1 /**
2 * \file ssl_misc.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9 */
10 #ifndef MBEDTLS_SSL_MISC_H
11 #define MBEDTLS_SSL_MISC_H
12
13 #include "mbedtls/build_info.h"
14
15 #include "mbedtls/error.h"
16
17 #include "mbedtls/ssl.h"
18 #include "mbedtls/cipher.h"
19
20 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
21 #include "psa/crypto.h"
22 #include "psa_util_internal.h"
23 #endif
24
25 #if defined(MBEDTLS_MD_CAN_MD5)
26 #include "mbedtls/md5.h"
27 #endif
28
29 #if defined(MBEDTLS_MD_CAN_SHA1)
30 #include "mbedtls/sha1.h"
31 #endif
32
33 #if defined(MBEDTLS_MD_CAN_SHA256)
34 #include "mbedtls/sha256.h"
35 #endif
36
37 #if defined(MBEDTLS_MD_CAN_SHA512)
38 #include "mbedtls/sha512.h"
39 #endif
40
41 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
42 !defined(MBEDTLS_USE_PSA_CRYPTO)
43 #include "mbedtls/ecjpake.h"
44 #endif
45
46 #include "mbedtls/pk.h"
47 #include "pk_internal.h"
48 #include "common.h"
49
50 /* Shorthand for restartable ECC */
51 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
52 defined(MBEDTLS_SSL_CLI_C) && \
53 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
54 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
55 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
56 #endif
57
58 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
59 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
60 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
61 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
62
63 /* Faked handshake message identity for HelloRetryRequest. */
64 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
65
66 /*
67 * Internal identity of handshake extensions
68 */
69 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
70 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
71 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
72 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
73 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
74 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
75 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
76 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
77 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
78 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
79 #define MBEDTLS_SSL_EXT_ID_ALPN 8
80 #define MBEDTLS_SSL_EXT_ID_SCT 9
81 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
82 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
83 #define MBEDTLS_SSL_EXT_ID_PADDING 12
84 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
85 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
86 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
87 #define MBEDTLS_SSL_EXT_ID_COOKIE 16
88 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
89 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
90 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
91 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
92 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
93 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
94 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
95 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
96 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
97 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
98 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
99 #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28
100
101 /* Utility for translating IANA extension type. */
102 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
103 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
104 /* Macros used to define mask constants */
105 #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
106 /* Reset value of extension mask */
107 #define MBEDTLS_SSL_EXT_MASK_NONE 0
108
109 /* In messages containing extension requests, we should ignore unrecognized
110 * extensions. In messages containing extension responses, unrecognized
111 * extensions should result in handshake abortion. Messages containing
112 * extension requests include ClientHello, CertificateRequest and
113 * NewSessionTicket. Messages containing extension responses include
114 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
115 *
116 * RFC 8446 section 4.1.3
117 *
118 * The ServerHello MUST only include extensions which are required to establish
119 * the cryptographic context and negotiate the protocol version.
120 *
121 * RFC 8446 section 4.2
122 *
123 * If an implementation receives an extension which it recognizes and which is
124 * not specified for the message in which it appears, it MUST abort the handshake
125 * with an "illegal_parameter" alert.
126 */
127
128 /* Extensions that are not recognized by TLS 1.3 */
129 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
130 (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \
131 MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \
132 MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \
133 MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \
134 MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \
135 MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
136
137 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */
138 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
139 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
140 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
141 MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
142 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
143 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
144 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
145 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
146 MBEDTLS_SSL_EXT_MASK(ALPN) | \
147 MBEDTLS_SSL_EXT_MASK(SCT) | \
148 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
149 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
150 MBEDTLS_SSL_EXT_MASK(PADDING) | \
151 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
152 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
153 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \
154 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
155 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
156 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \
157 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
158 MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \
159 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
160 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \
161 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
162
163 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
164 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
165 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
166 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
167 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
168 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
169 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
170 MBEDTLS_SSL_EXT_MASK(ALPN) | \
171 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
172 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
173 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
174 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
175
176 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
177 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
178 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
179 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
180 MBEDTLS_SSL_EXT_MASK(SCT) | \
181 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
182 MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \
183 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
184 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
185
186 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
187 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
188 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
189 MBEDTLS_SSL_EXT_MASK(SCT))
190
191 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
192 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
193 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
194 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
195 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
196
197 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
198 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
199 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
200 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
201 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
202
203 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
204 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
205 (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
206 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
207
208 /*
209 * Helper macros for function call with return check.
210 */
211 /*
212 * Exit when return non-zero value
213 */
214 #define MBEDTLS_SSL_PROC_CHK(f) \
215 do { \
216 ret = (f); \
217 if (ret != 0) \
218 { \
219 goto cleanup; \
220 } \
221 } while (0)
222 /*
223 * Exit when return negative value
224 */
225 #define MBEDTLS_SSL_PROC_CHK_NEG(f) \
226 do { \
227 ret = (f); \
228 if (ret < 0) \
229 { \
230 goto cleanup; \
231 } \
232 } while (0)
233
234 /*
235 * DTLS retransmission states, see RFC 6347 4.2.4
236 *
237 * The SENDING state is merged in PREPARING for initial sends,
238 * but is distinct for resends.
239 *
240 * Note: initial state is wrong for server, but is not used anyway.
241 */
242 #define MBEDTLS_SSL_RETRANS_PREPARING 0
243 #define MBEDTLS_SSL_RETRANS_SENDING 1
244 #define MBEDTLS_SSL_RETRANS_WAITING 2
245 #define MBEDTLS_SSL_RETRANS_FINISHED 3
246
247 /*
248 * Allow extra bytes for record, authentication and encryption overhead:
249 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
250 */
251
252 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
253
254 /* This macro determines whether CBC is supported. */
255 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
256 (defined(MBEDTLS_AES_C) || \
257 defined(MBEDTLS_CAMELLIA_C) || \
258 defined(MBEDTLS_ARIA_C) || \
259 defined(MBEDTLS_DES_C))
260 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
261 #endif
262
263 /* This macro determines whether a ciphersuite using a
264 * stream cipher can be used. */
265 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
266 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
267 #endif
268
269 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
270 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
271 defined(MBEDTLS_SSL_PROTO_TLS1_2)
272 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
273 #endif
274
275 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
276 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
277 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
278 #endif
279
280 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
281 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
282 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
283 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
284 #endif
285
286 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
287
288 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
289 /* Ciphersuites using HMAC */
290 #if defined(MBEDTLS_MD_CAN_SHA384)
291 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
292 #elif defined(MBEDTLS_MD_CAN_SHA256)
293 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
294 #else
295 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
296 #endif
297 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
298 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
299 #define MBEDTLS_SSL_MAC_ADD 16
300 #endif
301
302 #if defined(MBEDTLS_CIPHER_MODE_CBC)
303 #define MBEDTLS_SSL_PADDING_ADD 256
304 #else
305 #define MBEDTLS_SSL_PADDING_ADD 0
306 #endif
307
308 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
309 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
310 #else
311 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
312 #endif
313
314 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \
315 MBEDTLS_SSL_MAC_ADD + \
316 MBEDTLS_SSL_PADDING_ADD + \
317 MBEDTLS_SSL_MAX_CID_EXPANSION \
318 )
319
320 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
321 (MBEDTLS_SSL_IN_CONTENT_LEN))
322
323 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
324 (MBEDTLS_SSL_OUT_CONTENT_LEN))
325
326 /* The maximum number of buffered handshake messages. */
327 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
328
329 /* Maximum length we can advertise as our max content length for
330 RFC 6066 max_fragment_length extension negotiation purposes
331 (the lesser of both sizes, if they are unequal.)
332 */
333 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
334 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
335 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
336 : (MBEDTLS_SSL_IN_CONTENT_LEN) \
337 )
338
339 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
340 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
341
342 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
343 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
344
345 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
346 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
347
348 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
349
350 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
351
352 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
353
354 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
355 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
356 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
357 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
358 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
359
360 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
361
362 /*
363 * Check that we obey the standard's message size bounds
364 */
365
366 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
367 #error "Bad configuration - incoming record content too large."
368 #endif
369
370 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
371 #error "Bad configuration - outgoing record content too large."
372 #endif
373
374 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
375 #error "Bad configuration - incoming protected record payload too large."
376 #endif
377
378 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
379 #error "Bad configuration - outgoing protected record payload too large."
380 #endif
381
382 /* Calculate buffer sizes */
383
384 /* Note: Even though the TLS record header is only 5 bytes
385 long, we're internally using 8 bytes to store the
386 implicit sequence number. */
387 #define MBEDTLS_SSL_HEADER_LEN 13
388
389 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
390 #define MBEDTLS_SSL_IN_BUFFER_LEN \
391 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
392 #else
393 #define MBEDTLS_SSL_IN_BUFFER_LEN \
394 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
395 + (MBEDTLS_SSL_CID_IN_LEN_MAX))
396 #endif
397
398 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
399 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
400 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
401 #else
402 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
403 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
404 + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
405 #endif
406
407 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
408 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
409
410 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
411 /**
412 * \brief Return the maximum fragment length (payload, in bytes) for
413 * the output buffer. For the client, this is the configured
414 * value. For the server, it is the minimum of two - the
415 * configured value and the negotiated one.
416 *
417 * \sa mbedtls_ssl_conf_max_frag_len()
418 * \sa mbedtls_ssl_get_max_out_record_payload()
419 *
420 * \param ssl SSL context
421 *
422 * \return Current maximum fragment length for the output buffer.
423 */
424 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
425
426 /**
427 * \brief Return the maximum fragment length (payload, in bytes) for
428 * the input buffer. This is the negotiated maximum fragment
429 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
430 * If it is not defined either, the value is 2^14. This function
431 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
432 *
433 * \sa mbedtls_ssl_conf_max_frag_len()
434 * \sa mbedtls_ssl_get_max_in_record_payload()
435 *
436 * \param ssl SSL context
437 *
438 * \return Current maximum fragment length for the output buffer.
