Kenji Arai / mbed-os_TYBLE16

Dependents:   TYBLE16_simple_data_logger TYBLE16_MP3_Air

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ssl_internal.h Source File

ssl_internal.h

Go to the documentation of this file.
00001 /**
00002  * \file ssl_internal.h
00003  *
00004  * \brief Internal functions shared by the SSL modules
00005  */
00006 /*
00007  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00008  *  SPDX-License-Identifier: Apache-2.0
00009  *
00010  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00011  *  not use this file except in compliance with the License.
00012  *  You may obtain a copy of the License at
00013  *
00014  *  http://www.apache.org/licenses/LICENSE-2.0
00015  *
00016  *  Unless required by applicable law or agreed to in writing, software
00017  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00018  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00019  *  See the License for the specific language governing permissions and
00020  *  limitations under the License.
00021  *
00022  *  This file is part of mbed TLS (https://tls.mbed.org)
00023  */
00024 #ifndef MBEDTLS_SSL_INTERNAL_H
00025 #define MBEDTLS_SSL_INTERNAL_H
00026 
00027 #if !defined(MBEDTLS_CONFIG_FILE)
00028 #include "mbedtls/config.h"
00029 #else
00030 #include MBEDTLS_CONFIG_FILE
00031 #endif
00032 
00033 #include "mbedtls/ssl.h"
00034 #include "mbedtls/cipher.h"
00035 
00036 #if defined(MBEDTLS_USE_PSA_CRYPTO)
00037 #include "psa/crypto.h"
00038 #endif
00039 
00040 #if defined(MBEDTLS_MD5_C)
00041 #include "mbedtls/md5.h"
00042 #endif
00043 
00044 #if defined(MBEDTLS_SHA1_C)
00045 #include "mbedtls/sha1.h"
00046 #endif
00047 
00048 #if defined(MBEDTLS_SHA256_C)
00049 #include "mbedtls/sha256.h"
00050 #endif
00051 
00052 #if defined(MBEDTLS_SHA512_C)
00053 #include "mbedtls/sha512.h"
00054 #endif
00055 
00056 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00057 #include "mbedtls/ecjpake.h"
00058 #endif
00059 
00060 #if defined(MBEDTLS_USE_PSA_CRYPTO)
00061 #include "psa/crypto.h"
00062 #include "mbedtls/psa_util.h"
00063 #endif /* MBEDTLS_USE_PSA_CRYPTO */
00064 
00065 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
00066     !defined(inline) && !defined(__cplusplus)
00067 #define inline __inline
00068 #endif
00069 
00070 /* Determine minimum supported version */
00071 #define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
00072 
00073 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00074 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
00075 #else
00076 #if defined(MBEDTLS_SSL_PROTO_TLS1)
00077 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
00078 #else
00079 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
00080 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
00081 #else
00082 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00083 #define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
00084 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00085 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
00086 #endif /* MBEDTLS_SSL_PROTO_TLS1   */
00087 #endif /* MBEDTLS_SSL_PROTO_SSL3   */
00088 
00089 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
00090 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
00091 
00092 /* Determine maximum supported version */
00093 #define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
00094 
00095 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00096 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
00097 #else
00098 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
00099 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
00100 #else
00101 #if defined(MBEDTLS_SSL_PROTO_TLS1)
00102 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
00103 #else
00104 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00105 #define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
00106 #endif /* MBEDTLS_SSL_PROTO_SSL3   */
00107 #endif /* MBEDTLS_SSL_PROTO_TLS1   */
00108 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
00109 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00110 
00111 /* Shorthand for restartable ECC */
00112 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
00113     defined(MBEDTLS_SSL_CLI_C) && \
00114     defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00115     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
00116 #define MBEDTLS_SSL__ECP_RESTARTABLE
00117 #endif
00118 
00119 #define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
00120 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
00121 #define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
00122 #define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
00123 
00124 /*
00125  * DTLS retransmission states, see RFC 6347 4.2.4
00126  *
00127  * The SENDING state is merged in PREPARING for initial sends,
00128  * but is distinct for resends.
00129  *
00130  * Note: initial state is wrong for server, but is not used anyway.
