Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
ssl_internal.h
00001 /** 00002 * \file ssl_internal.h 00003 * 00004 * \brief Internal functions shared by the SSL modules 00005 */ 00006 /* 00007 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00008 * SPDX-License-Identifier: Apache-2.0 00009 * 00010 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00011 * not use this file except in compliance with the License. 00012 * You may obtain a copy of the License at 00013 * 00014 * http://www.apache.org/licenses/LICENSE-2.0 00015 * 00016 * Unless required by applicable law or agreed to in writing, software 00017 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00018 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00019 * See the License for the specific language governing permissions and 00020 * limitations under the License. 00021 * 00022 * This file is part of mbed TLS (https://tls.mbed.org) 00023 */ 00024 #ifndef MBEDTLS_SSL_INTERNAL_H 00025 #define MBEDTLS_SSL_INTERNAL_H 00026 00027 #if !defined(MBEDTLS_CONFIG_FILE) 00028 #include "mbedtls/config.h" 00029 #else 00030 #include MBEDTLS_CONFIG_FILE 00031 #endif 00032 00033 #include "mbedtls/ssl.h" 00034 #include "mbedtls/cipher.h" 00035 00036 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00037 #include "psa/crypto.h" 00038 #endif 00039 00040 #if defined(MBEDTLS_MD5_C) 00041 #include "mbedtls/md5.h" 00042 #endif 00043 00044 #if defined(MBEDTLS_SHA1_C) 00045 #include "mbedtls/sha1.h" 00046 #endif 00047 00048 #if defined(MBEDTLS_SHA256_C) 00049 #include "mbedtls/sha256.h" 00050 #endif 00051 00052 #if defined(MBEDTLS_SHA512_C) 00053 #include "mbedtls/sha512.h" 00054 #endif 00055 00056 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00057 #include "mbedtls/ecjpake.h" 00058 #endif 00059 00060 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00061 #include "psa/crypto.h" 00062 #include "mbedtls/psa_util.h" 00063 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00064 00065 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ 00066 !defined(inline) && !defined(__cplusplus) 00067 #define inline __inline 00068 #endif 00069 00070 /* Determine minimum supported version */ 00071 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 00072 00073 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00074 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0 00075 #else 00076 #if defined(MBEDTLS_SSL_PROTO_TLS1) 00077 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 00078 #else 00079 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) 00080 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 00081 #else 00082 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00083 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 00084 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00085 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ 00086 #endif /* MBEDTLS_SSL_PROTO_TLS1 */ 00087 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00088 00089 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 00090 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 00091 00092 /* Determine maximum supported version */ 00093 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 00094 00095 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00096 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 00097 #else 00098 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) 00099 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 00100 #else 00101 #if defined(MBEDTLS_SSL_PROTO_TLS1) 00102 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 00103 #else 00104 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00105 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0 00106 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00107 #endif /* MBEDTLS_SSL_PROTO_TLS1 */ 00108 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ 00109 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00110 00111 /* Shorthand for restartable ECC */ 00112 #if defined(MBEDTLS_ECP_RESTARTABLE) && \ 00113 defined(MBEDTLS_SSL_CLI_C) && \ 00114 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00115 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 00116 #define MBEDTLS_SSL__ECP_RESTARTABLE 00117 #endif 00118 00119 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 00120 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ 00121 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ 00122 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ 00123 00124 /* 00125 * DTLS retransmission states, see RFC 6347 4.2.4 00126 * 00127 * The SENDING state is merged in PREPARING for initial sends, 00128 * but is distinct for resends. 00129 * 00130 * Note: initial state is wrong for server, but is not used anyway. 00131 */ 00132 #define MBEDTLS_SSL_RETRANS_PREPARING 0 00133 #define MBEDTLS_SSL_RETRANS_SENDING 1 00134 #define MBEDTLS_SSL_RETRANS_WAITING 2 00135 #define MBEDTLS_SSL_RETRANS_FINISHED 3 00136 00137 /* 00138 * Allow extra bytes for record, authentication and encryption overhead: 00139 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256) 00140 * and allow for a maximum of 1024 of compression expansion if 00141 * enabled. 