mbedtls/library/ssl_misc.h

*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \file ssl_misc.h
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \brief Internal functions shared by the SSL modules
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi *  Copyright The Mbed TLS Contributors
*62c56f98SSadaf Ebrahimi *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#ifndef MBEDTLS_SSL_MISC_H
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MISC_H
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "mbedtls/build_info.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "mbedtls/error.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "mbedtls/ssl.h"
*62c56f98SSadaf Ebrahimi#include "mbedtls/cipher.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimi#include "psa/crypto.h"
*62c56f98SSadaf Ebrahimi#include "psa_util_internal.h"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_MD5)
*62c56f98SSadaf Ebrahimi#include "mbedtls/md5.h"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA1)
*62c56f98SSadaf Ebrahimi#include "mbedtls/sha1.h"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA256)
*62c56f98SSadaf Ebrahimi#include "mbedtls/sha256.h"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA512)
*62c56f98SSadaf Ebrahimi#include "mbedtls/sha512.h"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
*62c56f98SSadaf Ebrahimi    !defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi#include "mbedtls/ecjpake.h"
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#include "mbedtls/pk.h"
*62c56f98SSadaf Ebrahimi#include "pk_internal.h"
*62c56f98SSadaf Ebrahimi#include "common.h"
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Shorthand for restartable ECC */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_ECP_RESTARTABLE) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_CLI_C) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Faked handshake message identity for HelloRetryRequest. */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Internal identity of handshake extensions
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED                0
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SERVERNAME                  1
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME         1
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH         2
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST              3
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS            4
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES   4
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SIG_ALG                     5
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_USE_SRTP                    6
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_HEARTBEAT                   7
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_ALPN                        8
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SCT                         9
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE              10
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE             11
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_PADDING                    12
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY             13
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_EARLY_DATA                 14
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS         15
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_COOKIE                     16
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES     17
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_CERT_AUTH                  18
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_OID_FILTERS                19
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH        20
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT               21
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_KEY_SHARE                  22
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC             23
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS    24
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC           25
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET     26
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_SESSION_TICKET             27
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT          28
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Utility for translating IANA extension type. */
*62c56f98SSadaf Ebrahimiuint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
*62c56f98SSadaf Ebrahimiuint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
*62c56f98SSadaf Ebrahimi/* Macros used to define mask constants */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_MASK(id)       (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
*62c56f98SSadaf Ebrahimi/* Reset value of extension mask */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_EXT_MASK_NONE                                              0
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* In messages containing extension requests, we should ignore unrecognized
*62c56f98SSadaf Ebrahimi * extensions. In messages containing extension responses, unrecognized
*62c56f98SSadaf Ebrahimi * extensions should result in handshake abortion. Messages containing
*62c56f98SSadaf Ebrahimi * extension requests include ClientHello, CertificateRequest and
*62c56f98SSadaf Ebrahimi * NewSessionTicket. Messages containing extension responses include
*62c56f98SSadaf Ebrahimi * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * RFC 8446 section 4.1.3
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The ServerHello MUST only include extensions which are required to establish
*62c56f98SSadaf Ebrahimi * the cryptographic context and negotiate the protocol version.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * RFC 8446 section 4.2
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * If an implementation receives an extension which it recognizes and which is
*62c56f98SSadaf Ebrahimi * not specified for the message in which it appears, it MUST abort the handshake
*62c56f98SSadaf Ebrahimi * with an "illegal_parameter" alert.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Extensions that are not recognized by TLS 1.3 */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED                               \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS)                | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC)                       | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET)                 | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SESSION_TICKET)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* RFC 8446 section 4.2. Allowed extensions for ClientHello */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH                                  \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(SERVERNAME)                             | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH)                    | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS)                       | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SIG_ALG)                                | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(USE_SRTP)                               | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(HEARTBEAT)                              | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(ALPN)                                   | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SCT)                                    | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE)                          | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(PADDING)                                | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(KEY_SHARE)                              | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)                 | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(EARLY_DATA)                             | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(COOKIE)                                 | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)                     | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(CERT_AUTH)                              | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH)                    | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT)                           | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)                      | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE                                  \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(SERVERNAME)                             | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH)                    | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS)                       | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(USE_SRTP)                               | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(HEARTBEAT)                              | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(ALPN)                                   | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE)                          | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(EARLY_DATA)                             | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR                                  \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SIG_ALG)                                | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SCT)                                    | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(CERT_AUTH)                              | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(OID_FILTERS)                            | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT)                           | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* RFC 8446 section 4.2. Allowed extensions for Certificate */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT                                  \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SCT))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* RFC 8446 section 4.2. Allowed extensions for ServerHello */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH                                  \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(KEY_SHARE)                              | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)                         | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR                                 \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(KEY_SHARE)                              | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(COOKIE)                                 | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST                                 \
*62c56f98SSadaf Ebrahimi    (MBEDTLS_SSL_EXT_MASK(EARLY_DATA)                             | \
*62c56f98SSadaf Ebrahimi     MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Helper macros for function call with return check.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Exit when return non-zero value
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_PROC_CHK(f)                               \
*62c56f98SSadaf Ebrahimi    do {                                                        \
*62c56f98SSadaf Ebrahimi        ret = (f);                                            \
*62c56f98SSadaf Ebrahimi        if (ret != 0)                                          \
*62c56f98SSadaf Ebrahimi        {                                                       \
*62c56f98SSadaf Ebrahimi            goto cleanup;                                       \
*62c56f98SSadaf Ebrahimi        }                                                       \
*62c56f98SSadaf Ebrahimi    } while (0)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Exit when return negative value
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_PROC_CHK_NEG(f)                           \
*62c56f98SSadaf Ebrahimi    do {                                                        \
*62c56f98SSadaf Ebrahimi        ret = (f);                                            \
*62c56f98SSadaf Ebrahimi        if (ret < 0)                                           \
*62c56f98SSadaf Ebrahimi        {                                                       \
*62c56f98SSadaf Ebrahimi            goto cleanup;                                       \
*62c56f98SSadaf Ebrahimi        }                                                       \
*62c56f98SSadaf Ebrahimi    } while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * DTLS retransmission states, see RFC 6347 4.2.4
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The SENDING state is merged in PREPARING for initial sends,
*62c56f98SSadaf Ebrahimi * but is distinct for resends.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Note: initial state is wrong for server, but is not used anyway.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RETRANS_PREPARING       0
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RETRANS_SENDING         1
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RETRANS_WAITING         2
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RETRANS_FINISHED        3
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Allow extra bytes for record, authentication and encryption overhead:
*62c56f98SSadaf Ebrahimi * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* This macro determines whether CBC is supported. */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
*62c56f98SSadaf Ebrahimi    (defined(MBEDTLS_AES_C)      ||                                  \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_CAMELLIA_C) ||                                  \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_ARIA_C)     ||                                  \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_DES_C))
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* This macro determines whether a ciphersuite using a
*62c56f98SSadaf Ebrahimi * stream cipher can be used. */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
*62c56f98SSadaf Ebrahimi/* Ciphersuites using HMAC */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA384)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
*62c56f98SSadaf Ebrahimi#elif defined(MBEDTLS_MD_CAN_SHA256)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
*62c56f98SSadaf Ebrahimi/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAC_ADD                 16
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_CIPHER_MODE_CBC)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_PADDING_ADD            256
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_PADDING_ADD              0
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_CID_EXPANSION      MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_CID_EXPANSION        0
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH +          \
*62c56f98SSadaf Ebrahimi                                      MBEDTLS_SSL_MAC_ADD +            \
*62c56f98SSadaf Ebrahimi                                      MBEDTLS_SSL_PADDING_ADD +        \
*62c56f98SSadaf Ebrahimi                                      MBEDTLS_SSL_MAX_CID_EXPANSION    \
*62c56f98SSadaf Ebrahimi                                      )
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
*62c56f98SSadaf Ebrahimi                                    (MBEDTLS_SSL_IN_CONTENT_LEN))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
*62c56f98SSadaf Ebrahimi                                     (MBEDTLS_SSL_OUT_CONTENT_LEN))
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* The maximum number of buffered handshake messages. */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Maximum length we can advertise as our max content length for
*62c56f98SSadaf Ebrahimi   RFC 6066 max_fragment_length extension negotiation purposes
*62c56f98SSadaf Ebrahimi   (the lesser of both sizes, if they are unequal.)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
*62c56f98SSadaf Ebrahimi        (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
*62c56f98SSadaf Ebrahimi        ? (MBEDTLS_SSL_OUT_CONTENT_LEN)                            \
*62c56f98SSadaf Ebrahimi        : (MBEDTLS_SSL_IN_CONTENT_LEN)                             \
*62c56f98SSadaf Ebrahimi        )
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN       65534
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN       2
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE         20
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check that we obey the standard's message size bounds
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
*62c56f98SSadaf Ebrahimi#error "Bad configuration - incoming record content too large."
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
*62c56f98SSadaf Ebrahimi#error "Bad configuration - outgoing record content too large."
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
*62c56f98SSadaf Ebrahimi#error "Bad configuration - incoming protected record payload too large."
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
*62c56f98SSadaf Ebrahimi#error "Bad configuration - outgoing protected record payload too large."
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Calculate buffer sizes */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Note: Even though the TLS record header is only 5 bytes
*62c56f98SSadaf Ebrahimi   long, we're internally using 8 bytes to store the
*62c56f98SSadaf Ebrahimi   implicit sequence number. */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_HEADER_LEN 13
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_IN_BUFFER_LEN  \
*62c56f98SSadaf Ebrahimi    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_IN_BUFFER_LEN  \
*62c56f98SSadaf Ebrahimi    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
*62c56f98SSadaf Ebrahimi     + (MBEDTLS_SSL_CID_IN_LEN_MAX))
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_OUT_BUFFER_LEN  \
*62c56f98SSadaf Ebrahimi    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_OUT_BUFFER_LEN                               \
*62c56f98SSadaf Ebrahimi    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)    \
*62c56f98SSadaf Ebrahimi     + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief          Return the maximum fragment length (payload, in bytes) for
*62c56f98SSadaf Ebrahimi *                 the output buffer. For the client, this is the configured
*62c56f98SSadaf Ebrahimi *                 value. For the server, it is the minimum of two - the
*62c56f98SSadaf Ebrahimi *                 configured value and the negotiated one.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \sa             mbedtls_ssl_conf_max_frag_len()
*62c56f98SSadaf Ebrahimi * \sa             mbedtls_ssl_get_max_out_record_payload()
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param ssl      SSL context
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return         Current maximum fragment length for the output buffer.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimisize_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief          Return the maximum fragment length (payload, in bytes) for
*62c56f98SSadaf Ebrahimi *                 the input buffer. This is the negotiated maximum fragment
*62c56f98SSadaf Ebrahimi *                 length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
*62c56f98SSadaf Ebrahimi *                 If it is not defined either, the value is 2^14. This function
*62c56f98SSadaf Ebrahimi *                 works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \sa             mbedtls_ssl_conf_max_frag_len()
*62c56f98SSadaf Ebrahimi * \sa             mbedtls_ssl_get_max_in_record_payload()
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param ssl      SSL context
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return         Current maximum fragment length for the output buffer.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimisize_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
*62c56f98SSadaf Ebrahimistatic inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_get_output_max_frag_len(ctx)
*62c56f98SSadaf Ebrahimi           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
*62c56f98SSadaf Ebrahimi           + MBEDTLS_SSL_CID_OUT_LEN_MAX;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_get_output_max_frag_len(ctx)
*62c56f98SSadaf Ebrahimi           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_get_input_max_frag_len(ctx)
*62c56f98SSadaf Ebrahimi           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
*62c56f98SSadaf Ebrahimi           + MBEDTLS_SSL_CID_IN_LEN_MAX;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_get_input_max_frag_len(ctx)
*62c56f98SSadaf Ebrahimi           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * TLS extension flags (for extensions with outgoing ServerHello content
*62c56f98SSadaf Ebrahimi * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
*62c56f98SSadaf Ebrahimi * of state of the renegotiation flag, so no indicator is required)
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief        This function checks if the remaining size in a buffer is
*62c56f98SSadaf Ebrahimi *               greater or equal than a needed space.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param cur    Pointer to the current position in the buffer.