00131  */
00132 #define MBEDTLS_SSL_RETRANS_PREPARING       0
00133 #define MBEDTLS_SSL_RETRANS_SENDING         1
00134 #define MBEDTLS_SSL_RETRANS_WAITING         2
00135 #define MBEDTLS_SSL_RETRANS_FINISHED        3
00136 
00137 /*
00138  * Allow extra bytes for record, authentication and encryption overhead:
00139  * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
00140  * and allow for a maximum of 1024 of compression expansion if
00141  * enabled.
00142  */
00143 #if defined(MBEDTLS_ZLIB_SUPPORT)
00144 #define MBEDTLS_SSL_COMPRESSION_ADD          1024
00145 #else
00146 #define MBEDTLS_SSL_COMPRESSION_ADD             0
00147 #endif
00148 
00149 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||   \
00150     ( defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
00151       ( defined(MBEDTLS_AES_C)      ||                                  \
00152         defined(MBEDTLS_CAMELLIA_C) ||                                  \
00153         defined(MBEDTLS_ARIA_C)     ||                                  \
00154         defined(MBEDTLS_DES_C) ) )
00155 #define MBEDTLS_SSL_SOME_MODES_USE_MAC
00156 #endif
00157 
00158 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
00159 /* Ciphersuites using HMAC */
00160 #if defined(MBEDTLS_SHA512_C)
00161 #define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
00162 #elif defined(MBEDTLS_SHA256_C)
00163 #define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
00164 #else
00165 #define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
00166 #endif
00167 #else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
00168 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
00169 #define MBEDTLS_SSL_MAC_ADD                 16
00170 #endif
00171 
00172 #if defined(MBEDTLS_CIPHER_MODE_CBC)
00173 #define MBEDTLS_SSL_PADDING_ADD            256
00174 #else
00175 #define MBEDTLS_SSL_PADDING_ADD              0
00176 #endif
00177 
00178 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
00179 #define MBEDTLS_SSL_MAX_CID_EXPANSION      MBEDTLS_SSL_CID_PADDING_GRANULARITY
00180 #else
00181 #define MBEDTLS_SSL_MAX_CID_EXPANSION        0
00182 #endif
00183 
00184 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
00185                                        MBEDTLS_MAX_IV_LENGTH +          \
00186                                        MBEDTLS_SSL_MAC_ADD +            \
00187                                        MBEDTLS_SSL_PADDING_ADD +        \
00188                                        MBEDTLS_SSL_MAX_CID_EXPANSION    \
00189                                        )
00190 
00191 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
00192                                      ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
00193 
00194 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
00195                                       ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
00196 
00197 /* The maximum number of buffered handshake messages. */
00198 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
00199 
00200 /* Maximum length we can advertise as our max content length for
00201    RFC 6066 max_fragment_length extension negotiation purposes
00202    (the lesser of both sizes, if they are unequal.)
00203  */
00204 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
00205         (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
00206         ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
00207         : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
00208         )
00209 
00210 /*
00211  * Check that we obey the standard's message size bounds
00212  */
00213 
00214 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
00215 #error "Bad configuration - record content too large."
00216 #endif
00217 
00218 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
00219 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
00220 #endif
00221 
00222 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
00223 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
00224 #endif
00225 
00226 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
00227 #error "Bad configuration - incoming protected record payload too large."
00228 #endif
00229 
00230 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
00231 #error "Bad configuration - outgoing protected record payload too large."
00232 #endif
00233 
00234 /* Calculate buffer sizes */
00235 
00236 /* Note: Even though the TLS record header is only 5 bytes
00237    long, we're internally using 8 bytes to store the
00238    implicit sequence number. */
00239 #define MBEDTLS_SSL_HEADER_LEN 13
00240 
00241 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
00242 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
00243     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
00244 #else
00245 #define MBEDTLS_SSL_IN_BUFFER_LEN  \
00246     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
00247       + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
00248 #endif
00249 
00250 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
00251 #define MBEDTLS_SSL_OUT_BUFFER_LEN  \
00252     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
00253 #else
00254 #define MBEDTLS_SSL_OUT_BUFFER_LEN                               \
00255     ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN )    \
00256       + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
00257 #endif
00258 
00259 #ifdef MBEDTLS_ZLIB_SUPPORT
00260 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
00261 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
00262         ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN )      \
00263         ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
00264         : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
00265         )
00266 #endif
00267 
00268 /*
00269  * TLS extension flags (for extensions with outgoing ServerHello content
00270  * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
00271  * of state of the renegotiation flag, so no indicator is required)
00272  */
00273 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
00274 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
00275 
00276 #ifdef __cplusplus
00277 extern "C" {
00278 #endif
00279 
00280 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00281     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00282 /*
00283  * Abstraction for a grid of allowed signature-hash-algorithm pairs.
