mbed TLS v2.2.0
ssl_internal.h
23 #ifndef MBEDTLS_SSL_INTERNAL_H
24 #define MBEDTLS_SSL_INTERNAL_H
25 
26 #include "ssl.h"
27 
28 #if defined(MBEDTLS_MD5_C)
29 #include "md5.h"
30 #endif
31 
32 #if defined(MBEDTLS_SHA1_C)
33 #include "sha1.h"
34 #endif
35 
36 #if defined(MBEDTLS_SHA256_C)
37 #include "sha256.h"
38 #endif
39 
40 #if defined(MBEDTLS_SHA512_C)
41 #include "sha512.h"
42 #endif
43 
44 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
45 #include "ecjpake.h"
46 #endif
47 
48 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
49  !defined(inline) && !defined(__cplusplus)
50 #define inline __inline
51 #endif
52 
/* Determine minimum supported version */
#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3

/* Lowest minor version among the enabled protocol options, tested in
 * SSL3 < TLS1.0 < TLS1.1 < TLS1.2 order; left undefined when none is enabled. */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
#elif defined(MBEDTLS_SSL_PROTO_TLS1)
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
#elif defined(MBEDTLS_SSL_PROTO_TLS1_1)
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
#endif

/* Determine maximum supported version */
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3

/* Highest minor version among the enabled protocol options, tested in
 * TLS1.2 > TLS1.1 > TLS1.0 > SSL3 order; left undefined when none is enabled. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
#elif defined(MBEDTLS_SSL_PROTO_TLS1_1)
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
#elif defined(MBEDTLS_SSL_PROTO_TLS1)
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
#elif defined(MBEDTLS_SSL_PROTO_SSL3)
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
#endif
90 
/*
 * Renegotiation status values (INITIAL_HANDSHAKE is the first handshake of
 * the connection; the other three describe a renegotiation).
 */
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */

/*
 * DTLS retransmission states, see RFC 6347 4.2.4
 *
 * The SENDING state is merged in PREPARING for initial sends,
 * but is distinct for resends.
 *
 * Note: initial state is wrong for server, but is not used anyway.
 *
 * Stored in a single byte (see retransmit_state in the handshake params),
 * so values must stay within 0..255.
 */
#define MBEDTLS_SSL_RETRANS_PREPARING 0
#define MBEDTLS_SSL_RETRANS_SENDING 1
#define MBEDTLS_SSL_RETRANS_WAITING 2
#define MBEDTLS_SSL_RETRANS_FINISHED 3
108 
/*
 * Allow extra bytes for record, authentication and encryption overhead:
 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
 * and allow for a maximum of 1024 of compression expansion if
 * enabled.
 *
 * These are compile-time upper bounds: each *_ADD below is the worst case
 * over every ciphersuite that can be built with the current configuration,
 * not the overhead of the suite actually negotiated on a connection.
 */
#if defined(MBEDTLS_ZLIB_SUPPORT)
#define MBEDTLS_SSL_COMPRESSION_ADD 1024
#else
#define MBEDTLS_SSL_COMPRESSION_ADD 0
#endif

#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
/* Ciphersuites using HMAC: budget for the largest digest that is compiled in */
#if defined(MBEDTLS_SHA512_C)
#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
#elif defined(MBEDTLS_SHA256_C)
#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
#else
#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
#endif
#else
/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
#define MBEDTLS_SSL_MAC_ADD 16
#endif

#if defined(MBEDTLS_CIPHER_MODE_CBC)
#define MBEDTLS_SSL_PADDING_ADD 256 /* CBC padding: up to one full 256-byte block of padding */
#else
#define MBEDTLS_SSL_PADDING_ADD 0
#endif

/* Total record buffer size: maximum payload plus all of the overheads above.
 * The literal 29 is the counter + header + IV figure from the comment at the
 * top of this section. */
#define MBEDTLS_SSL_BUFFER_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
                                 + MBEDTLS_SSL_COMPRESSION_ADD \
                                 + 29 /* counter + header + IV */ \
                                 + MBEDTLS_SSL_MAC_ADD \
                                 + MBEDTLS_SSL_PADDING_ADD \
                                 )
147 
/*
 * TLS extension flags, for extensions with outgoing ServerHello content
 * that need an indicator (e.g. RENEGOTIATION_INFO does not: the server
 * already knows from the state of the renegotiation flag).
 *
 * These are bits of one mask, so each new flag must use a distinct (1 << n).
 */
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
155 
156 #ifdef __cplusplus
157 extern "C" {
158 #endif
159 
160 /*
161  * This structure contains the parameters only needed during handshake.
162  */
/*
 * NOTE(review): this rendering dropped the struct tag line (source line 163,
 * "struct mbedtls_ssl_handshake_params") that the brace below belongs to, and
 * at least one member line (251, premaster[MBEDTLS_PREMASTER_SIZE]); consult
 * the original header before relying on member order or offsets.
 *
 * Everything here lives only for the duration of a handshake. The items it
 * references are released and the memory cleared by
 * mbedtls_ssl_handshake_free(); several members (psk, the premaster secret,
 * randbytes) are key material and must not outlive that.
 */
{
    /*
     * Handshake specific crypto variables
     */
    int sig_alg;                 /* presumably the negotiated signature algorithm id — confirm in ssl_tls.c */
    int cert_type;               /* presumably the negotiated certificate type — confirm in ssl_tls.c */
#if defined(MBEDTLS_DHM_C)
    mbedtls_dhm_context dhm_ctx;
#endif
#if defined(MBEDTLS_ECDH_C)
    mbedtls_ecdh_context ecdh_ctx;
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    mbedtls_ecjpake_context ecjpake_ctx;
#if defined(MBEDTLS_SSL_CLI_C)
    unsigned char *ecjpake_cache;      /* client-only cache, ecjpake_cache_len bytes */
    size_t ecjpake_cache_len;
#endif
#endif
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    const mbedtls_ecp_curve_info **curves;   /* NOTE(review): presumably the curve list usable for this handshake; see mbedtls_ssl_check_curve() */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
    unsigned char *psk;          /* pre-shared key in use, psk_len bytes: secret material */
    size_t psk_len;
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
    mbedtls_ssl_key_cert *key_cert;          /* overrides conf->key_cert when non-NULL (see mbedtls_ssl_own_key/cert) */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    int sni_authmode;                        /* per-SNI overrides; semantics mirror the config-level equivalents — presumably */
    mbedtls_ssl_key_cert *sni_key_cert;
    mbedtls_x509_crt *sni_ca_chain;
    mbedtls_x509_crl *sni_ca_crl;
#endif
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
    unsigned int out_msg_seq;                /* DTLS handshake message sequence numbers */
    unsigned int in_msg_seq;
    unsigned char *verify_cookie;            /* cookie buffer, verify_cookie_len bytes (so at most 255) */
    unsigned char verify_cookie_len;
    unsigned char *hs_msg;
    uint32_t retransmit_timeout;             /* NOTE(review): unit not visible here (ms?) — confirm against the timer callbacks */
    unsigned char retransmit_state;          /* presumably one of MBEDTLS_SSL_RETRANS_* above */
    mbedtls_ssl_flight_item *flight;         /* list of messages kept for resending (see mbedtls_ssl_flight_item) */
    mbedtls_ssl_flight_item *cur_msg;
    unsigned int in_flight_start_seq;
    mbedtls_ssl_transform *alt_transform_out;
    unsigned char alt_out_ctr[8];
#endif

    /*
     * Checksum contexts
     */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_1)
    mbedtls_md5_context fin_md5;             /* pre-TLS1.2 Finished uses MD5+SHA-1 */
    mbedtls_sha1_context fin_sha1;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C)
    mbedtls_sha256_context fin_sha256;
#endif
#if defined(MBEDTLS_SHA512_C)
    mbedtls_sha512_context fin_sha512;
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

    /* Version-dependent operations, bound once the protocol version is known. */
    void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
    void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
    void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
    int (*tls_prf)(const unsigned char *, size_t, const char *,
                   const unsigned char *, size_t,
                   unsigned char *, size_t);

    size_t pmslen;               /* length of the premaster secret (the premaster[] member is missing from this rendering) */
    unsigned char randbytes[64]; /* NOTE(review): presumably client_random || server_random, 32 bytes each — confirm */
    int resume;                  /* non-zero when resuming a session — presumably */
    int cli_exts;                /* presumably a mask of MBEDTLS_TLS_EXT_* flags seen in the ClientHello */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
    int new_session_ticket;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
    int extended_ms;             /* extended master secret (RFC 7627) negotiated — presumably */
#endif
};
266 
267 /*
268  * This structure contains a full set of runtime transform parameters
269  * either in negotiation or active.
270  */
/*
 * NOTE(review): this rendering dropped the struct tag line (source line 271,
 * "struct mbedtls_ssl_transform") that the brace below belongs to, as well as
 * the member lines around 276 and 293-297 (ciphersuite_info, md_ctx_enc/dec,
 * cipher_ctx_enc/dec); do not rely on member order as shown here.
 *
 * Referenced items are released and the memory cleared by
 * mbedtls_ssl_transform_free(), which matters because the IVs (and for SSL3
 * the MAC secrets) below are key material.
 */
{
    /*
     * Session specific crypto layer
     */
    unsigned int keylen;         /* NOTE(review): cipher key length; unit (bits/bytes) not visible here — confirm in mbedtls_ssl_derive_keys() */
    size_t minlen;               /* presumably the minimum ciphertext length for a record */
    size_t ivlen;                /* IV length for the negotiated cipher */
    size_t fixed_ivlen;          /* presumably the implicit (non-transmitted) part of the IV, for AEAD */
    size_t maclen;               /* MAC / tag length */
    unsigned char iv_enc[16];    /* encryption / decryption IVs: secret material */
    unsigned char iv_dec[16];
#if defined(MBEDTLS_SSL_PROTO_SSL3)
    /* Needed only for SSL v3.0 secret */
    unsigned char mac_enc[20];
    unsigned char mac_dec[20];
#endif /* MBEDTLS_SSL_PROTO_SSL3 */

    /*
     * Session specific compression layer
     * (MBEDTLS_SSL_COMPRESSION_ADD budgets 1024 bytes of expansion for it)
     */
#if defined(MBEDTLS_ZLIB_SUPPORT)
    z_stream ctx_deflate;
    z_stream ctx_inflate;
#endif
};
307 
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
 * List of certificate + private key pairs
 *
 * Singly linked through `next`; mbedtls_ssl_own_key()/mbedtls_ssl_own_cert()
 * only ever use the head element they are handed.
 * NOTE(review): ownership of cert/key (who frees them) is not visible in this
 * header — confirm before freeing a node.
 */
struct mbedtls_ssl_key_cert
{
    mbedtls_x509_crt *cert;
    mbedtls_pk_context *key;
    mbedtls_ssl_key_cert *next;
};
#endif /* MBEDTLS_X509_CRT_PARSE_C */
319 
#if defined(MBEDTLS_SSL_PROTO_DTLS)
/*
 * List of handshake messages kept around for resending
 *
 * One node per message of the current outgoing flight (handshake->flight).
 */
struct mbedtls_ssl_flight_item
{
    unsigned char *p;           /* message bytes, len of them (ownership not visible here) */
    size_t len;
    unsigned char type;         /* presumably the record content type to send it under */
    mbedtls_ssl_flight_item *next;
};
#endif /* MBEDTLS_SSL_PROTO_DTLS */
332 
333 
341 
349 
353 
355 
358 
360 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
361 
364 
367 
370 
373 
375  const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
376 
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
/* Build the premaster secret for a PSK-based key exchange of type key_ex.
 * Presumably returns 0 on success or an mbed TLS error code — confirm in
 * ssl_tls.c. */
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
#endif

#if defined(MBEDTLS_PK_C)
/* Map a pk context to the TLS SignatureAlgorithm byte, and a SignatureAlgorithm
 * byte back to a pk type (presumably; names only). */
unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
#endif

/* Map a TLS HashAlgorithm byte to an mbedtls_md_type_t and back (presumably). */
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
unsigned char mbedtls_ssl_hash_from_md_alg( int md );

#if defined(MBEDTLS_ECP_C)
/* Check whether grp_id is a curve this context may use; presumably returns 0
 * when it is allowed. A peer-supplied curve id must pass this check before
 * any group is loaded for it. */
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
#endif
392 
393 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
394 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
396 #endif
397 
398 #if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
 * Private key to use for this connection.
 *
 * The key/cert pair attached to the current handshake (if one was set) takes
 * precedence over the first pair in the configuration.
 *
 * \return the key of the selected pair, or NULL if no pair is available
 */
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
{
    mbedtls_ssl_key_cert *kc =
        ( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
        ? ssl->handshake->key_cert
        : ssl->conf->key_cert;

    if( kc == NULL )
        return( NULL );

    return( kc->key );
}
410 
/*
 * Certificate to present on this connection.
 *
 * Same selection rule as mbedtls_ssl_own_key(): the handshake-level pair
 * wins over the configured one.
 *
 * \return the certificate of the selected pair, or NULL if no pair is available
 */
static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
{
    mbedtls_ssl_key_cert *kc =
        ( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
        ? ssl->handshake->key_cert
        : ssl->conf->key_cert;

    if( kc == NULL )
        return( NULL );

    return( kc->cert );
}
422 
/*
 * Check usage of a certificate wrt extensions:
 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
 *
 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
 * check a cert we received from them)!
 *
 * Return 0 if everything is OK, -1 if not.
 *
 * flags: verification result bitmask that is updated in place on failure
 * (presumably with the matching MBEDTLS_X509_BADCERT_* bit — confirm in
 * ssl_tls.c); the ciphersuite decides which keyUsage bits are required.
 */
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
                                  const mbedtls_ssl_ciphersuite_t *ciphersuite,
                                  int cert_endpoint,
                                  uint32_t *flags );
436 #endif /* MBEDTLS_X509_CRT_PARSE_C */
437 
/* Serialise / parse the two-byte protocol version field. The transport is a
 * parameter because the on-the-wire encoding differs for DTLS (presumably
 * the RFC 6347 one's-complement form — confirm in ssl_tls.c). ver[] is
 * written by write_version and only read by read_version. */
void mbedtls_ssl_write_version( int major, int minor, int transport,
                                unsigned char ver[2] );
void mbedtls_ssl_read_version( int *major, int *minor, int transport,
                               const unsigned char ver[2] );
442 
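/*
 * Length of the record-layer header for this context: 13 bytes for a DTLS
 * record (8 extra bytes of epoch/sequence counter, per the buffer sizing
 * comment above), 5 bytes for a TLS record.
 *
 * NOTE(review): in this rendering the DTLS branch returned 13 unconditionally,
 * leaving `return( 5 )` unreachable whenever DTLS is compiled in; the header
 * size must depend on the transport of this particular context, not just on
 * DTLS support being built, so the transport check is restored here.
 */
static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
        return( 13 );
#else
    ((void) ssl);
#endif
    return( 5 );
}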
453 
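/*
 * Length of the handshake-message header for this context: 12 bytes for
 * DTLS (message_seq, fragment_offset and fragment_length are added),
 * 4 bytes for TLS.
 *
 * NOTE(review): as rendered, the DTLS branch returned 12 unconditionally,
 * making `return( 4 )` unreachable whenever DTLS is compiled in; like
 * mbedtls_ssl_hdr_len() the size must follow the context's transport, so the
 * transport check is restored here.
 */
static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
        return( 12 );
#else
    ((void) ssl);
#endif
    return( 4 );
}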
464 
#if defined(MBEDTLS_SSL_PROTO_DTLS)
/* Flight bookkeeping for DTLS retransmission (see the MBEDTLS_SSL_RETRANS_*
 * states above); resend replays the stored flight (handshake->flight). */
void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
#endif

/* Visible for testing purposes only */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
/* DTLS anti-replay window: check presumably reports whether the current
 * record's sequence number is acceptable, update records it as seen. Exposed
 * only so the test suite can drive the window directly; not part of the API. */
int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
#endif
476 
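/*
 * Constant-time buffer comparison.
 *
 * Compares n bytes of a and b without data-dependent branches or early exit,
 * so the time taken does not depend on where (or whether) the buffers differ.
 * Intended for MACs and verify data; it is not an ordering compare.
 *
 * \param a  first buffer, at least n bytes
 * \param b  second buffer, at least n bytes
 * \param n  number of bytes to compare (0 compares equal)
 *
 * \return 0 if the buffers are equal, non-zero otherwise (the OR of all
 *         byte differences — only its zero/non-zero status is meaningful)
 */
static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
{
    size_t i;
    /* volatile keeps the optimizer from turning the accumulate-then-return
     * into a short-circuit on the first differing byte, which would reintroduce
     * the timing side channel this function exists to avoid. */
    volatile const unsigned char *A = (volatile const unsigned char *) a;
    volatile const unsigned char *B = (volatile const unsigned char *) b;
    volatile unsigned char diff = 0;

    for( i = 0; i < n; i++ )
        diff |= A[i] ^ B[i];

    return( diff );
}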
490 
491 #ifdef __cplusplus
492 }
493 #endif
494 
495 #endif /* ssl_internal.h */