00142 */ 00143 #if defined(MBEDTLS_ZLIB_SUPPORT) 00144 #define MBEDTLS_SSL_COMPRESSION_ADD 1024 00145 #else 00146 #define MBEDTLS_SSL_COMPRESSION_ADD 0 00147 #endif 00148 00149 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ 00150 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ 00151 ( defined(MBEDTLS_AES_C) || \ 00152 defined(MBEDTLS_CAMELLIA_C) || \ 00153 defined(MBEDTLS_ARIA_C) || \ 00154 defined(MBEDTLS_DES_C) ) ) 00155 #define MBEDTLS_SSL_SOME_MODES_USE_MAC 00156 #endif 00157 00158 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) 00159 /* Ciphersuites using HMAC */ 00160 #if defined(MBEDTLS_SHA512_C) 00161 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ 00162 #elif defined(MBEDTLS_SHA256_C) 00163 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ 00164 #else 00165 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ 00166 #endif 00167 #else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ 00168 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ 00169 #define MBEDTLS_SSL_MAC_ADD 16 00170 #endif 00171 00172 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00173 #define MBEDTLS_SSL_PADDING_ADD 256 00174 #else 00175 #define MBEDTLS_SSL_PADDING_ADD 0 00176 #endif 00177 00178 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00179 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY 00180 #else 00181 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 00182 #endif 00183 00184 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \ 00185 MBEDTLS_MAX_IV_LENGTH + \ 00186 MBEDTLS_SSL_MAC_ADD + \ 00187 MBEDTLS_SSL_PADDING_ADD + \ 00188 MBEDTLS_SSL_MAX_CID_EXPANSION \ 00189 ) 00190 00191 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 00192 ( MBEDTLS_SSL_IN_CONTENT_LEN ) ) 00193 00194 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 00195 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) ) 00196 00197 /* The maximum number of buffered handshake messages. */ 00198 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 00199 00200 /* Maximum length we can advertise as our max content length for 00201 RFC 6066 max_fragment_length extension negotiation purposes 00202 (the lesser of both sizes, if they are unequal.) 00203 */ 00204 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ 00205 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ 00206 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \ 00207 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \ 00208 ) 00209 00210 /* 00211 * Check that we obey the standard's message size bounds 00212 */ 00213 00214 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384 00215 #error "Bad configuration - record content too large." 00216 #endif 00217 00218 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN 00219 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." 00220 #endif 00221 00222 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN 00223 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN." 00224 #endif 00225 00226 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 00227 #error "Bad configuration - incoming protected record payload too large." 00228 #endif 00229 00230 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048 00231 #error "Bad configuration - outgoing protected record payload too large." 00232 #endif 00233 00234 /* Calculate buffer sizes */ 00235 00236 /* Note: Even though the TLS record header is only 5 bytes 00237 long, we're internally using 8 bytes to store the 00238 implicit sequence number. */ 00239 #define MBEDTLS_SSL_HEADER_LEN 13 00240 00241 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00242 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 00243 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) ) 00244 #else 00245 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 00246 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \ 00247 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) ) 00248 #endif 00249 00250 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00251 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 00252 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) ) 00253 #else 00254 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 00255 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \ 00256 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) ) 00257 #endif 00258 00259 #ifdef MBEDTLS_ZLIB_SUPPORT 00260 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */ 00261 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \ 00262 ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \ 00263 ? MBEDTLS_SSL_IN_BUFFER_LEN \ 00264 : MBEDTLS_SSL_OUT_BUFFER_LEN \ 00265 ) 00266 #endif 00267 00268 /* 00269 * TLS extension flags (for extensions with outgoing ServerHello content 00270 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because 00271 * of state of the renegotiation flag, so no indicator is required) 00272 */ 00273 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) 00274 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) 00275 00276 #ifdef __cplusplus 00277 extern "C" { 00278 #endif 00279 00280 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00281 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00282 /* 00283 * Abstraction for a grid of allowed signature-hash-algorithm pairs. 