diff --git a/CHANGELOG_LATEST.md b/CHANGELOG_LATEST.md
index 7c69530ce..c26c2890d 100644
--- a/CHANGELOG_LATEST.md
+++ b/CHANGELOG_LATEST.md
@@ -12,6 +12,7 @@ For more details go to [emsesp.org](https://emsesp.org/).
- prometheus metrics for temperature/analog/scheduler/custom [#2962](https://github.com/emsesp/EMS-ESP32/issues/2962)
- boiler pumpkick [#2965](https://github.com/emsesp/EMS-ESP32/discussions/2965)
- heatpump reset [#2933](https://github.com/emsesp/EMS-ESP32/issues/2933)
+- e-mail notification using ReadyMail Client
## Fixed
@@ -27,3 +28,5 @@ For more details go to [emsesp.org](https://emsesp.org/).
- support `minflowtemp` and `baseflowtemp` [#2969](https://github.com/emsesp/EMS-ESP32/discussions/2969)
- update version if it is 00.00 in first read [#2981](https://github.com/emsesp/EMS-ESP32/issues/2981)
- device class for % values [#2980](https://github.com/emsesp/EMS-ESP32/issues/2980)
+- use tasmota core 2026.03.30
+- secure mqtt uses ESP_SSLClient
diff --git a/interface/package.json b/interface/package.json
index e17e29b77..c253f4eb1 100644
--- a/interface/package.json
+++ b/interface/package.json
@@ -50,7 +50,7 @@
"@babel/core": "^7.29.0",
"@eslint/js": "^10.0.1",
"@preact/compat": "^18.3.1",
- "@preact/preset-vite": "^2.10.3",
+ "@preact/preset-vite": "^2.10.4",
"@trivago/prettier-plugin-sort-imports": "^6.0.2",
"@types/node": "^25.5.0",
"@types/react": "^19.2.14",
@@ -61,8 +61,8 @@
"eslint-config-prettier": "^10.1.8",
"prettier": "^3.8.1",
"rollup-plugin-visualizer": "^7.0.1",
- "terser": "^5.46.0",
- "typescript-eslint": "^8.57.0",
+ "terser": "^5.46.1",
+ "typescript-eslint": "^8.57.1",
"vite": "^7.3.1",
"vite-plugin-imagemin": "^0.6.1",
"vite-tsconfig-paths": "^6.1.1"
diff --git a/interface/pnpm-lock.yaml b/interface/pnpm-lock.yaml
index 5b2480896..2eb724f03 100644
--- a/interface/pnpm-lock.yaml
+++ b/interface/pnpm-lock.yaml
@@ -82,8 +82,8 @@ importers:
specifier: ^10.0.1
version: 10.0.1(eslint@10.0.3)
'@preact/preset-vite':
- specifier: ^2.10.3
- version: 2.10.3(@babel/core@7.29.0)(preact@10.29.0)(rollup@4.59.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0))
+ specifier: ^2.10.4
+ version: 2.10.4(@babel/core@7.29.0)(preact@10.29.0)(rollup@4.59.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1))
'@trivago/prettier-plugin-sort-imports':
specifier: ^6.0.2
version: 6.0.2(prettier@3.8.1)
@@ -115,20 +115,20 @@ importers:
specifier: ^7.0.1
version: 7.0.1(rolldown@1.0.0-rc.9)(rollup@4.59.0)
terser:
- specifier: ^5.46.0
- version: 5.46.0
+ specifier: ^5.46.1
+ version: 5.46.1
typescript-eslint:
- specifier: ^8.57.0
- version: 8.57.0(eslint@10.0.3)(typescript@5.9.3)
+ specifier: ^8.57.1
+ version: 8.57.1(eslint@10.0.3)(typescript@5.9.3)
vite:
specifier: ^7.3.1
- version: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)
+ version: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)
vite-plugin-imagemin:
specifier: ^0.6.1
- version: 0.6.1(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0))
+ version: 0.6.1(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1))
vite-tsconfig-paths:
specifier: ^6.1.1
- version: 6.1.1(typescript@5.9.3)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0))
+ version: 6.1.1(typescript@5.9.3)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1))
packages:
@@ -194,12 +194,12 @@ packages:
resolution: {integrity: sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==}
engines: {node: '>=6.9.0'}
- '@babel/helpers@7.28.6':
- resolution: {integrity: sha512-xOBvwq86HHdB7WUDTfKfT/Vuxh7gElQ+Sfti2Cy6yIWNW05P8iUslOVcZ4/sKbE+/jQaukQAdz/gf3724kYdqw==}
+ '@babel/helpers@7.29.2':
+ resolution: {integrity: sha512-HoGuUs4sCZNezVEKdVcwqmZN8GoHirLUcLaYVNBK2J0DadGtdcqgr3BCbvH8+XUo4NGjNl3VOtSjEKNzqfFgKw==}
engines: {node: '>=6.9.0'}
- '@babel/parser@7.29.0':
- resolution: {integrity: sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==}
+ '@babel/parser@7.29.2':
+ resolution: {integrity: sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==}
engines: {node: '>=6.0.0'}
hasBin: true
@@ -221,8 +221,8 @@ packages:
peerDependencies:
'@babel/core': ^7.0.0-0
- '@babel/runtime@7.28.6':
- resolution: {integrity: sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==}
+ '@babel/runtime@7.29.2':
+ resolution: {integrity: sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==}
engines: {node: '>=6.9.0'}
'@babel/template@7.28.6':
@@ -660,11 +660,11 @@ packages:
peerDependencies:
preact: '*'
- '@preact/preset-vite@2.10.3':
- resolution: {integrity: sha512-1SiS+vFItpkNdBs7q585PSAIln0wBeBdcpJYbzPs1qipsb/FssnkUioNXuRsb8ZnU8YEQHr+3v8+/mzWSnTQmg==}
+ '@preact/preset-vite@2.10.4':
+ resolution: {integrity: sha512-L7RQRs2GiG0lLUz7JSg07vU6lhlzdIthH0eqYZmRR70tTB9ikKCq2LHr+PZzhzIOco3Dioi6P6e/fjAmDUMJbQ==}
peerDependencies:
'@babel/core': 7.x
- vite: 2.x || 3.x || 4.x || 5.x || 6.x || 7.x
+ vite: 2.x || 3.x || 4.x || 5.x || 6.x || 7.x || 8.x
'@prefresh/babel-plugin@0.5.3':
resolution: {integrity: sha512-57LX2SHs4BX2s1IwCjNzTE2OJeEepRCNf1VTEpbNcUyHfMO68eeOWGDIt4ob9aYlW6PEWZ1SuwNikuoIXANDtQ==}
@@ -1033,63 +1033,63 @@ packages:
'@types/svgo@2.6.4':
resolution: {integrity: sha512-l4cmyPEckf8moNYHdJ+4wkHvFxjyW6ulm9l4YGaOxeyBWPhBOT0gvni1InpFPdzx1dKf/2s62qGITwxNWnPQng==}
- '@typescript-eslint/eslint-plugin@8.57.0':
- resolution: {integrity: sha512-qeu4rTHR3/IaFORbD16gmjq9+rEs9fGKdX0kF6BKSfi+gCuG3RCKLlSBYzn/bGsY9Tj7KE/DAQStbp8AHJGHEQ==}
+ '@typescript-eslint/eslint-plugin@8.57.1':
+ resolution: {integrity: sha512-Gn3aqnvNl4NGc6x3/Bqk1AOn0thyTU9bqDRhiRnUWezgvr2OnhYCWCgC8zXXRVqBsIL1pSDt7T9nJUe0oM0kDQ==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
- '@typescript-eslint/parser': ^8.57.0
+ '@typescript-eslint/parser': ^8.57.1
eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
typescript: '>=4.8.4 <6.0.0'
- '@typescript-eslint/parser@8.57.0':
- resolution: {integrity: sha512-XZzOmihLIr8AD1b9hL9ccNMzEMWt/dE2u7NyTY9jJG6YNiNthaD5XtUHVF2uCXZ15ng+z2hT3MVuxnUYhq6k1g==}
+ '@typescript-eslint/parser@8.57.1':
+ resolution: {integrity: sha512-k4eNDan0EIMTT/dUKc/g+rsJ6wcHYhNPdY19VoX/EOtaAG8DLtKCykhrUnuHPYvinn5jhAPgD2Qw9hXBwrahsw==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
typescript: '>=4.8.4 <6.0.0'
- '@typescript-eslint/project-service@8.57.0':
- resolution: {integrity: sha512-pR+dK0BlxCLxtWfaKQWtYr7MhKmzqZxuii+ZjuFlZlIGRZm22HnXFqa2eY+90MUz8/i80YJmzFGDUsi8dMOV5w==}
+ '@typescript-eslint/project-service@8.57.1':
+ resolution: {integrity: sha512-vx1F37BRO1OftsYlmG9xay1TqnjNVlqALymwWVuYTdo18XuKxtBpCj1QlzNIEHlvlB27osvXFWptYiEWsVdYsg==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
typescript: '>=4.8.4 <6.0.0'
- '@typescript-eslint/scope-manager@8.57.0':
- resolution: {integrity: sha512-nvExQqAHF01lUM66MskSaZulpPL5pgy5hI5RfrxviLgzZVffB5yYzw27uK/ft8QnKXI2X0LBrHJFr1TaZtAibw==}
+ '@typescript-eslint/scope-manager@8.57.1':
+ resolution: {integrity: sha512-hs/QcpCwlwT2L5S+3fT6gp0PabyGk4Q0Rv2doJXA0435/OpnSR3VRgvrp8Xdoc3UAYSg9cyUjTeFXZEPg/3OKg==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
- '@typescript-eslint/tsconfig-utils@8.57.0':
- resolution: {integrity: sha512-LtXRihc5ytjJIQEH+xqjB0+YgsV4/tW35XKX3GTZHpWtcC8SPkT/d4tqdf1cKtesryHm2bgp6l555NYcT2NLvA==}
+ '@typescript-eslint/tsconfig-utils@8.57.1':
+ resolution: {integrity: sha512-0lgOZB8cl19fHO4eI46YUx2EceQqhgkPSuCGLlGi79L2jwYY1cxeYc1Nae8Aw1xjgW3PKVDLlr3YJ6Bxx8HkWg==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
typescript: '>=4.8.4 <6.0.0'
- '@typescript-eslint/type-utils@8.57.0':
- resolution: {integrity: sha512-yjgh7gmDcJ1+TcEg8x3uWQmn8ifvSupnPfjP21twPKrDP/pTHlEQgmKcitzF/rzPSmv7QjJ90vRpN4U+zoUjwQ==}
+ '@typescript-eslint/type-utils@8.57.1':
+ resolution: {integrity: sha512-+Bwwm0ScukFdyoJsh2u6pp4S9ktegF98pYUU0hkphOOqdMB+1sNQhIz8y5E9+4pOioZijrkfNO/HUJVAFFfPKA==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
typescript: '>=4.8.4 <6.0.0'
- '@typescript-eslint/types@8.57.0':
- resolution: {integrity: sha512-dTLI8PEXhjUC7B9Kre+u0XznO696BhXcTlOn0/6kf1fHaQW8+VjJAVHJ3eTI14ZapTxdkOmc80HblPQLaEeJdg==}
+ '@typescript-eslint/types@8.57.1':
+ resolution: {integrity: sha512-S29BOBPJSFUiblEl6RzPPjJt6w25A6XsBqRVDt53tA/tlL8q7ceQNZHTjPeONt/3S7KRI4quk+yP9jK2WjBiPQ==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
- '@typescript-eslint/typescript-estree@8.57.0':
- resolution: {integrity: sha512-m7faHcyVg0BT3VdYTlX8GdJEM7COexXxS6KqGopxdtkQRvBanK377QDHr4W/vIPAR+ah9+B/RclSW5ldVniO1Q==}
+ '@typescript-eslint/typescript-estree@8.57.1':
+ resolution: {integrity: sha512-ybe2hS9G6pXpqGtPli9Gx9quNV0TWLOmh58ADlmZe9DguLq0tiAKVjirSbtM1szG6+QH6rVXyU6GTLQbWnMY+g==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
typescript: '>=4.8.4 <6.0.0'
- '@typescript-eslint/utils@8.57.0':
- resolution: {integrity: sha512-5iIHvpD3CZe06riAsbNxxreP+MuYgVUsV0n4bwLH//VJmgtt54sQeY2GszntJ4BjYCpMzrfVh2SBnUQTtys2lQ==}
+ '@typescript-eslint/utils@8.57.1':
+ resolution: {integrity: sha512-XUNSJ/lEVFttPMMoDVA2r2bwrl8/oPx8cURtczkSEswY5T3AeLmCy+EKWQNdL4u0MmAHOjcWrqJp2cdvgjn8dQ==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
typescript: '>=4.8.4 <6.0.0'
- '@typescript-eslint/visitor-keys@8.57.0':
- resolution: {integrity: sha512-zm6xx8UT/Xy2oSr2ZXD0pZo7Jx2XsCoID2IUh9YSTFRu7z+WdwYTRk6LhUftm1crwqbuoF6I8zAFeCMw0YjwDg==}
+ '@typescript-eslint/visitor-keys@8.57.1':
+ resolution: {integrity: sha512-YWnmJkXbofiz9KbnbbwuA2rpGkFPLbAIetcCNO6mJ8gdhdZ/v7WDXsoGFAJuM6ikUFKTlSQnjWnVO4ux+UzS6A==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
acorn-jsx@5.3.2:
@@ -1280,8 +1280,8 @@ packages:
resolution: {integrity: sha512-DLIsRzJVBQu72meAKPkWQOLcujdXT32hwdfnkI1frSiSRMK1MofjKHf+MEx0SB6fjEFXL8fBDv1dKymBlOp4Qw==}
engines: {node: '>=0.10.0'}
- caniuse-lite@1.0.30001779:
- resolution: {integrity: sha512-U5og2PN7V4DMgF50YPNtnZJGWVLFjjsN3zb6uMT5VGYIewieDj1upwfuVNXf4Kor+89c3iCRJnSzMD5LmTvsfA==}
+ caniuse-lite@1.0.30001780:
+ resolution: {integrity: sha512-llngX0E7nQci5BPJDqoZSbuZ5Bcs9F5db7EtgfwBerX9XGtkkiO4NwfDDIRzHTTwcYC8vC7bmeUEPGrKlR/TkQ==}
caw@2.0.1:
resolution: {integrity: sha512-Cg8/ZSBEa8ZVY9HspcGUYaK63d/bN7rqS3CYCzEGUxuYv6UlmcjzDUz2fCFFHyTvUW5Pk0I+3hkA3iXlIj6guA==}
@@ -2913,8 +2913,8 @@ packages:
safe-buffer@5.2.1:
resolution: {integrity: sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==}
- sax@1.5.0:
- resolution: {integrity: sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==}
+ sax@1.6.0:
+ resolution: {integrity: sha512-6R3J5M4AcbtLUdZmRv2SygeVaM7IhrLXu9BmnOGmmACak8fiUtOsYNWUS4uK7upbmHIBbLBeFeI//477BKLBzA==}
engines: {node: '>=11.0.0'}
scheduler@0.27.0:
@@ -3127,8 +3127,8 @@ packages:
resolution: {integrity: sha512-ZOn6nJUgvgC09+doCEF3oB+r3ag7kUvlsXEGX069QRD60p+P3uP7XG9N2/at+EyIRGSN//ZY3LyEotA1YpmjuA==}
engines: {node: '>=4'}
- terser@5.46.0:
- resolution: {integrity: sha512-jTwoImyr/QbOWFFso3YoU3ik0jBBDJ6JTOQiy/J2YxVJdZCc+5u7skhNwiOR3FQIygFqVUPHl7qbbxtjW2K3Qg==}
+ terser@5.46.1:
+ resolution: {integrity: sha512-vzCjQO/rgUuK9sf8VJZvjqiqiHFaZLnOiimmUuOKODxWL8mm/xua7viT7aqX7dgPY60otQjUotzFMmCB4VdmqQ==}
engines: {node: '>=10'}
hasBin: true
@@ -3203,8 +3203,8 @@ packages:
peerDependencies:
typescript: '>=3.5.1'
- typescript-eslint@8.57.0:
- resolution: {integrity: sha512-W8GcigEMEeB07xEZol8oJ26rigm3+bfPHxHvwbYUlu1fUDsGuQ7Hiskx5xGW/xM4USc9Ephe3jtv7ZYPQntHeA==}
+ typescript-eslint@8.57.1:
+ resolution: {integrity: sha512-fLvZWf+cAGw3tqMCYzGIU6yR8K+Y9NT2z23RwOjlNFF2HwSB3KhdEFI5lSBv8tNmFkkBShSjsCjzx1vahZfISA==}
engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
peerDependencies:
eslint: ^8.57.0 || ^9.0.0 || ^10.0.0
@@ -3385,6 +3385,9 @@ packages:
resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==}
engines: {node: '>=10'}
+ zimmerframe@1.1.4:
+ resolution: {integrity: sha512-B58NGBEoc8Y9MWWCQGl/gq9xBCe4IiKM0a2x7GZdQKOW5Exr8S1W24J6OgM1njK8xCRGvAJIL/MxXHf6SkmQKQ==}
+
snapshots:
'@alova/adapter-xhr@2.3.1(alova@3.5.1)':
@@ -3408,8 +3411,8 @@ snapshots:
'@babel/generator': 7.29.1
'@babel/helper-compilation-targets': 7.28.6
'@babel/helper-module-transforms': 7.28.6(@babel/core@7.29.0)
- '@babel/helpers': 7.28.6
- '@babel/parser': 7.29.0
+ '@babel/helpers': 7.29.2
+ '@babel/parser': 7.29.2
'@babel/template': 7.28.6
'@babel/traverse': 7.29.0
'@babel/types': 7.29.0
@@ -3424,7 +3427,7 @@ snapshots:
'@babel/generator@7.29.1':
dependencies:
- '@babel/parser': 7.29.0
+ '@babel/parser': 7.29.2
'@babel/types': 7.29.0
'@jridgewell/gen-mapping': 0.3.13
'@jridgewell/trace-mapping': 0.3.31
@@ -3468,12 +3471,12 @@ snapshots:
'@babel/helper-validator-option@7.27.1': {}
- '@babel/helpers@7.28.6':
+ '@babel/helpers@7.29.2':
dependencies:
'@babel/template': 7.28.6
'@babel/types': 7.29.0
- '@babel/parser@7.29.0':
+ '@babel/parser@7.29.2':
dependencies:
'@babel/types': 7.29.0
@@ -3500,12 +3503,12 @@ snapshots:
transitivePeerDependencies:
- supports-color
- '@babel/runtime@7.28.6': {}
+ '@babel/runtime@7.29.2': {}
'@babel/template@7.28.6':
dependencies:
'@babel/code-frame': 7.29.0
- '@babel/parser': 7.29.0
+ '@babel/parser': 7.29.2
'@babel/types': 7.29.0
'@babel/traverse@7.29.0':
@@ -3513,7 +3516,7 @@ snapshots:
'@babel/code-frame': 7.29.0
'@babel/generator': 7.29.1
'@babel/helper-globals': 7.28.0
- '@babel/parser': 7.29.0
+ '@babel/parser': 7.29.2
'@babel/template': 7.28.6
'@babel/types': 7.29.0
debug: 4.4.3
@@ -3544,7 +3547,7 @@ snapshots:
'@emotion/babel-plugin@11.13.5':
dependencies:
'@babel/helper-module-imports': 7.28.6
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@emotion/hash': 0.9.2
'@emotion/memoize': 0.9.0
'@emotion/serialize': 1.3.3
@@ -3575,7 +3578,7 @@ snapshots:
'@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@emotion/babel-plugin': 11.13.5
'@emotion/cache': 11.14.0
'@emotion/serialize': 1.3.3
@@ -3601,7 +3604,7 @@ snapshots:
'@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@emotion/babel-plugin': 11.13.5
'@emotion/is-prop-valid': 1.4.0
'@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.2.4)
@@ -3778,7 +3781,7 @@ snapshots:
'@mui/icons-material@7.3.9(@mui/material@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@types/react@19.2.14)(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@mui/material': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
react: 19.2.4
optionalDependencies:
@@ -3786,7 +3789,7 @@ snapshots:
'@mui/material@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@mui/core-downloads-tracker': 7.3.9
'@mui/system': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4)
'@mui/types': 7.4.12(@types/react@19.2.14)
@@ -3807,7 +3810,7 @@ snapshots:
'@mui/private-theming@7.3.9(@types/react@19.2.14)(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@mui/utils': 7.3.9(@types/react@19.2.14)(react@19.2.4)
prop-types: 15.8.1
react: 19.2.4
@@ -3816,7 +3819,7 @@ snapshots:
'@mui/styled-engine@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@emotion/cache': 11.14.0
'@emotion/serialize': 1.3.3
'@emotion/sheet': 1.4.0
@@ -3829,7 +3832,7 @@ snapshots:
'@mui/system@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@mui/private-theming': 7.3.9(@types/react@19.2.14)(react@19.2.4)
'@mui/styled-engine': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(react@19.2.4)
'@mui/types': 7.4.12(@types/react@19.2.14)
@@ -3845,13 +3848,13 @@ snapshots:
'@mui/types@7.4.12(@types/react@19.2.14)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
optionalDependencies:
'@types/react': 19.2.14
'@mui/utils@7.3.9(@types/react@19.2.14)(react@19.2.4)':
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
'@mui/types': 7.4.12(@types/react@19.2.14)
'@types/prop-types': 15.7.15
clsx: 2.1.1
@@ -3895,18 +3898,20 @@ snapshots:
dependencies:
preact: 10.29.0
- '@preact/preset-vite@2.10.3(@babel/core@7.29.0)(preact@10.29.0)(rollup@4.59.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0))':
+ '@preact/preset-vite@2.10.4(@babel/core@7.29.0)(preact@10.29.0)(rollup@4.59.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1))':
dependencies:
'@babel/core': 7.29.0
'@babel/plugin-transform-react-jsx': 7.28.6(@babel/core@7.29.0)
'@babel/plugin-transform-react-jsx-development': 7.27.1(@babel/core@7.29.0)
- '@prefresh/vite': 2.4.12(preact@10.29.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0))
+ '@prefresh/vite': 2.4.12(preact@10.29.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1))
'@rollup/pluginutils': 5.3.0(rollup@4.59.0)
babel-plugin-transform-hook-names: 1.0.2(@babel/core@7.29.0)
debug: 4.4.3
+ magic-string: 0.30.21
picocolors: 1.1.1
- vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)
- vite-prerender-plugin: 0.5.13(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0))
+ vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)
+ vite-prerender-plugin: 0.5.13(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1))
+ zimmerframe: 1.1.4
transitivePeerDependencies:
- preact
- rollup
@@ -3920,7 +3925,7 @@ snapshots:
'@prefresh/utils@1.2.1': {}
- '@prefresh/vite@2.4.12(preact@10.29.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0))':
+ '@prefresh/vite@2.4.12(preact@10.29.0)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1))':
dependencies:
'@babel/core': 7.29.0
'@prefresh/babel-plugin': 0.5.3
@@ -3928,7 +3933,7 @@ snapshots:
'@prefresh/utils': 1.2.1
'@rollup/pluginutils': 4.2.1
preact: 10.29.0
- vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)
+ vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)
transitivePeerDependencies:
- supports-color
@@ -4084,7 +4089,7 @@ snapshots:
'@trivago/prettier-plugin-sort-imports@6.0.2(prettier@3.8.1)':
dependencies:
'@babel/generator': 7.29.1
- '@babel/parser': 7.29.0
+ '@babel/parser': 7.29.2
'@babel/traverse': 7.29.0
'@babel/types': 7.29.0
javascript-natural-sort: 0.7.1
@@ -4176,14 +4181,14 @@ snapshots:
dependencies:
'@types/node': 25.5.0
- '@typescript-eslint/eslint-plugin@8.57.0(@typescript-eslint/parser@8.57.0(eslint@10.0.3)(typescript@5.9.3))(eslint@10.0.3)(typescript@5.9.3)':
+ '@typescript-eslint/eslint-plugin@8.57.1(@typescript-eslint/parser@8.57.1(eslint@10.0.3)(typescript@5.9.3))(eslint@10.0.3)(typescript@5.9.3)':
dependencies:
'@eslint-community/regexpp': 4.12.2
- '@typescript-eslint/parser': 8.57.0(eslint@10.0.3)(typescript@5.9.3)
- '@typescript-eslint/scope-manager': 8.57.0
- '@typescript-eslint/type-utils': 8.57.0(eslint@10.0.3)(typescript@5.9.3)
- '@typescript-eslint/utils': 8.57.0(eslint@10.0.3)(typescript@5.9.3)
- '@typescript-eslint/visitor-keys': 8.57.0
+ '@typescript-eslint/parser': 8.57.1(eslint@10.0.3)(typescript@5.9.3)
+ '@typescript-eslint/scope-manager': 8.57.1
+ '@typescript-eslint/type-utils': 8.57.1(eslint@10.0.3)(typescript@5.9.3)
+ '@typescript-eslint/utils': 8.57.1(eslint@10.0.3)(typescript@5.9.3)
+ '@typescript-eslint/visitor-keys': 8.57.1
eslint: 10.0.3
ignore: 7.0.5
natural-compare: 1.4.0
@@ -4192,41 +4197,41 @@ snapshots:
transitivePeerDependencies:
- supports-color
- '@typescript-eslint/parser@8.57.0(eslint@10.0.3)(typescript@5.9.3)':
+ '@typescript-eslint/parser@8.57.1(eslint@10.0.3)(typescript@5.9.3)':
dependencies:
- '@typescript-eslint/scope-manager': 8.57.0
- '@typescript-eslint/types': 8.57.0
- '@typescript-eslint/typescript-estree': 8.57.0(typescript@5.9.3)
- '@typescript-eslint/visitor-keys': 8.57.0
+ '@typescript-eslint/scope-manager': 8.57.1
+ '@typescript-eslint/types': 8.57.1
+ '@typescript-eslint/typescript-estree': 8.57.1(typescript@5.9.3)
+ '@typescript-eslint/visitor-keys': 8.57.1
debug: 4.4.3
eslint: 10.0.3
typescript: 5.9.3
transitivePeerDependencies:
- supports-color
- '@typescript-eslint/project-service@8.57.0(typescript@5.9.3)':
+ '@typescript-eslint/project-service@8.57.1(typescript@5.9.3)':
dependencies:
- '@typescript-eslint/tsconfig-utils': 8.57.0(typescript@5.9.3)
- '@typescript-eslint/types': 8.57.0
+ '@typescript-eslint/tsconfig-utils': 8.57.1(typescript@5.9.3)
+ '@typescript-eslint/types': 8.57.1
debug: 4.4.3
typescript: 5.9.3
transitivePeerDependencies:
- supports-color
- '@typescript-eslint/scope-manager@8.57.0':
+ '@typescript-eslint/scope-manager@8.57.1':
dependencies:
- '@typescript-eslint/types': 8.57.0
- '@typescript-eslint/visitor-keys': 8.57.0
+ '@typescript-eslint/types': 8.57.1
+ '@typescript-eslint/visitor-keys': 8.57.1
- '@typescript-eslint/tsconfig-utils@8.57.0(typescript@5.9.3)':
+ '@typescript-eslint/tsconfig-utils@8.57.1(typescript@5.9.3)':
dependencies:
typescript: 5.9.3
- '@typescript-eslint/type-utils@8.57.0(eslint@10.0.3)(typescript@5.9.3)':
+ '@typescript-eslint/type-utils@8.57.1(eslint@10.0.3)(typescript@5.9.3)':
dependencies:
- '@typescript-eslint/types': 8.57.0
- '@typescript-eslint/typescript-estree': 8.57.0(typescript@5.9.3)
- '@typescript-eslint/utils': 8.57.0(eslint@10.0.3)(typescript@5.9.3)
+ '@typescript-eslint/types': 8.57.1
+ '@typescript-eslint/typescript-estree': 8.57.1(typescript@5.9.3)
+ '@typescript-eslint/utils': 8.57.1(eslint@10.0.3)(typescript@5.9.3)
debug: 4.4.3
eslint: 10.0.3
ts-api-utils: 2.4.0(typescript@5.9.3)
@@ -4234,14 +4239,14 @@ snapshots:
transitivePeerDependencies:
- supports-color
- '@typescript-eslint/types@8.57.0': {}
+ '@typescript-eslint/types@8.57.1': {}
- '@typescript-eslint/typescript-estree@8.57.0(typescript@5.9.3)':
+ '@typescript-eslint/typescript-estree@8.57.1(typescript@5.9.3)':
dependencies:
- '@typescript-eslint/project-service': 8.57.0(typescript@5.9.3)
- '@typescript-eslint/tsconfig-utils': 8.57.0(typescript@5.9.3)
- '@typescript-eslint/types': 8.57.0
- '@typescript-eslint/visitor-keys': 8.57.0
+ '@typescript-eslint/project-service': 8.57.1(typescript@5.9.3)
+ '@typescript-eslint/tsconfig-utils': 8.57.1(typescript@5.9.3)
+ '@typescript-eslint/types': 8.57.1
+ '@typescript-eslint/visitor-keys': 8.57.1
debug: 4.4.3
minimatch: 10.2.4
semver: 7.7.4
@@ -4251,20 +4256,20 @@ snapshots:
transitivePeerDependencies:
- supports-color
- '@typescript-eslint/utils@8.57.0(eslint@10.0.3)(typescript@5.9.3)':
+ '@typescript-eslint/utils@8.57.1(eslint@10.0.3)(typescript@5.9.3)':
dependencies:
'@eslint-community/eslint-utils': 4.9.1(eslint@10.0.3)
- '@typescript-eslint/scope-manager': 8.57.0
- '@typescript-eslint/types': 8.57.0
- '@typescript-eslint/typescript-estree': 8.57.0(typescript@5.9.3)
+ '@typescript-eslint/scope-manager': 8.57.1
+ '@typescript-eslint/types': 8.57.1
+ '@typescript-eslint/typescript-estree': 8.57.1(typescript@5.9.3)
eslint: 10.0.3
typescript: 5.9.3
transitivePeerDependencies:
- supports-color
- '@typescript-eslint/visitor-keys@8.57.0':
+ '@typescript-eslint/visitor-keys@8.57.1':
dependencies:
- '@typescript-eslint/types': 8.57.0
+ '@typescript-eslint/types': 8.57.1
eslint-visitor-keys: 5.0.1
acorn-jsx@5.3.2(acorn@8.16.0):
@@ -4321,7 +4326,7 @@ snapshots:
babel-plugin-macros@3.1.0:
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
cosmiconfig: 7.1.0
resolve: 1.22.11
@@ -4397,7 +4402,7 @@ snapshots:
browserslist@4.28.1:
dependencies:
baseline-browser-mapping: 2.10.8
- caniuse-lite: 1.0.30001779
+ caniuse-lite: 1.0.30001780
electron-to-chromium: 1.5.313
node-releases: 2.0.36
update-browserslist-db: 1.2.3(browserslist@4.28.1)
@@ -4460,7 +4465,7 @@ snapshots:
camelcase@2.1.1: {}
- caniuse-lite@1.0.30001779: {}
+ caniuse-lite@1.0.30001780: {}
caw@2.0.1:
dependencies:
@@ -4689,7 +4694,7 @@ snapshots:
dom-helpers@5.2.1:
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
csstype: 3.2.3
dom-serializer@1.4.1:
@@ -5997,7 +6002,7 @@ snapshots:
react-transition-group@4.4.5(react-dom@19.2.4(react@19.2.4))(react@19.2.4):
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
dom-helpers: 5.2.1
loose-envify: 1.4.0
prop-types: 15.8.1
@@ -6011,7 +6016,7 @@ snapshots:
react-window@1.8.11(react-dom@19.2.4(react@19.2.4))(react@19.2.4):
dependencies:
- '@babel/runtime': 7.28.6
+ '@babel/runtime': 7.29.2
memoize-one: 5.2.1
react: 19.2.4
react-dom: 19.2.4(react@19.2.4)
@@ -6147,7 +6152,7 @@ snapshots:
safe-buffer@5.2.1: {}
- sax@1.5.0: {}
+ sax@1.6.0: {}
scheduler@0.27.0: {}
@@ -6322,7 +6327,7 @@ snapshots:
css-tree: 1.1.3
csso: 4.2.0
picocolors: 1.1.1
- sax: 1.5.0
+ sax: 1.6.0
stable: 0.1.8
tar-stream@1.6.2:
@@ -6342,7 +6347,7 @@ snapshots:
temp-dir: 1.0.0
uuid: 3.4.0
- terser@5.46.0:
+ terser@5.46.1:
dependencies:
'@jridgewell/source-map': 0.3.11
acorn: 8.16.0
@@ -6406,12 +6411,12 @@ snapshots:
dependencies:
typescript: 5.9.3
- typescript-eslint@8.57.0(eslint@10.0.3)(typescript@5.9.3):
+ typescript-eslint@8.57.1(eslint@10.0.3)(typescript@5.9.3):
dependencies:
- '@typescript-eslint/eslint-plugin': 8.57.0(@typescript-eslint/parser@8.57.0(eslint@10.0.3)(typescript@5.9.3))(eslint@10.0.3)(typescript@5.9.3)
- '@typescript-eslint/parser': 8.57.0(eslint@10.0.3)(typescript@5.9.3)
- '@typescript-eslint/typescript-estree': 8.57.0(typescript@5.9.3)
- '@typescript-eslint/utils': 8.57.0(eslint@10.0.3)(typescript@5.9.3)
+ '@typescript-eslint/eslint-plugin': 8.57.1(@typescript-eslint/parser@8.57.1(eslint@10.0.3)(typescript@5.9.3))(eslint@10.0.3)(typescript@5.9.3)
+ '@typescript-eslint/parser': 8.57.1(eslint@10.0.3)(typescript@5.9.3)
+ '@typescript-eslint/typescript-estree': 8.57.1(typescript@5.9.3)
+ '@typescript-eslint/utils': 8.57.1(eslint@10.0.3)(typescript@5.9.3)
eslint: 10.0.3
typescript: 5.9.3
transitivePeerDependencies:
@@ -6457,7 +6462,7 @@ snapshots:
spdx-correct: 3.2.0
spdx-expression-parse: 3.0.1
- vite-plugin-imagemin@0.6.1(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)):
+ vite-plugin-imagemin@0.6.1(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)):
dependencies:
'@types/imagemin': 7.0.1
'@types/imagemin-gifsicle': 7.0.4
@@ -6482,11 +6487,11 @@ snapshots:
imagemin-webp: 6.1.0
jpegtran-bin: 6.0.1
pathe: 0.2.0
- vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)
+ vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)
transitivePeerDependencies:
- supports-color
- vite-prerender-plugin@0.5.13(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)):
+ vite-prerender-plugin@0.5.13(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)):
dependencies:
kolorist: 1.8.0
magic-string: 0.30.21
@@ -6494,19 +6499,19 @@ snapshots:
simple-code-frame: 1.3.0
source-map: 0.7.6
stack-trace: 1.0.0-pre2
- vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)
+ vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)
- vite-tsconfig-paths@6.1.1(typescript@5.9.3)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)):
+ vite-tsconfig-paths@6.1.1(typescript@5.9.3)(vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)):
dependencies:
debug: 4.4.3
globrex: 0.1.2
tsconfck: 3.1.6(typescript@5.9.3)
- vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0)
+ vite: 7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1)
transitivePeerDependencies:
- supports-color
- typescript
- vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.0):
+ vite@7.3.1(@types/node@25.5.0)(lightningcss@1.32.0)(terser@5.46.1):
dependencies:
esbuild: 0.27.4
fdir: 6.5.0(picomatch@4.0.3)
@@ -6518,7 +6523,7 @@ snapshots:
'@types/node': 25.5.0
fsevents: 2.3.3
lightningcss: 1.32.0
- terser: 5.46.0
+ terser: 5.46.1
which-typed-array@1.1.20:
dependencies:
@@ -6598,3 +6603,5 @@ snapshots:
fd-slicer: 1.1.0
yocto-queue@0.1.0: {}
+
+ zimmerframe@1.1.4: {}
diff --git a/interface/src/app/main/types.ts b/interface/src/app/main/types.ts
index 492ccc532..d33301dc4 100644
--- a/interface/src/app/main/types.ts
+++ b/interface/src/app/main/types.ts
@@ -43,6 +43,16 @@ export interface Settings {
modbus_port: number;
modbus_max_clients: number;
modbus_timeout: number;
+ email_enabled: boolean;
+ email_ssl?: boolean;
+ email_starttls?: boolean;
+ email_server: string;
+ email_port: number;
+ email_login: string;
+ email_pass: string;
+ email_sender: string;
+ email_recp: string;
+ email_subject: string;
developer_mode: boolean;
}
diff --git a/interface/src/app/settings/ApplicationSettings.tsx b/interface/src/app/settings/ApplicationSettings.tsx
index 61841d305..613a5fbab 100644
--- a/interface/src/app/settings/ApplicationSettings.tsx
+++ b/interface/src/app/settings/ApplicationSettings.tsx
@@ -28,6 +28,7 @@ import {
FormLoader,
MessageBox,
SectionContent,
+ ValidatedPasswordField,
ValidatedTextField,
useLayoutTitle
} from 'components';
@@ -351,6 +352,156 @@ const ApplicationSettings = () => {
)}
+ eMail
+
+ }
+ label={
+
+ Enable eMail notification
+ {!hardwareData.psram && (
+
+ ({LL.IS_REQUIRED('PSRAM')})
+
+ )}
+
+ }
+ />
+ {data.email_enabled && (
+ <>
+
+
+
+
+
+
+
+
+ {!data.email_starttls && (
+
+ }
+ label="SSL/TLS"
+ />
+ )}
+ {!data.email_ssl && (
+
+ }
+ label="STARTTLS"
+ />
+ )}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ )}
{LL.SENSORS()}
diff --git a/lib/espMqttClient/src/Config.h b/lib/espMqttClient/src/Config.h
index 351641db8..af4d84bee 100644
--- a/lib/espMqttClient/src/Config.h
+++ b/lib/espMqttClient/src/Config.h
@@ -49,6 +49,10 @@ the LICENSE file.
#define EMC_CLIENTID_LENGTH 23 + 1
#endif
+#ifdef EMSESP_MQTT_STACKSIZE
+#define EMC_TASK_STACK_SIZE EMSESP_MQTT_STACKSIZE
+#endif
+
#ifndef EMC_TASK_STACK_SIZE
#define EMC_TASK_STACK_SIZE 5120
#endif
diff --git a/lib/espMqttClient/src/MqttClient.cpp b/lib/espMqttClient/src/MqttClient.cpp
index a5d498e2c..745cde1c0 100644
--- a/lib/espMqttClient/src/MqttClient.cpp
+++ b/lib/espMqttClient/src/MqttClient.cpp
@@ -62,7 +62,11 @@ MqttClient::MqttClient(espMqttClientTypes::UseInternalTask useInternalTask, uint
_xSemaphore = xSemaphoreCreateMutex();
EMC_SEMAPHORE_GIVE(); // release before first use
if (_useInternalTask == espMqttClientTypes::UseInternalTask::YES) {
- xTaskCreatePinnedToCore((TaskFunction_t)_loop, "mqttclient", EMC_TASK_STACK_SIZE, this, priority, &_taskHandle, core);
+ if (core > 1) {
+ xTaskCreate((TaskFunction_t)_loop, "mqttclient", EMC_TASK_STACK_SIZE, this, priority, &_taskHandle);
+ } else {
+ xTaskCreatePinnedToCore((TaskFunction_t)_loop, "mqttclient", EMC_TASK_STACK_SIZE, this, priority, &_taskHandle, core);
+ }
}
#else
(void) useInternalTask;
@@ -70,6 +74,7 @@ MqttClient::MqttClient(espMqttClientTypes::UseInternalTask useInternalTask, uint
(void) core;
#endif
_clientId = _generatedClientId;
+ _core = core;
}
MqttClient::~MqttClient() {
diff --git a/lib/espMqttClient/src/MqttClient.h b/lib/espMqttClient/src/MqttClient.h
index eaf9d2d79..5fe7b11a9 100644
--- a/lib/espMqttClient/src/MqttClient.h
+++ b/lib/espMqttClient/src/MqttClient.h
@@ -69,7 +69,17 @@ class MqttClient {
const char* getClientId() const;
size_t queueSize(); // No const because of mutex
void loop();
-
+ uint32_t stack() {
+#ifndef EMSESP_STANDALONE
+ return uxTaskGetStackHighWaterMark(_taskHandle);
+#else
+ return 0;
+#endif
+ }
+ uint8_t core() {
+ return _core;
+ }
+
protected:
explicit MqttClient(espMqttClientTypes::UseInternalTask useInternalTask, uint8_t priority = 1, uint8_t core = 1);
espMqttClientTypes::UseInternalTask _useInternalTask;
@@ -98,6 +108,7 @@ class MqttClient {
uint8_t _willQos;
bool _willRetain;
uint32_t _timeout;
+ uint8_t _core;
// state is protected to allow state changes by the transport system, defined in child classes
// eg. to allow AsyncTCP
diff --git a/lib/espMqttClient/src/Transport/ClientSecureSync.cpp b/lib/espMqttClient/src/Transport/ClientSecureSync.cpp
index f0a9d0fc7..aa9e30f13 100644
--- a/lib/espMqttClient/src/Transport/ClientSecureSync.cpp
+++ b/lib/espMqttClient/src/Transport/ClientSecureSync.cpp
@@ -9,18 +9,16 @@ the LICENSE file.
#ifndef NO_TLS_SUPPORT
#include "ClientSecureSync.h"
-#include "mbedtls_ssl.h" // triggers compilation of mbedtls SSL module (stripped from Tasmota libmbedtls.a)
-
-#include
#include
-#include
+#include "../Config.h"
namespace espMqttClientInternals {
ClientSecureSync::ClientSecureSync()
- : _tls(nullptr)
- , _cfg{}
- , _connected(false) {
+ : client() {
+ client.setClient(&basic_client, true);
+ client.setBufferSizes(EMC_RX_BUFFER_SIZE, EMC_TX_BUFFER_SIZE);
+ client.setSessionTimeout(120); // Set the timeout in seconds (>=120 seconds)
}
ClientSecureSync::~ClientSecureSync() {
@@ -28,133 +26,43 @@ ClientSecureSync::~ClientSecureSync() {
}
bool ClientSecureSync::connect(IPAddress ip, uint16_t port) {
- char host[16];
- sprintf(host, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
- return connect(host, port);
+ bool ret = client.connect(ip, port); // implicit conversion of return code int --> bool
+ if (ret) {
+ // Set TCP option directly to bypass lack of working setNoDelay for WiFiClientSecure
+ int val = true;
+ basic_client.setSocketOption(IPPROTO_TCP, TCP_NODELAY, &val, sizeof(int));
+ }
+ return ret;
}
bool ClientSecureSync::connect(const char * host, uint16_t port) {
- stop(); // clean up any previous connection
-
- _tls = esp_tls_init();
- if (!_tls) {
- return false;
+ bool ret = client.connect(host, port); // implicit conversion of return code int --> bool
+ if (ret) {
+ // Set TCP option directly to bypass lack of working setNoDelay for WiFiClientSecure
+ int val = true;
+ basic_client.setSocketOption(IPPROTO_TCP, TCP_NODELAY, &val, sizeof(int));
}
-
- if (esp_tls_conn_new_sync(host, strlen(host), port, &_cfg, _tls) <= 0) {
- esp_tls_conn_destroy(_tls);
- _tls = nullptr;
- return false;
- }
-
- _connected = true;
-
- // Set TCP_NODELAY and non-blocking mode on the underlying socket
- int fd = -1;
- if (esp_tls_get_conn_sockfd(_tls, &fd) == ESP_OK && fd >= 0) {
- int val = 1;
- setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
- // Make socket non-blocking so reads don't stall the MQTT event loop
- int flags = fcntl(fd, F_GETFL, 0);
- if (flags >= 0) {
- fcntl(fd, F_SETFL, flags | O_NONBLOCK);
- }
- }
-
- return true;
+ return ret;
}
size_t ClientSecureSync::write(const uint8_t * buf, size_t size) {
- if (!_tls || !_connected) {
- return 0;
- }
-
- // Write all data, retrying on WANT_WRITE (non-blocking socket)
- size_t written = 0;
- while (written < size) {
- int ret = esp_tls_conn_write(_tls, buf + written, size - written);
- if (ret > 0) {
- written += ret;
- } else if (ret == ESP_TLS_ERR_SSL_WANT_WRITE || ret == ESP_TLS_ERR_SSL_WANT_READ) {
- continue; // retry
- } else {
- _connected = false;
- break;
- }
- }
- return written;
+ return client.write(buf, size);
}
int ClientSecureSync::read(uint8_t * buf, size_t size) {
- if (!_tls || !_connected) {
- return -1;
- }
-
- int ret = esp_tls_conn_read(_tls, buf, size);
- if (ret > 0) {
- return ret;
- }
- if (ret == ESP_TLS_ERR_SSL_WANT_READ || ret == ESP_TLS_ERR_SSL_WANT_WRITE) {
- return -1; // no data available yet, still connected
- }
- // Connection closed or error
- _connected = false;
- return -1;
+ return client.read(buf, size);
}
void ClientSecureSync::stop() {
- if (_tls) {
- esp_tls_conn_destroy(_tls);
- _tls = nullptr;
- }
- _connected = false;
+ client.stop();
}
bool ClientSecureSync::connected() {
- return _connected && _tls != nullptr;
+ return client.connected();
}
bool ClientSecureSync::disconnected() {
- return !connected();
-}
-
-void ClientSecureSync::setCACert(const char * rootCA) {
- _cfg.cacert_pem_buf = reinterpret_cast(rootCA);
- _cfg.cacert_pem_bytes = strlen(rootCA) + 1;
-}
-
-void ClientSecureSync::setCertificate(const char * clientCert) {
- _cfg.clientcert_pem_buf = reinterpret_cast(clientCert);
- _cfg.clientcert_pem_bytes = strlen(clientCert) + 1;
-}
-
-void ClientSecureSync::setPrivateKey(const char * privateKey) {
- _cfg.clientkey_pem_buf = reinterpret_cast(privateKey);
- _cfg.clientkey_pem_bytes = strlen(privateKey) + 1;
-}
-
-void ClientSecureSync::setPreSharedKey(const char * pskIdent, const char * psKey) {
-#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
- _psk.hint = pskIdent;
- size_t key_len = strlen(psKey) / 2;
- if (key_len > sizeof(_psk_key)) {
- key_len = sizeof(_psk_key);
- }
- for (size_t i = 0; i < key_len; i++) {
- sscanf(psKey + 2 * i, "%2hhx", &_psk_key[i]);
- }
- _psk.key = _psk_key;
- _psk.key_size = key_len;
- _cfg.psk_hint_key = &_psk;
-#endif
-}
-
-void ClientSecureSync::setInsecure() {
- _cfg.cacert_pem_buf = nullptr;
- _cfg.cacert_pem_bytes = 0;
- _cfg.crt_bundle_attach = nullptr;
- _cfg.use_global_ca_store = false;
- _cfg.skip_common_name = true;
+ return !client.connected();
}
} // namespace espMqttClientInternals
diff --git a/lib/espMqttClient/src/Transport/ClientSecureSync.h b/lib/espMqttClient/src/Transport/ClientSecureSync.h
index a9f366e13..84c51f761 100644
--- a/lib/espMqttClient/src/Transport/ClientSecureSync.h
+++ b/lib/espMqttClient/src/Transport/ClientSecureSync.h
@@ -10,7 +10,9 @@ the LICENSE file.
#ifndef NO_TLS_SUPPORT
-#include "esp_tls.h"
+// #include "esp_tls.h"
+#include
+#include
#include "Transport.h"
namespace espMqttClientInternals {
@@ -27,21 +29,8 @@ class ClientSecureSync : public Transport {
bool connected() override;
bool disconnected() override;
- // TLS configuration (call before connect)
- void setCACert(const char * rootCA);
- void setCertificate(const char * clientCert);
- void setPrivateKey(const char * privateKey);
- void setPreSharedKey(const char * pskIdent, const char * psKey);
- void setInsecure();
-
- private:
- esp_tls_t * _tls;
- esp_tls_cfg_t _cfg;
- bool _connected;
-#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
- psk_hint_key_t _psk;
- unsigned char _psk_key[64];
-#endif
+ WiFiClient basic_client;
+ ESP_SSLClient client;
};
} // namespace espMqttClientInternals
diff --git a/lib/espMqttClient/src/espMqttClient.cpp b/lib/espMqttClient/src/espMqttClient.cpp
index ede7aa877..74d0ace67 100644
--- a/lib/espMqttClient/src/espMqttClient.cpp
+++ b/lib/espMqttClient/src/espMqttClient.cpp
@@ -8,50 +8,6 @@ the LICENSE file.
#include "espMqttClient.h"
-#if defined(ARDUINO_ARCH_ESP8266)
-espMqttClient::espMqttClient()
- : MqttClientSetup(espMqttClientTypes::UseInternalTask::NO)
- , _client() {
- _transport = &_client;
-}
-
-espMqttClientSecure::espMqttClientSecure()
- : MqttClientSetup(espMqttClientTypes::UseInternalTask::NO)
- , _client() {
- _transport = &_client;
-}
-
-espMqttClientSecure & espMqttClientSecure::setInsecure() {
- _client.client.setInsecure();
- return *this;
-}
-
-espMqttClientSecure & espMqttClientSecure::setFingerprint(const uint8_t fingerprint[20]) {
- _client.client.setFingerprint(fingerprint);
- return *this;
-}
-
-espMqttClientSecure & espMqttClientSecure::setTrustAnchors(const X509List * ta) {
- _client.client.setTrustAnchors(ta);
- return *this;
-}
-
-espMqttClientSecure & espMqttClientSecure::setClientRSACert(const X509List * cert, const PrivateKey * sk) {
- _client.client.setClientRSACert(cert, sk);
- return *this;
-}
-
-espMqttClientSecure & espMqttClientSecure::setClientECCert(const X509List * cert, const PrivateKey * sk, unsigned allowed_usages, unsigned cert_issuer_key_type) {
- _client.client.setClientECCert(cert, sk, allowed_usages, cert_issuer_key_type);
- return *this;
-}
-
-espMqttClientSecure & espMqttClientSecure::setCertStore(CertStoreBase * certStore) {
- _client.client.setCertStore(certStore);
- return *this;
-}
-#endif
-
#if defined(ARDUINO_ARCH_ESP32)
espMqttClient::espMqttClient(espMqttClientTypes::UseInternalTask useInternalTask)
: MqttClientSetup(useInternalTask)
@@ -79,35 +35,34 @@ espMqttClientSecure::espMqttClientSecure(uint8_t priority, uint8_t core)
espMqttClientSecure & espMqttClientSecure::setInsecure() {
#ifndef NO_TLS_SUPPORT
- _client.setInsecure();
+ _client.client.setInsecure();
#endif
return *this;
}
espMqttClientSecure & espMqttClientSecure::setCACert(const char * rootCA) {
#ifndef NO_TLS_SUPPORT
- _client.setCACert(rootCA);
+ _client.client.setCACert(rootCA);
#endif
return *this;
}
espMqttClientSecure & espMqttClientSecure::setCertificate(const char * clientCa) {
#ifndef NO_TLS_SUPPORT
- _client.setCertificate(clientCa);
+ _client.client.setCertificate(clientCa);
#endif
return *this;
}
espMqttClientSecure & espMqttClientSecure::setPrivateKey(const char * privateKey) {
#ifndef NO_TLS_SUPPORT
- _client.setPrivateKey(privateKey);
+ _client.client.setPrivateKey(privateKey);
#endif
return *this;
}
espMqttClientSecure & espMqttClientSecure::setPreSharedKey(const char * pskIdent, const char * psKey) {
#ifndef NO_TLS_SUPPORT
- _client.setPreSharedKey(pskIdent, psKey);
#endif
return *this;
}
@@ -120,9 +75,4 @@ espMqttClient::espMqttClient()
, _client() {
_transport = &_client;
}
-#elif defined(_WIN32) || defined(__APPLE__)
-// Windows
-espMqttClient::espMqttClient()
- : MqttClientSetup(espMqttClientTypes::UseInternalTask::NO) {
-}
#endif
diff --git a/lib/espMqttClient/src/espMqttClient.h b/lib/espMqttClient/src/espMqttClient.h
index 531dd7ba5..128a801be 100644
--- a/lib/espMqttClient/src/espMqttClient.h
+++ b/lib/espMqttClient/src/espMqttClient.h
@@ -65,10 +65,16 @@ class espMqttClientSecure : public MqttClientSetup {
espMqttClientSecure & setPreSharedKey(const char * pskIdent, const char * psKey);
protected:
+#ifndef NO_TLS_SUPPORT
espMqttClientInternals::ClientSecureSync _client;
+#else
+ espMqttClientInternals::ClientSync _client;
+#endif
};
-#elif defined(__linux__)
+#endif
+
+#if defined(__linux__)
class espMqttClient : public MqttClientSetup {
public:
espMqttClient();
@@ -76,10 +82,4 @@ class espMqttClient : public MqttClientSetup {
protected:
espMqttClientInternals::ClientPosix _client;
};
-#elif defined(_WIN32) || defined(__APPLE__)
-class espMqttClient : public MqttClientSetup {
- public:
- espMqttClient();
-};
-
#endif
diff --git a/lib/mbedtls_ssl/configure.py b/lib/mbedtls_ssl/configure.py
deleted file mode 100644
index ef96c66c2..000000000
--- a/lib/mbedtls_ssl/configure.py
+++ /dev/null
@@ -1,40 +0,0 @@
-Import("env")
-import os
-
-# The Tasmota platform builds with CONFIG_MBEDTLS_TLS_DISABLED=y, stripping the
-# SSL/TLS module from libmbedtls.a. We compile it from source and re-enable the
-# necessary config macros for a minimal TLS 1.2 client.
-try:
- platform = env.PioPlatform()
- framework_dir = platform.get_package_dir("framework-arduinoespressif32")
- mcu = env.BoardConfig().get("build.mcu", "esp32")
- base = os.path.join(framework_dir, "tools", "esp32-arduino-libs", mcu, "include", "mbedtls")
-
- paths = [
- os.path.join(base, "mbedtls", "library"),
- os.path.join(base, "mbedtls", "include"),
- os.path.join(base, "port", "include"),
- ]
- for p in paths:
- if os.path.isdir(p):
- env.Append(CPPPATH=[p])
-
- # Re-enable mbedtls TLS 1.2 client support (disabled by Tasmota sdkconfig)
- env.Append(CPPDEFINES=[
- # Core TLS
- "CONFIG_MBEDTLS_TLS_ENABLED",
- "CONFIG_MBEDTLS_TLS_CLIENT",
- "CONFIG_MBEDTLS_SSL_PROTO_TLS1_2",
- ("CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN", "16384"),
- # Key exchange methods (at least one required)
- "CONFIG_MBEDTLS_KEY_EXCHANGE_RSA",
- "CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA",
- "CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA",
- "CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA",
- "CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA",
- # Optional but useful
- "CONFIG_MBEDTLS_SSL_RENEGOTIATION",
- "CONFIG_MBEDTLS_SSL_ALPN",
- ])
-except Exception:
- pass
diff --git a/lib/mbedtls_ssl/library.json b/lib/mbedtls_ssl/library.json
deleted file mode 100644
index 2122fa599..000000000
--- a/lib/mbedtls_ssl/library.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "name": "mbedtls_ssl",
- "version": "3.6.5",
- "description": "mbedtls SSL/TLS module compiled from source (Tasmota platform strips this from libmbedtls.a)",
- "platforms": ["espressif32"],
- "build": {
- "extraScript": "configure.py",
- "libArchive": false
- }
-}
diff --git a/lib/mbedtls_ssl/src/alignment.h b/lib/mbedtls_ssl/src/alignment.h
deleted file mode 100644
index a17001dd9..000000000
--- a/lib/mbedtls_ssl/src/alignment.h
+++ /dev/null
@@ -1,684 +0,0 @@
-/**
- * \file alignment.h
- *
- * \brief Utility code for dealing with unaligned memory accesses
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#ifndef MBEDTLS_LIBRARY_ALIGNMENT_H
-#define MBEDTLS_LIBRARY_ALIGNMENT_H
-
-#include
-#include
-#include
-
-/*
- * Define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS for architectures where unaligned memory
- * accesses are known to be efficient.
