2 * \file ssl_internal.h
\r
4 * \brief Internal functions shared by the SSL modules
\r
7 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
\r
8 * SPDX-License-Identifier: Apache-2.0
\r
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
\r
11 * not use this file except in compliance with the License.
\r
12 * You may obtain a copy of the License at
\r
14 * http://www.apache.org/licenses/LICENSE-2.0
\r
16 * Unless required by applicable law or agreed to in writing, software
\r
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
\r
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
19 * See the License for the specific language governing permissions and
\r
20 * limitations under the License.
\r
22 * This file is part of mbed TLS (https://tls.mbed.org)
\r
24 #ifndef MBEDTLS_SSL_INTERNAL_H
\r
25 #define MBEDTLS_SSL_INTERNAL_H
\r
27 #if !defined(MBEDTLS_CONFIG_FILE)
\r
30 #include MBEDTLS_CONFIG_FILE
\r
36 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
37 #include "psa/crypto.h"
\r
40 #if defined(MBEDTLS_MD5_C)
\r
44 #if defined(MBEDTLS_SHA1_C)
\r
48 #if defined(MBEDTLS_SHA256_C)
\r
52 #if defined(MBEDTLS_SHA512_C)
\r
56 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
57 #include "ecjpake.h"
\r
60 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
61 #include "psa/crypto.h"
\r
62 #include "psa_util.h"
\r
63 #endif /* MBEDTLS_USE_PSA_CRYPTO */
\r
65 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
\r
66 !defined(inline) && !defined(__cplusplus)
\r
67 #define inline __inline
\r
70 /* Determine minimum supported version */
\r
71 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
\r
73 #if defined(MBEDTLS_SSL_PROTO_SSL3)
\r
74 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
\r
76 #if defined(MBEDTLS_SSL_PROTO_TLS1)
\r
77 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
\r
79 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
\r
80 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
\r
82 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
83 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
\r
84 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
\r
85 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
\r
86 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
\r
87 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
\r
89 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
\r
90 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
\r
92 /* Determine maximum supported version */
\r
93 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
\r
95 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
96 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
\r
98 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
\r
99 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
\r
101 #if defined(MBEDTLS_SSL_PROTO_TLS1)
\r
102 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
\r
104 #if defined(MBEDTLS_SSL_PROTO_SSL3)
\r
105 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
\r
106 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
\r
107 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
\r
108 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
\r
109 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
\r
111 /* Shorthand for restartable ECC */
\r
112 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
\r
113 defined(MBEDTLS_SSL_CLI_C) && \
\r
114 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
115 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
\r
116 #define MBEDTLS_SSL__ECP_RESTARTABLE
\r
119 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
\r
120 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
\r
121 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
\r
122 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
\r
125 * DTLS retransmission states, see RFC 6347 4.2.4
\r
127 * The SENDING state is merged in PREPARING for initial sends,
\r
128 * but is distinct for resends.
\r
130 * Note: initial state is wrong for server, but is not used anyway.