00284 */ 00285 struct mbedtls_ssl_sig_hash_set_t 00286 { 00287 /* At the moment, we only need to remember a single suitable 00288 * hash algorithm per signature algorithm. As long as that's 00289 * the case - and we don't need a general lookup function - 00290 * we can implement the sig-hash-set as a map from signatures 00291 * to hash algorithms. */ 00292 mbedtls_md_type_t rsa; 00293 mbedtls_md_type_t ecdsa; 00294 }; 00295 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00296 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00297 00298 typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, 00299 const char *label, 00300 const unsigned char *random, size_t rlen, 00301 unsigned char *dstbuf, size_t dlen ); 00302 /* 00303 * This structure contains the parameters only needed during handshake. 00304 */ 00305 struct mbedtls_ssl_handshake_params 00306 { 00307 /* 00308 * Handshake specific crypto variables 00309 */ 00310 00311 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00312 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00313 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */ 00314 #endif 00315 #if defined(MBEDTLS_DHM_C) 00316 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ 00317 #endif 00318 #if defined(MBEDTLS_ECDH_C) 00319 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ 00320 00321 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00322 psa_ecc_curve_t ecdh_psa_curve; 00323 psa_key_handle_t ecdh_psa_privkey; 00324 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; 00325 size_t ecdh_psa_peerkey_len; 00326 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00327 #endif /* MBEDTLS_ECDH_C */ 00328 00329 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00330 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ 00331 #if defined(MBEDTLS_SSL_CLI_C) 00332 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ 00333 size_t ecjpake_cache_len; /*!< Length of cached data */ 00334 #endif 00335 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00336 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00337 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00338 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ 00339 #endif 00340 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00341 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00342 psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */ 00343 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 00344 unsigned char *psk; /*!< PSK from the callback */ 00345 size_t psk_len; /*!< Length of PSK from callback */ 00346 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 00347 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00348 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ 00349 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00350 int sni_authmode; /*!< authmode from SNI callback */ 00351 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ 00352 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ 00353 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ 00354 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00355 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00356 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 00357 int ecrs_enabled; /*!< Handshake supports EC restart? */ 00358 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ 00359 enum { /* this complements ssl->state with info on intra-state operations */ 00360 ssl_ecrs_none = 0, /*!< nothing going on (yet) */ 00361 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ 00362 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ 00363 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ 00364 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ 00365 } ecrs_state; /*!< current (or last) operation */ 00366 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ 00367 size_t ecrs_n; /*!< place for saving a length */ 00368 #endif 00369 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 00370 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 00371 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ 00372 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 00373 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00374 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ 00375 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ 00376 00377 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie 00378 Srv: unused */ 00379 unsigned char verify_cookie_len; /*!< Cli: cookie length 00380 Srv: flag for sending a cookie */ 00381 00382 uint32_t retransmit_timeout; /*!< Current value of timeout */ 00383 unsigned char retransmit_state; /*!< Retransmission state */ 00384 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ 00385 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ 00386 unsigned char *cur_msg_p; /*!< Position in current message */ 00387 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the 00388 flight being received */ 00389 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for 00390 resending messages */ 00391 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter 00392 for resending messages */ 00393 00394 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00395 /* The state of CID configuration in this handshake. */ 00396 00397 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension 00398 * has been negotiated. Possible values are 00399 * #MBEDTLS_SSL_CID_ENABLED and 00400 * #MBEDTLS_SSL_CID_DISABLED. */ 00401 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */ 00402 uint8_t peer_cid_len; /*!