- *
- * All functions defined here will behave correctly regardless, but might be less
- * efficient when this is not defined.
- */
-#if defined(__ARM_FEATURE_UNALIGNED) \
- || defined(MBEDTLS_ARCH_IS_X86) || defined(MBEDTLS_ARCH_IS_X64) \
- || defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
-/*
- * __ARM_FEATURE_UNALIGNED is defined where appropriate by armcc, gcc 7, clang 9
- * (and later versions) for Arm v7 and later; all x86 platforms should have
- * efficient unaligned access.
- *
- * https://learn.microsoft.com/en-us/cpp/build/arm64-windows-abi-conventions?view=msvc-170#alignment
- * specifies that on Windows-on-Arm64, unaligned access is safe (except for uncached
- * device memory).
- */
-#define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS
-#endif
-
-#if defined(__IAR_SYSTEMS_ICC__) && \
- (defined(MBEDTLS_ARCH_IS_ARM64) || defined(MBEDTLS_ARCH_IS_ARM32) \
- || defined(__ICCRX__) || defined(__ICCRL78__) || defined(__ICCRISCV__))
-#pragma language=save
-#pragma language=extended
-#define MBEDTLS_POP_IAR_LANGUAGE_PRAGMA
-/* IAR recommend this technique for accessing unaligned data in
- * https://www.iar.com/knowledge/support/technical-notes/compiler/accessing-unaligned-data
- * This results in a single load / store instruction (if unaligned access is supported).
- * According to that document, this is only supported on certain architectures.
- */
- #define UINT_UNALIGNED
-typedef uint16_t __packed mbedtls_uint16_unaligned_t;
-typedef uint32_t __packed mbedtls_uint32_unaligned_t;
-typedef uint64_t __packed mbedtls_uint64_unaligned_t;
-#elif defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 40504) && \
- ((MBEDTLS_GCC_VERSION < 60300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)))
-/*
- * gcc may generate a branch to memcpy for calls like `memcpy(dest, src, 4)` rather than
- * generating some LDR or LDRB instructions (similar for stores).
- *
- * This is architecture dependent: x86-64 seems fine even with old gcc; 32-bit Arm
- * is affected. To keep it simple, we enable for all architectures.
- *
- * For versions of gcc < 5.4.0 this issue always happens.
- * For gcc < 6.3.0, this issue happens at -O0
- * For all versions, this issue happens iff unaligned access is not supported.
- *
- * For gcc 4.x, this implementation will generate byte-by-byte loads even if unaligned access is
- * supported, which is correct but not optimal.
- *
- * For performance (and code size, in some cases), we want to avoid the branch and just generate
- * some inline load/store instructions since the access is small and constant-size.
- *
- * The manual states:
- * "The packed attribute specifies that a variable or structure field should have the smallest
- * possible alignment—one byte for a variable"
- * https://gcc.gnu.org/onlinedocs/gcc-4.5.4/gcc/Variable-Attributes.html
- *
- * Previous implementations used __attribute__((__aligned__(1)), but had issues with a gcc bug:
- * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94662
- *
- * Tested with several versions of GCC from 4.5.0 up to 13.2.0
- * We don't enable for older than 4.5.0 as this has not been tested.
- */
- #define UINT_UNALIGNED_STRUCT
-typedef struct {
- uint16_t x;
-} __attribute__((packed)) mbedtls_uint16_unaligned_t;
-typedef struct {
- uint32_t x;
-} __attribute__((packed)) mbedtls_uint32_unaligned_t;
-typedef struct {
- uint64_t x;
-} __attribute__((packed)) mbedtls_uint64_unaligned_t;
- #endif
-
-/*
- * We try to force mbedtls_(get|put)_unaligned_uintXX to be always inline, because this results
- * in code that is both smaller and faster. IAR and gcc both benefit from this when optimising
- * for size.
- */
-
-/**
- * Read the unsigned 16 bits integer from the given address, which need not
- * be aligned.
- *
- * \param p pointer to 2 bytes of data
- * \return Data at the given address
- */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-static inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
-{
- uint16_t r;
-#if defined(UINT_UNALIGNED)
- mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
- r = *p16;
-#elif defined(UINT_UNALIGNED_STRUCT)
- mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
- r = p16->x;
-#else
- memcpy(&r, p, sizeof(r));
-#endif
- return r;
-}
-
-/**
- * Write the unsigned 16 bits integer to the given address, which need not
- * be aligned.
- *
- * \param p pointer to 2 bytes of data
- * \param x data to write
- */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-static inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
-{
-#if defined(UINT_UNALIGNED)
- mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
- *p16 = x;
-#elif defined(UINT_UNALIGNED_STRUCT)
- mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
- p16->x = x;
-#else
- memcpy(p, &x, sizeof(x));
-#endif
-}
-
-/**
- * Read the unsigned 32 bits integer from the given address, which need not
- * be aligned.
- *
- * \param p pointer to 4 bytes of data
- * \return Data at the given address
- */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-static inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
-{
- uint32_t r;
-#if defined(UINT_UNALIGNED)
- mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
- r = *p32;
-#elif defined(UINT_UNALIGNED_STRUCT)
- mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
- r = p32->x;
-#else
- memcpy(&r, p, sizeof(r));
-#endif
- return r;
-}
-
-/**
- * Write the unsigned 32 bits integer to the given address, which need not
- * be aligned.
- *
- * \param p pointer to 4 bytes of data
- * \param x data to write
- */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-static inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
-{
-#if defined(UINT_UNALIGNED)
- mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
- *p32 = x;
-#elif defined(UINT_UNALIGNED_STRUCT)
- mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
- p32->x = x;
-#else
- memcpy(p, &x, sizeof(x));
-#endif
-}
-
-/**
- * Read the unsigned 64 bits integer from the given address, which need not
- * be aligned.
- *
- * \param p pointer to 8 bytes of data
- * \return Data at the given address
- */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-static inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
-{
- uint64_t r;
-#if defined(UINT_UNALIGNED)
- mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
- r = *p64;
-#elif defined(UINT_UNALIGNED_STRUCT)
- mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
- r = p64->x;
-#else
- memcpy(&r, p, sizeof(r));
-#endif
- return r;
-}
-
-/**
- * Write the unsigned 64 bits integer to the given address, which need not
- * be aligned.
- *
- * \param p pointer to 8 bytes of data
- * \param x data to write
- */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-static inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
-{
-#if defined(UINT_UNALIGNED)
- mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
- *p64 = x;
-#elif defined(UINT_UNALIGNED_STRUCT)
- mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
- p64->x = x;
-#else
- memcpy(p, &x, sizeof(x));
-#endif
-}
-
-#if defined(MBEDTLS_POP_IAR_LANGUAGE_PRAGMA)
-#pragma language=restore
-#endif
-
-/** Byte Reading Macros
- *
- * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
- * byte from x, where byte 0 is the least significant byte.
- */
-#define MBEDTLS_BYTE_0(x) ((uint8_t) ((x) & 0xff))
-#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff))
-#define MBEDTLS_BYTE_2(x) ((uint8_t) (((x) >> 16) & 0xff))
-#define MBEDTLS_BYTE_3(x) ((uint8_t) (((x) >> 24) & 0xff))
-#define MBEDTLS_BYTE_4(x) ((uint8_t) (((x) >> 32) & 0xff))
-#define MBEDTLS_BYTE_5(x) ((uint8_t) (((x) >> 40) & 0xff))
-#define MBEDTLS_BYTE_6(x) ((uint8_t) (((x) >> 48) & 0xff))
-#define MBEDTLS_BYTE_7(x) ((uint8_t) (((x) >> 56) & 0xff))
-
-/*
- * Detect GCC built-in byteswap routines
- */
-#if defined(__GNUC__) && defined(__GNUC_PREREQ)
-#if __GNUC_PREREQ(4, 8)
-#define MBEDTLS_BSWAP16 __builtin_bswap16
-#endif /* __GNUC_PREREQ(4,8) */
-#if __GNUC_PREREQ(4, 3)
-#define MBEDTLS_BSWAP32 __builtin_bswap32
-#define MBEDTLS_BSWAP64 __builtin_bswap64
-#endif /* __GNUC_PREREQ(4,3) */
-#endif /* defined(__GNUC__) && defined(__GNUC_PREREQ) */
-
-/*
- * Detect Clang built-in byteswap routines
- */
-#if defined(__clang__) && defined(__has_builtin)
-#if __has_builtin(__builtin_bswap16) && !defined(MBEDTLS_BSWAP16)
-#define MBEDTLS_BSWAP16 __builtin_bswap16
-#endif /* __has_builtin(__builtin_bswap16) */
-#if __has_builtin(__builtin_bswap32) && !defined(MBEDTLS_BSWAP32)
-#define MBEDTLS_BSWAP32 __builtin_bswap32
-#endif /* __has_builtin(__builtin_bswap32) */
-#if __has_builtin(__builtin_bswap64) && !defined(MBEDTLS_BSWAP64)
-#define MBEDTLS_BSWAP64 __builtin_bswap64
-#endif /* __has_builtin(__builtin_bswap64) */
-#endif /* defined(__clang__) && defined(__has_builtin) */
-
-/*
- * Detect MSVC built-in byteswap routines
- */
-#if defined(_MSC_VER)
-#if !defined(MBEDTLS_BSWAP16)
-#define MBEDTLS_BSWAP16 _byteswap_ushort
-#endif
-#if !defined(MBEDTLS_BSWAP32)
-#define MBEDTLS_BSWAP32 _byteswap_ulong
-#endif
-#if !defined(MBEDTLS_BSWAP64)
-#define MBEDTLS_BSWAP64 _byteswap_uint64
-#endif
-#endif /* defined(_MSC_VER) */
-
-/* Detect armcc built-in byteswap routine */
-#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) && !defined(MBEDTLS_BSWAP32)
-#if defined(__ARM_ACLE) /* ARM Compiler 6 - earlier versions don't need a header */
-#include
-#endif
-#define MBEDTLS_BSWAP32 __rev
-#endif
-
-/* Detect IAR built-in byteswap routine */
-#if defined(__IAR_SYSTEMS_ICC__)
-#if defined(__ARM_ACLE)
-#include
-#define MBEDTLS_BSWAP16(x) ((uint16_t) __rev16((uint32_t) (x)))
-#define MBEDTLS_BSWAP32 __rev
-#define MBEDTLS_BSWAP64 __revll
-#endif
-#endif
-
-/*
- * Where compiler built-ins are not present, fall back to C code that the
- * compiler may be able to detect and transform into the relevant bswap or
- * similar instruction.
- */
-#if !defined(MBEDTLS_BSWAP16)
-static inline uint16_t mbedtls_bswap16(uint16_t x)
-{
- return
- (x & 0x00ff) << 8 |
- (x & 0xff00) >> 8;
-}
-#define MBEDTLS_BSWAP16 mbedtls_bswap16
-#endif /* !defined(MBEDTLS_BSWAP16) */
-
-#if !defined(MBEDTLS_BSWAP32)
-static inline uint32_t mbedtls_bswap32(uint32_t x)
-{
- return
- (x & 0x000000ff) << 24 |
- (x & 0x0000ff00) << 8 |
- (x & 0x00ff0000) >> 8 |
- (x & 0xff000000) >> 24;
-}
-#define MBEDTLS_BSWAP32 mbedtls_bswap32
-#endif /* !defined(MBEDTLS_BSWAP32) */
-
-#if !defined(MBEDTLS_BSWAP64)
-static inline uint64_t mbedtls_bswap64(uint64_t x)
-{
- return
- (x & 0x00000000000000ffULL) << 56 |
- (x & 0x000000000000ff00ULL) << 40 |
- (x & 0x0000000000ff0000ULL) << 24 |
- (x & 0x00000000ff000000ULL) << 8 |
- (x & 0x000000ff00000000ULL) >> 8 |
- (x & 0x0000ff0000000000ULL) >> 24 |
- (x & 0x00ff000000000000ULL) >> 40 |
- (x & 0xff00000000000000ULL) >> 56;
-}
-#define MBEDTLS_BSWAP64 mbedtls_bswap64
-#endif /* !defined(MBEDTLS_BSWAP64) */
-
-#if !defined(__BYTE_ORDER__)
-
-#if defined(__LITTLE_ENDIAN__)
-/* IAR defines __xxx_ENDIAN__, but not __BYTE_ORDER__ */
-#define MBEDTLS_IS_BIG_ENDIAN 0
-#elif defined(__BIG_ENDIAN__)
-#define MBEDTLS_IS_BIG_ENDIAN 1
-#else
-static const uint16_t mbedtls_byte_order_detector = { 0x100 };
-#define MBEDTLS_IS_BIG_ENDIAN (*((unsigned char *) (&mbedtls_byte_order_detector)) == 0x01)
-#endif
-
-#else
-
-#if (__BYTE_ORDER__) == (__ORDER_BIG_ENDIAN__)
-#define MBEDTLS_IS_BIG_ENDIAN 1
-#else
-#define MBEDTLS_IS_BIG_ENDIAN 0
-#endif
-
-#endif /* !defined(__BYTE_ORDER__) */
-
-/**
- * Get the unsigned 32 bits integer corresponding to four bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the four bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the four bytes to build the 32 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT32_BE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? mbedtls_get_unaligned_uint32((data) + (offset)) \
- : MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
- )
-
-/**
- * Put in memory a 32 bits unsigned integer in big-endian order.
- *
- * \param n 32 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 32
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 32 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 32 bits integer corresponding to four bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the four bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the four bytes to build the 32 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT32_LE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
- : mbedtls_get_unaligned_uint32((data) + (offset)) \
- )
-
-
-/**
- * Put in memory a 32 bits unsigned integer in little-endian order.
- *
- * \param n 32 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 32
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 32 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 16 bits integer corresponding to two bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the two bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the two bytes to build the 16 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT16_LE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
- : mbedtls_get_unaligned_uint16((data) + (offset)) \
- )
-
-/**
- * Put in memory a 16 bits unsigned integer in little-endian order.
- *
- * \param n 16 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 16
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 16 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
- } \
- }
-
-/**
- * Get the unsigned 16 bits integer corresponding to two bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the two bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the two bytes to build the 16 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT16_BE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? mbedtls_get_unaligned_uint16((data) + (offset)) \
- : MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
- )
-
-/**
- * Put in memory a 16 bits unsigned integer in big-endian order.
- *
- * \param n 16 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 16
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 16 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 24 bits integer corresponding to three bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the three bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the three bytes to build the 24 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT24_BE(data, offset) \
- ( \
- ((uint32_t) (data)[(offset)] << 16) \
- | ((uint32_t) (data)[(offset) + 1] << 8) \
- | ((uint32_t) (data)[(offset) + 2]) \
- )
-
-/**
- * Put in memory a 24 bits unsigned integer in big-endian order.
- *
- * \param n 24 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 24
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 24 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT24_BE(n, data, offset) \
- { \
- (data)[(offset)] = MBEDTLS_BYTE_2(n); \
- (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
- (data)[(offset) + 2] = MBEDTLS_BYTE_0(n); \
- }
-
-/**
- * Get the unsigned 24 bits integer corresponding to three bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the three bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the three bytes to build the 24 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT24_LE(data, offset) \
- ( \
- ((uint32_t) (data)[(offset)]) \
- | ((uint32_t) (data)[(offset) + 1] << 8) \
- | ((uint32_t) (data)[(offset) + 2] << 16) \
- )
-
-/**
- * Put in memory a 24 bits unsigned integer in little-endian order.
- *
- * \param n 24 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 24
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 24 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT24_LE(n, data, offset) \
- { \
- (data)[(offset)] = MBEDTLS_BYTE_0(n); \
- (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
- (data)[(offset) + 2] = MBEDTLS_BYTE_2(n); \
- }
-
-/**
- * Get the unsigned 64 bits integer corresponding to eight bytes in
- * big-endian order (MSB first).
- *
- * \param data Base address of the memory to get the eight bytes from.
- * \param offset Offset from \p data of the first and most significant
- * byte of the eight bytes to build the 64 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT64_BE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? mbedtls_get_unaligned_uint64((data) + (offset)) \
- : MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
- )
-
-/**
- * Put in memory a 64 bits unsigned integer in big-endian order.
- *
- * \param n 64 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 64
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the most significant
- * byte of the 64 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
- } \
- }
-
-/**
- * Get the unsigned 64 bits integer corresponding to eight bytes in
- * little-endian order (LSB first).
- *
- * \param data Base address of the memory to get the eight bytes from.
- * \param offset Offset from \p data of the first and least significant
- * byte of the eight bytes to build the 64 bits unsigned
- * integer from.
- */
-#define MBEDTLS_GET_UINT64_LE(data, offset) \
- ((MBEDTLS_IS_BIG_ENDIAN) \
- ? MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
- : mbedtls_get_unaligned_uint64((data) + (offset)) \
- )
-
-/**
- * Put in memory a 64 bits unsigned integer in little-endian order.
- *
- * \param n 64 bits unsigned integer to put in memory.
- * \param data Base address of the memory where to put the 64
- * bits unsigned integer in.
- * \param offset Offset from \p data where to put the least significant
- * byte of the 64 bits unsigned integer \p n.
- */
-#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \
- { \
- if (MBEDTLS_IS_BIG_ENDIAN) \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
- } \
- else \
- { \
- mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
- } \
- }
-
-#endif /* MBEDTLS_LIBRARY_ALIGNMENT_H */
diff --git a/lib/mbedtls_ssl/src/common.h b/lib/mbedtls_ssl/src/common.h
deleted file mode 100644
index 50f2a29a7..000000000
--- a/lib/mbedtls_ssl/src/common.h
+++ /dev/null
@@ -1,453 +0,0 @@
-/**
- * \file common.h
- *
- * \brief Utility macros for internal use in the library
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#ifndef MBEDTLS_LIBRARY_COMMON_H
-#define MBEDTLS_LIBRARY_COMMON_H
-
-#include "mbedtls/build_info.h"
-#include "alignment.h"
-
-#include
-#include
-#include
-#include
-
-#if defined(__ARM_NEON)
-#include
-#define MBEDTLS_HAVE_NEON_INTRINSICS
-#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
-#include
-#define MBEDTLS_HAVE_NEON_INTRINSICS
-#endif
-
-/** Helper to define a function as static except when building invasive tests.
- *
- * If a function is only used inside its own source file and should be
- * declared `static` to allow the compiler to optimize for code size,
- * but that function has unit tests, define it with
- * ```
- * MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
- * ```
- * and declare it in a header in the `library/` directory with
- * ```
- * #if defined(MBEDTLS_TEST_HOOKS)
- * int mbedtls_foo(...);
- * #endif
- * ```
- */
-#if defined(MBEDTLS_TEST_HOOKS)
-#define MBEDTLS_STATIC_TESTABLE
-#else
-#define MBEDTLS_STATIC_TESTABLE static
-#endif
-
-#if defined(MBEDTLS_TEST_HOOKS)
-extern void (*mbedtls_test_hook_test_fail)(const char *test, int line, const char *file);
-#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST) \
- do { \
- if ((!(TEST)) && ((*mbedtls_test_hook_test_fail) != NULL)) \
- { \
- (*mbedtls_test_hook_test_fail)( #TEST, __LINE__, __FILE__); \
- } \
- } while (0)
-#else
-#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST)
-#endif /* defined(MBEDTLS_TEST_HOOKS) */
-
-/** \def ARRAY_LENGTH
- * Return the number of elements of a static or stack array.
- *
- * \param array A value of array (not pointer) type.
- *
- * \return The number of elements of the array.
- */
-/* A correct implementation of ARRAY_LENGTH, but which silently gives
- * a nonsensical result if called with a pointer rather than an array. */
-#define ARRAY_LENGTH_UNSAFE(array) \
- (sizeof(array) / sizeof(*(array)))
-
-#if defined(__GNUC__)
-/* Test if arg and &(arg)[0] have the same type. This is true if arg is
- * an array but not if it's a pointer. */
-#define IS_ARRAY_NOT_POINTER(arg) \
- (!__builtin_types_compatible_p(__typeof__(arg), \
- __typeof__(&(arg)[0])))
-/* A compile-time constant with the value 0. If `const_expr` is not a
- * compile-time constant with a nonzero value, cause a compile-time error. */
-#define STATIC_ASSERT_EXPR(const_expr) \
- (0 && sizeof(struct { unsigned int STATIC_ASSERT : 1 - 2 * !(const_expr); }))
-
-/* Return the scalar value `value` (possibly promoted). This is a compile-time
- * constant if `value` is. `condition` must be a compile-time constant.
- * If `condition` is false, arrange to cause a compile-time error. */
-#define STATIC_ASSERT_THEN_RETURN(condition, value) \
- (STATIC_ASSERT_EXPR(condition) ? 0 : (value))
-
-#define ARRAY_LENGTH(array) \
- (STATIC_ASSERT_THEN_RETURN(IS_ARRAY_NOT_POINTER(array), \
- ARRAY_LENGTH_UNSAFE(array)))
-
-#else
-/* If we aren't sure the compiler supports our non-standard tricks,
- * fall back to the unsafe implementation. */
-#define ARRAY_LENGTH(array) ARRAY_LENGTH_UNSAFE(array)
-#endif
-/** Allow library to access its structs' private members.
- *
- * Although structs defined in header files are publicly available,
- * their members are private and should not be accessed by the user.
- */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
-/**
- * \brief Securely zeroize a buffer then free it.
- *
- * Similar to making consecutive calls to
- * \c mbedtls_platform_zeroize() and \c mbedtls_free(), but has
- * code size savings, and potential for optimisation in the future.
- *
- * Guaranteed to be a no-op if \p buf is \c NULL and \p len is 0.
- *
- * \param buf Buffer to be zeroized then freed.
- * \param len Length of the buffer in bytes
- */
-void mbedtls_zeroize_and_free(void *buf, size_t len);
-
-/** Return an offset into a buffer.
- *
- * This is just the addition of an offset to a pointer, except that this
- * function also accepts an offset of 0 into a buffer whose pointer is null.
- * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
- * A null pointer is a valid buffer pointer when the size is 0, for example
- * as the result of `malloc(0)` on some platforms.)
- *
- * \param p Pointer to a buffer of at least n bytes.
- * This may be \p NULL if \p n is zero.
- * \param n An offset in bytes.
- * \return Pointer to offset \p n in the buffer \p p.
- * Note that this is only a valid pointer if the size of the
- * buffer is at least \p n + 1.
- */
-static inline unsigned char *mbedtls_buffer_offset(
- unsigned char *p, size_t n)
-{
- return p == NULL ? NULL : p + n;
-}
-
-/** Return an offset into a read-only buffer.
- *
- * Similar to mbedtls_buffer_offset(), but for const pointers.
- *
- * \param p Pointer to a buffer of at least n bytes.
- * This may be \p NULL if \p n is zero.
- * \param n An offset in bytes.
- * \return Pointer to offset \p n in the buffer \p p.
- * Note that this is only a valid pointer if the size of the
- * buffer is at least \p n + 1.
- */
-static inline const unsigned char *mbedtls_buffer_offset_const(
- const unsigned char *p, size_t n)
-{
- return p == NULL ? NULL : p + n;
-}
-
-/* Always inline mbedtls_xor() for similar reasons as mbedtls_xor_no_simd(). */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-/**
- * Perform a fast block XOR operation, such that
- * r[i] = a[i] ^ b[i] where 0 <= i < n
- *
- * \param r Pointer to result (buffer of at least \p n bytes). \p r
- * may be equal to either \p a or \p b, but behaviour when
- * it overlaps in other ways is undefined.
- * \param a Pointer to input (buffer of at least \p n bytes)
- * \param b Pointer to input (buffer of at least \p n bytes)
- * \param n Number of bytes to process.
- *
- * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
- * mbedtls_xor_no_simd() (these are functionally equivalent).
- * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
- * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
- * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
- * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
- * For targets without SIMD support, they will behave the same.
- */
-static inline void mbedtls_xor(unsigned char *r,
- const unsigned char *a,
- const unsigned char *b,
- size_t n)
-{
- size_t i = 0;
-#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
-#if defined(MBEDTLS_HAVE_NEON_INTRINSICS) && \
- (!(defined(MBEDTLS_COMPILER_IS_GCC) && MBEDTLS_GCC_VERSION < 70300))
- /* Old GCC versions generate a warning here, so disable the NEON path for these compilers */
- for (; (i + 16) <= n; i += 16) {
- uint8x16_t v1 = vld1q_u8(a + i);
- uint8x16_t v2 = vld1q_u8(b + i);
- uint8x16_t x = veorq_u8(v1, v2);
- vst1q_u8(r + i, x);
- }
-#if defined(__IAR_SYSTEMS_ICC__)
- /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
- * where n is a constant multiple of 16.
- * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
- * constant, and is a very small perf regression if n is not a compile-time constant. */
- if (n % 16 == 0) {
- return;
- }
-#endif
-#elif defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
- /* This codepath probably only makes sense on architectures with 64-bit registers */
- for (; (i + 8) <= n; i += 8) {
- uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
- mbedtls_put_unaligned_uint64(r + i, x);
- }
-#if defined(__IAR_SYSTEMS_ICC__)
- if (n % 8 == 0) {
- return;
- }
-#endif
-#else
- for (; (i + 4) <= n; i += 4) {
- uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
- mbedtls_put_unaligned_uint32(r + i, x);
- }
-#if defined(__IAR_SYSTEMS_ICC__)
- if (n % 4 == 0) {
- return;
- }
-#endif
-#endif
-#endif
- for (; i < n; i++) {
- r[i] = a[i] ^ b[i];
- }
-}
-
-/* Always inline mbedtls_xor_no_simd() as we see significant perf regressions when it does not get
- * inlined (e.g., observed about 3x perf difference in gcm_mult_largetable with gcc 7 - 12) */
-#if defined(__IAR_SYSTEMS_ICC__)
-#pragma inline = forced
-#elif defined(__GNUC__)
-__attribute__((always_inline))
-#endif
-/**
- * Perform a fast block XOR operation, such that
- * r[i] = a[i] ^ b[i] where 0 <= i < n
- *
- * In some situations, this can perform better than mbedtls_xor() (e.g., it's about 5%
- * better in AES-CBC).
- *
- * \param r Pointer to result (buffer of at least \p n bytes). \p r
- * may be equal to either \p a or \p b, but behaviour when
- * it overlaps in other ways is undefined.
- * \param a Pointer to input (buffer of at least \p n bytes)
- * \param b Pointer to input (buffer of at least \p n bytes)
- * \param n Number of bytes to process.
- *
- * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
- * mbedtls_xor_no_simd() (these are functionally equivalent).
- * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
- * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
- * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
- * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
- * For targets without SIMD support, they will behave the same.
- */
-static inline void mbedtls_xor_no_simd(unsigned char *r,
- const unsigned char *a,
- const unsigned char *b,
- size_t n)
-{
- size_t i = 0;
-#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
-#if defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
- /* This codepath probably only makes sense on architectures with 64-bit registers */
- for (; (i + 8) <= n; i += 8) {
- uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
- mbedtls_put_unaligned_uint64(r + i, x);
- }
-#if defined(__IAR_SYSTEMS_ICC__)
- /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
- * where n is a constant multiple of 8.
- * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
- * constant, and is a very small perf regression if n is not a compile-time constant. */
- if (n % 8 == 0) {
- return;
- }
-#endif
-#else
- for (; (i + 4) <= n; i += 4) {
- uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
- mbedtls_put_unaligned_uint32(r + i, x);
- }
-#if defined(__IAR_SYSTEMS_ICC__)
- if (n % 4 == 0) {
- return;
- }
-#endif
-#endif
-#endif
- for (; i < n; i++) {
- r[i] = a[i] ^ b[i];
- }
-}
-
-/* Fix MSVC C99 compatible issue
- * MSVC support __func__ from visual studio 2015( 1900 )
- * Use MSVC predefine macro to avoid name check fail.
- */
-#if (defined(_MSC_VER) && (_MSC_VER <= 1900))
-#define /*no-check-names*/ __func__ __FUNCTION__
-#endif
-
-/* Define `asm` for compilers which don't define it. */
-/* *INDENT-OFF* */
-#ifndef asm
-#if defined(__IAR_SYSTEMS_ICC__)
-#define asm __asm
-#else
-#define asm __asm__
-#endif
-#endif
-/* *INDENT-ON* */
-
-/*
- * Define the constraint used for read-only pointer operands to aarch64 asm.
- *
- * This is normally the usual "r", but for aarch64_32 (aka ILP32,
- * as found in watchos), "p" is required to avoid warnings from clang.
- *
- * Note that clang does not recognise '+p' or '=p', and armclang
- * does not recognise 'p' at all. Therefore, to update a pointer from
- * aarch64 assembly, it is necessary to use something like:
- *
- * uintptr_t uptr = (uintptr_t) ptr;
- * asm( "ldr x4, [%x0], #8" ... : "+r" (uptr) : : )
- * ptr = (void*) uptr;
- *
- * Note that the "x" in "%x0" is neccessary; writing "%0" will cause warnings.
- */
-#if defined(__aarch64__) && defined(MBEDTLS_HAVE_ASM)
-#if UINTPTR_MAX == 0xfffffffful
-/* ILP32: Specify the pointer operand slightly differently, as per #7787. */
-#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "p"
-#elif UINTPTR_MAX == 0xfffffffffffffffful
-/* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */
-#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r"
-#else
-#error "Unrecognised pointer size for aarch64"
-#endif
-#endif
-
-/* Always provide a static assert macro, so it can be used unconditionally.
- * It does nothing on systems where we don't know how to define a static assert.
- */
-/* Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
- * defines static_assert even with -std=c99, but then complains about it.
- */
-#if defined(static_assert) && !defined(__FreeBSD__)
-#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg)
-#else
-/* Make sure `MBEDTLS_STATIC_ASSERT(expr, msg);` is valid both inside and
- * outside a function. We choose a struct declaration, which can be repeated
- * any number of times and does not need a matching definition. */
-#define MBEDTLS_STATIC_ASSERT(expr, msg) \
- struct ISO_C_does_not_allow_extra_semicolon_outside_of_a_function
-#endif
-
-#if defined(__has_builtin)
-#define MBEDTLS_HAS_BUILTIN(x) __has_builtin(x)
-#else
-#define MBEDTLS_HAS_BUILTIN(x) 0
-#endif
-
-/* Define compiler branch hints */
-#if MBEDTLS_HAS_BUILTIN(__builtin_expect)
-#define MBEDTLS_LIKELY(x) __builtin_expect(!!(x), 1)
-#define MBEDTLS_UNLIKELY(x) __builtin_expect(!!(x), 0)
-#else
-#define MBEDTLS_LIKELY(x) x
-#define MBEDTLS_UNLIKELY(x) x
-#endif
-
-/* MBEDTLS_ASSUME may be used to provide additional information to the compiler
- * which can result in smaller code-size. */
-#if MBEDTLS_HAS_BUILTIN(__builtin_assume)
-/* clang provides __builtin_assume */
-#define MBEDTLS_ASSUME(x) __builtin_assume(x)
-#elif MBEDTLS_HAS_BUILTIN(__builtin_unreachable)
-/* gcc and IAR can use __builtin_unreachable */
-#define MBEDTLS_ASSUME(x) do { if (!(x)) __builtin_unreachable(); } while (0)
-#elif defined(_MSC_VER)
-/* Supported by MSVC since VS 2005 */
-#define MBEDTLS_ASSUME(x) __assume(x)
-#else
-#define MBEDTLS_ASSUME(x) do { } while (0)
-#endif
-
-/* For gcc -Os, override with -O2 for a given function.
- *
- * This will not affect behaviour for other optimisation settings, e.g. -O0.
- */
-#if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__OPTIMIZE_SIZE__)
-#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE __attribute__((optimize("-O2")))
-#else
-#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
-#endif
-
-/* Suppress compiler warnings for unused functions and variables. */
-#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__has_attribute)
-# if __has_attribute(unused)
-# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
-# endif
-#endif
-#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__GNUC__)
-# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
-#endif
-#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__IAR_SYSTEMS_ICC__) && defined(__VER__)
-/* IAR does support __attribute__((unused)), but only if the -e flag (extended language support)
- * is given; the pragma always works.
- * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless.
- * Check for version 5.2 or later - this pragma may be supported by earlier versions, but I wasn't
- * able to find documentation).
- */
-# if (__VER__ >= 5020000)
-# define MBEDTLS_MAYBE_UNUSED _Pragma("diag_suppress=Pe177")
-# endif
-#endif
-#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(_MSC_VER)
-# define MBEDTLS_MAYBE_UNUSED __pragma(warning(suppress:4189))
-#endif
-#if !defined(MBEDTLS_MAYBE_UNUSED)
-# define MBEDTLS_MAYBE_UNUSED
-#endif
-
-/* GCC >= 15 has a warning 'unterminated-string-initialization' which complains if you initialize
- * a string into an array without space for a terminating NULL character. In some places in the
- * codebase this behaviour is intended, so we add the macro MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
- * to suppress the warning in these places.
- */
-#if defined(__has_attribute)
-#if __has_attribute(nonstring)
-#define MBEDTLS_HAS_ATTRIBUTE_NONSTRING
-#endif /* __has_attribute(nonstring) */
-#endif /* __has_attribute */
-#if defined(MBEDTLS_HAS_ATTRIBUTE_NONSTRING)
-#define MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING __attribute__((nonstring))
-#else
-#define MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
-#endif /* MBEDTLS_HAS_ATTRIBUTE_NONSTRING */
-
-#endif /* MBEDTLS_LIBRARY_COMMON_H */
diff --git a/lib/mbedtls_ssl/src/constant_time_internal.h b/lib/mbedtls_ssl/src/constant_time_internal.h
deleted file mode 100644
index 61a5c6d4e..000000000
--- a/lib/mbedtls_ssl/src/constant_time_internal.h
+++ /dev/null
@@ -1,579 +0,0 @@
-/**
- * Constant-time functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H
-#define MBEDTLS_CONSTANT_TIME_INTERNAL_H
-
-#include
-#include
-
-#include "common.h"
-
-#if defined(MBEDTLS_BIGNUM_C)
-#include "mbedtls/bignum.h"
-#endif
-
-/* The constant-time interface provides various operations that are likely
- * to result in constant-time code that does not branch or use conditional
- * instructions for secret data (for secret pointers, this also applies to
- * the data pointed to).
- *
- * It has three main parts:
- *
- * - boolean operations
- * These are all named mbedtls_ct__.
- * They operate over and return mbedtls_ct_condition_t.
- * All arguments are considered secret.
- * example: bool x = y | z => x = mbedtls_ct_bool_or(y, z)
- * example: bool x = y == z => x = mbedtls_ct_uint_eq(y, z)
- *
- * - conditional data selection
- * These are all named mbedtls_ct__if and mbedtls_ct__if_else_0
- * All arguments are considered secret.
- * example: size_t a = x ? b : c => a = mbedtls_ct_size_if(x, b, c)
- * example: unsigned a = x ? b : 0 => a = mbedtls_ct_uint_if_else_0(x, b)
- *
- * - block memory operations
- * Only some arguments are considered secret, as documented for each
- * function.
- * example: if (x) memcpy(...) => mbedtls_ct_memcpy_if(x, ...)
- *
- * mbedtls_ct_condition_t must be treated as opaque and only created and
- * manipulated via the functions in this header. The compiler should never
- * be able to prove anything about its value at compile-time.
- *
- * mbedtls_ct_uint_t is an unsigned integer type over which constant time
- * operations may be performed via the functions in this header. It is as big
- * as the larger of size_t and mbedtls_mpi_uint, i.e. it is safe to cast
- * to/from "unsigned int", "size_t", and "mbedtls_mpi_uint" (and any other
- * not-larger integer types).
- *
- * For Arm (32-bit, 64-bit and Thumb), x86 and x86-64, assembly implementations
- * are used to ensure that the generated code is constant time. For other
- * architectures, it uses a plain C fallback designed to yield constant-time code
- * (this has been observed to be constant-time on latest gcc, clang and MSVC
- * as of May 2023).
- *
- * For readability, the static inline definitions are separated out into
- * constant_time_impl.h.
- */
-
-#if (SIZE_MAX > 0xffffffffffffffffULL)
-/* Pointer size > 64-bit */
-typedef size_t mbedtls_ct_condition_t;
-typedef size_t mbedtls_ct_uint_t;
-typedef ptrdiff_t mbedtls_ct_int_t;
-#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(SIZE_MAX))
-#elif (SIZE_MAX > 0xffffffff) || defined(MBEDTLS_HAVE_INT64)
-/* 32-bit < pointer size <= 64-bit, or 64-bit MPI */
-typedef uint64_t mbedtls_ct_condition_t;
-typedef uint64_t mbedtls_ct_uint_t;
-typedef int64_t mbedtls_ct_int_t;
-#define MBEDTLS_CT_SIZE_64
-#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT64_MAX))
-#else
-/* Pointer size <= 32-bit, and no 64-bit MPIs */
-typedef uint32_t mbedtls_ct_condition_t;
-typedef uint32_t mbedtls_ct_uint_t;
-typedef int32_t mbedtls_ct_int_t;
-#define MBEDTLS_CT_SIZE_32
-#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT32_MAX))
-#endif
-#define MBEDTLS_CT_FALSE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(0))
-
-/* ============================================================================
- * Boolean operations
- */
-
-/** Convert a number into a mbedtls_ct_condition_t.
- *
- * \param x Number to convert.
- *
- * \return MBEDTLS_CT_TRUE if \p x != 0, or MBEDTLS_CT_FALSE if \p x == 0
- *
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x);
-
-/** Boolean "not equal" operation.
- *
- * Functionally equivalent to:
- *
- * \p x != \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x != \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
-
-/** Boolean "equals" operation.
- *
- * Functionally equivalent to:
- *
- * \p x == \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x == \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean "less than" operation.
- *
- * Functionally equivalent to:
- *
- * \p x < \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x < \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
-
-/** Boolean "greater than" operation.
- *
- * Functionally equivalent to:
- *
- * \p x > \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x > \p y, otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean "greater or equal" operation.
- *
- * Functionally equivalent to:
- *
- * \p x >= \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x >= \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean "less than or equal" operation.
- *
- * Functionally equivalent to:
- *
- * \p x <= \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x <= \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
- mbedtls_ct_uint_t y);
-
-/** Boolean not-equals operation.
- *
- * Functionally equivalent to:
- *
- * \p x != \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
- * mbedtls_ct_condition_t.
- *
- * \return MBEDTLS_CT_TRUE if \p x != \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y);
-
-/** Boolean "and" operation.
- *
- * Functionally equivalent to:
- *
- * \p x && \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x && \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y);
-
-/** Boolean "or" operation.
- *
- * Functionally equivalent to:
- *
- * \p x || \p y
- *
- * \param x The first value to analyze.
- * \param y The second value to analyze.
- *
- * \return MBEDTLS_CT_TRUE if \p x || \p y,
- * otherwise MBEDTLS_CT_FALSE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
- mbedtls_ct_condition_t y);
-
-/** Boolean "not" operation.
- *
- * Functionally equivalent to:
- *
- * ! \p x
- *
- * \param x The value to invert
- *
- * \return MBEDTLS_CT_FALSE if \p x, otherwise MBEDTLS_CT_TRUE.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x);
-
-
-/* ============================================================================
- * Data selection operations
- */
-
-/** Choose between two size_t values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
- size_t if1,
- size_t if0);
-
-/** Choose between two unsigned values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
- unsigned if1,
- unsigned if0);
-
-/** Choose between two mbedtls_ct_condition_t values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
- mbedtls_ct_condition_t if1,
- mbedtls_ct_condition_t if0);
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-/** Choose between two mbedtls_mpi_uint values.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition, \
- mbedtls_mpi_uint if1, \
- mbedtls_mpi_uint if0);
-
-#endif
-
-/** Choose between an unsigned value and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_uint_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
-
-/** Choose between an mbedtls_ct_condition_t and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
- mbedtls_ct_condition_t if1);
-
-/** Choose between a size_t value and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_size_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1);
-
-#if defined(MBEDTLS_BIGNUM_C)
-
-/** Choose between an mbedtls_mpi_uint value and 0.
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_mpi_uint_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
- mbedtls_mpi_uint if1);
-
-#endif
-
-/** Constant-flow char selection
- *
- * \param low Secret. Bottom of range
- * \param high Secret. Top of range
- * \param c Secret. Value to compare to range
- * \param t Secret. Value to return, if in range
- *
- * \return \p t if \p low <= \p c <= \p high, 0 otherwise.
- */
-static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
- unsigned char high,
- unsigned char c,
- unsigned char t);
-
-/** Choose between two error values. The values must be in the range [-32767..0].
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : if0.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
- */
-static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0);
-
-/** Choose between an error value and 0. The error value must be in the range [-32767..0].
- *
- * Functionally equivalent to:
- *
- * condition ? if1 : 0.
- *
- * Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but
- * results in smaller code size.
- *
- * \param condition Condition to test.
- * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
- *
- * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
- */
-static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1);
-
-/* ============================================================================
- * Block memory operations
- */
-
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
-
-/** Conditionally set a block of memory to zero.
- *
- * Regardless of the condition, every byte will be read once and written to
- * once.
- *
- * \param condition Secret. Condition to test.
- * \param buf Secret. Pointer to the start of the buffer.
- * \param len Number of bytes to set to zero.
- *
- * \warning Unlike mbedtls_platform_zeroize, this does not have the same guarantees
- * about not being optimised away if the memory is never read again.
- */
-void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len);
-
-/** Shift some data towards the left inside a buffer.
- *
- * Functionally equivalent to:
- *
- * memmove(start, start + offset, total - offset);
- * memset(start + (total - offset), 0, offset);
- *
- * Timing independence comes at the expense of performance.
- *
- * \param start Secret. Pointer to the start of the buffer.
- * \param total Total size of the buffer.
- * \param offset Secret. Offset from which to copy \p total - \p offset bytes.
- */
-void mbedtls_ct_memmove_left(void *start,
- size_t total,
- size_t offset);
-
-#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */
-
-/** Conditional memcpy.
- *
- * Functionally equivalent to:
- *
- * if (condition) {
- * memcpy(dest, src1, len);
- * } else {
- * if (src2 != NULL)
- * memcpy(dest, src2, len);
- * }
- *
- * It will always read len bytes from src1.
- * If src2 != NULL, it will always read len bytes from src2.
- * If src2 == NULL, it will instead read len bytes from dest (as if src2 == dest).
- *
- * \param condition The condition
- * \param dest Secret. Destination pointer.
- * \param src1 Secret. Pointer to copy from (if \p condition == MBEDTLS_CT_TRUE).
- * This may be equal to \p dest, but may not overlap in other ways.
- * \param src2 Secret (contents only - may branch to determine if this parameter is NULL).
- * Pointer to copy from (if \p condition == MBEDTLS_CT_FALSE and \p src2 is not NULL). May be NULL.
- * This may be equal to \p dest, but may not overlap it in other ways. It may overlap with \p src1.
- * \param len Number of bytes to copy.
- */
-void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
- unsigned char *dest,
- const unsigned char *src1,
- const unsigned char *src2,
- size_t len
- );
-
-/** Copy data from a secret position.
- *
- * Functionally equivalent to:
- *
- * memcpy(dst, src + offset, len)
- *
- * This function copies \p len bytes from \p src + \p offset to
- * \p dst, with a code flow and memory access pattern that does not depend on
- * \p offset, but only on \p offset_min, \p offset_max and \p len.
- *
- * \note This function reads from \p dest, but the value that
- * is read does not influence the result and this
- * function's behavior is well-defined regardless of the
- * contents of the buffers. This may result in false
- * positives from static or dynamic analyzers, especially
- * if \p dest is not initialized.
- *
- * \param dest Secret. The destination buffer. This must point to a writable
- * buffer of at least \p len bytes.
- * \param src Secret. The base of the source buffer. This must point to a
- * readable buffer of at least \p offset_max + \p len
- * bytes. Shouldn't overlap with \p dest
- * \param offset Secret. The offset in the source buffer from which to copy.
- * This must be no less than \p offset_min and no greater
- * than \p offset_max.
- * \param offset_min The minimal value of \p offset.
- * \param offset_max The maximal value of \p offset.
- * \param len The number of bytes to copy.
- */
-void mbedtls_ct_memcpy_offset(unsigned char *dest,
- const unsigned char *src,
- size_t offset,
- size_t offset_min,
- size_t offset_max,
- size_t len);
-
-/* Documented in include/mbedtls/constant_time.h. a and b are secret.
-
- int mbedtls_ct_memcmp(const void *a,
- const void *b,
- size_t n);
- */
-
-#if defined(MBEDTLS_NIST_KW_C)
-
-/** Constant-time buffer comparison without branches.
- *
- * Similar to mbedtls_ct_memcmp, except that the result only depends on part of
- * the input data - differences in the head or tail are ignored. Functionally equivalent to:
- *
- * memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail)
- *
- * Time taken depends on \p n, but not on \p skip_head or \p skip_tail .
- *
- * Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n.
- *
- * \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
- * \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
- * \param n The number of bytes to examine (total size of the buffers).
- * \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer.
- * These bytes will still be read.
- * \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer.
- * These bytes will still be read.
- *
- * \return Zero if the contents of the two buffers are the same, otherwise non-zero.
- */
-int mbedtls_ct_memcmp_partial(const void *a,
- const void *b,
- size_t n,
- size_t skip_head,
- size_t skip_tail);
-
-#endif
-
-/* Include the implementation of static inline functions above. */
-#include "constant_time_impl.h"
-
-#endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */
diff --git a/lib/mbedtls_ssl/src/debug_internal.h b/lib/mbedtls_ssl/src/debug_internal.h
deleted file mode 100644
index 4523b4633..000000000
--- a/lib/mbedtls_ssl/src/debug_internal.h
+++ /dev/null
@@ -1,172 +0,0 @@
-/**
- * \file debug_internal.h
- *
- * \brief Internal part of the public "debug.h".
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_DEBUG_INTERNAL_H
-#define MBEDTLS_DEBUG_INTERNAL_H
-
-#include "mbedtls/debug.h"
-
-/**
- * \brief Print a message to the debug output. This function is always used
- * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
- * context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the message has occurred in
- * \param line line number the message has occurred at
- * \param format format specifier, in printf format
- * \param ... variables used by the format specifier
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
-
-/**
- * \brief Print the return value of a function to the debug output. This
- * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text the name of the function that returned the error
- * \param ret the return code value
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, int ret);
-
-/**
- * \brief Output a buffer of size len bytes to the debug output. This function
- * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the buffer being dumped. Normally the
- * variable or buffer name
- * \param buf the buffer to be outputted
- * \param len length of the buffer
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line, const char *text,
- const unsigned char *buf, size_t len);
-
-#if defined(MBEDTLS_BIGNUM_C)
-/**
- * \brief Print a MPI variable to the debug output. This function is always
- * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
- * ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the MPI being output. Normally the
- * variable name
- * \param X the MPI variable
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_mpi *X);
-#endif
-
-#if defined(MBEDTLS_ECP_LIGHT)
-/**
- * \brief Print an ECP point to the debug output. This function is always
- * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
- * ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the ECP point being output. Normally the
- * variable name
- * \param X the ECP point
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_ecp_point *X);
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
-/**
- * \brief Print a X.509 certificate structure to the debug output. This
- * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
- * which supplies the ssl context, file and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param text a name or label for the certificate being output
- * \param crt X.509 certificate structure
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_x509_crt *crt);
-#endif
-
-/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function
- only works for the built-in implementation. */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \
- defined(MBEDTLS_ECDH_C)
-typedef enum {
- MBEDTLS_DEBUG_ECDH_Q,
- MBEDTLS_DEBUG_ECDH_QP,
- MBEDTLS_DEBUG_ECDH_Z,
-} mbedtls_debug_ecdh_attr;
-
-/**
- * \brief Print a field of the ECDH structure in the SSL context to the debug
- * output. This function is always used through the
- * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
- * and line number parameters.
- *
- * \param ssl SSL context
- * \param level error level of the debug message
- * \param file file the error has occurred in
- * \param line line number the error has occurred in
- * \param ecdh the ECDH context
- * \param attr the identifier of the attribute being output
- *
- * \attention This function is intended for INTERNAL usage within the
- * library only.
- */
-void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const mbedtls_ecdh_context *ecdh,
- mbedtls_debug_ecdh_attr attr);
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED &&
- MBEDTLS_ECDH_C */
-
-#endif /* MBEDTLS_DEBUG_INTERNAL_H */
diff --git a/lib/mbedtls_ssl/src/mbedtls_ssl.h b/lib/mbedtls_ssl/src/mbedtls_ssl.h
deleted file mode 100644
index 854723f6e..000000000
--- a/lib/mbedtls_ssl/src/mbedtls_ssl.h
+++ /dev/null
@@ -1,9 +0,0 @@
-/*
- * Stub header to trigger PlatformIO Library Dependency Finder.
- *
- * The Tasmota Arduino platform ships a stripped libmbedtls.a that is missing
- * the core SSL/TLS implementation (mbedtls_ssl_read, mbedtls_ssl_write, etc.).
- * This library compiles the official mbedtls 3.6.5 SSL source files so that
- * esp_tls and other components that depend on mbedtls SSL can link.
- */
-#pragma once
diff --git a/lib/mbedtls_ssl/src/md_psa.h b/lib/mbedtls_ssl/src/md_psa.h
deleted file mode 100644
index 028ba2409..000000000
--- a/lib/mbedtls_ssl/src/md_psa.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Translation between MD and PSA identifiers (algorithms, errors).
- *
- * Note: this internal module will go away when everything becomes based on
- * PSA Crypto; it is a helper for the transition period.
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_MD_PSA_H
-#define MBEDTLS_MD_PSA_H
-
-#include "common.h"
-
-#include "mbedtls/md.h"
-#include "psa/crypto.h"
-
-/** Convert PSA status to MD error code.
- *
- * \param status PSA status.
- *
- * \return The corresponding MD error code,
- */
-int mbedtls_md_error_from_psa(psa_status_t status);
-
-#endif /* MBEDTLS_MD_PSA_H */
diff --git a/lib/mbedtls_ssl/src/psa_util_internal.h b/lib/mbedtls_ssl/src/psa_util_internal.h
deleted file mode 100644
index 70a08a02c..000000000
--- a/lib/mbedtls_ssl/src/psa_util_internal.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * \file psa_util_internal.h
- *
- * \brief Internal utility functions for use of PSA Crypto.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#ifndef MBEDTLS_PSA_UTIL_INTERNAL_H
-#define MBEDTLS_PSA_UTIL_INTERNAL_H
-
-/* Include the public header so that users only need one include. */
-#include "mbedtls/psa_util.h"
-
-#include "psa/crypto.h"
-
-#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
-
-/*************************************************************************
- * FFDH
- ************************************************************************/
-
-#define MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH \
- PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
-
-/*************************************************************************
- * ECC
- ************************************************************************/
-
-#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-
-#define MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH \
- PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
-
-/*************************************************************************
- * Error translation
- ************************************************************************/
-
-typedef struct {
- /* Error codes used by PSA crypto are in -255..-128, fitting in 16 bits. */
- int16_t psa_status;
- /* Error codes used by Mbed TLS are in one of the ranges
- * -127..-1 (low-level) or -32767..-4096 (high-level with a low-level
- * code optionally added), fitting in 16 bits. */
- int16_t mbedtls_error;
-} mbedtls_error_pair_t;
-
-#if defined(MBEDTLS_MD_LIGHT)
-extern const mbedtls_error_pair_t psa_to_md_errors[4];
-#endif
-
-#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
-extern const mbedtls_error_pair_t psa_to_cipher_errors[4];
-#endif
-
-#if defined(MBEDTLS_LMS_C)
-extern const mbedtls_error_pair_t psa_to_lms_errors[3];
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
-#endif
-
-#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
- defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
-extern const mbedtls_error_pair_t psa_to_pk_rsa_errors[8];
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
-extern const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[7];
-#endif
-
-/* Generic fallback function for error translation,
- * when the received state was not module-specific. */
-int psa_generic_status_to_mbedtls(psa_status_t status);
-
-/* This function iterates over provided local error translations,
- * and if no match was found - calls the fallback error translation function. */
-int psa_status_to_mbedtls(psa_status_t status,
- const mbedtls_error_pair_t *local_translations,
- size_t local_errors_num,
- int (*fallback_f)(psa_status_t));
-
-/* The second out of three-stage error handling functions of the pk module,
- * acts as a fallback after RSA / ECDSA error translation, and if no match
- * is found, it itself calls psa_generic_status_to_mbedtls. */
-int psa_pk_status_to_mbedtls(psa_status_t status);
-
-/* Utility macro to shorten the defines of error translator in modules. */
-#define PSA_TO_MBEDTLS_ERR_LIST(status, error_list, fallback_f) \
- psa_status_to_mbedtls(status, error_list, \
- sizeof(error_list)/sizeof(error_list[0]), \
- fallback_f)
-
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
-#endif /* MBEDTLS_PSA_UTIL_INTERNAL_H */
diff --git a/lib/mbedtls_ssl/src/ssl_ciphersuites.c b/lib/mbedtls_ssl/src/ssl_ciphersuites.c
deleted file mode 100644
index 23619a26c..000000000
--- a/lib/mbedtls_ssl/src/ssl_ciphersuites.c
+++ /dev/null
@@ -1,2050 +0,0 @@
-/**
- * \file ssl_ciphersuites.c
- *
- * \brief SSL ciphersuites for Mbed TLS
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_SSL_TLS_C)
-
-#include "mbedtls/platform.h"
-
-#include "mbedtls/ssl_ciphersuites.h"
-#include "mbedtls/ssl.h"
-#include "ssl_misc.h"
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/psa_util.h"
-#endif
-
-#include
-
-/*
- * Ordered from most preferred to least preferred in terms of security.
