4 * \brief Internal functions shared by the SSL modules
6 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: Apache-2.0
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
21 * This file is part of mbed TLS (https://tls.mbed.org)
23 #ifndef MBEDTLS_SSL_INTERNAL_H
24 #define MBEDTLS_SSL_INTERNAL_H
28 #if defined(MBEDTLS_MD5_C)
32 #if defined(MBEDTLS_SHA1_C)
36 #if defined(MBEDTLS_SHA256_C)
40 #if defined(MBEDTLS_SHA512_C)
44 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
45 !defined(inline) && !defined(__cplusplus)
46 #define inline __inline
49 /* Determine minimum supported version */
50 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
52 #if defined(MBEDTLS_SSL_PROTO_SSL3)
53 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
55 #if defined(MBEDTLS_SSL_PROTO_TLS1)
56 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
58 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
59 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
61 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
62 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
63 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
64 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
65 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
66 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
68 /* Determine maximum supported version */
69 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
71 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
72 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
74 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
75 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
77 #if defined(MBEDTLS_SSL_PROTO_TLS1)
78 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
80 #if defined(MBEDTLS_SSL_PROTO_SSL3)
81 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
82 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
83 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
84 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
85 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
87 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
88 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
89 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
90 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
93 * DTLS retransmission states, see RFC 6347 4.2.4
95 * The SENDING state is merged in PREPARING for initial sends,
96 * but is distinct for resends.
98 * Note: initial state is wrong for server, but is not used anyway.
100 #define MBEDTLS_SSL_RETRANS_PREPARING 0
101 #define MBEDTLS_SSL_RETRANS_SENDING 1
102 #define MBEDTLS_SSL_RETRANS_WAITING 2
103 #define MBEDTLS_SSL_RETRANS_FINISHED 3
106 * Allow extra bytes for record, authentication and encryption overhead:
107 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
108 * and allow for a maximum of 1024 of compression expansion if
111 #if defined(MBEDTLS_ZLIB_SUPPORT)
112 #define MBEDTLS_SSL_COMPRESSION_ADD 1024
114 #define MBEDTLS_SSL_COMPRESSION_ADD 0
117 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
118 /* Ciphersuites using HMAC */
119 #if defined(MBEDTLS_SHA512_C)
120 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
121 #elif defined(MBEDTLS_SHA256_C)
122 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
124 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
127 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
128 #define MBEDTLS_SSL_MAC_ADD 16
131 #if defined(MBEDTLS_CIPHER_MODE_CBC)
132 #define MBEDTLS_SSL_PADDING_ADD 256
134 #define MBEDTLS_SSL_PADDING_ADD 0
137 #define MBEDTLS_SSL_BUFFER_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
138 + MBEDTLS_SSL_COMPRESSION_ADD \
139 + 29 /* counter + header + IV */ \
140 + MBEDTLS_SSL_MAC_ADD \
141 + MBEDTLS_SSL_PADDING_ADD \
145 * TLS extension flags (for extensions with outgoing ServerHello content
146 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
147 * of state of the renegotiation flag, so no indicator is required)
149 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
156 * This structure contains the parameters only needed during handshake.
158 struct mbedtls_ssl_handshake_params
161 * Handshake specific crypto variables
163 int sig_alg
; /*!< Hash algorithm for signature */
164 int cert_type
; /*!< Requested cert type */
165 int verify_sig_alg
; /*!< Signature algorithm for verify */
166 #if defined(MBEDTLS_DHM_C)
167 mbedtls_dhm_context dhm_ctx
; /*!< DHM key exchange */
169 #if defined(MBEDTLS_ECDH_C)
170 mbedtls_ecdh_context ecdh_ctx
; /*!< ECDH key exchange */
172 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
173 const mbedtls_ecp_curve_info
**curves
; /*!< Supported elliptic curves */
175 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
176 unsigned char *psk
; /*!< PSK from the callback */
177 size_t psk_len
; /*!< Length of PSK from callback */
179 #if defined(MBEDTLS_X509_CRT_PARSE_C)
180 mbedtls_ssl_key_cert
*key_cert