< The length of 00403 * \c peer_cid. */ 00404 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 00405 00406 struct 00407 { 00408 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated 00409 * buffers used for message buffering. */ 00410 00411 uint8_t seen_ccs; /*!< Indicates if a CCS message has 00412 * been seen in the current flight. */ 00413 00414 struct mbedtls_ssl_hs_buffer 00415 { 00416 unsigned is_valid : 1; 00417 unsigned is_fragmented : 1; 00418 unsigned is_complete : 1; 00419 unsigned char *data; 00420 size_t data_len; 00421 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; 00422 00423 struct 00424 { 00425 unsigned char *data; 00426 size_t len; 00427 unsigned epoch; 00428 } future_record; 00429 00430 } buffering; 00431 00432 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ 00433 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00434 00435 /* 00436 * Checksum contexts 00437 */ 00438 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 00439 defined(MBEDTLS_SSL_PROTO_TLS1_1) 00440 mbedtls_md5_context fin_md5; 00441 mbedtls_sha1_context fin_sha1; 00442 #endif 00443 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00444 #if defined(MBEDTLS_SHA256_C) 00445 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00446 psa_hash_operation_t fin_sha256_psa; 00447 #else 00448 mbedtls_sha256_context fin_sha256; 00449 #endif 00450 #endif 00451 #if defined(MBEDTLS_SHA512_C) 00452 #if defined(MBEDTLS_USE_PSA_CRYPTO) 00453 psa_hash_operation_t fin_sha384_psa; 00454 #else 00455 mbedtls_sha512_context fin_sha512; 00456 #endif 00457 #endif 00458 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00459 00460 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); 00461 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); 00462 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); 00463 mbedtls_ssl_tls_prf_cb *tls_prf; 00464 00465 mbedtls_ssl_ciphersuite_t const *ciphersuite_info; 00466 00467 size_t pmslen; /*!< premaster length */ 00468 00469 unsigned char randbytes[64]; /*!< random bytes */ 00470 unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; 00471 /*!< premaster secret */ 00472 00473 int resume; /*!< session resume indicator*/ 00474 int max_major_ver; /*!< max. major version client*/ 00475 int max_minor_ver; /*!< max. minor version client*/ 00476 int cli_exts; /*!< client extension presence*/ 00477 00478 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00479 int new_session_ticket; /*!< use NewSessionTicket? */ 00480 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00481 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00482 int extended_ms; /*!< use Extended Master Secret? */ 00483 #endif 00484 00485 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 00486 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */ 00487 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 00488 00489 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 00490 /** Asynchronous operation context. This field is meant for use by the 00491 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, 00492 * mbedtls_ssl_config::f_async_decrypt_start, 00493 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). 00494 * The library does not use it internally. */ 00495 void *user_async_ctx; 00496 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 00497 }; 00498 00499 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; 00500 00501 /* 00502 * Representation of decryption/encryption transformations on records 00503 * 00504 * There are the following general types of record transformations: 00505 * - Stream transformations (TLS versions <= 1.2 only) 00506 * Transformation adding a MAC and applying a stream-cipher 00507 * to the authenticated message. 00508 * - CBC block cipher transformations ([D]TLS versions <= 1.2 only) 00509 * In addition to the distinction of the order of encryption and 00510 * authentication, there's a fundamental difference between the 00511 * handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3 00512 * and TLS 1.0, the final IV after processing a record is used 00513 * as the IV for the next record. No explicit IV is contained 00514 * in an encrypted record. The IV for the first record is extracted 00515 * at key extraction time. In contrast, for TLS 1.1 and 1.2, no 00516 * IV is generated at key extraction time, but every encrypted 00517 * record is explicitly prefixed by the IV with which it was encrypted. 00518 * - AEAD transformations ([D]TLS versions >= 1.2 only) 00519 * These come in two fundamentally different versions, the first one 00520 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second 00521 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. 00522 * In the first transformation, the IV to be used for a record is obtained 00523 * as the concatenation of an explicit, static 4-byte IV and the 8-byte 00524 * record sequence number, and explicitly prepending this sequence number 00525 * to the encrypted record. In contrast, in the second transformation 00526 * the IV is obtained by XOR'ing a static IV obtained at key extraction 00527 * time with the 8-byte record sequence number, without prepending the 00528 * latter to the encrypted record. 00529 * 00530 * In addition to type and version, the following parameters are relevant: 00531 * - The symmetric cipher algorithm to be used. 00532 * - The (static) encryption/decryption keys for the cipher. 00533 * - For stream/CBC, the type of message digest to be used. 00534 * - For stream/CBC, (static) encryption/decryption keys for the digest. 