00284  */
00285 struct mbedtls_ssl_sig_hash_set_t
00286 {
00287     /* At the moment, we only need to remember a single suitable
00288      * hash algorithm per signature algorithm. As long as that's
00289      * the case - and we don't need a general lookup function -
00290      * we can implement the sig-hash-set as a map from signatures
00291      * to hash algorithms. */
00292     mbedtls_md_type_t rsa;
00293     mbedtls_md_type_t ecdsa;
00294 };
00295 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
00296           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
00297 
00298 typedef int  mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
00299                                      const char *label,
00300                                      const unsigned char *random, size_t rlen,
00301                                      unsigned char *dstbuf, size_t dlen );
00302 /*
00303  * This structure contains the parameters only needed during handshake.
00304  */
00305 struct mbedtls_ssl_handshake_params
00306 {
00307     /*
00308      * Handshake specific crypto variables
00309      */
00310 
00311 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00312     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00313     mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
00314 #endif
00315 #if defined(MBEDTLS_DHM_C)
00316     mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
00317 #endif
00318 #if defined(MBEDTLS_ECDH_C)
00319     mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
00320 
00321 #if defined(MBEDTLS_USE_PSA_CRYPTO)
00322     psa_ecc_curve_t ecdh_psa_curve;
00323     psa_key_handle_t ecdh_psa_privkey;
00324     unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
00325     size_t ecdh_psa_peerkey_len;
00326 #endif /* MBEDTLS_USE_PSA_CRYPTO */
00327 #endif /* MBEDTLS_ECDH_C */
00328 
00329 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00330     mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
00331 #if defined(MBEDTLS_SSL_CLI_C)
00332     unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
00333     size_t ecjpake_cache_len;                   /*!< Length of cached data */
00334 #endif
00335 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
00336 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
00337     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00338     const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
00339 #endif
00340 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
00341 #if defined(MBEDTLS_USE_PSA_CRYPTO)
00342     psa_key_handle_t psk_opaque;        /*!< Opaque PSK from the callback   */
00343 #endif /* MBEDTLS_USE_PSA_CRYPTO */
00344     unsigned char *psk;                 /*!<  PSK from the callback         */
00345     size_t psk_len;                     /*!<  Length of PSK from callback   */
00346 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
00347 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00348     mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
00349 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00350     int sni_authmode;                   /*!< authmode from SNI callback     */
00351     mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
00352     mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
00353     mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
00354 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
00355 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00356 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
00357     int ecrs_enabled;                   /*!< Handshake supports EC restart? */
00358     mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
00359     enum { /* this complements ssl->state with info on intra-state operations */
00360         ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
00361         ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
00362         ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
00363         ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
00364         ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
00365     } ecrs_state;                       /*!< current (or last) operation    */
00366     mbedtls_x509_crt *ecrs_peer_cert;   /*!< The peer's CRT chain.          */
00367     size_t ecrs_n;                      /*!< place for saving a length      */
00368 #endif
00369 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
00370     !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
00371     mbedtls_pk_context peer_pubkey;     /*!< The public key from the peer.  */
00372 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
00373 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00374     unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
00375     unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
00376 
00377     unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
00378                                               Srv: unused                    */
00379     unsigned char verify_cookie_len;    /*!<  Cli: cookie length
00380                                               Srv: flag for sending a cookie */
00381 
00382     uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
00383     unsigned char retransmit_state;     /*!<  Retransmission state           */
00384     mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
00385     mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
00386     unsigned char *cur_msg_p;           /*!<  Position in current message    */
00387     unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
00388                                               flight being received          */
00389     mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
00390                                               resending messages             */
00391     unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
00392                                               for resending messages         */
00393 
00394 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
00395     /* The state of CID configuration in this handshake. */
00396 
00397     uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
00398                          *   has been negotiated. Possible values are