\r
132 #define MBEDTLS_SSL_RETRANS_PREPARING 0
\r
133 #define MBEDTLS_SSL_RETRANS_SENDING 1
\r
134 #define MBEDTLS_SSL_RETRANS_WAITING 2
\r
135 #define MBEDTLS_SSL_RETRANS_FINISHED 3
\r
138 * Allow extra bytes for record, authentication and encryption overhead:
\r
139 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
\r
140 * and allow for a maximum of 1024 of compression expansion if
\r
143 #if defined(MBEDTLS_ZLIB_SUPPORT)
\r
144 #define MBEDTLS_SSL_COMPRESSION_ADD 1024
\r
146 #define MBEDTLS_SSL_COMPRESSION_ADD 0
\r
149 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
\r
150 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
\r
151 ( defined(MBEDTLS_AES_C) || \
\r
152 defined(MBEDTLS_CAMELLIA_C) || \
\r
153 defined(MBEDTLS_ARIA_C) || \
\r
154 defined(MBEDTLS_DES_C) ) )
\r
155 #define MBEDTLS_SSL_SOME_MODES_USE_MAC
\r
158 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
\r
159 /* Ciphersuites using HMAC */
\r
160 #if defined(MBEDTLS_SHA512_C)
\r
161 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
\r
162 #elif defined(MBEDTLS_SHA256_C)
\r
163 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
\r
165 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
\r
167 #else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
\r
168 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
\r
169 #define MBEDTLS_SSL_MAC_ADD 16
\r
172 #if defined(MBEDTLS_CIPHER_MODE_CBC)
\r
173 #define MBEDTLS_SSL_PADDING_ADD 256
\r
175 #define MBEDTLS_SSL_PADDING_ADD 0
\r
178 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
179 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY
\r
181 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
\r
184 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
\r
185 MBEDTLS_MAX_IV_LENGTH + \
\r
186 MBEDTLS_SSL_MAC_ADD + \
\r
187 MBEDTLS_SSL_PADDING_ADD + \
\r
188 MBEDTLS_SSL_MAX_CID_EXPANSION \
\r
191 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
\r
192 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
\r
194 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
\r
195 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
\r
197 /* The maximum number of buffered handshake messages. */
\r
198 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
\r
200 /* Maximum length we can advertise as our max content length for
\r
201 RFC 6066 max_fragment_length extension negotiation purposes
\r
202 (the lesser of both sizes, if they are unequal.)
\r
204 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
\r
205 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
\r
206 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
\r
207 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
\r
211 * Check that we obey the standard's message size bounds
\r
214 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
\r
215 #error "Bad configuration - record content too large."
\r
218 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
\r
219 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
\r
222 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
\r
223 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
\r
226 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
\r
227 #error "Bad configuration - incoming protected record payload too large."
\r
230 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
\r
231 #error "Bad configuration - outgoing protected record payload too large."
\r
234 /* Calculate buffer sizes */
\r
236 /* Note: Even though the TLS record header is only 5 bytes
\r
237 long, we're internally using 8 bytes to store the
\r
238 implicit sequence number. */
\r
239 #define MBEDTLS_SSL_HEADER_LEN 13
\r
241 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
242 #define MBEDTLS_SSL_IN_BUFFER_LEN \
\r
243 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
\r
245 #define MBEDTLS_SSL_IN_BUFFER_LEN \
\r
246 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
\r
247 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
\r
250 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
251 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
\r
252 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
\r
254 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
\r
255 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
\r
256 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
\r
259 #ifdef MBEDTLS_ZLIB_SUPPORT
\r
260 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
\r
261 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
\r
262 ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
\r
263 ? MBEDTLS_SSL_IN_BUFFER_LEN \
\r
264 : MBEDTLS_SSL_OUT_BUFFER_LEN \
\r
269 * TLS extension flags (for extensions with outgoing ServerHello content
\r
270 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
\r
271 * of state of the renegotiation flag, so no indicator is required)
\r
273 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
\r
274 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
\r
280 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
281 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
283 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
\r
285 struct mbedtls_ssl_sig_hash_set_t
\r
287 /* At the moment, we only need to remember a single suitable
\r
288 * hash algorithm per signature algorithm. As long as that's
\r
289 * the case - and we don't need a general lookup function -
\r
290 * we can implement the sig-hash-set as a map from signatures
\r
291 * to hash algorithms. */
\r
292 mbedtls_md_type_t rsa;
\r
293 mbedtls_md_type_t ecdsa;
\r
295 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
\r
296 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
\r
298 typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
\r
300 const unsigned char *random, size_t rlen,
\r
301 unsigned char *dstbuf, size_t dlen );
\r
303 * This structure contains the parameters only needed during handshake.