*62c56f98SSadaf Ebrahimi * \param end    Pointer to one past the end of the buffer.
*62c56f98SSadaf Ebrahimi * \param need   Needed space in bytes.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return       Zero if the needed space is available in the buffer, non-zero
*62c56f98SSadaf Ebrahimi *               otherwise.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_TEST_HOOKS)
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
*62c56f98SSadaf Ebrahimi                                          const uint8_t *end, size_t need)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return (cur > end) || (need > (size_t) (end - cur));
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimitypedef struct {
*62c56f98SSadaf Ebrahimi    const uint8_t *cur;
*62c56f98SSadaf Ebrahimi    const uint8_t *end;
*62c56f98SSadaf Ebrahimi    size_t need;
*62c56f98SSadaf Ebrahimi} mbedtls_ssl_chk_buf_ptr_args;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_set_chk_buf_ptr_fail_args(
*62c56f98SSadaf Ebrahimi    const uint8_t *cur, const uint8_t *end, size_t need);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
*62c56f98SSadaf Ebrahimi                                          const uint8_t *end, size_t need)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if ((cur > end) || (need > (size_t) (end - cur))) {
*62c56f98SSadaf Ebrahimi        mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
*62c56f98SSadaf Ebrahimi        return 1;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_TEST_HOOKS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief        This macro checks if the remaining size in a buffer is
*62c56f98SSadaf Ebrahimi *               greater or equal than a needed space. If it is not the case,
*62c56f98SSadaf Ebrahimi *               it returns an SSL_BUFFER_TOO_SMALL error.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param cur    Pointer to the current position in the buffer.
*62c56f98SSadaf Ebrahimi * \param end    Pointer to one past the end of the buffer.
*62c56f98SSadaf Ebrahimi * \param need   Needed space in bytes.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need)                        \
*62c56f98SSadaf Ebrahimi    do {                                                                 \
*62c56f98SSadaf Ebrahimi        if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
*62c56f98SSadaf Ebrahimi        {                                                                \
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;                  \
*62c56f98SSadaf Ebrahimi        }                                                                \
*62c56f98SSadaf Ebrahimi    } while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief        This macro checks if the remaining length in an input buffer is
*62c56f98SSadaf Ebrahimi *               greater or equal than a needed length. If it is not the case, it
*62c56f98SSadaf Ebrahimi *               returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
*62c56f98SSadaf Ebrahimi *               #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *               This is a function-like macro. It is guaranteed to evaluate each
*62c56f98SSadaf Ebrahimi *               argument exactly once.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param cur    Pointer to the current position in the buffer.
*62c56f98SSadaf Ebrahimi * \param end    Pointer to one past the end of the buffer.
*62c56f98SSadaf Ebrahimi * \param need   Needed length in bytes.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need)                          \
*62c56f98SSadaf Ebrahimi    do {                                                                        \
*62c56f98SSadaf Ebrahimi        if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0)        \
*62c56f98SSadaf Ebrahimi        {                                                                       \
*62c56f98SSadaf Ebrahimi            MBEDTLS_SSL_DEBUG_MSG(1,                                           \
*62c56f98SSadaf Ebrahimi                                  ("missing input data in %s", __func__));  \
*62c56f98SSadaf Ebrahimi            MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,   \
*62c56f98SSadaf Ebrahimi                                         MBEDTLS_ERR_SSL_DECODE_ERROR);       \
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_DECODE_ERROR;                             \
*62c56f98SSadaf Ebrahimi        }                                                                       \
*62c56f98SSadaf Ebrahimi    } while (0)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#ifdef __cplusplus
*62c56f98SSadaf Ebrahimiextern "C" {
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimitypedef int  mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
*62c56f98SSadaf Ebrahimi                                    const char *label,
*62c56f98SSadaf Ebrahimi                                    const unsigned char *random, size_t rlen,
*62c56f98SSadaf Ebrahimi                                    unsigned char *dstbuf, size_t dlen);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* cipher.h exports the maximum IV, key and block length from
*62c56f98SSadaf Ebrahimi * all ciphers enabled in the config, regardless of whether those
*62c56f98SSadaf Ebrahimi * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
*62c56f98SSadaf Ebrahimi * in the default configuration and uses 64 Byte keys, but it is
*62c56f98SSadaf Ebrahimi * not used for record protection in SSL/TLS.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * In order to prevent unnecessary inflation of key structures,
*62c56f98SSadaf Ebrahimi * we introduce SSL-specific variants of the max-{key,block,IV}
*62c56f98SSadaf Ebrahimi * macros here which are meant to only take those ciphers into
*62c56f98SSadaf Ebrahimi * account which can be negotiated in SSL/TLS.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
*62c56f98SSadaf Ebrahimi * in cipher.h are rough overapproximations of the real maxima, here
*62c56f98SSadaf Ebrahimi * we content ourselves with replicating those overapproximations
*62c56f98SSadaf Ebrahimi * for the maximum block and IV length, and excluding XTS from the
*62c56f98SSadaf Ebrahimi * computation of the maximum key length. */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_IV_LENGTH    16
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_MAX_KEY_LENGTH   32
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief   The data structure holding the cryptographic material (key and IV)
*62c56f98SSadaf Ebrahimi *          used for record protection in TLS 1.3.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistruct mbedtls_ssl_key_set {
*62c56f98SSadaf Ebrahimi    /*! The key for client->server records. */
*62c56f98SSadaf Ebrahimi    unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
*62c56f98SSadaf Ebrahimi    /*! The key for server->client records. */
*62c56f98SSadaf Ebrahimi    unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
*62c56f98SSadaf Ebrahimi    /*! The IV  for client->server records. */
*62c56f98SSadaf Ebrahimi    unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
*62c56f98SSadaf Ebrahimi    /*! The IV  for server->client records. */
*62c56f98SSadaf Ebrahimi    unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    size_t key_len; /*!< The length of client_write_key and
*62c56f98SSadaf Ebrahimi                     *   server_write_key, in Bytes. */
*62c56f98SSadaf Ebrahimi    size_t iv_len;  /*!< The length of client_write_iv and
*62c56f98SSadaf Ebrahimi                     *   server_write_iv, in Bytes. */
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimitypedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimitypedef struct {
*62c56f98SSadaf Ebrahimi    unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi    unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi    unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi} mbedtls_ssl_tls13_early_secrets;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimitypedef struct {
*62c56f98SSadaf Ebrahimi    unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi    unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi} mbedtls_ssl_tls13_handshake_secrets;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * This structure contains the parameters only needed during handshake.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistruct mbedtls_ssl_handshake_params {
*62c56f98SSadaf Ebrahimi    /* Frequently-used boolean or byte fields (placed early to take
*62c56f98SSadaf Ebrahimi     * advantage of smaller code size for indirect access on Arm Thumb) */
*62c56f98SSadaf Ebrahimi    uint8_t resume;                     /*!<  session resume indicator*/
*62c56f98SSadaf Ebrahimi    uint8_t cli_exts;                   /*!< client extension presence*/
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
*62c56f98SSadaf Ebrahimi    uint8_t sni_authmode;               /*!< authmode from SNI callback     */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SRV_C)
*62c56f98SSadaf Ebrahimi    /* Flag indicating if a CertificateRequest message has been sent
*62c56f98SSadaf Ebrahimi     * to the client or not. */
*62c56f98SSadaf Ebrahimi    uint8_t certificate_request_sent;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SRV_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SESSION_TICKETS)
*62c56f98SSadaf Ebrahimi    uint8_t new_session_ticket;         /*!< use NewSessionTicket?    */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SESSION_TICKETS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_CLI_C)
*62c56f98SSadaf Ebrahimi    /** Minimum TLS version to be negotiated.
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     *  It is set up in the ClientHello writing preparation stage and used
*62c56f98SSadaf Ebrahimi     *  throughout the ClientHello writing. Not relevant anymore as soon as
*62c56f98SSadaf Ebrahimi     *  the protocol version has been negotiated thus as soon as the
*62c56f98SSadaf Ebrahimi     *  ServerHello is received.
*62c56f98SSadaf Ebrahimi     *  For a fresh handshake not linked to any previous handshake, it is
*62c56f98SSadaf Ebrahimi     *  equal to the configured minimum minor version to be negotiated. When
*62c56f98SSadaf Ebrahimi     *  renegotiating or resuming a session, it is equal to the previously
*62c56f98SSadaf Ebrahimi     *  negotiated minor version.
*62c56f98SSadaf Ebrahimi     *
*62c56f98SSadaf Ebrahimi     *  There is no maximum TLS version field in this handshake context.
