DTLS)
451 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
452 return( 13 );
453 #else
454 ((void) ssl);
455 #endif
456 return( 5 );
457 }
458
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)459 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
460 {
461 #if defined(MBEDTLS_SSL_PROTO_DTLS)
462 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
463 return( 12 );
464 #else
465 ((void) ssl);
466 #endif
467 return( 4 );
468 }
469
470 #if defined(MBEDTLS_SSL_PROTO_DTLS)
471 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
472 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
473 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
474 #endif
475
476 /* Visible for testing purposes only */
477 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
478 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
479 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
480 #endif
481
482 /* constant-time buffer comparison */
mbedtls_ssl_safer_memcmp(const void * a,const void * b,size_t n)483 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
484 {
485 size_t i;
486 const unsigned char *A = (const unsigned char *) a;
487 const unsigned char *B = (const unsigned char *) b;
488 unsigned char diff = 0;
489
490 for( i = 0; i < n; i++ )
491 diff |= A[i] ^ B[i];
492
493 return( diff );
494 }
495
496 #ifdef __cplusplus
497 }
498 #endif
499
500 #endif /* ssl_internal.h */
501