439 */
440 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
441 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
442
443 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)444 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
445 {
446 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
447 return mbedtls_ssl_get_output_max_frag_len(ctx)
448 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
449 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
450 #else
451 return mbedtls_ssl_get_output_max_frag_len(ctx)
452 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
453 #endif
454 }
455
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)456 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
457 {
458 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
459 return mbedtls_ssl_get_input_max_frag_len(ctx)
460 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
461 + MBEDTLS_SSL_CID_IN_LEN_MAX;
462 #else
463 return mbedtls_ssl_get_input_max_frag_len(ctx)
464 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
465 #endif
466 }
467 #endif
468
469 /*
470 * TLS extension flags (for extensions with outgoing ServerHello content
471 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
472 * of state of the renegotiation flag, so no indicator is required)
473 */
474 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
475 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
476
477 /**
478 * \brief This function checks if the remaining size in a buffer is
479 * greater or equal than a needed space.
480 *
481 * \param cur Pointer to the current position in the buffer.
482 * \param end Pointer to one past the end of the buffer.
483 * \param need Needed space in bytes.
484 *
485 * \return Zero if the needed space is available in the buffer, non-zero
486 * otherwise.
487 */
488 #if !defined(MBEDTLS_TEST_HOOKS)
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)489 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
490 const uint8_t *end, size_t need)
491 {
492 return (cur > end) || (need > (size_t) (end - cur));
493 }
494 #else
495 typedef struct {
496 const uint8_t *cur;
497 const uint8_t *end;
498 size_t need;
499 } mbedtls_ssl_chk_buf_ptr_args;
500
501 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
502 const uint8_t *cur, const uint8_t *end, size_t need);
503 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
504
505 MBEDTLS_CHECK_RETURN_CRITICAL
506 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
507
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)508 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
509 const uint8_t *end, size_t need)
510 {
511 if ((cur > end) || (need > (size_t) (end - cur))) {
512 mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
513 return 1;
514 }
515 return 0;
516 }
517 #endif /* MBEDTLS_TEST_HOOKS */
518
519 /**
520 * \brief This macro checks if the remaining size in a buffer is
521 * greater or equal than a needed space. If it is not the case,
522 * it returns an SSL_BUFFER_TOO_SMALL error.
523 *
524 * \param cur Pointer to the current position in the buffer.
525 * \param end Pointer to one past the end of the buffer.
526 * \param need Needed space in bytes.
527 *
528 */
529 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
530 do { \
531 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
532 { \
533 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
534 } \
535 } while (0)
536
537 /**
538 * \brief This macro checks if the remaining length in an input buffer is
539 * greater or equal than a needed length. If it is not the case, it
540 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
541 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
542 *
543 * This is a function-like macro. It is guaranteed to evaluate each
544 * argument exactly once.
545 *
546 * \param cur Pointer to the current position in the buffer.
547 * \param end Pointer to one past the end of the buffer.
548 * \param need Needed length in bytes.
549 *
550 */
551 #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \
552 do { \
553 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
554 { \
555 MBEDTLS_SSL_DEBUG_MSG(1, \
556 ("missing input data in %s", __func__)); \
557 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
558 MBEDTLS_ERR_SSL_DECODE_ERROR); \
559 return MBEDTLS_ERR_SSL_DECODE_ERROR; \
560 } \
561 } while (0)
562
563 #ifdef __cplusplus
564 extern "C" {
565 #endif
566
567 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
568 const char *label,
569 const unsigned char *random, size_t rlen,
570 unsigned char *dstbuf, size_t dlen);
571
572 /* cipher.h exports the maximum IV, key and block length from
573 * all ciphers enabled in the config, regardless of whether those
574 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
575 * in the default configuration and uses 64 Byte keys, but it is
576 * not used for record protection in SSL/TLS.
577 *
578 * In order to prevent unnecessary inflation of key structures,
579 * we introduce SSL-specific variants of the max-{key,block,IV}
580 * macros here which are meant to only take those ciphers into
581 * account which can be negotiated in SSL/TLS.
582 *
583 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
584 * in cipher.h are rough overapproximations of the real maxima, here
585 * we content ourselves with replicating those overapproximations
586 * for the maximum block and IV length, and excluding XTS from the
587 * computation of the maximum key length. */
588 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
589 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
590 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
591
592 /**
593 * \brief The data structure holding the cryptographic material (key and IV)
594 * used for record protection in TLS 1.3.
595 */
596 struct mbedtls_ssl_key_set {
597 /*! The key for client->server records. */
598 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
599 /*! The key for server->client records. */
600 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
601 /*! The IV for client->server records. */
602 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
603 /*! The IV for server->client records. */
604 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
605
606 size_t key_len; /*!< The length of client_write_key and
607 * server_write_key, in Bytes. */
608 size_t iv_len; /*!< The length of client_write_iv and
609 * server_write_iv, in Bytes. */
610 };
611 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
612
613 typedef struct {
614 unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
615 unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
616 unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
617 } mbedtls_ssl_tls13_early_secrets;
618
619 typedef struct {
620 unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
621 unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
622 } mbedtls_ssl_tls13_handshake_secrets;
623
624 /*
625 * This structure contains the parameters only needed during handshake.
626 */
627 struct mbedtls_ssl_handshake_params {
628 /* Frequently-used boolean or byte fields (placed early to take
629 * advantage of smaller code size for indirect access on Arm Thumb) */
630 uint8_t resume; /*!< session resume indicator*/
631 uint8_t cli_exts; /*!< client extension presence*/
632
633 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
634 uint8_t sni_authmode; /*!< authmode from SNI callback */
635 #endif
636
637 #if defined(MBEDTLS_SSL_SRV_C)
638 /* Flag indicating if a CertificateRequest message has been sent
639 * to the client or not. */
640 uint8_t certificate_request_sent;
641 #endif /* MBEDTLS_SSL_SRV_C */
642
643 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
644 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
645 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
646
647 #if defined(MBEDTLS_SSL_CLI_C)
648 /** Minimum TLS version to be negotiated.
649 *
650 * It is set up in the ClientHello writing preparation stage and used
651 * throughout the ClientHello writing. Not relevant anymore as soon as
652 * the protocol version has been negotiated thus as soon as the
653 * ServerHello is received.
654 * For a fresh handshake not linked to any previous handshake, it is
655 * equal to the configured minimum minor version to be negotiated. When
656 * renegotiating or resuming a session, it is equal to the previously
657 * negotiated minor version.
658 *
659 * There is no maximum TLS version field in this handshake context.
660 * From the start of the handshake, we need to define a current protocol
661 * version for the record layer which we define as the maximum TLS
662 * version to be negotiated. The `tls_version` field of the SSL context is
663 * used to store this maximum value until it contains the actual
664 * negotiated value.
665 */
666 mbedtls_ssl_protocol_version min_tls_version;
667 #endif
668
669 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
670 uint8_t extended_ms; /*!< use Extended Master Secret? */
671 #endif
672
673 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
674 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
675 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
676
677 #if defined(MBEDTLS_SSL_PROTO_DTLS)
678 unsigned char retransmit_state; /*!< Retransmission state */
679 #endif
680
681 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
682 unsigned char group_list_heap_allocated;
683 unsigned char sig_algs_heap_allocated;
684 #endif
685
686 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
687 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
688 enum { /* this complements ssl->state with info on intra-state operations */
689 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
690 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
691 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
692 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
693 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
694 } ecrs_state; /*!< current (or last) operation */
695 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
696 size_t ecrs_n; /*!< place for saving a length */
697 #endif
698
699 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
700
701 MBEDTLS_CHECK_RETURN_CRITICAL
702 int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
703 MBEDTLS_CHECK_RETURN_CRITICAL
704 int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
705 MBEDTLS_CHECK_RETURN_CRITICAL
706 int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
707 mbedtls_ssl_tls_prf_cb *tls_prf;
708
709 /*
710 * Handshake specific crypto variables
711 */
712 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
713 uint8_t key_exchange_mode; /*!< Selected key exchange mode */
714
715 /** Number of HelloRetryRequest messages received/sent from/to the server. */
716 int hello_retry_request_count;
717
718 #if defined(MBEDTLS_SSL_SRV_C)
719 /** selected_group of key_share extension in HelloRetryRequest message. */
720 uint16_t hrr_selected_group;
721 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
722 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
723 #endif
724 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
725 uint16_t new_session_tickets_count; /*!< number of session tickets */
726 #endif
727 #endif /* MBEDTLS_SSL_SRV_C */
728
729 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
730
731 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
732 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
733 #endif
734
735 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
736 const uint16_t *group_list;
737 const uint16_t *sig_algs;
738 #endif
739
740 #if defined(MBEDTLS_DHM_C)
741 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
742 #endif
743
744 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
745 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
746 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
747 #endif /* !MBEDTLS_USE_PSA_CRYPTO &&
748 MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
749
750 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
751 psa_key_type_t xxdh_psa_type;
752 size_t xxdh_psa_bits;
753 mbedtls_svc_key_id_t xxdh_psa_privkey;
754 uint8_t xxdh_psa_privkey_is_external;
755 unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
756 size_t xxdh_psa_peerkey_len;
757 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
758
759 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
760 #if defined(MBEDTLS_USE_PSA_CRYPTO)
761 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
762 mbedtls_svc_key_id_t psa_pake_password;
763 uint8_t psa_pake_ctx_is_ok;
764 #else
765 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
766 #endif /* MBEDTLS_USE_PSA_CRYPTO */
767 #if defined(MBEDTLS_SSL_CLI_C)
768 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
769 size_t ecjpake_cache_len; /*!< Length of cached data */
770 #endif
771 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
772
773 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
774 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
775 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
776 uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
777 #endif
778
779 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
780 #if defined(MBEDTLS_USE_PSA_CRYPTO)
781 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
782 uint8_t psk_opaque_is_internal;
783 #else
784 unsigned char *psk; /*!< PSK from the callback */
785 size_t psk_len; /*!< Length of PSK from callback */
786 #endif /* MBEDTLS_USE_PSA_CRYPTO */
787 uint16_t selected_identity;
788 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
789
790 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
791 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
792 #endif
793
794 #if defined(MBEDTLS_X509_CRT_PARSE_C)
795 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
796 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
797 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
798 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
799 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
800 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
801 #endif /* MBEDTLS_X509_CRT_PARSE_C */
802
803 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
804 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
805 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
806 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
807
808 struct {
809 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
810 * buffers used for message buffering. */
811
812 uint8_t seen_ccs; /*!< Indicates if a CCS message has
813 * been seen in the current flight. */
814
815 struct mbedtls_ssl_hs_buffer {
816 unsigned is_valid : 1;
817 unsigned is_fragmented : 1;
818 unsigned is_complete : 1;
819 unsigned char *data;
820 size_t data_len;
821 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
822
823 struct {
824 unsigned char *data;
825 size_t len;
826 unsigned epoch;
827 } future_record;
828
829 } buffering;
830
831 #if defined(MBEDTLS_SSL_CLI_C) && \
832 (defined(MBEDTLS_SSL_PROTO_DTLS) || \
833 defined(MBEDTLS_SSL_PROTO_TLS1_3))
834 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
835 * HelloRetryRequest cookie for TLS 1.3 */
836 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
837 /* RFC 6347 page 15
838 ...