*62c56f98SSadaf Ebrahimi     *  From the start of the handshake, we need to define a current protocol
*62c56f98SSadaf Ebrahimi     *  version for the record layer which we define as the maximum TLS
*62c56f98SSadaf Ebrahimi     *  version to be negotiated. The `tls_version` field of the SSL context is
*62c56f98SSadaf Ebrahimi     *  used to store this maximum value until it contains the actual
*62c56f98SSadaf Ebrahimi     *  negotiated value.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_protocol_version min_tls_version;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
*62c56f98SSadaf Ebrahimi    uint8_t extended_ms;                /*!< use Extended Master Secret? */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
*62c56f98SSadaf Ebrahimi    uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi    unsigned char retransmit_state;     /*!<  Retransmission state           */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_DEPRECATED_REMOVED)
*62c56f98SSadaf Ebrahimi    unsigned char group_list_heap_allocated;
*62c56f98SSadaf Ebrahimi    unsigned char sig_algs_heap_allocated;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
*62c56f98SSadaf Ebrahimi    uint8_t ecrs_enabled;               /*!< Handshake supports EC restart? */
*62c56f98SSadaf Ebrahimi    enum { /* this complements ssl->state with info on intra-state operations */
*62c56f98SSadaf Ebrahimi        ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
*62c56f98SSadaf Ebrahimi        ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
*62c56f98SSadaf Ebrahimi        ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
*62c56f98SSadaf Ebrahimi        ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
*62c56f98SSadaf Ebrahimi        ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
*62c56f98SSadaf Ebrahimi    } ecrs_state;                       /*!< current (or last) operation    */
*62c56f98SSadaf Ebrahimi    mbedtls_x509_crt *ecrs_peer_cert;   /*!< The peer's CRT chain.          */
*62c56f98SSadaf Ebrahimi    size_t ecrs_n;                      /*!< place for saving a length      */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    MBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimi    int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
*62c56f98SSadaf Ebrahimi    MBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimi    int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
*62c56f98SSadaf Ebrahimi    MBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimi    int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_tls_prf_cb *tls_prf;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Handshake specific crypto variables
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimi    uint8_t key_exchange_mode; /*!< Selected key exchange mode */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /** Number of HelloRetryRequest messages received/sent from/to the server. */
*62c56f98SSadaf Ebrahimi    int hello_retry_request_count;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SRV_C)
*62c56f98SSadaf Ebrahimi    /** selected_group of key_share extension in HelloRetryRequest message. */
*62c56f98SSadaf Ebrahimi    uint16_t hrr_selected_group;
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
*62c56f98SSadaf Ebrahimi    uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SESSION_TICKETS)
*62c56f98SSadaf Ebrahimi    uint16_t new_session_tickets_count;         /*!< number of session tickets */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SRV_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
*62c56f98SSadaf Ebrahimi    uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_DEPRECATED_REMOVED)
*62c56f98SSadaf Ebrahimi    const uint16_t *group_list;
*62c56f98SSadaf Ebrahimi    const uint16_t *sig_algs;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_DHM_C)
*62c56f98SSadaf Ebrahimi    mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
*62c56f98SSadaf Ebrahimi    mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
*62c56f98SSadaf Ebrahimi#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
*62c56f98SSadaf Ebrahimi          MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
*62c56f98SSadaf Ebrahimi    psa_key_type_t xxdh_psa_type;
*62c56f98SSadaf Ebrahimi    size_t xxdh_psa_bits;
*62c56f98SSadaf Ebrahimi    mbedtls_svc_key_id_t xxdh_psa_privkey;
*62c56f98SSadaf Ebrahimi    uint8_t xxdh_psa_privkey_is_external;
*62c56f98SSadaf Ebrahimi    unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
*62c56f98SSadaf Ebrahimi    size_t xxdh_psa_peerkey_len;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi    psa_pake_operation_t psa_pake_ctx;        /*!< EC J-PAKE key exchange */
*62c56f98SSadaf Ebrahimi    mbedtls_svc_key_id_t psa_pake_password;
*62c56f98SSadaf Ebrahimi    uint8_t psa_pake_ctx_is_ok;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_USE_PSA_CRYPTO */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_CLI_C)
*62c56f98SSadaf Ebrahimi    unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
*62c56f98SSadaf Ebrahimi    size_t ecjpake_cache_len;                   /*!< Length of cached data */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
*62c56f98SSadaf Ebrahimi    uint16_t *curves_tls_id;      /*!<  List of TLS IDs of supported elliptic curves */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi    mbedtls_svc_key_id_t psk_opaque;            /*!< Opaque PSK from the callback   */
*62c56f98SSadaf Ebrahimi    uint8_t psk_opaque_is_internal;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    unsigned char *psk;                 /*!<  PSK from the callback         */
*62c56f98SSadaf Ebrahimi    size_t psk_len;                     /*!<  Length of PSK from callback   */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_USE_PSA_CRYPTO */
*62c56f98SSadaf Ebrahimi    uint16_t    selected_identity;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
*62c56f98SSadaf Ebrahimi    mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_X509_CRT_PARSE_C)
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
*62c56f98SSadaf Ebrahimi    mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
*62c56f98SSadaf Ebrahimi    mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_X509_CRT_PARSE_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_X509_CRT_PARSE_C) &&        \
*62c56f98SSadaf Ebrahimi    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
*62c56f98SSadaf Ebrahimi    mbedtls_pk_context peer_pubkey;     /*!< The public key from the peer.  */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    struct {
*62c56f98SSadaf Ebrahimi        size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
*62c56f98SSadaf Ebrahimi                                      *   buffers used for message buffering. */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        uint8_t seen_ccs;               /*!< Indicates if a CCS message has
*62c56f98SSadaf Ebrahimi                                         *   been seen in the current flight. */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        struct mbedtls_ssl_hs_buffer {
*62c56f98SSadaf Ebrahimi            unsigned is_valid      : 1;
*62c56f98SSadaf Ebrahimi            unsigned is_fragmented : 1;
*62c56f98SSadaf Ebrahimi            unsigned is_complete   : 1;
*62c56f98SSadaf Ebrahimi            unsigned char *data;
*62c56f98SSadaf Ebrahimi            size_t data_len;
*62c56f98SSadaf Ebrahimi        } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        struct {
*62c56f98SSadaf Ebrahimi            unsigned char *data;
*62c56f98SSadaf Ebrahimi            size_t len;
*62c56f98SSadaf Ebrahimi            unsigned epoch;
*62c56f98SSadaf Ebrahimi        } future_record;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    } buffering;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_CLI_C) && \
*62c56f98SSadaf Ebrahimi    (defined(MBEDTLS_SSL_PROTO_DTLS) || \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_PROTO_TLS1_3))
*62c56f98SSadaf Ebrahimi    unsigned char *cookie;              /*!< HelloVerifyRequest cookie for DTLS
*62c56f98SSadaf Ebrahimi                                         *   HelloRetryRequest cookie for TLS 1.3 */
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimi    /* RFC 6347 page 15
*62c56f98SSadaf Ebrahimi       ...
*62c56f98SSadaf Ebrahimi       opaque cookie<0..2^8-1>;
*62c56f98SSadaf Ebrahimi       ...
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    uint8_t cookie_len;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    /* RFC 8446 page 39
*62c56f98SSadaf Ebrahimi       ...
*62c56f98SSadaf Ebrahimi       opaque cookie<0..2^16-1>;
*62c56f98SSadaf Ebrahimi       ...
*62c56f98SSadaf Ebrahimi       If TLS1_3 is enabled, the max length is 2^16 - 1
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    uint16_t cookie_len;                /*!< DTLS: HelloVerifyRequest cookie length
*62c56f98SSadaf Ebrahimi                                         *   TLS1_3: HelloRetryRequest cookie length */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_CLI_C &&
*62c56f98SSadaf Ebrahimi          ( MBEDTLS_SSL_PROTO_DTLS ||
*62c56f98SSadaf Ebrahimi            MBEDTLS_SSL_PROTO_TLS1_3 ) */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi    unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
*62c56f98SSadaf Ebrahimi    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
*62c56f98SSadaf Ebrahimi    unsigned char *cur_msg_p;           /*!<  Position in current message    */
*62c56f98SSadaf Ebrahimi    unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
*62c56f98SSadaf Ebrahimi                                              flight being received          */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
*62c56f98SSadaf Ebrahimi                                                   resending messages             */
*62c56f98SSadaf Ebrahimi    unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!<  Alternative record epoch/counter
*62c56f98SSadaf Ebrahimi                                                                      for resending messages         */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi    /* The state of CID configuration in this handshake. */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
*62c56f98SSadaf Ebrahimi                         *   has been negotiated. Possible values are
*62c56f98SSadaf Ebrahimi                         *   #MBEDTLS_SSL_CID_ENABLED and
*62c56f98SSadaf Ebrahimi                         *   #MBEDTLS_SSL_CID_DISABLED. */
*62c56f98SSadaf Ebrahimi    unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];   /*! The peer's CID */
*62c56f98SSadaf Ebrahimi    uint8_t peer_cid_len;                                  /*!< The length of
*62c56f98SSadaf Ebrahimi                                                            *   \c peer_cid.  */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_DTLS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Checksum contexts
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA256)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi    psa_hash_operation_t fin_sha256_psa;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    mbedtls_md_context_t fin_sha256;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA384)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi    psa_hash_operation_t fin_sha384_psa;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    mbedtls_md_context_t fin_sha384;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimi    uint16_t offered_group_id; /* The NamedGroup value for the group
*62c56f98SSadaf Ebrahimi                                * that is being used for ephemeral
*62c56f98SSadaf Ebrahimi                                * key exchange.
*62c56f98SSadaf Ebrahimi                                *
*62c56f98SSadaf Ebrahimi                                * On the client: Defaults to the first
*62c56f98SSadaf Ebrahimi                                * entry in the client's group list,
*62c56f98SSadaf Ebrahimi                                * but can be overwritten by the HRR. */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_CLI_C)
*62c56f98SSadaf Ebrahimi    uint8_t client_auth;       /*!< used to check if CertificateRequest has been
*62c56f98SSadaf Ebrahimi                                    received from server side. If CertificateRequest
*62c56f98SSadaf Ebrahimi                                    has been received, Certificate and CertificateVerify
*62c56f98SSadaf Ebrahimi                                    should be sent to server */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_CLI_C */
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * State-local variables used during the processing
*62c56f98SSadaf Ebrahimi     * of a specific handshake state.
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    union {
*62c56f98SSadaf Ebrahimi        /* Outgoing Finished message */
*62c56f98SSadaf Ebrahimi        struct {
*62c56f98SSadaf Ebrahimi            uint8_t preparation_done;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            /* Buffer holding digest of the handshake up to
*62c56f98SSadaf Ebrahimi             * but excluding the outgoing finished message. */
*62c56f98SSadaf Ebrahimi            unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi            size_t digest_len;
*62c56f98SSadaf Ebrahimi        } finished_out;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        /* Incoming Finished message */
*62c56f98SSadaf Ebrahimi        struct {
*62c56f98SSadaf Ebrahimi            uint8_t preparation_done;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi            /* Buffer holding digest of the handshake up to but
*62c56f98SSadaf Ebrahimi             * excluding the peer's incoming finished message. */
*62c56f98SSadaf Ebrahimi            unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi            size_t digest_len;
*62c56f98SSadaf Ebrahimi        } finished_in;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    } state_local;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* End of state-local variables. */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
*62c56f98SSadaf Ebrahimi                            MBEDTLS_SERVER_HELLO_RANDOM_LEN];
*62c56f98SSadaf Ebrahimi    /*!<  random bytes            */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi    unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
*62c56f98SSadaf Ebrahimi    /*!<  premaster secret        */
*62c56f98SSadaf Ebrahimi    size_t pmslen;                      /*!<  premaster length        */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimi    uint32_t sent_extensions;       /*!< extensions sent by endpoint */
*62c56f98SSadaf Ebrahimi    uint32_t received_extensions;   /*!< extensions received by endpoint */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
*62c56f98SSadaf Ebrahimi    unsigned char certificate_request_context_len;
*62c56f98SSadaf Ebrahimi    unsigned char *certificate_request_context;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /** TLS 1.3 transform for encrypted handshake messages. */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_transform *transform_handshake;
*62c56f98SSadaf Ebrahimi    union {
*62c56f98SSadaf Ebrahimi        unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi        unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi        unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
*62c56f98SSadaf Ebrahimi    } tls13_master_secrets;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_EARLY_DATA)
*62c56f98SSadaf Ebrahimi    /** TLS 1.3 transform for early data and handshake messages. */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_transform *transform_earlydata;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
*62c56f98SSadaf Ebrahimi    /** Asynchronous operation context. This field is meant for use by the
*62c56f98SSadaf Ebrahimi     * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
*62c56f98SSadaf Ebrahimi     * mbedtls_ssl_config::f_async_decrypt_start,
*62c56f98SSadaf Ebrahimi     * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
*62c56f98SSadaf Ebrahimi     * The library does not use it internally. */
*62c56f98SSadaf Ebrahimi    void *user_async_ctx;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
*62c56f98SSadaf Ebrahimi    const unsigned char *sni_name;      /*!< raw SNI                        */
*62c56f98SSadaf Ebrahimi    size_t sni_name_len;                /*!< raw SNI len                    */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
*62c56f98SSadaf Ebrahimi    const mbedtls_x509_crt *dn_hints;   /*!< acceptable client cert issuers */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimitypedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Representation of decryption/encryption transformations on records
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * There are the following general types of record transformations:
*62c56f98SSadaf Ebrahimi * - Stream transformations (TLS versions == 1.2 only)
*62c56f98SSadaf Ebrahimi *   Transformation adding a MAC and applying a stream-cipher
*62c56f98SSadaf Ebrahimi *   to the authenticated message.