; /*!< chosen key/cert pair (server) */
181 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
182 int sni_authmode
; /*!< authmode from SNI callback */
183 mbedtls_ssl_key_cert
*sni_key_cert
; /*!< key/cert list from SNI */
184 mbedtls_x509_crt
*sni_ca_chain
; /*!< trusted CAs from SNI callback */
185 mbedtls_x509_crl
*sni_ca_crl
; /*!< trusted CAs CRLs from SNI */
187 #endif /* MBEDTLS_X509_CRT_PARSE_C */
188 #if defined(MBEDTLS_SSL_PROTO_DTLS)
189 unsigned int out_msg_seq
; /*!< Outgoing handshake sequence number */
190 unsigned int in_msg_seq
; /*!< Incoming handshake sequence number */
192 unsigned char *verify_cookie
; /*!< Cli: HelloVerifyRequest cookie
194 unsigned char verify_cookie_len
; /*!< Cli: cookie length
195 Srv: flag for sending a cookie */
197 unsigned char *hs_msg
; /*!< Reassembled handshake message */
199 uint32_t retransmit_timeout
; /*!< Current value of timeout */
200 unsigned char retransmit_state
; /*!< Retransmission state */
201 mbedtls_ssl_flight_item
*flight
; /*!< Current outgoing flight */
202 mbedtls_ssl_flight_item
*cur_msg
; /*!< Current message in flight */
203 unsigned int in_flight_start_seq
; /*!< Minimum message sequence in the
204 flight being received */
205 mbedtls_ssl_transform
*alt_transform_out
; /*!< Alternative transform for
206 resending messages */
207 unsigned char alt_out_ctr
[8]; /*!< Alternative record epoch/counter
208 for resending messages */
214 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
215 defined(MBEDTLS_SSL_PROTO_TLS1_1)
216 mbedtls_md5_context fin_md5
;
217 mbedtls_sha1_context fin_sha1
;
219 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
220 #if defined(MBEDTLS_SHA256_C)
221 mbedtls_sha256_context fin_sha256
;
223 #if defined(MBEDTLS_SHA512_C)
224 mbedtls_sha512_context fin_sha512
;
226 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
228 void (*update_checksum
)(mbedtls_ssl_context
*, const unsigned char *, size_t);
229 void (*calc_verify
)(mbedtls_ssl_context
*, unsigned char *);
230 void (*calc_finished
)(mbedtls_ssl_context
*, unsigned char *, int);
231 int (*tls_prf
)(const unsigned char *, size_t, const char *,
232 const unsigned char *, size_t,
233 unsigned char *, size_t);
235 size_t pmslen
; /*!< premaster length */
237 unsigned char randbytes
[64]; /*!< random bytes */
238 unsigned char premaster
[MBEDTLS_PREMASTER_SIZE
];
239 /*!< premaster secret */
241 int resume
; /*!< session resume indicator*/
242 int max_major_ver
; /*!< max. major version client*/
243 int max_minor_ver
; /*!< max. minor version client*/
244 int cli_exts
; /*!< client extension presence*/
246 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
247 int new_session_ticket
; /*!< use NewSessionTicket? */
248 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
249 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
250 int extended_ms
; /*!< use Extended Master Secret? */
255 * This structure contains a full set of runtime transform parameters
256 * either in negotiation or active.
258 struct mbedtls_ssl_transform
261 * Session specific crypto layer
263 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
264 /*!< Chosen cipersuite_info */
265 unsigned int keylen
; /*!< symmetric key length (bytes) */
266 size_t minlen
; /*!< min. ciphertext length */
267 size_t ivlen
; /*!< IV length */
268 size_t fixed_ivlen
; /*!< Fixed part of IV (AEAD) */
269 size_t maclen
; /*!< MAC length */
271 unsigned char iv_enc
[16]; /*!< IV (encryption) */
272 unsigned char iv_dec
[16]; /*!< IV (decryption) */
274 #if defined(MBEDTLS_SSL_PROTO_SSL3)
275 /* Needed only for SSL v3.0 secret */
276 unsigned char mac_enc
[20]; /*!< SSL v3.0 secret (enc) */
277 unsigned char mac_dec
[20]; /*!< SSL v3.0 secret (dec) */
278 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
280 mbedtls_md_context_t md_ctx_enc
; /*!< MAC (encryption) */
281 mbedtls_md_context_t md_ctx_dec
; /*!< MAC (decryption) */
283 mbedtls_cipher_context_t cipher_ctx_enc
; /*!< encryption context */
284 mbedtls_cipher_context_t cipher_ctx_dec
; /*!< decryption context */
287 * Session specific compression layer
289 #if defined(MBEDTLS_ZLIB_SUPPORT)
290 z_stream ctx_deflate
; /*!< compression context */
291 z_stream ctx_inflate
; /*!< decompression context */
295 #if defined(MBEDTLS_X509_CRT_PARSE_C)
297 * List of certificate + private key pairs
299 struct mbedtls_ssl_key_cert
301 mbedtls_x509_crt
*cert
; /*!< cert */
302 mbedtls_pk_context
*key
; /*!< private key */
303 mbedtls_ssl_key_cert
*next
; /*!< next key/cert pair */
305 #endif /* MBEDTLS_X509_CRT_PARSE_C */
307 #if defined(MBEDTLS_SSL_PROTO_DTLS)
309 * List of handshake messages kept around for resending
311 struct mbedtls_ssl_flight_item
313 unsigned char *p
; /*!< message, including handshake headers */
314 size_t len
; /*!< length of p */
315 unsigned char type
; /*!< type of the message: handshake or CCS */
316 mbedtls_ssl_flight_item
*next
; /*!< next handshake message(s) */