839 opaque cookie<0..2^8-1>;
840 ...
841 */
842 uint8_t cookie_len;
843 #else
844 /* RFC 8446 page 39
845 ...
846 opaque cookie<0..2^16-1>;
847 ...
848 If TLS1_3 is enabled, the max length is 2^16 - 1
849 */
850 uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
851 * TLS1_3: HelloRetryRequest cookie length */
852 #endif
853 #endif /* MBEDTLS_SSL_CLI_C &&
854 ( MBEDTLS_SSL_PROTO_DTLS ||
855 MBEDTLS_SSL_PROTO_TLS1_3 ) */
856 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
857 unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
858 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
859
860 #if defined(MBEDTLS_SSL_PROTO_DTLS)
861 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
862 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
863
864 uint32_t retransmit_timeout; /*!< Current value of timeout */
865 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
866 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
867 unsigned char *cur_msg_p; /*!< Position in current message */
868 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
869 flight being received */
870 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
871 resending messages */
872 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
873 for resending messages */
874
875 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
876 /* The state of CID configuration in this handshake. */
877
878 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
879 * has been negotiated. Possible values are
880 * #MBEDTLS_SSL_CID_ENABLED and
881 * #MBEDTLS_SSL_CID_DISABLED. */
882 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
883 uint8_t peer_cid_len; /*!< The length of
884 * \c peer_cid. */
885 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
886
887 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
888 #endif /* MBEDTLS_SSL_PROTO_DTLS */
889
890 /*
891 * Checksum contexts
892 */
893 #if defined(MBEDTLS_MD_CAN_SHA256)
894 #if defined(MBEDTLS_USE_PSA_CRYPTO)
895 psa_hash_operation_t fin_sha256_psa;
896 #else
897 mbedtls_md_context_t fin_sha256;
898 #endif
899 #endif
900 #if defined(MBEDTLS_MD_CAN_SHA384)
901 #if defined(MBEDTLS_USE_PSA_CRYPTO)
902 psa_hash_operation_t fin_sha384_psa;
903 #else
904 mbedtls_md_context_t fin_sha384;
905 #endif
906 #endif
907
908 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
909 uint16_t offered_group_id; /* The NamedGroup value for the group
910 * that is being used for ephemeral
911 * key exchange.
912 *
913 * On the client: Defaults to the first
914 * entry in the client's group list,
915 * but can be overwritten by the HRR. */
916 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
917
918 #if defined(MBEDTLS_SSL_CLI_C)
919 uint8_t client_auth; /*!< used to check if CertificateRequest has been
920 received from server side. If CertificateRequest
921 has been received, Certificate and CertificateVerify
922 should be sent to server */
923 #endif /* MBEDTLS_SSL_CLI_C */
924 /*
925 * State-local variables used during the processing
926 * of a specific handshake state.
927 */
928 union {
929 /* Outgoing Finished message */
930 struct {
931 uint8_t preparation_done;
932
933 /* Buffer holding digest of the handshake up to
934 * but excluding the outgoing finished message. */
935 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
936 size_t digest_len;
937 } finished_out;
938
939 /* Incoming Finished message */
940 struct {
941 uint8_t preparation_done;
942
943 /* Buffer holding digest of the handshake up to but
944 * excluding the peer's incoming finished message. */
945 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
946 size_t digest_len;
947 } finished_in;
948
949 } state_local;
950
951 /* End of state-local variables. */
952
953 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
954 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
955 /*!< random bytes */
956 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
957 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
958 /*!< premaster secret */
959 size_t pmslen; /*!< premaster length */
960 #endif
961
962 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
963 uint32_t sent_extensions; /*!< extensions sent by endpoint */
964 uint32_t received_extensions; /*!< extensions received by endpoint */
965
966 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
967 unsigned char certificate_request_context_len;
968 unsigned char *certificate_request_context;
969 #endif
970
971 /** TLS 1.3 transform for encrypted handshake messages. */
972 mbedtls_ssl_transform *transform_handshake;
973 union {
974 unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
975 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
976 unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
977 } tls13_master_secrets;
978
979 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
980 #if defined(MBEDTLS_SSL_EARLY_DATA)
981 /** TLS 1.3 transform for early data and handshake messages. */
982 mbedtls_ssl_transform *transform_earlydata;
983 #endif
984 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
985
986 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
987 /** Asynchronous operation context. This field is meant for use by the
988 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
989 * mbedtls_ssl_config::f_async_decrypt_start,
990 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
991 * The library does not use it internally. */
992 void *user_async_ctx;
993 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
994
995 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
996 const unsigned char *sni_name; /*!< raw SNI */
997 size_t sni_name_len; /*!< raw SNI len */
998 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
999 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
1000 #endif
1001 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1002 };
1003
1004 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
1005
1006 /*
1007 * Representation of decryption/encryption transformations on records
1008 *
1009 * There are the following general types of record transformations:
1010 * - Stream transformations (TLS versions == 1.2 only)
1011 * Transformation adding a MAC and applying a stream-cipher
1012 * to the authenticated message.
1013 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
1014 * For TLS 1.2, no IV is generated at key extraction time, but every
1015 * encrypted record is explicitly prefixed by the IV with which it was
1016 * encrypted.
1017 * - AEAD transformations ([D]TLS versions == 1.2 only)
1018 * These come in two fundamentally different versions, the first one
1019 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
1020 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
1021 * In the first transformation, the IV to be used for a record is obtained
1022 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
1023 * record sequence number, and explicitly prepending this sequence number
1024 * to the encrypted record. In contrast, in the second transformation
1025 * the IV is obtained by XOR'ing a static IV obtained at key extraction
1026 * time with the 8-byte record sequence number, without prepending the
1027 * latter to the encrypted record.
1028 *
1029 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
1030 * which allows to add flexible length padding and to hide a record's true
1031 * content type.
1032 *
1033 * In addition to type and version, the following parameters are relevant:
1034 * - The symmetric cipher algorithm to be used.
1035 * - The (static) encryption/decryption keys for the cipher.
1036 * - For stream/CBC, the type of message digest to be used.
1037 * - For stream/CBC, (static) encryption/decryption keys for the digest.
1038 * - For AEAD transformations, the size (potentially 0) of an explicit,
1039 * random initialization vector placed in encrypted records.
1040 * - For some transformations (currently AEAD) an implicit IV. It is static
1041 * and (if present) is combined with the explicit IV in a transformation-
1042 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
1043 * - For stream/CBC, a flag determining the order of encryption and MAC.
1044 * - The details of the transformation depend on the SSL/TLS version.
1045 * - The length of the authentication tag.
1046 *
1047 * The struct below refines this abstract view as follows:
1048 * - The cipher underlying the transformation is managed in
1049 * cipher contexts cipher_ctx_{enc/dec}, which must have the
1050 * same cipher type. The mode of these cipher contexts determines
1051 * the type of the transformation in the sense above: e.g., if
1052 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
1053 * then the transformation has type CBC resp. AEAD.
1054 * - The cipher keys are never stored explicitly but
1055 * are maintained within cipher_ctx_{enc/dec}.
1056 * - For stream/CBC transformations, the message digest contexts
1057 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
1058 * are unused for AEAD transformations.
1059 * - For stream/CBC transformations, the MAC keys are not stored explicitly
1060 * but maintained within md_ctx_{enc/dec}.
1061 * - The mac_enc and mac_dec fields are unused for EAD transformations.
1062 * - For transformations using an implicit IV maintained within
1063 * the transformation context, its contents are stored within
1064 * iv_{enc/dec}.
1065 * - The value of ivlen indicates the length of the IV.
1066 * This is redundant in case of stream/CBC transformations
1067 * which always use 0 resp. the cipher's block length as the
1068 * IV length, but is needed for AEAD ciphers and may be
1069 * different from the underlying cipher's block length
1070 * in this case.
1071 * - The field fixed_ivlen is nonzero for AEAD transformations only
1072 * and indicates the length of the static part of the IV which is
1073 * constant throughout the communication, and which is stored in
1074 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
1075 * - tls_version denotes the 2-byte TLS version
1076 * - For stream/CBC transformations, maclen denotes the length of the
1077 * authentication tag, while taglen is unused and 0.
1078 * - For AEAD transformations, taglen denotes the length of the
1079 * authentication tag, while maclen is unused and 0.
1080 * - For CBC transformations, encrypt_then_mac determines the
1081 * order of encryption and authentication. This field is unused
1082 * in other transformations.