00399                          *   #MBEDTLS_SSL_CID_ENABLED and
00400                          *   #MBEDTLS_SSL_CID_DISABLED. */
00401     unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
00402     uint8_t peer_cid_len;                                  /*!< The length of
00403                                                             *   \c peer_cid.  */
00404 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
00405 
00406     struct
00407     {
00408         size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
00409                                       *   buffers used for message buffering. */
00410 
00411         uint8_t seen_ccs;               /*!< Indicates if a CCS message has
00412                                          *   been seen in the current flight. */
00413 
00414         struct mbedtls_ssl_hs_buffer
00415         {
00416             unsigned is_valid      : 1;
00417             unsigned is_fragmented : 1;
00418             unsigned is_complete   : 1;
00419             unsigned char *data;
00420             size_t data_len;
00421         } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
00422 
00423         struct
00424         {
00425             unsigned char *data;
00426             size_t len;
00427             unsigned epoch;
00428         } future_record;
00429 
00430     } buffering;
00431 
00432     uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
00433 #endif /* MBEDTLS_SSL_PROTO_DTLS */
00434 
00435     /*
00436      * Checksum contexts
00437      */
00438 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
00439     defined(MBEDTLS_SSL_PROTO_TLS1_1)
00440        mbedtls_md5_context fin_md5;
00441       mbedtls_sha1_context fin_sha1;
00442 #endif
00443 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00444 #if defined(MBEDTLS_SHA256_C)
00445 #if defined(MBEDTLS_USE_PSA_CRYPTO)
00446     psa_hash_operation_t fin_sha256_psa;
00447 #else
00448     mbedtls_sha256_context fin_sha256;
00449 #endif
00450 #endif
00451 #if defined(MBEDTLS_SHA512_C)
00452 #if defined(MBEDTLS_USE_PSA_CRYPTO)
00453     psa_hash_operation_t fin_sha384_psa;
00454 #else
00455     mbedtls_sha512_context fin_sha512;
00456 #endif
00457 #endif
00458 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00459 
00460     void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
00461     void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
00462     void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
00463     mbedtls_ssl_tls_prf_cb *tls_prf;
00464 
00465     mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
00466 
00467     size_t pmslen;                      /*!<  premaster length        */
00468 
00469     unsigned char randbytes[64];        /*!<  random bytes            */
00470     unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
00471                                         /*!<  premaster secret        */
00472 
00473     int resume;                         /*!<  session resume indicator*/
00474     int max_major_ver;                  /*!< max. major version client*/
00475     int max_minor_ver;                  /*!< max. minor version client*/
00476     int cli_exts;                       /*!< client extension presence*/
00477 
00478 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
00479     int new_session_ticket;             /*!< use NewSessionTicket?    */
00480 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
00481 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
00482     int extended_ms;                    /*!< use Extended Master Secret? */
00483 #endif
00484 
00485 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
00486     unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
00487 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
00488 
00489 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
00490     /** Asynchronous operation context. This field is meant for use by the
00491      * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
00492      * mbedtls_ssl_config::f_async_decrypt_start,
00493      * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
00494      * The library does not use it internally. */
00495     void *user_async_ctx;
00496 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
00497 };
00498 
00499 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
00500 
00501 /*
00502  * Representation of decryption/encryption transformations on records
00503  *
00504  * There are the following general types of record transformations:
00505  * - Stream transformations (TLS versions <= 1.2 only)
00506  *   Transformation adding a MAC and applying a stream-cipher
00507  *   to the authenticated message.
00508  * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
00509  *   In addition to the distinction of the order of encryption and
00510  *   authentication, there's a fundamental difference between the
00511  *   handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
00512  *   and TLS 1.0, the final IV after processing a record is used
00513  *   as the IV for the next record. No explicit IV is contained
00514  *   in an encrypted record. The IV for the first record is extracted
00515  *   at key extraction time. In contrast, for TLS 1.1 and 1.2, no
00516  *   IV is generated at key extraction time, but every encrypted
00517  *   record is explicitly prefixed by the IV with which it was encrypted.
00518  * - AEAD transformations ([D]TLS versions >= 1.2 only)
00519  *   These come in two fundamentally different versions, the first one
00520  *   used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
00521  *   one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
00522  *   In the first transformation, the IV to be used for a record is obtained
00523  *   as the concatenation of an explicit, static 4-byte IV and the 8-byte
00524  *   record sequence number, and explicitly prepending this sequence number
00525  *   to the encrypted record. In contrast, in the second transformation
00526  *   the IV is obtained by XOR'ing a static IV obtained at key extraction
00527  *   time with the 8-byte record sequence number, without prepending the
00528  *   latter to the encrypted record.