*62c56f98SSadaf Ebrahimi * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
*62c56f98SSadaf Ebrahimi *   For TLS 1.2, no IV is generated at key extraction time, but every
*62c56f98SSadaf Ebrahimi *   encrypted record is explicitly prefixed by the IV with which it was
*62c56f98SSadaf Ebrahimi *   encrypted.
*62c56f98SSadaf Ebrahimi * - AEAD transformations ([D]TLS versions == 1.2 only)
*62c56f98SSadaf Ebrahimi *   These come in two fundamentally different versions, the first one
*62c56f98SSadaf Ebrahimi *   used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
*62c56f98SSadaf Ebrahimi *   one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
*62c56f98SSadaf Ebrahimi *   In the first transformation, the IV to be used for a record is obtained
*62c56f98SSadaf Ebrahimi *   as the concatenation of an explicit, static 4-byte IV and the 8-byte
*62c56f98SSadaf Ebrahimi *   record sequence number, and explicitly prepending this sequence number
*62c56f98SSadaf Ebrahimi *   to the encrypted record. In contrast, in the second transformation
*62c56f98SSadaf Ebrahimi *   the IV is obtained by XOR'ing a static IV obtained at key extraction
*62c56f98SSadaf Ebrahimi *   time with the 8-byte record sequence number, without prepending the
*62c56f98SSadaf Ebrahimi *   latter to the encrypted record.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
*62c56f98SSadaf Ebrahimi * which allows to add flexible length padding and to hide a record's true
*62c56f98SSadaf Ebrahimi * content type.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * In addition to type and version, the following parameters are relevant:
*62c56f98SSadaf Ebrahimi * - The symmetric cipher algorithm to be used.
*62c56f98SSadaf Ebrahimi * - The (static) encryption/decryption keys for the cipher.
*62c56f98SSadaf Ebrahimi * - For stream/CBC, the type of message digest to be used.
*62c56f98SSadaf Ebrahimi * - For stream/CBC, (static) encryption/decryption keys for the digest.
*62c56f98SSadaf Ebrahimi * - For AEAD transformations, the size (potentially 0) of an explicit,
*62c56f98SSadaf Ebrahimi *   random initialization vector placed in encrypted records.
*62c56f98SSadaf Ebrahimi * - For some transformations (currently AEAD) an implicit IV. It is static
*62c56f98SSadaf Ebrahimi *   and (if present) is combined with the explicit IV in a transformation-
*62c56f98SSadaf Ebrahimi *   -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
*62c56f98SSadaf Ebrahimi * - For stream/CBC, a flag determining the order of encryption and MAC.
*62c56f98SSadaf Ebrahimi * - The details of the transformation depend on the SSL/TLS version.
*62c56f98SSadaf Ebrahimi * - The length of the authentication tag.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The struct below refines this abstract view as follows:
*62c56f98SSadaf Ebrahimi * - The cipher underlying the transformation is managed in
*62c56f98SSadaf Ebrahimi *   cipher contexts cipher_ctx_{enc/dec}, which must have the
*62c56f98SSadaf Ebrahimi *   same cipher type. The mode of these cipher contexts determines
*62c56f98SSadaf Ebrahimi *   the type of the transformation in the sense above: e.g., if
*62c56f98SSadaf Ebrahimi *   the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
*62c56f98SSadaf Ebrahimi *   then the transformation has type CBC resp. AEAD.
*62c56f98SSadaf Ebrahimi * - The cipher keys are never stored explicitly but
*62c56f98SSadaf Ebrahimi *   are maintained within cipher_ctx_{enc/dec}.
*62c56f98SSadaf Ebrahimi * - For stream/CBC transformations, the message digest contexts
*62c56f98SSadaf Ebrahimi *   used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
*62c56f98SSadaf Ebrahimi *   are unused for AEAD transformations.
*62c56f98SSadaf Ebrahimi * - For stream/CBC transformations, the MAC keys are not stored explicitly
*62c56f98SSadaf Ebrahimi *   but maintained within md_ctx_{enc/dec}.
*62c56f98SSadaf Ebrahimi * - The mac_enc and mac_dec fields are unused for EAD transformations.
*62c56f98SSadaf Ebrahimi * - For transformations using an implicit IV maintained within
*62c56f98SSadaf Ebrahimi *   the transformation context, its contents are stored within
*62c56f98SSadaf Ebrahimi *   iv_{enc/dec}.
*62c56f98SSadaf Ebrahimi * - The value of ivlen indicates the length of the IV.
*62c56f98SSadaf Ebrahimi *   This is redundant in case of stream/CBC transformations
*62c56f98SSadaf Ebrahimi *   which always use 0 resp. the cipher's block length as the
*62c56f98SSadaf Ebrahimi *   IV length, but is needed for AEAD ciphers and may be
*62c56f98SSadaf Ebrahimi *   different from the underlying cipher's block length
*62c56f98SSadaf Ebrahimi *   in this case.
*62c56f98SSadaf Ebrahimi * - The field fixed_ivlen is nonzero for AEAD transformations only
*62c56f98SSadaf Ebrahimi *   and indicates the length of the static part of the IV which is
*62c56f98SSadaf Ebrahimi *   constant throughout the communication, and which is stored in
*62c56f98SSadaf Ebrahimi *   the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
*62c56f98SSadaf Ebrahimi * - tls_version denotes the 2-byte TLS version
*62c56f98SSadaf Ebrahimi * - For stream/CBC transformations, maclen denotes the length of the
*62c56f98SSadaf Ebrahimi *   authentication tag, while taglen is unused and 0.
*62c56f98SSadaf Ebrahimi * - For AEAD transformations, taglen denotes the length of the
*62c56f98SSadaf Ebrahimi *   authentication tag, while maclen is unused and 0.
*62c56f98SSadaf Ebrahimi * - For CBC transformations, encrypt_then_mac determines the
*62c56f98SSadaf Ebrahimi *   order of encryption and authentication. This field is unused
*62c56f98SSadaf Ebrahimi *   in other transformations.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistruct mbedtls_ssl_transform {
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * Session specific crypto layer
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    size_t minlen;                      /*!<  min. ciphertext length  */
*62c56f98SSadaf Ebrahimi    size_t ivlen;                       /*!<  IV length               */
*62c56f98SSadaf Ebrahimi    size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
*62c56f98SSadaf Ebrahimi    size_t maclen;                      /*!<  MAC(CBC) len            */
*62c56f98SSadaf Ebrahimi    size_t taglen;                      /*!<  TAG(AEAD) len           */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
*62c56f98SSadaf Ebrahimi    unsigned char iv_dec[16];           /*!<  IV (decryption)         */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi    mbedtls_svc_key_id_t psa_mac_enc;           /*!<  MAC (encryption)        */
*62c56f98SSadaf Ebrahimi    mbedtls_svc_key_id_t psa_mac_dec;           /*!<  MAC (decryption)        */
*62c56f98SSadaf Ebrahimi    psa_algorithm_t psa_mac_alg;                /*!<  psa MAC algorithm       */
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
*62c56f98SSadaf Ebrahimi    mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_USE_PSA_CRYPTO */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
*62c56f98SSadaf Ebrahimi    int encrypt_then_mac;       /*!< flag for EtM activation                */
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_protocol_version tls_version;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi    mbedtls_svc_key_id_t psa_key_enc;           /*!<  psa encryption key      */
*62c56f98SSadaf Ebrahimi    mbedtls_svc_key_id_t psa_key_dec;           /*!<  psa decryption key      */
*62c56f98SSadaf Ebrahimi    psa_algorithm_t psa_alg;                    /*!<  psa algorithm           */
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
*62c56f98SSadaf Ebrahimi    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_USE_PSA_CRYPTO */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi    uint8_t in_cid_len;
*62c56f98SSadaf Ebrahimi    uint8_t out_cid_len;
*62c56f98SSadaf Ebrahimi    unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
*62c56f98SSadaf Ebrahimi    unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
*62c56f98SSadaf Ebrahimi    /* We need the Hello random bytes in order to re-derive keys from the
*62c56f98SSadaf Ebrahimi     * Master Secret and other session info,
*62c56f98SSadaf Ebrahimi     * see ssl_tls12_populate_transform() */
*62c56f98SSadaf Ebrahimi    unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
*62c56f98SSadaf Ebrahimi                            MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
*62c56f98SSadaf Ebrahimi    /*!< ServerHello.random+ClientHello.random */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
*62c56f98SSadaf Ebrahimi * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_transform_uses_aead(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_transform *transform)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
*62c56f98SSadaf Ebrahimi    return transform->maclen == 0 && transform->taglen != 0;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    (void) transform;
*62c56f98SSadaf Ebrahimi    return 1;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Internal representation of record frames
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Instances come in two flavors:
*62c56f98SSadaf Ebrahimi * (1) Encrypted
*62c56f98SSadaf Ebrahimi *     These always have data_offset = 0
*62c56f98SSadaf Ebrahimi * (2) Unencrypted
*62c56f98SSadaf Ebrahimi *     These have data_offset set to the amount of
*62c56f98SSadaf Ebrahimi *     pre-expansion during record protection. Concretely,
*62c56f98SSadaf Ebrahimi *     this is the length of the fixed part of the explicit IV
*62c56f98SSadaf Ebrahimi *     used for encryption, or 0 if no explicit IV is used
*62c56f98SSadaf Ebrahimi *     (e.g. for stream ciphers).
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * The reason for the data_offset in the unencrypted case
*62c56f98SSadaf Ebrahimi * is to allow for in-place conversion of an unencrypted to
*62c56f98SSadaf Ebrahimi * an encrypted record. If the offset wasn't included, the
*62c56f98SSadaf Ebrahimi * encrypted content would need to be shifted afterwards to
*62c56f98SSadaf Ebrahimi * make space for the fixed IV.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimitypedef struct {
*62c56f98SSadaf Ebrahimi    uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN];  /* In TLS:  The implicit record sequence number.
*62c56f98SSadaf Ebrahimi                                                    * In DTLS: The 2-byte epoch followed by
*62c56f98SSadaf Ebrahimi                                                    *          the 6-byte sequence number.