\r
305 struct mbedtls_ssl_handshake_params
\r
308 * Handshake specific crypto variables
\r
311 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
312 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
313 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
\r
315 #if defined(MBEDTLS_DHM_C)
\r
316 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
\r
318 #if defined(MBEDTLS_ECDH_C)
\r
319 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
\r
321 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
322 psa_ecc_curve_t ecdh_psa_curve;
\r
323 psa_key_handle_t ecdh_psa_privkey;
\r
324 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
\r
325 size_t ecdh_psa_peerkey_len;
\r
326 #endif /* MBEDTLS_USE_PSA_CRYPTO */
\r
327 #endif /* MBEDTLS_ECDH_C */
\r
329 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
330 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
\r
331 #if defined(MBEDTLS_SSL_CLI_C)
\r
332 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
\r
333 size_t ecjpake_cache_len; /*!< Length of cached data */
\r
335 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
336 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
\r
337 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
338 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
\r
340 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
\r
341 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
342 psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */
\r
343 #endif /* MBEDTLS_USE_PSA_CRYPTO */
\r
344 unsigned char *psk; /*!< PSK from the callback */
\r
345 size_t psk_len; /*!< Length of PSK from callback */
\r
346 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
\r
347 #if defined(MBEDTLS_X509_CRT_PARSE_C)
\r
348 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
\r
349 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
\r
350 int sni_authmode; /*!< authmode from SNI callback */
\r
351 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
\r
352 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
\r
353 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
\r
354 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
\r
355 #endif /* MBEDTLS_X509_CRT_PARSE_C */
\r
356 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
\r
357 int ecrs_enabled; /*!< Handshake supports EC restart? */
\r
358 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
\r
359 enum { /* this complements ssl->state with info on intra-state operations */
\r
360 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
\r
361 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
\r
362 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
\r
363 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
\r
364 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
\r
365 } ecrs_state; /*!< current (or last) operation */
\r
366 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
\r
367 size_t ecrs_n; /*!< place for saving a length */
\r
369 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
\r
370 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
\r
371 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
\r
372 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
\r
373 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
374 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
\r
375 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
\r
377 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
\r
379 unsigned char verify_cookie_len; /*!< Cli: cookie length
\r
380 Srv: flag for sending a cookie */
\r
382 uint32_t retransmit_timeout; /*!< Current value of timeout */
\r
383 unsigned char retransmit_state; /*!< Retransmission state */
\r
384 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
\r
385 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
\r
386 unsigned char *cur_msg_p; /*!< Position in current message */
\r
387 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
\r
388 flight being received */
\r
389 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
\r
390 resending messages */
\r
391 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
\r
392 for resending messages */
\r
394 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
395 /* The state of CID configuration in this handshake. */
\r
397 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
\r
398 * has been negotiated. Possible values are
\r
399 * #MBEDTLS_SSL_CID_ENABLED and
\r
400 * #MBEDTLS_SSL_CID_DISABLED. */
\r
401 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
\r
402 uint8_t peer_cid_len; /*!< The length of
\r
404 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
\r
408 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
\r
409 * buffers used for message buffering. */
\r
411 uint8_t seen_ccs; /*!< Indicates if a CCS message has
\r
412 * been seen in the current flight. */
\r
414 struct mbedtls_ssl_hs_buffer
\r
416 unsigned is_valid : 1;
\r
417 unsigned is_fragmented : 1;
\r
418 unsigned is_complete : 1;
\r
419 unsigned char *data;
\r
421 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
\r
425 unsigned char *data;
\r
432 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
\r
433 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
436 * Checksum contexts
\r
438 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
\r
439 defined(MBEDTLS_SSL_PROTO_TLS1_1)
\r
440 mbedtls_md5_context fin_md5;
\r
441 mbedtls_sha1_context fin_sha1;
\r
443 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
444 #if defined(MBEDTLS_SHA256_C)
\r
445 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
446 psa_hash_operation_t fin_sha256_psa;
\r
448 mbedtls_sha256_context fin_sha256;
\r
451 #if defined(MBEDTLS_SHA512_C)
\r
452 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
453 psa_hash_operation_t fin_sha384_psa;
\r
455 mbedtls_sha512_context fin_sha512;
\r
458 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
\r
460 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
\r
461 void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
\r
462 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
\r
463 mbedtls_ssl_tls_prf_cb *tls_prf;
\r
465 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
\r
467 size_t pmslen; /*!< premaster length */
\r
469 unsigned char randbytes[64]; /*!< random bytes */
\r
470 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
\r
471 /*!< premaster secret */
\r
473 int resume; /*!< session resume indicator*/
\r
474 int max_major_ver; /*!< max. major version client*/
\r
475 int max_minor_ver; /*!< max. minor version client*/
\r
476 int cli_exts; /*!< client extension presence*/
\r
478 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
479 int new_session_ticket; /*!< use NewSessionTicket? */
\r
480 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
\r
481 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
\r
482 int extended_ms; /*!< use Extended Master Secret? */
\r
485 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
486 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
\r
487 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
489 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
490 /** Asynchronous operation context. This field is meant for use by the
\r
491 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
\r
492 * mbedtls_ssl_config::f_async_decrypt_start,
\r
493 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
\r
494 * The library does not use it internally. */
\r
495 void *user_async_ctx;
\r
496 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
499 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
\r
502 * Representation of decryption/encryption transformations on records
\r
504 * There are the following general types of record transformations:
\r
505 * - Stream transformations (TLS versions <= 1.2 only)
\r
506 * Transformation adding a MAC and applying a stream-cipher
\r
507 * to the authenticated message.