1083 *
1084 */
1085 struct mbedtls_ssl_transform {
1086 /*
1087 * Session specific crypto layer
1088 */
1089 size_t minlen; /*!< min. ciphertext length */
1090 size_t ivlen; /*!< IV length */
1091 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
1092 size_t maclen; /*!< MAC(CBC) len */
1093 size_t taglen; /*!< TAG(AEAD) len */
1094
1095 unsigned char iv_enc[16]; /*!< IV (encryption) */
1096 unsigned char iv_dec[16]; /*!< IV (decryption) */
1097
1098 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1099
1100 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1101 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
1102 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
1103 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
1104 #else
1105 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
1106 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
1107 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1108
1109 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1110 int encrypt_then_mac; /*!< flag for EtM activation */
1111 #endif
1112
1113 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1114
1115 mbedtls_ssl_protocol_version tls_version;
1116
1117 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1118 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
1119 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
1120 psa_algorithm_t psa_alg; /*!< psa algorithm */
1121 #else
1122 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
1123 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
1124 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1125
1126 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1127 uint8_t in_cid_len;
1128 uint8_t out_cid_len;
1129 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
1130 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
1131 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1132
1133 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
1134 /* We need the Hello random bytes in order to re-derive keys from the
1135 * Master Secret and other session info,
1136 * see ssl_tls12_populate_transform() */
1137 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1138 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1139 /*!< ServerHello.random+ClientHello.random */
1140 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
1141 };
1142
1143 /*
1144 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1145 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1146 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)1147 static inline int mbedtls_ssl_transform_uses_aead(
1148 const mbedtls_ssl_transform *transform)
1149 {
1150 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1151 return transform->maclen == 0 && transform->taglen != 0;
1152 #else
1153 (void) transform;
1154 return 1;
1155 #endif
1156 }
1157
1158 /*
1159 * Internal representation of record frames
1160 *
1161 * Instances come in two flavors:
1162 * (1) Encrypted
1163 * These always have data_offset = 0
1164 * (2) Unencrypted
1165 * These have data_offset set to the amount of
1166 * pre-expansion during record protection. Concretely,
1167 * this is the length of the fixed part of the explicit IV
1168 * used for encryption, or 0 if no explicit IV is used
1169 * (e.g. for stream ciphers).
1170 *
1171 * The reason for the data_offset in the unencrypted case
1172 * is to allow for in-place conversion of an unencrypted to
1173 * an encrypted record. If the offset wasn't included, the
1174 * encrypted content would need to be shifted afterwards to
1175 * make space for the fixed IV.
1176 *
1177 */
1178 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
1179 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
1180 #else
1181 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
1182 #endif
1183
1184 typedef struct {
1185 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1186 * In DTLS: The 2-byte epoch followed by
1187 * the 6-byte sequence number.
1188 * This is stored as a raw big endian byte array
1189 * as opposed to a uint64_t because we rarely
1190 * need to perform arithmetic on this, but do
1191 * need it as a Byte array for the purpose of
1192 * MAC computations. */
1193 uint8_t type; /* The record content type. */
1194 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1195 * Convert to internal presentation of versions
1196 * using mbedtls_ssl_read_version() and
1197 * mbedtls_ssl_write_version().
1198 * Keep wire-format for MAC computations. */
1199
1200 unsigned char *buf; /* Memory buffer enclosing the record content */
1201 size_t buf_len; /* Buffer length */
1202 size_t data_offset; /* Offset of record content */
1203 size_t data_len; /* Length of record content */
1204
1205 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1206 uint8_t cid_len; /* Length of the CID (0 if not present) */
1207 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
1208 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1209 } mbedtls_record;
1210
1211 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1212 /*
1213 * List of certificate + private key pairs
1214 */
1215 struct mbedtls_ssl_key_cert {
1216 mbedtls_x509_crt *cert; /*!< cert */
1217 mbedtls_pk_context *key; /*!< private key */
1218 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1219 };
1220 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1221
1222 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1223 /*
1224 * List of handshake messages kept around for resending
1225 */
1226 struct mbedtls_ssl_flight_item {
1227 unsigned char *p; /*!< message, including handshake headers */
1228 size_t len; /*!< length of p */
1229 unsigned char type; /*!< type of the message: handshake or CCS */
1230 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1231 };
1232 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1233
1234 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1235 /**
1236 * \brief Given an SSL context and its associated configuration, write the TLS
1237 * 1.2 specific extensions of the ClientHello message.
1238 *
1239 * \param[in] ssl SSL context
1240 * \param[in] buf Base address of the buffer where to write the extensions
1241 * \param[in] end End address of the buffer where to write the extensions
1242 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
1243 * (<> 0) or not ( 0 ).
1244 * \param[out] out_len Length of the data written into the buffer \p buf
1245 */
1246 MBEDTLS_CHECK_RETURN_CRITICAL
1247 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
1248 unsigned char *buf,
1249 const unsigned char *end,
1250 int uses_ec,
1251 size_t *out_len);
1252 #endif
1253
1254 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1255 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1256
1257 /**
1258 * \brief Find the preferred hash for a given signature algorithm.
1259 *
1260 * \param[in] ssl SSL context
1261 * \param[in] sig_alg A signature algorithm identifier as defined in the
1262 * TLS 1.2 SignatureAlgorithm enumeration.
1263 *
1264 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1265 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1266 */
1267 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1268 mbedtls_ssl_context *ssl,
1269 unsigned int sig_alg);
1270
1271 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1272 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1273
1274 /**
1275 * \brief Free referenced items in an SSL transform context and clear
1276 * memory
1277 *
1278 * \param transform SSL transform context
1279 */
1280 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
1281
1282 /**
1283 * \brief Free referenced items in an SSL handshake context and clear
1284 * memory
1285 *
1286 * \param ssl SSL context
1287 */
1288 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
1289
1290 /* set inbound transform of ssl context */
1291 void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
1292 mbedtls_ssl_transform *transform);
1293
1294 /* set outbound transform of ssl context */
1295 void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
1296 mbedtls_ssl_transform *transform);
1297
1298 MBEDTLS_CHECK_RETURN_CRITICAL
1299 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
1300 MBEDTLS_CHECK_RETURN_CRITICAL
1301 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
1302 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1303 static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
1304 mbedtls_ssl_states state)
1305 {
1306 ssl->state = (int) state;
1307 }
1308
1309 MBEDTLS_CHECK_RETURN_CRITICAL
1310 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
1311
1312 MBEDTLS_CHECK_RETURN_CRITICAL
1313 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
1314
1315 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1316 MBEDTLS_CHECK_RETURN_CRITICAL
1317 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
1318 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1319
1320 MBEDTLS_CHECK_RETURN_CRITICAL
1321 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
1322 MBEDTLS_CHECK_RETURN_CRITICAL
1323 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
1324 MBEDTLS_CHECK_RETURN_CRITICAL
1325 int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
1326
1327 /**
1328 * \brief Update record layer
1329 *
1330 * This function roughly separates the implementation
1331 * of the logic of (D)TLS from the implementation
1332 * of the secure transport.
1333 *
1334 * \param ssl The SSL context to use.
1335 * \param update_hs_digest This indicates if the handshake digest
1336 * should be automatically updated in case
1337 * a handshake message is found.
1338 *
1339 * \return 0 or non-zero error code.
1340 *
1341 * \note A clarification on what is called 'record layer' here
1342 * is in order, as many sensible definitions are possible:
1343 *
1344 * The record layer takes as input an untrusted underlying
1345 * transport (stream or datagram) and transforms it into
1346 * a serially multiplexed, secure transport, which
1347 * conceptually provides the following:
1348 *
1349 * (1) Three datagram based, content-agnostic transports
1350 * for handshake, alert and CCS messages.
1351 * (2) One stream- or datagram-based transport
1352 * for application data.
1353 * (3) Functionality for changing the underlying transform
1354 * securing the contents.
1355 *
1356 * The interface to this functionality is given as follows:
1357 *
1358 * a Updating
1359 * [Currently implemented by mbedtls_ssl_read_record]
1360 *
1361 * Check if and on which of the four 'ports' data is pending:
1362 * Nothing, a controlling datagram of type (1), or application
1363 * data (2). In any case data is present, internal buffers
1364 * provide access to the data for the user to process it.
1365 * Consumption of type (1) datagrams is done automatically
1366 * on the next update, invalidating that the internal buffers
1367 * for previous datagrams, while consumption of application
1368 * data (2) is user-controlled.
1369 *
1370 * b Reading of application data
1371 * [Currently manual adaption of ssl->in_offt pointer]
1372 *
1373 * As mentioned in the last paragraph, consumption of data
1374 * is different from the automatic consumption of control
1375 * datagrams (1) because application data is treated as a stream.
1376 *
1377 * c Tracking availability of application data
1378 * [Currently manually through decreasing ssl->in_msglen]
1379 *
1380 * For efficiency and to retain datagram semantics for
1381 * application data in case of DTLS, the record layer
1382 * provides functionality for checking how much application
1383 * data is still available in the internal buffer.
1384 *
1385 * d Changing the transformation securing the communication.
1386 *
1387 * Given an opaque implementation of the record layer in the
1388 * above sense, it should be possible to implement the logic
1389 * of (D)TLS on top of it without the need to know anything
1390 * about the record layer's internals. This is done e.g.
1391 * in all the handshake handling functions, and in the
1392 * application data reading function mbedtls_ssl_read.
1393 *
1394 * \note The above tries to give a conceptual picture of the
1395 * record layer, but the current implementation deviates
1396 * from it in some places. For example, our implementation of
1397 * the update functionality through mbedtls_ssl_read_record
1398 * discards datagrams depending on the current state, which
1399 * wouldn't fall under the record layer's responsibility
1400 * following the above definition.