00529  *
00530  * In addition to type and version, the following parameters are relevant:
00531  * - The symmetric cipher algorithm to be used.
00532  * - The (static) encryption/decryption keys for the cipher.
00533  * - For stream/CBC, the type of message digest to be used.
00534  * - For stream/CBC, (static) encryption/decryption keys for the digest.
00535  * - For AEAD transformations, the size (potentially 0) of an explicit,
00536  *   random initialization vector placed in encrypted records.
00537  * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
00538  *   an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
00539  *   and (if present) is combined with the explicit IV in a transformation-
00540  *   dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
00541  * - For stream/CBC, a flag determining the order of encryption and MAC.
00542  * - The details of the transformation depend on the SSL/TLS version.
00543  * - The length of the authentication tag.
00544  *
00545  * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
00546  *       constant across multiple encryption/decryption operations.
00547  *       For CBC, the implicit IV needs to be updated after each
00548  *       operation.
00549  *
00550  * The struct below refines this abstract view as follows:
00551  * - The cipher underlying the transformation is managed in
00552  *   cipher contexts cipher_ctx_{enc/dec}, which must have the
00553  *   same cipher type. The mode of these cipher contexts determines
00554  *   the type of the transformation in the sense above: e.g., if
00555  *   the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
00556  *   then the transformation has type CBC resp. AEAD.
00557  * - The cipher keys are never stored explicitly but
00558  *   are maintained within cipher_ctx_{enc/dec}.
00559  * - For stream/CBC transformations, the message digest contexts
00560  *   used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
00561  *   are unused for AEAD transformations.
00562  * - For stream/CBC transformations and versions > SSL3, the
00563  *   MAC keys are not stored explicitly but maintained within
00564  *   md_ctx_{enc/dec}.
00565  * - For stream/CBC transformations and version SSL3, the MAC
00566  *   keys are stored explicitly in mac_enc, mac_dec and have
00567  *   a fixed size of 20 bytes. These fields are unused for
00568  *   AEAD transformations or transformations >= TLS 1.0.
00569  * - For transformations using an implicit IV maintained within
00570  *   the transformation context, its contents are stored within
00571  *   iv_{enc/dec}.
00572  * - The value of ivlen indicates the length of the IV.
00573  *   This is redundant in case of stream/CBC transformations
00574  *   which always use 0 resp. the cipher's block length as the
00575  *   IV length, but is needed for AEAD ciphers and may be
00576  *   different from the underlying cipher's block length
00577  *   in this case.
00578  * - The field fixed_ivlen is nonzero for AEAD transformations only
00579  *   and indicates the length of the static part of the IV which is
00580  *   constant throughout the communication, and which is stored in
00581  *   the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
00582  *   Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
00583  *   still store IV's for continued use across multiple transformations,
00584  *   so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
00585  *   not being used!
00586  * - minor_ver denotes the SSL/TLS version
00587  * - For stream/CBC transformations, maclen denotes the length of the
00588  *   authentication tag, while taglen is unused and 0.
00589  * - For AEAD transformations, taglen denotes the length of the
00590  *   authentication tag, while maclen is unused and 0.
00591  * - For CBC transformations, encrypt_then_mac determines the
00592  *   order of encryption and authentication. This field is unused
00593  *   in other transformations.