*62c56f98SSadaf Ebrahimi                                                    * This is stored as a raw big endian byte array
*62c56f98SSadaf Ebrahimi                                                    * as opposed to a uint64_t because we rarely
*62c56f98SSadaf Ebrahimi                                                    * need to perform arithmetic on this, but do
*62c56f98SSadaf Ebrahimi                                                    * need it as a Byte array for the purpose of
*62c56f98SSadaf Ebrahimi                                                    * MAC computations.                             */
*62c56f98SSadaf Ebrahimi    uint8_t type;           /* The record content type.                      */
*62c56f98SSadaf Ebrahimi    uint8_t ver[2];         /* SSL/TLS version as present on the wire.
*62c56f98SSadaf Ebrahimi                             * Convert to internal presentation of versions
*62c56f98SSadaf Ebrahimi                             * using mbedtls_ssl_read_version() and
*62c56f98SSadaf Ebrahimi                             * mbedtls_ssl_write_version().
*62c56f98SSadaf Ebrahimi                             * Keep wire-format for MAC computations.        */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    unsigned char *buf;     /* Memory buffer enclosing the record content    */
*62c56f98SSadaf Ebrahimi    size_t buf_len;         /* Buffer length                                 */
*62c56f98SSadaf Ebrahimi    size_t data_offset;     /* Offset of record content                      */
*62c56f98SSadaf Ebrahimi    size_t data_len;        /* Length of record content                      */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
*62c56f98SSadaf Ebrahimi    uint8_t cid_len;        /* Length of the CID (0 if not present)          */
*62c56f98SSadaf Ebrahimi    unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX];   /* The CID                 */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
*62c56f98SSadaf Ebrahimi} mbedtls_record;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_X509_CRT_PARSE_C)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * List of certificate + private key pairs
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistruct mbedtls_ssl_key_cert {
*62c56f98SSadaf Ebrahimi    mbedtls_x509_crt *cert;                 /*!< cert                       */
*62c56f98SSadaf Ebrahimi    mbedtls_pk_context *key;                /*!< private key                */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_X509_CRT_PARSE_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * List of handshake messages kept around for resending
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistruct mbedtls_ssl_flight_item {
*62c56f98SSadaf Ebrahimi    unsigned char *p;       /*!< message, including handshake headers   */
*62c56f98SSadaf Ebrahimi    size_t len;             /*!< length of p                            */
*62c56f98SSadaf Ebrahimi    unsigned char type;     /*!< type of the message: handshake or CCS  */
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
*62c56f98SSadaf Ebrahimi};
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_DTLS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Given an SSL context and its associated configuration, write the TLS
*62c56f98SSadaf Ebrahimi *        1.2 specific extensions of the ClientHello message.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param[in]   ssl     SSL context
*62c56f98SSadaf Ebrahimi * \param[in]   buf     Base address of the buffer where to write the extensions
*62c56f98SSadaf Ebrahimi * \param[in]   end     End address of the buffer where to write the extensions
*62c56f98SSadaf Ebrahimi * \param       uses_ec Whether one proposed ciphersuite uses an elliptic curve
*62c56f98SSadaf Ebrahimi *                      (<> 0) or not ( 0 ).
*62c56f98SSadaf Ebrahimi * \param[out]  out_len Length of the data written into the buffer \p buf
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                              unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                              const unsigned char *end,
*62c56f98SSadaf Ebrahimi                                              int uses_ec,
*62c56f98SSadaf Ebrahimi                                              size_t *out_len);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Find the preferred hash for a given signature algorithm.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param[in]   ssl     SSL context
*62c56f98SSadaf Ebrahimi * \param[in]   sig_alg A signature algorithm identifier as defined in the
*62c56f98SSadaf Ebrahimi *                      TLS 1.2 SignatureAlgorithm enumeration.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return  The preferred hash algorithm for \p sig_alg. It is a hash algorithm
*62c56f98SSadaf Ebrahimi *          identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiunsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    unsigned int sig_alg);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
*62c56f98SSadaf Ebrahimi          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief           Free referenced items in an SSL transform context and clear
*62c56f98SSadaf Ebrahimi *                  memory
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param transform SSL transform context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief           Free referenced items in an SSL handshake context and clear
*62c56f98SSadaf Ebrahimi *                  memory
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param ssl       SSL context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* set inbound transform of ssl context */
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                       mbedtls_ssl_transform *transform);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* set outbound transform of ssl context */
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                        mbedtls_ssl_transform *transform);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimistatic inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                                   mbedtls_ssl_states state)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    ssl->state = (int) state;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2  */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief       Update record layer
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              This function roughly separates the implementation
*62c56f98SSadaf Ebrahimi *              of the logic of (D)TLS from the implementation
*62c56f98SSadaf Ebrahimi *              of the secure transport.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param  ssl              The SSL context to use.
*62c56f98SSadaf Ebrahimi * \param  update_hs_digest This indicates if the handshake digest
*62c56f98SSadaf Ebrahimi *                          should be automatically updated in case
*62c56f98SSadaf Ebrahimi *                          a handshake message is found.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return      0 or non-zero error code.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \note        A clarification on what is called 'record layer' here
*62c56f98SSadaf Ebrahimi *              is in order, as many sensible definitions are possible:
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              The record layer takes as input an untrusted underlying
*62c56f98SSadaf Ebrahimi *              transport (stream or datagram) and transforms it into
*62c56f98SSadaf Ebrahimi *              a serially multiplexed, secure transport, which
*62c56f98SSadaf Ebrahimi *              conceptually provides the following:
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              (1) Three datagram based, content-agnostic transports
*62c56f98SSadaf Ebrahimi *                  for handshake, alert and CCS messages.
*62c56f98SSadaf Ebrahimi *              (2) One stream- or datagram-based transport
*62c56f98SSadaf Ebrahimi *                  for application data.
*62c56f98SSadaf Ebrahimi *              (3) Functionality for changing the underlying transform
*62c56f98SSadaf Ebrahimi *                  securing the contents.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              The interface to this functionality is given as follows:
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              a Updating
*62c56f98SSadaf Ebrahimi *                [Currently implemented by mbedtls_ssl_read_record]
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *                Check if and on which of the four 'ports' data is pending:
*62c56f98SSadaf Ebrahimi *                Nothing, a controlling datagram of type (1), or application
*62c56f98SSadaf Ebrahimi *                data (2). In any case data is present, internal buffers
*62c56f98SSadaf Ebrahimi *                provide access to the data for the user to process it.
*62c56f98SSadaf Ebrahimi *                Consumption of type (1) datagrams is done automatically
*62c56f98SSadaf Ebrahimi *                on the next update, invalidating that the internal buffers
*62c56f98SSadaf Ebrahimi *                for previous datagrams, while consumption of application
*62c56f98SSadaf Ebrahimi *                data (2) is user-controlled.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              b Reading of application data
*62c56f98SSadaf Ebrahimi *                [Currently manual adaption of ssl->in_offt pointer]
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *                As mentioned in the last paragraph, consumption of data
*62c56f98SSadaf Ebrahimi *                is different from the automatic consumption of control
*62c56f98SSadaf Ebrahimi *                datagrams (1) because application data is treated as a stream.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              c Tracking availability of application data
*62c56f98SSadaf Ebrahimi *                [Currently manually through decreasing ssl->in_msglen]
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *                For efficiency and to retain datagram semantics for
*62c56f98SSadaf Ebrahimi *                application data in case of DTLS, the record layer
*62c56f98SSadaf Ebrahimi *                provides functionality for checking how much application
*62c56f98SSadaf Ebrahimi *                data is still available in the internal buffer.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              d Changing the transformation securing the communication.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi *              Given an opaque implementation of the record layer in the
*62c56f98SSadaf Ebrahimi *              above sense, it should be possible to implement the logic
*62c56f98SSadaf Ebrahimi *              of (D)TLS on top of it without the need to know anything
*62c56f98SSadaf Ebrahimi *              about the record layer's internals. This is done e.g.
*62c56f98SSadaf Ebrahimi *              in all the handshake handling functions, and in the
*62c56f98SSadaf Ebrahimi *              application data reading function mbedtls_ssl_read.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \note        The above tries to give a conceptual picture of the
*62c56f98SSadaf Ebrahimi *              record layer, but the current implementation deviates
*62c56f98SSadaf Ebrahimi *              from it in some places. For example, our implementation of
*62c56f98SSadaf Ebrahimi *              the update functionality through mbedtls_ssl_read_record
*62c56f98SSadaf Ebrahimi *              discards datagrams depending on the current state, which
*62c56f98SSadaf Ebrahimi *              wouldn't fall under the record layer's responsibility
*62c56f98SSadaf Ebrahimi *              following the above definition.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                            unsigned update_hs_digest);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Write handshake message header
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned hs_type,
*62c56f98SSadaf Ebrahimi                                    unsigned char **buf, size_t *buf_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                        int update_checksum,
*62c56f98SSadaf Ebrahimi                                        int force_flush);
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Write handshake message tail
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                     size_t buf_len, size_t msg_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                   const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Update checksum of handshake messages.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                       unsigned hs_type,
*62c56f98SSadaf Ebrahimi                                       unsigned char const *msg,
*62c56f98SSadaf Ebrahimi                                       size_t msg_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                       unsigned hs_type,
*62c56f98SSadaf Ebrahimi                                       size_t total_hs_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                     mbedtls_key_exchange_type_t key_ex);
*62c56f98SSadaf Ebrahimi#endif /* !MBEDTLS_USE_PSA_CRYPTO */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_CLI_C)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * Get the first defined opaque PSK by order of precedence:
*62c56f98SSadaf Ebrahimi * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
*62c56f98SSadaf Ebrahimi *    callback
*62c56f98SSadaf Ebrahimi * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
*62c56f98SSadaf Ebrahimi * Return an opaque PSK
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
*62c56f98SSadaf Ebrahimi        return ssl->handshake->psk_opaque;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
*62c56f98SSadaf Ebrahimi        return ssl->conf->psk_opaque;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return MBEDTLS_SVC_KEY_ID_INIT;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * Get the first defined PSK by order of precedence:
*62c56f98SSadaf Ebrahimi * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
*62c56f98SSadaf Ebrahimi * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
*62c56f98SSadaf Ebrahimi * Return a code and update the pair (PSK, PSK length) passed to this function
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                      const unsigned char **psk, size_t *psk_len)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
*62c56f98SSadaf Ebrahimi        *psk = ssl->handshake->psk;
*62c56f98SSadaf Ebrahimi        *psk_len = ssl->handshake->psk_len;
*62c56f98SSadaf Ebrahimi    } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
*62c56f98SSadaf Ebrahimi        *psk = ssl->conf->psk;
*62c56f98SSadaf Ebrahimi        *psk_len = ssl->conf->psk_len;
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        *psk = NULL;
*62c56f98SSadaf Ebrahimi        *psk_len = 0;
*62c56f98SSadaf Ebrahimi        return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_USE_PSA_CRYPTO */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_PK_C)
*62c56f98SSadaf Ebrahimiunsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
*62c56f98SSadaf Ebrahimiunsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
*62c56f98SSadaf Ebrahimimbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimimbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
*62c56f98SSadaf Ebrahimiunsigned char mbedtls_ssl_hash_from_md_alg(int md);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Return PSA EC info for the specified TLS ID.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param tls_id    The TLS ID to look for
*62c56f98SSadaf Ebrahimi * \param type      If the TLD ID is supported, then proper \c psa_key_type_t
*62c56f98SSadaf Ebrahimi *                  value is returned here. Can be NULL.