1401 *
1402 */
1403 MBEDTLS_CHECK_RETURN_CRITICAL
1404 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
1405 unsigned update_hs_digest);
1406 MBEDTLS_CHECK_RETURN_CRITICAL
1407 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
1408
1409 /*
1410 * Write handshake message header
1411 */
1412 MBEDTLS_CHECK_RETURN_CRITICAL
1413 int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned hs_type,
1414 unsigned char **buf, size_t *buf_len);
1415
1416 MBEDTLS_CHECK_RETURN_CRITICAL
1417 int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
1418 int update_checksum,
1419 int force_flush);
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1420 static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
1421 {
1422 return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
1423 }
1424
1425 /*
1426 * Write handshake message tail
1427 */
1428 MBEDTLS_CHECK_RETURN_CRITICAL
1429 int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
1430 size_t buf_len, size_t msg_len);
1431
1432 MBEDTLS_CHECK_RETURN_CRITICAL
1433 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
1434 MBEDTLS_CHECK_RETURN_CRITICAL
1435 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
1436
1437 MBEDTLS_CHECK_RETURN_CRITICAL
1438 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
1439 MBEDTLS_CHECK_RETURN_CRITICAL
1440 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
1441
1442 MBEDTLS_CHECK_RETURN_CRITICAL
1443 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
1444 MBEDTLS_CHECK_RETURN_CRITICAL
1445 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
1446
1447 MBEDTLS_CHECK_RETURN_CRITICAL
1448 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
1449 MBEDTLS_CHECK_RETURN_CRITICAL
1450 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
1451
1452 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
1453 const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
1454
1455 /*
1456 * Update checksum of handshake messages.
1457 */
1458 MBEDTLS_CHECK_RETURN_CRITICAL
1459 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
1460 unsigned hs_type,
1461 unsigned char const *msg,
1462 size_t msg_len);
1463
1464 MBEDTLS_CHECK_RETURN_CRITICAL
1465 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
1466 unsigned hs_type,
1467 size_t total_hs_len);
1468
1469 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1470 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
1471 MBEDTLS_CHECK_RETURN_CRITICAL
1472 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
1473 mbedtls_key_exchange_type_t key_ex);
1474 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
1475 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1476
1477 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1478 #if defined(MBEDTLS_SSL_CLI_C)
1479 MBEDTLS_CHECK_RETURN_CRITICAL
1480 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
1481 #endif
1482 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1483 /**
1484 * Get the first defined opaque PSK by order of precedence:
1485 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1486 * callback
1487 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1488 * Return an opaque PSK
1489 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1490 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1491 const mbedtls_ssl_context *ssl)
1492 {
1493 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
1494 return ssl->handshake->psk_opaque;
1495 }
1496
1497 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
1498 return ssl->conf->psk_opaque;
1499 }
1500
1501 return MBEDTLS_SVC_KEY_ID_INIT;
1502 }
1503 #else
1504 /**
1505 * Get the first defined PSK by order of precedence:
1506 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1507 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1508 * Return a code and update the pair (PSK, PSK length) passed to this function
1509 */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1510 static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
1511 const unsigned char **psk, size_t *psk_len)
1512 {
1513 if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
1514 *psk = ssl->handshake->psk;
1515 *psk_len = ssl->handshake->psk_len;
1516 } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
1517 *psk = ssl->conf->psk;
1518 *psk_len = ssl->conf->psk_len;
1519 } else {
1520 *psk = NULL;
1521 *psk_len = 0;
1522 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
1523 }
1524
1525 return 0;
1526 }
1527 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1528
1529 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1530
1531 #if defined(MBEDTLS_PK_C)
1532 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
1533 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
1534 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
1535 #endif
1536
1537 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
1538 unsigned char mbedtls_ssl_hash_from_md_alg(int md);
1539
1540 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1541 MBEDTLS_CHECK_RETURN_CRITICAL
1542 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
1543 #endif
1544
1545 MBEDTLS_CHECK_RETURN_CRITICAL
1546 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
1547 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
1548 MBEDTLS_CHECK_RETURN_CRITICAL
1549 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
1550 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1551
1552 /**
1553 * \brief Return PSA EC info for the specified TLS ID.
1554 *
1555 * \param tls_id The TLS ID to look for
1556 * \param type If the TLD ID is supported, then proper \c psa_key_type_t
1557 * value is returned here. Can be NULL.
1558 * \param bits If the TLD ID is supported, then proper bit size is returned
1559 * here. Can be NULL.
1560 * \return PSA_SUCCESS if the TLS ID is supported,
1561 * PSA_ERROR_NOT_SUPPORTED otherwise
1562 *
1563 * \note If either \c family or \c bits parameters are NULL, then
1564 * the corresponding value is not returned.
1565 * The function can be called with both parameters as NULL
1566 * simply to check if a specific TLS ID is supported.
1567 */
1568 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
1569 psa_key_type_t *type,
1570 size_t *bits);
1571
1572 /**
1573 * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
1574 *
1575 * \param tls_id The TLS ID to look for
1576 * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
1577 * or MBEDTLS_ECP_DP_NONE otherwise
1578 */
1579 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
1580
1581 /**
1582 * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
1583 *
1584 * \param grp_id The \c mbedtls_ecp_group_id ID to look for
1585 * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
1586 * or 0 otherwise
1587 */
1588 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
1589
1590 #if defined(MBEDTLS_DEBUG_C)
1591 /**
1592 * \brief Return EC's name for the specified TLS ID.
1593 *
1594 * \param tls_id The TLS ID to look for
1595 * \return A pointer to a const string with the proper name. If TLS
1596 * ID is not supported, a NULL pointer is returned instead.
1597 */
1598 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
1599 #endif
1600
1601 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1602 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1603 (const uint16_t srtp_profile_value)
1604 {
1605 switch (srtp_profile_value) {
1606 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1607 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1608 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1609 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1610 return srtp_profile_value;
1611 default: break;
1612 }
1613 return MBEDTLS_TLS_SRTP_UNSET;
1614 }
1615 #endif
1616
1617 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1618 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
1619 {
1620 mbedtls_ssl_key_cert *key_cert;
1621
1622 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1623 key_cert = ssl->handshake->key_cert;
1624 } else {
1625 key_cert = ssl->conf->key_cert;
1626 }
1627
1628 return key_cert == NULL ? NULL : key_cert->key;
1629 }
1630
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1631 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
1632 {
1633 mbedtls_ssl_key_cert *key_cert;
1634
1635 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1636 key_cert = ssl->handshake->key_cert;
1637 } else {
1638 key_cert = ssl->conf->key_cert;
1639 }
1640
1641 return key_cert == NULL ? NULL : key_cert->cert;
1642 }
1643
1644 /*
1645 * Check usage of a certificate wrt extensions:
1646 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1647 *
1648 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1649 * check a cert we received from them)!
1650 *
1651 * Return 0 if everything is OK, -1 if not.
1652 */
1653 MBEDTLS_CHECK_RETURN_CRITICAL
1654 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
1655 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1656 int cert_endpoint,
1657 uint32_t *flags);
1658 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1659
1660 void mbedtls_ssl_write_version(unsigned char version[2], int transport,
1661 mbedtls_ssl_protocol_version tls_version);
1662 uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
1663 int transport);
1664
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1665 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
1666 {
1667 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1668 ((void) ssl);
1669 #endif
1670
1671 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1672 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1673 return 13;
1674 } else
1675 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1676 {
1677 return 5;
1678 }
1679 }
1680
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1681 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
1682 {
1683 return (size_t) (ssl->out_iv - ssl->out_hdr);
1684 }
1685
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1686 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
1687 {
1688 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1689 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1690 return 12;
1691 }
1692 #else
1693 ((void) ssl);
1694 #endif
1695 return 4;
1696 }
1697
1698 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1699 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
1700 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
1701 MBEDTLS_CHECK_RETURN_CRITICAL
1702 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
1703 MBEDTLS_CHECK_RETURN_CRITICAL
1704 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
1705 #endif
1706
1707 /* Visible for testing purposes only */
1708 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1709 MBEDTLS_CHECK_RETURN_CRITICAL
1710 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
1711 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
1712 #endif
1713
1714 MBEDTLS_CHECK_RETURN_CRITICAL
1715 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
1716 const mbedtls_ssl_session *src);
1717
1718 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1719 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1720 MBEDTLS_CHECK_RETURN_CRITICAL
1721 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
1722 unsigned char *hash, size_t *hashlen,
1723 unsigned char *data, size_t data_len,
1724 mbedtls_md_type_t md_alg);
1725 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1726
1727 #ifdef __cplusplus
1728 }
1729 #endif
1730
1731 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
1732 MBEDTLS_CHECK_RETURN_CRITICAL
1733 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
1734 mbedtls_ssl_transform *transform,
1735 mbedtls_record *rec,
1736 int (*f_rng)(void *, unsigned char *, size_t),
1737 void *p_rng);
1738 MBEDTLS_CHECK_RETURN_CRITICAL
1739 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
1740 mbedtls_ssl_transform *transform,
1741 mbedtls_record *rec);
1742
1743 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1744 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
1745 {
1746 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1747 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1748 return 2;
1749 }
1750 #else
1751 ((void) ssl);
1752 #endif
1753 return 0;
1754 }
1755
1756 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1757 MBEDTLS_CHECK_RETURN_CRITICAL
1758 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
1759 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1760
1761 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
1762 MBEDTLS_CHECK_RETURN_CRITICAL
1763 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
1764
1765 void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
1766 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
1767 mbedtls_ssl_transform *transform);
1768 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
1769
1770 MBEDTLS_CHECK_RETURN_CRITICAL
1771 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
1772 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1773 int partial);
1774
1775 /*
1776 * Send pending alert
1777 */
1778 MBEDTLS_CHECK_RETURN_CRITICAL
1779 int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
1780
1781 /*
1782 * Set pending fatal alert flag.
1783 */
1784 void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
1785 unsigned char alert_type,
1786 int alert_reason);
1787
1788 /* Alias of mbedtls_ssl_pend_fatal_alert */
1789 #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \
1790 mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
1791
1792 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1793 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
1794 #endif
1795
1796 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
1797
1798 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1799 MBEDTLS_CHECK_RETURN_CRITICAL
1800 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
1801 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1802
1803 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1804 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
1805 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
1806 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
1807 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1808
1809 /**
1810 * ssl utils functions for checking configuration.