\r
508 * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
\r
509 * In addition to the distinction of the order of encryption and
\r
510 * authentication, there's a fundamental difference between the
\r
511 * handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
\r
512 * and TLS 1.0, the final IV after processing a record is used
\r
513 * as the IV for the next record. No explicit IV is contained
\r
514 * in an encrypted record. The IV for the first record is extracted
\r
515 * at key extraction time. In contrast, for TLS 1.1 and 1.2, no
\r
516 * IV is generated at key extraction time, but every encrypted
\r
517 * record is explicitly prefixed by the IV with which it was encrypted.
\r
518 * - AEAD transformations ([D]TLS versions >= 1.2 only)
\r
519 * These come in two fundamentally different versions, the first one
\r
520 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
\r
521 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
\r
522 * In the first transformation, the IV to be used for a record is obtained
\r
523 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
\r
524 * record sequence number, and explicitly prepending this sequence number
\r
525 * to the encrypted record. In contrast, in the second transformation
\r
526 * the IV is obtained by XOR'ing a static IV obtained at key extraction
\r
527 * time with the 8-byte record sequence number, without prepending the
\r
528 * latter to the encrypted record.
\r
530 * In addition to type and version, the following parameters are relevant:
\r
531 * - The symmetric cipher algorithm to be used.
\r
532 * - The (static) encryption/decryption keys for the cipher.
\r
533 * - For stream/CBC, the type of message digest to be used.
\r
534 * - For stream/CBC, (static) encryption/decryption keys for the digest.
\r
535 * - For AEAD transformations, the size (potentially 0) of an explicit,
\r
536 * random initialization vector placed in encrypted records.
\r
537 * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
\r
538 * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
\r
539 * and (if present) is combined with the explicit IV in a transformation-
\r
540 * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
\r
541 * - For stream/CBC, a flag determining the order of encryption and MAC.
\r
542 * - The details of the transformation depend on the SSL/TLS version.
\r
543 * - The length of the authentication tag.
\r
545 * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
\r
546 * constant across multiple encryption/decryption operations.
\r
547 * For CBC, the implicit IV needs to be updated after each
\r
550 * The struct below refines this abstract view as follows:
\r
551 * - The cipher underlying the transformation is managed in
\r
552 * cipher contexts cipher_ctx_{enc/dec}, which must have the
\r
553 * same cipher type. The mode of these cipher contexts determines
\r
554 * the type of the transformation in the sense above: e.g., if
\r
555 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
\r
556 * then the transformation has type CBC resp. AEAD.
\r
557 * - The cipher keys are never stored explicitly but
\r
558 * are maintained within cipher_ctx_{enc/dec}.
\r
559 * - For stream/CBC transformations, the message digest contexts
\r
560 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
\r
561 * are unused for AEAD transformations.
\r
562 * - For stream/CBC transformations and versions > SSL3, the
\r
563 * MAC keys are not stored explicitly but maintained within
\r
564 * md_ctx_{enc/dec}.
\r
565 * - For stream/CBC transformations and version SSL3, the MAC
\r
566 * keys are stored explicitly in mac_enc, mac_dec and have
\r
567 * a fixed size of 20 bytes. These fields are unused for
\r
568 * AEAD transformations or transformations >= TLS 1.0.
\r
569 * - For transformations using an implicit IV maintained within
\r
570 * the transformation context, its contents are stored within
\r
572 * - The value of ivlen indicates the length of the IV.