*62c56f98SSadaf Ebrahimi * \param bits      If the TLD ID is supported, then proper bit size is returned
*62c56f98SSadaf Ebrahimi *                  here. Can be NULL.
*62c56f98SSadaf Ebrahimi * \return          PSA_SUCCESS if the TLS ID is supported,
*62c56f98SSadaf Ebrahimi *                  PSA_ERROR_NOT_SUPPORTED otherwise
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \note            If either \c family or \c bits parameters are NULL, then
*62c56f98SSadaf Ebrahimi *                  the corresponding value is not returned.
*62c56f98SSadaf Ebrahimi *                  The function can be called with both parameters as NULL
*62c56f98SSadaf Ebrahimi *                  simply to check if a specific TLS ID is supported.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
*62c56f98SSadaf Ebrahimi                                               psa_key_type_t *type,
*62c56f98SSadaf Ebrahimi                                               size_t *bits);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param tls_id    The TLS ID to look for
*62c56f98SSadaf Ebrahimi * \return          Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
*62c56f98SSadaf Ebrahimi *                  or MBEDTLS_ECP_DP_NONE otherwise
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimimbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param grp_id    The \c mbedtls_ecp_group_id ID to look for
*62c56f98SSadaf Ebrahimi * \return          Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
*62c56f98SSadaf Ebrahimi *                  or 0 otherwise
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiuint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_DEBUG_C)
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Return EC's name for the specified TLS ID.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param tls_id    The TLS ID to look for
*62c56f98SSadaf Ebrahimi * \return          A pointer to a const string with the proper name. If TLS
*62c56f98SSadaf Ebrahimi *                  ID is not supported, a NULL pointer is returned instead.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiconst char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_SRTP)
*62c56f98SSadaf Ebrahimistatic inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
*62c56f98SSadaf Ebrahimi    (const uint16_t srtp_profile_value)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    switch (srtp_profile_value) {
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
*62c56f98SSadaf Ebrahimi            return srtp_profile_value;
*62c56f98SSadaf Ebrahimi        default: break;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return MBEDTLS_TLS_SRTP_UNSET;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_X509_CRT_PARSE_C)
*62c56f98SSadaf Ebrahimistatic inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_key_cert *key_cert;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
*62c56f98SSadaf Ebrahimi        key_cert = ssl->handshake->key_cert;
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        key_cert = ssl->conf->key_cert;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return key_cert == NULL ? NULL : key_cert->key;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_key_cert *key_cert;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
*62c56f98SSadaf Ebrahimi        key_cert = ssl->handshake->key_cert;
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        key_cert = ssl->conf->key_cert;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return key_cert == NULL ? NULL : key_cert->cert;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Check usage of a certificate wrt extensions:
*62c56f98SSadaf Ebrahimi * keyUsage, extendedKeyUsage (later), and nSCertType (later).
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
*62c56f98SSadaf Ebrahimi * check a cert we received from them)!
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * Return 0 if everything is OK, -1 if not.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
*62c56f98SSadaf Ebrahimi                                 const mbedtls_ssl_ciphersuite_t *ciphersuite,
*62c56f98SSadaf Ebrahimi                                 int cert_endpoint,
*62c56f98SSadaf Ebrahimi                                 uint32_t *flags);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_X509_CRT_PARSE_C */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_write_version(unsigned char version[2], int transport,
*62c56f98SSadaf Ebrahimi                               mbedtls_ssl_protocol_version tls_version);
*62c56f98SSadaf Ebrahimiuint16_t mbedtls_ssl_read_version(const unsigned char version[2],
*62c56f98SSadaf Ebrahimi                                  int transport);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi    ((void) ssl);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
*62c56f98SSadaf Ebrahimi        return 13;
*62c56f98SSadaf Ebrahimi    } else
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_DTLS */
*62c56f98SSadaf Ebrahimi    {
*62c56f98SSadaf Ebrahimi        return 5;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return (size_t) (ssl->out_iv - ssl->out_hdr);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
*62c56f98SSadaf Ebrahimi        return 12;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    ((void) ssl);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    return 4;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Visible for testing purposes only */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
*62c56f98SSadaf Ebrahimi                             const mbedtls_ssl_session *src);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                           unsigned char *hash, size_t *hashlen,
*62c56f98SSadaf Ebrahimi                                           unsigned char *data, size_t data_len,
*62c56f98SSadaf Ebrahimi                                           mbedtls_md_type_t md_alg);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#ifdef __cplusplus
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                            mbedtls_ssl_transform *transform,
*62c56f98SSadaf Ebrahimi                            mbedtls_record *rec,
*62c56f98SSadaf Ebrahimi                            int (*f_rng)(void *, unsigned char *, size_t),
*62c56f98SSadaf Ebrahimi                            void *p_rng);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
*62c56f98SSadaf Ebrahimi                            mbedtls_ssl_transform *transform,
*62c56f98SSadaf Ebrahimi                            mbedtls_record *rec);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Length of the "epoch" field in the record header */
*62c56f98SSadaf Ebrahimistatic inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimi    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
*62c56f98SSadaf Ebrahimi        return 2;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    ((void) ssl);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_DTLS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                     mbedtls_ssl_transform *transform);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                         int partial);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Send pending alert
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Set pending fatal alert flag.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                  unsigned char alert_type,
*62c56f98SSadaf Ebrahimi                                  int alert_reason);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Alias of mbedtls_ssl_pend_fatal_alert */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value)         \
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_RENEGOTIATION)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_RENEGOTIATION */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_DTLS)
*62c56f98SSadaf Ebrahimisize_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_DTLS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * ssl utils functions for checking configuration.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
*62c56f98SSadaf Ebrahimi           conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
*62c56f98SSadaf Ebrahimi           conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimi    return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
*62c56f98SSadaf Ebrahimi           conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    ((void) conf);
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi    return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
*62c56f98SSadaf Ebrahimi           conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2;
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimi    ((void) conf);
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
*62c56f98SSadaf Ebrahimi           conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimiextern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
*62c56f98SSadaf Ebrahimi    MBEDTLS_SERVER_HELLO_RANDOM_LEN];
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimivoid mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Given an SSL context and its associated configuration, write the TLS
*62c56f98SSadaf Ebrahimi *        1.3 specific extensions of the ClientHello message.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param[in]   ssl     SSL context
*62c56f98SSadaf Ebrahimi * \param[in]   buf     Base address of the buffer where to write the extensions
*62c56f98SSadaf Ebrahimi * \param[in]   end     End address of the buffer where to write the extensions
*62c56f98SSadaf Ebrahimi * \param[out]  out_len Length of the data written into the buffer \p buf
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                              unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                              unsigned char *end,
*62c56f98SSadaf Ebrahimi                                              size_t *out_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief           TLS 1.3 client side state machine entry
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param ssl       SSL context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief           TLS 1.3 server side state machine entry
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param ssl       SSL context
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Helper functions around key exchange modes.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                                              int kex_mode_mask)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                                  MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                                  MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                                  MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                                  MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                                  MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SRV_C) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * Given a list of key exchange modes, check if at least one of them is
*62c56f98SSadaf Ebrahimi * supported.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param[in] ssl  SSL context
*62c56f98SSadaf Ebrahimi * \param kex_modes_mask  Mask of the key exchange modes to check
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return 0 if at least one of the key exchange modes is supported,
*62c56f98SSadaf Ebrahimi *         !=0 otherwise.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                                         int kex_modes_mask)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return !mbedtls_ssl_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return !mbedtls_ssl_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return !mbedtls_ssl_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return !mbedtls_ssl_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return !mbedtls_ssl_tls13_check_kex_modes(ssl,
*62c56f98SSadaf Ebrahimi                                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SRV_C &&
*62c56f98SSadaf Ebrahimi          MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Helper functions for extensions checking.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_check_received_extension(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    int hs_msg_type,
*62c56f98SSadaf Ebrahimi    unsigned int received_extension_type,
*62c56f98SSadaf Ebrahimi    uint32_t hs_msg_allowed_extensions_mask);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl, unsigned int extension_type)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    ssl->handshake->sent_extensions |=
*62c56f98SSadaf Ebrahimi        mbedtls_ssl_get_extension_mask(extension_type);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Helper functions to check the selected key exchange mode.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_key_exchange_mode_check(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl, int kex_mask)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
*62c56f98SSadaf Ebrahimi                                                     MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
*62c56f98SSadaf Ebrahimi                                                     MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Fetch TLS 1.3 handshake message header
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                          unsigned hs_type,
*62c56f98SSadaf Ebrahimi                                          unsigned char **buf,
*62c56f98SSadaf Ebrahimi                                          size_t *buf_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Detect if a list of extensions contains a supported_versions
*62c56f98SSadaf Ebrahimi *        extension or not.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param[in] ssl  SSL context
*62c56f98SSadaf Ebrahimi * \param[in] buf  Address of the first byte of the extensions vector.
*62c56f98SSadaf Ebrahimi * \param[in] end  End of the buffer containing the list of extensions.
*62c56f98SSadaf Ebrahimi * \param[out] supported_versions_data  If the extension is present, address of
*62c56f98SSadaf Ebrahimi *                                      its first byte of data, NULL otherwise.
*62c56f98SSadaf Ebrahimi * \param[out] supported_versions_data_end  If the extension is present, address
*62c56f98SSadaf Ebrahimi *                                          of the first byte immediately
*62c56f98SSadaf Ebrahimi *                                          following the extension data, NULL
*62c56f98SSadaf Ebrahimi *                                          otherwise.
*62c56f98SSadaf Ebrahimi * \return 0  if the list of extensions does not contain a supported_versions
*62c56f98SSadaf Ebrahimi *            extension.
*62c56f98SSadaf Ebrahimi * \return 1  if the list of extensions contains a supported_versions
*62c56f98SSadaf Ebrahimi *            extension.