1811 */
1812
1813 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1814 static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
1815 {
1816 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1817 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
1818 }
1819
1820 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1821
1822 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1823 static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
1824 {
1825 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1826 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2;
1827 }
1828
1829 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1830
mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config * conf)1831 static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
1832 {
1833 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1834 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1835 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3;
1836 #else
1837 ((void) conf);
1838 return 0;
1839 #endif
1840 }
1841
mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config * conf)1842 static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
1843 {
1844 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1845 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1846 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2;
1847 #else
1848 ((void) conf);
1849 return 0;
1850 #endif
1851 }
1852
1853 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1854 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
1855 {
1856 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1857 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
1858 }
1859 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
1860
1861 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1862 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1863 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
1864 MBEDTLS_CHECK_RETURN_CRITICAL
1865 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
1866 MBEDTLS_CHECK_RETURN_CRITICAL
1867 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
1868 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
1869
1870 /**
1871 * \brief Given an SSL context and its associated configuration, write the TLS
1872 * 1.3 specific extensions of the ClientHello message.
1873 *
1874 * \param[in] ssl SSL context
1875 * \param[in] buf Base address of the buffer where to write the extensions
1876 * \param[in] end End address of the buffer where to write the extensions
1877 * \param[out] out_len Length of the data written into the buffer \p buf
1878 */
1879 MBEDTLS_CHECK_RETURN_CRITICAL
1880 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1881 unsigned char *buf,
1882 unsigned char *end,
1883 size_t *out_len);
1884
1885 /**
1886 * \brief TLS 1.3 client side state machine entry
1887 *
1888 * \param ssl SSL context
1889 */
1890 MBEDTLS_CHECK_RETURN_CRITICAL
1891 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
1892
1893 /**
1894 * \brief TLS 1.3 server side state machine entry
1895 *
1896 * \param ssl SSL context
1897 */
1898 MBEDTLS_CHECK_RETURN_CRITICAL
1899 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
1900
1901
1902 /*
1903 * Helper functions around key exchange modes.
1904 */
mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_mode_mask)1905 static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
1906 int kex_mode_mask)
1907 {
1908 return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
1909 }
1910
mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context * ssl)1911 static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl)
1912 {
1913 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1914 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
1915 }
1916
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1917 static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
1918 {
1919 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1920 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
1921 }
1922
mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1923 static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
1924 {
1925 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1926 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
1927 }
1928
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1929 static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
1930 {
1931 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1932 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
1933 }
1934
mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1935 static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
1936 {
1937 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1938 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
1939 }
1940
1941 #if defined(MBEDTLS_SSL_SRV_C) && \
1942 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1943 /**
1944 * Given a list of key exchange modes, check if at least one of them is
1945 * supported.
1946 *
1947 * \param[in] ssl SSL context
1948 * \param kex_modes_mask Mask of the key exchange modes to check
1949 *
1950 * \return 0 if at least one of the key exchange modes is supported,
1951 * !=0 otherwise.
1952 */
mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_modes_mask)1953 static inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
1954 int kex_modes_mask)
1955 {
1956 return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0;
1957 }
1958
mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context * ssl)1959 static inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl)
1960 {
1961 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1962 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
1963 }
1964
mbedtls_ssl_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1965 static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
1966 mbedtls_ssl_context *ssl)
1967 {
1968 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1969 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
1970 }
1971
mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1972 static inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
1973 {
1974 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1975 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
1976 }
1977
mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1978 static inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
1979 {
1980 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1981 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
1982 }
1983
mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1984 static inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
1985 {
1986 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1987 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
1988 }
1989 #endif /* MBEDTLS_SSL_SRV_C &&
1990 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1991
1992 /*
1993 * Helper functions for extensions checking.
1994 */
1995
1996 MBEDTLS_CHECK_RETURN_CRITICAL
1997 int mbedtls_ssl_tls13_check_received_extension(
1998 mbedtls_ssl_context *ssl,
1999 int hs_msg_type,
2000 unsigned int received_extension_type,
2001 uint32_t hs_msg_allowed_extensions_mask);
2002
mbedtls_ssl_tls13_set_hs_sent_ext_mask(mbedtls_ssl_context * ssl,unsigned int extension_type)2003 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
2004 mbedtls_ssl_context *ssl, unsigned int extension_type)
2005 {
2006 ssl->handshake->sent_extensions |=
2007 mbedtls_ssl_get_extension_mask(extension_type);
2008 }
2009
2010 /*
2011 * Helper functions to check the selected key exchange mode.
2012 */
mbedtls_ssl_tls13_key_exchange_mode_check(mbedtls_ssl_context * ssl,int kex_mask)2013 static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
2014 mbedtls_ssl_context *ssl, int kex_mask)
2015 {
2016 return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
2017 }
2018
mbedtls_ssl_tls13_key_exchange_mode_with_psk(mbedtls_ssl_context * ssl)2019 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
2020 mbedtls_ssl_context *ssl)
2021 {
2022 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2023 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2024 }
2025
mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(mbedtls_ssl_context * ssl)2026 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
2027 mbedtls_ssl_context *ssl)
2028 {
2029 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2030 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
2031 }
2032
2033 /*
2034 * Fetch TLS 1.3 handshake message header
2035 */
2036 MBEDTLS_CHECK_RETURN_CRITICAL
2037 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
2038 unsigned hs_type,
2039 unsigned char **buf,
2040 size_t *buf_len);
2041
2042 /**
2043 * \brief Detect if a list of extensions contains a supported_versions
2044 * extension or not.
2045 *
2046 * \param[in] ssl SSL context
2047 * \param[in] buf Address of the first byte of the extensions vector.
2048 * \param[in] end End of the buffer containing the list of extensions.
2049 * \param[out] supported_versions_data If the extension is present, address of
2050 * its first byte of data, NULL otherwise.
2051 * \param[out] supported_versions_data_end If the extension is present, address
2052 * of the first byte immediately
2053 * following the extension data, NULL
2054 * otherwise.
2055 * \return 0 if the list of extensions does not contain a supported_versions
2056 * extension.
2057 * \return 1 if the list of extensions contains a supported_versions
2058 * extension.
2059 * \return A negative value if an error occurred while parsing the
2060 * extensions.
2061 */
2062 MBEDTLS_CHECK_RETURN_CRITICAL
2063 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
2064 mbedtls_ssl_context *ssl,
2065 const unsigned char *buf, const unsigned char *end,
2066 const unsigned char **supported_versions_data,
2067 const unsigned char **supported_versions_data_end);
2068
2069 /*
2070 * Handler of TLS 1.3 server certificate message
2071 */
2072 MBEDTLS_CHECK_RETURN_CRITICAL
2073 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
2074
2075 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2076 /*
2077 * Handler of TLS 1.3 write Certificate message
2078 */
2079 MBEDTLS_CHECK_RETURN_CRITICAL
2080 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
2081
2082 /*
2083 * Handler of TLS 1.3 write Certificate Verify message
2084 */
2085 MBEDTLS_CHECK_RETURN_CRITICAL
2086 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
2087
2088 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2089
2090 /*
2091 * Generic handler of Certificate Verify
2092 */
2093 MBEDTLS_CHECK_RETURN_CRITICAL
2094 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
2095
2096 /*
2097 * Write of dummy-CCS's for middlebox compatibility
2098 */
2099 MBEDTLS_CHECK_RETURN_CRITICAL
2100 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
2101
2102 MBEDTLS_CHECK_RETURN_CRITICAL
2103 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
2104
2105 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
2106 MBEDTLS_CHECK_RETURN_CRITICAL
2107 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
2108 mbedtls_ssl_context *ssl,
2109 uint16_t named_group,
2110 unsigned char *buf,
2111 unsigned char *end,
2112 size_t *out_len);
2113 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
2114
2115 #if defined(MBEDTLS_SSL_EARLY_DATA)
2116 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
2117 unsigned char *buf,
2118 const unsigned char *end,
2119 size_t *out_len);
2120 #endif /* MBEDTLS_SSL_EARLY_DATA */
2121
2122 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2123
2124 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2125 /*
2126 * Write Signature Algorithm extension
2127 */
2128 MBEDTLS_CHECK_RETURN_CRITICAL
2129 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
2130 const unsigned char *end, size_t *out_len);
2131 /*
2132 * Parse TLS Signature Algorithm extension
2133 */
2134 MBEDTLS_CHECK_RETURN_CRITICAL
2135 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
2136 const unsigned char *buf,
2137 const unsigned char *end);
2138 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2139
2140 /* Get handshake transcript */
2141 MBEDTLS_CHECK_RETURN_CRITICAL
2142 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
2143 const mbedtls_md_type_t md,
2144 unsigned char *dst,
2145 size_t dst_len,
2146 size_t *olen);
2147
2148 /*
2149 * Return supported groups.
2150 *
2151 * In future, invocations can be changed to ssl->conf->group_list
2152 * when mbedtls_ssl_conf_curves() is deleted.
2153 *
2154 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
2155 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
2156 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
2157 *
2158 */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)2159 static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
2160 {
2161 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
2162 return ssl->conf->group_list;
2163 #else
2164 if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
2165 return ssl->handshake->group_list;
2166 } else {
2167 return ssl->conf->group_list;
2168 }
2169 #endif
2170 }
2171
2172 /*
2173 * Helper functions for NamedGroup.