00594  *
00595  */
00596 struct mbedtls_ssl_transform
00597 {
00598     /*
00599      * Session specific crypto layer
00600      */
00601     size_t minlen;                      /*!<  min. ciphertext length  */
00602     size_t ivlen;                       /*!<  IV length               */
00603     size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
00604     size_t maclen;                      /*!<  MAC(CBC) len            */
00605     size_t taglen;                      /*!<  TAG(AEAD) len           */
00606 
00607     unsigned char iv_enc[16];           /*!<  IV (encryption)         */
00608     unsigned char iv_dec[16];           /*!<  IV (decryption)         */
00609 
00610 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
00611 
00612 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00613     /* Needed only for SSL v3.0 secret */
00614     unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
00615     unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
00616 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
00617 
00618     mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
00619     mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
00620 
00621 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
00622     int encrypt_then_mac;       /*!< flag for EtM activation                */
00623 #endif
00624 
00625 #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
00626 
00627     mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
00628     mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
00629     int minor_ver;
00630 
00631 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
00632     uint8_t in_cid_len;
00633     uint8_t out_cid_len;
00634     unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
00635     unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
00636 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
00637 
00638     /*
00639      * Session specific compression layer
00640      */
00641 #if defined(MBEDTLS_ZLIB_SUPPORT)
00642     z_stream ctx_deflate;               /*!<  compression context     */
00643     z_stream ctx_inflate;               /*!<  decompression context   */
00644 #endif
00645 
00646 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
00647     /* We need the Hello random bytes in order to re-derive keys from the
00648      * Master Secret and other session info, see ssl_populate_transform() */
00649     unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
00650 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
00651 };
00652 
00653 /*
00654  * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
00655  * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
00656  */
00657 static inline int mbedtls_ssl_transform_uses_aead(
00658         const mbedtls_ssl_transform *transform )
00659 {
00660 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
00661     return( transform->maclen == 0 && transform->taglen != 0 );
00662 #else
00663     (void) transform;
00664     return( 1 );
00665 #endif
00666 }
00667 
00668 /*
00669  * Internal representation of record frames
00670  *
00671  * Instances come in two flavors:
00672  * (1) Encrypted
00673  *     These always have data_offset = 0
00674  * (2) Unencrypted
00675  *     These have data_offset set to the amount of
00676  *     pre-expansion during record protection. Concretely,
00677  *     this is the length of the fixed part of the explicit IV
00678  *     used for encryption, or 0 if no explicit IV is used
00679  *     (e.g. for CBC in TLS 1.0, or stream ciphers).
00680  *
00681  * The reason for the data_offset in the unencrypted case
00682  * is to allow for in-place conversion of an unencrypted to
00683  * an encrypted record. If the offset wasn't included, the
00684  * encrypted content would need to be shifted afterwards to
00685  * make space for the fixed IV.
00686  *
00687  */
00688 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
00689 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
00690 #else
00691 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
00692 #endif
00693 
00694 typedef struct
00695 {
00696     uint8_t ctr[8];         /* In TLS:  The implicit record sequence number.
00697                              * In DTLS: The 2-byte epoch followed by
00698                              *          the 6-byte sequence number.
00699                              * This is stored as a raw big endian byte array
00700                              * as opposed to a uint64_t because we rarely
00701                              * need to perform arithmetic on this, but do
00702                              * need it as a Byte array for the purpose of
00703                              * MAC computations.                             */
00704     uint8_t type;           /* The record content type.                      */
00705     uint8_t ver[2];         /* SSL/TLS version as present on the wire.
00706                              * Convert to internal presentation of versions
00707                              * using mbedtls_ssl_read_version() and
00708                              * mbedtls_ssl_write_version().
00709                              * Keep wire-format for MAC computations.        */
00710 
00711     unsigned char *buf;     /* Memory buffer enclosing the record content    */
00712     size_t buf_len;         /* Buffer length                                 */
00713     size_t data_offset;     /* Offset of record content                      */
00714     size_t data_len;        /* Length of record content                      */
00715 
00716 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
00717     uint8_t cid_len;        /* Length of the CID (0 if not present)          */
00718     unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID                 */
00719 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
00720 } mbedtls_record;
00721 
00722 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00723 /*
00724  * List of certificate + private key pairs
00725  */
00726 struct mbedtls_ssl_key_cert
00727 {
00728     mbedtls_x509_crt *cert;                 /*!< cert                       */
00729     mbedtls_pk_context *key;                /*!< private key                */
00730     mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
00731 };
00732 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00733 
00734 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00735 /*
00736  * List of handshake messages kept around for resending
00737  */
00738 struct mbedtls_ssl_flight_item
00739 {
00740     unsigned char *p;       /*!< message, including handshake headers   */
00741     size_t len;             /*!< length of p                            */
00742     unsigned char type;     /*!< type of the message: handshake or CCS  */
00743     mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
00744 };
00745 #endif /* MBEDTLS_SSL_PROTO_DTLS */
00746 
00747 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00748     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00749 
00750 /* Find an entry in a signature-hash set matching a given hash algorithm. */
00751 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
00752                                                  mbedtls_pk_type_t sig_alg );
00753 /* Add a signature-hash-pair to a signature-hash set */
00754 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
00755                                    mbedtls_pk_type_t sig_alg,
00756                                    mbedtls_md_type_t md_alg );
00757 /* Allow exactly one hash algorithm for each signature. */
00758 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
00759                                           mbedtls_md_type_t md_alg );
00760 
00761 /* Setup an empty signature-hash set */
00762 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
00763 {
00764     mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
00765 }
00766 
00767 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
00768           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
00769 
00770 /**
00771  * \brief           Free referenced items in an SSL transform context and clear
00772  *                  memory
00773  *
00774  * \param transform SSL transform context
00775  */
00776 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
00777 
00778 /**
00779  * \brief           Free referenced items in an SSL handshake context and clear
00780  *                  memory
00781  *
00782  * \param ssl       SSL context
00783  */
00784 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
00785 
00786 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
00787 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
00788 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
00789 
00790 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
00791 
00792 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
00793 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
00794 
00795 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
00796 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
00797 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
00798 
00799 /**
00800  * \brief       Update record layer
00801  *
00802  *              This function roughly separates the implementation
00803  *              of the logic of (D)TLS from the implementation
00804  *              of the secure transport.