- *
- * Current rule (except weak and null which come last):
- * 1. By key exchange:
- * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
- * 2. By key length and cipher:
- * ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128
- * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
- * 4. By hash function used when relevant
- * 5. By key exchange/auth again: EC > non-EC
- */
-static const int ciphersuite_preference[] =
-{
-#if defined(MBEDTLS_SSL_CIPHERSUITES)
- MBEDTLS_SSL_CIPHERSUITES,
-#else
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /* TLS 1.3 ciphersuites */
- MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
- MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
- MBEDTLS_TLS1_3_AES_128_GCM_SHA256,
- MBEDTLS_TLS1_3_AES_128_CCM_SHA256,
- MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- /* Chacha-Poly ephemeral suites */
- MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-
- /* All AES-256 ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
-
- /* All CAMELLIA-256 ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
- MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
- MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-
- /* All ARIA-256 ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
- MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
- MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
-
- /* All AES-128 ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
- MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
-
- /* All CAMELLIA-128 ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
-
- /* All ARIA-128 ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
- MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
- MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
-
- /* The PSK ephemeral suites */
- MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
- MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
- MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
- MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
- MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
-
- MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
- MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
- MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
-
- /* The ECJPAKE suite */
- MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
-
- /* All AES-256 suites */
- MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
- MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
- MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
-
- /* All CAMELLIA-256 suites */
- MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
- MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
-
- /* All ARIA-256 suites */
- MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
- MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
- MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
-
- /* All AES-128 suites */
- MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
- MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
-
- /* All CAMELLIA-128 suites */
- MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
- MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
-
- /* All ARIA-128 suites */
- MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
- MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
-
- /* The RSA PSK suites */
- MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
- MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
-
- MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
-
- /* The PSK suites */
- MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
- MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
- MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
- MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
- MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
- MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
- MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
- MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
- MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
-
- MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
- MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
- MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA,
- MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
- MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
- MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
- MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
-
- /* NULL suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
- MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
- MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
- MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
- MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
- MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
- MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
- MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
-
- MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
- MBEDTLS_TLS_RSA_WITH_NULL_SHA,
- MBEDTLS_TLS_RSA_WITH_NULL_MD5,
- MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
- MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384,
- MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA,
- MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
- MBEDTLS_TLS_PSK_WITH_NULL_SHA256,
- MBEDTLS_TLS_PSK_WITH_NULL_SHA,
-
-#endif /* MBEDTLS_SSL_CIPHERSUITES */
- 0
-};
-
-static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
-{
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS1_3_AES_256_GCM_SHA384, "TLS1-3-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384,
- MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
- 0,
- MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS1_3_AES_128_GCM_SHA256, "TLS1-3-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
- 0,
- MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#if defined(MBEDTLS_SSL_HAVE_CCM) && defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS1_3_AES_128_CCM_SHA256, "TLS1-3-AES-128-CCM-SHA256",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
- 0,
- MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
- { MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, "TLS1-3-AES-128-CCM-8-SHA256",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
-#endif /* MBEDTLS_MD_CAN_SHA256 && MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) && defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
- "TLS1-3-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
- 0,
- MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
-#endif /* MBEDTLS_SSL_HAVE_CHACHAPOLY && MBEDTLS_MD_CAN_SHA256 */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) && \
- defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
- { MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
- { MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
- "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
- "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
- { MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
- "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
- { MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
- "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
- MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
- MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#endif /* MBEDTLS_SSL_HAVE_CHACHAPOLY &&
- MBEDTLS_MD_CAN_SHA256 &&
- MBEDTLS_SSL_PROTO_TLS1_2 */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#if defined(MBEDTLS_SSL_HAVE_CCM)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
- "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
- "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
- "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
- "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
- "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
- "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
- "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_MD_CAN_SHA384) && \
- defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 && MBEDTLS_SSL_HAVE_GCM */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_CCM)
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_MD_CAN_SHA384) && \
- defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 && MBEDTLS_SSL_HAVE_GCM */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_SSL_HAVE_CCM)
- { MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
- "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
- "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
- "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_MD_CAN_SHA1)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_GCM)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
- "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
- "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
- "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
- "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA, "TLS-PSK-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_CCM)
- { MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#if defined(MBEDTLS_SSL_HAVE_CCM)
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
- MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
- { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
- "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
- MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
- MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
- MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-
- { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
- MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_CBC */
-
-#if defined(MBEDTLS_SSL_HAVE_GCM)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_SSL_HAVE_GCM */
-#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
-
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_SSL_HAVE_AES)
-#if defined(MBEDTLS_SSL_HAVE_CCM)
- { MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8",
- MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE,
- MBEDTLS_CIPHERSUITE_SHORT_TAG,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_SSL_HAVE_CCM */
-#endif /* MBEDTLS_SSL_HAVE_AES */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
-#if defined(MBEDTLS_MD_CAN_MD5)
- { MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, "TLS-ECDHE-PSK-WITH-NULL-SHA256",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA1 */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
- MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- MBEDTLS_CIPHERSUITE_WEAK,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
-#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-
-#if defined(MBEDTLS_SSL_HAVE_ARIA)
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
- "TLS-RSA-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
- "TLS-RSA-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
- "TLS-RSA-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
- "TLS-RSA-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
- "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
- "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
- "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
- "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
- "TLS-PSK-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
- "TLS-PSK-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
- "TLS-PSK-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
- "TLS-PSK-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
- "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
- "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
- "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
- "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
- "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
- "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
- "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
- "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
- "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
- "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
- "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
- "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
- "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
- "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
- "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
- "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
- "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
- "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
- "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
- "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
- "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
- "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
- "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
- MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA384))
- { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
- "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
- MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
- "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
- MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
- defined(MBEDTLS_MD_CAN_SHA256))
- { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
- "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
- MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
- 0,
- MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
-#endif
-
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-
-#endif /* MBEDTLS_SSL_HAVE_ARIA */
-
-
- { 0, "",
- MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
- 0, 0, 0 }
-};
-
-#if defined(MBEDTLS_SSL_CIPHERSUITES)
-const int *mbedtls_ssl_list_ciphersuites(void)
-{
- return ciphersuite_preference;
-}
-#else
-#define MAX_CIPHERSUITES sizeof(ciphersuite_definitions) / \
- sizeof(ciphersuite_definitions[0])
-static int supported_ciphersuites[MAX_CIPHERSUITES];
-static int supported_init = 0;
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ciphersuite_is_removed(const mbedtls_ssl_ciphersuite_t *cs_info)
-{
- (void) cs_info;
-
- return 0;
-}
-
-const int *mbedtls_ssl_list_ciphersuites(void)
-{
- /*
- * On initial call filter out all ciphersuites not supported by current
- * build based on presence in the ciphersuite_definitions.
- */
- if (supported_init == 0) {
- const int *p;
- int *q;
-
- for (p = ciphersuite_preference, q = supported_ciphersuites;
- *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
- p++) {
- const mbedtls_ssl_ciphersuite_t *cs_info;
- if ((cs_info = mbedtls_ssl_ciphersuite_from_id(*p)) != NULL &&
- !ciphersuite_is_removed(cs_info)) {
- *(q++) = *p;
- }
- }
- *q = 0;
-
- supported_init = 1;
- }
-
- return supported_ciphersuites;
-}
-#endif /* MBEDTLS_SSL_CIPHERSUITES */
-
-const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
- const char *ciphersuite_name)
-{
- const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
-
- if (NULL == ciphersuite_name) {
- return NULL;
- }
-
- while (cur->id != 0) {
- if (0 == strcmp(cur->name, ciphersuite_name)) {
- return cur;
- }
-
- cur++;
- }
-
- return NULL;
-}
-
-const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite)
-{
- const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
-
- while (cur->id != 0) {
- if (cur->id == ciphersuite) {
- return cur;
- }
-
- cur++;
- }
-
- return NULL;
-}
-
-const char *mbedtls_ssl_get_ciphersuite_name(const int ciphersuite_id)
-{
- const mbedtls_ssl_ciphersuite_t *cur;
-
- cur = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
-
- if (cur == NULL) {
- return "unknown";
- }
-
- return cur->name;
-}
-
-int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name)
-{
- const mbedtls_ssl_ciphersuite_t *cur;
-
- cur = mbedtls_ssl_ciphersuite_from_string(ciphersuite_name);
-
- if (cur == NULL) {
- return 0;
- }
-
- return cur->id;
-}
-
-size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_type_t key_type;
- psa_algorithm_t alg;
- size_t key_bits;
-
- status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) info->cipher,
- info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16,
- &alg, &key_type, &key_bits);
-
- if (status != PSA_SUCCESS) {
- return 0;
- }
-
- return key_bits;
-#else
- const mbedtls_cipher_info_t * const cipher_info =
- mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) info->cipher);
-
- return mbedtls_cipher_info_get_key_bitlen(cipher_info);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-}
-
-#if defined(MBEDTLS_PK_C)
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- return MBEDTLS_PK_RSA;
-
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return MBEDTLS_PK_ECDSA;
-
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- return MBEDTLS_PK_ECKEY;
-
- default:
- return MBEDTLS_PK_NONE;
- }
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- return PSA_ALG_RSA_PKCS1V15_CRYPT;
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- return PSA_ALG_RSA_PKCS1V15_SIGN(
- mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
-
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
-
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- return PSA_ALG_ECDH;
-
- default:
- return PSA_ALG_NONE;
- }
-}
-
-psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- return PSA_KEY_USAGE_DECRYPT;
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return PSA_KEY_USAGE_SIGN_HASH;
-
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- return PSA_KEY_USAGE_DERIVE;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- return MBEDTLS_PK_RSA;
-
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return MBEDTLS_PK_ECDSA;
-
- default:
- return MBEDTLS_PK_NONE;
- }
-}
-
-#endif /* MBEDTLS_PK_C */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
- * MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
- * MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
-{
- switch (info->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_PSK:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- return 1;
-
- default:
- return 0;
- }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
-#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/lib/mbedtls_ssl/src/ssl_client.c b/lib/mbedtls_ssl/src/ssl_client.c
deleted file mode 100644
index 0bd00cd91..000000000
--- a/lib/mbedtls_ssl/src/ssl_client.c
+++ /dev/null
@@ -1,1019 +0,0 @@
-/*
- * TLS 1.2 and 1.3 client-side functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_SSL_CLI_C)
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
-
-#include
-
-#include "debug_internal.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform.h"
-
-#include "ssl_client.h"
-#include "ssl_misc.h"
-#include "ssl_tls13_keys.h"
-#include "ssl_debug_helpers.h"
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
- const char *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
- size_t hostname_len;
-
- *olen = 0;
-
- if (hostname == NULL) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding server name extension: %s",
- hostname));
-
- hostname_len = strlen(hostname);
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
-
- /*
- * Sect. 3, RFC 6066 (TLS Extensions Definitions)
- *
- * In order to provide any of the server names, clients MAY include an
- * extension of type "server_name" in the (extended) client hello. The
- * "extension_data" field of this extension SHALL contain
- * "ServerNameList" where:
- *
- * struct {
- * NameType name_type;
- * select (name_type) {
- * case host_name: HostName;
- * } name;
- * } ServerName;
- *
- * enum {
- * host_name(0), (255)
- * } NameType;
- *
- * opaque HostName<1..2^16-1>;
- *
- * struct {
- * ServerName server_name_list<1..2^16-1>
- * } ServerNameList;
- *
- */
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SERVERNAME, p, 0);
- p += 2;
-
- MBEDTLS_PUT_UINT16_BE(hostname_len + 5, p, 0);
- p += 2;
-
- MBEDTLS_PUT_UINT16_BE(hostname_len + 3, p, 0);
- p += 2;
-
- *p++ = MBEDTLS_BYTE_0(MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME);
-
- MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
- p += 2;
-
- memcpy(p, hostname, hostname_len);
-
- *olen = hostname_len + 9;
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SERVERNAME);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
- return 0;
-}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_ALPN)
-/*
- * ssl_write_alpn_ext()
- *
- * Structure of the application_layer_protocol_negotiation extension in
- * ClientHello:
- *
- * opaque ProtocolName<1..2^8-1>;
- *
- * struct {
- * ProtocolName protocol_name_list<2..2^16-1>
- * } ProtocolNameList;
- *
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *out_len)
-{
- unsigned char *p = buf;
-
- *out_len = 0;
-
- if (ssl->conf->alpn_list == NULL) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension"));
-
-
- /* Check we have enough space for the extension type (2 bytes), the
- * extension length (2 bytes) and the protocol_name_list length (2 bytes).
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
- /* Skip writing extension and list length for now */
- p += 6;
-
- /*
- * opaque ProtocolName<1..2^8-1>;
- *
- * struct {
- * ProtocolName protocol_name_list<2..2^16-1>
- * } ProtocolNameList;
- */
- for (const char **cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
- /*
- * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
- * protocol names is less than 255.
- */
- size_t protocol_name_len = strlen(*cur);
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + protocol_name_len);
- *p++ = (unsigned char) protocol_name_len;
- memcpy(p, *cur, protocol_name_len);
- p += protocol_name_len;
- }
-
- *out_len = (size_t) (p - buf);
-
- /* List length = *out_len - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
- MBEDTLS_PUT_UINT16_BE(*out_len - 6, buf, 4);
-
- /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */
- MBEDTLS_PUT_UINT16_BE(*out_len - 4, buf, 2);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
- return 0;
-}
-#endif /* MBEDTLS_SSL_ALPN */
-
-#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
- defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
-/*
- * Function for writing a supported groups (TLS 1.3) or supported elliptic
- * curves (TLS 1.2) extension.
- *
- * The "extension_data" field of a supported groups extension contains a
- * "NamedGroupList" value (TLS 1.3 RFC8446):
- * enum {
- * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
- * x25519(0x001D), x448(0x001E),
- * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
- * ffdhe6144(0x0103), ffdhe8192(0x0104),
- * ffdhe_private_use(0x01FC..0x01FF),
- * ecdhe_private_use(0xFE00..0xFEFF),
- * (0xFFFF)
- * } NamedGroup;
- * struct {
- * NamedGroup named_group_list<2..2^16-1>;
- * } NamedGroupList;
- *
- * The "extension_data" field of a supported elliptic curves extension contains
- * a "NamedCurveList" value (TLS 1.2 RFC 8422):
- * enum {
- * deprecated(1..22),
- * secp256r1 (23), secp384r1 (24), secp521r1 (25),
- * x25519(29), x448(30),
- * reserved (0xFE00..0xFEFF),
- * deprecated(0xFF01..0xFF02),
- * (0xFFFF)
- * } NamedCurve;
- * struct {
- * NamedCurve named_curve_list<2..2^16-1>
- * } NamedCurveList;
- *
- * The TLS 1.3 supported groups extension was defined to be a compatible
- * generalization of the TLS 1.2 supported elliptic curves extension. They both
- * share the same extension identifier.
- *
- */
-#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG 1
-#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG 2
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- int flags,
- size_t *out_len)
-{
- unsigned char *p = buf;
- unsigned char *named_group_list; /* Start of named_group_list */
- size_t named_group_list_len; /* Length of named_group_list */
- const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
-
- *out_len = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported_groups extension"));
-
- /* Check if we have space for header and length fields:
- * - extension_type (2 bytes)
- * - extension_data_length (2 bytes)
- * - named_group_list_length (2 bytes)
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
- p += 6;
-
- named_group_list = p;
-
- if (group_list == NULL) {
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
- }
-
- for (; *group_list != 0; group_list++) {
- int propose_group = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("got supported group(%04x)", *group_list));
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
- if (flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG) {
-#if defined(PSA_WANT_ALG_ECDH)
- if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list) &&
- (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
- MBEDTLS_ECP_DP_NONE)) {
- propose_group = 1;
- }
-#endif
-#if defined(PSA_WANT_ALG_FFDH)
- if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
- propose_group = 1;
- }
-#endif
- }
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
-
-#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
- if ((flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG) &&
- mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list) &&
- (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
- MBEDTLS_ECP_DP_NONE)) {
- propose_group = 1;
- }
-#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC */
-
- if (propose_group) {
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
- p += 2;
- MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
- mbedtls_ssl_named_group_to_str(*group_list),
- *group_list));
- }
- }
-
- /* Length of named_group_list */
- named_group_list_len = (size_t) (p - named_group_list);
- if (named_group_list_len == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("No group available."));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /* Write extension_type */
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, buf, 0);
- /* Write extension_data_length */
- MBEDTLS_PUT_UINT16_BE(named_group_list_len + 2, buf, 2);
- /* Write length of named_group_list */
- MBEDTLS_PUT_UINT16_BE(named_group_list_len, buf, 4);
-
- MBEDTLS_SSL_DEBUG_BUF(3, "Supported groups extension",
- buf + 4, named_group_list_len + 2);
-
- *out_len = (size_t) (p - buf);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_tls13_set_hs_sent_ext_mask(
- ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_client_hello_cipher_suites(
- mbedtls_ssl_context *ssl,
- unsigned char *buf,
- unsigned char *end,
- int *tls12_uses_ec,
- size_t *out_len)
-{
- unsigned char *p = buf;
- const int *ciphersuite_list;
- unsigned char *cipher_suites; /* Start of the cipher_suites list */
- size_t cipher_suites_len;
-
- *tls12_uses_ec = 0;
- *out_len = 0;
-
- /*
- * Ciphersuite list
- *
- * This is a list of the symmetric cipher options supported by
- * the client, specifically the record protection algorithm
- * ( including secret key length ) and a hash to be used with
- * HKDF, in descending order of client preference.
- */
- ciphersuite_list = ssl->conf->ciphersuite_list;
-
- /* Check there is space for the cipher suite list length (2 bytes). */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- p += 2;
-
- /* Write cipher_suites
- * CipherSuite cipher_suites<2..2^16-2>;
- */
- cipher_suites = p;
- for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
- int cipher_suite = ciphersuite_list[i];
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
-
- if (mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
- ssl->handshake->min_tls_version,
- ssl->tls_version) != 0) {
- continue;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- (defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
- *tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %04x, %s",
- (unsigned int) cipher_suite,
- ciphersuite_info->name));
-
- /* Check there is space for the cipher suite identifier (2 bytes). */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- MBEDTLS_PUT_UINT16_BE(cipher_suite, p, 0);
- p += 2;
- }
-
- /*
- * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- */
- int renegotiating = 0;
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
-#endif
- if (!renegotiating) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV"));
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0);
- p += 2;
- }
-
- /* Write the cipher_suites length in number of bytes */
- cipher_suites_len = (size_t) (p - cipher_suites);
- MBEDTLS_PUT_UINT16_BE(cipher_suites_len, buf, 0);
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
- cipher_suites_len/2));
-
- /* Output the total length of cipher_suites field. */
- *out_len = (size_t) (p - buf);
-
- return 0;
-}
-
-/*
- * Structure of the TLS 1.3 ClientHello message:
- *
- * struct {
- * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
- * Random random;
- * opaque legacy_session_id<0..32>;
- * CipherSuite cipher_suites<2..2^16-2>;
- * opaque legacy_compression_methods<1..2^8-1>;
- * Extension extensions<8..2^16-1>;
- * } ClientHello;
- *
- * Structure of the (D)TLS 1.2 ClientHello message:
- *
- * struct {
- * ProtocolVersion client_version;
- * Random random;
- * SessionID session_id;
- * opaque cookie<0..2^8-1>; // DTLS 1.2 ONLY
- * CipherSuite cipher_suites<2..2^16-2>;
- * CompressionMethod compression_methods<1..2^8-1>;
- * select (extensions_present) {
- * case false:
- * struct {};
- * case true:
- * Extension extensions<0..2^16-1>;
- * };
- * } ClientHello;
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- unsigned char *end,
- size_t *out_len,
- size_t *binders_len)
-{
- int ret;
- mbedtls_ssl_handshake_params *handshake = ssl->handshake;
- unsigned char *p = buf;
- unsigned char *p_extensions_len; /* Pointer to extensions length */
- size_t output_len; /* Length of buffer used by function */
- size_t extensions_len; /* Length of the list of extensions*/
- int tls12_uses_ec = 0;
-
- *out_len = 0;
- *binders_len = 0;
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- unsigned char propose_tls12 =
- (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2)
- &&
- (MBEDTLS_SSL_VERSION_TLS1_2 <= ssl->tls_version);
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- unsigned char propose_tls13 =
- (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3)
- &&
- (MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version);
-#endif
-
- /*
- * Write client_version (TLS 1.2) or legacy_version (TLS 1.3)
- *
- * In all cases this is the TLS 1.2 version.
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- mbedtls_ssl_write_version(p, ssl->conf->transport,
- MBEDTLS_SSL_VERSION_TLS1_2);
- p += 2;
-
- /* ...
- * Random random;
- * ...
- *
- * The random bytes have been prepared by ssl_prepare_client_hello() into
- * the handshake->randbytes buffer and are copied here into the output
- * buffer.
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
- memcpy(p, handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
- MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
- p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
- p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
-
- /* TLS 1.2:
- * ...
- * SessionID session_id;
- * ...
- * with
- * opaque SessionID<0..32>;
- *
- * TLS 1.3:
- * ...
- * opaque legacy_session_id<0..32>;
- * ...
- *
- * The (legacy) session identifier bytes have been prepared by
- * ssl_prepare_client_hello() into the ssl->session_negotiate->id buffer
- * and are copied here into the output buffer.
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, ssl->session_negotiate->id_len + 1);
- *p++ = (unsigned char) ssl->session_negotiate->id_len;
- memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
- p += ssl->session_negotiate->id_len;
-
- MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
- ssl->session_negotiate->id_len);
-
- /* DTLS 1.2 ONLY
- * ...
- * opaque cookie<0..2^8-1>;
- * ...
- */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
-#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
- uint8_t cookie_len = 0;
-#else
- uint16_t cookie_len = 0;
-#endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */
-
- if (handshake->cookie != NULL) {
- MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
- handshake->cookie,
- handshake->cookie_len);
- cookie_len = handshake->cookie_len;
- }
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, cookie_len + 1);
- *p++ = (unsigned char) cookie_len;
- if (cookie_len > 0) {
- memcpy(p, handshake->cookie, cookie_len);
- p += cookie_len;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
-
- /* Write cipher_suites */
- ret = ssl_write_client_hello_cipher_suites(ssl, p, end,
- &tls12_uses_ec,
- &output_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
-
- /* Write legacy_compression_methods (TLS 1.3) or
- * compression_methods (TLS 1.2)
- *
- * For every TLS 1.3 ClientHello, this vector MUST contain exactly
- * one byte set to zero, which corresponds to the 'null' compression
- * method in prior versions of TLS.
- *
- * For TLS 1.2 ClientHello, for security reasons we do not support
- * compression anymore, thus also just the 'null' compression method.
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- *p++ = 1;
- *p++ = MBEDTLS_SSL_COMPRESS_NULL;
-
- /* Write extensions */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /* Keeping track of the included extensions */
- handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
-#endif
-
- /* First write extensions, then the total length */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- p_extensions_len = p;
- p += 2;
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- /* Write server name extension */
- ret = ssl_write_hostname_ext(ssl, p, end, &output_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_ALPN)
- ret = ssl_write_alpn_ext(ssl, p, end, &output_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
-#endif /* MBEDTLS_SSL_ALPN */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (propose_tls13) {
- ret = mbedtls_ssl_tls13_write_client_hello_exts(ssl, p, end,
- &output_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
- }
-#endif
-
-#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
- defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
- {
- int ssl_write_supported_groups_ext_flags = 0;
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
- if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
- ssl_write_supported_groups_ext_flags |=
- SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
- }
-#endif
-#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
- if (propose_tls12 && tls12_uses_ec) {
- ssl_write_supported_groups_ext_flags |=
- SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG;
- }
-#endif
- if (ssl_write_supported_groups_ext_flags != 0) {
- ret = ssl_write_supported_groups_ext(ssl, p, end,
- ssl_write_supported_groups_ext_flags,
- &output_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
- }
- }
-#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
- int write_sig_alg_ext = 0;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- write_sig_alg_ext = write_sig_alg_ext ||
- (propose_tls13 && mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl));
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
-#endif
-
- if (write_sig_alg_ext) {
- ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
- }
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (propose_tls12) {
- ret = mbedtls_ssl_tls12_write_client_hello_exts(ssl, p, end,
- tls12_uses_ec,
- &output_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
- /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
- * MUST be the last extension in the ClientHello.
- */
- if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
- ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
- ssl, p, end, &output_len, binders_len);
- if (ret != 0) {
- return ret;
- }
- p += output_len;
- }
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
-
- /* Write the length of the list of extensions. */
- extensions_len = (size_t) (p - p_extensions_len) - 2;
-
- if (extensions_len == 0) {
- p = p_extensions_len;
- } else {
- MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" \
- MBEDTLS_PRINTF_SIZET, extensions_len));
- MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions",
- p_extensions_len, extensions_len);
- }
-
- *out_len = (size_t) (p - buf);
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_generate_random(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *randbytes = ssl->handshake->randbytes;
- size_t gmt_unix_time_len = 0;
-
- /*
- * Generate the random bytes
- *
- * TLS 1.2 case:
- * struct {
- * uint32 gmt_unix_time;
- * opaque random_bytes[28];
- * } Random;
- *
- * TLS 1.3 case:
- * opaque Random[32];
- */
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
-#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t gmt_unix_time = mbedtls_time(NULL);
- MBEDTLS_PUT_UINT32_BE(gmt_unix_time, randbytes, 0);
- gmt_unix_time_len = 4;
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
- (long long) gmt_unix_time));
-#endif /* MBEDTLS_HAVE_TIME */
- }
-
- ret = ssl->conf->f_rng(ssl->conf->p_rng,
- randbytes + gmt_unix_time_len,
- MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
- return ret;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
-{
- int ret;
- size_t session_id_len;
- mbedtls_ssl_session *session_negotiate = ssl->session_negotiate;
-
- if (session_negotiate == NULL) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SESSION_TICKETS) && \
- defined(MBEDTLS_HAVE_TIME)
-
- /* Check if a tls13 ticket has been configured. */
- if (ssl->handshake->resume != 0 &&
- session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- session_negotiate->ticket != NULL) {
- mbedtls_ms_time_t now = mbedtls_ms_time();
- mbedtls_ms_time_t age = now - session_negotiate->ticket_reception_time;
- if (age < 0 ||
- age > (mbedtls_ms_time_t) session_negotiate->ticket_lifetime * 1000) {
- /* Without valid ticket, disable session resumption.*/
- MBEDTLS_SSL_DEBUG_MSG(
- 3, ("Ticket expired, disable session resumption"));
- ssl->handshake->resume = 0;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
- MBEDTLS_SSL_SESSION_TICKETS &&
- MBEDTLS_HAVE_TIME */
-
- /* Bet on the highest configured version if we are not in a TLS 1.2
- * renegotiation or session resumption.
- */
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
- ssl->handshake->min_tls_version = ssl->tls_version;
- } else
-#endif
- {
- if (ssl->handshake->resume) {
- ssl->tls_version = session_negotiate->tls_version;
- ssl->handshake->min_tls_version = ssl->tls_version;
- } else {
- ssl->handshake->min_tls_version = ssl->conf->min_tls_version;
- }
- }
-
- /*
- * Generate the random bytes, except when responding to a verify request
- * where we MUST reuse the previously generated random bytes
- * (RFC 6347 4.2.1).
- */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
- (ssl->handshake->cookie == NULL))
-#endif
- {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (!ssl->handshake->hello_retry_request_flag)
-#endif
- {
- ret = ssl_generate_random(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
- return ret;
- }
- }
- }
-
- /*
- * Prepare session identifier. At that point, the length of the session
- * identifier in the SSL context `ssl->session_negotiate->id_len` is equal
- * to zero, except in the case of a TLS 1.2 session renegotiation or
- * session resumption.
- */
- session_id_len = session_negotiate->id_len;
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
- if (session_id_len < 16 || session_id_len > 32 ||
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
-#endif
- ssl->handshake->resume == 0) {
- session_id_len = 0;
- }
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- /*
- * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
- * generate and include a Session ID in the TLS ClientHello."
- */
- int renegotiating = 0;
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
- renegotiating = 1;
- }
-#endif
- if (!renegotiating) {
- if ((session_negotiate->ticket != NULL) &&
- (session_negotiate->ticket_len != 0)) {
- session_id_len = 32;
- }
- }
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- /*
- * Create a legacy session identifier for the purpose of middlebox
- * compatibility only if one has not been created already, which is
- * the case if we are here for the TLS 1.3 second ClientHello.
- *
- * Versions of TLS before TLS 1.3 supported a "session resumption"
- * feature which has been merged with pre-shared keys in TLS 1.3
- * version. A client which has a cached session ID set by a pre-TLS 1.3
- * server SHOULD set this field to that value. In compatibility mode,
- * this field MUST be non-empty, so a client not offering a pre-TLS 1.3
- * session MUST generate a new 32-byte value. This value need not be
- * random but SHOULD be unpredictable to avoid implementations fixating
- * on a specific value (also known as ossification). Otherwise, it MUST
- * be set as a zero-length vector ( i.e., a zero-valued single byte
- * length field ).
- */
- session_id_len = 32;
- }
-#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
-
- if (session_id_len != session_negotiate->id_len) {
- session_negotiate->id_len = session_id_len;
- if (session_id_len > 0) {
- ret = ssl->conf->f_rng(ssl->conf->p_rng,
- session_negotiate->id,
- session_id_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret);
- return ret;
- }
- }
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SESSION_TICKETS) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- const char *context_hostname = mbedtls_ssl_get_hostname_pointer(ssl);
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- ssl->handshake->resume) {
- int hostname_mismatch = context_hostname != NULL ||
- session_negotiate->hostname != NULL;
- if (context_hostname != NULL && session_negotiate->hostname != NULL) {
- hostname_mismatch = strcmp(
- context_hostname, session_negotiate->hostname) != 0;
- }
-
- if (hostname_mismatch) {
- MBEDTLS_SSL_DEBUG_MSG(
- 1, ("Hostname mismatch the session ticket, "
- "disable session resumption."));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- } else {
- return mbedtls_ssl_session_set_hostname(session_negotiate,
- context_hostname);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
- MBEDTLS_SSL_SESSION_TICKETS &&
- MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
- return 0;
-}
-/*
- * Write ClientHello handshake message.
- * Handler for MBEDTLS_SSL_CLIENT_HELLO
- */
-int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
-{
- int ret = 0;
- unsigned char *buf;
- size_t buf_len, msg_len, binders_len;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello"));
-
- MBEDTLS_SSL_PROC_CHK(ssl_prepare_client_hello(ssl));
-
- MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
- ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
- &buf, &buf_len));
-
- MBEDTLS_SSL_PROC_CHK(ssl_write_client_hello_body(ssl, buf,
- buf + buf_len,
- &msg_len,
- &binders_len));
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ssl->out_msglen = msg_len + 4;
- mbedtls_ssl_send_flight_completed(ssl);
-
- /*
- * The two functions below may try to send data on the network and
- * can return with the MBEDTLS_ERR_SSL_WANT_READ error code when they
- * fail to do so and the transmission has to be retried later. In that
- * case as in fatal error cases, we return immediately. But we must have
- * set the handshake state to the next state at that point to ensure
- * that we will not write and send again a ClientHello when we
- * eventually succeed in sending the pending data.
- */
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
-
- if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
- return ret;
- }
-
- if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
- return ret;
- }
- } else
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
- {
-
- ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
- MBEDTLS_SSL_HS_CLIENT_HELLO,
- msg_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_add_hs_hdr_to_checksum", ret);
- return ret;
- }
- ret = ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
- return ret;
- }
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
- if (binders_len > 0) {
- MBEDTLS_SSL_PROC_CHK(
- mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
- ssl, buf + msg_len - binders_len, buf + msg_len));
- ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
- binders_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
-
- MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl,
- buf_len,
- msg_len));
-
- /*
- * Set next state. Note that if TLS 1.3 is proposed, this may be
- * overwritten by mbedtls_ssl_tls13_finalize_client_hello().
- */
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
- MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version) {
- ret = mbedtls_ssl_tls13_finalize_client_hello(ssl);
- }
-#endif
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- MBEDTLS_SSL_PRINT_EXTS(
- 3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->sent_extensions);
-#endif
-
-cleanup:
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
- return ret;
-}
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 || MBEDTLS_SSL_PROTO_TLS1_2 */
-#endif /* MBEDTLS_SSL_CLI_C */
diff --git a/lib/mbedtls_ssl/src/ssl_client.h b/lib/mbedtls_ssl/src/ssl_client.h
deleted file mode 100644
index 05ee7e4cc..000000000
--- a/lib/mbedtls_ssl/src/ssl_client.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * TLS 1.2 and 1.3 client-side functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#ifndef MBEDTLS_SSL_CLIENT_H
-#define MBEDTLS_SSL_CLIENT_H
-
-#include "common.h"
-
-#if defined(MBEDTLS_SSL_TLS_C)
-#include "ssl_misc.h"
-#endif
-
-#include
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl);
-
-#endif /* MBEDTLS_SSL_CLIENT_H */
diff --git a/lib/mbedtls_ssl/src/ssl_debug_helpers.h b/lib/mbedtls_ssl/src/ssl_debug_helpers.h
deleted file mode 100644
index 4889e77e0..000000000
--- a/lib/mbedtls_ssl/src/ssl_debug_helpers.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/**
- * \file ssl_debug_helpers.h
- *
- * \brief Automatically generated helper functions for debugging
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#ifndef MBEDTLS_SSL_DEBUG_HELPERS_H
-#define MBEDTLS_SSL_DEBUG_HELPERS_H
-
-#include "common.h"
-
-#if defined(MBEDTLS_DEBUG_C)
-
-#include "mbedtls/ssl.h"
-#include "ssl_misc.h"
-
-
-const char *mbedtls_ssl_states_str(mbedtls_ssl_states in);
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-const char *mbedtls_ssl_early_data_status_str(mbedtls_ssl_early_data_status in);
-const char *mbedtls_ssl_early_data_state_str(mbedtls_ssl_early_data_state in);
-#endif
-
-const char *mbedtls_ssl_protocol_version_str(mbedtls_ssl_protocol_version in);
-
-const char *mbedtls_tls_prf_types_str(mbedtls_tls_prf_types in);
-
-const char *mbedtls_ssl_key_export_type_str(mbedtls_ssl_key_export_type in);
-
-const char *mbedtls_ssl_sig_alg_to_str(uint16_t in);
-
-const char *mbedtls_ssl_named_group_to_str(uint16_t in);
-
-const char *mbedtls_ssl_get_extension_name(unsigned int extension_type);
-
-void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
- int level, const char *file, int line,
- int hs_msg_type, uint32_t extensions_mask,
- const char *extra);
-
-void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
- int level, const char *file, int line,
- int hs_msg_type, unsigned int extension_type,
- const char *extra_msg0, const char *extra_msg1);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
- int level, const char *file, int line,
- unsigned int flags);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
-
-#define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \
- mbedtls_ssl_print_extensions(ssl, level, __FILE__, __LINE__, \
- hs_msg_type, extensions_mask, NULL)
-
-#define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra) \
- mbedtls_ssl_print_extension(ssl, level, __FILE__, __LINE__, \
- hs_msg_type, extension_type, \
- extra, NULL)
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags) \
- mbedtls_ssl_print_ticket_flags(ssl, level, __FILE__, __LINE__, flags)
-#endif
-
-#else
-
-#define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extension_mask)
-
-#define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra)
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags)
-#endif
-
-#endif /* MBEDTLS_DEBUG_C */
-
-#endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */
diff --git a/lib/mbedtls_ssl/src/ssl_debug_helpers_generated.c b/lib/mbedtls_ssl/src/ssl_debug_helpers_generated.c
deleted file mode 100644
index 808fce737..000000000
--- a/lib/mbedtls_ssl/src/ssl_debug_helpers_generated.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/* Automatically generated by generate_ssl_debug_helpers.py. DO NOT EDIT. */
-
-/**
- * \file ssl_debug_helpers_generated.c
- *
- * \brief Automatically generated helper functions for debugging
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- *
- */
-
-#include "ssl_misc.h"
-
-#if defined(MBEDTLS_DEBUG_C)
-
-#include "ssl_debug_helpers.h"
-
-
-const char *mbedtls_ssl_named_group_to_str( uint16_t in )
-{
- switch( in )
- {
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1:
- return "secp192k1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1:
- return "secp192r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1:
- return "secp224k1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1:
- return "secp224r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1:
- return "secp256k1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1:
- return "secp256r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1:
- return "secp384r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1:
- return "secp521r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1:
- return "bp256r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1:
- return "bp384r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1:
- return "bp512r1";
- case MBEDTLS_SSL_IANA_TLS_GROUP_X25519:
- return "x25519";
- case MBEDTLS_SSL_IANA_TLS_GROUP_X448:
- return "x448";
- case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
- return "ffdhe2048";
- case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
- return "ffdhe3072";
- case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
- return "ffdhe4096";
- case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
- return "ffdhe6144";
- case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
- return "ffdhe8192";
- };
-
- return "UNKNOWN";
-}
-const char *mbedtls_ssl_sig_alg_to_str( uint16_t in )
-{
- switch( in )
- {
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
- return "rsa_pkcs1_sha256";
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
- return "rsa_pkcs1_sha384";
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
- return "rsa_pkcs1_sha512";
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
- return "ecdsa_secp256r1_sha256";
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
- return "ecdsa_secp384r1_sha384";
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
- return "ecdsa_secp521r1_sha512";
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
- return "rsa_pss_rsae_sha256";
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
- return "rsa_pss_rsae_sha384";
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
- return "rsa_pss_rsae_sha512";
- case MBEDTLS_TLS1_3_SIG_ED25519:
- return "ed25519";
- case MBEDTLS_TLS1_3_SIG_ED448:
- return "ed448";
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256:
- return "rsa_pss_pss_sha256";
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384:
- return "rsa_pss_pss_sha384";
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512:
- return "rsa_pss_pss_sha512";
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1:
- return "rsa_pkcs1_sha1";
- case MBEDTLS_TLS1_3_SIG_ECDSA_SHA1:
- return "ecdsa_sha1";
- case MBEDTLS_TLS1_3_SIG_NONE:
- return "none";
- };
-
- return "UNKNOWN";
-}
-const char *mbedtls_ssl_states_str( mbedtls_ssl_states in )
-{
- switch (in) {
- case MBEDTLS_SSL_HELLO_REQUEST:
- return "MBEDTLS_SSL_HELLO_REQUEST";
- case MBEDTLS_SSL_CLIENT_HELLO:
- return "MBEDTLS_SSL_CLIENT_HELLO";
- case MBEDTLS_SSL_SERVER_HELLO:
- return "MBEDTLS_SSL_SERVER_HELLO";
- case MBEDTLS_SSL_SERVER_CERTIFICATE:
- return "MBEDTLS_SSL_SERVER_CERTIFICATE";
- case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
- return "MBEDTLS_SSL_SERVER_KEY_EXCHANGE";
- case MBEDTLS_SSL_CERTIFICATE_REQUEST:
- return "MBEDTLS_SSL_CERTIFICATE_REQUEST";
- case MBEDTLS_SSL_SERVER_HELLO_DONE:
- return "MBEDTLS_SSL_SERVER_HELLO_DONE";
- case MBEDTLS_SSL_CLIENT_CERTIFICATE:
- return "MBEDTLS_SSL_CLIENT_CERTIFICATE";
- case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
- return "MBEDTLS_SSL_CLIENT_KEY_EXCHANGE";
- case MBEDTLS_SSL_CERTIFICATE_VERIFY:
- return "MBEDTLS_SSL_CERTIFICATE_VERIFY";
- case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
- return "MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC";
- case MBEDTLS_SSL_CLIENT_FINISHED:
- return "MBEDTLS_SSL_CLIENT_FINISHED";
- case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
- return "MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC";
- case MBEDTLS_SSL_SERVER_FINISHED:
- return "MBEDTLS_SSL_SERVER_FINISHED";
- case MBEDTLS_SSL_FLUSH_BUFFERS:
- return "MBEDTLS_SSL_FLUSH_BUFFERS";
- case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
- return "MBEDTLS_SSL_HANDSHAKE_WRAPUP";
- case MBEDTLS_SSL_NEW_SESSION_TICKET:
- return "MBEDTLS_SSL_NEW_SESSION_TICKET";
- case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
- return "MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT";
- case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
- return "MBEDTLS_SSL_HELLO_RETRY_REQUEST";
- case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
- return "MBEDTLS_SSL_ENCRYPTED_EXTENSIONS";
- case MBEDTLS_SSL_END_OF_EARLY_DATA:
- return "MBEDTLS_SSL_END_OF_EARLY_DATA";
- case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
- return "MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY";
- case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
- return "MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED";
- case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
- return "MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO";
- case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
- return "MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO";
- case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
- return "MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO";
- case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
- return "MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST";
- case MBEDTLS_SSL_HANDSHAKE_OVER:
- return "MBEDTLS_SSL_HANDSHAKE_OVER";
- case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
- return "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET";
- case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
- return "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH";
- default:
- return "UNKNOWN_VALUE";
- }
-}
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-const char *mbedtls_ssl_early_data_status_str( mbedtls_ssl_early_data_status in )
-{
- switch (in) {
- case MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED:
- return "MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED";
- case MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED:
- return "MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED";
- case MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED:
- return "MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED";
- default:
- return "UNKNOWN_VALUE";
- }
-}
-
-#endif /* defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) */
-const char *mbedtls_ssl_protocol_version_str( mbedtls_ssl_protocol_version in )
-{
- switch (in) {
- case MBEDTLS_SSL_VERSION_UNKNOWN:
- return "MBEDTLS_SSL_VERSION_UNKNOWN";
- case MBEDTLS_SSL_VERSION_TLS1_2:
- return "MBEDTLS_SSL_VERSION_TLS1_2";
- case MBEDTLS_SSL_VERSION_TLS1_3:
- return "MBEDTLS_SSL_VERSION_TLS1_3";
- default:
- return "UNKNOWN_VALUE";
- }
-}
-
-const char *mbedtls_tls_prf_types_str( mbedtls_tls_prf_types in )
-{
- switch (in) {
- case MBEDTLS_SSL_TLS_PRF_NONE:
- return "MBEDTLS_SSL_TLS_PRF_NONE";
- case MBEDTLS_SSL_TLS_PRF_SHA384:
- return "MBEDTLS_SSL_TLS_PRF_SHA384";
- case MBEDTLS_SSL_TLS_PRF_SHA256:
- return "MBEDTLS_SSL_TLS_PRF_SHA256";
- case MBEDTLS_SSL_HKDF_EXPAND_SHA384:
- return "MBEDTLS_SSL_HKDF_EXPAND_SHA384";
- case MBEDTLS_SSL_HKDF_EXPAND_SHA256:
- return "MBEDTLS_SSL_HKDF_EXPAND_SHA256";
- default:
- return "UNKNOWN_VALUE";
- }
-}
-
-const char *mbedtls_ssl_key_export_type_str( mbedtls_ssl_key_export_type in )
-{
- switch (in) {
- case MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET:
- return "MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET";
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET:
- return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET";
- case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_EARLY_EXPORTER_SECRET:
- return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_EARLY_EXPORTER_SECRET";
- case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET";
- case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET:
- return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET";
- case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET:
- return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET";
- case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET:
- return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET";
-#endif
- default:
- return "UNKNOWN_VALUE";
- }
-}
-
-
-
-#endif /* MBEDTLS_DEBUG_C */
-/* End of automatically generated file. */
-
diff --git a/lib/mbedtls_ssl/src/ssl_misc.h b/lib/mbedtls_ssl/src/ssl_misc.h
deleted file mode 100644
index faa1b5ec0..000000000
--- a/lib/mbedtls_ssl/src/ssl_misc.h
+++ /dev/null
@@ -1,3105 +0,0 @@
-/**
- * \file ssl_misc.h
- *
- * \brief Internal functions shared by the SSL modules
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_SSL_MISC_H
-#define MBEDTLS_SSL_MISC_H
-
-#include "mbedtls/build_info.h"
-#include "common.h"
-
-#include "mbedtls/error.h"
-
-#include "mbedtls/ssl.h"
-#include "mbedtls/debug.h"
-#include "debug_internal.h"
-
-#include "mbedtls/cipher.h"
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#include "psa/crypto.h"
-#include "psa_util_internal.h"
-#endif
-
-#if defined(MBEDTLS_MD_CAN_MD5)
-#include "mbedtls/md5.h"
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
-#include "mbedtls/sha1.h"
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#include "mbedtls/sha256.h"
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA512)
-#include "mbedtls/sha512.h"
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
- !defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/ecjpake.h"
-#endif
-
-#include "mbedtls/pk.h"
-#include "ssl_ciphersuites_internal.h"
-#include "x509_internal.h"
-#include "pk_internal.h"
-
-
-/* Shorthand for restartable ECC */
-#if defined(MBEDTLS_ECP_RESTARTABLE) && \
- defined(MBEDTLS_SSL_CLI_C) && \
- defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
-#endif
-
-#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
-#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
-#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
-#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
-
-/* Faked handshake message identity for HelloRetryRequest. */
-#define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
-
-/*
- * Internal identity of handshake extensions
- */
-#define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
-#define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
-#define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
-#define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
-#define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
-#define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
-#define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
-#define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
-#define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
-#define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
-#define MBEDTLS_SSL_EXT_ID_ALPN 8
-#define MBEDTLS_SSL_EXT_ID_SCT 9
-#define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
-#define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
-#define MBEDTLS_SSL_EXT_ID_PADDING 12
-#define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
-#define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
-#define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
-#define MBEDTLS_SSL_EXT_ID_COOKIE 16
-#define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
-#define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
-#define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
-#define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
-#define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
-#define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
-#define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
-#define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
-#define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
-#define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
-#define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
-#define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28
-
-/* Utility for translating IANA extension type. */
-uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
-uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
-/* Macros used to define mask constants */
-#define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
-/* Reset value of extension mask */
-#define MBEDTLS_SSL_EXT_MASK_NONE 0
-
-/* In messages containing extension requests, we should ignore unrecognized
- * extensions. In messages containing extension responses, unrecognized
- * extensions should result in handshake abortion. Messages containing
- * extension requests include ClientHello, CertificateRequest and
- * NewSessionTicket. Messages containing extension responses include
- * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
- *
- * RFC 8446 section 4.1.3
- *
- * The ServerHello MUST only include extensions which are required to establish
- * the cryptographic context and negotiate the protocol version.
- *
- * RFC 8446 section 4.2
- *
- * If an implementation receives an extension which it recognizes and which is
- * not specified for the message in which it appears, it MUST abort the handshake
- * with an "illegal_parameter" alert.
- */
-
-/* Extensions that are not recognized by TLS 1.3 */
-#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
- (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \
- MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \
- MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \
- MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \
- MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \
- MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
-
-/* RFC 8446 section 4.2. Allowed extensions for ClientHello */
-#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
- (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
- MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
- MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
- MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
- MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
- MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
- MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
- MBEDTLS_SSL_EXT_MASK(ALPN) | \
- MBEDTLS_SSL_EXT_MASK(SCT) | \
- MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
- MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
- MBEDTLS_SSL_EXT_MASK(PADDING) | \
- MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
- MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
- MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \
- MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
- MBEDTLS_SSL_EXT_MASK(COOKIE) | \
- MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \
- MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
- MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \
- MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
- MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \
- MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
-
-/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
-#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
- (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
- MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
- MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
- MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
- MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
- MBEDTLS_SSL_EXT_MASK(ALPN) | \
- MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
- MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
- MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
- MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
-
-/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
-#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
- (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
- MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
- MBEDTLS_SSL_EXT_MASK(SCT) | \
- MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
- MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \
- MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
- MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
-
-/* RFC 8446 section 4.2. Allowed extensions for Certificate */
-#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
- (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
- MBEDTLS_SSL_EXT_MASK(SCT))
-
-/* RFC 8446 section 4.2. Allowed extensions for ServerHello */
-#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
- (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
- MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
- MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
-
-/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
-#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
- (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
- MBEDTLS_SSL_EXT_MASK(COOKIE) | \
- MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
-
-/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
-#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
- (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
- MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
-
-/*
- * Helper macros for function call with return check.
- */
-/*
- * Exit when return non-zero value
- */
-#define MBEDTLS_SSL_PROC_CHK(f) \
- do { \
- ret = (f); \
- if (ret != 0) \
- { \
- goto cleanup; \
- } \
- } while (0)
-/*
- * Exit when return negative value
- */
-#define MBEDTLS_SSL_PROC_CHK_NEG(f) \
- do { \
- ret = (f); \
- if (ret < 0) \
- { \
- goto cleanup; \
- } \
- } while (0)
-
-/*
- * DTLS retransmission states, see RFC 6347 4.2.4
- *
- * The SENDING state is merged in PREPARING for initial sends,
- * but is distinct for resends.
- *
- * Note: initial state is wrong for server, but is not used anyway.
- */
-#define MBEDTLS_SSL_RETRANS_PREPARING 0
-#define MBEDTLS_SSL_RETRANS_SENDING 1
-#define MBEDTLS_SSL_RETRANS_WAITING 2
-#define MBEDTLS_SSL_RETRANS_FINISHED 3
-
-/*
- * Allow extra bytes for record, authentication and encryption overhead:
- * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
- */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-
-/* This macro determines whether CBC is supported. */
-#if defined(MBEDTLS_SSL_HAVE_CBC) && \
- (defined(MBEDTLS_SSL_HAVE_AES) || \
- defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \
- defined(MBEDTLS_SSL_HAVE_ARIA))
-#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
-#endif
-
-/* This macro determines whether a ciphersuite using a
- * stream cipher can be used. */
-#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
-#endif
-
-/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
- defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
-#endif
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
- defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
-#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
-#endif
-
-/* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
- defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-#define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
-#endif
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-/* Ciphersuites using HMAC */
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
-#elif defined(MBEDTLS_MD_CAN_SHA256)
-#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
-#else
-#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
-#endif
-#else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
-/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
-#define MBEDTLS_SSL_MAC_ADD 16
-#endif
-
-#if defined(MBEDTLS_SSL_HAVE_CBC)
-#define MBEDTLS_SSL_PADDING_ADD 256
-#else
-#define MBEDTLS_SSL_PADDING_ADD 0
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
-#else
-#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
-#endif
-
-#define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \
- MBEDTLS_SSL_MAC_ADD + \
- MBEDTLS_SSL_PADDING_ADD + \
- MBEDTLS_SSL_MAX_CID_EXPANSION \
- )
-
-#define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
- (MBEDTLS_SSL_IN_CONTENT_LEN))
-
-#define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
- (MBEDTLS_SSL_OUT_CONTENT_LEN))
-
-/* The maximum number of buffered handshake messages. */
-#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
-
-/* Maximum length we can advertise as our max content length for
- RFC 6066 max_fragment_length extension negotiation purposes
- (the lesser of both sizes, if they are unequal.)
- */
-#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
- (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
- ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
- : (MBEDTLS_SSL_IN_CONTENT_LEN) \
- )
-
-/* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
-#define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
-
-/* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
-#define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
-
-/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
-#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
-
-#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-
-#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
-#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
-#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-/*
- * Check that we obey the standard's message size bounds
- */
-
-#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
-#error "Bad configuration - incoming record content too large."
-#endif
-
-#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
-#error "Bad configuration - outgoing record content too large."
-#endif
-
-#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
-#error "Bad configuration - incoming protected record payload too large."
-#endif
-
-#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
-#error "Bad configuration - outgoing protected record payload too large."
-#endif
-
-/* Calculate buffer sizes */
-
-/* Note: Even though the TLS record header is only 5 bytes
- long, we're internally using 8 bytes to store the
- implicit sequence number. */
-#define MBEDTLS_SSL_HEADER_LEN 13
-
-#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#define MBEDTLS_SSL_IN_BUFFER_LEN \
- ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
-#else
-#define MBEDTLS_SSL_IN_BUFFER_LEN \
- ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
- + (MBEDTLS_SSL_CID_IN_LEN_MAX))
-#endif
-
-#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#define MBEDTLS_SSL_OUT_BUFFER_LEN \
- ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
-#else
-#define MBEDTLS_SSL_OUT_BUFFER_LEN \
- ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
- + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
-#endif
-
-#define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
-#define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-/**
- * \brief Return the maximum fragment length (payload, in bytes) for
- * the output buffer. For the client, this is the configured
- * value. For the server, it is the minimum of two - the
- * configured value and the negotiated one.
- *
- * \sa mbedtls_ssl_conf_max_frag_len()
- * \sa mbedtls_ssl_get_max_out_record_payload()
- *
- * \param ssl SSL context
- *
- * \return Current maximum fragment length for the output buffer.
- */
-size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
-
-/**
- * \brief Return the maximum fragment length (payload, in bytes) for
- * the input buffer. This is the negotiated maximum fragment
- * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
- * If it is not defined either, the value is 2^14. This function
- * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
- *
- * \sa mbedtls_ssl_conf_max_frag_len()
- * \sa mbedtls_ssl_get_max_in_record_payload()
- *
- * \param ssl SSL context
- *
- * \return Current maximum fragment length for the output buffer.
- */
-size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
-/**
- * \brief Get the size limit in bytes for the protected outgoing records
- * as defined in RFC 8449
- *
- * \param ssl SSL context
- *
- * \return The size limit in bytes for the protected outgoing
- * records as defined in RFC 8449.
- */
-size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
-static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
-{
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- return mbedtls_ssl_get_output_max_frag_len(ctx)
- + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
- + MBEDTLS_SSL_CID_OUT_LEN_MAX;
-#else
- return mbedtls_ssl_get_output_max_frag_len(ctx)
- + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
-#endif
-}
-
-static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
-{
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- return mbedtls_ssl_get_input_max_frag_len(ctx)
- + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
- + MBEDTLS_SSL_CID_IN_LEN_MAX;
-#else
- return mbedtls_ssl_get_input_max_frag_len(ctx)
- + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
-#endif
-}
-#endif
-
-/*
- * TLS extension flags (for extensions with outgoing ServerHello content
- * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
- * of state of the renegotiation flag, so no indicator is required)
- */
-#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
-#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
-
-/**
- * \brief This function checks if the remaining size in a buffer is
- * greater or equal than a needed space.
- *
- * \param cur Pointer to the current position in the buffer.
- * \param end Pointer to one past the end of the buffer.
- * \param need Needed space in bytes.
- *
- * \return Zero if the needed space is available in the buffer, non-zero
- * otherwise.
- */
-#if !defined(MBEDTLS_TEST_HOOKS)
-static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
- const uint8_t *end, size_t need)
-{
- return (cur > end) || (need > (size_t) (end - cur));
-}
-#else
-typedef struct {
- const uint8_t *cur;
- const uint8_t *end;
- size_t need;
-} mbedtls_ssl_chk_buf_ptr_args;
-
-void mbedtls_ssl_set_chk_buf_ptr_fail_args(
- const uint8_t *cur, const uint8_t *end, size_t need);
-void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
-
-static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
- const uint8_t *end, size_t need)
-{
- if ((cur > end) || (need > (size_t) (end - cur))) {
- mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
- return 1;
- }
- return 0;
-}
-#endif /* MBEDTLS_TEST_HOOKS */
-
-/**
- * \brief This macro checks if the remaining size in a buffer is
- * greater or equal than a needed space. If it is not the case,
- * it returns an SSL_BUFFER_TOO_SMALL error.
- *
- * \param cur Pointer to the current position in the buffer.
- * \param end Pointer to one past the end of the buffer.
- * \param need Needed space in bytes.
- *
- */
-#define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
- do { \
- if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
- { \
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
- } \
- } while (0)
-
-/**
- * \brief This macro checks if the remaining length in an input buffer is
- * greater or equal than a needed length. If it is not the case, it
- * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
- * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
- *
- * This is a function-like macro. It is guaranteed to evaluate each
- * argument exactly once.
- *
- * \param cur Pointer to the current position in the buffer.
- * \param end Pointer to one past the end of the buffer.
- * \param need Needed length in bytes.
- *
- */
-#define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \
- do { \
- if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
- { \
- MBEDTLS_SSL_DEBUG_MSG(1, \
- ("missing input data in %s", __func__)); \
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
- MBEDTLS_ERR_SSL_DECODE_ERROR); \
- return MBEDTLS_ERR_SSL_DECODE_ERROR; \
- } \
- } while (0)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
- const char *label,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen);
-
-/* cipher.h exports the maximum IV, key and block length from
- * all ciphers enabled in the config, regardless of whether those
- * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
- * in the default configuration and uses 64 Byte keys, but it is
- * not used for record protection in SSL/TLS.
- *
- * In order to prevent unnecessary inflation of key structures,
- * we introduce SSL-specific variants of the max-{key,block,IV}
- * macros here which are meant to only take those ciphers into
- * account which can be negotiated in SSL/TLS.
- *
- * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
- * in cipher.h are rough overapproximations of the real maxima, here
- * we content ourselves with replicating those overapproximations
- * for the maximum block and IV length, and excluding XTS from the
- * computation of the maximum key length. */
-#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
-#define MBEDTLS_SSL_MAX_IV_LENGTH 16
-#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
-
-/**
- * \brief The data structure holding the cryptographic material (key and IV)
- * used for record protection in TLS 1.3.
- */
-struct mbedtls_ssl_key_set {
- /*! The key for client->server records. */
- unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
- /*! The key for server->client records. */
- unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
- /*! The IV for client->server records. */
- unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
- /*! The IV for server->client records. */
- unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
-
- size_t key_len; /*!< The length of client_write_key and
- * server_write_key, in Bytes. */
- size_t iv_len; /*!< The length of client_write_iv and
- * server_write_iv, in Bytes. */
-};
-typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
-
-typedef struct {
- unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
-} mbedtls_ssl_tls13_early_secrets;
-
-typedef struct {
- unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
-} mbedtls_ssl_tls13_handshake_secrets;
-
-/*
- * This structure contains the parameters only needed during handshake.
- */
-struct mbedtls_ssl_handshake_params {
- /* Frequently-used boolean or byte fields (placed early to take
- * advantage of smaller code size for indirect access on Arm Thumb) */
- uint8_t resume; /*!< session resume indicator*/
- uint8_t cli_exts; /*!< client extension presence*/
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- uint8_t sni_authmode; /*!< authmode from SNI callback */
-#endif
-
-#if defined(MBEDTLS_SSL_SRV_C)
- /* Flag indicating if a CertificateRequest message has been sent
- * to the client or not. */
- uint8_t certificate_request_sent;
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- /* Flag indicating if the server has accepted early data or not. */
- uint8_t early_data_accepted;
-#endif
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- uint8_t new_session_ticket; /*!< use NewSessionTicket? */
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- /** Minimum TLS version to be negotiated.