2174 */
mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)2175 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
2176 {
2177 /*
2178 * RFC 8422 section 5.1.1
2179 */
2180 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2181 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
2182 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
2183 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
2184 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
2185 /* Below deprecated curves should be removed with notice to users */
2186 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
2187 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
2188 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
2189 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
2190 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
2191 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2192 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2193 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
2194 }
2195
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)2196 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
2197 {
2198 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2199 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2200 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2201 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
2202 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
2203 }
2204
mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)2205 static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
2206 {
2207 return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
2208 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
2209 }
2210
mbedtls_ssl_named_group_is_offered(const mbedtls_ssl_context * ssl,uint16_t named_group)2211 static inline int mbedtls_ssl_named_group_is_offered(
2212 const mbedtls_ssl_context *ssl, uint16_t named_group)
2213 {
2214 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
2215
2216 if (group_list == NULL) {
2217 return 0;
2218 }
2219
2220 for (; *group_list != 0; group_list++) {
2221 if (*group_list == named_group) {
2222 return 1;
2223 }
2224 }
2225
2226 return 0;
2227 }
2228
mbedtls_ssl_named_group_is_supported(uint16_t named_group)2229 static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
2230 {
2231 #if defined(PSA_WANT_ALG_ECDH)
2232 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
2233 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
2234 MBEDTLS_ECP_DP_NONE) {
2235 return 1;
2236 }
2237 }
2238 #endif
2239 #if defined(PSA_WANT_ALG_FFDH)
2240 if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
2241 return 1;
2242 }
2243 #endif
2244 #if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
2245 (void) named_group;
2246 #endif
2247 return 0;
2248 }
2249
2250 /*
2251 * Return supported signature algorithms.
2252 *
2253 * In future, invocations can be changed to ssl->conf->sig_algs when
2254 * mbedtls_ssl_conf_sig_hashes() is deleted.
2255 *
2256 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
2257 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
2258 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
2259 * been more recently invoked.
2260 *
2261 */
mbedtls_ssl_get_sig_algs(const mbedtls_ssl_context * ssl)2262 static inline const void *mbedtls_ssl_get_sig_algs(
2263 const mbedtls_ssl_context *ssl)
2264 {
2265 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2266
2267 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2268 if (ssl->handshake != NULL &&
2269 ssl->handshake->sig_algs_heap_allocated == 1 &&
2270 ssl->handshake->sig_algs != NULL) {
2271 return ssl->handshake->sig_algs;
2272 }
2273 #endif
2274 return ssl->conf->sig_algs;
2275
2276 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2277
2278 ((void) ssl);
2279 return NULL;
2280 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2281 }
2282
2283 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context * ssl,uint16_t own_sig_alg)2284 static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
2285 uint16_t own_sig_alg)
2286 {
2287 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
2288 if (sig_alg == NULL) {
2289 return 0;
2290 }
2291
2292 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2293 if (*sig_alg == own_sig_alg) {
2294 return 1;
2295 }
2296 }
2297 return 0;
2298 }
2299
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(const uint16_t sig_alg)2300 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2301 const uint16_t sig_alg)
2302 {
2303 switch (sig_alg) {
2304 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
2305 #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256)
2306 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
2307 break;
2308 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2309 #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384)
2310 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
2311 break;
2312 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2313 #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521)
2314 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2315 break;
2316 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
2317 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
2318
2319 #if defined(MBEDTLS_PKCS1_V21)
2320 #if defined(PSA_WANT_ALG_SHA_256)
2321 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2322 break;
2323 #endif /* PSA_WANT_ALG_SHA_256 */
2324 #if defined(PSA_WANT_ALG_SHA_384)
2325 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2326 break;
2327 #endif /* PSA_WANT_ALG_SHA_384 */
2328 #if defined(PSA_WANT_ALG_SHA_512)
2329 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2330 break;
2331 #endif /* PSA_WANT_ALG_SHA_512 */
2332 #endif /* MBEDTLS_PKCS1_V21 */
2333 default:
2334 return 0;
2335 }
2336 return 1;
2337
2338 }
2339
mbedtls_ssl_tls13_sig_alg_is_supported(const uint16_t sig_alg)2340 static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
2341 const uint16_t sig_alg)
2342 {
2343 switch (sig_alg) {
2344 #if defined(MBEDTLS_PKCS1_V15)
2345 #if defined(MBEDTLS_MD_CAN_SHA256)
2346 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2347 break;
2348 #endif /* MBEDTLS_MD_CAN_SHA256 */
2349 #if defined(MBEDTLS_MD_CAN_SHA384)
2350 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2351 break;
2352 #endif /* MBEDTLS_MD_CAN_SHA384 */
2353 #if defined(MBEDTLS_MD_CAN_SHA512)
2354 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2355 break;
2356 #endif /* MBEDTLS_MD_CAN_SHA512 */
2357 #endif /* MBEDTLS_PKCS1_V15 */
2358 default:
2359 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2360 sig_alg);
2361 }
2362 return 1;
2363 }
2364
2365 MBEDTLS_CHECK_RETURN_CRITICAL
2366 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
2367 mbedtls_pk_context *key);
2368 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2369
2370 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context * ssl,uint16_t proposed_sig_alg)2371 static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
2372 uint16_t proposed_sig_alg)
2373 {
2374 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2375 if (sig_alg == NULL) {
2376 return 0;
2377 }
2378
2379 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2380 if (*sig_alg == proposed_sig_alg) {
2381 return 1;
2382 }
2383 }
2384 return 0;
2385 }
2386
mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(uint16_t sig_alg,mbedtls_pk_type_t * pk_type,mbedtls_md_type_t * md_alg)2387 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2388 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
2389 {
2390 *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
2391 *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
2392
2393 if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
2394 return 0;
2395 }
2396
2397 switch (sig_alg) {
2398 #if defined(MBEDTLS_PKCS1_V21)
2399 #if defined(MBEDTLS_MD_CAN_SHA256)
2400 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2401 *md_alg = MBEDTLS_MD_SHA256;
2402 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2403 break;
2404 #endif /* MBEDTLS_MD_CAN_SHA256 */
2405 #if defined(MBEDTLS_MD_CAN_SHA384)
2406 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2407 *md_alg = MBEDTLS_MD_SHA384;
2408 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2409 break;
2410 #endif /* MBEDTLS_MD_CAN_SHA384 */
2411 #if defined(MBEDTLS_MD_CAN_SHA512)
2412 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2413 *md_alg = MBEDTLS_MD_SHA512;
2414 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2415 break;
2416 #endif /* MBEDTLS_MD_CAN_SHA512 */
2417 #endif /* MBEDTLS_PKCS1_V21 */
2418 default:
2419 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2420 }
2421 return 0;
2422 }
2423
2424 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_sig_alg_is_supported(const uint16_t sig_alg)2425 static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
2426 const uint16_t sig_alg)
2427 {
2428 /* High byte is hash */
2429 unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
2430 unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
2431
2432 switch (hash) {
2433 #if defined(MBEDTLS_MD_CAN_MD5)
2434 case MBEDTLS_SSL_HASH_MD5:
2435 break;
2436 #endif
2437
2438 #if defined(MBEDTLS_MD_CAN_SHA1)
2439 case MBEDTLS_SSL_HASH_SHA1:
2440 break;
2441 #endif
2442
2443 #if defined(MBEDTLS_MD_CAN_SHA224)
2444 case MBEDTLS_SSL_HASH_SHA224:
2445 break;
2446 #endif
2447
2448 #if defined(MBEDTLS_MD_CAN_SHA256)
2449 case MBEDTLS_SSL_HASH_SHA256:
2450 break;
2451 #endif
2452
2453 #if defined(MBEDTLS_MD_CAN_SHA384)
2454 case MBEDTLS_SSL_HASH_SHA384:
2455 break;
2456 #endif
2457
2458 #if defined(MBEDTLS_MD_CAN_SHA512)
2459 case MBEDTLS_SSL_HASH_SHA512:
2460 break;
2461 #endif
2462
2463 default:
2464 return 0;
2465 }
2466
2467 switch (sig) {
2468 #if defined(MBEDTLS_RSA_C)
2469 case MBEDTLS_SSL_SIG_RSA:
2470 break;
2471 #endif
2472
2473 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
2474 case MBEDTLS_SSL_SIG_ECDSA:
2475 break;
2476 #endif
2477
2478 default:
2479 return 0;
2480 }
2481
2482 return 1;
2483 }
2484 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2485
mbedtls_ssl_sig_alg_is_supported(const mbedtls_ssl_context * ssl,const uint16_t sig_alg)2486 static inline int mbedtls_ssl_sig_alg_is_supported(
2487 const mbedtls_ssl_context *ssl,
2488 const uint16_t sig_alg)
2489 {
2490
2491 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2492 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2493 return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
2494 }
2495 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2496
2497 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2498 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2499 return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
2500 }
2501 #endif
2502 ((void) ssl);
2503 ((void) sig_alg);
2504 return 0;
2505 }
2506 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2507
2508 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2509 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2510 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
2511 * guaranteed to not be a valid PSA algorithm identifier.
2512 */
2513 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2514
2515 /**
2516 * \brief Translate mbedtls cipher type/taglen pair to psa:
2517 * algorithm, key type and key size.
2518 *
2519 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2520 * \param taglen [in] given tag length
2521 * 0 - default tag length
2522 * \param alg [out] corresponding PSA alg
2523 * There is no corresponding PSA
2524 * alg for MBEDTLS_CIPHER_NULL, so
2525 * in this case MBEDTLS_SSL_NULL_CIPHER
2526 * is returned via this parameter
2527 * \param key_type [out] corresponding PSA key type
2528 * \param key_size [out] corresponding PSA key size
2529 *
2530 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2531 * conversion is not supported.
2532 */
2533 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2534 size_t taglen,
2535 psa_algorithm_t *alg,
2536 psa_key_type_t *key_type,
2537 size_t *key_size);
2538
2539 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2540 /**
2541 * \brief Convert given PSA status to mbedtls error code.