*62c56f98SSadaf Ebrahimi * \return    A negative value if an error occurred while parsing the
*62c56f98SSadaf Ebrahimi *            extensions.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    const unsigned char *buf, const unsigned char *end,
*62c56f98SSadaf Ebrahimi    const unsigned char **supported_versions_data,
*62c56f98SSadaf Ebrahimi    const unsigned char **supported_versions_data_end);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Handler of TLS 1.3 server certificate message
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Handler of TLS 1.3 write Certificate message
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Handler of TLS 1.3 write Certificate Verify message
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Generic handler of Certificate Verify
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Write of dummy-CCS's for middlebox compatibility
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    uint16_t named_group,
*62c56f98SSadaf Ebrahimi    unsigned char *buf,
*62c56f98SSadaf Ebrahimi    unsigned char *end,
*62c56f98SSadaf Ebrahimi    size_t *out_len);
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_EARLY_DATA)
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                           unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                           const unsigned char *end,
*62c56f98SSadaf Ebrahimi                                           size_t *out_len);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_EARLY_DATA */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Write Signature Algorithm extension
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                  const unsigned char *end, size_t *out_len);
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Parse TLS Signature Algorithm extension
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                  const unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                  const unsigned char *end);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/* Get handshake transcript */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                         const mbedtls_md_type_t md,
*62c56f98SSadaf Ebrahimi                                         unsigned char *dst,
*62c56f98SSadaf Ebrahimi                                         size_t dst_len,
*62c56f98SSadaf Ebrahimi                                         size_t *olen);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Return supported groups.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * In future, invocations can be changed to ssl->conf->group_list
*62c56f98SSadaf Ebrahimi * when mbedtls_ssl_conf_curves() is deleted.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
*62c56f98SSadaf Ebrahimi * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
*62c56f98SSadaf Ebrahimi * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
*62c56f98SSadaf Ebrahimi    return ssl->conf->group_list;
*62c56f98SSadaf Ebrahimi    #else
*62c56f98SSadaf Ebrahimi    if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
*62c56f98SSadaf Ebrahimi        return ssl->handshake->group_list;
*62c56f98SSadaf Ebrahimi    } else {
*62c56f98SSadaf Ebrahimi        return ssl->conf->group_list;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    #endif
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Helper functions for NamedGroup.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    /*
*62c56f98SSadaf Ebrahimi     * RFC 8422 section 5.1.1
*62c56f98SSadaf Ebrahimi     */
*62c56f98SSadaf Ebrahimi    return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519    ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1   ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1   ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1   ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448      ||
*62c56f98SSadaf Ebrahimi           /* Below deprecated curves should be removed with notice to users */
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519    ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
*62c56f98SSadaf Ebrahimi           named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
*62c56f98SSadaf Ebrahimi           named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_named_group_is_offered(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_context *ssl, uint16_t named_group)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (group_list == NULL) {
*62c56f98SSadaf Ebrahimi        return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (; *group_list != 0; group_list++) {
*62c56f98SSadaf Ebrahimi        if (*group_list == named_group) {
*62c56f98SSadaf Ebrahimi            return 1;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_ECDH)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
*62c56f98SSadaf Ebrahimi        if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
*62c56f98SSadaf Ebrahimi            MBEDTLS_ECP_DP_NONE) {
*62c56f98SSadaf Ebrahimi            return 1;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_FFDH)
*62c56f98SSadaf Ebrahimi    if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
*62c56f98SSadaf Ebrahimi        return 1;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi#if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
*62c56f98SSadaf Ebrahimi    (void) named_group;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/*
*62c56f98SSadaf Ebrahimi * Return supported signature algorithms.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * In future, invocations can be changed to ssl->conf->sig_algs when
*62c56f98SSadaf Ebrahimi * mbedtls_ssl_conf_sig_hashes() is deleted.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
*62c56f98SSadaf Ebrahimi * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
*62c56f98SSadaf Ebrahimi * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
*62c56f98SSadaf Ebrahimi * been more recently invoked.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline const void *mbedtls_ssl_get_sig_algs(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_context *ssl)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_DEPRECATED_REMOVED)
*62c56f98SSadaf Ebrahimi    if (ssl->handshake != NULL &&
*62c56f98SSadaf Ebrahimi        ssl->handshake->sig_algs_heap_allocated == 1 &&
*62c56f98SSadaf Ebrahimi        ssl->handshake->sig_algs != NULL) {
*62c56f98SSadaf Ebrahimi        return ssl->handshake->sig_algs;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    return ssl->conf->sig_algs;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    ((void) ssl);
*62c56f98SSadaf Ebrahimi    return NULL;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                                  uint16_t own_sig_alg)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
*62c56f98SSadaf Ebrahimi    if (sig_alg == NULL) {
*62c56f98SSadaf Ebrahimi        return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
*62c56f98SSadaf Ebrahimi        if (*sig_alg == own_sig_alg) {
*62c56f98SSadaf Ebrahimi            return 1;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
*62c56f98SSadaf Ebrahimi    const uint16_t sig_alg)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    switch (sig_alg) {
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_PKCS1_V21)
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_SHA_256)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_SHA_256  */
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_SHA_384)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_SHA_384 */
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_SHA_512)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_SHA_512 */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_PKCS1_V21 */
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return 1;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_sig_alg_is_supported(
*62c56f98SSadaf Ebrahimi    const uint16_t sig_alg)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    switch (sig_alg) {
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_PKCS1_V15)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA256)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_MD_CAN_SHA256 */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA384)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_MD_CAN_SHA384 */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA512)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_MD_CAN_SHA512 */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_PKCS1_V15 */
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
*62c56f98SSadaf Ebrahimi                sig_alg);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return 1;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
*62c56f98SSadaf Ebrahimi                                                   mbedtls_pk_context *key);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                                 uint16_t proposed_sig_alg)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
*62c56f98SSadaf Ebrahimi    if (sig_alg == NULL) {
*62c56f98SSadaf Ebrahimi        return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
*62c56f98SSadaf Ebrahimi        if (*sig_alg == proposed_sig_alg) {
*62c56f98SSadaf Ebrahimi            return 1;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
*62c56f98SSadaf Ebrahimi    uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
*62c56f98SSadaf Ebrahimi    *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
*62c56f98SSadaf Ebrahimi        return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    switch (sig_alg) {
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_PKCS1_V21)
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA256)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*62c56f98SSadaf Ebrahimi            *md_alg = MBEDTLS_MD_SHA256;
*62c56f98SSadaf Ebrahimi            *pk_type = MBEDTLS_PK_RSASSA_PSS;
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_MD_CAN_SHA256  */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA384)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*62c56f98SSadaf Ebrahimi            *md_alg = MBEDTLS_MD_SHA384;
*62c56f98SSadaf Ebrahimi            *pk_type = MBEDTLS_PK_RSASSA_PSS;
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_MD_CAN_SHA384 */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA512)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*62c56f98SSadaf Ebrahimi            *md_alg = MBEDTLS_MD_SHA512;
*62c56f98SSadaf Ebrahimi            *pk_type = MBEDTLS_PK_RSASSA_PSS;
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_MD_CAN_SHA512 */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_PKCS1_V21 */
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls12_sig_alg_is_supported(
*62c56f98SSadaf Ebrahimi    const uint16_t sig_alg)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    /* High byte is hash */
*62c56f98SSadaf Ebrahimi    unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
*62c56f98SSadaf Ebrahimi    unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    switch (hash) {
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_MD5)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_HASH_MD5:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA1)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_HASH_SHA1:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA224)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_HASH_SHA224:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA256)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_HASH_SHA256:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA384)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_HASH_SHA384:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_MD_CAN_SHA512)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_HASH_SHA512:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    switch (sig) {
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_RSA_C)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_SIG_RSA:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
*62c56f98SSadaf Ebrahimi        case MBEDTLS_SSL_SIG_ECDSA:
*62c56f98SSadaf Ebrahimi            break;
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            return 0;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    return 1;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_sig_alg_is_supported(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    const uint16_t sig_alg)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*62c56f98SSadaf Ebrahimi    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
*62c56f98SSadaf Ebrahimi        return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
*62c56f98SSadaf Ebrahimi    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
*62c56f98SSadaf Ebrahimi        return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi    ((void) ssl);
*62c56f98SSadaf Ebrahimi    ((void) sig_alg);
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimi/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
*62c56f98SSadaf Ebrahimi * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
*62c56f98SSadaf Ebrahimi * guaranteed to not be a valid PSA algorithm identifier.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_NULL_CIPHER 0x04000000
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief       Translate mbedtls cipher type/taglen pair to psa:
*62c56f98SSadaf Ebrahimi *              algorithm, key type and key size.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param  mbedtls_cipher_type [in] given mbedtls cipher type
*62c56f98SSadaf Ebrahimi * \param  taglen              [in] given tag length
*62c56f98SSadaf Ebrahimi *                                  0 - default tag length
*62c56f98SSadaf Ebrahimi * \param  alg                 [out] corresponding PSA alg
*62c56f98SSadaf Ebrahimi *                                   There is no corresponding PSA
*62c56f98SSadaf Ebrahimi *                                   alg for MBEDTLS_CIPHER_NULL, so
*62c56f98SSadaf Ebrahimi *                                   in this case MBEDTLS_SSL_NULL_CIPHER
*62c56f98SSadaf Ebrahimi *                                   is returned via this parameter
*62c56f98SSadaf Ebrahimi * \param  key_type            [out] corresponding PSA key type
*62c56f98SSadaf Ebrahimi * \param  key_size            [out] corresponding PSA key size
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return                     PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
*62c56f98SSadaf Ebrahimi *                             conversion is not supported.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimipsa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
*62c56f98SSadaf Ebrahimi                                       size_t taglen,
*62c56f98SSadaf Ebrahimi                                       psa_algorithm_t *alg,
*62c56f98SSadaf Ebrahimi                                       psa_key_type_t *key_type,
*62c56f98SSadaf Ebrahimi                                       size_t *key_size);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if !defined(MBEDTLS_DEPRECATED_REMOVED)
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief       Convert given PSA status to mbedtls error code.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param  status      [in] given PSA status
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return             corresponding mbedtls error code