00535 * - For AEAD transformations, the size (potentially 0) of an explicit, 00536 * random initialization vector placed in encrypted records. 00537 * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0) 00538 * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC) 00539 * and (if present) is combined with the explicit IV in a transformation- 00540 * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). 00541 * - For stream/CBC, a flag determining the order of encryption and MAC. 00542 * - The details of the transformation depend on the SSL/TLS version. 00543 * - The length of the authentication tag. 00544 * 00545 * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are 00546 * constant across multiple encryption/decryption operations. 00547 * For CBC, the implicit IV needs to be updated after each 00548 * operation. 00549 * 00550 * The struct below refines this abstract view as follows: 00551 * - The cipher underlying the transformation is managed in 00552 * cipher contexts cipher_ctx_{enc/dec}, which must have the 00553 * same cipher type. The mode of these cipher contexts determines 00554 * the type of the transformation in the sense above: e.g., if 00555 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM 00556 * then the transformation has type CBC resp. AEAD. 00557 * - The cipher keys are never stored explicitly but 00558 * are maintained within cipher_ctx_{enc/dec}. 00559 * - For stream/CBC transformations, the message digest contexts 00560 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts 00561 * are unused for AEAD transformations. 00562 * - For stream/CBC transformations and versions > SSL3, the 00563 * MAC keys are not stored explicitly but maintained within 00564 * md_ctx_{enc/dec}. 00565 * - For stream/CBC transformations and version SSL3, the MAC 00566 * keys are stored explicitly in mac_enc, mac_dec and have 00567 * a fixed size of 20 bytes. These fields are unused for 00568 * AEAD transformations or transformations >= TLS 1.0. 00569 * - For transformations using an implicit IV maintained within 00570 * the transformation context, its contents are stored within 00571 * iv_{enc/dec}. 00572 * - The value of ivlen indicates the length of the IV. 00573 * This is redundant in case of stream/CBC transformations 00574 * which always use 0 resp. the cipher's block length as the 00575 * IV length, but is needed for AEAD ciphers and may be 00576 * different from the underlying cipher's block length 00577 * in this case. 00578 * - The field fixed_ivlen is nonzero for AEAD transformations only 00579 * and indicates the length of the static part of the IV which is 00580 * constant throughout the communication, and which is stored in 00581 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. 00582 * Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec} 00583 * still store IV's for continued use across multiple transformations, 00584 * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are 00585 * not being used! 00586 * - minor_ver denotes the SSL/TLS version 00587 * - For stream/CBC transformations, maclen denotes the length of the 00588 * authentication tag, while taglen is unused and 0. 00589 * - For AEAD transformations, taglen denotes the length of the 00590 * authentication tag, while maclen is unused and 0. 00591 * - For CBC transformations, encrypt_then_mac determines the 00592 * order of encryption and authentication. This field is unused 00593 * in other transformations. 00594 * 00595 */ 00596 struct mbedtls_ssl_transform 00597 { 00598 /* 00599 * Session specific crypto layer 00600 */ 00601 size_t minlen; /*!< min. ciphertext length */ 00602 size_t ivlen; /*!< IV length */ 00603 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ 00604 size_t maclen; /*!< MAC(CBC) len */ 00605 size_t taglen; /*!< TAG(AEAD) len */ 00606 00607 unsigned char iv_enc[16]; /*!< IV (encryption) */ 00608 unsigned char iv_dec[16]; /*!< IV (decryption) */ 00609 00610 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) 00611 00612 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00613 /* Needed only for SSL v3.0 secret */ 00614 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */ 00615 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */ 00616 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00617 00618 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ 00619 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ 00620 00621 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00622 int encrypt_then_mac; /*!< flag for EtM activation */ 00623 #endif 00624 00625 #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ 00626 00627 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ 00628 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ 00629 int minor_ver; 00630 00631 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00632 uint8_t in_cid_len; 00633 uint8_t out_cid_len; 00634 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; 00635 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; 00636 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 00637 00638 /* 00639 * Session specific compression layer 00640 */ 00641 #if defined(MBEDTLS_ZLIB_SUPPORT) 00642 z_stream ctx_deflate; /*!< compression context */ 00643 z_stream ctx_inflate; /*!