- *
- * It is set up in the ClientHello writing preparation stage and used
- * throughout the ClientHello writing. Not relevant anymore as soon as
- * the protocol version has been negotiated thus as soon as the
- * ServerHello is received.
- * For a fresh handshake not linked to any previous handshake, it is
- * equal to the configured minimum minor version to be negotiated. When
- * renegotiating or resuming a session, it is equal to the previously
- * negotiated minor version.
- *
- * There is no maximum TLS version field in this handshake context.
- * From the start of the handshake, we need to define a current protocol
- * version for the record layer which we define as the maximum TLS
- * version to be negotiated. The `tls_version` field of the SSL context is
- * used to store this maximum value until it contains the actual
- * negotiated value.
- */
- mbedtls_ssl_protocol_version min_tls_version;
-#endif
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- uint8_t extended_ms; /*!< use Extended Master Secret? */
-#endif
-
-#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
- uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
-#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- unsigned char retransmit_state; /*!< Retransmission state */
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- unsigned char group_list_heap_allocated;
- unsigned char sig_algs_heap_allocated;
-#endif
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
- enum { /* this complements ssl->state with info on intra-state operations */
- ssl_ecrs_none = 0, /*!< nothing going on (yet) */
- ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
- ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
- ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
- ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
- } ecrs_state; /*!< current (or last) operation */
- mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
- size_t ecrs_n; /*!< place for saving a length */
-#endif
-
- mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
-
- MBEDTLS_CHECK_RETURN_CRITICAL
- int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
- MBEDTLS_CHECK_RETURN_CRITICAL
- int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
- MBEDTLS_CHECK_RETURN_CRITICAL
- int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
- mbedtls_ssl_tls_prf_cb *tls_prf;
-
- /*
- * Handshake specific crypto variables
- */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- uint8_t key_exchange_mode; /*!< Selected key exchange mode */
-
- /**
- * Flag indicating if, in the course of the current handshake, an
- * HelloRetryRequest message has been sent by the server or received by
- * the client (<> 0) or not (0).
- */
- uint8_t hello_retry_request_flag;
-
-#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
- /**
- * Flag indicating if, in the course of the current handshake, a dummy
- * change_cipher_spec (CCS) record has already been sent. Used to send only
- * one CCS per handshake while not complicating the handshake state
- * transitions for that purpose.
- */
- uint8_t ccs_sent;
-#endif
-
-#if defined(MBEDTLS_SSL_SRV_C)
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
- uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
-#endif
- /** selected_group of key_share extension in HelloRetryRequest message. */
- uint16_t hrr_selected_group;
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- uint16_t new_session_tickets_count; /*!< number of session tickets */
-#endif
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
- uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- const uint16_t *group_list;
- const uint16_t *sig_algs;
-#endif
-
-#if defined(MBEDTLS_DHM_C)
- mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
-#endif
-
-#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
- mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
-#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
- MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
- psa_key_type_t xxdh_psa_type;
- size_t xxdh_psa_bits;
- mbedtls_svc_key_id_t xxdh_psa_privkey;
- uint8_t xxdh_psa_privkey_is_external;
- unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
- size_t xxdh_psa_peerkey_len;
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
- mbedtls_svc_key_id_t psa_pake_password;
- uint8_t psa_pake_ctx_is_ok;
-#else
- mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_SSL_CLI_C)
- unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
- size_t ecjpake_cache_len; /*!< Length of cached data */
-#endif
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
-#endif
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
- uint8_t psk_opaque_is_internal;
-#else
- unsigned char *psk; /*!< PSK from the callback */
- size_t psk_len; /*!< Length of PSK from callback */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- uint16_t selected_identity;
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
- mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
- mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
- mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
-#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
- struct {
- size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
- * buffers used for message buffering. */
-
- uint8_t seen_ccs; /*!< Indicates if a CCS message has
- * been seen in the current flight. */
-
- struct mbedtls_ssl_hs_buffer {
- unsigned is_valid : 1;
- unsigned is_fragmented : 1;
- unsigned is_complete : 1;
- unsigned char *data;
- size_t data_len;
- } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
-
- struct {
- unsigned char *data;
- size_t len;
- unsigned epoch;
- } future_record;
-
- } buffering;
-
-#if defined(MBEDTLS_SSL_CLI_C) && \
- (defined(MBEDTLS_SSL_PROTO_DTLS) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_3))
- unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
- * HelloRetryRequest cookie for TLS 1.3 */
-#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /* RFC 6347 page 15
- ...
- opaque cookie<0..2^8-1>;
- ...
- */
- uint8_t cookie_len;
-#else
- /* RFC 8446 page 39
- ...
- opaque cookie<0..2^16-1>;
- ...
- If TLS1_3 is enabled, the max length is 2^16 - 1
- */
- uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
- * TLS1_3: HelloRetryRequest cookie length */
-#endif
-#endif /* MBEDTLS_SSL_CLI_C &&
- ( MBEDTLS_SSL_PROTO_DTLS ||
- MBEDTLS_SSL_PROTO_TLS1_3 ) */
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
- unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
- unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
-
- uint32_t retransmit_timeout; /*!< Current value of timeout */
- mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
- mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
- unsigned char *cur_msg_p; /*!< Position in current message */
- unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
- flight being received */
- mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
- resending messages */
- unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
- for resending messages */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- /* The state of CID configuration in this handshake. */
-
- uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
- * has been negotiated. Possible values are
- * #MBEDTLS_SSL_CID_ENABLED and
- * #MBEDTLS_SSL_CID_DISABLED. */
- unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
- uint8_t peer_cid_len; /*!< The length of
- * \c peer_cid. */
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- /*
- * Checksum contexts
- */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_operation_t fin_sha256_psa;
-#else
- mbedtls_md_context_t fin_sha256;
-#endif
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_operation_t fin_sha384_psa;
-#else
- mbedtls_md_context_t fin_sha384;
-#endif
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- uint16_t offered_group_id; /* The NamedGroup value for the group
- * that is being used for ephemeral
- * key exchange.
- *
- * On the client: Defaults to the first
- * entry in the client's group list,
- * but can be overwritten by the HRR. */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- uint8_t client_auth; /*!< used to check if CertificateRequest has been
- received from server side. If CertificateRequest
- has been received, Certificate and CertificateVerify
- should be sent to server */
-#endif /* MBEDTLS_SSL_CLI_C */
- /*
- * State-local variables used during the processing
- * of a specific handshake state.
- */
- union {
- /* Outgoing Finished message */
- struct {
- uint8_t preparation_done;
-
- /* Buffer holding digest of the handshake up to
- * but excluding the outgoing finished message. */
- unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- size_t digest_len;
- } finished_out;
-
- /* Incoming Finished message */
- struct {
- uint8_t preparation_done;
-
- /* Buffer holding digest of the handshake up to but
- * excluding the peer's incoming finished message. */
- unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- size_t digest_len;
- } finished_in;
-
- } state_local;
-
- /* End of state-local variables. */
-
- unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
- MBEDTLS_SERVER_HELLO_RANDOM_LEN];
- /*!< random bytes */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
- /*!< premaster secret */
- size_t pmslen; /*!< premaster length */
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- uint32_t sent_extensions; /*!< extensions sent by endpoint */
- uint32_t received_extensions; /*!< extensions received by endpoint */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
- unsigned char certificate_request_context_len;
- unsigned char *certificate_request_context;
-#endif
-
- /** TLS 1.3 transform for encrypted handshake messages. */
- mbedtls_ssl_transform *transform_handshake;
- union {
- unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
- } tls13_master_secrets;
-
- mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- /** TLS 1.3 transform for early data and handshake messages. */
- mbedtls_ssl_transform *transform_earlydata;
-#endif
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
- /** Asynchronous operation context. This field is meant for use by the
- * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
- * mbedtls_ssl_config::f_async_decrypt_start,
- * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
- * The library does not use it internally. */
- void *user_async_ctx;
-#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- const unsigned char *sni_name; /*!< raw SNI */
- size_t sni_name_len; /*!< raw SNI len */
-#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
- const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
-#endif
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-};
-
-typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
-
-/*
- * Representation of decryption/encryption transformations on records
- *
- * There are the following general types of record transformations:
- * - Stream transformations (TLS versions == 1.2 only)
- * Transformation adding a MAC and applying a stream-cipher
- * to the authenticated message.
- * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
- * For TLS 1.2, no IV is generated at key extraction time, but every
- * encrypted record is explicitly prefixed by the IV with which it was
- * encrypted.
- * - AEAD transformations ([D]TLS versions == 1.2 only)
- * These come in two fundamentally different versions, the first one
- * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
- * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
- * In the first transformation, the IV to be used for a record is obtained
- * as the concatenation of an explicit, static 4-byte IV and the 8-byte
- * record sequence number, and explicitly prepending this sequence number
- * to the encrypted record. In contrast, in the second transformation
- * the IV is obtained by XOR'ing a static IV obtained at key extraction
- * time with the 8-byte record sequence number, without prepending the
- * latter to the encrypted record.
- *
- * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
- * which allows to add flexible length padding and to hide a record's true
- * content type.
- *
- * In addition to type and version, the following parameters are relevant:
- * - The symmetric cipher algorithm to be used.
- * - The (static) encryption/decryption keys for the cipher.
- * - For stream/CBC, the type of message digest to be used.
- * - For stream/CBC, (static) encryption/decryption keys for the digest.
- * - For AEAD transformations, the size (potentially 0) of an explicit,
- * random initialization vector placed in encrypted records.
- * - For some transformations (currently AEAD) an implicit IV. It is static
- * and (if present) is combined with the explicit IV in a transformation-
- * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
- * - For stream/CBC, a flag determining the order of encryption and MAC.
- * - The details of the transformation depend on the SSL/TLS version.
- * - The length of the authentication tag.
- *
- * The struct below refines this abstract view as follows:
- * - The cipher underlying the transformation is managed in
- * cipher contexts cipher_ctx_{enc/dec}, which must have the
- * same cipher type. The mode of these cipher contexts determines
- * the type of the transformation in the sense above: e.g., if
- * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
- * then the transformation has type CBC resp. AEAD.
- * - The cipher keys are never stored explicitly but
- * are maintained within cipher_ctx_{enc/dec}.
- * - For stream/CBC transformations, the message digest contexts
- * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
- * are unused for AEAD transformations.
- * - For stream/CBC transformations, the MAC keys are not stored explicitly
- * but maintained within md_ctx_{enc/dec}.
- * - The mac_enc and mac_dec fields are unused for EAD transformations.
- * - For transformations using an implicit IV maintained within
- * the transformation context, its contents are stored within
- * iv_{enc/dec}.
- * - The value of ivlen indicates the length of the IV.
- * This is redundant in case of stream/CBC transformations
- * which always use 0 resp. the cipher's block length as the
- * IV length, but is needed for AEAD ciphers and may be
- * different from the underlying cipher's block length
- * in this case.
- * - The field fixed_ivlen is nonzero for AEAD transformations only
- * and indicates the length of the static part of the IV which is
- * constant throughout the communication, and which is stored in
- * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
- * - tls_version denotes the 2-byte TLS version
- * - For stream/CBC transformations, maclen denotes the length of the
- * authentication tag, while taglen is unused and 0.
- * - For AEAD transformations, taglen denotes the length of the
- * authentication tag, while maclen is unused and 0.
- * - For CBC transformations, encrypt_then_mac determines the
- * order of encryption and authentication. This field is unused
- * in other transformations.
- *
- */
-struct mbedtls_ssl_transform {
- /*
- * Session specific crypto layer
- */
- size_t minlen; /*!< min. ciphertext length */
- size_t ivlen; /*!< IV length */
- size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
- size_t maclen; /*!< MAC(CBC) len */
- size_t taglen; /*!< TAG(AEAD) len */
-
- unsigned char iv_enc[16]; /*!< IV (encryption) */
- unsigned char iv_dec[16]; /*!< IV (decryption) */
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
- mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
- psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
-#else
- mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
- mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- int encrypt_then_mac; /*!< flag for EtM activation */
-#endif
-
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
-
- mbedtls_ssl_protocol_version tls_version;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
- mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
- psa_algorithm_t psa_alg; /*!< psa algorithm */
-#else
- mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
- mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- uint8_t in_cid_len;
- uint8_t out_cid_len;
- unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
- unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
- /* We need the Hello random bytes in order to re-derive keys from the
- * Master Secret and other session info and for the keying material
- * exporter in TLS 1.2.
- * See ssl_tls12_populate_transform() */
- unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
- MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
- /*!< ServerHello.random+ClientHello.random */
-#endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */
-};
-
-/*
- * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
- * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
- */
-static inline int mbedtls_ssl_transform_uses_aead(
- const mbedtls_ssl_transform *transform)
-{
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- return transform->maclen == 0 && transform->taglen != 0;
-#else
- (void) transform;
- return 1;
-#endif
-}
-
-/*
- * Internal representation of record frames
- *
- * Instances come in two flavors:
- * (1) Encrypted
- * These always have data_offset = 0
- * (2) Unencrypted
- * These have data_offset set to the amount of
- * pre-expansion during record protection. Concretely,
- * this is the length of the fixed part of the explicit IV
- * used for encryption, or 0 if no explicit IV is used
- * (e.g. for stream ciphers).
- *
- * The reason for the data_offset in the unencrypted case
- * is to allow for in-place conversion of an unencrypted to
- * an encrypted record. If the offset wasn't included, the
- * encrypted content would need to be shifted afterwards to
- * make space for the fixed IV.
- *
- */
-#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
-#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
-#else
-#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
-#endif
-
-typedef struct {
- uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
- * In DTLS: The 2-byte epoch followed by
- * the 6-byte sequence number.
- * This is stored as a raw big endian byte array
- * as opposed to a uint64_t because we rarely
- * need to perform arithmetic on this, but do
- * need it as a Byte array for the purpose of
- * MAC computations. */
- uint8_t type; /* The record content type. */
- uint8_t ver[2]; /* SSL/TLS version as present on the wire.
- * Convert to internal presentation of versions
- * using mbedtls_ssl_read_version() and
- * mbedtls_ssl_write_version().
- * Keep wire-format for MAC computations. */
-
- unsigned char *buf; /* Memory buffer enclosing the record content */
- size_t buf_len; /* Buffer length */
- size_t data_offset; /* Offset of record content */
- size_t data_len; /* Length of record content */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- uint8_t cid_len; /* Length of the CID (0 if not present) */
- unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-} mbedtls_record;
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-/*
- * List of certificate + private key pairs
- */
-struct mbedtls_ssl_key_cert {
- mbedtls_x509_crt *cert; /*!< cert */
- mbedtls_pk_context *key; /*!< private key */
- mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
-};
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-/*
- * List of handshake messages kept around for resending
- */
-struct mbedtls_ssl_flight_item {
- unsigned char *p; /*!< message, including handshake headers */
- size_t len; /*!< length of p */
- unsigned char type; /*!< type of the message: handshake or CCS */
- mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
-};
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-/**
- * \brief Given an SSL context and its associated configuration, write the TLS
- * 1.2 specific extensions of the ClientHello message.
- *
- * \param[in] ssl SSL context
- * \param[in] buf Base address of the buffer where to write the extensions
- * \param[in] end End address of the buffer where to write the extensions
- * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
- * (<> 0) or not ( 0 ).
- * \param[out] out_len Length of the data written into the buffer \p buf
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- int uses_ec,
- size_t *out_len);
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
-/**
- * \brief Find the preferred hash for a given signature algorithm.
- *
- * \param[in] ssl SSL context
- * \param[in] sig_alg A signature algorithm identifier as defined in the
- * TLS 1.2 SignatureAlgorithm enumeration.
- *
- * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
- * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
- */
-unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
- mbedtls_ssl_context *ssl,
- unsigned int sig_alg);
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
- MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
-/**
- * \brief Free referenced items in an SSL transform context and clear
- * memory
- *
- * \param transform SSL transform context
- */
-void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
-
-/**
- * \brief Free referenced items in an SSL handshake context and clear
- * memory
- *
- * \param ssl SSL context
- */
-void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
-
-/* set inbound transform of ssl context */
-void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform);
-
-/* set outbound transform of ssl context */
-void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_DEBUG_C)
-/* Declared in "ssl_debug_helpers.h". We can't include this file from
- * "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
- * type definitions. TODO: split the type definitions and the helper
- * functions into different headers.
- */
-const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
-#endif
-
-static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
- mbedtls_ssl_states state)
-{
- MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
- ssl->state, mbedtls_ssl_states_str(ssl->state),
- (int) state, mbedtls_ssl_states_str(state)));
- ssl->state = (int) state;
-}
-
-static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
-
-/**
- * \brief Update record layer
- *
- * This function roughly separates the implementation
- * of the logic of (D)TLS from the implementation
- * of the secure transport.
- *
- * \param ssl The SSL context to use.
- * \param update_hs_digest This indicates if the handshake digest
- * should be automatically updated in case
- * a handshake message is found.
- *
- * \return 0 or non-zero error code.
- *
- * \note A clarification on what is called 'record layer' here
- * is in order, as many sensible definitions are possible:
- *
- * The record layer takes as input an untrusted underlying
- * transport (stream or datagram) and transforms it into
- * a serially multiplexed, secure transport, which
- * conceptually provides the following:
- *
- * (1) Three datagram based, content-agnostic transports
- * for handshake, alert and CCS messages.
- * (2) One stream- or datagram-based transport
- * for application data.
- * (3) Functionality for changing the underlying transform
- * securing the contents.
- *
- * The interface to this functionality is given as follows:
- *
- * a Updating
- * [Currently implemented by mbedtls_ssl_read_record]
- *
- * Check if and on which of the four 'ports' data is pending:
- * Nothing, a controlling datagram of type (1), or application
- * data (2). In any case data is present, internal buffers
- * provide access to the data for the user to process it.
- * Consumption of type (1) datagrams is done automatically
- * on the next update, invalidating that the internal buffers
- * for previous datagrams, while consumption of application
- * data (2) is user-controlled.
- *
- * b Reading of application data
- * [Currently manual adaption of ssl->in_offt pointer]
- *
- * As mentioned in the last paragraph, consumption of data
- * is different from the automatic consumption of control
- * datagrams (1) because application data is treated as a stream.
- *
- * c Tracking availability of application data
- * [Currently manually through decreasing ssl->in_msglen]
- *
- * For efficiency and to retain datagram semantics for
- * application data in case of DTLS, the record layer
- * provides functionality for checking how much application
- * data is still available in the internal buffer.
- *
- * d Changing the transformation securing the communication.
- *
- * Given an opaque implementation of the record layer in the
- * above sense, it should be possible to implement the logic
- * of (D)TLS on top of it without the need to know anything
- * about the record layer's internals. This is done e.g.
- * in all the handshake handling functions, and in the
- * application data reading function mbedtls_ssl_read.
- *
- * \note The above tries to give a conceptual picture of the
- * record layer, but the current implementation deviates
- * from it in some places. For example, our implementation of
- * the update functionality through mbedtls_ssl_read_record
- * discards datagrams depending on the current state, which
- * wouldn't fall under the record layer's responsibility
- * following the above definition.
- *
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
- unsigned update_hs_digest);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
-
-/*
- * Write handshake message header
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
- unsigned char **buf, size_t *buf_len);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
- int update_checksum,
- int force_flush);
-static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
-}
-
-/*
- * Write handshake message tail
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
- size_t buf_len, size_t msg_len);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
-
-void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
-
-/*
- * Update checksum of handshake messages.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- unsigned char const *msg,
- size_t msg_len);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- size_t total_hs_len);
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
- mbedtls_key_exchange_type_t key_ex);
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
-#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/**
- * Get the first defined opaque PSK by order of precedence:
- * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
- * callback
- * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
- * Return an opaque PSK
- */
-static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
- const mbedtls_ssl_context *ssl)
-{
- if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
- return ssl->handshake->psk_opaque;
- }
-
- if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
- return ssl->conf->psk_opaque;
- }
-
- return MBEDTLS_SVC_KEY_ID_INIT;
-}
-#else
-/**
- * Get the first defined PSK by order of precedence:
- * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
- * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
- * Return a code and update the pair (PSK, PSK length) passed to this function
- */
-static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
- const unsigned char **psk, size_t *psk_len)
-{
- if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
- *psk = ssl->handshake->psk;
- *psk_len = ssl->handshake->psk_len;
- } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
- *psk = ssl->conf->psk;
- *psk_len = ssl->conf->psk_len;
- } else {
- *psk = NULL;
- *psk_len = 0;
- return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-
-#if defined(MBEDTLS_PK_C)
-unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
-unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
-mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
-#endif
-
-mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
-unsigned char mbedtls_ssl_hash_from_md_alg(int md);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
-#endif
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-/**
- * \brief Return PSA EC info for the specified TLS ID.
- *
- * \param tls_id The TLS ID to look for
- * \param type If the TLD ID is supported, then proper \c psa_key_type_t
- * value is returned here. Can be NULL.
- * \param bits If the TLD ID is supported, then proper bit size is returned
- * here. Can be NULL.
- * \return PSA_SUCCESS if the TLS ID is supported,
- * PSA_ERROR_NOT_SUPPORTED otherwise
- *
- * \note If either \c family or \c bits parameters are NULL, then
- * the corresponding value is not returned.
- * The function can be called with both parameters as NULL
- * simply to check if a specific TLS ID is supported.
- */
-int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
- psa_key_type_t *type,
- size_t *bits);
-
-/**
- * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
- *
- * \param tls_id The TLS ID to look for
- * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
- * or MBEDTLS_ECP_DP_NONE otherwise
- */
-mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
-
-/**
- * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
- *
- * \param grp_id The \c mbedtls_ecp_group_id ID to look for
- * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
- * or 0 otherwise
- */
-uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
-
-#if defined(MBEDTLS_DEBUG_C)
-/**
- * \brief Return EC's name for the specified TLS ID.
- *
- * \param tls_id The TLS ID to look for
- * \return A pointer to a const string with the proper name. If TLS
- * ID is not supported, a NULL pointer is returned instead.
- */
-const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
- (const uint16_t srtp_profile_value)
-{
- switch (srtp_profile_value) {
- case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
- case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
- case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
- case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
- return srtp_profile_value;
- default: break;
- }
- return MBEDTLS_TLS_SRTP_UNSET;
-}
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_key_cert *key_cert;
-
- if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
- key_cert = ssl->handshake->key_cert;
- } else {
- key_cert = ssl->conf->key_cert;
- }
-
- return key_cert == NULL ? NULL : key_cert->key;
-}
-
-static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_key_cert *key_cert;
-
- if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
- key_cert = ssl->handshake->key_cert;
- } else {
- key_cert = ssl->conf->key_cert;
- }
-
- return key_cert == NULL ? NULL : key_cert->cert;
-}
-
-/*
- * Verify a certificate.
- *
- * [in/out] ssl: misc. things read
- * ssl->session_negotiate->verify_result updated
- * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED}
- * [in] chain: the certificate chain to verify (ie the peer's chain)
- * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite;
- * for TLS 1.3, may be left NULL.
- * [in] rs_ctx: restart context if restartable ECC is in use;
- * leave NULL for no restartable behaviour.
- *
- * Return:
- * - 0 if the handshake should continue. Depending on the
- * authmode it means:
- * - REQUIRED: the certificate was found to be valid, trusted & acceptable.
- * ssl->session_negotiate->verify_result is 0.
- * - OPTIONAL: the certificate may or may not be acceptable, but
- * ssl->session_negotiate->verify_result was updated with the result.
- * - NONE: the certificate wasn't even checked.
- * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if
- * the certificate was found to be invalid/untrusted/unacceptable and the
- * handshake should be aborted (can only happen with REQUIRED).
- * - another error code if another error happened (out-of-memory, etc.)
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
- int authmode,
- mbedtls_x509_crt *chain,
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
- void *rs_ctx);
-
-/*
- * Check usage of a certificate wrt usage extensions:
- * keyUsage and extendedKeyUsage.
- * (Note: nSCertType is deprecated and not standard, we don't check it.)
- *
- * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL.
- *
- * Note: recv_endpoint is the receiver's endpoint.
- *
- * Return 0 if everything is OK, -1 if not.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
- const mbedtls_ssl_ciphersuite_t *ciphersuite,
- int recv_endpoint,
- mbedtls_ssl_protocol_version tls_version,
- uint32_t *flags);
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-void mbedtls_ssl_write_version(unsigned char version[2], int transport,
- mbedtls_ssl_protocol_version tls_version);
-uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
- int transport);
-
-static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
-{
-#if !defined(MBEDTLS_SSL_PROTO_DTLS)
- ((void) ssl);
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return 13;
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- {
- return 5;
- }
-}
-
-static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
-{
- return (size_t) (ssl->out_iv - ssl->out_hdr);
-}
-
-static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return 12;
- }
-#else
- ((void) ssl);
-#endif
- return 4;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
-#endif
-
-/* Visible for testing purposes only */
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
-void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
-#endif
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
- const mbedtls_ssl_session *src);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
- unsigned char *hash, size_t *hashlen,
- unsigned char *data, size_t data_len,
- mbedtls_md_type_t md_alg);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#ifdef __cplusplus
-}
-#endif
-
-void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform,
- mbedtls_record *rec,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
- mbedtls_ssl_transform *transform,
- mbedtls_record *rec);
-
-/* Length of the "epoch" field in the record header */
-static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return 2;
- }
-#else
- ((void) ssl);
-#endif
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
-
-void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
-void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
- int partial);
-
-/*
- * Send pending alert
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
-
-/*
- * Set pending fatal alert flag.
- */
-void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
- unsigned char alert_type,
- int alert_reason);
-
-/* Alias of mbedtls_ssl_pend_fatal_alert */
-#define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \
- mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
-#endif
-
-void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
-void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-/**
- * ssl utils functions for checking configuration.
- */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
-{
- return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
-}
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
-{
- return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
- conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2;
-}
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
-{
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
- conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3;
-#else
- ((void) conf);
- return 0;
-#endif
-}
-
-static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
-{
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
- conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2;
-#else
- ((void) conf);
- return 0;
-#endif
-}
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
-static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
-{
- return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
- conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-
-/** \brief Initialize the PSA crypto subsystem if necessary.
- *
- * Call this function before doing any cryptography in a TLS 1.3 handshake.
- *
- * This is necessary in Mbed TLS 3.x for backward compatibility.
- * Up to Mbed TLS 3.5, in the default configuration, you could perform
- * a TLS connection with default parameters without having called
- * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and
- * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if
- * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default
- * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled
- * by default, and the TLS 1.3 layer uses PSA crypto. This means that
- * applications that are not otherwise using PSA crypto and that worked
- * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to
- * a peer that supports TLS 1.3. See
- * https://github.com/Mbed-TLS/mbedtls/issues/9072
- */
-int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl);
-
-extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
- MBEDTLS_SERVER_HELLO_RANDOM_LEN];
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
-
-/**
- * \brief Given an SSL context and its associated configuration, write the TLS
- * 1.3 specific extensions of the ClientHello message.
- *
- * \param[in] ssl SSL context
- * \param[in] buf Base address of the buffer where to write the extensions
- * \param[in] end End address of the buffer where to write the extensions
- * \param[out] out_len Length of the data written into the buffer \p buf
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- unsigned char *end,
- size_t *out_len);
-
-/**
- * \brief TLS 1.3 client side state machine entry
- *
- * \param ssl SSL context
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
-
-/**
- * \brief TLS 1.3 server side state machine entry
- *
- * \param ssl SSL context
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
-
-
-/*
- * Helper functions around key exchange modes.
- */
-static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
- int kex_mode_mask)
-{
- return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
-}
-
-static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
-}
-
-static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
-}
-
-static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
-}
-
-static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
-}
-
-static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
-}
-
-#if defined(MBEDTLS_SSL_SRV_C) && \
- defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
-/**
- * Given a list of key exchange modes, check if at least one of them is
- * supported by peer.
- *
- * \param[in] ssl SSL context
- * \param kex_modes_mask Mask of the key exchange modes to check
- *
- * \return Non-zero if at least one of the key exchange modes is supported by
- * the peer, otherwise \c 0.
- */
-static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
- int kex_modes_mask)
-{
- return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
-}
-
-static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
-}
-
-static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
- mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
-}
-
-static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
-}
-
-static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
-}
-
-static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
-}
-#endif /* MBEDTLS_SSL_SRV_C &&
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
-
-/*
- * Helper functions for extensions checking.
- */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_check_received_extension(
- mbedtls_ssl_context *ssl,
- int hs_msg_type,
- unsigned int received_extension_type,
- uint32_t hs_msg_allowed_extensions_mask);
-
-static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
- mbedtls_ssl_context *ssl, unsigned int extension_type)
-{
- ssl->handshake->sent_extensions |=
- mbedtls_ssl_get_extension_mask(extension_type);
-}
-
-/*
- * Helper functions to check the selected key exchange mode.
- */
-static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
- mbedtls_ssl_context *ssl, int kex_mask)
-{
- return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
-}
-
-static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
- mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
-}
-
-static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
- mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
-}
-
-/*
- * Fetch TLS 1.3 handshake message header
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- unsigned char **buf,
- size_t *buf_len);
-
-/**
- * \brief Detect if a list of extensions contains a supported_versions
- * extension or not.
- *
- * \param[in] ssl SSL context
- * \param[in] buf Address of the first byte of the extensions vector.
- * \param[in] end End of the buffer containing the list of extensions.
- * \param[out] supported_versions_data If the extension is present, address of
- * its first byte of data, NULL otherwise.
- * \param[out] supported_versions_data_end If the extension is present, address
- * of the first byte immediately
- * following the extension data, NULL
- * otherwise.
- * \return 0 if the list of extensions does not contain a supported_versions
- * extension.
- * \return 1 if the list of extensions contains a supported_versions
- * extension.
- * \return A negative value if an error occurred while parsing the
- * extensions.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
- mbedtls_ssl_context *ssl,
- const unsigned char *buf, const unsigned char *end,
- const unsigned char **supported_versions_data,
- const unsigned char **supported_versions_data_end);
-
-/*
- * Handler of TLS 1.3 server certificate message
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
-/*
- * Handler of TLS 1.3 write Certificate message
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
-
-/*
- * Handler of TLS 1.3 write Certificate Verify message
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
-
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
-
-/*
- * Generic handler of Certificate Verify
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
-
-/*
- * Write of dummy-CCS's for middlebox compatibility
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
-
-#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
- mbedtls_ssl_context *ssl,
- uint16_t named_group,
- unsigned char *buf,
- unsigned char *end,
- size_t *out_len);
-#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
-int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
- int in_new_session_ticket,
- unsigned char *buf,
- const unsigned char *end,
- size_t *out_len);
-
-int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
- size_t early_data_len);
-
-typedef enum {
-/*
- * The client has not sent the first ClientHello yet, the negotiation of early
- * data has not started yet.
- */
- MBEDTLS_SSL_EARLY_DATA_STATE_IDLE,
-
-/*
- * In its ClientHello, the client has not included an early data indication
- * extension.
- */
- MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT,
-
-/*
- * The client has sent an early data indication extension in its first
- * ClientHello, it has not received the response (ServerHello or
- * HelloRetryRequest) from the server yet. The transform to protect early data
- * is not set either as for middlebox compatibility a dummy CCS may have to be
- * sent in clear. Early data cannot be sent to the server yet.
- */
- MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT,
-
-/*
- * The client has sent an early data indication extension in its first
- * ClientHello, it has not received the response (ServerHello or
- * HelloRetryRequest) from the server yet. The transform to protect early data
- * has been set and early data can be written now.
- */
- MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE,
-
-/*
- * The client has indicated the use of early data and the server has accepted
- * it.
- */
- MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED,
-
-/*
- * The client has indicated the use of early data but the server has rejected
- * it.
- */
- MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED,
-
-/*
- * The client has sent an early data indication extension in its first
- * ClientHello, the server has accepted them and the client has received the
- * server Finished message. It cannot send early data to the server anymore.
- */
- MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED,
-
-} mbedtls_ssl_early_data_state;
-#endif /* MBEDTLS_SSL_EARLY_DATA */
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-/*
- * Write Signature Algorithm extension
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
- const unsigned char *end, size_t *out_len);
-/*
- * Parse TLS Signature Algorithm extension
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end);
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-/* Get handshake transcript */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
- const mbedtls_md_type_t md,
- unsigned char *dst,
- size_t dst_len,
- size_t *olen);
-
-/*
- * Return supported groups.
- *
- * In future, invocations can be changed to ssl->conf->group_list
- * when mbedtls_ssl_conf_curves() is deleted.
- *
- * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
- * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
- * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
- *
- */
-static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
-{
- #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
- return ssl->conf->group_list;
- #else
- if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
- return ssl->handshake->group_list;
- } else {
- return ssl->conf->group_list;
- }
- #endif
-}
-
-/*
- * Helper functions for NamedGroup.
- */
-static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
-{
- /*
- * RFC 8422 section 5.1.1
- */
- return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
- /* Below deprecated curves should be removed with notice to users */
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
-}
-
-static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
-{
- return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
- named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
-}
-
-static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
-{
- return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
- named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
-}
-
-static inline int mbedtls_ssl_named_group_is_offered(
- const mbedtls_ssl_context *ssl, uint16_t named_group)
-{
- const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
-
- if (group_list == NULL) {
- return 0;
- }
-
- for (; *group_list != 0; group_list++) {
- if (*group_list == named_group) {
- return 1;
- }
- }
-
- return 0;
-}
-
-static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
-{
-#if defined(PSA_WANT_ALG_ECDH)
- if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
- if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
- MBEDTLS_ECP_DP_NONE) {
- return 1;
- }
- }
-#endif
-#if defined(PSA_WANT_ALG_FFDH)
- if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
- return 1;
- }
-#endif
-#if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
- (void) named_group;
-#endif
- return 0;
-}
-
-/*
- * Return supported signature algorithms.
- *
- * In future, invocations can be changed to ssl->conf->sig_algs when
- * mbedtls_ssl_conf_sig_hashes() is deleted.
- *
- * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
- * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
- * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
- * been more recently invoked.
- *
- */
-static inline const void *mbedtls_ssl_get_sig_algs(
- const mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ssl->handshake != NULL &&
- ssl->handshake->sig_algs_heap_allocated == 1 &&
- ssl->handshake->sig_algs != NULL) {
- return ssl->handshake->sig_algs;
- }
-#endif
- return ssl->conf->sig_algs;
-
-#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
- ((void) ssl);
- return NULL;
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-}
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
-static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
- uint16_t own_sig_alg)
-{
- const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
- if (sig_alg == NULL) {
- return 0;
- }
-
- for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
- if (*sig_alg == own_sig_alg) {
- return 1;
- }
- }
- return 0;
-}
-
-static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
- const uint16_t sig_alg)
-{
- switch (sig_alg) {
-#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
-#if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256)
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
- break;
-#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-#if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384)
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
- break;
-#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-#if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521)
- case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
- break;
-#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
-
-#if defined(MBEDTLS_PKCS1_V21)
-#if defined(PSA_WANT_ALG_SHA_256)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
- break;
-#endif /* PSA_WANT_ALG_SHA_256 */
-#if defined(PSA_WANT_ALG_SHA_384)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
- break;
-#endif /* PSA_WANT_ALG_SHA_384 */
-#if defined(PSA_WANT_ALG_SHA_512)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
- break;
-#endif /* PSA_WANT_ALG_SHA_512 */
-#endif /* MBEDTLS_PKCS1_V21 */
- default:
- return 0;
- }
- return 1;
-
-}
-
-static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
- const uint16_t sig_alg)
-{
- switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V15)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
- break;
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
- break;
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#if defined(MBEDTLS_MD_CAN_SHA512)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
- break;
-#endif /* MBEDTLS_MD_CAN_SHA512 */
-#endif /* MBEDTLS_PKCS1_V15 */
- default:
- return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
- sig_alg);
- }
- return 1;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
- mbedtls_pk_context *key);
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
- uint16_t proposed_sig_alg)
-{
- const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
- if (sig_alg == NULL) {
- return 0;
- }
-
- for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
- if (*sig_alg == proposed_sig_alg) {
- return 1;
- }
- }
- return 0;
-}
-
-static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
- uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
-{
- *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
- *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
-
- if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
- return 0;
- }
-
- switch (sig_alg) {
-#if defined(MBEDTLS_PKCS1_V21)
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
- *md_alg = MBEDTLS_MD_SHA256;
- *pk_type = MBEDTLS_PK_RSASSA_PSS;
- break;
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
- *md_alg = MBEDTLS_MD_SHA384;
- *pk_type = MBEDTLS_PK_RSASSA_PSS;
- break;
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-#if defined(MBEDTLS_MD_CAN_SHA512)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
- *md_alg = MBEDTLS_MD_SHA512;
- *pk_type = MBEDTLS_PK_RSASSA_PSS;
- break;
-#endif /* MBEDTLS_MD_CAN_SHA512 */
-#endif /* MBEDTLS_PKCS1_V21 */
- default:
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
- const uint16_t sig_alg)
-{
- /* High byte is hash */
- unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
- unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
-
- switch (hash) {
-#if defined(MBEDTLS_MD_CAN_MD5)
- case MBEDTLS_SSL_HASH_MD5:
- break;
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA1)
- case MBEDTLS_SSL_HASH_SHA1:
- break;
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA224)
- case MBEDTLS_SSL_HASH_SHA224:
- break;
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_SSL_HASH_SHA256:
- break;
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_SSL_HASH_SHA384:
- break;
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA512)
- case MBEDTLS_SSL_HASH_SHA512:
- break;
-#endif
-
- default:
- return 0;
- }
-
- switch (sig) {
-#if defined(MBEDTLS_RSA_C)
- case MBEDTLS_SSL_SIG_RSA:
- break;
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- case MBEDTLS_SSL_SIG_ECDSA:
- break;
-#endif
-
- default:
- return 0;
- }
-
- return 1;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-static inline int mbedtls_ssl_sig_alg_is_supported(
- const mbedtls_ssl_context *ssl,
- const uint16_t sig_alg)
-{
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
- return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
- }
-#endif
- ((void) ssl);
- ((void) sig_alg);
- return 0;
-}
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
- * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
- * guaranteed to not be a valid PSA algorithm identifier.
- */
-#define MBEDTLS_SSL_NULL_CIPHER 0x04000000
-
-/**
- * \brief Translate mbedtls cipher type/taglen pair to psa:
- * algorithm, key type and key size.
- *
- * \param mbedtls_cipher_type [in] given mbedtls cipher type
- * \param taglen [in] given tag length
- * 0 - default tag length
- * \param alg [out] corresponding PSA alg
- * There is no corresponding PSA
- * alg for MBEDTLS_CIPHER_NULL, so
- * in this case MBEDTLS_SSL_NULL_CIPHER
- * is returned via this parameter
- * \param key_type [out] corresponding PSA key type
- * \param key_size [out] corresponding PSA key size
- *
- * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
- * conversion is not supported.
- */
-psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
- size_t taglen,
- psa_algorithm_t *alg,
- psa_key_type_t *key_type,
- size_t *key_size);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/**
- * \brief Convert given PSA status to mbedtls error code.
- *
- * \param status [in] given PSA status
- *
- * \return corresponding mbedtls error code
- */
-static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
-{
- switch (status) {
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- case PSA_ERROR_INVALID_SIGNATURE:
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- case PSA_ERROR_INVALID_ARGUMENT:
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- case PSA_ERROR_BAD_STATE:
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- case PSA_ERROR_BUFFER_TOO_SMALL:
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- default:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
- defined(MBEDTLS_USE_PSA_CRYPTO)
-
-typedef enum {
- MBEDTLS_ECJPAKE_ROUND_ONE,
- MBEDTLS_ECJPAKE_ROUND_TWO
-} mbedtls_ecjpake_rounds_t;
-
-/**
- * \brief Parse the provided input buffer for getting the first round
- * of key exchange. This code is common between server and client
- *
- * \param pake_ctx [in] the PAKE's operation/context structure
- * \param buf [in] input buffer to parse
- * \param len [in] length of the input buffer
- * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
- * MBEDTLS_ECJPAKE_ROUND_TWO
- *
- * \return 0 on success or a negative error code in case of failure
- */
-int mbedtls_psa_ecjpake_read_round(
- psa_pake_operation_t *pake_ctx,
- const unsigned char *buf,
- size_t len, mbedtls_ecjpake_rounds_t round);
-
-/**
- * \brief Write the first round of key exchange into the provided output
- * buffer. This code is common between server and client
- *
- * \param pake_ctx [in] the PAKE's operation/context structure
- * \param buf [out] the output buffer in which data will be written to
- * \param len [in] length of the output buffer
- * \param olen [out] the length of the data really written on the buffer
- * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
- * MBEDTLS_ECJPAKE_ROUND_TWO
- *
- * \return 0 on success or a negative error code in case of failure
- */
-int mbedtls_psa_ecjpake_write_round(
- psa_pake_operation_t *pake_ctx,
- unsigned char *buf,
- size_t len, size_t *olen,
- mbedtls_ecjpake_rounds_t round);
-
-#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
-
-/**
- * \brief TLS record protection modes
- */
-typedef enum {
- MBEDTLS_SSL_MODE_STREAM = 0,
- MBEDTLS_SSL_MODE_CBC,
- MBEDTLS_SSL_MODE_CBC_ETM,
- MBEDTLS_SSL_MODE_AEAD
-} mbedtls_ssl_mode_t;
-
-mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
- const mbedtls_ssl_transform *transform);
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
-mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
- int encrypt_then_mac,
- const mbedtls_ssl_ciphersuite_t *suite);
-#else
-mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
- const mbedtls_ssl_ciphersuite_t *suite);
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
-
-#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t buf_len);
-
-#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
-
-static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
- mbedtls_ssl_context *ssl, int cipher_suite)
-{
- const int *ciphersuite_list = ssl->conf->ciphersuite_list;
-
- /* Check whether we have offered this ciphersuite */
- for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
- if (ciphersuite_list[i] == cipher_suite) {
- return 1;
- }
- }
- return 0;
-}
-
-/**
- * \brief Validate cipher suite against config in SSL context.
- *
- * \param ssl SSL context
- * \param suite_info Cipher suite to validate
- * \param min_tls_version Minimal TLS version to accept a cipher suite
- * \param max_tls_version Maximal TLS version to accept a cipher suite
- *
- * \return 0 if valid, negative value otherwise.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_validate_ciphersuite(
- const mbedtls_ssl_context *ssl,
- const mbedtls_ssl_ciphersuite_t *suite_info,
- mbedtls_ssl_protocol_version min_tls_version,
- mbedtls_ssl_protocol_version max_tls_version);
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end);
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
-#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
-#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *out_len);
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
-#if defined(MBEDTLS_SSL_ALPN)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end);
-
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- unsigned char *end,
- size_t *out_len);
-#endif /* MBEDTLS_SSL_ALPN */
-
-#if defined(MBEDTLS_TEST_HOOKS)
-int mbedtls_ssl_check_dtls_clihlo_cookie(
- mbedtls_ssl_context *ssl,
- const unsigned char *cli_id, size_t cli_id_len,
- const unsigned char *in, size_t in_len,
- unsigned char *obuf, size_t buf_len, size_t *olen);
-#endif
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
-/**
- * \brief Given an SSL context and its associated configuration, write the TLS
- * 1.3 specific Pre-Shared key extension.
- *
- * \param[in] ssl SSL context
- * \param[in] buf Base address of the buffer where to write the extension
- * \param[in] end End address of the buffer where to write the extension
- * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
- * written into the buffer \p buf by this function plus
- * the length of the binders to be written.
- * \param[out] binders_len Length of the binders to be written at the end of
- * the extension.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
- mbedtls_ssl_context *ssl,
- unsigned char *buf, unsigned char *end,
- size_t *out_len, size_t *binders_len);
-
-/**
- * \brief Given an SSL context and its associated configuration, write the TLS
- * 1.3 specific Pre-Shared key extension binders at the end of the
- * ClientHello.
- *
- * \param[in] ssl SSL context
- * \param[in] buf Base address of the buffer where to write the binders
- * \param[in] end End address of the buffer where to write the binders
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
- mbedtls_ssl_context *ssl,
- unsigned char *buf, unsigned char *end);
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-/** Get the host name from the SSL context.
- *
- * \param[in] ssl SSL context
- *
- * \return The \p hostname pointer from the SSL context.
- * \c NULL if mbedtls_ssl_set_hostname() has never been called on
- * \p ssl or if it was last called with \p NULL.
- */
-const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SESSION_TICKETS) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
- defined(MBEDTLS_SSL_CLI_C)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
- const char *hostname);
-#endif
-
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
- defined(MBEDTLS_SSL_ALPN)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
- const char *alpn);
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-
-#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
-
-static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
- mbedtls_ssl_session *session, unsigned int flags)
-{
- return session->ticket_flags &
- (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
-}
-
-/**
- * Check if at least one of the given flags is set in
- * the session ticket. See the definition of
- * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
- * permitted flags.
- */
-static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
- mbedtls_ssl_session *session, unsigned int flags)
-{
- return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
-}
-
-static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
- mbedtls_ssl_session *session)
-{
- return mbedtls_ssl_tls13_session_ticket_has_flags(
- session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
-}
-
-static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
- mbedtls_ssl_session *session)
-{
- return mbedtls_ssl_tls13_session_ticket_has_flags(
- session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
-}
-
-static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
- mbedtls_ssl_session *session)
-{
- return mbedtls_ssl_tls13_session_ticket_has_flags(
- session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
-}
-
-static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
- mbedtls_ssl_session *session, unsigned int flags)
-{
- session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
-}
-
-static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
- mbedtls_ssl_session *session, unsigned int flags)
-{
- session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
-}
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
-#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
-#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
-
-#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
- (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
-#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
- (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-static inline int mbedtls_ssl_conf_get_session_tickets(
- const mbedtls_ssl_config *conf)
-{
- return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
- MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
- MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(
- const mbedtls_ssl_config *conf)
-{
- return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
- MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED :
- MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
-int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
-#endif
-
-#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-
-/** Compute the HMAC of variable-length data with constant flow.
- *
- * This function computes the HMAC of the concatenation of \p add_data and \p
- * data, and does with a code flow and memory access pattern that does not
- * depend on \p data_len_secret, but only on \p min_data_len and \p
- * max_data_len. In particular, this function always reads exactly \p
- * max_data_len bytes from \p data.
- *
- * \param ctx The HMAC context. It must have keys configured
- * with mbedtls_md_hmac_starts() and use one of the
- * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
- * It is reset using mbedtls_md_hmac_reset() after
- * the computation is complete to prepare for the
- * next computation.
- * \param add_data The first part of the message whose HMAC is being
- * calculated. This must point to a readable buffer
- * of \p add_data_len bytes.
- * \param add_data_len The length of \p add_data in bytes.
- * \param data The buffer containing the second part of the
- * message. This must point to a readable buffer
- * of \p max_data_len bytes.
- * \param data_len_secret The length of the data to process in \p data.
- * This must be no less than \p min_data_len and no
- * greater than \p max_data_len.
- * \param min_data_len The minimal length of the second part of the
- * message, read from \p data.
- * \param max_data_len The maximal length of the second part of the
- * message, read from \p data.
- * \param output The HMAC will be written here. This must point to
- * a writable buffer of sufficient size to hold the
- * HMAC value.
- *
- * \retval 0 on success.
- * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
- * The hardware accelerator failed.
- */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
- psa_algorithm_t mac_alg,
- const unsigned char *add_data,
- size_t add_data_len,
- const unsigned char *data,
- size_t data_len_secret,
- size_t min_data_len,
- size_t max_data_len,
- unsigned char *output);
-#else
-int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
- const unsigned char *add_data,
- size_t add_data_len,
- const unsigned char *data,
- size_t data_len_secret,
- size_t min_data_len,
- size_t max_data_len,
- unsigned char *output);
-#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
-#endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
-
-#endif /* ssl_misc.h */
diff --git a/lib/mbedtls_ssl/src/ssl_msg.c b/lib/mbedtls_ssl/src/ssl_msg.c
deleted file mode 100644
index 38fd262bc..000000000
--- a/lib/mbedtls_ssl/src/ssl_msg.c
+++ /dev/null
@@ -1,6515 +0,0 @@
-/*
- * Generic SSL/TLS messaging layer functions
- * (record layer + retransmission state machine)
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-/*
- * http://www.ietf.org/rfc/rfc2246.txt
- * http://www.ietf.org/rfc/rfc4346.txt
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_SSL_TLS_C)
-
-#include "mbedtls/platform.h"
-
-#include "mbedtls/ssl.h"
-#include "ssl_misc.h"
-#include "debug_internal.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/version.h"
-#include "constant_time_internal.h"
-#include "mbedtls/constant_time.h"
-
-#include
-#include
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa_util_internal.h"
-#include "psa/crypto.h"
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#include "mbedtls/oid.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/* Define a local translating function to save code size by not using too many
- * arguments in each translating place. */
-static int local_err_translation(psa_status_t status)
-{
- return psa_status_to_mbedtls(status, psa_to_ssl_errors,
- ARRAY_LENGTH(psa_to_ssl_errors),
- psa_generic_status_to_mbedtls);
-}
-#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-#endif
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-
-#if defined(PSA_WANT_ALG_SHA_384)
-#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_384)
-#elif defined(PSA_WANT_ALG_SHA_256)
-#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_256)
-#else /* See check_config.h */
-#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_1)
-#endif
-
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
- psa_algorithm_t mac_alg,
- const unsigned char *add_data,
- size_t add_data_len,
- const unsigned char *data,
- size_t data_len_secret,
- size_t min_data_len,
- size_t max_data_len,
- unsigned char *output)
-{
- /*
- * This function breaks the HMAC abstraction and uses psa_hash_clone()
- * extension in order to get constant-flow behaviour.
- *
- * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
- * concatenation, and okey/ikey are the XOR of the key with some fixed bit
- * patterns (see RFC 2104, sec. 2).
- *
- * We'll first compute ikey/okey, then inner_hash = HASH(ikey + msg) by
- * hashing up to minlen, then cloning the context, and for each byte up
- * to maxlen finishing up the hash computation, keeping only the
- * correct result.
- *
- * Then we only need to compute HASH(okey + inner_hash) and we're done.
- */
- psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH(mac_alg);
- const size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
- unsigned char key_buf[MAX_HASH_BLOCK_LENGTH];
- const size_t hash_size = PSA_HASH_LENGTH(hash_alg);
- psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
- size_t hash_length;
-
- unsigned char aux_out[PSA_HASH_MAX_SIZE];
- psa_hash_operation_t aux_operation = PSA_HASH_OPERATION_INIT;
- size_t offset;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- size_t mac_key_length;
- size_t i;
-
-#define PSA_CHK(func_call) \
- do { \
- status = (func_call); \
- if (status != PSA_SUCCESS) \
- goto cleanup; \
- } while (0)
-
- /* Export MAC key
- * We assume key length is always exactly the output size
- * which is never more than the block size, thus we use block_size
- * as the key buffer size.
- */
- PSA_CHK(psa_export_key(key, key_buf, block_size, &mac_key_length));
-
- /* Calculate ikey */
- for (i = 0; i < mac_key_length; i++) {
- key_buf[i] = (unsigned char) (key_buf[i] ^ 0x36);
- }
- for (; i < block_size; ++i) {
- key_buf[i] = 0x36;
- }
-
- PSA_CHK(psa_hash_setup(&operation, hash_alg));
-
- /* Now compute inner_hash = HASH(ikey + msg) */
- PSA_CHK(psa_hash_update(&operation, key_buf, block_size));
- PSA_CHK(psa_hash_update(&operation, add_data, add_data_len));
- PSA_CHK(psa_hash_update(&operation, data, min_data_len));
-
- /* Fill the hash buffer in advance with something that is
- * not a valid hash (barring an attack on the hash and
- * deliberately-crafted input), in case the caller doesn't
- * check the return status properly. */
- memset(output, '!', hash_size);
-
- /* For each possible length, compute the hash up to that point */
- for (offset = min_data_len; offset <= max_data_len; offset++) {
- PSA_CHK(psa_hash_clone(&operation, &aux_operation));
- PSA_CHK(psa_hash_finish(&aux_operation, aux_out,
- PSA_HASH_MAX_SIZE, &hash_length));
- /* Keep only the correct inner_hash in the output buffer */
- mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offset, data_len_secret),
- output, aux_out, NULL, hash_size);
-
- if (offset < max_data_len) {
- PSA_CHK(psa_hash_update(&operation, data + offset, 1));
- }
- }
-
- /* Abort current operation to prepare for final operation */
- PSA_CHK(psa_hash_abort(&operation));
-
- /* Calculate okey */
- for (i = 0; i < mac_key_length; i++) {
- key_buf[i] = (unsigned char) ((key_buf[i] ^ 0x36) ^ 0x5C);
- }
- for (; i < block_size; ++i) {
- key_buf[i] = 0x5C;
- }
-
- /* Now compute HASH(okey + inner_hash) */
- PSA_CHK(psa_hash_setup(&operation, hash_alg));
- PSA_CHK(psa_hash_update(&operation, key_buf, block_size));
- PSA_CHK(psa_hash_update(&operation, output, hash_size));
- PSA_CHK(psa_hash_finish(&operation, output, hash_size, &hash_length));
-
-#undef PSA_CHK
-
-cleanup:
- mbedtls_platform_zeroize(key_buf, MAX_HASH_BLOCK_LENGTH);
- mbedtls_platform_zeroize(aux_out, PSA_HASH_MAX_SIZE);
-
- psa_hash_abort(&operation);
- psa_hash_abort(&aux_operation);
- return PSA_TO_MBEDTLS_ERR(status);
-}
-
-#undef MAX_HASH_BLOCK_LENGTH
-
-#else
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
- const unsigned char *add_data,
- size_t add_data_len,
- const unsigned char *data,
- size_t data_len_secret,
- size_t min_data_len,
- size_t max_data_len,
- unsigned char *output)
-{
- /*
- * This function breaks the HMAC abstraction and uses the md_clone()
- * extension to the MD API in order to get constant-flow behaviour.
- *
- * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
- * concatenation, and okey/ikey are the XOR of the key with some fixed bit
- * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
- *
- * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
- * minlen, then cloning the context, and for each byte up to maxlen
- * finishing up the hash computation, keeping only the correct result.
- *
- * Then we only need to compute HASH(okey + inner_hash) and we're done.
- */
- const mbedtls_md_type_t md_alg = mbedtls_md_get_type(ctx->md_info);
- /* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5,
- * all of which have the same block size except SHA-384. */
- const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
- const unsigned char * const ikey = ctx->hmac_ctx;
- const unsigned char * const okey = ikey + block_size;
- const size_t hash_size = mbedtls_md_get_size(ctx->md_info);
-
- unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
- mbedtls_md_context_t aux;
- size_t offset;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_md_init(&aux);
-
-#define MD_CHK(func_call) \
- do { \
- ret = (func_call); \
- if (ret != 0) \
- goto cleanup; \
- } while (0)
-
- MD_CHK(mbedtls_md_setup(&aux, ctx->md_info, 0));
-
- /* After hmac_start() of hmac_reset(), ikey has already been hashed,
- * so we can start directly with the message */
- MD_CHK(mbedtls_md_update(ctx, add_data, add_data_len));
- MD_CHK(mbedtls_md_update(ctx, data, min_data_len));
-
- /* Fill the hash buffer in advance with something that is
- * not a valid hash (barring an attack on the hash and
- * deliberately-crafted input), in case the caller doesn't
- * check the return status properly. */
- memset(output, '!', hash_size);
-
- /* For each possible length, compute the hash up to that point */
- for (offset = min_data_len; offset <= max_data_len; offset++) {
- MD_CHK(mbedtls_md_clone(&aux, ctx));
- MD_CHK(mbedtls_md_finish(&aux, aux_out));
- /* Keep only the correct inner_hash in the output buffer */
- mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offset, data_len_secret),
- output, aux_out, NULL, hash_size);
-
- if (offset < max_data_len) {
- MD_CHK(mbedtls_md_update(ctx, data + offset, 1));
- }
- }
-
- /* The context needs to finish() before it starts() again */
- MD_CHK(mbedtls_md_finish(ctx, aux_out));
-
- /* Now compute HASH(okey + inner_hash) */
- MD_CHK(mbedtls_md_starts(ctx));
- MD_CHK(mbedtls_md_update(ctx, okey, block_size));
- MD_CHK(mbedtls_md_update(ctx, output, hash_size));
- MD_CHK(mbedtls_md_finish(ctx, output));
-
- /* Done, get ready for next time */
- MD_CHK(mbedtls_md_hmac_reset(ctx));
-
-#undef MD_CHK
-
-cleanup:
- mbedtls_md_free(&aux);
- return ret;
-}
-
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
-
-static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl);
-
-/*
- * Start a timer.