00805  *
00806  * \param  ssl              The SSL context to use.
00807  * \param  update_hs_digest This indicates if the handshake digest
00808  *                          should be automatically updated in case
00809  *                          a handshake message is found.
00810  *
00811  * \return      0 or non-zero error code.
00812  *
00813  * \note        A clarification on what is called 'record layer' here
00814  *              is in order, as many sensible definitions are possible:
00815  *
00816  *              The record layer takes as input an untrusted underlying
00817  *              transport (stream or datagram) and transforms it into
00818  *              a serially multiplexed, secure transport, which
00819  *              conceptually provides the following:
00820  *
00821  *              (1) Three datagram based, content-agnostic transports
00822  *                  for handshake, alert and CCS messages.
00823  *              (2) One stream- or datagram-based transport
00824  *                  for application data.
00825  *              (3) Functionality for changing the underlying transform
00826  *                  securing the contents.
00827  *
00828  *              The interface to this functionality is given as follows:
00829  *
00830  *              a Updating
00831  *                [Currently implemented by mbedtls_ssl_read_record]
00832  *
00833  *                Check if and on which of the four 'ports' data is pending:
00834  *                Nothing, a controlling datagram of type (1), or application
00835  *                data (2). In any case data is present, internal buffers
00836  *                provide access to the data for the user to process it.
00837  *                Consumption of type (1) datagrams is done automatically
00838  *                on the next update, invalidating that the internal buffers
00839  *                for previous datagrams, while consumption of application
00840  *                data (2) is user-controlled.
00841  *
00842  *              b Reading of application data
00843  *                [Currently manual adaption of ssl->in_offt pointer]
00844  *
00845  *                As mentioned in the last paragraph, consumption of data
00846  *                is different from the automatic consumption of control
00847  *                datagrams (1) because application data is treated as a stream.
00848  *
00849  *              c Tracking availability of application data
00850  *                [Currently manually through decreasing ssl->in_msglen]
00851  *
00852  *                For efficiency and to retain datagram semantics for
00853  *                application data in case of DTLS, the record layer
00854  *                provides functionality for checking how much application
00855  *                data is still available in the internal buffer.
00856  *
00857  *              d Changing the transformation securing the communication.
00858  *
00859  *              Given an opaque implementation of the record layer in the
00860  *              above sense, it should be possible to implement the logic
00861  *              of (D)TLS on top of it without the need to know anything
00862  *              about the record layer's internals. This is done e.g.
00863  *              in all the handshake handling functions, and in the
00864  *              application data reading function mbedtls_ssl_read.
00865  *
00866  * \note        The above tries to give a conceptual picture of the
00867  *              record layer, but the current implementation deviates
00868  *              from it in some places. For example, our implementation of
00869  *              the update functionality through mbedtls_ssl_read_record
00870  *              discards datagrams depending on the current state, which
00871  *              wouldn't fall under the record layer's responsibility
00872  *              following the above definition.