\r
573 * This is redundant in case of stream/CBC transformations
\r
574 * which always use 0 resp. the cipher's block length as the
\r
575 * IV length, but is needed for AEAD ciphers and may be
\r
576 * different from the underlying cipher's block length
\r
578 * - The field fixed_ivlen is nonzero for AEAD transformations only
\r
579 * and indicates the length of the static part of the IV which is
\r
580 * constant throughout the communication, and which is stored in
\r
581 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
\r
582 * Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
\r
583 * still store IV's for continued use across multiple transformations,
\r
584 * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
\r
586 * - minor_ver denotes the SSL/TLS version
\r
587 * - For stream/CBC transformations, maclen denotes the length of the
\r
588 * authentication tag, while taglen is unused and 0.
\r
589 * - For AEAD transformations, taglen denotes the length of the
\r
590 * authentication tag, while maclen is unused and 0.
\r
591 * - For CBC transformations, encrypt_then_mac determines the
\r
592 * order of encryption and authentication. This field is unused
\r
593 * in other transformations.
\r
596 struct mbedtls_ssl_transform
\r
599 * Session specific crypto layer
\r
601 size_t minlen; /*!< min. ciphertext length */
\r
602 size_t ivlen; /*!< IV length */
\r
603 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
\r
604 size_t maclen; /*!< MAC(CBC) len */
\r
605 size_t taglen; /*!< TAG(AEAD) len */
\r
607 unsigned char iv_enc[16]; /*!< IV (encryption) */
\r
608 unsigned char iv_dec[16]; /*!< IV (decryption) */
\r
610 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
\r
612 #if defined(MBEDTLS_SSL_PROTO_SSL3)
\r
613 /* Needed only for SSL v3.0 secret */
\r
614 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
\r
615 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
\r
616 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
\r
618 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
\r
619 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
\r
621 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
\r
622 int encrypt_then_mac; /*!< flag for EtM activation */
\r
625 #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
\r
627 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
\r
628 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
\r
631 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
632 uint8_t in_cid_len;
\r
633 uint8_t out_cid_len;
\r
634 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
\r
635 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
\r
636 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
\r
639 * Session specific compression layer
\r
641 #if defined(MBEDTLS_ZLIB_SUPPORT)
\r
642 z_stream ctx_deflate; /*!< compression context */
\r
643 z_stream ctx_inflate; /*!< decompression context */
\r
648 * Internal representation of record frames
\r
650 * Instances come in two flavors:
\r
652 * These always have data_offset = 0
\r
654 * These have data_offset set to the amount of
\r
655 * pre-expansion during record protection. Concretely,
\r
656 * this is the length of the fixed part of the explicit IV
\r
657 * used for encryption, or 0 if no explicit IV is used
\r
658 * (e.g. for CBC in TLS 1.0, or stream ciphers).
\r
660 * The reason for the data_offset in the unencrypted case
\r
661 * is to allow for in-place conversion of an unencrypted to
\r
662 * an encrypted record. If the offset wasn't included, the
\r
663 * encrypted content would need to be shifted afterwards to
\r
664 * make space for the fixed IV.