- * Passing millisecs = 0 cancels a running timer.
- */
-void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs)
-{
- if (ssl->f_set_timer == NULL) {
- return;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("set_timer to %d ms", (int) millisecs));
- ssl->f_set_timer(ssl->p_timer, millisecs / 4, millisecs);
-}
-
-/*
- * Return -1 is timer is expired, 0 if it isn't.
- */
-int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl)
-{
- if (ssl->f_get_timer == NULL) {
- return 0;
- }
-
- if (ssl->f_get_timer(ssl->p_timer) == 2) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("timer expired"));
- return -1;
- }
-
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
- unsigned char *buf,
- size_t len,
- mbedtls_record *rec);
-
-int mbedtls_ssl_check_record(mbedtls_ssl_context const *ssl,
- unsigned char *buf,
- size_t buflen)
-{
- int ret = 0;
- MBEDTLS_SSL_DEBUG_MSG(1, ("=> mbedtls_ssl_check_record"));
- MBEDTLS_SSL_DEBUG_BUF(3, "record buffer", buf, buflen);
-
- /* We don't support record checking in TLS because
- * there doesn't seem to be a usecase for it.
- */
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
- ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- goto exit;
- }
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- else {
- mbedtls_record rec;
-
- ret = ssl_parse_record_header(ssl, buf, buflen, &rec);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(3, "ssl_parse_record_header", ret);
- goto exit;
- }
-
- if (ssl->transform_in != NULL) {
- ret = mbedtls_ssl_decrypt_buf(ssl, ssl->transform_in, &rec);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(3, "mbedtls_ssl_decrypt_buf", ret);
- goto exit;
- }
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-exit:
- /* On success, we have decrypted the buffer in-place, so make
- * sure we don't leak any plaintext data. */
- mbedtls_platform_zeroize(buf, buflen);
-
- /* For the purpose of this API, treat messages with unexpected CID
- * as well as such from future epochs as unexpected. */
- if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
- ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
- ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("<= mbedtls_ssl_check_record"));
- return ret;
-}
-
-#define SSL_DONT_FORCE_FLUSH 0
-#define SSL_FORCE_FLUSH 1
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-
-/* Forward declarations for functions related to message buffering. */
-static void ssl_buffering_free_slot(mbedtls_ssl_context *ssl,
- uint8_t slot);
-static void ssl_free_buffered_record(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_load_buffered_message(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_load_buffered_record(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_buffer_message(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_buffer_future_record(mbedtls_ssl_context *ssl,
- mbedtls_record const *rec);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_next_record_is_in_datagram(mbedtls_ssl_context *ssl);
-
-static size_t ssl_get_maximum_datagram_size(mbedtls_ssl_context const *ssl)
-{
- size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t out_buf_len = ssl->out_buf_len;
-#else
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-#endif
-
- if (mtu != 0 && mtu < out_buf_len) {
- return mtu;
- }
-
- return out_buf_len;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_get_remaining_space_in_datagram(mbedtls_ssl_context const *ssl)
-{
- size_t const bytes_written = ssl->out_left;
- size_t const mtu = ssl_get_maximum_datagram_size(ssl);
-
- /* Double-check that the write-index hasn't gone
- * past what we can transmit in a single datagram. */
- if (bytes_written > mtu) {
- /* Should never happen... */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- return (int) (mtu - bytes_written);
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_get_remaining_payload_in_datagram(mbedtls_ssl_context const *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t remaining, expansion;
- size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
-
- if (max_len > mfl) {
- max_len = mfl;
- }
-
- /* By the standard (RFC 6066 Sect. 4), the MFL extension
- * only limits the maximum record payload size, so in theory
- * we would be allowed to pack multiple records of payload size
- * MFL into a single datagram. However, this would mean that there's
- * no way to explicitly communicate MTU restrictions to the peer.
- *
- * The following reduction of max_len makes sure that we never
- * write datagrams larger than MFL + Record Expansion Overhead.
- */
- if (max_len <= ssl->out_left) {
- return 0;
- }
-
- max_len -= ssl->out_left;
-#endif
-
- ret = ssl_get_remaining_space_in_datagram(ssl);
- if (ret < 0) {
- return ret;
- }
- remaining = (size_t) ret;
-
- ret = mbedtls_ssl_get_record_expansion(ssl);
- if (ret < 0) {
- return ret;
- }
- expansion = (size_t) ret;
-
- if (remaining <= expansion) {
- return 0;
- }
-
- remaining -= expansion;
- if (remaining >= max_len) {
- remaining = max_len;
- }
-
- return (int) remaining;
-}
-
-/*
- * Double the retransmit timeout value, within the allowed range,
- * returning -1 if the maximum value has already been reached.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_double_retransmit_timeout(mbedtls_ssl_context *ssl)
-{
- uint32_t new_timeout;
-
- if (ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max) {
- return -1;
- }
-
- /* Implement the final paragraph of RFC 6347 section 4.1.1.1
- * in the following way: after the initial transmission and a first
- * retransmission, back off to a temporary estimated MTU of 508 bytes.
- * This value is guaranteed to be deliverable (if not guaranteed to be
- * delivered) of any compliant IPv4 (and IPv6) network, and should work
- * on most non-IP stacks too. */
- if (ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min) {
- ssl->handshake->mtu = 508;
- MBEDTLS_SSL_DEBUG_MSG(2, ("mtu autoreduction to %d bytes", ssl->handshake->mtu));
- }
-
- new_timeout = 2 * ssl->handshake->retransmit_timeout;
-
- /* Avoid arithmetic overflow and range overflow */
- if (new_timeout < ssl->handshake->retransmit_timeout ||
- new_timeout > ssl->conf->hs_timeout_max) {
- new_timeout = ssl->conf->hs_timeout_max;
- }
-
- ssl->handshake->retransmit_timeout = new_timeout;
- MBEDTLS_SSL_DEBUG_MSG(3, ("update timeout value to %lu millisecs",
- (unsigned long) ssl->handshake->retransmit_timeout));
-
- return 0;
-}
-
-static void ssl_reset_retransmit_timeout(mbedtls_ssl_context *ssl)
-{
- ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
- MBEDTLS_SSL_DEBUG_MSG(3, ("update timeout value to %lu millisecs",
- (unsigned long) ssl->handshake->retransmit_timeout));
-}
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-/*
- * Encryption/decryption functions
- */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-
-static size_t ssl_compute_padding_length(size_t len,
- size_t granularity)
-{
- return (granularity - (len + 1) % granularity) % granularity;
-}
-
-/* This functions transforms a (D)TLS plaintext fragment and a record content
- * type into an instance of the (D)TLSInnerPlaintext structure. This is used
- * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
- * a record's content type.
- *
- * struct {
- * opaque content[DTLSPlaintext.length];
- * ContentType real_type;
- * uint8 zeros[length_of_padding];
- * } (D)TLSInnerPlaintext;
- *
- * Input:
- * - `content`: The beginning of the buffer holding the
- * plaintext to be wrapped.
- * - `*content_size`: The length of the plaintext in Bytes.
- * - `max_len`: The number of Bytes available starting from
- * `content`. This must be `>= *content_size`.
- * - `rec_type`: The desired record content type.
- *
- * Output:
- * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
- * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
- *
- * Returns:
- * - `0` on success.
- * - A negative error code if `max_len` didn't offer enough space
- * for the expansion.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_build_inner_plaintext(unsigned char *content,
- size_t *content_size,
- size_t remaining,
- uint8_t rec_type,
- size_t pad)
-{
- size_t len = *content_size;
-
- /* Write real content type */
- if (remaining == 0) {
- return -1;
- }
- content[len] = rec_type;
- len++;
- remaining--;
-
- if (remaining < pad) {
- return -1;
- }
- memset(content + len, 0, pad);
- len += pad;
- remaining -= pad;
-
- *content_size = len;
- return 0;
-}
-
-/* This function parses a (D)TLSInnerPlaintext structure.
- * See ssl_build_inner_plaintext() for details. */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_inner_plaintext(unsigned char const *content,
- size_t *content_size,
- uint8_t *rec_type)
-{
- size_t remaining = *content_size;
-
- /* Determine length of padding by skipping zeroes from the back. */
- do {
- if (remaining == 0) {
- return -1;
- }
- remaining--;
- } while (content[remaining] == 0);
-
- *content_size = remaining;
- *rec_type = content[remaining];
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */
-
-/* The size of the `add_data` structure depends on various
- * factors, namely
- *
- * 1) CID functionality disabled
- *
- * additional_data =
- * 8: seq_num +
- * 1: type +
- * 2: version +
- * 2: length of inner plaintext +
- *
- * size = 13 bytes
- *
- * 2) CID functionality based on RFC 9146 enabled
- *
- * size = 8 + 1 + 1 + 1 + 2 + 2 + 6 + 2 + CID-length
- * = 23 + CID-length
- *
- * 3) CID functionality based on legacy CID version
- according to draft-ietf-tls-dtls-connection-id-05
- * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
- *
- * size = 13 + 1 + CID-length
- *
- * More information about the CID usage:
- *
- * Per Section 5.3 of draft-ietf-tls-dtls-connection-id-05 the
- * size of the additional data structure is calculated as:
- *
- * additional_data =
- * 8: seq_num +
- * 1: tls12_cid +
- * 2: DTLSCipherText.version +
- * n: cid +
- * 1: cid_length +
- * 2: length_of_DTLSInnerPlaintext
- *
- * Per RFC 9146 the size of the add_data structure is calculated as:
- *
- * additional_data =
- * 8: seq_num_placeholder +
- * 1: tls12_cid +
- * 1: cid_length +
- * 1: tls12_cid +
- * 2: DTLSCiphertext.version +
- * 2: epoch +
- * 6: sequence_number +
- * n: cid +
- * 2: length_of_DTLSInnerPlaintext
- *
- */
-static void ssl_extract_add_data_from_record(unsigned char *add_data,
- size_t *add_data_len,
- mbedtls_record *rec,
- mbedtls_ssl_protocol_version
- tls_version,
- size_t taglen)
-{
- /* Several types of ciphers have been defined for use with TLS and DTLS,
- * and the MAC calculations for those ciphers differ slightly. Further
- * variants were added when the CID functionality was added with RFC 9146.
- * This implementations also considers the use of a legacy version of the
- * CID specification published in draft-ietf-tls-dtls-connection-id-05,
- * which is used in deployments.
- *
- * We will distinguish between the non-CID and the CID cases below.
- *
- * --- Non-CID cases ---
- *
- * Quoting RFC 5246 (TLS 1.2):
- *
- * additional_data = seq_num + TLSCompressed.type +
- * TLSCompressed.version + TLSCompressed.length;
- *
- * For TLS 1.3, the record sequence number is dropped from the AAD
- * and encoded within the nonce of the AEAD operation instead.
- * Moreover, the additional data involves the length of the TLS
- * ciphertext, not the TLS plaintext as in earlier versions.
- * Quoting RFC 8446 (TLS 1.3):
- *
- * additional_data = TLSCiphertext.opaque_type ||
- * TLSCiphertext.legacy_record_version ||
- * TLSCiphertext.length
- *
- * We pass the tag length to this function in order to compute the
- * ciphertext length from the inner plaintext length rec->data_len via
- *
- * TLSCiphertext.length = TLSInnerPlaintext.length + taglen.
- *
- * --- CID cases ---
- *
- * RFC 9146 uses a common pattern when constructing the data
- * passed into a MAC / AEAD cipher.
- *
- * Data concatenation for MACs used with block ciphers with
- * Encrypt-then-MAC Processing (with CID):
- *
- * data = seq_num_placeholder +
- * tls12_cid +
- * cid_length +
- * tls12_cid +
- * DTLSCiphertext.version +
- * epoch +
- * sequence_number +
- * cid +
- * DTLSCiphertext.length +
- * IV +
- * ENC(content + padding + padding_length)
- *
- * Data concatenation for MACs used with block ciphers (with CID):
- *
- * data = seq_num_placeholder +
- * tls12_cid +
- * cid_length +
- * tls12_cid +
- * DTLSCiphertext.version +
- * epoch +
- * sequence_number +
- * cid +
- * length_of_DTLSInnerPlaintext +
- * DTLSInnerPlaintext.content +
- * DTLSInnerPlaintext.real_type +
- * DTLSInnerPlaintext.zeros
- *
- * AEAD ciphers use the following additional data calculation (with CIDs):
- *
- * additional_data = seq_num_placeholder +
- * tls12_cid +
- * cid_length +
- * tls12_cid +
- * DTLSCiphertext.version +
- * epoch +
- * sequence_number +
- * cid +
- * length_of_DTLSInnerPlaintext
- *
- * Section 5.3 of draft-ietf-tls-dtls-connection-id-05 (for legacy CID use)
- * defines the additional data calculation as follows:
- *
- * additional_data = seq_num +
- * tls12_cid +
- * DTLSCipherText.version +
- * cid +
- * cid_length +
- * length_of_DTLSInnerPlaintext
- */
-
- unsigned char *cur = add_data;
- size_t ad_len_field = rec->data_len;
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
- MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
- const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- /* In TLS 1.3, the AAD contains the length of the TLSCiphertext,
- * which differs from the length of the TLSInnerPlaintext
- * by the length of the authentication tag. */
- ad_len_field += taglen;
- } else
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
- {
- ((void) tls_version);
- ((void) taglen);
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
- MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
- if (rec->cid_len != 0) {
- // seq_num_placeholder
- memcpy(cur, seq_num_placeholder, sizeof(seq_num_placeholder));
- cur += sizeof(seq_num_placeholder);
-
- // tls12_cid type
- *cur = rec->type;
- cur++;
-
- // cid_length
- *cur = rec->cid_len;
- cur++;
- } else
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- {
- // epoch + sequence number
- memcpy(cur, rec->ctr, sizeof(rec->ctr));
- cur += sizeof(rec->ctr);
- }
- }
-
- // type
- *cur = rec->type;
- cur++;
-
- // version
- memcpy(cur, rec->ver, sizeof(rec->ver));
- cur += sizeof(rec->ver);
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
- MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1
-
- if (rec->cid_len != 0) {
- // CID
- memcpy(cur, rec->cid, rec->cid_len);
- cur += rec->cid_len;
-
- // cid_length
- *cur = rec->cid_len;
- cur++;
-
- // length of inner plaintext
- MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
- cur += 2;
- } else
-#elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
- MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
-
- if (rec->cid_len != 0) {
- // epoch + sequence number
- memcpy(cur, rec->ctr, sizeof(rec->ctr));
- cur += sizeof(rec->ctr);
-
- // CID
- memcpy(cur, rec->cid, rec->cid_len);
- cur += rec->cid_len;
-
- // length of inner plaintext
- MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
- cur += 2;
- } else
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- {
- MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
- cur += 2;
- }
-
- *add_data_len = (size_t) (cur - add_data);
-}
-
-#if defined(MBEDTLS_SSL_HAVE_AEAD)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_transform_aead_dynamic_iv_is_explicit(
- mbedtls_ssl_transform const *transform)
-{
- return transform->ivlen != transform->fixed_ivlen;
-}
-
-/* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
- *
- * Concretely, this occurs in two variants:
- *
- * a) Fixed and dynamic IV lengths add up to total IV length, giving
- * IV = fixed_iv || dynamic_iv
- *
- * This variant is used in TLS 1.2 when used with GCM or CCM.
- *
- * b) Fixed IV lengths matches total IV length, giving
- * IV = fixed_iv XOR ( 0 || dynamic_iv )
- *
- * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
- *
- * See also the documentation of mbedtls_ssl_transform.
- *
- * This function has the precondition that
- *
- * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
- *
- * which has to be ensured by the caller. If this precondition
- * violated, the behavior of this function is undefined.
- */
-static void ssl_build_record_nonce(unsigned char *dst_iv,
- size_t dst_iv_len,
- unsigned char const *fixed_iv,
- size_t fixed_iv_len,
- unsigned char const *dynamic_iv,
- size_t dynamic_iv_len)
-{
- /* Start with Fixed IV || 0 */
- memset(dst_iv, 0, dst_iv_len);
- memcpy(dst_iv, fixed_iv, fixed_iv_len);
-
- dst_iv += dst_iv_len - dynamic_iv_len;
- mbedtls_xor(dst_iv, dst_iv, dynamic_iv, dynamic_iv_len);
-}
-#endif /* MBEDTLS_SSL_HAVE_AEAD */
-
-int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform,
- mbedtls_record *rec,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- mbedtls_ssl_mode_t ssl_mode;
- int auth_done = 0;
- unsigned char *data;
- /* For an explanation of the additional data length see
- * the description of ssl_extract_add_data_from_record().
- */
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX];
-#else
- unsigned char add_data[13];
-#endif
- size_t add_data_len;
- size_t post_avail;
-
- /* The SSL context is only used for debugging purposes! */
-#if !defined(MBEDTLS_DEBUG_C)
- ssl = NULL; /* make sure we don't use it except for debug */
- ((void) ssl);
-#endif
-
- /* The PRNG is used for dynamic IV generation that's used
- * for CBC transformations in TLS 1.2. */
-#if !(defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
- defined(MBEDTLS_SSL_PROTO_TLS1_2))
- ((void) f_rng);
- ((void) p_rng);
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> encrypt buf"));
-
- if (transform == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("no transform provided to encrypt_buf"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- if (rec == NULL
- || rec->buf == NULL
- || rec->buf_len < rec->data_offset
- || rec->buf_len - rec->data_offset < rec->data_len
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- || rec->cid_len != 0
-#endif
- ) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad record structure provided to encrypt_buf"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ssl_mode = mbedtls_ssl_get_mode_from_transform(transform);
-
- data = rec->buf + rec->data_offset;
- post_avail = rec->buf_len - (rec->data_len + rec->data_offset);
- MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload",
- data, rec->data_len);
-
- if (rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET
- " too large, maximum %" MBEDTLS_PRINTF_SIZET,
- rec->data_len,
- (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* The following two code paths implement the (D)TLSInnerPlaintext
- * structure present in TLS 1.3 and DTLS 1.2 + CID.
- *
- * See ssl_build_inner_plaintext() for more information.
- *
- * Note that this changes `rec->data_len`, and hence
- * `post_avail` needs to be recalculated afterwards.
- *
- * Note also that the two code paths cannot occur simultaneously
- * since they apply to different versions of the protocol. There
- * is hence no risk of double-addition of the inner plaintext.
- */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- size_t padding =
- ssl_compute_padding_length(rec->data_len,
- MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
- if (ssl_build_inner_plaintext(data,
- &rec->data_len,
- post_avail,
- rec->type,
- padding) != 0) {
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- /*
- * Add CID information
- */
- rec->cid_len = transform->out_cid_len;
- memcpy(rec->cid, transform->out_cid, transform->out_cid_len);
- MBEDTLS_SSL_DEBUG_BUF(3, "CID", rec->cid, rec->cid_len);
-
- if (rec->cid_len != 0) {
- size_t padding =
- ssl_compute_padding_length(rec->data_len,
- MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
- /*
- * Wrap plaintext into DTLSInnerPlaintext structure.
- * See ssl_build_inner_plaintext() for more information.
- *
- * Note that this changes `rec->data_len`, and hence
- * `post_avail` needs to be recalculated afterwards.
- */
- if (ssl_build_inner_plaintext(data,
- &rec->data_len,
- post_avail,
- rec->type,
- padding) != 0) {
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- rec->type = MBEDTLS_SSL_MSG_CID;
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- post_avail = rec->buf_len - (rec->data_len + rec->data_offset);
-
- /*
- * Add MAC before if needed
- */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
- ssl_mode == MBEDTLS_SSL_MODE_CBC) {
- if (post_avail < transform->maclen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- unsigned char mac[MBEDTLS_SSL_MAC_ADD];
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t sign_mac_length = 0;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
- transform->tls_version,
- transform->taglen);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
- transform->psa_mac_alg);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_disabled;
- }
-
- status = psa_mac_update(&operation, add_data, add_data_len);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_disabled;
- }
-
- status = psa_mac_update(&operation, data, rec->data_len);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_disabled;
- }
-
- status = psa_mac_sign_finish(&operation, mac, MBEDTLS_SSL_MAC_ADD,
- &sign_mac_length);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_disabled;
- }
-#else
- ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
- add_data_len);
- if (ret != 0) {
- goto hmac_failed_etm_disabled;
- }
- ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, data, rec->data_len);
- if (ret != 0) {
- goto hmac_failed_etm_disabled;
- }
- ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
- if (ret != 0) {
- goto hmac_failed_etm_disabled;
- }
- ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
- if (ret != 0) {
- goto hmac_failed_etm_disabled;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- memcpy(data + rec->data_len, mac, transform->maclen);
-#endif
-
- MBEDTLS_SSL_DEBUG_BUF(4, "computed mac", data + rec->data_len,
- transform->maclen);
-
- rec->data_len += transform->maclen;
- post_avail -= transform->maclen;
- auth_done++;
-
-hmac_failed_etm_disabled:
- mbedtls_platform_zeroize(mac, transform->maclen);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- ret = PSA_TO_MBEDTLS_ERR(status);
- status = psa_mac_abort(&operation);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_hmac_xxx", ret);
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
-
- /*
- * Encrypt
- */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
- if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
- "including %d bytes of padding",
- rec->data_len, 0));
-
- /* The only supported stream cipher is "NULL",
- * so there's nothing to do here.*/
- } else
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
-
-#if defined(MBEDTLS_SSL_HAVE_AEAD)
- if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
- unsigned char iv[12];
- unsigned char *dynamic_iv;
- size_t dynamic_iv_len;
- int dynamic_iv_is_explicit =
- ssl_transform_aead_dynamic_iv_is_explicit(transform);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Check that there's space for the authentication tag. */
- if (post_avail < transform->taglen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- /*
- * Build nonce for AEAD encryption.
- *
- * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
- * part of the IV is prepended to the ciphertext and
- * can be chosen freely - in particular, it need not
- * agree with the record sequence number.
- * However, since ChaChaPoly as well as all AEAD modes
- * in TLS 1.3 use the record sequence number as the
- * dynamic part of the nonce, we uniformly use the
- * record sequence number here in all cases.
- */
- dynamic_iv = rec->ctr;
- dynamic_iv_len = sizeof(rec->ctr);
-
- ssl_build_record_nonce(iv, sizeof(iv),
- transform->iv_enc,
- transform->fixed_ivlen,
- dynamic_iv,
- dynamic_iv_len);
-
- /*
- * Build additional data for AEAD encryption.
- * This depends on the TLS version.
- */
- ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
- transform->tls_version,
- transform->taglen);
-
- MBEDTLS_SSL_DEBUG_BUF(4, "IV used (internal)",
- iv, transform->ivlen);
- MBEDTLS_SSL_DEBUG_BUF(4, "IV used (transmitted)",
- dynamic_iv,
- dynamic_iv_is_explicit ? dynamic_iv_len : 0);
- MBEDTLS_SSL_DEBUG_BUF(4, "additional data used for AEAD",
- add_data, add_data_len);
- MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
- "including 0 bytes of padding",
- rec->data_len));
-
- /*
- * Encrypt and authenticate
- */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_aead_encrypt(transform->psa_key_enc,
- transform->psa_alg,
- iv, transform->ivlen,
- add_data, add_data_len,
- data, rec->data_len,
- data, rec->buf_len - (data - rec->buf),
- &rec->data_len);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret);
- return ret;
- }
-#else
- if ((ret = mbedtls_cipher_auth_encrypt_ext(&transform->cipher_ctx_enc,
- iv, transform->ivlen,
- add_data, add_data_len,
- data, rec->data_len, /* src */
- data, rec->buf_len - (size_t) (data - rec->buf), /* dst */
- &rec->data_len,
- transform->taglen)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_encrypt_ext", ret);
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- MBEDTLS_SSL_DEBUG_BUF(4, "after encrypt: tag",
- data + rec->data_len - transform->taglen,
- transform->taglen);
- /* Account for authentication tag. */
- post_avail -= transform->taglen;
-
- /*
- * Prefix record content with dynamic IV in case it is explicit.
- */
- if (dynamic_iv_is_explicit != 0) {
- if (rec->data_offset < dynamic_iv_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- memcpy(data - dynamic_iv_len, dynamic_iv, dynamic_iv_len);
- rec->data_offset -= dynamic_iv_len;
- rec->data_len += dynamic_iv_len;
- }
-
- auth_done++;
- } else
-#endif /* MBEDTLS_SSL_HAVE_AEAD */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
- if (ssl_mode == MBEDTLS_SSL_MODE_CBC ||
- ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t padlen, i;
- size_t olen;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t part_len;
- psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- /* Currently we're always using minimal padding
- * (up to 255 bytes would be allowed). */
- padlen = transform->ivlen - (rec->data_len + 1) % transform->ivlen;
- if (padlen == transform->ivlen) {
- padlen = 0;
- }
-
- /* Check there's enough space in the buffer for the padding. */
- if (post_avail < padlen + 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- for (i = 0; i <= padlen; i++) {
- data[rec->data_len + i] = (unsigned char) padlen;
- }
-
- rec->data_len += padlen + 1;
- post_avail -= padlen + 1;
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /*
- * Prepend per-record IV for block cipher in TLS v1.2 as per
- * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
- */
- if (f_rng == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("No PRNG provided to encrypt_record routine"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- if (rec->data_offset < transform->ivlen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- /*
- * Generate IV
- */
- ret = f_rng(p_rng, transform->iv_enc, transform->ivlen);
- if (ret != 0) {
- return ret;
- }
-
- memcpy(data - transform->ivlen, transform->iv_enc, transform->ivlen);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
- "including %"
- MBEDTLS_PRINTF_SIZET
- " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
- rec->data_len, transform->ivlen,
- padlen + 1));
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_cipher_encrypt_setup(&cipher_op,
- transform->psa_key_enc, transform->psa_alg);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_encrypt_setup", ret);
- return ret;
- }
-
- status = psa_cipher_set_iv(&cipher_op, transform->iv_enc, transform->ivlen);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
- return ret;
-
- }
-
- status = psa_cipher_update(&cipher_op,
- data, rec->data_len,
- data, rec->data_len, &olen);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
- return ret;
-
- }
-
- status = psa_cipher_finish(&cipher_op,
- data + olen, rec->data_len - olen,
- &part_len);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
- return ret;
-
- }
-
- olen += part_len;
-#else
- if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
- transform->iv_enc,
- transform->ivlen,
- data, rec->data_len,
- data, &olen)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- if (rec->data_len != olen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- data -= transform->ivlen;
- rec->data_offset -= transform->ivlen;
- rec->data_len += transform->ivlen;
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if (auth_done == 0) {
- unsigned char mac[MBEDTLS_SSL_MAC_ADD];
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
- size_t sign_mac_length = 0;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- /* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length))
- */
-
- if (post_avail < transform->maclen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- ssl_extract_add_data_from_record(add_data, &add_data_len,
- rec, transform->tls_version,
- transform->taglen);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
- MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
- add_data_len);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
- transform->psa_mac_alg);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-
- status = psa_mac_update(&operation, add_data, add_data_len);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-
- status = psa_mac_update(&operation, data, rec->data_len);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-
- status = psa_mac_sign_finish(&operation, mac, MBEDTLS_SSL_MAC_ADD,
- &sign_mac_length);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-#else
-
- ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
- add_data_len);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
- ret = mbedtls_md_hmac_update(&transform->md_ctx_enc,
- data, rec->data_len);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
- ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
- ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- memcpy(data + rec->data_len, mac, transform->maclen);
-
- rec->data_len += transform->maclen;
- post_avail -= transform->maclen;
- auth_done++;
-
-hmac_failed_etm_enabled:
- mbedtls_platform_zeroize(mac, transform->maclen);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- ret = PSA_TO_MBEDTLS_ERR(status);
- status = psa_mac_abort(&operation);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "HMAC calculation failed", ret);
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
- } else
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /* Make extra sure authentication was performed, exactly once */
- if (auth_done != 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= encrypt buf"));
-
- return 0;
-}
-
-int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
- mbedtls_ssl_transform *transform,
- mbedtls_record *rec)
-{
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) || defined(MBEDTLS_SSL_HAVE_AEAD)
- size_t olen;
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC || MBEDTLS_SSL_HAVE_AEAD */
- mbedtls_ssl_mode_t ssl_mode;
- int ret;
-
- int auth_done = 0;
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- size_t padlen = 0;
- mbedtls_ct_condition_t correct = MBEDTLS_CT_TRUE;
-#endif
- unsigned char *data;
- /* For an explanation of the additional data length see
- * the description of ssl_extract_add_data_from_record().
- */
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX];
-#else
- unsigned char add_data[13];
-#endif
- size_t add_data_len;
-
-#if !defined(MBEDTLS_DEBUG_C)
- ssl = NULL; /* make sure we don't use it except for debug */
- ((void) ssl);
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> decrypt buf"));
- if (rec == NULL ||
- rec->buf == NULL ||
- rec->buf_len < rec->data_offset ||
- rec->buf_len - rec->data_offset < rec->data_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad record structure provided to decrypt_buf"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- data = rec->buf + rec->data_offset;
- ssl_mode = mbedtls_ssl_get_mode_from_transform(transform);
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- /*
- * Match record's CID with incoming CID.
- */
- if (rec->cid_len != transform->in_cid_len ||
- memcmp(rec->cid, transform->in_cid, rec->cid_len) != 0) {
- return MBEDTLS_ERR_SSL_UNEXPECTED_CID;
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
- if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
- if (rec->data_len < transform->maclen) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("Record too short for MAC:"
- " %" MBEDTLS_PRINTF_SIZET " < %" MBEDTLS_PRINTF_SIZET,
- rec->data_len, transform->maclen));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
-
- /* The only supported stream cipher is "NULL",
- * so there's no encryption to do here.*/
- } else
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
-#if defined(MBEDTLS_SSL_HAVE_AEAD)
- if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
- unsigned char iv[12];
- unsigned char *dynamic_iv;
- size_t dynamic_iv_len;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- /*
- * Extract dynamic part of nonce for AEAD decryption.
- *
- * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
- * part of the IV is prepended to the ciphertext and
- * can be chosen freely - in particular, it need not
- * agree with the record sequence number.
- */
- dynamic_iv_len = sizeof(rec->ctr);
- if (ssl_transform_aead_dynamic_iv_is_explicit(transform) == 1) {
- if (rec->data_len < dynamic_iv_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
- " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
- rec->data_len,
- dynamic_iv_len));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
- dynamic_iv = data;
-
- data += dynamic_iv_len;
- rec->data_offset += dynamic_iv_len;
- rec->data_len -= dynamic_iv_len;
- } else {
- dynamic_iv = rec->ctr;
- }
-
- /* Check that there's space for the authentication tag. */
- if (rec->data_len < transform->taglen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
- ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
- rec->data_len,
- transform->taglen));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
- rec->data_len -= transform->taglen;
-
- /*
- * Prepare nonce from dynamic and static parts.
- */
- ssl_build_record_nonce(iv, sizeof(iv),
- transform->iv_dec,
- transform->fixed_ivlen,
- dynamic_iv,
- dynamic_iv_len);
-
- /*
- * Build additional data for AEAD encryption.
- * This depends on the TLS version.
- */
- ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
- transform->tls_version,
- transform->taglen);
- MBEDTLS_SSL_DEBUG_BUF(4, "additional data used for AEAD",
- add_data, add_data_len);
-
- /* Because of the check above, we know that there are
- * explicit_iv_len Bytes preceding data, and taglen
- * bytes following data + data_len. This justifies
- * the debug message and the invocation of
- * mbedtls_cipher_auth_decrypt_ext() below. */
-
- MBEDTLS_SSL_DEBUG_BUF(4, "IV used", iv, transform->ivlen);
- MBEDTLS_SSL_DEBUG_BUF(4, "TAG used", data + rec->data_len,
- transform->taglen);
-
- /*
- * Decrypt and authenticate
- */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_aead_decrypt(transform->psa_key_dec,
- transform->psa_alg,
- iv, transform->ivlen,
- add_data, add_data_len,
- data, rec->data_len + transform->taglen,
- data, rec->buf_len - (data - rec->buf),
- &olen);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret);
- return ret;
- }
-#else
- if ((ret = mbedtls_cipher_auth_decrypt_ext
- (&transform->cipher_ctx_dec,
- iv, transform->ivlen,
- add_data, add_data_len,
- data, rec->data_len + transform->taglen, /* src */
- data, rec->buf_len - (size_t) (data - rec->buf), &olen, /* dst */
- transform->taglen)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_decrypt_ext", ret);
-
- if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
-
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- auth_done++;
-
- /* Double-check that AEAD decryption doesn't change content length. */
- if (olen != rec->data_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- } else
-#endif /* MBEDTLS_SSL_HAVE_AEAD */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
- if (ssl_mode == MBEDTLS_SSL_MODE_CBC ||
- ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
- size_t minlen = 0;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- size_t part_len;
- psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- /*
- * Check immediate ciphertext sanity
- */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /* The ciphertext is prefixed with the CBC IV. */
- minlen += transform->ivlen;
-#endif
-
- /* Size considerations:
- *
- * - The CBC cipher text must not be empty and hence
- * at least of size transform->ivlen.
- *
- * Together with the potential IV-prefix, this explains
- * the first of the two checks below.
- *
- * - The record must contain a MAC, either in plain or
- * encrypted, depending on whether Encrypt-then-MAC
- * is used or not.
- * - If it is, the message contains the IV-prefix,
- * the CBC ciphertext, and the MAC.
- * - If it is not, the padded plaintext, and hence
- * the CBC ciphertext, has at least length maclen + 1
- * because there is at least the padding length byte.
- *
- * As the CBC ciphertext is not empty, both cases give the
- * lower bound minlen + maclen + 1 on the record size, which
- * we test for in the second check below.
- */
- if (rec->data_len < minlen + transform->ivlen ||
- rec->data_len < minlen + transform->maclen + 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
- ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
- "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
- "+ 1 ) ( + expl IV )",
- rec->data_len,
- transform->ivlen,
- transform->maclen));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
-
- /*
- * Authenticate before decrypt if enabled
- */
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
-#else
- unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
-
- /* Update data_len in tandem with add_data.
- *
- * The subtraction is safe because of the previous check
- * data_len >= minlen + maclen + 1.
- *
- * Afterwards, we know that data + data_len is followed by at
- * least maclen Bytes, which justifies the call to
- * mbedtls_ct_memcmp() below.
- *
- * Further, we still know that data_len > minlen */
- rec->data_len -= transform->maclen;
- ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
- transform->tls_version,
- transform->taglen);
-
- /* Calculate expected MAC. */
- MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
- add_data_len);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_mac_verify_setup(&operation, transform->psa_mac_dec,
- transform->psa_mac_alg);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-
- status = psa_mac_update(&operation, add_data, add_data_len);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-
- status = psa_mac_update(&operation, data, rec->data_len);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-
- /* Compare expected MAC with MAC at the end of the record. */
- status = psa_mac_verify_finish(&operation, data + rec->data_len,
- transform->maclen);
- if (status != PSA_SUCCESS) {
- goto hmac_failed_etm_enabled;
- }
-#else
- ret = mbedtls_md_hmac_update(&transform->md_ctx_dec, add_data,
- add_data_len);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
- ret = mbedtls_md_hmac_update(&transform->md_ctx_dec,
- data, rec->data_len);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
- ret = mbedtls_md_hmac_finish(&transform->md_ctx_dec, mac_expect);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
- ret = mbedtls_md_hmac_reset(&transform->md_ctx_dec);
- if (ret != 0) {
- goto hmac_failed_etm_enabled;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(4, "message mac", data + rec->data_len,
- transform->maclen);
- MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect,
- transform->maclen);
-
- /* Compare expected MAC with MAC at the end of the record. */
- if (mbedtls_ct_memcmp(data + rec->data_len, mac_expect,
- transform->maclen) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
- ret = MBEDTLS_ERR_SSL_INVALID_MAC;
- goto hmac_failed_etm_enabled;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- auth_done++;
-
-hmac_failed_etm_enabled:
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- ret = PSA_TO_MBEDTLS_ERR(status);
- status = psa_mac_abort(&operation);
- if (ret == 0 && status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- }
-#else
- mbedtls_platform_zeroize(mac_expect, transform->maclen);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- if (ret != 0) {
- if (ret != MBEDTLS_ERR_SSL_INVALID_MAC) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hmac_xxx", ret);
- }
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
-
- /*
- * Check length sanity
- */
-
- /* We know from above that data_len > minlen >= 0,
- * so the following check in particular implies that
- * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
- if (rec->data_len % transform->ivlen != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
- ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
- rec->data_len, transform->ivlen));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /*
- * Initialize for prepended IV for block cipher in TLS v1.2
- */
- /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
- memcpy(transform->iv_dec, data, transform->ivlen);
-
- data += transform->ivlen;
- rec->data_offset += transform->ivlen;
- rec->data_len -= transform->ivlen;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_cipher_decrypt_setup(&cipher_op,
- transform->psa_key_dec, transform->psa_alg);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_decrypt_setup", ret);
- return ret;
- }
-
- status = psa_cipher_set_iv(&cipher_op, transform->iv_dec, transform->ivlen);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
- return ret;
- }
-
- status = psa_cipher_update(&cipher_op,
- data, rec->data_len,
- data, rec->data_len, &olen);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
- return ret;
- }
-
- status = psa_cipher_finish(&cipher_op,
- data + olen, rec->data_len - olen,
- &part_len);
-
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
- return ret;
- }
-
- olen += part_len;
-#else
-
- if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_dec,
- transform->iv_dec, transform->ivlen,
- data, rec->data_len, data, &olen)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- /* Double-check that length hasn't changed during decryption. */
- if (rec->data_len != olen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /* Safe since data_len >= minlen + maclen + 1, so after having
- * subtracted at most minlen and maclen up to this point,
- * data_len > 0 (because of data_len % ivlen == 0, it's actually
- * >= ivlen ). */
- padlen = data[rec->data_len - 1];
-
- if (auth_done == 1) {
- const mbedtls_ct_condition_t ge = mbedtls_ct_uint_ge(
- rec->data_len,
- padlen + 1);
- correct = mbedtls_ct_bool_and(ge, correct);
- padlen = mbedtls_ct_size_if_else_0(ge, padlen);
- } else {
-#if defined(MBEDTLS_SSL_DEBUG_ALL)
- if (rec->data_len < transform->maclen + padlen + 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
- ") < maclen (%" MBEDTLS_PRINTF_SIZET
- ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
- rec->data_len,
- transform->maclen,
- padlen + 1));
- }
-#endif
- const mbedtls_ct_condition_t ge = mbedtls_ct_uint_ge(
- rec->data_len,
- transform->maclen + padlen + 1);
- correct = mbedtls_ct_bool_and(ge, correct);
- padlen = mbedtls_ct_size_if_else_0(ge, padlen);
- }
-
- padlen++;
-
- /* Regardless of the validity of the padding,
- * we have data_len >= padlen here. */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /* The padding check involves a series of up to 256
- * consecutive memory reads at the end of the record
- * plaintext buffer. In order to hide the length and
- * validity of the padding, always perform exactly
- * `min(256,plaintext_len)` reads (but take into account
- * only the last `padlen` bytes for the padding check). */
- size_t pad_count = 0;
- volatile unsigned char * const check = data;
-
- /* Index of first padding byte; it has been ensured above
- * that the subtraction is safe. */
- size_t const padding_idx = rec->data_len - padlen;
- size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
- size_t const start_idx = rec->data_len - num_checks;
- size_t idx;
-
- for (idx = start_idx; idx < rec->data_len; idx++) {
- /* pad_count += (idx >= padding_idx) &&
- * (check[idx] == padlen - 1);
- */
- const mbedtls_ct_condition_t a = mbedtls_ct_uint_ge(idx, padding_idx);
- size_t increment = mbedtls_ct_size_if_else_0(a, 1);
- const mbedtls_ct_condition_t b = mbedtls_ct_uint_eq(check[idx], padlen - 1);
- increment = mbedtls_ct_size_if_else_0(b, increment);
- pad_count += increment;
- }
- correct = mbedtls_ct_bool_and(mbedtls_ct_uint_eq(pad_count, padlen), correct);
-
-#if defined(MBEDTLS_SSL_DEBUG_ALL)
- if (padlen > 0 && correct == MBEDTLS_CT_FALSE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad padding byte detected"));
- }
-#endif
- padlen = mbedtls_ct_size_if_else_0(correct, padlen);
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- /* If the padding was found to be invalid, padlen == 0
- * and the subtraction is safe. If the padding was found valid,
- * padlen hasn't been changed and the previous assertion
- * data_len >= padlen still holds. */
- rec->data_len -= padlen;
- } else
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
-#if defined(MBEDTLS_SSL_DEBUG_ALL)
- MBEDTLS_SSL_DEBUG_BUF(4, "raw buffer after decryption",
- data, rec->data_len);
-#endif
-
- /*
- * Authenticate if not done yet.
- * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
- */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- if (auth_done == 0) {
- unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 };
- unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 };
-
- /* For CBC+MAC, If the initial value of padlen was such that
- * data_len < maclen + padlen + 1, then padlen
- * got reset to 1, and the initial check
- * data_len >= minlen + maclen + 1
- * guarantees that at this point we still
- * have at least data_len >= maclen.
- *
- * If the initial value of padlen was such that
- * data_len >= maclen + padlen + 1, then we have
- * subtracted either padlen + 1 (if the padding was correct)
- * or 0 (if the padding was incorrect) since then,
- * hence data_len >= maclen in any case.
- *
- * For stream ciphers, we checked above that
- * data_len >= maclen.
- */
- rec->data_len -= transform->maclen;
- ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
- transform->tls_version,
- transform->taglen);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /*
- * The next two sizes are the minimum and maximum values of
- * data_len over all padlen values.
- *
- * They're independent of padlen, since we previously did
- * data_len -= padlen.
- *
- * Note that max_len + maclen is never more than the buffer
- * length, as we previously did in_msglen -= maclen too.
- */
- const size_t max_len = rec->data_len + padlen;
- const size_t min_len = (max_len > 256) ? max_len - 256 : 0;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- ret = mbedtls_ct_hmac(transform->psa_mac_dec,
- transform->psa_mac_alg,
- add_data, add_data_len,
- data, rec->data_len, min_len, max_len,
- mac_expect);
-#else
- ret = mbedtls_ct_hmac(&transform->md_ctx_dec,
- add_data, add_data_len,
- data, rec->data_len, min_len, max_len,
- mac_expect);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ct_hmac", ret);
- goto hmac_failed_etm_disabled;
- }
-
- mbedtls_ct_memcpy_offset(mac_peer, data,
- rec->data_len,
- min_len, max_len,
- transform->maclen);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_DEBUG_ALL)
- MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect, transform->maclen);
- MBEDTLS_SSL_DEBUG_BUF(4, "message mac", mac_peer, transform->maclen);
-#endif
-
- if (mbedtls_ct_memcmp(mac_peer, mac_expect,
- transform->maclen) != 0) {
-#if defined(MBEDTLS_SSL_DEBUG_ALL)
- MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
-#endif
- correct = MBEDTLS_CT_FALSE;
- }
- auth_done++;
-
-hmac_failed_etm_disabled:
- mbedtls_platform_zeroize(mac_peer, transform->maclen);
- mbedtls_platform_zeroize(mac_expect, transform->maclen);
- if (ret != 0) {
- return ret;
- }
- }
-
- /*
- * Finally check the correct flag
- */
- if (correct == MBEDTLS_CT_FALSE) {
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
-
- /* Make extra sure authentication was performed, exactly once */
- if (auth_done != 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- /* Remove inner padding and infer true content type. */
- ret = ssl_parse_inner_plaintext(data, &rec->data_len,
- &rec->type);
-
- if (ret != 0) {
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- if (rec->cid_len != 0) {
- ret = ssl_parse_inner_plaintext(data, &rec->data_len,
- &rec->type);
- if (ret != 0) {
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= decrypt buf"));
-
- return 0;
-}
-
-#undef MAC_NONE
-#undef MAC_PLAINTEXT
-#undef MAC_CIPHERTEXT
-
-/*
- * Fill the input message buffer by appending data to it.
- * The amount of data already fetched is in ssl->in_left.
- *
- * If we return 0, is it guaranteed that (at least) nb_want bytes are
- * available (from this read and/or a previous one). Otherwise, an error code
- * is returned (possibly EOF or WANT_READ).
- *
- * With stream transport (TLS) on success ssl->in_left == nb_want, but
- * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
- * since we always read a whole datagram at once.
- *
- * For DTLS, it is up to the caller to set ssl->next_record_offset when
- * they're done reading a record.
- */
-int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t in_buf_len = ssl->in_buf_len;
-#else
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> fetch input"));
-
- if (ssl->f_recv == NULL && ssl->f_recv_timeout == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Bad usage of mbedtls_ssl_set_bio() "));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (nb_want > in_buf_len - (size_t) (ssl->in_hdr - ssl->in_buf)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("requesting more data than fits"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- uint32_t timeout;
-
- /*
- * The point is, we need to always read a full datagram at once, so we
- * sometimes read more then requested, and handle the additional data.
- * It could be the rest of the current record (while fetching the
- * header) and/or some other records in the same datagram.
- */
-
- /*
- * Move to the next record in the already read datagram if applicable
- */
- if (ssl->next_record_offset != 0) {
- if (ssl->in_left < ssl->next_record_offset) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ssl->in_left -= ssl->next_record_offset;
-
- if (ssl->in_left != 0) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("next record in same datagram, offset: %"
- MBEDTLS_PRINTF_SIZET,
- ssl->next_record_offset));
- memmove(ssl->in_hdr,
- ssl->in_hdr + ssl->next_record_offset,
- ssl->in_left);
- }
-
- ssl->next_record_offset = 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
- ", nb_want: %" MBEDTLS_PRINTF_SIZET,
- ssl->in_left, nb_want));
-
- /*
- * Done if we already have enough data.
- */
- if (nb_want <= ssl->in_left) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= fetch input"));
- return 0;
- }
-
- /*
- * A record can't be split across datagrams. If we need to read but
- * are not at the beginning of a new record, the caller did something
- * wrong.
- */
- if (ssl->in_left != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /*
- * Don't even try to read if time's out already.
- * This avoids by-passing the timer when repeatedly receiving messages
- * that will end up being dropped.
- */
- if (mbedtls_ssl_check_timer(ssl) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("timer has expired"));
- ret = MBEDTLS_ERR_SSL_TIMEOUT;
- } else {
- len = in_buf_len - (size_t) (ssl->in_hdr - ssl->in_buf);
-
- if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
- timeout = ssl->handshake->retransmit_timeout;
- } else {
- timeout = ssl->conf->read_timeout;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("f_recv_timeout: %lu ms", (unsigned long) timeout));
-
- if (ssl->f_recv_timeout != NULL) {
- ret = ssl->f_recv_timeout(ssl->p_bio, ssl->in_hdr, len,
- timeout);
- } else {
- ret = ssl->f_recv(ssl->p_bio, ssl->in_hdr, len);
- }
-
- MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_recv(_timeout)", ret);
-
- if (ret == 0) {
- return MBEDTLS_ERR_SSL_CONN_EOF;
- }
- }
-
- if (ret == MBEDTLS_ERR_SSL_TIMEOUT) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("timeout"));
- mbedtls_ssl_set_timer(ssl, 0);
-
- if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
- if (ssl_double_retransmit_timeout(ssl) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("handshake timeout"));
- return MBEDTLS_ERR_SSL_TIMEOUT;
- }
-
- if ((ret = mbedtls_ssl_resend(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend", ret);
- return ret;
- }
-
- return MBEDTLS_ERR_SSL_WANT_READ;
- }
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
- else if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
- ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
- if ((ret = mbedtls_ssl_resend_hello_request(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend_hello_request",
- ret);
- return ret;
- }
-
- return MBEDTLS_ERR_SSL_WANT_READ;
- }
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
- }
-
- if (ret < 0) {
- return ret;
- }
-
- ssl->in_left = ret;
- } else
-#endif
- {
- MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
- ", nb_want: %" MBEDTLS_PRINTF_SIZET,
- ssl->in_left, nb_want));
-
- while (ssl->in_left < nb_want) {
- len = nb_want - ssl->in_left;
-
- if (mbedtls_ssl_check_timer(ssl) != 0) {
- ret = MBEDTLS_ERR_SSL_TIMEOUT;
- } else {
- if (ssl->f_recv_timeout != NULL) {
- ret = ssl->f_recv_timeout(ssl->p_bio,
- ssl->in_hdr + ssl->in_left, len,
- ssl->conf->read_timeout);
- } else {
- ret = ssl->f_recv(ssl->p_bio,
- ssl->in_hdr + ssl->in_left, len);
- }
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
- ", nb_want: %" MBEDTLS_PRINTF_SIZET,
- ssl->in_left, nb_want));
- MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_recv(_timeout)", ret);
-
- if (ret == 0) {
- return MBEDTLS_ERR_SSL_CONN_EOF;
- }
-
- if (ret < 0) {
- return ret;
- }
-
- if ((size_t) ret > len) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET
- " were requested",
- ret, len));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ssl->in_left += ret;
- }
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= fetch input"));
-
- return 0;
-}
-
-/*
- * Flush any data not yet written
- */
-int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *buf;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> flush output"));
-
- if (ssl->f_send == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Bad usage of mbedtls_ssl_set_bio() "));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* Avoid incrementing counter if data is flushed */
- if (ssl->out_left == 0) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= flush output"));
- return 0;
- }
-
- while (ssl->out_left > 0) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("message length: %" MBEDTLS_PRINTF_SIZET
- ", out_left: %" MBEDTLS_PRINTF_SIZET,
- mbedtls_ssl_out_hdr_len(ssl) + ssl->out_msglen, ssl->out_left));
-
- buf = ssl->out_hdr - ssl->out_left;
- ret = ssl->f_send(ssl->p_bio, buf, ssl->out_left);
-
- MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_send", ret);
-
- if (ret <= 0) {
- return ret;
- }
-
- if ((size_t) ret > ssl->out_left) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET
- " bytes were sent",
- ret, ssl->out_left));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ssl->out_left -= ret;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ssl->out_hdr = ssl->out_buf;
- } else
-#endif
- {
- ssl->out_hdr = ssl->out_buf + 8;
- }
- mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= flush output"));
-
- return 0;
-}
-
-/*
- * Functions to handle the DTLS retransmission state machine
- */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-/*
- * Append current handshake message to current outgoing flight
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_flight_append(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_flight_item *msg;
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_flight_append"));
- MBEDTLS_SSL_DEBUG_BUF(4, "message appended to flight",
- ssl->out_msg, ssl->out_msglen);
-
- /* Allocate space for current message */
- if ((msg = mbedtls_calloc(1, sizeof(mbedtls_ssl_flight_item))) == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
- sizeof(mbedtls_ssl_flight_item)));
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- if ((msg->p = mbedtls_calloc(1, ssl->out_msglen)) == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
- ssl->out_msglen));
- mbedtls_free(msg);
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- /* Copy current handshake message with headers */
- memcpy(msg->p, ssl->out_msg, ssl->out_msglen);
- msg->len = ssl->out_msglen;
- msg->type = ssl->out_msgtype;
- msg->next = NULL;
-
- /* Append to the current flight */
- if (ssl->handshake->flight == NULL) {
- ssl->handshake->flight = msg;
- } else {
- mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
- while (cur->next != NULL) {
- cur = cur->next;
- }
- cur->next = msg;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_flight_append"));
- return 0;
-}
-
-/*
- * Free the current flight of handshake messages
- */
-void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight)
-{
- mbedtls_ssl_flight_item *cur = flight;
- mbedtls_ssl_flight_item *next;
-
- while (cur != NULL) {
- next = cur->next;
-
- mbedtls_free(cur->p);
- mbedtls_free(cur);
-
- cur = next;
- }
-}
-
-/*
- * Swap transform_out and out_ctr with the alternative ones
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_swap_epochs(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_transform *tmp_transform;
- unsigned char tmp_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN];
-
- if (ssl->transform_out == ssl->handshake->alt_transform_out) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("skip swap epochs"));
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("swap epochs"));
-
- /* Swap transforms */
- tmp_transform = ssl->transform_out;
- ssl->transform_out = ssl->handshake->alt_transform_out;
- ssl->handshake->alt_transform_out = tmp_transform;
-
- /* Swap epoch + sequence_number */
- memcpy(tmp_out_ctr, ssl->cur_out_ctr, sizeof(tmp_out_ctr));
- memcpy(ssl->cur_out_ctr, ssl->handshake->alt_out_ctr,
- sizeof(ssl->cur_out_ctr));
- memcpy(ssl->handshake->alt_out_ctr, tmp_out_ctr,
- sizeof(ssl->handshake->alt_out_ctr));
-
- /* Adjust to the newly activated transform */
- mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
-
- return 0;
-}
-
-/*
- * Retransmit the current flight of messages.
- */
-int mbedtls_ssl_resend(mbedtls_ssl_context *ssl)
-{
- int ret = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_resend"));
-
- ret = mbedtls_ssl_flight_transmit(ssl);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_resend"));
-
- return ret;
-}
-
-/*
- * Transmit or retransmit the current flight of messages.
- *
- * Need to remember the current message in case flush_output returns
- * WANT_WRITE, causing us to exit this function and come back later.
- * This function must be called until state is no longer SENDING.
- */
-int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_flight_transmit"));
-
- if (ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("initialise flight transmission"));
-
- ssl->handshake->cur_msg = ssl->handshake->flight;
- ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
- ret = ssl_swap_epochs(ssl);
- if (ret != 0) {
- return ret;
- }
-
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
- }
-
- while (ssl->handshake->cur_msg != NULL) {
- size_t max_frag_len;
- const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
-
- int const is_finished =
- (cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
- cur->p[0] == MBEDTLS_SSL_HS_FINISHED);
-
- int const force_flush = ssl->disable_datagram_packing == 1 ?
- SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
-
- /* Swap epochs before sending Finished: we can't do it after
- * sending ChangeCipherSpec, in case write returns WANT_READ.
- * Must be done before copying, may change out_msg pointer */
- if (is_finished && ssl->handshake->cur_msg_p == (cur->p + 12)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("swap epochs to send finished message"));
- ret = ssl_swap_epochs(ssl);
- if (ret != 0) {
- return ret;
- }
- }
-
- ret = ssl_get_remaining_payload_in_datagram(ssl);
- if (ret < 0) {
- return ret;
- }
- max_frag_len = (size_t) ret;
-
- /* CCS is copied as is, while HS messages may need fragmentation */
- if (cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
- if (max_frag_len == 0) {
- if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
- return ret;
- }
-
- continue;
- }
-
- memcpy(ssl->out_msg, cur->p, cur->len);
- ssl->out_msglen = cur->len;
- ssl->out_msgtype = cur->type;
-
- /* Update position inside current message */
- ssl->handshake->cur_msg_p += cur->len;
- } else {
- const unsigned char * const p = ssl->handshake->cur_msg_p;
- const size_t hs_len = cur->len - 12;
- const size_t frag_off = (size_t) (p - (cur->p + 12));
- const size_t rem_len = hs_len - frag_off;
- size_t cur_hs_frag_len, max_hs_frag_len;
-
- if ((max_frag_len < 12) || (max_frag_len == 12 && hs_len != 0)) {
- if (is_finished) {
- ret = ssl_swap_epochs(ssl);
- if (ret != 0) {
- return ret;
- }
- }
-
- if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
- return ret;
- }
-
- continue;
- }
- max_hs_frag_len = max_frag_len - 12;
-
- cur_hs_frag_len = rem_len > max_hs_frag_len ?
- max_hs_frag_len : rem_len;
-
- if (frag_off == 0 && cur_hs_frag_len != hs_len) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("fragmenting handshake message (%u > %u)",
- (unsigned) cur_hs_frag_len,
- (unsigned) max_hs_frag_len));
- }
-
- /* Messages are stored with handshake headers as if not fragmented,
- * copy beginning of headers then fill fragmentation fields.
- * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
- memcpy(ssl->out_msg, cur->p, 6);
-
- ssl->out_msg[6] = MBEDTLS_BYTE_2(frag_off);
- ssl->out_msg[7] = MBEDTLS_BYTE_1(frag_off);
- ssl->out_msg[8] = MBEDTLS_BYTE_0(frag_off);
-
- ssl->out_msg[9] = MBEDTLS_BYTE_2(cur_hs_frag_len);
- ssl->out_msg[10] = MBEDTLS_BYTE_1(cur_hs_frag_len);
- ssl->out_msg[11] = MBEDTLS_BYTE_0(cur_hs_frag_len);
-
- MBEDTLS_SSL_DEBUG_BUF(3, "handshake header", ssl->out_msg, 12);
-
- /* Copy the handshake message content and set records fields */
- memcpy(ssl->out_msg + 12, p, cur_hs_frag_len);
- ssl->out_msglen = cur_hs_frag_len + 12;
- ssl->out_msgtype = cur->type;
-
- /* Update position inside current message */
- ssl->handshake->cur_msg_p += cur_hs_frag_len;
- }
-
- /* If done with the current message move to the next one if any */
- if (ssl->handshake->cur_msg_p >= cur->p + cur->len) {
- if (cur->next != NULL) {
- ssl->handshake->cur_msg = cur->next;
- ssl->handshake->cur_msg_p = cur->next->p + 12;
- } else {
- ssl->handshake->cur_msg = NULL;
- ssl->handshake->cur_msg_p = NULL;
- }
- }
-
- /* Actually send the message out */
- if ((ret = mbedtls_ssl_write_record(ssl, force_flush)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
- return ret;
- }
- }
-
- if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
- return ret;
- }
-
- /* Update state and set timer */
- if (mbedtls_ssl_is_handshake_over(ssl) == 1) {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
- } else {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
- mbedtls_ssl_set_timer(ssl, ssl->handshake->retransmit_timeout);
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_flight_transmit"));
-
- return 0;
-}
-
-/*
- * To be called when the last message of an incoming flight is received.
- */
-void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl)
-{
- /* We won't need to resend that one any more */
- mbedtls_ssl_flight_free(ssl->handshake->flight);
- ssl->handshake->flight = NULL;
- ssl->handshake->cur_msg = NULL;
-
- /* The next incoming flight will start with this msg_seq */
- ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
-
- /* We don't want to remember CCS's across flight boundaries. */
- ssl->handshake->buffering.seen_ccs = 0;
-
- /* Clear future message buffering structure. */
- mbedtls_ssl_buffering_free(ssl);
-
- /* Cancel timer */
- mbedtls_ssl_set_timer(ssl, 0);
-
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
- ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED) {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
- } else {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
- }
-}
-
-/*
- * To be called when the last message of an outgoing flight is send.
- */
-void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl)
-{
- ssl_reset_retransmit_timeout(ssl);
- mbedtls_ssl_set_timer(ssl, ssl->handshake->retransmit_timeout);
-
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
- ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED) {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
- } else {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
- }
-}
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-/*
- * Handshake layer functions
- */
-int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
- unsigned char **buf, size_t *buf_len)
-{
- /*
- * Reserve 4 bytes for handshake header. ( Section 4,RFC 8446 )
- * ...
- * HandshakeType msg_type;
- * uint24 length;
- * ...
- */
- *buf = ssl->out_msg + 4;
- *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
-
- ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->out_msg[0] = hs_type;
-
- return 0;
-}
-
-/*
- * Write (DTLS: or queue) current handshake (including CCS) message.
- *
- * - fill in handshake headers
- * - update handshake checksum
- * - DTLS: save message for resending
- * - then pass to the record layer
- *
- * DTLS: except for HelloRequest, messages are only queued, and will only be
- * actually sent when calling flight_transmit() or resend().
- *
- * Inputs:
- * - ssl->out_msglen: 4 + actual handshake message len
- * (4 is the size of handshake headers for TLS)
- * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
- * - ssl->out_msg + 4: the handshake message body
- *
- * Outputs, ie state before passing to flight_append() or write_record():
- * - ssl->out_msglen: the length of the record contents
- * (including handshake headers but excluding record headers)
- * - ssl->out_msg: the record contents (handshake headers + content)
- */
-int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
- int update_checksum,
- int force_flush)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const size_t hs_len = ssl->out_msglen - 4;
- const unsigned char hs_type = ssl->out_msg[0];
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message"));
-
- /*
- * Sanity checks
- */
- if (ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
- ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /* Whenever we send anything different from a
- * HelloRequest we should be in a handshake - double check. */
- if (!(ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
- hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST) &&
- ssl->handshake == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->handshake != NULL &&
- ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-#endif
-
- /* Double-check that we did not exceed the bounds
- * of the outgoing record buffer.
- * This should never fail as the various message
- * writing functions must obey the bounds of the
- * outgoing record buffer, but better be safe.
- *
- * Note: We deliberately do not check for the MTU or MFL here.
- */
- if (ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: "
- "size %" MBEDTLS_PRINTF_SIZET
- ", maximum %" MBEDTLS_PRINTF_SIZET,
- ssl->out_msglen,
- (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /*
- * Fill handshake headers
- */
- if (ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
- ssl->out_msg[1] = MBEDTLS_BYTE_2(hs_len);
- ssl->out_msg[2] = MBEDTLS_BYTE_1(hs_len);
- ssl->out_msg[3] = MBEDTLS_BYTE_0(hs_len);
-
- /*
- * DTLS has additional fields in the Handshake layer,
- * between the length field and the actual payload:
- * uint16 message_seq;
- * uint24 fragment_offset;
- * uint24 fragment_length;
- */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- /* Make room for the additional DTLS fields */
- if (MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS handshake message too large: "
- "size %" MBEDTLS_PRINTF_SIZET ", maximum %"
- MBEDTLS_PRINTF_SIZET,
- hs_len,
- (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN - 12)));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- memmove(ssl->out_msg + 12, ssl->out_msg + 4, hs_len);
- ssl->out_msglen += 8;
-
- /* Write message_seq and update it, except for HelloRequest */
- if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST) {
- MBEDTLS_PUT_UINT16_BE(ssl->handshake->out_msg_seq, ssl->out_msg, 4);
- ++(ssl->handshake->out_msg_seq);
- } else {
- ssl->out_msg[4] = 0;
- ssl->out_msg[5] = 0;
- }
-
- /* Handshake hashes are computed without fragmentation,
- * so set frag_offset = 0 and frag_len = hs_len for now */
- memset(ssl->out_msg + 6, 0x00, 3);
- memcpy(ssl->out_msg + 9, ssl->out_msg + 1, 3);
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- /* Update running hashes of handshake messages seen */
- if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0) {
- ret = ssl->handshake->update_checksum(ssl, ssl->out_msg,
- ssl->out_msglen);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
- return ret;
- }
- }
- }
-
- /* Either send now, or just save to be sent (and resent) later */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- !(ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
- hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST)) {
- if ((ret = ssl_flight_append(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_flight_append", ret);
- return ret;
- }
- } else
-#endif
- {
- if ((ret = mbedtls_ssl_write_record(ssl, force_flush)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_record", ret);
- return ret;
- }
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write handshake message"));
-
- return 0;
-}
-
-int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
- size_t buf_len, size_t msg_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t msg_with_header_len;
- ((void) buf_len);
-
- /* Add reserved 4 bytes for handshake header */
- msg_with_header_len = msg_len + 4;
- ssl->out_msglen = msg_with_header_len;
- MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_handshake_msg_ext(ssl, 0, 0));
-
-cleanup:
- return ret;
-}
-
-/*
- * Record layer functions
- */
-
-/*
- * Write current record.
- *
- * Uses:
- * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
- * - ssl->out_msglen: length of the record content (excl headers)
- * - ssl->out_msg: record content
- */
-int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush)
-{
- int ret, done = 0;
- size_t len = ssl->out_msglen;
- int flush = force_flush;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write record"));
-
- if (!done) {
- unsigned i;
- size_t protected_record_size;
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t out_buf_len = ssl->out_buf_len;
-#else
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-#endif
- /* Skip writing the record content type to after the encryption,
- * as it may change when using the CID extension. */
- mbedtls_ssl_protocol_version tls_ver = ssl->tls_version;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /* TLS 1.3 still uses the TLS 1.2 version identifier
- * for backwards compatibility. */
- if (tls_ver == MBEDTLS_SSL_VERSION_TLS1_3) {
- tls_ver = MBEDTLS_SSL_VERSION_TLS1_2;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
- mbedtls_ssl_write_version(ssl->out_hdr + 1, ssl->conf->transport,
- tls_ver);
-
- memcpy(ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
- MBEDTLS_PUT_UINT16_BE(len, ssl->out_len, 0);
-
- if (ssl->transform_out != NULL) {
- mbedtls_record rec;
-
- rec.buf = ssl->out_iv;
- rec.buf_len = out_buf_len - (size_t) (ssl->out_iv - ssl->out_buf);
- rec.data_len = ssl->out_msglen;
- rec.data_offset = (size_t) (ssl->out_msg - rec.buf);
-
- memcpy(&rec.ctr[0], ssl->out_ctr, sizeof(rec.ctr));
- mbedtls_ssl_write_version(rec.ver, ssl->conf->transport, tls_ver);
- rec.type = ssl->out_msgtype;
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- /* The CID is set by mbedtls_ssl_encrypt_buf(). */
- rec.cid_len = 0;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec,
- ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
- return ret;
- }
-
- if (rec.data_offset != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /* Update the record content type and CID. */
- ssl->out_msgtype = rec.type;
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- memcpy(ssl->out_cid, rec.cid, rec.cid_len);
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- ssl->out_msglen = len = rec.data_len;
- MBEDTLS_PUT_UINT16_BE(rec.data_len, ssl->out_len, 0);
- }
-
- protected_record_size = len + mbedtls_ssl_out_hdr_len(ssl);
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- /* In case of DTLS, double-check that we don't exceed
- * the remaining space in the datagram. */
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ret = ssl_get_remaining_space_in_datagram(ssl);
- if (ret < 0) {
- return ret;
- }
-
- if (protected_record_size > (size_t) ret) {
- /* Should never happen */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- /* Now write the potentially updated record content type. */
- ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("output record: msgtype = %u, "
- "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
- ssl->out_hdr[0], ssl->out_hdr[1],
- ssl->out_hdr[2], len));
-
- MBEDTLS_SSL_DEBUG_BUF(4, "output record sent to network",
- ssl->out_hdr, protected_record_size);
-
- ssl->out_left += protected_record_size;
- ssl->out_hdr += protected_record_size;
- mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
-
- for (i = 8; i > mbedtls_ssl_ep_len(ssl); i--) {
- if (++ssl->cur_out_ctr[i - 1] != 0) {
- break;
- }
- }
-
- /* The loop goes to its end if the counter is wrapping */
- if (i == mbedtls_ssl_ep_len(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("outgoing message counter would wrap"));
- return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
- }
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- flush == SSL_DONT_FORCE_FLUSH) {
- size_t remaining;
- ret = ssl_get_remaining_payload_in_datagram(ssl);
- if (ret < 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_remaining_payload_in_datagram",
- ret);
- return ret;
- }
-
- remaining = (size_t) ret;
- if (remaining == 0) {
- flush = SSL_FORCE_FLUSH;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("Still %u bytes available in current datagram",
- (unsigned) remaining));
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- if ((flush == SSL_FORCE_FLUSH) &&
- (ret = mbedtls_ssl_flush_output(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write record"));
-
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_hs_is_proper_fragment(mbedtls_ssl_context *ssl)
-{
- if (ssl->in_msglen < ssl->in_hslen ||
- memcmp(ssl->in_msg + 6, "\0\0\0", 3) != 0 ||
- memcmp(ssl->in_msg + 9, ssl->in_msg + 1, 3) != 0) {
- return 1;
- }
- return 0;
-}
-
-static uint32_t ssl_get_hs_frag_len(mbedtls_ssl_context const *ssl)
-{
- return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
-}
-
-static uint32_t ssl_get_hs_frag_off(mbedtls_ssl_context const *ssl)
-{
- return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_hs_header(mbedtls_ssl_context const *ssl)
-{
- uint32_t msg_len, frag_off, frag_len;
-
- msg_len = ssl_get_hs_total_len(ssl);
- frag_off = ssl_get_hs_frag_off(ssl);
- frag_len = ssl_get_hs_frag_len(ssl);
-
- if (frag_off > msg_len) {
- return -1;
- }
-
- if (frag_len > msg_len - frag_off) {
- return -1;
- }
-
- if (frag_len + 12 > ssl->in_msglen) {
- return -1;
- }
-
- return 0;
-}
-
-/*
- * Mark bits in bitmask (used for DTLS HS reassembly)
- */
-static void ssl_bitmask_set(unsigned char *mask, size_t offset, size_t len)
-{
- unsigned int start_bits, end_bits;
-
- start_bits = 8 - (offset % 8);
- if (start_bits != 8) {
- size_t first_byte_idx = offset / 8;
-
- /* Special case */
- if (len <= start_bits) {
- for (; len != 0; len--) {
- mask[first_byte_idx] |= 1 << (start_bits - len);
- }
-
- /* Avoid potential issues with offset or len becoming invalid */
- return;
- }
-
- offset += start_bits; /* Now offset % 8 == 0 */
- len -= start_bits;
-
- for (; start_bits != 0; start_bits--) {
- mask[first_byte_idx] |= 1 << (start_bits - 1);
- }
- }
-
- end_bits = len % 8;
- if (end_bits != 0) {
- size_t last_byte_idx = (offset + len) / 8;
-
- len -= end_bits; /* Now len % 8 == 0 */
-
- for (; end_bits != 0; end_bits--) {
- mask[last_byte_idx] |= 1 << (8 - end_bits);
- }
- }
-
- memset(mask + offset / 8, 0xFF, len / 8);
-}
-
-/*
- * Check that bitmask is full
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_bitmask_check(unsigned char *mask, size_t len)
-{
- size_t i;
-
- for (i = 0; i < len / 8; i++) {
- if (mask[i] != 0xFF) {
- return -1;
- }
- }
-
- for (i = 0; i < len % 8; i++) {
- if ((mask[len / 8] & (1 << (7 - i))) == 0) {
- return -1;
- }
- }
-
- return 0;
-}
-
-/* msg_len does not include the handshake header */
-static size_t ssl_get_reassembly_buffer_size(size_t msg_len,
- unsigned add_bitmap)
-{
- size_t alloc_len;
-
- alloc_len = 12; /* Handshake header */
- alloc_len += msg_len; /* Content buffer */
-
- if (add_bitmap) {
- alloc_len += msg_len / 8 + (msg_len % 8 != 0); /* Bitmap */
-
- }
- return alloc_len;
-}
-
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
-{
- return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
-}
-
-int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
-{
- if (ssl->badmac_seen_or_in_hsfraglen == 0) {
- /* The handshake message must at least include the header.
- * We may not have the full message yet in case of fragmentation.
- * To simplify the code, we insist on having the header (and in
- * particular the handshake message length) in the first
- * fragment. */
- if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
- ssl->in_msglen));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
- " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
- MBEDTLS_PRINTF_SIZET,
- ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));
-
- if (ssl->transform_in != NULL) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:"
- " iv-buf=%d hdr-buf=%d hdr-buf=%d",
- (int) (ssl->in_iv - ssl->in_buf),
- (int) (ssl->in_hdr - ssl->in_buf),
- (int) (ssl->in_msg - ssl->in_buf)));
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned int recv_msg_seq = MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
-
- if (ssl_check_hs_header(ssl) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("invalid handshake header"));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- if (ssl->handshake != NULL &&
- ((mbedtls_ssl_is_handshake_over(ssl) == 0 &&
- recv_msg_seq != ssl->handshake->in_msg_seq) ||
- (mbedtls_ssl_is_handshake_over(ssl) == 1 &&
- ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO))) {
- if (recv_msg_seq > ssl->handshake->in_msg_seq) {
- MBEDTLS_SSL_DEBUG_MSG(2,
- (
- "received future handshake message of sequence number %u (next %u)",
- recv_msg_seq,
- ssl->handshake->in_msg_seq));
- return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
- }
-
- /* Retransmit only on last message from previous flight, to avoid
- * too many retransmissions.
- * Besides, No sane server ever retransmits HelloVerifyRequest */
- if (recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
- ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("received message from last flight, "
- "message_seq = %u, start_of_flight = %u",
- recv_msg_seq,
- ssl->handshake->in_flight_start_seq));
-
- if ((ret = mbedtls_ssl_resend(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend", ret);
- return ret;
- }
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2, ("dropping out-of-sequence message: "
- "message_seq = %u, expected = %u",
- recv_msg_seq,
- ssl->handshake->in_msg_seq));
- }
-
- return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- }
- /* Wait until message completion to increment in_msg_seq */
-
- /* Message reassembly is handled alongside buffering of future
- * messages; the commonality is that both handshake fragments and
- * future messages cannot be forwarded immediately to the
- * handshake logic layer. */
- if (ssl_hs_is_proper_fragment(ssl) == 1) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("found fragmented DTLS handshake message"));
- return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
- }
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- {
- unsigned char *const reassembled_record_start =
- ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- unsigned char *const payload_start =
- reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl);
- unsigned char *payload_end = payload_start + ssl->badmac_seen_or_in_hsfraglen;
- /* How many more bytes we want to have a complete handshake message. */
- const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen;
- /* How many bytes of the current record are part of the first
- * handshake message. There may be more handshake messages (possibly
- * incomplete) in the same record; if so, we leave them after the
- * current record, and ssl_consume_current_message() will take
- * care of consuming the next handshake message. */
- const size_t hs_this_fragment_len =
- ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen;
- (void) hs_this_fragment_len;
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET
- ", %u..%u of %" MBEDTLS_PRINTF_SIZET,
- (ssl->badmac_seen_or_in_hsfraglen != 0 ?
- "subsequent" :
- hs_this_fragment_len == ssl->in_hslen ?
- "sole" :
- "initial"),
- ssl->in_msglen,
- ssl->badmac_seen_or_in_hsfraglen,
- ssl->badmac_seen_or_in_hsfraglen +
- (unsigned) hs_this_fragment_len,
- ssl->in_hslen));
-
- /* Move the received handshake fragment to have the whole message
- * (at least the part received so far) in a single segment at a
- * known offset in the input buffer.
- * - When receiving a non-initial handshake fragment, append it to
- * the initial segment.
- * - Even the initial handshake fragment is moved, if it was
- * encrypted with an explicit IV: decryption leaves the payload
- * after the explicit IV, but here we move it to start where the
- * IV was.
- */
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t const in_buf_len = ssl->in_buf_len;
-#else
- size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
-#endif
- if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("Shouldn't happen: no room to move handshake fragment %"
- MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%"
- MBEDTLS_PRINTF_SIZET ")",
- ssl->in_msglen,
- (void *) ssl->in_msg, (void *) payload_end,
- (void *) ssl->in_buf, in_buf_len));
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
- memmove(payload_end, ssl->in_msg, ssl->in_msglen);
-
- ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen;
- payload_end += ssl->in_msglen;
-
- if (ssl->badmac_seen_or_in_hsfraglen < ssl->in_hslen) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments "
- "%u/%" MBEDTLS_PRINTF_SIZET,
- ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen));
- ssl->in_hdr = payload_end;
- ssl->in_msglen = 0;
- mbedtls_ssl_update_in_pointers(ssl);
- return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- } else {
- ssl->in_msglen = ssl->badmac_seen_or_in_hsfraglen;
- ssl->badmac_seen_or_in_hsfraglen = 0;
- ssl->in_hdr = reassembled_record_start;
- mbedtls_ssl_update_in_pointers(ssl);
-
- /* Update the record length in the fully reassembled record */
- if (ssl->in_msglen > 0xffff) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("Shouldn't happen: in_msglen=%"
- MBEDTLS_PRINTF_SIZET " > 0xffff",
- ssl->in_msglen));
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
- MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
-
- size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen;
- (void) record_len;
- MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
- ssl->in_hdr, record_len);
- if (ssl->in_hslen < ssl->in_msglen) {
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("More handshake messages in the record: "
- "%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET,
- ssl->in_hslen,
- ssl->in_msglen - ssl->in_hslen));
- }
- }
- }
-
- return 0;
-}
-
-int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
-
- if (mbedtls_ssl_is_handshake_over(ssl) == 0 && hs != NULL) {
- ret = ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
- return ret;
- }
- }
-
- /* Handshake message is complete, increment counter */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->handshake != NULL) {
- unsigned offset;
- mbedtls_ssl_hs_buffer *hs_buf;
-
- /* Increment handshake sequence number */
- hs->in_msg_seq++;
-
- /*
- * Clear up handshake buffering and reassembly structure.
- */
-
- /* Free first entry */
- ssl_buffering_free_slot(ssl, 0);
-
- /* Shift all other entries */
- for (offset = 0, hs_buf = &hs->buffering.hs[0];
- offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
- offset++, hs_buf++) {
- *hs_buf = *(hs_buf + 1);
- }
-
- /* Create a fresh last entry */
- memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
- }
-#endif
- return 0;
-}
-
-/*
- * DTLS anti-replay: RFC 6347 4.1.2.6
- *
- * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
- * Bit n is set iff record number in_window_top - n has been seen.
- *
- * Usually, in_window_top is the last record number seen and the lsb of
- * in_window is set. The only exception is the initial state (record number 0
- * not seen yet).
- */
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl)
-{
- ssl->in_window_top = 0;
- ssl->in_window = 0;
-}
-
-static inline uint64_t ssl_load_six_bytes(unsigned char *buf)
-{
- return ((uint64_t) buf[0] << 40) |
- ((uint64_t) buf[1] << 32) |
- ((uint64_t) buf[2] << 24) |
- ((uint64_t) buf[3] << 16) |
- ((uint64_t) buf[4] << 8) |
- ((uint64_t) buf[5]);
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int mbedtls_ssl_dtls_record_replay_check(mbedtls_ssl_context *ssl, uint8_t *record_in_ctr)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *original_in_ctr;
-
- // save original in_ctr
- original_in_ctr = ssl->in_ctr;
-
- // use counter from record
- ssl->in_ctr = record_in_ctr;
-
- ret = mbedtls_ssl_dtls_replay_check((mbedtls_ssl_context const *) ssl);
-
- // restore the counter
- ssl->in_ctr = original_in_ctr;
-
- return ret;
-}
-
-/*
- * Return 0 if sequence number is acceptable, -1 otherwise
- */
-int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl)
-{
- uint64_t rec_seqnum = ssl_load_six_bytes(ssl->in_ctr + 2);
- uint64_t bit;
-
- if (ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED) {
- return 0;
- }
-
- if (rec_seqnum > ssl->in_window_top) {
- return 0;
- }
-
- bit = ssl->in_window_top - rec_seqnum;
-
- if (bit >= 64) {
- return -1;
- }
-
- if ((ssl->in_window & ((uint64_t) 1 << bit)) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-/*
- * Update replay window on new validated record
- */
-void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl)
-{
- uint64_t rec_seqnum = ssl_load_six_bytes(ssl->in_ctr + 2);
-
- if (ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED) {
- return;
- }
-
- if (rec_seqnum > ssl->in_window_top) {
- /* Update window_top and the contents of the window */
- uint64_t shift = rec_seqnum - ssl->in_window_top;
-
- if (shift >= 64) {
- ssl->in_window = 1;
- } else {
- ssl->in_window <<= shift;
- ssl->in_window |= 1;
- }
-
- ssl->in_window_top = rec_seqnum;
- } else {
- /* Mark that number as seen in the current window */
- uint64_t bit = ssl->in_window_top - rec_seqnum;
-
- if (bit < 64) { /* Always true, but be extra sure */
- ssl->in_window |= (uint64_t) 1 << bit;
- }
- }
-}
-#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
-
-#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
-/*
- * Check if a datagram looks like a ClientHello with a valid cookie,
- * and if it doesn't, generate a HelloVerifyRequest message.
- * Both input and output include full DTLS headers.
- *
- * - if cookie is valid, return 0
- * - if ClientHello looks superficially valid but cookie is not,
- * fill obuf and set olen, then
- * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
- * - otherwise return a specific error code
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-MBEDTLS_STATIC_TESTABLE
-int mbedtls_ssl_check_dtls_clihlo_cookie(
- mbedtls_ssl_context *ssl,
- const unsigned char *cli_id, size_t cli_id_len,
- const unsigned char *in, size_t in_len,
- unsigned char *obuf, size_t buf_len, size_t *olen)
-{
- size_t sid_len, cookie_len, epoch, fragment_offset;
- unsigned char *p;
-
- /*
- * Structure of ClientHello with record and handshake headers,
- * and expected values. We don't need to check a lot, more checks will be
- * done when actually parsing the ClientHello - skipping those checks
- * avoids code duplication and does not make cookie forging any easier.
- *
- * 0-0 ContentType type; copied, must be handshake
- * 1-2 ProtocolVersion version; copied
- * 3-4 uint16 epoch; copied, must be 0
- * 5-10 uint48 sequence_number; copied
- * 11-12 uint16 length; (ignored)
- *
- * 13-13 HandshakeType msg_type; (ignored)
- * 14-16 uint24 length; (ignored)
- * 17-18 uint16 message_seq; copied
- * 19-21 uint24 fragment_offset; copied, must be 0
- * 22-24 uint24 fragment_length; (ignored)
- *
- * 25-26 ProtocolVersion client_version; (ignored)
- * 27-58 Random random; (ignored)
- * 59-xx SessionID session_id; 1 byte len + sid_len content
- * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
- * ...
- *
- * Minimum length is 61 bytes.
- */
- MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: in_len=%u",
- (unsigned) in_len));
- MBEDTLS_SSL_DEBUG_BUF(4, "cli_id", cli_id, cli_id_len);
- if (in_len < 61) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: record too short"));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- epoch = MBEDTLS_GET_UINT16_BE(in, 3);
- fragment_offset = MBEDTLS_GET_UINT24_BE(in, 19);
-
- if (in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || epoch != 0 ||
- fragment_offset != 0) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: not a good ClientHello"));
- MBEDTLS_SSL_DEBUG_MSG(4, (" type=%u epoch=%u fragment_offset=%u",
- in[0], (unsigned) epoch,
- (unsigned) fragment_offset));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- sid_len = in[59];
- if (59 + 1 + sid_len + 1 > in_len) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: sid_len=%u > %u",
- (unsigned) sid_len,
- (unsigned) in_len - 61));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- MBEDTLS_SSL_DEBUG_BUF(4, "sid received from network",
- in + 60, sid_len);
-
- cookie_len = in[60 + sid_len];
- if (59 + 1 + sid_len + 1 + cookie_len > in_len) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: cookie_len=%u > %u",
- (unsigned) cookie_len,
- (unsigned) (in_len - sid_len - 61)));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(4, "cookie received from network",
- in + sid_len + 61, cookie_len);
- if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
- in + sid_len + 61, cookie_len,
- cli_id, cli_id_len) == 0) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: valid"));
- return 0;
- }
-
- /*
- * If we get here, we've got an invalid cookie, let's prepare HVR.
- *
- * 0-0 ContentType type; copied
- * 1-2 ProtocolVersion version; copied
- * 3-4 uint16 epoch; copied
- * 5-10 uint48 sequence_number; copied
- * 11-12 uint16 length; olen - 13
- *
- * 13-13 HandshakeType msg_type; hello_verify_request
- * 14-16 uint24 length; olen - 25
- * 17-18 uint16 message_seq; copied
- * 19-21 uint24 fragment_offset; copied
- * 22-24 uint24 fragment_length; olen - 25
- *
- * 25-26 ProtocolVersion server_version; 0xfe 0xff
- * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
- *
- * Minimum length is 28.
- */
- if (buf_len < 28) {
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- /* Copy most fields and adapt others */
- memcpy(obuf, in, 25);
- obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
- obuf[25] = 0xfe;
- obuf[26] = 0xff;
-
- /* Generate and write actual cookie */
- p = obuf + 28;
- if (ssl->conf->f_cookie_write(ssl->conf->p_cookie,
- &p, obuf + buf_len,
- cli_id, cli_id_len) != 0) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- *olen = (size_t) (p - obuf);
-
- /* Go back and fill length fields */
- obuf[27] = (unsigned char) (*olen - 28);
-
- obuf[14] = obuf[22] = MBEDTLS_BYTE_2(*olen - 25);
- obuf[15] = obuf[23] = MBEDTLS_BYTE_1(*olen - 25);
- obuf[16] = obuf[24] = MBEDTLS_BYTE_0(*olen - 25);
-
- MBEDTLS_PUT_UINT16_BE(*olen - 13, obuf, 11);
-
- return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
-}
-
-/*
- * Handle possible client reconnect with the same UDP quadruplet
- * (RFC 6347 Section 4.2.8).
- *
- * Called by ssl_parse_record_header() in case we receive an epoch 0 record
- * that looks like a ClientHello.
- *
- * - if the input looks like a ClientHello without cookies,
- * send back HelloVerifyRequest, then return 0
- * - if the input looks like a ClientHello with a valid cookie,
- * reset the session of the current context, and
- * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
- * - if anything goes wrong, return a specific error code
- *
- * This function is called (through ssl_check_client_reconnect()) when an
- * unexpected record is found in ssl_get_next_record(), which will discard the
- * record if we return 0, and bubble up the return value otherwise (this
- * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
- * errors, and is the right thing to do in both cases).
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_handle_possible_reconnect(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len = 0;
-
- if (ssl->conf->f_cookie_write == NULL ||
- ssl->conf->f_cookie_check == NULL) {
- /* If we can't use cookies to verify reachability of the peer,
- * drop the record. */
- MBEDTLS_SSL_DEBUG_MSG(1, ("no cookie callbacks, "
- "can't check reconnect validity"));
- return 0;
- }
-
- ret = mbedtls_ssl_check_dtls_clihlo_cookie(
- ssl,
- ssl->cli_id, ssl->cli_id_len,
- ssl->in_buf, ssl->in_left,
- ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len);
-
- MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_ssl_check_dtls_clihlo_cookie", ret);
-
- if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
- int send_ret;
- MBEDTLS_SSL_DEBUG_MSG(1, ("sending HelloVerifyRequest"));
- MBEDTLS_SSL_DEBUG_BUF(4, "output record sent to network",
- ssl->out_buf, len);
- /* Don't check write errors as we can't do anything here.
- * If the error is permanent we'll catch it later,
- * if it's not, then hopefully it'll work next time. */
- send_ret = ssl->f_send(ssl->p_bio, ssl->out_buf, len);
- MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_send", send_ret);
- (void) send_ret;
-
- return 0;
- }
-
- if (ret == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("cookie is valid, resetting context"));
- if ((ret = mbedtls_ssl_session_reset_int(ssl, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "reset", ret);
- return ret;
- }
-
- return MBEDTLS_ERR_SSL_CLIENT_RECONNECT;
- }
-
- return ret;
-}
-#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_record_type(uint8_t record_type)
-{
- if (record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
- record_type != MBEDTLS_SSL_MSG_ALERT &&
- record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
- record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- return 0;
-}
-
-/*
- * ContentType type;
- * ProtocolVersion version;
- * uint16 epoch; // DTLS only
- * uint48 sequence_number; // DTLS only
- * uint16 length;
- *
- * Return 0 if header looks sane (and, for DTLS, the record is expected)
- * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
- * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
- *
- * With DTLS, mbedtls_ssl_read_record() will:
- * 1. proceed with the record if this function returns 0
- * 2. drop only the current record if this function returns UNEXPECTED_RECORD
- * 3. return CLIENT_RECONNECT if this function return that value
- * 4. drop the whole datagram if this function returns anything else.
- * Point 2 is needed when the peer is resending, and we have already received
- * the first record from a datagram but are still waiting for the others.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
- unsigned char *buf,
- size_t len,
- mbedtls_record *rec)
-{
- mbedtls_ssl_protocol_version tls_version;
-
- size_t const rec_hdr_type_offset = 0;
- size_t const rec_hdr_type_len = 1;
-
- size_t const rec_hdr_version_offset = rec_hdr_type_offset +
- rec_hdr_type_len;
- size_t const rec_hdr_version_len = 2;
-
- size_t const rec_hdr_ctr_len = 8;
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- uint32_t rec_epoch;
- size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
- rec_hdr_version_len;
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
- rec_hdr_ctr_len;
- size_t rec_hdr_cid_len = 0;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- size_t rec_hdr_len_offset; /* To be determined */
- size_t const rec_hdr_len_len = 2;
-
- /*
- * Check minimum lengths for record header.
- */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- {
- rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
- }
-
- if (len < rec_hdr_len_offset + rec_hdr_len_len) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- (
- "datagram of length %u too small to hold DTLS record header of length %u",
- (unsigned) len,
- (unsigned) (rec_hdr_len_len + rec_hdr_len_len)));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- /*
- * Parse and validate record content type
- */
-
- rec->type = buf[rec_hdr_type_offset];
-
- /* Check record content type */
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- rec->cid_len = 0;
-
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->conf->cid_len != 0 &&
- rec->type == MBEDTLS_SSL_MSG_CID) {
- /* Shift pointers to account for record header including CID
- * struct {
- * ContentType outer_type = tls12_cid;
- * ProtocolVersion version;
- * uint16 epoch;
- * uint48 sequence_number;
- * opaque cid[cid_length]; // Additional field compared to
- * // default DTLS record format
- * uint16 length;
- * opaque enc_content[DTLSCiphertext.length];
- * } DTLSCiphertext;
- */
-
- /* So far, we only support static CID lengths
- * fixed in the configuration. */
- rec_hdr_cid_len = ssl->conf->cid_len;
- rec_hdr_len_offset += rec_hdr_cid_len;
-
- if (len < rec_hdr_len_offset + rec_hdr_len_len) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- (
- "datagram of length %u too small to hold DTLS record header including CID, length %u",
- (unsigned) len,
- (unsigned) (rec_hdr_len_offset + rec_hdr_len_len)));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- /* configured CID len is guaranteed at most 255, see
- * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
- rec->cid_len = (uint8_t) rec_hdr_cid_len;
- memcpy(rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len);
- } else
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- {
- if (ssl_check_record_type(rec->type)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("unknown record type %u",
- (unsigned) rec->type));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
- }
-
- /*
- * Parse and validate record version
- */
- rec->ver[0] = buf[rec_hdr_version_offset + 0];
- rec->ver[1] = buf[rec_hdr_version_offset + 1];
- tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(
- buf + rec_hdr_version_offset,
- ssl->conf->transport);
-
- if (tls_version > ssl->conf->max_tls_version) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("TLS version mismatch: got %u, expected max %u",
- (unsigned) tls_version,
- (unsigned) ssl->conf->max_tls_version));
-
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
- /*
- * Parse/Copy record sequence number.
- */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- /* Copy explicit record sequence number from input buffer. */
- memcpy(&rec->ctr[0], buf + rec_hdr_ctr_offset,
- rec_hdr_ctr_len);
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- {
- /* Copy implicit record sequence number from SSL context structure. */
- memcpy(&rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len);
- }
-
- /*
- * Parse record length.
- */
-
- rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
- rec->data_len = MBEDTLS_GET_UINT16_BE(buf, rec_hdr_len_offset);
- MBEDTLS_SSL_DEBUG_BUF(4, "input record header", buf, rec->data_offset);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("input record: msgtype = %u, "
- "version = [0x%x], msglen = %" MBEDTLS_PRINTF_SIZET,
- rec->type, (unsigned) tls_version, rec->data_len));
-
- rec->buf = buf;
- rec->buf_len = rec->data_offset + rec->data_len;
-
- if (rec->data_len == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("rejecting empty record"));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- /*
- * DTLS-related tests.
- * Check epoch before checking length constraint because
- * the latter varies with the epoch. E.g., if a ChangeCipherSpec
- * message gets duplicated before the corresponding Finished message,
- * the second ChangeCipherSpec should be discarded because it belongs
- * to an old epoch, but not because its length is shorter than
- * the minimum record length for packets using the new record transform.
- * Note that these two kinds of failures are handled differently,
- * as an unexpected record is silently skipped but an invalid
- * record leads to the entire datagram being dropped.
- */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- rec_epoch = MBEDTLS_GET_UINT16_BE(rec->ctr, 0);
-
- /* Check that the datagram is large enough to contain a record
- * of the advertised length. */
- if (len < rec->data_offset + rec->data_len) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- (
- "Datagram of length %u too small to contain record of advertised length %u.",
- (unsigned) len,
- (unsigned) (rec->data_offset + rec->data_len)));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- /* Records from other, non-matching epochs are silently discarded.
- * (The case of same-port Client reconnects must be considered in
- * the caller). */
- if (rec_epoch != ssl->in_epoch) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("record from another epoch: "
- "expected %u, received %lu",
- ssl->in_epoch, (unsigned long) rec_epoch));
-
- /* Records from the next epoch are considered for buffering
- * (concretely: early Finished messages). */
- if (rec_epoch == (unsigned) ssl->in_epoch + 1) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Consider record for buffering"));
- return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
- }
-
- return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
- }
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
- /* For records from the correct epoch, check whether their
- * sequence number has been seen before. */
- else if (mbedtls_ssl_dtls_record_replay_check((mbedtls_ssl_context *) ssl,
- &rec->ctr[0]) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record"));
- return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
- }
-#endif
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- return 0;
-}
-
-
-#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_client_reconnect(mbedtls_ssl_context *ssl)
-{
- unsigned int rec_epoch = MBEDTLS_GET_UINT16_BE(ssl->in_ctr, 0);
-
- /*
- * Check for an epoch 0 ClientHello. We can't use in_msg here to
- * access the first byte of record content (handshake type), as we
- * have an active transform (possibly iv_len != 0), so use the
- * fact that the record header len is 13 instead.
- */
- if (rec_epoch == 0 &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
- mbedtls_ssl_is_handshake_over(ssl) == 1 &&
- ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
- ssl->in_left > 13 &&
- ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("possible client reconnect "
- "from the same port"));
- return ssl_handle_possible_reconnect(ssl);
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
-
-/*
- * If applicable, decrypt record content
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
- mbedtls_record *rec)
-{
- int ret, done = 0;
-
- MBEDTLS_SSL_DEBUG_BUF(4, "input record from network",
- rec->buf, rec->buf_len);
-
- /*
- * In TLS 1.3, always treat ChangeCipherSpec records
- * as unencrypted. The only thing we do with them is
- * check the length and content and ignore them.
- */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->transform_in != NULL &&
- ssl->transform_in->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- if (rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
- done = 1;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- if (!done && ssl->transform_in != NULL) {
- unsigned char const old_msg_type = rec->type;
-
- if ((ret = mbedtls_ssl_decrypt_buf(ssl, ssl->transform_in,
- rec)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
- /*
- * Although the server rejected early data, it might receive early
- * data as long as it has not received the client Finished message.
- * It is encrypted with early keys and should be ignored as stated
- * in section 4.2.10 of RFC 8446:
- *
- * "Ignore the extension and return a regular 1-RTT response. The
- * server then skips past early data by attempting to deprotect
- * received records using the handshake traffic key, discarding
- * records which fail deprotection (up to the configured
- * max_early_data_size). Once a record is deprotected successfully,
- * it is treated as the start of the client's second flight and the
- * server proceeds as with an ordinary 1-RTT handshake."
- */
- if ((old_msg_type == MBEDTLS_SSL_MSG_APPLICATION_DATA) &&
- (ssl->discard_early_data_record ==
- MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
- MBEDTLS_SSL_DEBUG_MSG(
- 3, ("EarlyData: deprotect and discard app data records."));
-
- ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
- if (ret != 0) {
- return ret;
- }
- ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- }
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
- ssl->conf->ignore_unexpected_cid
- == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("ignoring unexpected CID"));
- ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- /*
- * The decryption of the record failed, no reason to ignore it,
- * return in error with the decryption error code.
- */
- return ret;
- }
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
- /*
- * If the server were discarding protected records that it fails to
- * deprotect because it has rejected early data, as we have just
- * deprotected successfully a record, the server has to resume normal
- * operation and fail the connection if the deprotection of a record
- * fails.
- */
- if (ssl->discard_early_data_record ==
- MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD) {
- ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
- }
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
-
- if (old_msg_type != rec->type) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("record type after decrypt (before %d): %d",
- old_msg_type, rec->type));
- }
-
- MBEDTLS_SSL_DEBUG_BUF(4, "input payload after decrypt",
- rec->buf + rec->data_offset, rec->data_len);
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- /* We have already checked the record content type
- * in ssl_parse_record_header(), failing or silently
- * dropping the record in the case of an unknown type.
- *
- * Since with the use of CIDs, the record content type
- * might change during decryption, re-check the record
- * content type, but treat a failure as fatal this time. */
- if (ssl_check_record_type(rec->type)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("unknown record type"));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- if (rec->data_len == 0) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2
- && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
- /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
- MBEDTLS_SSL_DEBUG_MSG(1, ("invalid zero-length message type: %d", ssl->in_msgtype));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- ssl->nb_zero++;
-
- /*
- * Three or more empty messages may be a DoS attack
- * (excessive CPU consumption).
- */
- if (ssl->nb_zero > 3) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("received four consecutive empty "
- "messages, possible DoS attack"));
- /* Treat the records as if they were not properly authenticated,
- * thereby failing the connection if we see more than allowed
- * by the configured bad MAC threshold. */
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
- } else {
- ssl->nb_zero = 0;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ; /* in_ctr read from peer, not maintained internally */
- } else
-#endif
- {
- unsigned i;
- for (i = MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- i > mbedtls_ssl_ep_len(ssl); i--) {
- if (++ssl->in_ctr[i - 1] != 0) {
- break;
- }
- }
-
- /* The loop goes to its end iff the counter is wrapping */
- if (i == mbedtls_ssl_ep_len(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("incoming message counter would wrap"));
- return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
- }
- }
-
- }
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
- /*
- * Although the server rejected early data because it needed to send an
- * HelloRetryRequest message, it might receive early data as long as it has
- * not received the client Finished message.
- * The early data is encrypted with early keys and should be ignored as
- * stated in section 4.2.10 of RFC 8446 (second case):
- *
- * "The server then ignores early data by skipping all records with an
- * external content type of "application_data" (indicating that they are
- * encrypted), up to the configured max_early_data_size. Ignore application
- * data message before 2nd ClientHello when early_data was received in 1st
- * ClientHello."
- */
- if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) {
- if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
-
- ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
- if (ret != 0) {
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(
- 3, ("EarlyData: Ignore application message before 2nd ClientHello"));
-
- return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
- ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
- }
- }
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- mbedtls_ssl_dtls_replay_update(ssl);
- }
-#endif
-
- /* Check actual (decrypted) record content length against
- * configured maximum. */
- if (rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad message length"));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- return 0;
-}
-
-/*
- * Read a record.
- *
- * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
- * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
- *
- */
-
-/* Helper functions for mbedtls_ssl_read_record(). */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_consume_current_message(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_get_next_record(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_record_is_in_progress(mbedtls_ssl_context *ssl);
-
-int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
- unsigned update_hs_digest)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> read record"));
-
- if (ssl->keep_current_message == 0) {
- do {
-
- ret = ssl_consume_current_message(ssl);
- if (ret != 0) {
- return ret;
- }
-
- if (ssl_record_is_in_progress(ssl) == 0) {
- int dtls_have_buffered = 0;
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-
- /* We only check for buffered messages if the
- * current datagram is fully consumed. */
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl_next_record_is_in_datagram(ssl) == 0) {
- if (ssl_load_buffered_message(ssl) == 0) {
- dtls_have_buffered = 1;
- }
- }
-
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- if (dtls_have_buffered == 0) {
- ret = ssl_get_next_record(ssl);
- if (ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) {
- continue;
- }
-
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, ("ssl_get_next_record"), ret);
- return ret;
- }
- }
- }
-
- ret = mbedtls_ssl_handle_message_type(ssl);
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
- /* Buffer future message */
- ret = ssl_buffer_message(ssl);
- if (ret != 0) {
- return ret;
- }
-
- ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- } while (MBEDTLS_ERR_SSL_NON_FATAL == ret ||
- MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret);
-
- if (0 != ret) {
- MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_handle_message_type"), ret);
- return ret;
- }
-
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
- update_hs_digest == 1) {
- ret = mbedtls_ssl_update_handshake_status(ssl);
- if (0 != ret) {
- MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
- return ret;
- }
- }
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2, ("reuse previously read message"));
- ssl->keep_current_message = 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= read record"));
-
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_next_record_is_in_datagram(mbedtls_ssl_context *ssl)
-{
- if (ssl->in_left > ssl->next_record_offset) {
- return 1;
- }
-
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_load_buffered_message(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
- mbedtls_ssl_hs_buffer *hs_buf;
- int ret = 0;
-
- if (hs == NULL) {
- return -1;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_load_buffered_message"));
-
- if (ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
- ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC) {
- /* Check if we have seen a ChangeCipherSpec before.
- * If yes, synthesize a CCS record. */
- if (!hs->buffering.seen_ccs) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("CCS not seen in the current flight"));
- ret = -1;
- goto exit;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("Injecting buffered CCS message"));
- ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
- ssl->in_msglen = 1;
- ssl->in_msg[0] = 1;
-
- /* As long as they are equal, the exact value doesn't matter. */
- ssl->in_left = 0;
- ssl->next_record_offset = 0;
-
- hs->buffering.seen_ccs = 0;
- goto exit;
- }
-
-#if defined(MBEDTLS_DEBUG_C)
- /* Debug only */
- {
- unsigned offset;
- for (offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++) {
- hs_buf = &hs->buffering.hs[offset];
- if (hs_buf->is_valid == 1) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Future message with sequence number %u %s buffered.",
- hs->in_msg_seq + offset,
- hs_buf->is_complete ? "fully" : "partially"));
- }
- }
- }
-#endif /* MBEDTLS_DEBUG_C */
-
- /* Check if we have buffered and/or fully reassembled the
- * next handshake message. */
- hs_buf = &hs->buffering.hs[0];
- if ((hs_buf->is_valid == 1) && (hs_buf->is_complete == 1)) {
- /* Synthesize a record containing the buffered HS message. */
- size_t msg_len = MBEDTLS_GET_UINT24_BE(hs_buf->data, 1);
-
- /* Double-check that we haven't accidentally buffered
- * a message that doesn't fit into the input buffer. */
- if (msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("Next handshake message has been buffered - load"));
- MBEDTLS_SSL_DEBUG_BUF(3, "Buffered handshake message (incl. header)",
- hs_buf->data, msg_len + 12);
-
- ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->in_hslen = msg_len + 12;
- ssl->in_msglen = msg_len + 12;
- memcpy(ssl->in_msg, hs_buf->data, ssl->in_hslen);
-
- ret = 0;
- goto exit;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Next handshake message %u not or only partially buffered",
- hs->in_msg_seq));
- }
-
- ret = -1;
-
-exit:
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_load_buffered_message"));
- return ret;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_buffer_make_space(mbedtls_ssl_context *ssl,
- size_t desired)
-{
- int offset;
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
- MBEDTLS_SSL_DEBUG_MSG(2, ("Attempt to free buffered messages to have %u bytes available",
- (unsigned) desired));
-
- /* Get rid of future records epoch first, if such exist. */
- ssl_free_buffered_record(ssl);
-
- /* Check if we have enough space available now. */
- if (desired <= (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
- hs->buffering.total_bytes_buffered)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Enough space available after freeing future epoch record"));
- return 0;
- }
-
- /* We don't have enough space to buffer the next expected handshake
- * message. Remove buffers used for future messages to gain space,
- * starting with the most distant one. */
- for (offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
- offset >= 0; offset--) {
- MBEDTLS_SSL_DEBUG_MSG(2,
- (
- "Free buffering slot %d to make space for reassembly of next handshake message",
- offset));
-
- ssl_buffering_free_slot(ssl, (uint8_t) offset);
-
- /* Check if we have enough space available now. */
- if (desired <= (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
- hs->buffering.total_bytes_buffered)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Enough space available after freeing buffered HS messages"));
- return 0;
- }
- }
-
- return -1;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_buffer_message(mbedtls_ssl_context *ssl)
-{
- int ret = 0;
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
-
- if (hs == NULL) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_buffer_message"));
-
- switch (ssl->in_msgtype) {
- case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
- MBEDTLS_SSL_DEBUG_MSG(2, ("Remember CCS message"));
-
- hs->buffering.seen_ccs = 1;
- break;
-
- case MBEDTLS_SSL_MSG_HANDSHAKE:
- {
- unsigned recv_msg_seq_offset;
- unsigned recv_msg_seq = MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
- mbedtls_ssl_hs_buffer *hs_buf;
- size_t msg_len = ssl->in_hslen - 12;
-
- /* We should never receive an old handshake
- * message - double-check nonetheless. */
- if (recv_msg_seq < ssl->handshake->in_msg_seq) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
- if (recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS) {
- /* Silently ignore -- message too far in the future */
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("Ignore future HS message with sequence number %u, "
- "buffering window %u - %u",
- recv_msg_seq, ssl->handshake->in_msg_seq,
- ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS -
- 1));
-
- goto exit;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering HS message with sequence number %u, offset %u ",
- recv_msg_seq, recv_msg_seq_offset));
-
- hs_buf = &hs->buffering.hs[recv_msg_seq_offset];
-
- /* Check if the buffering for this seq nr has already commenced. */
- if (!hs_buf->is_valid) {
- size_t reassembly_buf_sz;
-
- hs_buf->is_fragmented =
- (ssl_hs_is_proper_fragment(ssl) == 1);
-
- /* We copy the message back into the input buffer
- * after reassembly, so check that it's not too large.
- * This is an implementation-specific limitation
- * and not one from the standard, hence it is not
- * checked in ssl_check_hs_header(). */
- if (msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN) {
- /* Ignore message */
- goto exit;
- }
-
- /* Check if we have enough space to buffer the message. */
- if (hs->buffering.total_bytes_buffered >
- MBEDTLS_SSL_DTLS_MAX_BUFFERING) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- reassembly_buf_sz = ssl_get_reassembly_buffer_size(msg_len,
- hs_buf->is_fragmented);
-
- if (reassembly_buf_sz > (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
- hs->buffering.total_bytes_buffered)) {
- if (recv_msg_seq_offset > 0) {
- /* If we can't buffer a future message because
- * of space limitations -- ignore. */
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("Buffering of future message of size %"
- MBEDTLS_PRINTF_SIZET
- " would exceed the compile-time limit %"
- MBEDTLS_PRINTF_SIZET
- " (already %" MBEDTLS_PRINTF_SIZET
- " bytes buffered) -- ignore\n",
- msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- hs->buffering.total_bytes_buffered));
- goto exit;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("Buffering of future message of size %"
- MBEDTLS_PRINTF_SIZET
- " would exceed the compile-time limit %"
- MBEDTLS_PRINTF_SIZET
- " (already %" MBEDTLS_PRINTF_SIZET
- " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
- msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- hs->buffering.total_bytes_buffered));
- }
-
- if (ssl_buffer_make_space(ssl, reassembly_buf_sz) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("Reassembly of next message of size %"
- MBEDTLS_PRINTF_SIZET
- " (%" MBEDTLS_PRINTF_SIZET
- " with bitmap) would exceed"
- " the compile-time limit %"
- MBEDTLS_PRINTF_SIZET
- " (already %" MBEDTLS_PRINTF_SIZET
- " bytes buffered) -- fail\n",
- msg_len,
- reassembly_buf_sz,
- (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- hs->buffering.total_bytes_buffered));
- ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- goto exit;
- }
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("initialize reassembly, total length = %"
- MBEDTLS_PRINTF_SIZET,
- msg_len));
-
- hs_buf->data = mbedtls_calloc(1, reassembly_buf_sz);
- if (hs_buf->data == NULL) {
- ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
- goto exit;
- }
- hs_buf->data_len = reassembly_buf_sz;
-
- /* Prepare final header: copy msg_type, length and message_seq,
- * then add standardised fragment_offset and fragment_length */
- memcpy(hs_buf->data, ssl->in_msg, 6);
- memset(hs_buf->data + 6, 0, 3);
- memcpy(hs_buf->data + 9, hs_buf->data + 1, 3);
-
- hs_buf->is_valid = 1;
-
- hs->buffering.total_bytes_buffered += reassembly_buf_sz;
- } else {
- /* Make sure msg_type and length are consistent */
- if (memcmp(hs_buf->data, ssl->in_msg, 4) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Fragment header mismatch - ignore"));
- /* Ignore */
- goto exit;
- }
- }
-
- if (!hs_buf->is_complete) {
- size_t frag_len, frag_off;
- unsigned char * const msg = hs_buf->data + 12;
-
- /*
- * Check and copy current fragment
- */
-
- /* Validation of header fields already done in
- * mbedtls_ssl_prepare_handshake_record(). */
- frag_off = ssl_get_hs_frag_off(ssl);
- frag_len = ssl_get_hs_frag_len(ssl);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
- ", length = %" MBEDTLS_PRINTF_SIZET,
- frag_off, frag_len));
- memcpy(msg + frag_off, ssl->in_msg + 12, frag_len);
-
- if (hs_buf->is_fragmented) {
- unsigned char * const bitmask = msg + msg_len;
- ssl_bitmask_set(bitmask, frag_off, frag_len);
- hs_buf->is_complete = (ssl_bitmask_check(bitmask,
- msg_len) == 0);
- } else {
- hs_buf->is_complete = 1;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("message %scomplete",
- hs_buf->is_complete ? "" : "not yet "));
- }
-
- break;
- }
-
- default:
- /* We don't buffer other types of messages. */
- break;
- }
-
-exit:
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_buffer_message"));
- return ret;
-}
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
-{
- /*
- * Consume last content-layer message and potentially
- * update in_msglen which keeps track of the contents'
- * consumption state.
- *
- * (1) Handshake messages:
- * Remove last handshake message, move content
- * and adapt in_msglen.
- *
- * (2) Alert messages:
- * Consume whole record content, in_msglen = 0.
- *
- * (3) Change cipher spec:
- * Consume whole record content, in_msglen = 0.
- *
- * (4) Application data:
- * Don't do anything - the record layer provides
- * the application data as a stream transport
- * and consumes through mbedtls_ssl_read only.
- *
- */
-
- /* Case (1): Handshake messages */
- if (ssl->in_hslen != 0) {
- /* Hard assertion to be sure that no application data
- * is in flight, as corrupting ssl->in_msglen during
- * ssl->in_offt != NULL is fatal. */
- if (ssl->in_offt != NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- if (ssl->badmac_seen_or_in_hsfraglen != 0) {
- /* Not all handshake fragments have arrived, do not consume. */
- MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments "
- "%u/%" MBEDTLS_PRINTF_SIZET,
- ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen));
- return 0;
- }
-
- /*
- * Get next Handshake message in the current record
- */
-
- /* Notes:
- * (1) in_hslen is not necessarily the size of the
- * current handshake content: If DTLS handshake
- * fragmentation is used, that's the fragment
- * size instead. Using the total handshake message
- * size here is faulty and should be changed at
- * some point.
- * (2) While it doesn't seem to cause problems, one
- * has to be very careful not to assume that in_hslen
- * is always <= in_msglen in a sensible communication.
- * Again, it's wrong for DTLS handshake fragmentation.
- * The following check is therefore mandatory, and
- * should not be treated as a silently corrected assertion.
- * Additionally, ssl->in_hslen might be arbitrarily out of
- * bounds after handling a DTLS message with an unexpected
- * sequence number, see mbedtls_ssl_prepare_handshake_record.