2542 *
2543 * \param status [in] given PSA status
2544 *
2545 * \return corresponding mbedtls error code
2546 */
psa_ssl_status_to_mbedtls(psa_status_t status)2547 static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
2548 {
2549 switch (status) {
2550 case PSA_SUCCESS:
2551 return 0;
2552 case PSA_ERROR_INSUFFICIENT_MEMORY:
2553 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2554 case PSA_ERROR_NOT_SUPPORTED:
2555 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2556 case PSA_ERROR_INVALID_SIGNATURE:
2557 return MBEDTLS_ERR_SSL_INVALID_MAC;
2558 case PSA_ERROR_INVALID_ARGUMENT:
2559 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2560 case PSA_ERROR_BAD_STATE:
2561 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2562 case PSA_ERROR_BUFFER_TOO_SMALL:
2563 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2564 default:
2565 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
2566 }
2567 }
2568 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2569 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2570
2571 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
2572 defined(MBEDTLS_USE_PSA_CRYPTO)
2573
2574 typedef enum {
2575 MBEDTLS_ECJPAKE_ROUND_ONE,
2576 MBEDTLS_ECJPAKE_ROUND_TWO
2577 } mbedtls_ecjpake_rounds_t;
2578
2579 /**
2580 * \brief Parse the provided input buffer for getting the first round
2581 * of key exchange. This code is common between server and client
2582 *
2583 * \param pake_ctx [in] the PAKE's operation/context structure
2584 * \param buf [in] input buffer to parse
2585 * \param len [in] length of the input buffer
2586 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2587 * MBEDTLS_ECJPAKE_ROUND_TWO
2588 *
2589 * \return 0 on success or a negative error code in case of failure
2590 */
2591 int mbedtls_psa_ecjpake_read_round(
2592 psa_pake_operation_t *pake_ctx,
2593 const unsigned char *buf,
2594 size_t len, mbedtls_ecjpake_rounds_t round);
2595
2596 /**
2597 * \brief Write the first round of key exchange into the provided output
2598 * buffer. This code is common between server and client
2599 *
2600 * \param pake_ctx [in] the PAKE's operation/context structure
2601 * \param buf [out] the output buffer in which data will be written to
2602 * \param len [in] length of the output buffer
2603 * \param olen [out] the length of the data really written on the buffer
2604 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2605 * MBEDTLS_ECJPAKE_ROUND_TWO
2606 *
2607 * \return 0 on success or a negative error code in case of failure
2608 */
2609 int mbedtls_psa_ecjpake_write_round(
2610 psa_pake_operation_t *pake_ctx,
2611 unsigned char *buf,
2612 size_t len, size_t *olen,
2613 mbedtls_ecjpake_rounds_t round);
2614
2615 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
2616
2617 /**
2618 * \brief TLS record protection modes
2619 */
2620 typedef enum {
2621 MBEDTLS_SSL_MODE_STREAM = 0,
2622 MBEDTLS_SSL_MODE_CBC,
2623 MBEDTLS_SSL_MODE_CBC_ETM,
2624 MBEDTLS_SSL_MODE_AEAD
2625 } mbedtls_ssl_mode_t;
2626
2627 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2628 const mbedtls_ssl_transform *transform);
2629
2630 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2631 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2632 int encrypt_then_mac,
2633 const mbedtls_ssl_ciphersuite_t *suite);
2634 #else
2635 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2636 const mbedtls_ssl_ciphersuite_t *suite);
2637 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2638
2639 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
2640
2641 MBEDTLS_CHECK_RETURN_CRITICAL
2642 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
2643 const unsigned char *buf,
2644 size_t buf_len);
2645
2646 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
2647
mbedtls_ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)2648 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2649 mbedtls_ssl_context *ssl, int cipher_suite)
2650 {
2651 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
2652
2653 /* Check whether we have offered this ciphersuite */
2654 for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
2655 if (ciphersuite_list[i] == cipher_suite) {
2656 return 1;
2657 }
2658 }
2659 return 0;
2660 }
2661
2662 /**
2663 * \brief Validate cipher suite against config in SSL context.
2664 *
2665 * \param ssl SSL context
2666 * \param suite_info Cipher suite to validate
2667 * \param min_tls_version Minimal TLS version to accept a cipher suite
2668 * \param max_tls_version Maximal TLS version to accept a cipher suite
2669 *
2670 * \return 0 if valid, negative value otherwise.
2671 */
2672 MBEDTLS_CHECK_RETURN_CRITICAL
2673 int mbedtls_ssl_validate_ciphersuite(
2674 const mbedtls_ssl_context *ssl,
2675 const mbedtls_ssl_ciphersuite_t *suite_info,
2676 mbedtls_ssl_protocol_version min_tls_version,
2677 mbedtls_ssl_protocol_version max_tls_version);
2678
2679 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2680 MBEDTLS_CHECK_RETURN_CRITICAL
2681 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
2682 const unsigned char *buf,
2683 const unsigned char *end);
2684 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2685
2686 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2687 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
2688 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64)
2689
2690 MBEDTLS_CHECK_RETURN_CRITICAL
2691 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
2692 const unsigned char *buf,
2693 const unsigned char *end);
2694 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2695
2696 #if defined(MBEDTLS_SSL_ALPN)
2697 MBEDTLS_CHECK_RETURN_CRITICAL
2698 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
2699 const unsigned char *buf,
2700 const unsigned char *end);
2701
2702
2703 MBEDTLS_CHECK_RETURN_CRITICAL
2704 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
2705 unsigned char *buf,
2706 unsigned char *end,
2707 size_t *out_len);
2708 #endif /* MBEDTLS_SSL_ALPN */
2709
2710 #if defined(MBEDTLS_TEST_HOOKS)
2711 int mbedtls_ssl_check_dtls_clihlo_cookie(
2712 mbedtls_ssl_context *ssl,
2713 const unsigned char *cli_id, size_t cli_id_len,
2714 const unsigned char *in, size_t in_len,
2715 unsigned char *obuf, size_t buf_len, size_t *olen);
2716 #endif
2717
2718 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2719 /**
2720 * \brief Given an SSL context and its associated configuration, write the TLS
2721 * 1.3 specific Pre-Shared key extension.
2722 *
2723 * \param[in] ssl SSL context
2724 * \param[in] buf Base address of the buffer where to write the extension
2725 * \param[in] end End address of the buffer where to write the extension
2726 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
2727 * written into the buffer \p buf by this function plus
2728 * the length of the binders to be written.
2729 * \param[out] binders_len Length of the binders to be written at the end of
2730 * the extension.
2731 */
2732 MBEDTLS_CHECK_RETURN_CRITICAL
2733 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
2734 mbedtls_ssl_context *ssl,
2735 unsigned char *buf, unsigned char *end,
2736 size_t *out_len, size_t *binders_len);
2737
2738 /**
2739 * \brief Given an SSL context and its associated configuration, write the TLS
2740 * 1.3 specific Pre-Shared key extension binders at the end of the
2741 * ClientHello.
2742 *
2743 * \param[in] ssl SSL context
2744 * \param[in] buf Base address of the buffer where to write the binders
2745 * \param[in] end End address of the buffer where to write the binders
2746 */
2747 MBEDTLS_CHECK_RETURN_CRITICAL
2748 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
2749 mbedtls_ssl_context *ssl,
2750 unsigned char *buf, unsigned char *end);
2751 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2752
2753 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
2754 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2755 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2756 defined(MBEDTLS_SSL_CLI_C)
2757 MBEDTLS_CHECK_RETURN_CRITICAL
2758 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
2759 const char *hostname);
2760 #endif
2761
2762 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_session_get_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2763 static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
2764 mbedtls_ssl_session *session, unsigned int flags)
2765 {
2766 return session->ticket_flags &
2767 (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2768 }
2769
mbedtls_ssl_session_set_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2770 static inline void mbedtls_ssl_session_set_ticket_flags(
2771 mbedtls_ssl_session *session, unsigned int flags)
2772 {
2773 session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2774 }
2775
mbedtls_ssl_session_clear_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2776 static inline void mbedtls_ssl_session_clear_ticket_flags(
2777 mbedtls_ssl_session *session, unsigned int flags)
2778 {
2779 session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2780 }
2781 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
2782
2783 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
2784 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
2785 #endif
2786
2787 #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2788
2789 /** Compute the HMAC of variable-length data with constant flow.
2790 *
2791 * This function computes the HMAC of the concatenation of \p add_data and \p
2792 * data, and does with a code flow and memory access pattern that does not
2793 * depend on \p data_len_secret, but only on \p min_data_len and \p
2794 * max_data_len. In particular, this function always reads exactly \p
2795 * max_data_len bytes from \p data.
2796 *
2797 * \param ctx The HMAC context. It must have keys configured
2798 * with mbedtls_md_hmac_starts() and use one of the
2799 * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
2800 * It is reset using mbedtls_md_hmac_reset() after
2801 * the computation is complete to prepare for the
2802 * next computation.
2803 * \param add_data The first part of the message whose HMAC is being
2804 * calculated. This must point to a readable buffer
2805 * of \p add_data_len bytes.
2806 * \param add_data_len The length of \p add_data in bytes.
2807 * \param data The buffer containing the second part of the
2808 * message. This must point to a readable buffer
2809 * of \p max_data_len bytes.
2810 * \param data_len_secret The length of the data to process in \p data.
2811 * This must be no less than \p min_data_len and no
2812 * greater than \p max_data_len.
2813 * \param min_data_len The minimal length of the second part of the
2814 * message, read from \p data.
2815 * \param max_data_len The maximal length of the second part of the
2816 * message, read from \p data.
2817 * \param output The HMAC will be written here. This must point to
2818 * a writable buffer of sufficient size to hold the
2819 * HMAC value.
2820 *
2821 * \retval 0 on success.
2822 * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
2823 * The hardware accelerator failed.
2824 */
2825 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2826 int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
2827 psa_algorithm_t mac_alg,
2828 const unsigned char *add_data,
2829 size_t add_data_len,
2830 const unsigned char *data,
2831 size_t data_len_secret,
2832 size_t min_data_len,
2833 size_t max_data_len,
2834 unsigned char *output);
2835 #else
2836 int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
2837 const unsigned char *add_data,
2838 size_t add_data_len,
2839 const unsigned char *data,
2840 size_t data_len_secret,
2841 size_t min_data_len,
2842 size_t max_data_len,
2843 unsigned char *output);
2844 #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
2845 #endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
2846
2847 #endif /* ssl_misc.h */
2848