< decompression context */ 00644 #endif 00645 00646 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 00647 /* We need the Hello random bytes in order to re-derive keys from the 00648 * Master Secret and other session info, see ssl_populate_transform() */ 00649 unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */ 00650 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 00651 }; 00652 00653 /* 00654 * Return 1 if the transform uses an AEAD cipher, 0 otherwise. 00655 * Equivalently, return 0 if a separate MAC is used, 1 otherwise. 00656 */ 00657 static inline int mbedtls_ssl_transform_uses_aead( 00658 const mbedtls_ssl_transform *transform ) 00659 { 00660 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) 00661 return( transform->maclen == 0 && transform->taglen != 0 ); 00662 #else 00663 (void) transform; 00664 return( 1 ); 00665 #endif 00666 } 00667 00668 /* 00669 * Internal representation of record frames 00670 * 00671 * Instances come in two flavors: 00672 * (1) Encrypted 00673 * These always have data_offset = 0 00674 * (2) Unencrypted 00675 * These have data_offset set to the amount of 00676 * pre-expansion during record protection. Concretely, 00677 * this is the length of the fixed part of the explicit IV 00678 * used for encryption, or 0 if no explicit IV is used 00679 * (e.g. for CBC in TLS 1.0, or stream ciphers). 00680 * 00681 * The reason for the data_offset in the unencrypted case 00682 * is to allow for in-place conversion of an unencrypted to 00683 * an encrypted record. If the offset wasn't included, the 00684 * encrypted content would need to be shifted afterwards to 00685 * make space for the fixed IV. 00686 * 00687 */ 00688 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX 00689 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX 00690 #else 00691 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX 00692 #endif 00693 00694 typedef struct 00695 { 00696 uint8_t ctr[8]; /* In TLS: The implicit record sequence number. 00697 * In DTLS: The 2-byte epoch followed by 00698 * the 6-byte sequence number. 00699 * This is stored as a raw big endian byte array 00700 * as opposed to a uint64_t because we rarely 00701 * need to perform arithmetic on this, but do 00702 * need it as a Byte array for the purpose of 00703 * MAC computations. */ 00704 uint8_t type; /* The record content type. */ 00705 uint8_t ver[2]; /* SSL/TLS version as present on the wire. 00706 * Convert to internal presentation of versions 00707 * using mbedtls_ssl_read_version() and 00708 * mbedtls_ssl_write_version(). 00709 * Keep wire-format for MAC computations. */ 00710 00711 unsigned char *buf; /* Memory buffer enclosing the record content */ 00712 size_t buf_len; /* Buffer length */ 00713 size_t data_offset; /* Offset of record content */ 00714 size_t data_len; /* Length of record content */ 00715 00716 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 00717 uint8_t cid_len; /* Length of the CID (0 if not present) */ 00718 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */ 00719 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 00720 } mbedtls_record; 00721 00722 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00723 /* 00724 * List of certificate + private key pairs 00725 */ 00726 struct mbedtls_ssl_key_cert 00727 { 00728 mbedtls_x509_crt *cert; /*!< cert */ 00729 mbedtls_pk_context *key; /*!< private key */ 00730 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ 00731 }; 00732 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00733 00734 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00735 /* 00736 * List of handshake messages kept around for resending 00737 */ 00738 struct mbedtls_ssl_flight_item 00739 { 00740 unsigned char *p; /*!< message, including handshake headers */ 00741 size_t len; /*!< length of p */ 00742 unsigned char type; /*!< type of the message: handshake or CCS */ 00743 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ 00744 }; 00745 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00746 00747 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00748 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00749 00750 /* Find an entry in a signature-hash set matching a given hash algorithm. */ 00751 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set, 00752 mbedtls_pk_type_t sig_alg ); 00753 /* Add a signature-hash-pair to a signature-hash set */ 00754 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set, 00755 mbedtls_pk_type_t sig_alg, 00756 mbedtls_md_type_t md_alg ); 00757 /* Allow exactly one hash algorithm for each signature. */ 00758 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set, 00759 mbedtls_md_type_t md_alg ); 00760 00761 /* Setup an empty signature-hash set */ 00762 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set ) 00763 { 00764 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE ); 00765 } 00766 00767 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) && 00768 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00769 00770 /** 00771 * \brief Free referenced items in an SSL transform context and clear 00772 * memory 00773 * 00774 * \param transform SSL transform context 00775 */ 00776 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ); 00777 00778 /** 00779 * \brief Free referenced items in an SSL handshake context and clear 00780 * memory 00781 * 00782 * \param ssl SSL context 00783 */ 00784 