00873  *
00874  */
00875 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
00876                              unsigned update_hs_digest );
00877 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
00878 
00879 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
00880 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
00881 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
00882 
00883 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
00884 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
00885 
00886 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
00887 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
00888 
00889 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
00890 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
00891 
00892 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
00893                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
00894 
00895 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
00896 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
00897 #endif
00898 
00899 #if defined(MBEDTLS_PK_C)
00900 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
00901 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
00902 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
00903 #endif
00904 
00905 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
00906 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
00907 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
00908 
00909 #if defined(MBEDTLS_ECP_C)
00910 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
00911 #endif
00912 
00913 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00914 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
00915                                 mbedtls_md_type_t md );
00916 #endif
00917 
00918 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00919 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
00920 {
00921     mbedtls_ssl_key_cert *key_cert;
00922 
00923     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
00924         key_cert = ssl->handshake->key_cert;
00925     else
00926         key_cert = ssl->conf->key_cert;
00927 
00928     return( key_cert == NULL ? NULL : key_cert->key );
00929 }
00930 
00931 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
00932 {
00933     mbedtls_ssl_key_cert *key_cert;
00934 
00935     if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
00936         key_cert = ssl->handshake->key_cert;
00937     else
00938         key_cert = ssl->conf->key_cert;
00939 
00940     return( key_cert == NULL ? NULL : key_cert->cert );
00941 }
00942 
00943 /*
00944  * Check usage of a certificate wrt extensions:
00945  * keyUsage, extendedKeyUsage (later), and nSCertType (later).
00946  *
00947  * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
00948  * check a cert we received from them)!
00949  *
00950  * Return 0 if everything is OK, -1 if not.
00951  */
00952 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
00953                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
00954                           int cert_endpoint,
00955                           uint32_t *flags );
00956 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00957 
00958 void mbedtls_ssl_write_version( int major, int minor, int transport,
00959                         unsigned char ver[2] );
00960 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
00961                        const unsigned char ver[2] );
00962 
00963 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
00964 {
00965 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
00966     ((void) ssl);
00967 #endif
00968 
00969 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00970     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
00971     {
00972         return( 13 );
00973     }
00974     else
00975 #endif /* MBEDTLS_SSL_PROTO_DTLS */
00976     {
00977         return( 5 );
00978     }
00979 }
00980 
00981 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
00982 {
00983     return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
00984 }
00985 
00986 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
00987 {
00988 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00989     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
00990         return( 12 );
00991 #else
00992     ((void) ssl);
00993 #endif
00994     return( 4 );
00995 }
00996 
00997 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00998 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
00999 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
01000 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
01001 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
01002 #endif
01003 
01004 /* Visible for testing purposes only */
01005 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01006 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
01007 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
01008 #endif
01009 
01010 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
01011                               const mbedtls_ssl_session *src );
01012 
01013 /* constant-time buffer comparison */
01014 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
01015 {
01016     size_t i;
01017     volatile const unsigned char *A = (volatile const unsigned char *) a;
01018     volatile const unsigned char *B = (volatile const unsigned char *) b;
01019     volatile unsigned char diff = 0;
01020 
01021     for( i = 0; i < n; i++ )
01022     {
01023         /* Read volatile data in order before computing diff.
01024          * This avoids IAR compiler warning:
01025          * 'the order of volatile accesses is undefined ..' */
01026         unsigned char x = A[i], y = B[i];
01027         diff |= x ^ y;
01028     }
01029 
01030     return( diff );
01031 }
01032 
01033 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
01034     defined(MBEDTLS_SSL_PROTO_TLS1_1)
01035 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
01036                                         unsigned char *output,
01037                                         unsigned char *data, size_t data_len );
01038 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
01039           MBEDTLS_SSL_PROTO_TLS1_1 */
01040 
01041 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
01042     defined(MBEDTLS_SSL_PROTO_TLS1_2)
01043 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
01044 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
01045                                             unsigned char *hash, size_t *hashlen,
01046                                             unsigned char *data, size_t data_len,
01047                                             mbedtls_md_type_t md_alg );
01048 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
01049           MBEDTLS_SSL_PROTO_TLS1_2 */
01050 
01051 #ifdef __cplusplus
01052 }
01053 #endif
01054 
01055 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
01056 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
01057                              mbedtls_ssl_transform *transform,
01058                              mbedtls_record *rec,
01059                              int (*f_rng)(void *, unsigned char *, size_t),
01060                              void *p_rng );
01061 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
01062                              mbedtls_ssl_transform *transform,
01063                              mbedtls_record *rec );
01064 
01065 #endif /* ssl_internal.h */