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimistatic inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    switch (status) {
*62c56f98SSadaf Ebrahimi        case PSA_SUCCESS:
*62c56f98SSadaf Ebrahimi            return 0;
*62c56f98SSadaf Ebrahimi        case PSA_ERROR_INSUFFICIENT_MEMORY:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
*62c56f98SSadaf Ebrahimi        case PSA_ERROR_NOT_SUPPORTED:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
*62c56f98SSadaf Ebrahimi        case PSA_ERROR_INVALID_SIGNATURE:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_INVALID_MAC;
*62c56f98SSadaf Ebrahimi        case PSA_ERROR_INVALID_ARGUMENT:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
*62c56f98SSadaf Ebrahimi        case PSA_ERROR_BAD_STATE:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
*62c56f98SSadaf Ebrahimi        case PSA_ERROR_BUFFER_TOO_SMALL:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
*62c56f98SSadaf Ebrahimi        default:
*62c56f98SSadaf Ebrahimi            return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* !MBEDTLS_DEPRECATED_REMOVED */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimitypedef enum {
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECJPAKE_ROUND_ONE,
*62c56f98SSadaf Ebrahimi    MBEDTLS_ECJPAKE_ROUND_TWO
*62c56f98SSadaf Ebrahimi} mbedtls_ecjpake_rounds_t;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief       Parse the provided input buffer for getting the first round
*62c56f98SSadaf Ebrahimi *              of key exchange. This code is common between server and client
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param  pake_ctx [in] the PAKE's operation/context structure
*62c56f98SSadaf Ebrahimi * \param  buf      [in] input buffer to parse
*62c56f98SSadaf Ebrahimi * \param  len      [in] length of the input buffer
*62c56f98SSadaf Ebrahimi * \param  round    [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
*62c56f98SSadaf Ebrahimi *                       MBEDTLS_ECJPAKE_ROUND_TWO
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return               0 on success or a negative error code in case of failure
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_psa_ecjpake_read_round(
*62c56f98SSadaf Ebrahimi    psa_pake_operation_t *pake_ctx,
*62c56f98SSadaf Ebrahimi    const unsigned char *buf,
*62c56f98SSadaf Ebrahimi    size_t len, mbedtls_ecjpake_rounds_t round);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief       Write the first round of key exchange into the provided output
*62c56f98SSadaf Ebrahimi *              buffer. This code is common between server and client
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param  pake_ctx [in] the PAKE's operation/context structure
*62c56f98SSadaf Ebrahimi * \param  buf      [out] the output buffer in which data will be written to
*62c56f98SSadaf Ebrahimi * \param  len      [in] length of the output buffer
*62c56f98SSadaf Ebrahimi * \param  olen     [out] the length of the data really written on the buffer
*62c56f98SSadaf Ebrahimi * \param  round    [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
*62c56f98SSadaf Ebrahimi *                       MBEDTLS_ECJPAKE_ROUND_TWO
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return               0 on success or a negative error code in case of failure
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimiint mbedtls_psa_ecjpake_write_round(
*62c56f98SSadaf Ebrahimi    psa_pake_operation_t *pake_ctx,
*62c56f98SSadaf Ebrahimi    unsigned char *buf,
*62c56f98SSadaf Ebrahimi    size_t len, size_t *olen,
*62c56f98SSadaf Ebrahimi    mbedtls_ecjpake_rounds_t round);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief       TLS record protection modes
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimitypedef enum {
*62c56f98SSadaf Ebrahimi    MBEDTLS_SSL_MODE_STREAM = 0,
*62c56f98SSadaf Ebrahimi    MBEDTLS_SSL_MODE_CBC,
*62c56f98SSadaf Ebrahimi    MBEDTLS_SSL_MODE_CBC_ETM,
*62c56f98SSadaf Ebrahimi    MBEDTLS_SSL_MODE_AEAD
*62c56f98SSadaf Ebrahimi} mbedtls_ssl_mode_t;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimimbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_transform *transform);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
*62c56f98SSadaf Ebrahimimbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
*62c56f98SSadaf Ebrahimi    int encrypt_then_mac,
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_ciphersuite_t *suite);
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimimbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_ciphersuite_t *suite);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                              const unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                              size_t buf_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl, int cipher_suite)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    const int *ciphersuite_list = ssl->conf->ciphersuite_list;
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi    /* Check whether we have offered this ciphersuite */
*62c56f98SSadaf Ebrahimi    for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
*62c56f98SSadaf Ebrahimi        if (ciphersuite_list[i] == cipher_suite) {
*62c56f98SSadaf Ebrahimi            return 1;
*62c56f98SSadaf Ebrahimi        }
*62c56f98SSadaf Ebrahimi    }
*62c56f98SSadaf Ebrahimi    return 0;
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Validate cipher suite against config in SSL context.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param ssl              SSL context
*62c56f98SSadaf Ebrahimi * \param suite_info       Cipher suite to validate
*62c56f98SSadaf Ebrahimi * \param min_tls_version  Minimal TLS version to accept a cipher suite
*62c56f98SSadaf Ebrahimi * \param max_tls_version  Maximal TLS version to accept a cipher suite
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \return 0 if valid, negative value otherwise.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_validate_ciphersuite(
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    const mbedtls_ssl_ciphersuite_t *suite_info,
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_protocol_version min_tls_version,
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_protocol_version max_tls_version);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                      const unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                      const unsigned char *end);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
*62c56f98SSadaf Ebrahimi#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                                                  const unsigned char *buf,
*62c56f98SSadaf Ebrahimi                                                  const unsigned char *end);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_ALPN)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                               const unsigned char *buf,
*62c56f98SSadaf Ebrahimi                               const unsigned char *end);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi                               unsigned char *buf,
*62c56f98SSadaf Ebrahimi                               unsigned char *end,
*62c56f98SSadaf Ebrahimi                               size_t *out_len);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_ALPN */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_TEST_HOOKS)
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_check_dtls_clihlo_cookie(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    const unsigned char *cli_id, size_t cli_id_len,
*62c56f98SSadaf Ebrahimi    const unsigned char *in, size_t in_len,
*62c56f98SSadaf Ebrahimi    unsigned char *obuf, size_t buf_len, size_t *olen);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Given an SSL context and its associated configuration, write the TLS
*62c56f98SSadaf Ebrahimi *        1.3 specific Pre-Shared key extension.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param[in]   ssl     SSL context
*62c56f98SSadaf Ebrahimi * \param[in]   buf     Base address of the buffer where to write the extension
*62c56f98SSadaf Ebrahimi * \param[in]   end     End address of the buffer where to write the extension
*62c56f98SSadaf Ebrahimi * \param[out]  out_len Length in bytes of the Pre-Shared key extension: data
*62c56f98SSadaf Ebrahimi *                      written into the buffer \p buf by this function plus
*62c56f98SSadaf Ebrahimi *                      the length of the binders to be written.
*62c56f98SSadaf Ebrahimi * \param[out]  binders_len Length of the binders to be written at the end of
*62c56f98SSadaf Ebrahimi *                          the extension.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    unsigned char *buf, unsigned char *end,
*62c56f98SSadaf Ebrahimi    size_t *out_len, size_t *binders_len);
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/**
*62c56f98SSadaf Ebrahimi * \brief Given an SSL context and its associated configuration, write the TLS
*62c56f98SSadaf Ebrahimi *        1.3 specific Pre-Shared key extension binders at the end of the
*62c56f98SSadaf Ebrahimi *        ClientHello.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param[in]   ssl     SSL context
*62c56f98SSadaf Ebrahimi * \param[in]   buf     Base address of the buffer where to write the binders
*62c56f98SSadaf Ebrahimi * \param[in]   end     End address of the buffer where to write the binders
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_context *ssl,
*62c56f98SSadaf Ebrahimi    unsigned char *buf, unsigned char *end);
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_SESSION_TICKETS) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
*62c56f98SSadaf Ebrahimi    defined(MBEDTLS_SSL_CLI_C)
*62c56f98SSadaf EbrahimiMBEDTLS_CHECK_RETURN_CRITICAL
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
*62c56f98SSadaf Ebrahimi                                     const char *hostname);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
*62c56f98SSadaf Ebrahimistatic inline unsigned int mbedtls_ssl_session_get_ticket_flags(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_session *session, unsigned int flags)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    return session->ticket_flags &
*62c56f98SSadaf Ebrahimi           (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline void mbedtls_ssl_session_set_ticket_flags(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_session *session, unsigned int flags)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimistatic inline void mbedtls_ssl_session_clear_ticket_flags(
*62c56f98SSadaf Ebrahimi    mbedtls_ssl_session *session, unsigned int flags)
*62c56f98SSadaf Ebrahimi{
*62c56f98SSadaf Ebrahimi    session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
*62c56f98SSadaf Ebrahimi}
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
*62c56f98SSadaf Ebrahimiint mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
*62c56f98SSadaf Ebrahimi#endif
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi/** Compute the HMAC of variable-length data with constant flow.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * This function computes the HMAC of the concatenation of \p add_data and \p
*62c56f98SSadaf Ebrahimi * data, and does with a code flow and memory access pattern that does not
*62c56f98SSadaf Ebrahimi * depend on \p data_len_secret, but only on \p min_data_len and \p
*62c56f98SSadaf Ebrahimi * max_data_len. In particular, this function always reads exactly \p
*62c56f98SSadaf Ebrahimi * max_data_len bytes from \p data.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \param ctx               The HMAC context. It must have keys configured
*62c56f98SSadaf Ebrahimi *                          with mbedtls_md_hmac_starts() and use one of the
*62c56f98SSadaf Ebrahimi *                          following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
*62c56f98SSadaf Ebrahimi *                          It is reset using mbedtls_md_hmac_reset() after
*62c56f98SSadaf Ebrahimi *                          the computation is complete to prepare for the
*62c56f98SSadaf Ebrahimi *                          next computation.
*62c56f98SSadaf Ebrahimi * \param add_data          The first part of the message whose HMAC is being
*62c56f98SSadaf Ebrahimi *                          calculated. This must point to a readable buffer
*62c56f98SSadaf Ebrahimi *                          of \p add_data_len bytes.
*62c56f98SSadaf Ebrahimi * \param add_data_len      The length of \p add_data in bytes.
*62c56f98SSadaf Ebrahimi * \param data              The buffer containing the second part of the
*62c56f98SSadaf Ebrahimi *                          message. This must point to a readable buffer
*62c56f98SSadaf Ebrahimi *                          of \p max_data_len bytes.
*62c56f98SSadaf Ebrahimi * \param data_len_secret   The length of the data to process in \p data.
*62c56f98SSadaf Ebrahimi *                          This must be no less than \p min_data_len and no
*62c56f98SSadaf Ebrahimi *                          greater than \p max_data_len.
*62c56f98SSadaf Ebrahimi * \param min_data_len      The minimal length of the second part of the
*62c56f98SSadaf Ebrahimi *                          message, read from \p data.
*62c56f98SSadaf Ebrahimi * \param max_data_len      The maximal length of the second part of the
*62c56f98SSadaf Ebrahimi *                          message, read from \p data.
*62c56f98SSadaf Ebrahimi * \param output            The HMAC will be written here. This must point to
*62c56f98SSadaf Ebrahimi *                          a writable buffer of sufficient size to hold the
*62c56f98SSadaf Ebrahimi *                          HMAC value.
*62c56f98SSadaf Ebrahimi *
*62c56f98SSadaf Ebrahimi * \retval 0 on success.
*62c56f98SSadaf Ebrahimi * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
*62c56f98SSadaf Ebrahimi *         The hardware accelerator failed.
*62c56f98SSadaf Ebrahimi */
*62c56f98SSadaf Ebrahimi#if defined(MBEDTLS_USE_PSA_CRYPTO)
*62c56f98SSadaf Ebrahimiint mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
*62c56f98SSadaf Ebrahimi                    psa_algorithm_t mac_alg,
*62c56f98SSadaf Ebrahimi                    const unsigned char *add_data,
*62c56f98SSadaf Ebrahimi                    size_t add_data_len,
*62c56f98SSadaf Ebrahimi                    const unsigned char *data,
*62c56f98SSadaf Ebrahimi                    size_t data_len_secret,
*62c56f98SSadaf Ebrahimi                    size_t min_data_len,
*62c56f98SSadaf Ebrahimi                    size_t max_data_len,
*62c56f98SSadaf Ebrahimi                    unsigned char *output);
*62c56f98SSadaf Ebrahimi#else
*62c56f98SSadaf Ebrahimiint mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
*62c56f98SSadaf Ebrahimi                    const unsigned char *add_data,
*62c56f98SSadaf Ebrahimi                    size_t add_data_len,
*62c56f98SSadaf Ebrahimi                    const unsigned char *data,
*62c56f98SSadaf Ebrahimi                    size_t data_len_secret,
*62c56f98SSadaf Ebrahimi                    size_t min_data_len,
*62c56f98SSadaf Ebrahimi                    size_t max_data_len,
*62c56f98SSadaf Ebrahimi                    unsigned char *output);
*62c56f98SSadaf Ebrahimi#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
*62c56f98SSadaf Ebrahimi#endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
*62c56f98SSadaf Ebrahimi
*62c56f98SSadaf Ebrahimi#endif /* ssl_misc.h */