- */
- if (ssl->in_hslen < ssl->in_msglen) {
- ssl->in_msglen -= ssl->in_hslen;
- memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
- ssl->in_msglen);
- MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
-
- MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
- ssl->in_msg, ssl->in_msglen);
- } else {
- ssl->in_msglen = 0;
- }
-
- ssl->in_hslen = 0;
- }
- /* Case (4): Application data */
- else if (ssl->in_offt != NULL) {
- return 0;
- }
- /* Everything else (CCS & Alerts) */
- else {
- ssl->in_msglen = 0;
- }
-
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_record_is_in_progress(mbedtls_ssl_context *ssl)
-{
- if (ssl->in_msglen > 0) {
- return 1;
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-
-static void ssl_free_buffered_record(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
- if (hs == NULL) {
- return;
- }
-
- if (hs->buffering.future_record.data != NULL) {
- hs->buffering.total_bytes_buffered -=
- hs->buffering.future_record.len;
-
- mbedtls_free(hs->buffering.future_record.data);
- hs->buffering.future_record.data = NULL;
- }
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_load_buffered_record(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
- unsigned char *rec;
- size_t rec_len;
- unsigned rec_epoch;
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t in_buf_len = ssl->in_buf_len;
-#else
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
-#endif
- if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return 0;
- }
-
- if (hs == NULL) {
- return 0;
- }
-
- rec = hs->buffering.future_record.data;
- rec_len = hs->buffering.future_record.len;
- rec_epoch = hs->buffering.future_record.epoch;
-
- if (rec == NULL) {
- return 0;
- }
-
- /* Only consider loading future records if the
- * input buffer is empty. */
- if (ssl_next_record_is_in_datagram(ssl) == 1) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_load_buffered_record"));
-
- if (rec_epoch != ssl->in_epoch) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Buffered record not from current epoch."));
- goto exit;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("Found buffered record from current epoch - load"));
-
- /* Double-check that the record is not too large */
- if (rec_len > in_buf_len - (size_t) (ssl->in_hdr - ssl->in_buf)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- memcpy(ssl->in_hdr, rec, rec_len);
- ssl->in_left = rec_len;
- ssl->next_record_offset = 0;
-
- ssl_free_buffered_record(ssl);
-
-exit:
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_load_buffered_record"));
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_buffer_future_record(mbedtls_ssl_context *ssl,
- mbedtls_record const *rec)
-{
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
-
- /* Don't buffer future records outside handshakes. */
- if (hs == NULL) {
- return 0;
- }
-
- /* Only buffer handshake records (we are only interested
- * in Finished messages). */
- if (rec->type != MBEDTLS_SSL_MSG_HANDSHAKE) {
- return 0;
- }
-
- /* Don't buffer more than one future epoch record. */
- if (hs->buffering.future_record.data != NULL) {
- return 0;
- }
-
- /* Don't buffer record if there's not enough buffering space remaining. */
- if (rec->buf_len > (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
- hs->buffering.total_bytes_buffered)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
- " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
- " (already %" MBEDTLS_PRINTF_SIZET
- " bytes buffered) -- ignore\n",
- rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- hs->buffering.total_bytes_buffered));
- return 0;
- }
-
- /* Buffer record */
- MBEDTLS_SSL_DEBUG_MSG(2, ("Buffer record from epoch %u",
- ssl->in_epoch + 1U));
- MBEDTLS_SSL_DEBUG_BUF(3, "Buffered record", rec->buf, rec->buf_len);
-
- /* ssl_parse_record_header() only considers records
- * of the next epoch as candidates for buffering. */
- hs->buffering.future_record.epoch = ssl->in_epoch + 1;
- hs->buffering.future_record.len = rec->buf_len;
-
- hs->buffering.future_record.data =
- mbedtls_calloc(1, hs->buffering.future_record.len);
- if (hs->buffering.future_record.data == NULL) {
- /* If we run out of RAM trying to buffer a
- * record from the next epoch, just ignore. */
- return 0;
- }
-
- memcpy(hs->buffering.future_record.data, rec->buf, rec->buf_len);
-
- hs->buffering.total_bytes_buffered += rec->buf_len;
- return 0;
-}
-
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_get_next_record(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_record rec;
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- /* We might have buffered a future record; if so,
- * and if the epoch matches now, load it.
- * On success, this call will set ssl->in_left to
- * the length of the buffered record, so that
- * the calls to ssl_fetch_input() below will
- * essentially be no-ops. */
- ret = ssl_load_buffered_record(ssl);
- if (ret != 0) {
- return ret;
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- /* Ensure that we have enough space available for the default form
- * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
- * with no space for CIDs counted in). */
- ret = mbedtls_ssl_fetch_input(ssl, mbedtls_ssl_in_hdr_len(ssl));
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
- return ret;
- }
-
- ret = ssl_parse_record_header(ssl, ssl->in_hdr, ssl->in_left, &rec);
- if (ret != 0) {
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- if (ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
- ret = ssl_buffer_future_record(ssl, &rec);
- if (ret != 0) {
- return ret;
- }
-
- /* Fall through to handling of unexpected records */
- ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
- }
-
- if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
-#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
- /* Reset in pointers to default state for TLS/DTLS records,
- * assuming no CID and no offset between record content and
- * record plaintext. */
- mbedtls_ssl_update_in_pointers(ssl);
-
- /* Setup internal message pointers from record structure. */
- ssl->in_msgtype = rec.type;
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- ssl->in_len = ssl->in_cid + rec.cid_len;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
- ssl->in_msglen = rec.data_len;
-
- ret = ssl_check_client_reconnect(ssl);
- MBEDTLS_SSL_DEBUG_RET(2, "ssl_check_client_reconnect", ret);
- if (ret != 0) {
- return ret;
- }
-#endif
-
- /* Skip unexpected record (but not whole datagram) */
- ssl->next_record_offset = rec.buf_len;
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("discarding unexpected record "
- "(header)"));
- } else {
- /* Skip invalid record and the rest of the datagram */
- ssl->next_record_offset = 0;
- ssl->in_left = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("discarding invalid record "
- "(header)"));
- }
-
- /* Get next record */
- return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- } else
-#endif
- {
- return ret;
- }
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- /* Remember offset of next record within datagram. */
- ssl->next_record_offset = rec.buf_len;
- if (ssl->next_record_offset < ssl->in_left) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("more than one record within datagram"));
- }
- } else
-#endif
- {
- /*
- * Fetch record contents from underlying transport.
- */
- ret = mbedtls_ssl_fetch_input(ssl, rec.buf_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
- return ret;
- }
-
- ssl->in_left = 0;
- }
-
- /*
- * Decrypt record contents.
- */
-
- if ((ret = ssl_prepare_record_content(ssl, &rec)) != 0) {
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- /* Silently discard invalid records */
- if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
- /* Except when waiting for Finished as a bad mac here
- * probably means something went wrong in the handshake
- * (eg wrong psk used, mitm downgrade attempt, etc.) */
- if (ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
- ssl->state == MBEDTLS_SSL_SERVER_FINISHED) {
-#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
- if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC);
- }
-#endif
- return ret;
- }
-
- if (ssl->conf->badmac_limit != 0) {
- ++ssl->badmac_seen_or_in_hsfraglen;
- if (ssl->badmac_seen_or_in_hsfraglen >= ssl->conf->badmac_limit) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC"));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
- }
- }
-
- /* As above, invalid records cause
- * dismissal of the whole datagram. */
-
- ssl->next_record_offset = 0;
- ssl->in_left = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("discarding invalid record (mac)"));
- return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- }
-
- return ret;
- } else
-#endif
- {
- /* Error out (and send alert) on invalid records */
-#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
- if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC);
- }
-#endif
- return ret;
- }
- }
-
-
- /* Reset in pointers to default state for TLS/DTLS records,
- * assuming no CID and no offset between record content and
- * record plaintext. */
- mbedtls_ssl_update_in_pointers(ssl);
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- ssl->in_len = ssl->in_cid + rec.cid_len;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- ssl->in_iv = ssl->in_len + 2;
-
- /* The record content type may change during decryption,
- * so re-read it. */
- ssl->in_msgtype = rec.type;
- /* Also update the input buffer, because unfortunately
- * the server-side ssl_parse_client_hello() reparses the
- * record header when receiving a ClientHello initiating
- * a renegotiation. */
- ssl->in_hdr[0] = rec.type;
- ssl->in_msg = rec.buf + rec.data_offset;
- ssl->in_msglen = rec.data_len;
- MBEDTLS_PUT_UINT16_BE(rec.data_len, ssl->in_len, 0);
-
- return 0;
-}
-
-int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* If we're in the middle of a fragmented TLS handshake message,
- * we don't accept any other message type. For TLS 1.3, the spec forbids
- * interleaving other message types between handshake fragments. For TLS
- * 1.2, the spec does not forbid it but we do. */
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM &&
- ssl->badmac_seen_or_in_hsfraglen != 0 &&
- ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle"
- " of a fragmented handshake message"));
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- /*
- * Handle particular types of records
- */
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
- if ((ret = mbedtls_ssl_prepare_handshake_record(ssl)) != 0) {
- return ret;
- }
- }
-
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
- if (ssl->in_msglen != 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
- ssl->in_msglen));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- if (ssl->in_msg[0] != 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("invalid CCS message, content: %02x",
- ssl->in_msg[0]));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
- ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC) {
- if (ssl->handshake == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("dropping ChangeCipherSpec outside handshake"));
- return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("received out-of-order ChangeCipherSpec - remember"));
- return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
- }
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"));
- return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
- }
-
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT) {
- if (ssl->in_msglen != 2) {
- /* Note: Standard allows for more than one 2 byte alert
- to be packed in a single message, but Mbed TLS doesn't
- currently support this. */
- MBEDTLS_SSL_DEBUG_MSG(1, ("invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
- ssl->in_msglen));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("got an alert message, type: [%u:%u]",
- ssl->in_msg[0], ssl->in_msg[1]));
-
- /*
- * Ignore non-fatal alerts, except close_notify and no_renegotiation
- */
- if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("is a fatal alert message (msg %d)",
- ssl->in_msg[1]));
- return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE;
- }
-
- if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
- ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("is a close notify message"));
- return MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY;
- }
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
- if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
- ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("is a no renegotiation alert"));
- /* Will be handled when trying to parse ServerHello */
- return 0;
- }
-#endif
- /* Silently ignore: fetch new message */
- return MBEDTLS_ERR_SSL_NON_FATAL;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- /* Drop unexpected ApplicationData records,
- * except at the beginning of renegotiations */
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
- mbedtls_ssl_is_handshake_over(ssl) == 0
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- && !(ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
- ssl->state == MBEDTLS_SSL_SERVER_HELLO)
-#endif
- ) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("dropping unexpected ApplicationData"));
- return MBEDTLS_ERR_SSL_NON_FATAL;
- }
-
- if (ssl->handshake != NULL &&
- mbedtls_ssl_is_handshake_over(ssl) == 1) {
- mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- return 0;
-}
-
-int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
-}
-
-int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl,
- unsigned char level,
- unsigned char message)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ssl == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (ssl->out_left != 0) {
- return mbedtls_ssl_flush_output(ssl);
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> send alert message"));
- MBEDTLS_SSL_DEBUG_MSG(3, ("send alert level=%u message=%u", level, message));
-
- ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
- ssl->out_msglen = 2;
- ssl->out_msg[0] = level;
- ssl->out_msg[1] = message;
-
- if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
- return ret;
- }
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= send alert message"));
-
- return 0;
-}
-
-int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
-
- ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
- ssl->out_msglen = 1;
- ssl->out_msg[0] = 1;
-
- mbedtls_ssl_handshake_increment_state(ssl);
-
- if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
-
- return 0;
-}
-
-int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse change cipher spec"));
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- /* CCS records are only accepted if they have length 1 and content '1',
- * so we don't need to check this here. */
-
- /*
- * Switch to our negotiated transform and session parameters for inbound
- * data.
- */
- MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for inbound data"));
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- ssl->transform_in = ssl->transform_negotiate;
-#endif
- ssl->session_in = ssl->session_negotiate;
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
- mbedtls_ssl_dtls_replay_reset(ssl);
-#endif
-
- /* Increment epoch */
- if (++ssl->in_epoch == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
- /* This is highly unlikely to happen for legitimate reasons, so
- treat it as an attack and don't send an alert. */
- return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
- }
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- memset(ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
-
- mbedtls_ssl_update_in_pointers(ssl);
-
- mbedtls_ssl_handshake_increment_state(ssl);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
-
- return 0;
-}
-
-/* Once ssl->out_hdr as the address of the beginning of the
- * next outgoing record is set, deduce the other pointers.
- *
- * Note: For TLS, we save the implicit record sequence number
- * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
- * and the caller has to make sure there's space for this.
- */
-
-static size_t ssl_transform_get_explicit_iv_len(
- mbedtls_ssl_transform const *transform)
-{
- return transform->ivlen - transform->fixed_ivlen;
-}
-
-void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform)
-{
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ssl->out_ctr = ssl->out_hdr + 3;
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- ssl->out_len = ssl->out_cid;
- if (transform != NULL) {
- ssl->out_len += transform->out_cid_len;
- }
-#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- ssl->out_iv = ssl->out_len + 2;
- } else
-#endif
- {
- ssl->out_len = ssl->out_hdr + 3;
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- ssl->out_cid = ssl->out_len;
-#endif
- ssl->out_iv = ssl->out_hdr + 5;
- }
-
- ssl->out_msg = ssl->out_iv;
- /* Adjust out_msg to make space for explicit IV, if used. */
- if (transform != NULL) {
- ssl->out_msg += ssl_transform_get_explicit_iv_len(transform);
- }
-}
-
-/* Once ssl->in_hdr as the address of the beginning of the
- * next incoming record is set, deduce the other pointers.
- *
- * Note: For TLS, we save the implicit record sequence number
- * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
- * and the caller has to make sure there's space for this.
- */
-
-void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
-{
- /* This function sets the pointers to match the case
- * of unprotected TLS/DTLS records, with both ssl->in_iv
- * and ssl->in_msg pointing to the beginning of the record
- * content.
- *
- * When decrypting a protected record, ssl->in_msg
- * will be shifted to point to the beginning of the
- * record plaintext.
- */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- /* This sets the header pointers to match records
- * without CID. When we receive a record containing
- * a CID, the fields are shifted accordingly in
- * ssl_parse_record_header(). */
- ssl->in_ctr = ssl->in_hdr + 3;
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- ssl->in_len = ssl->in_cid; /* Default: no CID */
-#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
- ssl->in_iv = ssl->in_len + 2;
- } else
-#endif
- {
- ssl->in_ctr = ssl->in_buf;
- ssl->in_len = ssl->in_hdr + 3;
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- ssl->in_cid = ssl->in_len;
-#endif
- ssl->in_iv = ssl->in_hdr + 5;
- }
-
- /* This will be adjusted at record decryption time. */
- ssl->in_msg = ssl->in_iv;
-}
-
-/*
- * Setup an SSL context
- */
-
-void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ssl->in_hdr = ssl->in_buf;
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- {
- ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- }
-
- /* Derive other internal pointers. */
- mbedtls_ssl_update_in_pointers(ssl);
-}
-
-void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl)
-{
- /* Set the incoming and outgoing record pointers. */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ssl->out_hdr = ssl->out_buf;
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- {
- ssl->out_ctr = ssl->out_buf;
- ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- }
- /* Derive other internal pointers. */
- mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
-}
-
-/*
- * SSL get accessors
- */
-size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ssl)
-{
- return ssl->in_offt == NULL ? 0 : ssl->in_msglen;
-}
-
-int mbedtls_ssl_check_pending(const mbedtls_ssl_context *ssl)
-{
- /*
- * Case A: We're currently holding back
- * a message for further processing.
- */
-
- if (ssl->keep_current_message == 1) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: record held back for processing"));
- return 1;
- }
-
- /*
- * Case B: Further records are pending in the current datagram.
- */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->in_left > ssl->next_record_offset) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: more records within current datagram"));
- return 1;
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- /*
- * Case C: A handshake message is being processed.
- */
-
- if (ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen) {
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("ssl_check_pending: more handshake messages within current record"));
- return 1;
- }
-
- /*
- * Case D: An application data message is being processed
- */
- if (ssl->in_offt != NULL) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: application data record is being processed"));
- return 1;
- }
-
- /*
- * In all other cases, the rest of the message can be dropped.
- * As in ssl_get_next_record, this needs to be adapted if
- * we implement support for multiple alerts in single records.
- */
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: nothing pending"));
- return 0;
-}
-
-
-int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
-{
- size_t transform_expansion = 0;
- const mbedtls_ssl_transform *transform = ssl->transform_out;
- unsigned block_size;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t key_type;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- size_t out_hdr_len = mbedtls_ssl_out_hdr_len(ssl);
-
- if (transform == NULL) {
- return (int) out_hdr_len;
- }
-
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (transform->psa_alg == PSA_ALG_GCM ||
- transform->psa_alg == PSA_ALG_CCM ||
- transform->psa_alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8) ||
- transform->psa_alg == PSA_ALG_CHACHA20_POLY1305 ||
- transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) {
- transform_expansion = transform->minlen;
- } else if (transform->psa_alg == PSA_ALG_CBC_NO_PADDING) {
- (void) psa_get_key_attributes(transform->psa_key_enc, &attr);
- key_type = psa_get_key_type(&attr);
-
- block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
-
- /* Expansion due to the addition of the MAC. */
- transform_expansion += transform->maclen;
-
- /* Expansion due to the addition of CBC padding;
- * Theoretically up to 256 bytes, but we never use
- * more than the block size of the underlying cipher. */
- transform_expansion += block_size;
-
- /* For TLS 1.2 or higher, an explicit IV is added
- * after the record header. */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- transform_expansion += block_size;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- } else {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("Unsupported psa_alg spotted in mbedtls_ssl_get_record_expansion()"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-#else
- switch (mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)) {
- case MBEDTLS_MODE_GCM:
- case MBEDTLS_MODE_CCM:
- case MBEDTLS_MODE_CHACHAPOLY:
- case MBEDTLS_MODE_STREAM:
- transform_expansion = transform->minlen;
- break;
-
- case MBEDTLS_MODE_CBC:
-
- block_size = mbedtls_cipher_get_block_size(
- &transform->cipher_ctx_enc);
-
- /* Expansion due to the addition of the MAC. */
- transform_expansion += transform->maclen;
-
- /* Expansion due to the addition of CBC padding;
- * Theoretically up to 256 bytes, but we never use
- * more than the block size of the underlying cipher. */
- transform_expansion += block_size;
-
- /* For TLS 1.2 or higher, an explicit IV is added
- * after the record header. */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- transform_expansion += block_size;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- break;
-
- default:
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- if (transform->out_cid_len != 0) {
- transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- return (int) (out_hdr_len + transform_expansion);
-}
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-/*
- * Check record counters and renegotiate if they're above the limit.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl)
-{
- size_t ep_len = mbedtls_ssl_ep_len(ssl);
- int in_ctr_cmp;
- int out_ctr_cmp;
-
- if (mbedtls_ssl_is_handshake_over(ssl) == 0 ||
- ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
- ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
- return 0;
- }
-
- in_ctr_cmp = memcmp(ssl->in_ctr + ep_len,
- &ssl->conf->renego_period[ep_len],
- MBEDTLS_SSL_SEQUENCE_NUMBER_LEN - ep_len);
- out_ctr_cmp = memcmp(&ssl->cur_out_ctr[ep_len],
- &ssl->conf->renego_period[ep_len],
- sizeof(ssl->cur_out_ctr) - ep_len);
-
- if (in_ctr_cmp <= 0 && out_ctr_cmp <= 0) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("record counter limit reached: renegotiate"));
- return mbedtls_ssl_renegotiate(ssl);
-}
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-
-#if defined(MBEDTLS_SSL_CLI_C)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_is_new_session_ticket(mbedtls_ssl_context *ssl)
-{
-
- if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) ||
- (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET)) {
- return 0;
- }
-
- return 1;
-}
-#endif /* MBEDTLS_SSL_CLI_C */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
-{
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message"));
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- if (ssl_tls13_is_new_session_ticket(ssl)) {
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
- if (mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(ssl->conf) ==
- MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED) {
- ssl->keep_current_message = 1;
-
- mbedtls_ssl_handshake_set_state(ssl,
- MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
- return MBEDTLS_ERR_SSL_WANT_READ;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, handling disabled."));
- return 0;
- }
-#else
- MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, not supported."));
- return 0;
-#endif
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
- /* Fail in all other cases. */
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-/* This function is called from mbedtls_ssl_read() when a handshake message is
- * received after the initial handshake. In this context, handshake messages
- * may only be sent for the purpose of initiating renegotiations.
- *
- * This function is introduced as a separate helper since the handling
- * of post-handshake handshake messages changes significantly in TLS 1.3,
- * and having a helper function allows to distinguish between TLS <= 1.2 and
- * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read().
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls12_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /*
- * - For client-side, expect SERVER_HELLO_REQUEST.
- * - For server-side, expect CLIENT_HELLO.
- * - Fail (TLS) or silently drop record (DTLS) in other cases.
- */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- (ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
- ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl))) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("handshake received (not HelloRequest)"));
-
- /* With DTLS, drop the packet (probably from last handshake) */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return 0;
- }
-#endif
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
- ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("handshake received (not ClientHello)"));
-
- /* With DTLS, drop the packet (probably from last handshake) */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return 0;
- }
-#endif
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- /* Determine whether renegotiation attempt should be accepted */
- if (!(ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
- (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation ==
- MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION))) {
- /*
- * Accept renegotiation request
- */
-
- /* DTLS clients need to know renego is server-initiated */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
- }
-#endif
- ret = mbedtls_ssl_start_renegotiation(ssl);
- if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
- ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation",
- ret);
- return ret;
- }
- } else
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
- {
- /*
- * Refuse renegotiation
- */
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("refusing renegotiation, sending alert"));
-
- if ((ret = mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_WARNING,
- MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION)) != 0) {
- return ret;
- }
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
-{
- /* Check protocol version and dispatch accordingly. */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- return ssl_tls13_handle_hs_message_post_handshake(ssl);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
- return ssl_tls12_handle_hs_message_post_handshake(ssl);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- /* Should never happen */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-}
-
-/*
- * brief Read at most 'len' application data bytes from the input
- * buffer.
- *
- * param ssl SSL context:
- * - First byte of application data not read yet in the input
- * buffer located at address `in_offt`.
- * - The number of bytes of data not read yet is `in_msglen`.
- * param buf buffer that will hold the data
- * param len maximum number of bytes to read
- *
- * note The function updates the fields `in_offt` and `in_msglen`
- * according to the number of bytes read.
- *
- * return The number of bytes read.
- */
-static int ssl_read_application_data(
- mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
-{
- size_t n = (len < ssl->in_msglen) ? len : ssl->in_msglen;
-
- if (len != 0) {
- memcpy(buf, ssl->in_offt, n);
- ssl->in_msglen -= n;
- }
-
- /* Zeroising the plaintext buffer to erase unused application data
- from the memory. */
- mbedtls_platform_zeroize(ssl->in_offt, n);
-
- if (ssl->in_msglen == 0) {
- /* all bytes consumed */
- ssl->in_offt = NULL;
- ssl->keep_current_message = 0;
- } else {
- /* more data available */
- ssl->in_offt += n;
- }
-
- return (int) n;
-}
-
-/*
- * Receive application data decrypted from the SSL layer
- */
-int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ssl == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> read"));
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
- return ret;
- }
-
- if (ssl->handshake != NULL &&
- ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
- if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
- return ret;
- }
- }
- }
-#endif
-
- /*
- * Check if renegotiation is necessary and/or handshake is
- * in process. If yes, perform/continue, and fall through
- * if an unexpected packet is received while the client
- * is waiting for the ServerHello.
- *
- * (There is no equivalent to the last condition on
- * the server-side as it is not treated as within
- * a handshake while waiting for the ClientHello
- * after a renegotiation request.)
- */
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ret = ssl_check_ctr_renegotiate(ssl);
- if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
- ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_check_ctr_renegotiate", ret);
- return ret;
- }
-#endif
-
- if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
- ret = mbedtls_ssl_handshake(ssl);
- if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
- ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
- return ret;
- }
- }
-
- /* Loop as long as no application data record is available */
- while (ssl->in_offt == NULL) {
- /* Start timer if not already running */
- if (ssl->f_get_timer != NULL &&
- ssl->f_get_timer(ssl->p_timer) == -1) {
- mbedtls_ssl_set_timer(ssl, ssl->conf->read_timeout);
- }
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- if (ret == MBEDTLS_ERR_SSL_CONN_EOF) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- if (ssl->in_msglen == 0 &&
- ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
- /*
- * OpenSSL sends empty messages to randomize the IV
- */
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- if (ret == MBEDTLS_ERR_SSL_CONN_EOF) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
- }
-
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
- ret = ssl_handle_hs_message_post_handshake(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_handle_hs_message_post_handshake",
- ret);
- return ret;
- }
-
- /* At this point, we don't know whether the renegotiation triggered
- * by the post-handshake message has been completed or not. The cases
- * to consider are the following:
- * 1) The renegotiation is complete. In this case, no new record
- * has been read yet.
- * 2) The renegotiation is incomplete because the client received
- * an application data record while awaiting the ServerHello.
- * 3) The renegotiation is incomplete because the client received
- * a non-handshake, non-application data message while awaiting
- * the ServerHello.
- *
- * In each of these cases, looping will be the proper action:
- * - For 1), the next iteration will read a new record and check
- * if it's application data.
- * - For 2), the loop condition isn't satisfied as application data
- * is present, hence continue is the same as break
- * - For 3), the loop condition is satisfied and read_record
- * will re-deliver the message that was held back by the client
- * when expecting the ServerHello.
- */
-
- continue;
- }
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
- if (ssl->conf->renego_max_records >= 0) {
- if (++ssl->renego_records_seen > ssl->conf->renego_max_records) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation requested, "
- "but not honored by client"));
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
- }
- }
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
- /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
- if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("ignoring non-fatal non-closure alert"));
- return MBEDTLS_ERR_SSL_WANT_READ;
- }
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad application data message"));
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- ssl->in_offt = ssl->in_msg;
-
- /* We're going to return something now, cancel timer,
- * except if handshake (renegotiation) is in progress */
- if (mbedtls_ssl_is_handshake_over(ssl) == 1) {
- mbedtls_ssl_set_timer(ssl, 0);
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- /* If we requested renego but received AppData, resend HelloRequest.
- * Do it now, after setting in_offt, to avoid taking this branch
- * again if ssl_write_hello_request() returns WANT_WRITE */
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
- ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
- if ((ret = mbedtls_ssl_resend_hello_request(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend_hello_request",
- ret);
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- }
-
- ret = ssl_read_application_data(ssl, buf, len);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= read"));
-
- return ret;
-}
-
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA)
-int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
- unsigned char *buf, size_t len)
-{
- if (ssl == NULL || (ssl->conf == NULL)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /*
- * The server may receive early data only while waiting for the End of
- * Early Data handshake message.
- */
- if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) ||
- (ssl->in_offt == NULL)) {
- return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA;
- }
-
- return ssl_read_application_data(ssl, buf, len);
-}
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA */
-
-/*
- * Send application data to be encrypted by the SSL layer, taking care of max
- * fragment length and buffer size.
- *
- * According to RFC 5246 Section 6.2.1:
- *
- * Zero-length fragments of Application data MAY be sent as they are
- * potentially useful as a traffic analysis countermeasure.
- *
- * Therefore, it is possible that the input message length is 0 and the
- * corresponding return code is 0 on success.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_real(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
-{
- int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
- const size_t max_len = (size_t) ret;
-
- if (ret < 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_max_out_record_payload", ret);
- return ret;
- }
-
- if (len > max_len) {
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("fragment larger than the (negotiated) "
- "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
- " > %" MBEDTLS_PRINTF_SIZET,
- len, max_len));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- } else
-#endif
- len = max_len;
- }
-
- if (ssl->out_left != 0) {
- /*
- * The user has previously tried to send the data and
- * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
- * written. In this case, we expect the high-level write function
- * (e.g. mbedtls_ssl_write()) to be called with the same parameters
- */
- if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
- return ret;
- }
- } else {
- /*
- * The user is trying to send a message the first time, so we need to
- * copy the data into the internal buffers and setup the data structure
- * to keep track of partial writes
- */
- ssl->out_msglen = len;
- ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
- if (len > 0) {
- memcpy(ssl->out_msg, buf, len);
- }
-
- if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
- return ret;
- }
- }
-
- return (int) len;
-}
-
-/*
- * Write application data (public-facing wrapper)
- */
-int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write"));
-
- if (ssl == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if ((ret = ssl_check_ctr_renegotiate(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_check_ctr_renegotiate", ret);
- return ret;
- }
-#endif
-
- if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
- if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
- return ret;
- }
- }
-
- ret = ssl_write_real(ssl, buf, len);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write"));
-
- return ret;
-}
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const struct mbedtls_ssl_config *conf;
- uint32_t remaining;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write early_data"));
-
- if (ssl == NULL || (conf = ssl->conf) == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if ((!mbedtls_ssl_conf_is_tls13_enabled(conf)) ||
- (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
- (conf->early_data_enabled != MBEDTLS_SSL_EARLY_DATA_ENABLED)) {
- return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
- }
-
- if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) {
- return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
- }
-
- /*
- * If we are at the beginning of the handshake, the early data state being
- * equal to MBEDTLS_SSL_EARLY_DATA_STATE_IDLE or
- * MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT advance the handshake just
- * enough to be able to send early data if possible. That way, we can
- * guarantee that when starting the handshake with this function we will
- * send at least one record of early data. Note that when the state is
- * MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT and not yet
- * MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE, we cannot send early data
- * as the early data outbound transform has not been set as we may have to
- * first send a dummy CCS in clear.
- */
- if ((ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IDLE) ||
- (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT)) {
- while ((ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IDLE) ||
- (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT)) {
- ret = mbedtls_ssl_handshake_step(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake_step", ret);
- return ret;
- }
-
- ret = mbedtls_ssl_flush_output(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
- return ret;
- }
- }
- remaining = ssl->session_negotiate->max_early_data_size;
- } else {
- /*
- * If we are past the point where we can send early data or we have
- * already reached the maximum early data size, return immediately.
- * Otherwise, progress the handshake as much as possible to not delay
- * it too much. If we reach a point where we can still send early data,
- * then we will send some.
- */
- if ((ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE) &&
- (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED)) {
- return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
- }
-
- remaining = ssl->session_negotiate->max_early_data_size -
- ssl->total_early_data_size;
-
- if (remaining == 0) {
- return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
- }
-
- ret = mbedtls_ssl_handshake(ssl);
- if ((ret != 0) && (ret != MBEDTLS_ERR_SSL_WANT_READ)) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
- return ret;
- }
- }
-
- if (((ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE) &&
- (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED))
- || (remaining == 0)) {
- return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
- }
-
- if (len > remaining) {
- len = remaining;
- }
-
- ret = ssl_write_real(ssl, buf, len);
- if (ret >= 0) {
- ssl->total_early_data_size += ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write early_data, ret=%d", ret));
-
- return ret;
-}
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
-
-/*
- * Notify the peer that the connection is being closed
- */
-int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ssl == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write close notify"));
-
- if (mbedtls_ssl_is_handshake_over(ssl) == 1) {
- if ((ret = mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_WARNING,
- MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_send_alert_message", ret);
- return ret;
- }
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write close notify"));
-
- return 0;
-}
-
-void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform)
-{
- if (transform == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_destroy_key(transform->psa_key_enc);
- psa_destroy_key(transform->psa_key_dec);
-#else
- mbedtls_cipher_free(&transform->cipher_ctx_enc);
- mbedtls_cipher_free(&transform->cipher_ctx_dec);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_destroy_key(transform->psa_mac_enc);
- psa_destroy_key(transform->psa_mac_dec);
-#else
- mbedtls_md_free(&transform->md_ctx_enc);
- mbedtls_md_free(&transform->md_ctx_dec);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif
-
- mbedtls_platform_zeroize(transform, sizeof(mbedtls_ssl_transform));
-}
-
-void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform)
-{
- ssl->transform_in = transform;
- memset(ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
-}
-
-void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
- mbedtls_ssl_transform *transform)
-{
- ssl->transform_out = transform;
- memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-
-void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl)
-{
- unsigned offset;
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
-
- if (hs == NULL) {
- return;
- }
-
- ssl_free_buffered_record(ssl);
-
- for (offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++) {
- ssl_buffering_free_slot(ssl, offset);
- }
-}
-
-static void ssl_buffering_free_slot(mbedtls_ssl_context *ssl,
- uint8_t slot)
-{
- mbedtls_ssl_handshake_params * const hs = ssl->handshake;
- mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
-
- if (slot >= MBEDTLS_SSL_MAX_BUFFERED_HS) {
- return;
- }
-
- if (hs_buf->is_valid == 1) {
- hs->buffering.total_bytes_buffered -= hs_buf->data_len;
- mbedtls_zeroize_and_free(hs_buf->data, hs_buf->data_len);
- memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
- }
-}
-
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-/*
- * Convert version numbers to/from wire format
- * and, for DTLS, to/from TLS equivalent.
- *
- * For TLS this is the identity.
- * For DTLS, map as follows, then use 1's complement (v -> ~v):
- * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
- * DTLS 1.0 is stored as TLS 1.1 internally
- */
-void mbedtls_ssl_write_version(unsigned char version[2], int transport,
- mbedtls_ssl_protocol_version tls_version)
-{
- uint16_t tls_version_formatted;
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- tls_version_formatted =
- ~(tls_version - (tls_version == 0x0302 ? 0x0202 : 0x0201));
- } else
-#else
- ((void) transport);
-#endif
- {
- tls_version_formatted = (uint16_t) tls_version;
- }
- MBEDTLS_PUT_UINT16_BE(tls_version_formatted, version, 0);
-}
-
-uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
- int transport)
-{
- uint16_t tls_version = MBEDTLS_GET_UINT16_BE(version, 0);
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- tls_version =
- ~(tls_version - (tls_version == 0xfeff ? 0x0202 : 0x0201));
- }
-#else
- ((void) transport);
-#endif
- return tls_version;
-}
-
-/*
- * Send pending fatal alert.
- * 0, No alert message.
- * !0, if mbedtls_ssl_send_alert_message() returned in error, the error code it
- * returned, ssl->alert_reason otherwise.
- */
-int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl)
-{
- int ret;
-
- /* No pending alert, return success*/
- if (ssl->send_alert == 0) {
- return 0;
- }
-
- ret = mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- ssl->alert_type);
-
- /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE,
- * do not clear the alert to be able to send it later.
- */
- if (ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
- ssl->send_alert = 0;
- }
-
- if (ret != 0) {
- return ret;
- }
-
- return ssl->alert_reason;
-}
-
-/*
- * Set pending fatal alert flag.
- */
-void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
- unsigned char alert_type,
- int alert_reason)
-{
- ssl->send_alert = 1;
- ssl->alert_type = alert_type;
- ssl->alert_reason = alert_reason;
-}
-
-#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/lib/mbedtls_ssl/src/ssl_tls.c b/lib/mbedtls_ssl/src/ssl_tls.c
deleted file mode 100644
index 30cde2792..000000000
--- a/lib/mbedtls_ssl/src/ssl_tls.c
+++ /dev/null
@@ -1,10187 +0,0 @@
-/*
- * TLS shared functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-/*
- * http://www.ietf.org/rfc/rfc2246.txt
- * http://www.ietf.org/rfc/rfc4346.txt
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_SSL_TLS_C)
-
-#include "mbedtls/platform.h"
-
-#include "mbedtls/ssl.h"
-#include "ssl_client.h"
-#include "ssl_debug_helpers.h"
-#include "ssl_misc.h"
-#include "ssl_tls13_keys.h"
-
-#include "debug_internal.h"
-#include "mbedtls/error.h"
-#include "mbedtls/platform_util.h"
-#include "mbedtls/version.h"
-#include "mbedtls/constant_time.h"
-
-#include
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "mbedtls/psa_util.h"
-#include "md_psa.h"
-#include "psa_util_internal.h"
-#include "psa/crypto.h"
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#include "mbedtls/oid.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/* Define local translating functions to save code size by not using too many
- * arguments in each translating place. */
-static int local_err_translation(psa_status_t status)
-{
- return psa_status_to_mbedtls(status, psa_to_ssl_errors,
- ARRAY_LENGTH(psa_to_ssl_errors),
- psa_generic_status_to_mbedtls);
-}
-#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-#endif
-
-#if defined(MBEDTLS_TEST_HOOKS)
-static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
-
-void mbedtls_ssl_set_chk_buf_ptr_fail_args(
- const uint8_t *cur, const uint8_t *end, size_t need)
-{
- chk_buf_ptr_fail_args.cur = cur;
- chk_buf_ptr_fail_args.end = end;
- chk_buf_ptr_fail_args.need = need;
-}
-
-void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
-{
- memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
-}
-
-int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
-{
- return (chk_buf_ptr_fail_args.cur != args->cur) ||
- (chk_buf_ptr_fail_args.end != args->end) ||
- (chk_buf_ptr_fail_args.need != args->need);
-}
-#endif /* MBEDTLS_TEST_HOOKS */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-/* Top-level Connection ID API */
-
-int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
- size_t len,
- int ignore_other_cid)
-{
- if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
- ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- conf->ignore_unexpected_cid = ignore_other_cid;
- conf->cid_len = len;
- return 0;
-}
-
-int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
- int enable,
- unsigned char const *own_cid,
- size_t own_cid_len)
-{
- if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl->negotiate_cid = enable;
- if (enable == MBEDTLS_SSL_CID_DISABLED) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
- return 0;
- }
- MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
- MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
-
- if (own_cid_len != ssl->conf->cid_len) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
- (unsigned) own_cid_len,
- (unsigned) ssl->conf->cid_len));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- memcpy(ssl->own_cid, own_cid, own_cid_len);
- /* Truncation is not an issue here because
- * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
- ssl->own_cid_len = (uint8_t) own_cid_len;
-
- return 0;
-}
-
-int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
- int *enabled,
- unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
- size_t *own_cid_len)
-{
- *enabled = MBEDTLS_SSL_CID_DISABLED;
-
- if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
- * zero as this is indistinguishable from not requesting to use
- * the CID extension. */
- if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
- return 0;
- }
-
- if (own_cid_len != NULL) {
- *own_cid_len = ssl->own_cid_len;
- if (own_cid != NULL) {
- memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
- }
- }
-
- *enabled = MBEDTLS_SSL_CID_ENABLED;
-
- return 0;
-}
-
-int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
- int *enabled,
- unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
- size_t *peer_cid_len)
-{
- *enabled = MBEDTLS_SSL_CID_DISABLED;
-
- if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
- mbedtls_ssl_is_handshake_over(ssl) == 0) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
- * were used, but client and server requested the empty CID.
- * This is indistinguishable from not using the CID extension
- * in the first place. */
- if (ssl->transform_in->in_cid_len == 0 &&
- ssl->transform_in->out_cid_len == 0) {
- return 0;
- }
-
- if (peer_cid_len != NULL) {
- *peer_cid_len = ssl->transform_in->out_cid_len;
- if (peer_cid != NULL) {
- memcpy(peer_cid, ssl->transform_in->out_cid,
- ssl->transform_in->out_cid_len);
- }
- }
-
- *enabled = MBEDTLS_SSL_CID_ENABLED;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-/*
- * Convert max_fragment_length codes to length.
- * RFC 6066 says:
- * enum{
- * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
- * } MaxFragmentLength;
- * and we add 0 -> extension unused
- */
-static unsigned int ssl_mfl_code_to_length(int mfl)
-{
- switch (mfl) {
- case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
- return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
- case MBEDTLS_SSL_MAX_FRAG_LEN_512:
- return 512;
- case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
- return 1024;
- case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
- return 2048;
- case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
- return 4096;
- default:
- return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
- }
-}
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
- const mbedtls_ssl_session *src)
-{
- mbedtls_ssl_session_free(dst);
- memcpy(dst, src, sizeof(mbedtls_ssl_session));
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
- dst->ticket = NULL;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- dst->hostname = NULL;
-#endif
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
- defined(MBEDTLS_SSL_EARLY_DATA)
- dst->ticket_alpn = NULL;
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- if (src->peer_cert != NULL) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
- if (dst->peer_cert == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- mbedtls_x509_crt_init(dst->peer_cert);
-
- if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
- src->peer_cert->raw.len)) != 0) {
- mbedtls_free(dst->peer_cert);
- dst->peer_cert = NULL;
- return ret;
- }
- }
-#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if (src->peer_cert_digest != NULL) {
- dst->peer_cert_digest =
- mbedtls_calloc(1, src->peer_cert_digest_len);
- if (dst->peer_cert_digest == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(dst->peer_cert_digest, src->peer_cert_digest,
- src->peer_cert_digest_len);
- dst->peer_cert_digest_type = src->peer_cert_digest_type;
- dst->peer_cert_digest_len = src->peer_cert_digest_len;
- }
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
- defined(MBEDTLS_SSL_EARLY_DATA)
- {
- int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
- if (ret != 0) {
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
- if (src->ticket != NULL) {
- dst->ticket = mbedtls_calloc(1, src->ticket_len);
- if (dst->ticket == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(dst->ticket, src->ticket, src->ticket_len);
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
- if (ret != 0) {
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
- MBEDTLS_SSL_SERVER_NAME_INDICATION */
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
-
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
-{
- unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
- if (resized_buffer == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- /* We want to copy len_new bytes when downsizing the buffer, and
- * len_old bytes when upsizing, so we choose the smaller of two sizes,
- * to fit one buffer into another. Size checks, ensuring that no data is
- * lost, are done outside of this function. */
- memcpy(resized_buffer, *buffer,
- (len_new < *len_old) ? len_new : *len_old);
- mbedtls_zeroize_and_free(*buffer, *len_old);
-
- *buffer = resized_buffer;
- *len_old = len_new;
-
- return 0;
-}
-
-static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
- size_t in_buf_new_len,
- size_t out_buf_new_len)
-{
- int modified = 0;
- size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
- size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
- if (ssl->in_buf != NULL) {
- written_in = ssl->in_msg - ssl->in_buf;
- iv_offset_in = ssl->in_iv - ssl->in_buf;
- len_offset_in = ssl->in_len - ssl->in_buf;
- hdr_in = ssl->in_hdr - ssl->in_buf;
- if (downsizing ?
- ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
- ssl->in_buf_len < in_buf_new_len) {
- if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
- in_buf_new_len));
- modified = 1;
- }
- }
- }
-
- if (ssl->out_buf != NULL) {
- written_out = ssl->out_msg - ssl->out_buf;
- iv_offset_out = ssl->out_iv - ssl->out_buf;
- len_offset_out = ssl->out_len - ssl->out_buf;
- if (downsizing ?
- ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
- ssl->out_buf_len < out_buf_new_len) {
- if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
- } else {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
- out_buf_new_len));
- modified = 1;
- }
- }
- }
- if (modified) {
- /* Update pointers here to avoid doing it twice. */
- ssl->in_hdr = ssl->in_buf + hdr_in;
- mbedtls_ssl_update_in_pointers(ssl);
- mbedtls_ssl_reset_out_pointers(ssl);
-
- /* Fields below might not be properly updated with record
- * splitting or with CID, so they are manually updated here. */
- ssl->out_msg = ssl->out_buf + written_out;
- ssl->out_len = ssl->out_buf + len_offset_out;
- ssl->out_iv = ssl->out_buf + iv_offset_out;
-
- ssl->in_msg = ssl->in_buf + written_in;
- ssl->in_len = ssl->in_buf + len_offset_in;
- ssl->in_iv = ssl->in_buf + iv_offset_in;
- }
-}
-#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
-typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
- const char *label,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen);
-
-static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
-
-#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
-
-/* Type for the TLS PRF */
-typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
- const unsigned char *, size_t,
- unsigned char *, size_t);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
- int ciphersuite,
- const unsigned char master[48],
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- int encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
- ssl_tls_prf_t tls_prf,
- const unsigned char randbytes[64],
- mbedtls_ssl_protocol_version tls_version,
- unsigned endpoint,
- const mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int tls_prf_sha256(const unsigned char *secret, size_t slen,
- const char *label,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen);
-static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
-static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
-
-#endif /* MBEDTLS_MD_CAN_SHA256*/
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int tls_prf_sha384(const unsigned char *secret, size_t slen,
- const char *label,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen);
-
-static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
-static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
-#endif /* MBEDTLS_MD_CAN_SHA384*/
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls12_session_load(mbedtls_ssl_session *session,
- const unsigned char *buf,
- size_t len);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
-#endif /* MBEDTLS_MD_CAN_SHA256*/
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
-#endif /* MBEDTLS_MD_CAN_SHA384*/
-
-int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
- const unsigned char *secret, size_t slen,
- const char *label,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen)
-{
- mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
-
- switch (prf) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_SSL_TLS_PRF_SHA384:
- tls_prf = tls_prf_sha384;
- break;
-#endif /* MBEDTLS_MD_CAN_SHA384*/
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_SSL_TLS_PRF_SHA256:
- tls_prf = tls_prf_sha256;
- break;
-#endif /* MBEDTLS_MD_CAN_SHA256*/
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- default:
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
-}
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
-{
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- if (session->peer_cert != NULL) {
- mbedtls_x509_crt_free(session->peer_cert);
- mbedtls_free(session->peer_cert);
- session->peer_cert = NULL;
- }
-#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if (session->peer_cert_digest != NULL) {
- /* Zeroization is not necessary. */
- mbedtls_free(session->peer_cert_digest);
- session->peer_cert_digest = NULL;
- session->peer_cert_digest_type = MBEDTLS_MD_NONE;
- session->peer_cert_digest_len = 0;
- }
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
-{
- switch (extension_type) {
- case MBEDTLS_TLS_EXT_SERVERNAME:
- return MBEDTLS_SSL_EXT_ID_SERVERNAME;
-
- case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
- return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
-
- case MBEDTLS_TLS_EXT_STATUS_REQUEST:
- return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
-
- case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
- return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
-
- case MBEDTLS_TLS_EXT_SIG_ALG:
- return MBEDTLS_SSL_EXT_ID_SIG_ALG;
-
- case MBEDTLS_TLS_EXT_USE_SRTP:
- return MBEDTLS_SSL_EXT_ID_USE_SRTP;
-
- case MBEDTLS_TLS_EXT_HEARTBEAT:
- return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
-
- case MBEDTLS_TLS_EXT_ALPN:
- return MBEDTLS_SSL_EXT_ID_ALPN;
-
- case MBEDTLS_TLS_EXT_SCT:
- return MBEDTLS_SSL_EXT_ID_SCT;
-
- case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
- return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
-
- case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
- return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
-
- case MBEDTLS_TLS_EXT_PADDING:
- return MBEDTLS_SSL_EXT_ID_PADDING;
-
- case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
- return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
-
- case MBEDTLS_TLS_EXT_EARLY_DATA:
- return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
-
- case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
- return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
-
- case MBEDTLS_TLS_EXT_COOKIE:
- return MBEDTLS_SSL_EXT_ID_COOKIE;
-
- case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
- return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
-
- case MBEDTLS_TLS_EXT_CERT_AUTH:
- return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
-
- case MBEDTLS_TLS_EXT_OID_FILTERS:
- return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
-
- case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
- return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
-
- case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
- return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
-
- case MBEDTLS_TLS_EXT_KEY_SHARE:
- return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
-
- case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
- return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
-
- case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
- return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
-
- case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
- return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
-
- case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
- return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
-
- case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
- return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
-
- case MBEDTLS_TLS_EXT_SESSION_TICKET:
- return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
-
- }
-
- return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
-}
-
-uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
-{
- return 1 << mbedtls_ssl_get_extension_id(extension_type);
-}
-
-#if defined(MBEDTLS_DEBUG_C)
-static const char *extension_name_table[] = {
- [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
- [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
- [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
- [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
- [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
- [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
- [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
- [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
- [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
- [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
- [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
- [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
- [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
- [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
- [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
- [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
- [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
- [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
- [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
- [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
- [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
- [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
- [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
- [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
- [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
- [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
- [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
- [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
- [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
-};
-
-static const unsigned int extension_type_table[] = {
- [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
- [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
- [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
- [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
- [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
- [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
- [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
- [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
- [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
- [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
- [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
- [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
- [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
- [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
- [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
- [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
- [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
- [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
- [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
- [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
- [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
- [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
- [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
- [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
- [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
- [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
- [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
- [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
- [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
-};
-
-const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
-{
- return extension_name_table[
- mbedtls_ssl_get_extension_id(extension_type)];
-}
-
-static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
-{
- switch (hs_msg_type) {
- case MBEDTLS_SSL_HS_CLIENT_HELLO:
- return "ClientHello";
- case MBEDTLS_SSL_HS_SERVER_HELLO:
- return "ServerHello";
- case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
- return "HelloRetryRequest";
- case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
- return "NewSessionTicket";
- case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
- return "EncryptedExtensions";
- case MBEDTLS_SSL_HS_CERTIFICATE:
- return "Certificate";
- case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
- return "CertificateRequest";
- }
- return "Unknown";
-}
-
-void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
- int level, const char *file, int line,
- int hs_msg_type, unsigned int extension_type,
- const char *extra_msg0, const char *extra_msg1)
-{
- const char *extra_msg;
- if (extra_msg0 && extra_msg1) {
- mbedtls_debug_print_msg(
- ssl, level, file, line,
- "%s: %s(%u) extension %s %s.",
- ssl_tls13_get_hs_msg_name(hs_msg_type),
- mbedtls_ssl_get_extension_name(extension_type),
- extension_type,
- extra_msg0, extra_msg1);
- return;
- }
-
- extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
- if (extra_msg) {
- mbedtls_debug_print_msg(
- ssl, level, file, line,
- "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
- mbedtls_ssl_get_extension_name(extension_type), extension_type,
- extra_msg);
- return;
- }
-
- mbedtls_debug_print_msg(
- ssl, level, file, line,
- "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
- mbedtls_ssl_get_extension_name(extension_type), extension_type);
-}
-
-void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
- int level, const char *file, int line,
- int hs_msg_type, uint32_t extensions_mask,
- const char *extra)
-{
-
- for (unsigned i = 0;
- i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
- i++) {
- mbedtls_ssl_print_extension(
- ssl, level, file, line, hs_msg_type, extension_type_table[i],
- extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
- }
-}
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-static const char *ticket_flag_name_table[] =
-{
- [0] = "ALLOW_PSK_RESUMPTION",
- [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
- [3] = "ALLOW_EARLY_DATA",
-};
-
-void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
- int level, const char *file, int line,
- unsigned int flags)
-{
- size_t i;
-
- mbedtls_debug_print_msg(ssl, level, file, line,
- "print ticket_flags (0x%02x)", flags);
-
- flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
-
- for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
- if ((flags & (1 << i))) {
- mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
- ticket_flag_name_table[i]);
- }
- }
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
-
-#endif /* MBEDTLS_DEBUG_C */
-
-void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
-{
- ((void) ciphersuite_info);
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
- ssl->handshake->update_checksum = ssl_update_checksum_sha384;
- } else
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
- ssl->handshake->update_checksum = ssl_update_checksum_sha256;
- } else
-#endif
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return;
- }
-}
-
-int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- size_t total_hs_len)
-{
- unsigned char hs_hdr[4];
-
- /* Build HS header for checksum update. */
- hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
- hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
- hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
- hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
-
- return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
-}
-
-int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- unsigned char const *msg,
- size_t msg_len)
-{
- int ret;
- ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
- if (ret != 0) {
- return ret;
- }
- return ssl->handshake->update_checksum(ssl, msg, msg_len);
-}
-
-int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_MD_CAN_SHA256) || \
- defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#endif
-#else /* SHA-256 or SHA-384 */
- ((void) ssl);
-#endif /* SHA-256 or SHA-384 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
- if (status != PSA_SUCCESS) {
- return mbedtls_md_error_from_psa(status);
- }
- status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
- if (status != PSA_SUCCESS) {
- return mbedtls_md_error_from_psa(status);
- }
-#else
- mbedtls_md_free(&ssl->handshake->fin_sha256);
- mbedtls_md_init(&ssl->handshake->fin_sha256);
- ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
- mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
- 0);
- if (ret != 0) {
- return ret;
- }
- ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
- if (ret != 0) {
- return ret;
- }
-#endif
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
- if (status != PSA_SUCCESS) {
- return mbedtls_md_error_from_psa(status);
- }
- status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
- if (status != PSA_SUCCESS) {
- return mbedtls_md_error_from_psa(status);
- }
-#else
- mbedtls_md_free(&ssl->handshake->fin_sha384);
- mbedtls_md_init(&ssl->handshake->fin_sha384);
- ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
- mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
- if (ret != 0) {
- return ret;
- }
- ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
- if (ret != 0) {
- return ret;
- }
-#endif
-#endif
- return 0;
-}
-
-static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
-{
-#if defined(MBEDTLS_MD_CAN_SHA256) || \
- defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#endif
-#else /* SHA-256 or SHA-384 */
- ((void) ssl);
- (void) buf;
- (void) len;
-#endif /* SHA-256 or SHA-384 */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
- if (status != PSA_SUCCESS) {
- return mbedtls_md_error_from_psa(status);
- }
-#else
- ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
- if (ret != 0) {
- return ret;
- }
-#endif
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
- if (status != PSA_SUCCESS) {
- return mbedtls_md_error_from_psa(status);
- }
-#else
- ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
- if (ret != 0) {
- return ret;
- }
-#endif
-#endif
- return 0;
-}
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- return mbedtls_md_error_from_psa(psa_hash_update(
- &ssl->handshake->fin_sha256_psa, buf, len));
-#else
- return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
-#endif
-}
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- return mbedtls_md_error_from_psa(psa_hash_update(
- &ssl->handshake->fin_sha384_psa, buf, len));
-#else
- return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
-#endif
-}
-#endif
-
-static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
-{
- memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- handshake->fin_sha256_psa = psa_hash_operation_init();
-#else
- mbedtls_md_init(&handshake->fin_sha256);
-#endif
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- handshake->fin_sha384_psa = psa_hash_operation_init();
-#else
- mbedtls_md_init(&handshake->fin_sha384);
-#endif
-#endif
-
- handshake->update_checksum = ssl_update_checksum_start;
-
-#if defined(MBEDTLS_DHM_C)
- mbedtls_dhm_init(&handshake->dhm_ctx);
-#endif
-#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
- mbedtls_ecdh_init(&handshake->ecdh_ctx);
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- handshake->psa_pake_ctx = psa_pake_operation_init();
- handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
-#else
- mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_SSL_CLI_C)
- handshake->ecjpake_cache = NULL;
- handshake->ecjpake_cache_len = 0;
-#endif
-#endif
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
-#endif
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- mbedtls_pk_init(&handshake->peer_pubkey);
-#endif
-}
-
-void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
-{
- memset(transform, 0, sizeof(mbedtls_ssl_transform));
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
- transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
-#else
- mbedtls_cipher_init(&transform->cipher_ctx_enc);
- mbedtls_cipher_init(&transform->cipher_ctx_dec);
-#endif
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
- transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
-#else
- mbedtls_md_init(&transform->md_ctx_enc);
- mbedtls_md_init(&transform->md_ctx_dec);
-#endif
-#endif
-}
-
-void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
-{
- memset(session, 0, sizeof(mbedtls_ssl_session));
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_handshake_init(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Clear old handshake information if present */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->transform_negotiate) {
- mbedtls_ssl_transform_free(ssl->transform_negotiate);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- if (ssl->session_negotiate) {
- mbedtls_ssl_session_free(ssl->session_negotiate);
- }
- if (ssl->handshake) {
- mbedtls_ssl_handshake_free(ssl);
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /*
- * Either the pointers are now NULL or cleared properly and can be freed.
- * Now allocate missing structures.
- */
- if (ssl->transform_negotiate == NULL) {
- ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- if (ssl->session_negotiate == NULL) {
- ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
- }
-
- if (ssl->handshake == NULL) {
- ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
- }
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- /* If the buffers are too small - reallocate */
-
- handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
- MBEDTLS_SSL_OUT_BUFFER_LEN);
-#endif
-
- /* All pointers should exist and can be directly freed without issue */
- if (ssl->handshake == NULL ||
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- ssl->transform_negotiate == NULL ||
-#endif
- ssl->session_negotiate == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
-
- mbedtls_free(ssl->handshake);
- ssl->handshake = NULL;
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- mbedtls_free(ssl->transform_negotiate);
- ssl->transform_negotiate = NULL;
-#endif
-
- mbedtls_free(ssl->session_negotiate);
- ssl->session_negotiate = NULL;
-
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
-#if defined(MBEDTLS_SSL_CLI_C)
- ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
-#endif
-#if defined(MBEDTLS_SSL_SRV_C)
- ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
-#endif
- ssl->total_early_data_size = 0;
-#endif /* MBEDTLS_SSL_EARLY_DATA */
-
- /* Initialize structures */
- mbedtls_ssl_session_init(ssl->session_negotiate);
- ssl_handshake_params_init(ssl->handshake);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- mbedtls_ssl_transform_init(ssl->transform_negotiate);
-#endif
-
- /* Setup handshake checksums */
- ret = mbedtls_ssl_reset_checksum(ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
- return ret;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SRV_C) && \
- defined(MBEDTLS_SSL_SESSION_TICKETS)
- ssl->handshake->new_session_tickets_count =
- ssl->conf->new_session_tickets_count;
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- ssl->handshake->alt_transform_out = ssl->transform_out;
-
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
- } else {
- ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
- }
-
- mbedtls_ssl_set_timer(ssl, 0);
- }
-#endif
-
-/*
- * curve_list is translated to IANA TLS group identifiers here because
- * mbedtls_ssl_conf_curves returns void and so can't return
- * any error codes.