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ); 00785 00786 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ); 00787 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ); 00788 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ); 00789 00790 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ); 00791 00792 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ); 00793 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ); 00794 00795 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ); 00796 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ); 00797 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ); 00798 00799 /** 00800 * \brief Update record layer 00801 * 00802 * This function roughly separates the implementation 00803 * of the logic of (D)TLS from the implementation 00804 * of the secure transport. 00805 * 00806 * \param ssl The SSL context to use. 00807 * \param update_hs_digest This indicates if the handshake digest 00808 * should be automatically updated in case 00809 * a handshake message is found. 00810 * 00811 * \return 0 or non-zero error code. 00812 * 00813 * \note A clarification on what is called 'record layer' here 00814 * is in order, as many sensible definitions are possible: 00815 * 00816 * The record layer takes as input an untrusted underlying 00817 * transport (stream or datagram) and transforms it into 00818 * a serially multiplexed, secure transport, which 00819 * conceptually provides the following: 00820 * 00821 * (1) Three datagram based, content-agnostic transports 00822 * for handshake, alert and CCS messages. 00823 * (2) One stream- or datagram-based transport 00824 * for application data. 00825 * (3) Functionality for changing the underlying transform 00826 * securing the contents. 00827 * 00828 * The interface to this functionality is given as follows: 00829 * 00830 * a Updating 00831 * [Currently implemented by mbedtls_ssl_read_record] 00832 * 00833 * Check if and on which of the four 'ports' data is pending: 00834 * Nothing, a controlling datagram of type (1), or application 00835 * data (2). In any case data is present, internal buffers 00836 * provide access to the data for the user to process it. 00837 * Consumption of type (1) datagrams is done automatically 00838 * on the next update, invalidating that the internal buffers 00839 * for previous datagrams, while consumption of application 00840 * data (2) is user-controlled. 00841 * 00842 * b Reading of application data 00843 * [Currently manual adaption of ssl->in_offt pointer] 00844 * 00845 * As mentioned in the last paragraph, consumption of data 00846 * is different from the automatic consumption of control 00847 * datagrams (1) because application data is treated as a stream. 00848 * 00849 * c Tracking availability of application data 00850 * [Currently manually through decreasing ssl->in_msglen] 00851 * 00852 * For efficiency and to retain datagram semantics for 00853 * application data in case of DTLS, the record layer 00854 * provides functionality for checking how much application 00855 * data is still available in the internal buffer. 00856 * 00857 * d Changing the transformation securing the communication. 00858 * 00859 * Given an opaque implementation of the record layer in the 00860 * above sense, it should be possible to implement the logic 00861 * of (D)TLS on top of it without the need to know anything 00862 * about the record layer's internals. This is done e.g. 00863 * in all the handshake handling functions, and in the 00864 * application data reading function mbedtls_ssl_read. 00865 * 00866 * \note The above tries to give a conceptual picture of the 00867 * record layer, but the current implementation deviates 00868 * from it in some places. For example, our implementation of 00869 * the update functionality through mbedtls_ssl_read_record 00870 * discards datagrams depending on the current state, which 00871 * wouldn't fall under the record layer's responsibility 00872 * following the above definition. 00873 * 00874 */ 00875 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, 00876 unsigned update_hs_digest ); 00877 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ); 00878 00879 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ); 00880 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ); 00881 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ); 00882 00883 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ); 00884 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ); 00885 00886 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ); 00887 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ); 00888 00889 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ); 00890 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ); 00891 00892 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, 00893 const mbedtls_ssl_ciphersuite_t *ciphersuite_info ); 00894 00895 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00896 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ); 00897 #endif 00898 00899 #if defined(MBEDTLS_PK_C) 00900 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ); 00901 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type ); 00902 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ); 00903 #endif 00904 00905 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ); 00906 unsigned char mbedtls_ssl_hash_from_md_alg( int