\r
667 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
\r
668 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
\r
670 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
\r
675 uint8_t ctr[8]; /* Record sequence number */
\r
676 uint8_t type; /* Record type */
\r
677 uint8_t ver[2]; /* SSL/TLS version */
\r
679 unsigned char *buf; /* Memory buffer enclosing the record content */
\r
680 size_t buf_len; /* Buffer length */
\r
681 size_t data_offset; /* Offset of record content */
\r
682 size_t data_len; /* Length of record content */
\r
684 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
685 uint8_t cid_len; /* Length of the CID (0 if not present) */
\r
686 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
\r
687 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
\r
690 #if defined(MBEDTLS_X509_CRT_PARSE_C)
\r
692 * List of certificate + private key pairs
\r
694 struct mbedtls_ssl_key_cert
\r
696 mbedtls_x509_crt *cert; /*!< cert */
\r
697 mbedtls_pk_context *key; /*!< private key */
\r
698 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
\r
700 #endif /* MBEDTLS_X509_CRT_PARSE_C */
\r
702 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
704 * List of handshake messages kept around for resending
\r
706 struct mbedtls_ssl_flight_item
\r
708 unsigned char *p; /*!< message, including handshake headers */
\r
709 size_t len; /*!< length of p */
\r
710 unsigned char type; /*!< type of the message: handshake or CCS */
\r
711 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
\r
713 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
715 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
716 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
718 /* Find an entry in a signature-hash set matching a given hash algorithm. */
\r
719 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
\r
720 mbedtls_pk_type_t sig_alg );
\r
721 /* Add a signature-hash-pair to a signature-hash set */
\r
722 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
\r
723 mbedtls_pk_type_t sig_alg,
\r
724 mbedtls_md_type_t md_alg );
\r
725 /* Allow exactly one hash algorithm for each signature. */
\r
726 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
\r
727 mbedtls_md_type_t md_alg );
\r
729 /* Setup an empty signature-hash set */
\r
730 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
\r
732 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
\r
735 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
\r
736 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
\r
739 * \brief Free referenced items in an SSL transform context and clear
\r
742 * \param transform SSL transform context
\r
744 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
\r
747 * \brief Free referenced items in an SSL handshake context and clear
\r
750 * \param ssl SSL context
\r
752 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
\r
754 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
\r
755 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
\r
756 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
\r
758 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
\r
760 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
\r
761 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
\r
763 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
\r
764 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
\r
765 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
\r
768 * \brief Update record layer
\r
770 * This function roughly separates the implementation
\r
771 * of the logic of (D)TLS from the implementation
\r
772 * of the secure transport.
\r
774 * \param ssl The SSL context to use.
\r
775 * \param update_hs_digest This indicates if the handshake digest
\r
776 * should be automatically updated in case
\r
777 * a handshake message is found.
\r
779 * \return 0 or non-zero error code.
\r
781 * \note A clarification on what is called 'record layer' here
\r
782 * is in order, as many sensible definitions are possible:
\r
784 * The record layer takes as input an untrusted underlying
\r
785 * transport (stream or datagram) and transforms it into
\r
786 * a serially multiplexed, secure transport, which
\r
787 * conceptually provides the following:
\r
789 * (1) Three datagram based, content-agnostic transports
\r
790 * for handshake, alert and CCS messages.
\r
791 * (2) One stream- or datagram-based transport
\r
792 * for application data.
\r
793 * (3) Functionality for changing the underlying transform
\r
794 * securing the contents.
\r
796 * The interface to this functionality is given as follows:
\r
799 * [Currently implemented by mbedtls_ssl_read_record]
\r
801 * Check if and on which of the four 'ports' data is pending:
\r
802 * Nothing, a controlling datagram of type (1), or application
\r
803 * data (2). In any case data is present, internal buffers
\r
804 * provide access to the data for the user to process it.
\r
805 * Consumption of type (1) datagrams is done automatically
\r
806 * on the next update, invalidating that the internal buffers
\r
807 * for previous datagrams, while consumption of application
\r
808 * data (2) is user-controlled.
\r
810 * b Reading of application data
\r
811 * [Currently manual adaption of ssl->in_offt pointer]
\r
813 * As mentioned in the last paragraph, consumption of data
\r
814 * is different from the automatic consumption of control
\r
815 * datagrams (1) because application data is treated as a stream.
\r
817 * c Tracking availability of application data
\r
818 * [Currently manually through decreasing ssl->in_msglen]
\r
820 * For efficiency and to retain datagram semantics for
\r
821 * application data in case of DTLS, the record layer
\r
822 * provides functionality for checking how much application
\r
823 * data is still available in the internal buffer.
\r
825 * d Changing the transformation securing the communication.
\r
827 * Given an opaque implementation of the record layer in the
\r
828 * above sense, it should be possible to implement the logic
\r
829 * of (D)TLS on top of it without the need to know anything
\r
830 * about the record layer's internals. This is done e.g.
\r
831 * in all the handshake handling functions, and in the
\r
832 * application data reading function mbedtls_ssl_read.