318 #endif /* MBEDTLS_SSL_PROTO_DTLS */
322 * \brief Free referenced items in an SSL transform context and clear
325 * \param transform SSL transform context
327 void mbedtls_ssl_transform_free( mbedtls_ssl_transform
*transform
);
330 * \brief Free referenced items in an SSL handshake context and clear
333 * \param handshake SSL handshake context
335 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params
*handshake
);
337 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context
*ssl
);
338 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context
*ssl
);
339 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context
*ssl
);
341 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context
*ssl
);
343 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context
*ssl
);
344 int mbedtls_ssl_derive_keys( mbedtls_ssl_context
*ssl
);
346 int mbedtls_ssl_read_record( mbedtls_ssl_context
*ssl
);
347 int mbedtls_ssl_fetch_input( mbedtls_ssl_context
*ssl
, size_t nb_want
);
349 int mbedtls_ssl_write_record( mbedtls_ssl_context
*ssl
);
350 int mbedtls_ssl_flush_output( mbedtls_ssl_context
*ssl
);
352 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context
*ssl
);
353 int mbedtls_ssl_write_certificate( mbedtls_ssl_context
*ssl
);
355 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context
*ssl
);
356 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context
*ssl
);
358 int mbedtls_ssl_parse_finished( mbedtls_ssl_context
*ssl
);
359 int mbedtls_ssl_write_finished( mbedtls_ssl_context
*ssl
);
361 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context
*ssl
,
362 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
);
364 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
365 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context
*ssl
, mbedtls_key_exchange_type_t key_ex
);
368 #if defined(MBEDTLS_PK_C)
369 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context
*pk
);
370 mbedtls_pk_type_t
mbedtls_ssl_pk_alg_from_sig( unsigned char sig
);
373 mbedtls_md_type_t
mbedtls_ssl_md_alg_from_hash( unsigned char hash
);
374 unsigned char mbedtls_ssl_hash_from_md_alg( int md
);
376 #if defined(MBEDTLS_ECP_C)
377 int mbedtls_ssl_check_curve( const mbedtls_ssl_context
*ssl
, mbedtls_ecp_group_id grp_id
);
380 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
381 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context
*ssl
,
382 mbedtls_md_type_t md
);
385 #if defined(MBEDTLS_X509_CRT_PARSE_C)
386 static inline mbedtls_pk_context
*mbedtls_ssl_own_key( mbedtls_ssl_context
*ssl
)
388 mbedtls_ssl_key_cert
*key_cert
;
390 if( ssl
->handshake
!= NULL
&& ssl
->handshake
->key_cert
!= NULL
)
391 key_cert
= ssl
->handshake
->key_cert
;
393 key_cert
= ssl
->conf
->key_cert
;
395 return( key_cert
== NULL
? NULL
: key_cert
->key
);
398 static inline mbedtls_x509_crt
*mbedtls_ssl_own_cert( mbedtls_ssl_context
*ssl
)
400 mbedtls_ssl_key_cert
*key_cert
;
402 if( ssl
->handshake
!= NULL
&& ssl
->handshake
->key_cert
!= NULL
)
403 key_cert
= ssl
->handshake
->key_cert
;
405 key_cert
= ssl
->conf
->key_cert
;
407 return( key_cert
== NULL
? NULL
: key_cert
->cert
);
411 * Check usage of a certificate wrt extensions:
412 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
414 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
415 * check a cert we received from them)!
417 * Return 0 if everything is OK, -1 if not.
419 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt
*cert
,
420 const mbedtls_ssl_ciphersuite_t
*ciphersuite
,
423 #endif /* MBEDTLS_X509_CRT_PARSE_C */
425 void mbedtls_ssl_write_version( int major
, int minor
, int transport
,
426 unsigned char ver
[2] );
427 void mbedtls_ssl_read_version( int *major
, int *minor
, int transport
,
428 const unsigned char ver
[2] );
430 static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context
*ssl
)
432 #if defined(MBEDTLS_SSL_PROTO_DTLS)
433 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
441 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context
*ssl
)
443 #if defined(MBEDTLS_SSL_PROTO_DTLS)
444 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
452 #if defined(MBEDTLS_SSL_PROTO_DTLS)
453 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context
*ssl
);
454 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context
*ssl
);
455 int mbedtls_ssl_resend( mbedtls_ssl_context
*ssl
);
458 /* Visible for testing purposes only */
459 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
460 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context
*ssl
);
461 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context
*ssl
);
464 /* constant-time buffer comparison */
465 static inline int mbedtls_ssl_safer_memcmp( const void *a
, const void *b
, size_t n
)
468 const unsigned char *A
= (const unsigned char *) a
;
469 const unsigned char *B
= (const unsigned char *) b
;
470 unsigned char diff
= 0;
472 for( i
= 0; i
< n
; i
++ )
482 #endif /* ssl_internal.h */