md ); 00907 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ); 00908 00909 #if defined(MBEDTLS_ECP_C) 00910 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); 00911 #endif 00912 00913 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00914 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, 00915 mbedtls_md_type_t md ); 00916 #endif 00917 00918 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00919 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl ) 00920 { 00921 mbedtls_ssl_key_cert *key_cert; 00922 00923 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL ) 00924 key_cert = ssl->handshake->key_cert; 00925 else 00926 key_cert = ssl->conf->key_cert; 00927 00928 return( key_cert == NULL ? NULL : key_cert->key ); 00929 } 00930 00931 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl ) 00932 { 00933 mbedtls_ssl_key_cert *key_cert; 00934 00935 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL ) 00936 key_cert = ssl->handshake->key_cert; 00937 else 00938 key_cert = ssl->conf->key_cert; 00939 00940 return( key_cert == NULL ? NULL : key_cert->cert ); 00941 } 00942 00943 /* 00944 * Check usage of a certificate wrt extensions: 00945 * keyUsage, extendedKeyUsage (later), and nSCertType (later). 00946 * 00947 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we 00948 * check a cert we received from them)! 00949 * 00950 * Return 0 if everything is OK, -1 if not. 00951 */ 00952 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, 00953 const mbedtls_ssl_ciphersuite_t *ciphersuite, 00954 int cert_endpoint, 00955 uint32_t *flags ); 00956 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00957 00958 void mbedtls_ssl_write_version( int major, int minor, int transport, 00959 unsigned char ver[2] ); 00960 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 00961 const unsigned char ver[2] ); 00962 00963 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl ) 00964 { 00965 #if !defined(MBEDTLS_SSL_PROTO_DTLS) 00966 ((void) ssl); 00967 #endif 00968 00969 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00970 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00971 { 00972 return( 13 ); 00973 } 00974 else 00975 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00976 { 00977 return( 5 ); 00978 } 00979 } 00980 00981 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl ) 00982 { 00983 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) ); 00984 } 00985 00986 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl ) 00987 { 00988 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00989 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00990 return( 12 ); 00991 #else 00992 ((void) ssl); 00993 #endif 00994 return( 4 ); 00995 } 00996 00997 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00998 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ); 00999 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ); 01000 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ); 01001 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ); 01002 #endif 01003 01004 /* Visible for testing purposes only */ 01005 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01006 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl ); 01007 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ); 01008 #endif 01009 01010 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, 01011 const mbedtls_ssl_session *src ); 01012 01013 /* constant-time buffer comparison */ 01014 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n ) 01015 { 01016 size_t i; 01017 volatile const unsigned char *A = (volatile const unsigned char *) a; 01018 volatile const unsigned char *B = (volatile const unsigned char *) b; 01019 volatile unsigned char diff = 0; 01020 01021 for( i = 0; i < n; i++ ) 01022 { 01023 /* Read volatile data in order before computing diff. 01024 * This avoids IAR compiler warning: 01025 * 'the order of volatile accesses is undefined ..' */ 01026 unsigned char x = A[i], y = B[i]; 01027 diff |= x ^ y; 01028 } 01029 01030 return( diff ); 01031 } 01032 01033 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 01034 defined(MBEDTLS_SSL_PROTO_TLS1_1) 01035 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, 01036 unsigned char *output, 01037 unsigned char *data, size_t data_len ); 01038 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 01039 MBEDTLS_SSL_PROTO_TLS1_1 */ 01040 01041 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01042 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01043 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ 01044 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, 01045 unsigned char *hash, size_t *hashlen, 01046 unsigned char *data, size_t data_len, 01047 mbedtls_md_type_t md_alg ); 01048 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01049 MBEDTLS_SSL_PROTO_TLS1_2 */ 01050 01051 #ifdef __cplusplus 01052 } 01053 #endif 01054 01055 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform ); 01056 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, 01057 mbedtls_ssl_transform *transform, 01058 mbedtls_record *rec, 01059 int (*f_rng)(void *, unsigned char *, size_t), 01060 void *p_rng ); 01061 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, 01062 mbedtls_ssl_transform *transform, 01063 mbedtls_record *rec ); 01064 01065 #endif /* ssl_internal.h */
Generated on Tue Jul 12 2022 13:54:53 by