\r
834 * \note The above tries to give a conceptual picture of the
\r
835 * record layer, but the current implementation deviates
\r
836 * from it in some places. For example, our implementation of
\r
837 * the update functionality through mbedtls_ssl_read_record
\r
838 * discards datagrams depending on the current state, which
\r
839 * wouldn't fall under the record layer's responsibility
\r
840 * following the above definition.
\r
843 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
\r
844 unsigned update_hs_digest );
\r
845 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
\r
847 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
\r
848 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
\r
849 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
\r
851 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
\r
852 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
\r
854 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
\r
855 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
\r
857 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
\r
858 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
\r
860 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
\r
861 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
\r
863 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
\r
864 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
\r
867 #if defined(MBEDTLS_PK_C)
\r
868 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
\r
869 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
\r
870 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
\r
873 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
\r
874 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
\r
875 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
\r
877 #if defined(MBEDTLS_ECP_C)
\r
878 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
\r
881 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
882 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
\r
883 mbedtls_md_type_t md );
\r
886 #if defined(MBEDTLS_X509_CRT_PARSE_C)
\r
887 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
\r
889 mbedtls_ssl_key_cert *key_cert;
\r
891 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
\r
892 key_cert = ssl->handshake->key_cert;
\r
894 key_cert = ssl->conf->key_cert;
\r
896 return( key_cert == NULL ? NULL : key_cert->key );
\r
899 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
\r
901 mbedtls_ssl_key_cert *key_cert;
\r
903 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
\r
904 key_cert = ssl->handshake->key_cert;
\r
906 key_cert = ssl->conf->key_cert;
\r
908 return( key_cert == NULL ? NULL : key_cert->cert );
\r
912 * Check usage of a certificate wrt extensions:
\r
913 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
\r
915 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
\r
916 * check a cert we received from them)!
\r
918 * Return 0 if everything is OK, -1 if not.
\r
920 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
\r
921 const mbedtls_ssl_ciphersuite_t *ciphersuite,
\r
924 #endif /* MBEDTLS_X509_CRT_PARSE_C */
\r
926 void mbedtls_ssl_write_version( int major, int minor, int transport,
\r
927 unsigned char ver[2] );
\r
928 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
\r
929 const unsigned char ver[2] );
\r
931 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
\r
933 return( (size_t) ( ssl->in_iv - ssl->in_hdr ) );
\r
936 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
\r
938 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
\r
941 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
\r
943 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
944 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
952 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
953 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
\r
954 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
\r
955 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
\r
956 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
\r
959 /* Visible for testing purposes only */
\r
960 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
\r
961 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
\r
962 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
\r
965 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
\r
966 const mbedtls_ssl_session *src );
\r
968 /* constant-time buffer comparison */
\r
969 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
\r
972 volatile const unsigned char *A = (volatile const unsigned char *) a;
\r
973 volatile const unsigned char *B = (volatile const unsigned char *) b;
\r
974 volatile unsigned char diff = 0;
\r
976 for( i = 0; i < n; i++ )
\r
978 /* Read volatile data in order before computing diff.
\r
979 * This avoids IAR compiler warning:
\r
980 * 'the order of volatile accesses is undefined ..' */
\r
981 unsigned char x = A[i], y = B[i];
\r
988 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
\r
989 defined(MBEDTLS_SSL_PROTO_TLS1_1)
\r
990 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
\r
991 unsigned char *output,
\r
992 unsigned char *data, size_t data_len );
\r
993 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
\r
994 MBEDTLS_SSL_PROTO_TLS1_1 */
\r
996 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
\r
997 defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
998 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
\r
999 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
\r
1000 unsigned char *hash, size_t *hashlen,
\r
1001 unsigned char *data, size_t data_len,
\r
1002 mbedtls_md_type_t md_alg );
\r
1003 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
\r
1004 MBEDTLS_SSL_PROTO_TLS1_2 */
\r
1006 #ifdef __cplusplus
\r
1010 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
\r
1011 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
\r
1012 mbedtls_ssl_transform *transform,
\r
1013 mbedtls_record *rec,
\r
1014 int (*f_rng)(void *, unsigned char *, size_t),
\r
1016 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
\r
1017 mbedtls_ssl_transform *transform,
\r
1018 mbedtls_record *rec );
\r
1020 #endif /* ssl_internal.h */
\r