- */
-#if defined(MBEDTLS_ECP_C)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- /* Heap allocate and translate curve_list from internal to IANA group ids */
- if (ssl->conf->curve_list != NULL) {
- size_t length;
- const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
-
- for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
- }
-
- /* Leave room for zero termination */
- uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
- if (group_list == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- for (size_t i = 0; i < length; i++) {
- uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
- curve_list[i]);
- if (tls_id == 0) {
- mbedtls_free(group_list);
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
- }
- group_list[i] = tls_id;
- }
-
- group_list[length] = 0;
-
- ssl->handshake->group_list = group_list;
- ssl->handshake->group_list_heap_allocated = 1;
- } else {
- ssl->handshake->group_list = ssl->conf->group_list;
- ssl->handshake->group_list_heap_allocated = 0;
- }
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /* Heap allocate and translate sig_hashes from internal hash identifiers to
- signature algorithms IANA identifiers. */
- if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
- ssl->conf->sig_hashes != NULL) {
- const int *md;
- const int *sig_hashes = ssl->conf->sig_hashes;
- size_t sig_algs_len = 0;
- uint16_t *p;
-
- MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
- <= (SIZE_MAX - (2 * sizeof(uint16_t))),
- "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
-
- for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
- if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
- continue;
- }
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- sig_algs_len += sizeof(uint16_t);
-#endif
-
-#if defined(MBEDTLS_RSA_C)
- sig_algs_len += sizeof(uint16_t);
-#endif
- if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
- }
- }
-
- if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
- }
-
- ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
- sizeof(uint16_t));
- if (ssl->handshake->sig_algs == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- p = (uint16_t *) ssl->handshake->sig_algs;
- for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
- unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
- if (hash == MBEDTLS_SSL_HASH_NONE) {
- continue;
- }
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
- p++;
-#endif
-#if defined(MBEDTLS_RSA_C)
- *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
- p++;
-#endif
- }
- *p = MBEDTLS_TLS_SIG_NONE;
- ssl->handshake->sig_algs_heap_allocated = 1;
- } else
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- {
- ssl->handshake->sig_algs_heap_allocated = 0;
- }
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
-/* Dummy cookie callbacks for defaults */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_cookie_write_dummy(void *ctx,
- unsigned char **p, unsigned char *end,
- const unsigned char *cli_id, size_t cli_id_len)
-{
- ((void) ctx);
- ((void) p);
- ((void) end);
- ((void) cli_id);
- ((void) cli_id_len);
-
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_cookie_check_dummy(void *ctx,
- const unsigned char *cookie, size_t cookie_len,
- const unsigned char *cli_id, size_t cli_id_len)
-{
- ((void) ctx);
- ((void) cookie);
- ((void) cookie_len);
- ((void) cli_id);
- ((void) cli_id_len);
-
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-}
-#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
-
-/*
- * Initialize an SSL context
- */
-void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
-{
- memset(ssl, 0, sizeof(mbedtls_ssl_context));
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
-{
- const mbedtls_ssl_config *conf = ssl->conf;
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (mbedtls_ssl_conf_is_tls13_only(conf)) {
- if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
- return 0;
- }
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (mbedtls_ssl_conf_is_tls12_only(conf)) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
- return 0;
- }
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
- return 0;
- }
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_conf_check(const mbedtls_ssl_context *ssl)
-{
- int ret;
- ret = ssl_conf_version_check(ssl);
- if (ret != 0) {
- return ret;
- }
-
- if (ssl->conf->f_rng == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
- return MBEDTLS_ERR_SSL_NO_RNG;
- }
-
- /* Space for further checks */
-
- return 0;
-}
-
-/*
- * Setup an SSL context
- */
-
-int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
- const mbedtls_ssl_config *conf)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-
- ssl->conf = conf;
-
- if ((ret = ssl_conf_check(ssl)) != 0) {
- return ret;
- }
- ssl->tls_version = ssl->conf->max_tls_version;
-
- /*
- * Prepare base structures
- */
-
- /* Set to NULL in case of an error condition */
- ssl->out_buf = NULL;
-
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- ssl->in_buf_len = in_buf_len;
-#endif
- ssl->in_buf = mbedtls_calloc(1, in_buf_len);
- if (ssl->in_buf == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
- ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
- goto error;
- }
-
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- ssl->out_buf_len = out_buf_len;
-#endif
- ssl->out_buf = mbedtls_calloc(1, out_buf_len);
- if (ssl->out_buf == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
- ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
- goto error;
- }
-
- mbedtls_ssl_reset_in_pointers(ssl);
- mbedtls_ssl_reset_out_pointers(ssl);
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
- memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
-#endif
-
- if ((ret = ssl_handshake_init(ssl)) != 0) {
- goto error;
- }
-
- return 0;
-
-error:
- mbedtls_free(ssl->in_buf);
- mbedtls_free(ssl->out_buf);
-
- ssl->conf = NULL;
-
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- ssl->in_buf_len = 0;
- ssl->out_buf_len = 0;
-#endif
- ssl->in_buf = NULL;
- ssl->out_buf = NULL;
-
- ssl->in_hdr = NULL;
- ssl->in_ctr = NULL;
- ssl->in_len = NULL;
- ssl->in_iv = NULL;
- ssl->in_msg = NULL;
-
- ssl->out_hdr = NULL;
- ssl->out_ctr = NULL;
- ssl->out_len = NULL;
- ssl->out_iv = NULL;
- ssl->out_msg = NULL;
-
- return ret;
-}
-
-/*
- * Reset an initialized and used SSL context for re-use while retaining
- * all application-set variables, function pointers and data.
- *
- * If partial is non-zero, keep data in the input buffer and client ID.
- * (Use when a DTLS client reconnects from the same port.)
- */
-void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
- int partial)
-{
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t in_buf_len = ssl->in_buf_len;
- size_t out_buf_len = ssl->out_buf_len;
-#else
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-#endif
-
-#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
- partial = 0;
-#endif
-
- /* Cancel any possibly running timer */
- mbedtls_ssl_set_timer(ssl, 0);
-
- mbedtls_ssl_reset_in_pointers(ssl);
- mbedtls_ssl_reset_out_pointers(ssl);
-
- /* Reset incoming message parsing */
- ssl->in_offt = NULL;
- ssl->nb_zero = 0;
- ssl->in_msgtype = 0;
- ssl->in_msglen = 0;
- ssl->in_hslen = 0;
- ssl->keep_current_message = 0;
- ssl->transform_in = NULL;
-
- /* TLS: reset in_hsfraglen, which is part of message parsing.
- * DTLS: on a client reconnect, don't reset badmac_seen. */
- if (!partial) {
- ssl->badmac_seen_or_in_hsfraglen = 0;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- ssl->next_record_offset = 0;
- ssl->in_epoch = 0;
-#endif
-
- /* Keep current datagram if partial == 1 */
- if (partial == 0) {
- ssl->in_left = 0;
- memset(ssl->in_buf, 0, in_buf_len);
- }
-
- ssl->send_alert = 0;
-
- /* Reset outgoing message writing */
- ssl->out_msgtype = 0;
- ssl->out_msglen = 0;
- ssl->out_left = 0;
- memset(ssl->out_buf, 0, out_buf_len);
- memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
- ssl->transform_out = NULL;
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
- mbedtls_ssl_dtls_replay_reset(ssl);
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->transform) {
- mbedtls_ssl_transform_free(ssl->transform);
- mbedtls_free(ssl->transform);
- ssl->transform = NULL;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_transform_free(ssl->transform_application);
- mbedtls_free(ssl->transform_application);
- ssl->transform_application = NULL;
-
- if (ssl->handshake != NULL) {
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
- mbedtls_free(ssl->handshake->transform_earlydata);
- ssl->handshake->transform_earlydata = NULL;
-#endif
-
- mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
- mbedtls_free(ssl->handshake->transform_handshake);
- ssl->handshake->transform_handshake = NULL;
- }
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-}
-
-int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
- ssl->tls_version = ssl->conf->max_tls_version;
-
- mbedtls_ssl_session_reset_msg_layer(ssl, partial);
-
- /* Reset renegotiation state */
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
- ssl->renego_records_seen = 0;
-
- ssl->verify_data_len = 0;
- memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
- memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
-#endif
- ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
-
- ssl->session_in = NULL;
- ssl->session_out = NULL;
- if (ssl->session) {
- mbedtls_ssl_session_free(ssl->session);
- mbedtls_free(ssl->session);
- ssl->session = NULL;
- }
-
-#if defined(MBEDTLS_SSL_ALPN)
- ssl->alpn_chosen = NULL;
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
- int free_cli_id = 1;
-#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
- free_cli_id = (partial == 0);
-#endif
- if (free_cli_id) {
- mbedtls_free(ssl->cli_id);
- ssl->cli_id = NULL;
- ssl->cli_id_len = 0;
- }
-#endif
-
- if ((ret = ssl_handshake_init(ssl)) != 0) {
- return ret;
- }
-
- return 0;
-}
-
-/*
- * Reset an initialized and used SSL context for re-use while retaining
- * all application-set variables, function pointers and data.
- */
-int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
-{
- return mbedtls_ssl_session_reset_int(ssl, 0);
-}
-
-/*
- * SSL set accessors
- */
-void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
-{
- conf->endpoint = endpoint;
-}
-
-void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
-{
- conf->transport = transport;
-}
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
-{
- conf->anti_replay = mode;
-}
-#endif
-
-void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
-{
- conf->badmac_limit = limit;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-
-void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
- unsigned allow_packing)
-{
- ssl->disable_datagram_packing = !allow_packing;
-}
-
-void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
- uint32_t min, uint32_t max)
-{
- conf->hs_timeout_min = min;
- conf->hs_timeout_max = max;
-}
-#endif
-
-void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
-{
- conf->authmode = authmode;
-}
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
- void *p_vrfy)
-{
- conf->f_vrfy = f_vrfy;
- conf->p_vrfy = p_vrfy;
-}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
-{
- conf->f_rng = f_rng;
- conf->p_rng = p_rng;
-}
-
-void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
- void (*f_dbg)(void *, int, const char *, int, const char *),
- void *p_dbg)
-{
- conf->f_dbg = f_dbg;
- conf->p_dbg = p_dbg;
-}
-
-void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
- void *p_bio,
- mbedtls_ssl_send_t *f_send,
- mbedtls_ssl_recv_t *f_recv,
- mbedtls_ssl_recv_timeout_t *f_recv_timeout)
-{
- ssl->p_bio = p_bio;
- ssl->f_send = f_send;
- ssl->f_recv = f_recv;
- ssl->f_recv_timeout = f_recv_timeout;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
-{
- ssl->mtu = mtu;
-}
-#endif
-
-void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
-{
- conf->read_timeout = timeout;
-}
-
-void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
- void *p_timer,
- mbedtls_ssl_set_timer_t *f_set_timer,
- mbedtls_ssl_get_timer_t *f_get_timer)
-{
- ssl->p_timer = p_timer;
- ssl->f_set_timer = f_set_timer;
- ssl->f_get_timer = f_get_timer;
-
- /* Make sure we start with no timer running */
- mbedtls_ssl_set_timer(ssl, 0);
-}
-
-#if defined(MBEDTLS_SSL_SRV_C)
-void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
- void *p_cache,
- mbedtls_ssl_cache_get_t *f_get_cache,
- mbedtls_ssl_cache_set_t *f_set_cache)
-{
- conf->p_cache = p_cache;
- conf->f_get_cache = f_get_cache;
- conf->f_set_cache = f_set_cache;
-}
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_CLI_C)
-int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ssl == NULL ||
- session == NULL ||
- ssl->session_negotiate == NULL ||
- ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (ssl->handshake->resume == 1) {
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
-
- if (mbedtls_ssl_validate_ciphersuite(
- ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
- MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
- session->ciphersuite));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-#else
- /*
- * If session tickets are not enabled, it is not possible to resume a
- * TLS 1.3 session, thus do not make any change to the SSL context in
- * the first place.
- */
- return 0;
-#endif
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
- session)) != 0) {
- return ret;
- }
-
- ssl->handshake->resume = 1;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_CLI_C */
-
-void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
- const int *ciphersuites)
-{
- conf->ciphersuite_list = ciphersuites;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
- const int kex_modes)
-{
- conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
-}
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
-void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
- int early_data_enabled)
-{
- conf->early_data_enabled = early_data_enabled;
-}
-
-#if defined(MBEDTLS_SSL_SRV_C)
-void mbedtls_ssl_conf_max_early_data_size(
- mbedtls_ssl_config *conf, uint32_t max_early_data_size)
-{
- conf->max_early_data_size = max_early_data_size;
-}
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#endif /* MBEDTLS_SSL_EARLY_DATA */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
- const mbedtls_x509_crt_profile *profile)
-{
- conf->cert_profile = profile;
-}
-
-static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
-{
- mbedtls_ssl_key_cert *cur = key_cert, *next;
-
- while (cur != NULL) {
- next = cur->next;
- mbedtls_free(cur);
- cur = next;
- }
-}
-
-/* Append a new keycert entry to a (possibly empty) list */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
- mbedtls_x509_crt *cert,
- mbedtls_pk_context *key)
-{
- mbedtls_ssl_key_cert *new_cert;
-
- if (cert == NULL) {
- /* Free list if cert is null */
- ssl_key_cert_free(*head);
- *head = NULL;
- return 0;
- }
-
- new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
- if (new_cert == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- new_cert->cert = cert;
- new_cert->key = key;
- new_cert->next = NULL;
-
- /* Update head if the list was null, else add to the end */
- if (*head == NULL) {
- *head = new_cert;
- } else {
- mbedtls_ssl_key_cert *cur = *head;
- while (cur->next != NULL) {
- cur = cur->next;
- }
- cur->next = new_cert;
- }
-
- return 0;
-}
-
-int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
- mbedtls_x509_crt *own_cert,
- mbedtls_pk_context *pk_key)
-{
- return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
-}
-
-void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
- mbedtls_x509_crt *ca_chain,
- mbedtls_x509_crl *ca_crl)
-{
- conf->ca_chain = ca_chain;
- conf->ca_crl = ca_crl;
-
-#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
- /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
- * cannot be used together. */
- conf->f_ca_cb = NULL;
- conf->p_ca_cb = NULL;
-#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
-}
-
-#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
-void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
- mbedtls_x509_crt_ca_cb_t f_ca_cb,
- void *p_ca_cb)
-{
- conf->f_ca_cb = f_ca_cb;
- conf->p_ca_cb = p_ca_cb;
-
- /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
- * cannot be used together. */
- conf->ca_chain = NULL;
- conf->ca_crl = NULL;
-}
-#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
- size_t *name_len)
-{
- *name_len = ssl->handshake->sni_name_len;
- return ssl->handshake->sni_name;
-}
-
-int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
- mbedtls_x509_crt *own_cert,
- mbedtls_pk_context *pk_key)
-{
- return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
- own_cert, pk_key);
-}
-
-void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
- mbedtls_x509_crt *ca_chain,
- mbedtls_x509_crl *ca_crl)
-{
- ssl->handshake->sni_ca_chain = ca_chain;
- ssl->handshake->sni_ca_crl = ca_crl;
-}
-
-#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
-void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
- const mbedtls_x509_crt *crt)
-{
- ssl->handshake->dn_hints = crt;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
-
-void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
- int authmode)
-{
- ssl->handshake->sni_authmode = authmode;
-}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
- void *p_vrfy)
-{
- ssl->f_vrfy = f_vrfy;
- ssl->p_vrfy = p_vrfy;
-}
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
-static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
-
-static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
- mbedtls_ssl_context *ssl,
- mbedtls_svc_key_id_t pwd)
-{
- psa_status_t status;
- psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
- const uint8_t *user = NULL;
- size_t user_len = 0;
- const uint8_t *peer = NULL;
- size_t peer_len = 0;
- psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
- psa_pake_cs_set_primitive(&cipher_suite,
- PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
- PSA_ECC_FAMILY_SECP_R1,
- 256));
- psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
-
- status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- user = jpake_server_id;
- user_len = sizeof(jpake_server_id);
- peer = jpake_client_id;
- peer_len = sizeof(jpake_client_id);
- } else {
- user = jpake_client_id;
- user_len = sizeof(jpake_client_id);
- peer = jpake_server_id;
- peer_len = sizeof(jpake_server_id);
- }
-
- status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- ssl->handshake->psa_pake_ctx_is_ok = 1;
-
- return PSA_SUCCESS;
-}
-
-int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
- const unsigned char *pw,
- size_t pw_len)
-{
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_status_t status;
-
- if (ssl->handshake == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* Empty password is not valid */
- if ((pw == NULL) || (pw_len == 0)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
- psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
-
- status = psa_import_key(&attributes, pw, pw_len,
- &ssl->handshake->psa_pake_password);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
- ssl->handshake->psa_pake_password);
- if (status != PSA_SUCCESS) {
- psa_destroy_key(ssl->handshake->psa_pake_password);
- psa_pake_abort(&ssl->handshake->psa_pake_ctx);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- return 0;
-}
-
-int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
- mbedtls_svc_key_id_t pwd)
-{
- psa_status_t status;
-
- if (ssl->handshake == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (mbedtls_svc_key_id_is_null(pwd)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
- if (status != PSA_SUCCESS) {
- psa_pake_abort(&ssl->handshake->psa_pake_ctx);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- return 0;
-}
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
- const unsigned char *pw,
- size_t pw_len)
-{
- mbedtls_ecjpake_role role;
-
- if (ssl->handshake == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* Empty password is not valid */
- if ((pw == NULL) || (pw_len == 0)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- role = MBEDTLS_ECJPAKE_SERVER;
- } else {
- role = MBEDTLS_ECJPAKE_CLIENT;
- }
-
- return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
- role,
- MBEDTLS_MD_SHA256,
- MBEDTLS_ECP_DP_SECP256R1,
- pw, pw_len);
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
-{
- if (conf->psk_identity == NULL ||
- conf->psk_identity_len == 0) {
- return 0;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
- return 1;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- if (conf->psk != NULL && conf->psk_len != 0) {
- return 1;
- }
-
- return 0;
-}
-
-static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
-{
- /* Remove reference to existing PSK, if any. */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
- /* The maintenance of the PSK key slot is the
- * user's responsibility. */
- conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- if (conf->psk != NULL) {
- mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
- conf->psk = NULL;
- conf->psk_len = 0;
- }
-
- /* Remove reference to PSK identity, if any. */
- if (conf->psk_identity != NULL) {
- mbedtls_free(conf->psk_identity);
- conf->psk_identity = NULL;
- conf->psk_identity_len = 0;
- }
-}
-
-/* This function assumes that PSK identity in the SSL config is unset.
- * It checks that the provided identity is well-formed and attempts
- * to make a copy of it in the SSL config.
- * On failure, the PSK identity in the config remains unset. */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
- unsigned char const *psk_identity,
- size_t psk_identity_len)
-{
- /* Identity len will be encoded on two bytes */
- if (psk_identity == NULL ||
- psk_identity_len == 0 ||
- (psk_identity_len >> 16) != 0 ||
- psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
- if (conf->psk_identity == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- conf->psk_identity_len = psk_identity_len;
- memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
-
- return 0;
-}
-
-int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
- const unsigned char *psk, size_t psk_len,
- const unsigned char *psk_identity, size_t psk_identity_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* We currently only support one PSK, raw or opaque. */
- if (mbedtls_ssl_conf_has_static_psk(conf)) {
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- /* Check and set raw PSK */
- if (psk == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (psk_len == 0) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (psk_len > MBEDTLS_PSK_MAX_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
- conf->psk_len = psk_len;
- memcpy(conf->psk, psk, conf->psk_len);
-
- /* Check and set PSK Identity */
- ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
- if (ret != 0) {
- ssl_conf_remove_psk(conf);
- }
-
- return ret;
-}
-
-static void ssl_remove_psk(mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
- /* The maintenance of the external PSK key slot is the
- * user's responsibility. */
- if (ssl->handshake->psk_opaque_is_internal) {
- psa_destroy_key(ssl->handshake->psk_opaque);
- ssl->handshake->psk_opaque_is_internal = 0;
- }
- ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
- }
-#else
- if (ssl->handshake->psk != NULL) {
- mbedtls_zeroize_and_free(ssl->handshake->psk,
- ssl->handshake->psk_len);
- ssl->handshake->psk_len = 0;
- ssl->handshake->psk = NULL;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-}
-
-int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
- const unsigned char *psk, size_t psk_len)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_attributes_t key_attributes = psa_key_attributes_init();
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_algorithm_t alg = PSA_ALG_NONE;
- mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- if (psk == NULL || ssl->handshake == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (psk_len > MBEDTLS_PSK_MAX_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl_remove_psk(ssl);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
- if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
- alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
- } else {
- alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
- }
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
- psa_set_key_usage_flags(&key_attributes,
- PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- psa_set_key_algorithm(&key_attributes, alg);
- psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
-
- status = psa_import_key(&key_attributes, psk, psk_len, &key);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- /* Allow calling psa_destroy_key() on psk remove */
- ssl->handshake->psk_opaque_is_internal = 1;
- return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
-#else
- if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- ssl->handshake->psk_len = psk_len;
- memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
-
- return 0;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
- mbedtls_svc_key_id_t psk,
- const unsigned char *psk_identity,
- size_t psk_identity_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* We currently only support one PSK, raw or opaque. */
- if (mbedtls_ssl_conf_has_static_psk(conf)) {
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- /* Check and set opaque PSK */
- if (mbedtls_svc_key_id_is_null(psk)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- conf->psk_opaque = psk;
-
- /* Check and set PSK Identity */
- ret = ssl_conf_set_psk_identity(conf, psk_identity,
- psk_identity_len);
- if (ret != 0) {
- ssl_conf_remove_psk(conf);
- }
-
- return ret;
-}
-
-int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
- mbedtls_svc_key_id_t psk)
-{
- if ((mbedtls_svc_key_id_is_null(psk)) ||
- (ssl->handshake == NULL)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl_remove_psk(ssl);
- ssl->handshake->psk_opaque = psk;
- return 0;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_SRV_C)
-void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
- int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
- size_t),
- void *p_psk)
-{
- conf->f_psk = f_psk;
- conf->p_psk = p_psk;
-}
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
- psa_algorithm_t alg)
-{
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- if (alg == PSA_ALG_CBC_NO_PADDING) {
- return MBEDTLS_SSL_MODE_CBC;
- }
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
- if (PSA_ALG_IS_AEAD(alg)) {
- return MBEDTLS_SSL_MODE_AEAD;
- }
- return MBEDTLS_SSL_MODE_STREAM;
-}
-
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-
-static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
- mbedtls_cipher_mode_t mode)
-{
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- if (mode == MBEDTLS_MODE_CBC) {
- return MBEDTLS_SSL_MODE_CBC;
- }
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
-
-#if defined(MBEDTLS_GCM_C) || \
- defined(MBEDTLS_CCM_C) || \
- defined(MBEDTLS_CHACHAPOLY_C)
- if (mode == MBEDTLS_MODE_GCM ||
- mode == MBEDTLS_MODE_CCM ||
- mode == MBEDTLS_MODE_CHACHAPOLY) {
- return MBEDTLS_SSL_MODE_AEAD;
- }
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
-
- return MBEDTLS_SSL_MODE_STREAM;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
- mbedtls_ssl_mode_t base_mode,
- int encrypt_then_mac)
-{
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
- base_mode == MBEDTLS_SSL_MODE_CBC) {
- return MBEDTLS_SSL_MODE_CBC_ETM;
- }
-#else
- (void) encrypt_then_mac;
-#endif
- return base_mode;
-}
-
-mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
- const mbedtls_ssl_transform *transform)
-{
- mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- transform->psa_alg
-#else
- mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
-#endif
- );
-
- int encrypt_then_mac = 0;
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- encrypt_then_mac = transform->encrypt_then_mac;
-#endif
- return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
-}
-
-mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- int encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
- const mbedtls_ssl_ciphersuite_t *suite)
-{
- mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status;
- psa_algorithm_t alg;
- psa_key_type_t type;
- size_t size;
- status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
- 0, &alg, &type, &size);
- if (status == PSA_SUCCESS) {
- base_mode = mbedtls_ssl_get_base_mode(alg);
- }
-#else
- const mbedtls_cipher_info_t *cipher =
- mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
- if (cipher != NULL) {
- base_mode =
- mbedtls_ssl_get_base_mode(
- mbedtls_cipher_info_get_mode(cipher));
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- int encrypt_then_mac = 0;
-#endif
- return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-
-psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
- size_t taglen,
- psa_algorithm_t *alg,
- psa_key_type_t *key_type,
- size_t *key_size)
-{
-#if !defined(MBEDTLS_SSL_HAVE_CCM)
- (void) taglen;
-#endif
- switch (mbedtls_cipher_type) {
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
- case MBEDTLS_CIPHER_AES_128_CBC:
- *alg = PSA_ALG_CBC_NO_PADDING;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_AES_128_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_AES_128_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_AES_192_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 192;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_AES_192_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 192;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
- case MBEDTLS_CIPHER_AES_256_CBC:
- *alg = PSA_ALG_CBC_NO_PADDING;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_AES_256_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_AES_256_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_AES;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
- case MBEDTLS_CIPHER_ARIA_128_CBC:
- *alg = PSA_ALG_CBC_NO_PADDING;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_ARIA_128_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_ARIA_128_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_ARIA_192_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 192;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_ARIA_192_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 192;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
- case MBEDTLS_CIPHER_ARIA_256_CBC:
- *alg = PSA_ALG_CBC_NO_PADDING;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_ARIA_256_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_ARIA_256_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_ARIA;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
- case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
- *alg = PSA_ALG_CBC_NO_PADDING;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 128;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 192;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 192;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
- case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
- *alg = PSA_ALG_CBC_NO_PADDING;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
- case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
- *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
- case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
- *alg = PSA_ALG_GCM;
- *key_type = PSA_KEY_TYPE_CAMELLIA;
- *key_size = 256;
- break;
-#endif
-#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
- case MBEDTLS_CIPHER_CHACHA20_POLY1305:
- *alg = PSA_ALG_CHACHA20_POLY1305;
- *key_type = PSA_KEY_TYPE_CHACHA20;
- *key_size = 256;
- break;
-#endif
- case MBEDTLS_CIPHER_NULL:
- *alg = MBEDTLS_SSL_NULL_CIPHER;
- *key_type = 0;
- *key_size = 0;
- break;
- default:
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return PSA_SUCCESS;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
- const unsigned char *dhm_P, size_t P_len,
- const unsigned char *dhm_G, size_t G_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_mpi_free(&conf->dhm_P);
- mbedtls_mpi_free(&conf->dhm_G);
-
- if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
- (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
- mbedtls_mpi_free(&conf->dhm_P);
- mbedtls_mpi_free(&conf->dhm_G);
- return ret;
- }
-
- return 0;
-}
-
-int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_mpi_free(&conf->dhm_P);
- mbedtls_mpi_free(&conf->dhm_G);
-
- if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
- &conf->dhm_P)) != 0 ||
- (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
- &conf->dhm_G)) != 0) {
- mbedtls_mpi_free(&conf->dhm_P);
- mbedtls_mpi_free(&conf->dhm_G);
- return ret;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
-/*
- * Set the minimum length for Diffie-Hellman parameters
- */
-void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
- unsigned int bitlen)
-{
- conf->dhm_min_bitlen = bitlen;
-}
-#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
-/*
- * Set allowed/preferred hashes for handshake signatures
- */
-void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
- const int *hashes)
-{
- conf->sig_hashes = hashes;
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
-
-/* Configure allowed signature algorithms for handshake */
-void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
- const uint16_t *sig_algs)
-{
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->sig_hashes = NULL;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
- conf->sig_algs = sig_algs;
-}
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_ECP_C)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/*
- * Set the allowed elliptic curves
- *
- * mbedtls_ssl_setup() takes the provided list
- * and translates it to a list of IANA TLS group identifiers,
- * stored in ssl->handshake->group_list.
- *
- */
-void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
- const mbedtls_ecp_group_id *curve_list)
-{
- conf->curve_list = curve_list;
- conf->group_list = NULL;
-}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_ECP_C */
-
-/*
- * Set the allowed groups
- */
-void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
- const uint16_t *group_list)
-{
-#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->curve_list = NULL;
-#endif
- conf->group_list = group_list;
-}
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-
-/* A magic value for `ssl->hostname` indicating that
- * mbedtls_ssl_set_hostname() has been called with `NULL`.
- * If mbedtls_ssl_set_hostname() has never been called on `ssl`, then
- * `ssl->hostname == NULL`. */
-static const char *const ssl_hostname_skip_cn_verification = "";
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-/** Whether mbedtls_ssl_set_hostname() has been called.
- *
- * \param[in] ssl SSL context
- *
- * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
- * (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
- * otherwise \c 0.
- */
-static int mbedtls_ssl_has_set_hostname_been_called(
- const mbedtls_ssl_context *ssl)
-{
- return ssl->hostname != NULL;
-}
-#endif
-
-/* Micro-optimization: don't export this function if it isn't needed outside
- * of this source file. */
-#if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-static
-#endif
-const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
-{
- if (ssl->hostname == ssl_hostname_skip_cn_verification) {
- return NULL;
- }
- return ssl->hostname;
-}
-
-static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
-{
- if (ssl->hostname != NULL &&
- ssl->hostname != ssl_hostname_skip_cn_verification) {
- mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
- }
- ssl->hostname = NULL;
-}
-
-int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
-{
- /* Initialize to suppress unnecessary compiler warning */
- size_t hostname_len = 0;
-
- /* Check if new hostname is valid before
- * making any change to current one */
- if (hostname != NULL) {
- hostname_len = strlen(hostname);
-
- if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- }
-
- /* Now it's clear that we will overwrite the old hostname,
- * so we can free it safely */
- mbedtls_ssl_free_hostname(ssl);
-
- if (hostname == NULL) {
- /* Passing NULL as hostname clears the old one, but leaves a
- * special marker to indicate that mbedtls_ssl_set_hostname()
- * has been called. */
- /* ssl->hostname should be const, but isn't. We won't actually
- * write to the buffer, so it's ok to cast away the const. */
- ssl->hostname = (char *) ssl_hostname_skip_cn_verification;
- } else {
- ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
- if (ssl->hostname == NULL) {
- /* mbedtls_ssl_set_hostname() has been called, but unsuccessfully.
- * Leave ssl->hostname in the same state as if the function had
- * not been called, i.e. a null pointer. */
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(ssl->hostname, hostname, hostname_len);
-
- ssl->hostname[hostname_len] = '\0';
- }
-
- return 0;
-}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
- int (*f_sni)(void *, mbedtls_ssl_context *,
- const unsigned char *, size_t),
- void *p_sni)
-{
- conf->f_sni = f_sni;
- conf->p_sni = p_sni;
-}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_ALPN)
-int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
-{
- size_t cur_len, tot_len;
- const char **p;
-
- /*
- * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
- * MUST NOT be truncated."
- * We check lengths now rather than later.
- */
- tot_len = 0;
- for (p = protos; *p != NULL; p++) {
- cur_len = strlen(*p);
- tot_len += cur_len;
-
- if ((cur_len == 0) ||
- (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
- (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- }
-
- conf->alpn_list = protos;
-
- return 0;
-}
-
-const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
-{
- return ssl->alpn_chosen;
-}
-#endif /* MBEDTLS_SSL_ALPN */
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
- int support_mki_value)
-{
- conf->dtls_srtp_mki_support = support_mki_value;
-}
-
-int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
- unsigned char *mki_value,
- uint16_t mki_len)
-{
- if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
- ssl->dtls_srtp_info.mki_len = mki_len;
- return 0;
-}
-
-int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
- const mbedtls_ssl_srtp_profile *profiles)
-{
- const mbedtls_ssl_srtp_profile *p;
- size_t list_size = 0;
-
- /* check the profiles list: all entry must be valid,
- * its size cannot be more than the total number of supported profiles, currently 4 */
- for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
- list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
- p++) {
- if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
- list_size++;
- } else {
- /* unsupported value, stop parsing and set the size to an error value */
- list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
- }
- }
-
- if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
- conf->dtls_srtp_profile_list = NULL;
- conf->dtls_srtp_profile_list_len = 0;
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- conf->dtls_srtp_profile_list = profiles;
- conf->dtls_srtp_profile_list_len = list_size;
-
- return 0;
-}
-
-void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
- mbedtls_dtls_srtp_info *dtls_srtp_info)
-{
- dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
- /* do not copy the mki value if there is no chosen profile */
- if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
- dtls_srtp_info->mki_len = 0;
- } else {
- dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
- memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
- ssl->dtls_srtp_info.mki_len);
- }
-}
-#endif /* MBEDTLS_SSL_DTLS_SRTP */
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
-{
- conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
-}
-
-void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
-{
- conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
-}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_SSL_SRV_C)
-void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
- char cert_req_ca_list)
-{
- conf->cert_req_ca_list = cert_req_ca_list;
-}
-#endif
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
-{
- conf->encrypt_then_mac = etm;
-}
-#endif
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
-{
- conf->extended_ms = ems;
-}
-#endif
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
-{
- if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
- ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- conf->mfl_code = mfl_code;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
-{
- conf->allow_legacy_renegotiation = allow_legacy;
-}
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
-{
- conf->disable_renegotiation = renegotiation;
-}
-
-void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
-{
- conf->renego_max_records = max_records;
-}
-
-void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
- const unsigned char period[8])
-{
- memcpy(conf->renego_period, period, 8);
-}
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-#if defined(MBEDTLS_SSL_CLI_C)
-
-void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
-{
- conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
- conf->session_tickets |= (use_tickets != 0) <<
- MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
- mbedtls_ssl_config *conf, int signal_new_session_tickets)
-{
- conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
- conf->session_tickets |= (signal_new_session_tickets != 0) <<
- MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-#endif /* MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_SRV_C)
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
- uint16_t num_tickets)
-{
- conf->new_session_tickets_count = num_tickets;
-}
-#endif
-
-void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
- mbedtls_ssl_ticket_write_t *f_ticket_write,
- mbedtls_ssl_ticket_parse_t *f_ticket_parse,
- void *p_ticket)
-{
- conf->f_ticket_write = f_ticket_write;
- conf->f_ticket_parse = f_ticket_parse;
- conf->p_ticket = p_ticket;
-}
-#endif
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
- mbedtls_ssl_export_keys_t *f_export_keys,
- void *p_export_keys)
-{
- ssl->f_export_keys = f_export_keys;
- ssl->p_export_keys = p_export_keys;
-}
-
-#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
-void mbedtls_ssl_conf_async_private_cb(
- mbedtls_ssl_config *conf,
- mbedtls_ssl_async_sign_t *f_async_sign,
- mbedtls_ssl_async_decrypt_t *f_async_decrypt,
- mbedtls_ssl_async_resume_t *f_async_resume,
- mbedtls_ssl_async_cancel_t *f_async_cancel,
- void *async_config_data)
-{
- conf->f_async_sign_start = f_async_sign;
- conf->f_async_decrypt_start = f_async_decrypt;
- conf->f_async_resume = f_async_resume;
- conf->f_async_cancel = f_async_cancel;
- conf->p_async_config_data = async_config_data;
-}
-
-void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
-{
- return conf->p_async_config_data;
-}
-
-void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
-{
- if (ssl->handshake == NULL) {
- return NULL;
- } else {
- return ssl->handshake->user_async_ctx;
- }
-}
-
-void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
- void *ctx)
-{
- if (ssl->handshake != NULL) {
- ssl->handshake->user_async_ctx = ctx;
- }
-}
-#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-
-/*
- * SSL get accessors
- */
-uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
-{
- if (ssl->session != NULL) {
- return ssl->session->verify_result;
- }
-
- if (ssl->session_negotiate != NULL) {
- return ssl->session_negotiate->verify_result;
- }
-
- return 0xFFFFFFFF;
-}
-
-int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
-{
- if (ssl == NULL || ssl->session == NULL) {
- return 0;
- }
-
- return ssl->session->ciphersuite;
-}
-
-const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
-{
- if (ssl == NULL || ssl->session == NULL) {
- return NULL;
- }
-
- return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
-}
-
-const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- switch (ssl->tls_version) {
- case MBEDTLS_SSL_VERSION_TLS1_2:
- return "DTLSv1.2";
- default:
- return "unknown (DTLS)";
- }
- }
-#endif
-
- switch (ssl->tls_version) {
- case MBEDTLS_SSL_VERSION_TLS1_2:
- return "TLSv1.2";
- case MBEDTLS_SSL_VERSION_TLS1_3:
- return "TLSv1.3";
- default:
- return "unknown";
- }
-}
-
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
-
-size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
-{
- const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
- size_t record_size_limit = max_len;
-
- if (ssl->session != NULL &&
- ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
- ssl->session->record_size_limit < max_len) {
- record_size_limit = ssl->session->record_size_limit;
- }
-
- // TODO: this is currently untested
- /* During a handshake, use the value being negotiated */
- if (ssl->session_negotiate != NULL &&
- ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
- ssl->session_negotiate->record_size_limit < max_len) {
- record_size_limit = ssl->session_negotiate->record_size_limit;
- }
-
- return record_size_limit;
-}
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
-{
- size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
- size_t read_mfl;
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
- return ssl_mfl_code_to_length(ssl->conf->mfl_code);
- }
-#endif
-
- /* Check if a smaller max length was negotiated */
- if (ssl->session_out != NULL) {
- read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
- if (read_mfl < max_len) {
- max_len = read_mfl;
- }
- }
-
- /* During a handshake, use the value being negotiated */
- if (ssl->session_negotiate != NULL) {
- read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
- if (read_mfl < max_len) {
- max_len = read_mfl;
- }
- }
-
- return max_len;
-}
-
-size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
-{
- size_t max_len;
-
- /*
- * Assume mfl_code is correct since it was checked when set
- */
- max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
-
- /* Check if a smaller max length was negotiated */
- if (ssl->session_out != NULL &&
- ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
- max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
- }
-
- /* During a handshake, use the value being negotiated */
- if (ssl->session_negotiate != NULL &&
- ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
- max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
- }
-
- return max_len;
-}
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
-{
- /* Return unlimited mtu for client hello messages to avoid fragmentation. */
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
- ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
- return 0;
- }
-
- if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
- return ssl->mtu;
- }
-
- if (ssl->mtu == 0) {
- return ssl->handshake->mtu;
- }
-
- return ssl->mtu < ssl->handshake->mtu ?
- ssl->mtu : ssl->handshake->mtu;
-}
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
-{
- size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
-
-#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
- !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
- !defined(MBEDTLS_SSL_PROTO_DTLS)
- (void) ssl;
-#endif
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
-
- if (max_len > mfl) {
- max_len = mfl;
- }
-#endif
-
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
- const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
-
- if (max_len > record_size_limit) {
- max_len = record_size_limit;
- }
-#endif
-
- if (ssl->transform_out != NULL &&
- ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- /*
- * In TLS 1.3 case, when records are protected, `max_len` as computed
- * above is the maximum length of the TLSInnerPlaintext structure that
- * along the plaintext payload contains the inner content type (one byte)
- * and some zero padding. Given the algorithm used for padding
- * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
- * the plaintext payload. Round down to a multiple of
- * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
- * subtract 1.
- */
- max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
- MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
- const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
- const int ret = mbedtls_ssl_get_record_expansion(ssl);
- const size_t overhead = (size_t) ret;
-
- if (ret < 0) {
- return ret;
- }
-
- if (mtu <= overhead) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- if (max_len > mtu - overhead) {
- max_len = mtu - overhead;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
- !defined(MBEDTLS_SSL_PROTO_DTLS) && \
- !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
- ((void) ssl);
-#endif
-
- return (int) max_len;
-}
-
-int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
-{
- size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
-
-#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- (void) ssl;
-#endif
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
-
- if (max_len > mfl) {
- max_len = mfl;
- }
-#endif
-
- return (int) max_len;
-}
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
-{
- if (ssl == NULL || ssl->session == NULL) {
- return NULL;
- }
-
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- return ssl->session->peer_cert;
-#else
- return NULL;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_CLI_C)
-int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
- mbedtls_ssl_session *dst)
-{
- int ret;
-
- if (ssl == NULL ||
- dst == NULL ||
- ssl->session == NULL ||
- ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
- * idempotent: Each session can only be exported once.
- *
- * (This is in preparation for TLS 1.3 support where we will
- * need the ability to export multiple sessions (aka tickets),
- * which will be achieved by calling mbedtls_ssl_get_session()
- * multiple times until it fails.)
- *
- * Check whether we have already exported the current session,
- * and fail if so.
- */
- if (ssl->session->exported == 1) {
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- ret = mbedtls_ssl_session_copy(dst, ssl->session);
- if (ret != 0) {
- return ret;
- }
-
- /* Remember that we've exported the session. */
- ssl->session->exported = 1;
- return 0;
-}
-#endif /* MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-
-/* Serialization of TLS 1.2 sessions
- *
- * For more detail, see the description of ssl_session_save().
- */
-static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len)
-{
- unsigned char *p = buf;
- size_t used = 0;
-
-#if defined(MBEDTLS_HAVE_TIME)
- uint64_t start;
-#endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- size_t cert_len;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- /*
- * Time
- */
-#if defined(MBEDTLS_HAVE_TIME)
- used += 8;
-
- if (used <= buf_len) {
- start = (uint64_t) session->start;
-
- MBEDTLS_PUT_UINT64_BE(start, p, 0);
- p += 8;
- }
-#endif /* MBEDTLS_HAVE_TIME */
-
- /*
- * Basic mandatory fields
- */
- used += 1 /* id_len */
- + sizeof(session->id)
- + sizeof(session->master)
- + 4; /* verify_result */
-
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_0(session->id_len);
- memcpy(p, session->id, 32);
- p += 32;
-
- memcpy(p, session->master, 48);
- p += 48;
-
- MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
- p += 4;
- }
-
- /*
- * Peer's end-entity certificate
- */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- if (session->peer_cert == NULL) {
- cert_len = 0;
- } else {
- cert_len = session->peer_cert->raw.len;
- }
-
- used += 3 + cert_len;
-
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_2(cert_len);
- *p++ = MBEDTLS_BYTE_1(cert_len);
- *p++ = MBEDTLS_BYTE_0(cert_len);
-
- if (session->peer_cert != NULL) {
- memcpy(p, session->peer_cert->raw.p, cert_len);
- p += cert_len;
- }
- }
-#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if (session->peer_cert_digest != NULL) {
- used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
- if (used <= buf_len) {
- *p++ = (unsigned char) session->peer_cert_digest_type;
- *p++ = (unsigned char) session->peer_cert_digest_len;
- memcpy(p, session->peer_cert_digest,
- session->peer_cert_digest_len);
- p += session->peer_cert_digest_len;
- }
- } else {
- used += 2;
- if (used <= buf_len) {
- *p++ = (unsigned char) MBEDTLS_MD_NONE;
- *p++ = 0;
- }
- }
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- /*
- * Session ticket if any, plus associated data
- */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
-
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_2(session->ticket_len);
- *p++ = MBEDTLS_BYTE_1(session->ticket_len);
- *p++ = MBEDTLS_BYTE_0(session->ticket_len);
-
- if (session->ticket != NULL) {
- memcpy(p, session->ticket, session->ticket_len);
- p += session->ticket_len;
- }
-
- MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
- p += 4;
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
- if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
- used += 8;
-
- if (used <= buf_len) {
- MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
- p += 8;
- }
- }
-#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
- /*
- * Misc extension-related info
- */
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- used += 1;
-
- if (used <= buf_len) {
- *p++ = session->mfl_code;
- }
-#endif
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- used += 1;
-
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
- }
-#endif
-
- return used;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls12_session_load(mbedtls_ssl_session *session,
- const unsigned char *buf,
- size_t len)
-{
-#if defined(MBEDTLS_HAVE_TIME)
- uint64_t start;
-#endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- size_t cert_len;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- const unsigned char *p = buf;
- const unsigned char * const end = buf + len;
-
- /*
- * Time
- */
-#if defined(MBEDTLS_HAVE_TIME)
- if (8 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- start = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
-
- session->start = (mbedtls_time_t) start;
-#endif /* MBEDTLS_HAVE_TIME */
-
- /*
- * Basic mandatory fields
- */
- if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->id_len = *p++;
- memcpy(session->id, p, 32);
- p += 32;
-
- memcpy(session->master, p, 48);
- p += 48;
-
- session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-
- /* Immediately clear invalid pointer values that have been read, in case
- * we exit early before we replaced them with valid ones. */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- session->peer_cert = NULL;
-#else
- session->peer_cert_digest = NULL;
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
- session->ticket = NULL;
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
-
- /*
- * Peer certificate
- */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- /* Deserialize CRT from the end of the ticket. */
- if (3 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
- p += 3;
-
- if (cert_len != 0) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (cert_len > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
-
- if (session->peer_cert == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- mbedtls_x509_crt_init(session->peer_cert);
-
- if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
- p, cert_len)) != 0) {
- mbedtls_x509_crt_free(session->peer_cert);
- mbedtls_free(session->peer_cert);
- session->peer_cert = NULL;
- return ret;
- }
-
- p += cert_len;
- }
-#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- /* Deserialize CRT digest from the end of the ticket. */
- if (2 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
- session->peer_cert_digest_len = (size_t) *p++;
-
- if (session->peer_cert_digest_len != 0) {
- const mbedtls_md_info_t *md_info =
- mbedtls_md_info_from_type(session->peer_cert_digest_type);
- if (md_info == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (session->peer_cert_digest_len > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->peer_cert_digest =
- mbedtls_calloc(1, session->peer_cert_digest_len);
- if (session->peer_cert_digest == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(session->peer_cert_digest, p,
- session->peer_cert_digest_len);
- p += session->peer_cert_digest_len;
- }
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
- /*
- * Session ticket and associated data
- */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- if (3 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
- p += 3;
-
- if (session->ticket_len != 0) {
- if (session->ticket_len > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->ticket = mbedtls_calloc(1, session->ticket_len);
- if (session->ticket == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(session->ticket, p, session->ticket_len);
- p += session->ticket_len;
- }
-
- if (4 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
- if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
- if (8 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
- }
-#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
- /*
- * Misc extension-related info
- */
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- if (1 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->mfl_code = *p++;
-#endif
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if (1 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session->encrypt_then_mac = *p++;
-#endif
-
- /* Done, should have consumed entire buffer */
- if (p != end) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-/* Serialization of TLS 1.3 sessions:
- *
- * For more detail, see the description of ssl_session_save().
- */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len,
- size_t *olen)
-{
- unsigned char *p = buf;
-#if defined(MBEDTLS_SSL_CLI_C) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- size_t hostname_len = (session->hostname == NULL) ?
- 0 : strlen(session->hostname) + 1;
-#endif
-
-#if defined(MBEDTLS_SSL_SRV_C) && \
- defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
- const size_t alpn_len = (session->ticket_alpn == NULL) ?
- 0 : strlen(session->ticket_alpn) + 1;
-#endif
- size_t needed = 4 /* ticket_age_add */
- + 1 /* ticket_flags */
- + 1; /* resumption_key length */
-
- *olen = 0;
-
- if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- needed += session->resumption_key_len; /* resumption_key */
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- needed += 4; /* max_early_data_size */
-#endif
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
- needed += 2; /* record_size_limit */
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
-#if defined(MBEDTLS_HAVE_TIME)
- needed += 8; /* ticket_creation_time or ticket_reception_time */
-#endif
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
- needed += 2 /* alpn_len */
- + alpn_len; /* alpn */
-#endif
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- needed += 2 /* hostname_len */
- + hostname_len; /* hostname */
-#endif
-
- needed += 4 /* ticket_lifetime */
- + 2; /* ticket_len */
-
- /* Check size_t overflow */
- if (session->ticket_len > SIZE_MAX - needed) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- needed += session->ticket_len; /* ticket */
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
- *olen = needed;
- if (needed > buf_len) {
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
- p[4] = session->ticket_flags;
-
- /* save resumption_key */
- p[5] = session->resumption_key_len;
- p += 6;
- memcpy(p, session->resumption_key, session->resumption_key_len);
- p += session->resumption_key_len;
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
- p += 4;
-#endif
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
- MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
- p += 2;
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
-#if defined(MBEDTLS_HAVE_TIME)
- MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
- p += 8;
-#endif /* MBEDTLS_HAVE_TIME */
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
- MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
- p += 2;
-
- if (alpn_len > 0) {
- /* save chosen alpn */
- memcpy(p, session->ticket_alpn, alpn_len);
- p += alpn_len;
- }
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
- p += 2;
- if (hostname_len > 0) {
- /* save host name */
- memcpy(p, session->hostname, hostname_len);
- p += hostname_len;
- }
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_HAVE_TIME)
- MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
- p += 8;
-#endif
- MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
- p += 4;
-
- MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
- p += 2;
-
- if (session->ticket != NULL && session->ticket_len > 0) {
- memcpy(p, session->ticket, session->ticket_len);
- p += session->ticket_len;
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_session_load(mbedtls_ssl_session *session,
- const unsigned char *buf,
- size_t len)
-{
- const unsigned char *p = buf;
- const unsigned char *end = buf + len;
-
- if (end - p < 6) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
- session->ticket_flags = p[4];
-
- /* load resumption_key */
- session->resumption_key_len = p[5];
- p += 6;
-
- if (end - p < session->resumption_key_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (sizeof(session->resumption_key) < session->resumption_key_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- memcpy(session->resumption_key, p, session->resumption_key_len);
- p += session->resumption_key_len;
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- if (end - p < 4) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-#endif
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
-#if defined(MBEDTLS_HAVE_TIME)
- if (end - p < 8) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
-#endif /* MBEDTLS_HAVE_TIME */
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
- size_t alpn_len;
-
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- if (end - p < (long int) alpn_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (alpn_len > 0) {
- int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
- if (ret != 0) {
- return ret;
- }
- p += alpn_len;
- }
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- size_t hostname_len;
- /* load host name */
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- if (end - p < (long int) hostname_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (hostname_len > 0) {
- session->hostname = mbedtls_calloc(1, hostname_len);
- if (session->hostname == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
- memcpy(session->hostname, p, hostname_len);
- p += hostname_len;
- }
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_HAVE_TIME)
- if (end - p < 8) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
-#endif
- if (end - p < 4) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- if (end - p < (long int) session->ticket_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (session->ticket_len > 0) {
- session->ticket = mbedtls_calloc(1, session->ticket_len);
- if (session->ticket == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
- memcpy(session->ticket, p, session->ticket_len);
- p += session->ticket_len;
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
- return 0;
-
-}
-#else /* MBEDTLS_SSL_SESSION_TICKETS */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len,
- size_t *olen)
-{
- ((void) session);
- ((void) buf);
- ((void) buf_len);
- *olen = 0;
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-}
-
-static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
- const unsigned char *buf,
- size_t buf_len)
-{
- ((void) session);
- ((void) buf);
- ((void) buf_len);
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-}
-#endif /* !MBEDTLS_SSL_SESSION_TICKETS */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-/*
- * Define ticket header determining Mbed TLS version
- * and structure of the ticket.
- */
-
-/*
- * Define bitflag determining compile-time settings influencing
- * structure of serialized SSL sessions.
- */
-
-#if defined(MBEDTLS_HAVE_TIME)
-#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
-#endif /* MBEDTLS_HAVE_TIME */
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
-#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
-#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
-#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
-#endif /* MBEDTLS_SSL_EARLY_DATA */
-
-#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
-#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
-#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
-
-#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
- defined(MBEDTLS_SSL_EARLY_DATA)
-#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
-#else
-#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
-#endif /* MBEDTLS_SSL_ALPN */
-
-#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
-#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
-#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
-#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
-#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
-#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
-#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
-#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
-#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
-#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
-#define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
-
-#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
- ((uint16_t) ( \
- (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
- SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
- SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
- SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
- SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
- (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
- SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
-
-static const unsigned char ssl_serialized_session_header[] = {
- MBEDTLS_VERSION_MAJOR,
- MBEDTLS_VERSION_MINOR,
- MBEDTLS_VERSION_PATCH,
- MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
- MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
-};
-
-/*
- * Serialize a session in the following format:
- * (in the presentation language of TLS, RFC 8446 section 3)
- *
- * TLS 1.2 session:
- *
- * struct {
- * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
- * opaque ticket<0..2^24-1>; // length 0 means no ticket
- * uint32 ticket_lifetime;
- * #endif
- * } ClientOnlyData;
- *
- * struct {
- * #if defined(MBEDTLS_HAVE_TIME)
- * uint64 start_time;
- * #endif
- * uint8 session_id_len; // at most 32
- * opaque session_id[32];
- * opaque master[48]; // fixed length in the standard
- * uint32 verify_result;
- * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
- * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
- * #else
- * uint8 peer_cert_digest_type;
- * opaque peer_cert_digest<0..2^8-1>
- * #endif
- * select (endpoint) {
- * case client: ClientOnlyData;
- * case server: uint64 ticket_creation_time;
- * };
- * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- * uint8 mfl_code; // up to 255 according to standard
- * #endif
- * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- * uint8 encrypt_then_mac; // 0 or 1
- * #endif
- * } serialized_session_tls12;
- *
- *
- * TLS 1.3 Session:
- *
- * struct {
- * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- * opaque hostname<0..2^16-1>;
- * #endif
- * #if defined(MBEDTLS_HAVE_TIME)
- * uint64 ticket_reception_time;
- * #endif
- * uint32 ticket_lifetime;
- * opaque ticket<1..2^16-1>;
- * } ClientOnlyData;
- *
- * struct {
- * uint32 ticket_age_add;
- * uint8 ticket_flags;
- * opaque resumption_key<0..255>;
- * #if defined(MBEDTLS_SSL_EARLY_DATA)
- * uint32 max_early_data_size;
- * #endif
- * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
- * uint16 record_size_limit;
- * #endif
- * select ( endpoint ) {
- * case client: ClientOnlyData;
- * case server:
- * #if defined(MBEDTLS_HAVE_TIME)
- * uint64 ticket_creation_time;
- * #endif
- * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
- * opaque ticket_alpn<0..256>;
- * #endif
- * };
- * } serialized_session_tls13;
- *
- *
- * SSL session:
- *
- * struct {
- *
- * opaque mbedtls_version[3]; // library version: major, minor, patch
- * opaque session_format[2]; // library-version specific 16-bit field
- * // determining the format of the remaining
- * // serialized data.
- *
- * Note: When updating the format, remember to keep
- * these version+format bytes.
- *
- * // In this version, `session_format` determines
- * // the setting of those compile-time
- * // configuration options which influence
- * // the structure of mbedtls_ssl_session.
- *
- * uint8_t minor_ver; // Protocol minor version. Possible values:
- * // - TLS 1.2 (0x0303)
- * // - TLS 1.3 (0x0304)
- * uint8_t endpoint;
- * uint16_t ciphersuite;
- *
- * select (serialized_session.tls_version) {
- *
- * case MBEDTLS_SSL_VERSION_TLS1_2:
- * serialized_session_tls12 data;
- * case MBEDTLS_SSL_VERSION_TLS1_3:
- * serialized_session_tls13 data;
- *
- * };
- *
- * } serialized_session;
- *
- */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_session_save(const mbedtls_ssl_session *session,
- unsigned char omit_header,
- unsigned char *buf,
- size_t buf_len,
- size_t *olen)
-{
- unsigned char *p = buf;
- size_t used = 0;
- size_t remaining_len;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- size_t out_len;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#endif
- if (session == NULL) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- if (!omit_header) {
- /*
- * Add Mbed TLS version identifier
- */
- used += sizeof(ssl_serialized_session_header);
-
- if (used <= buf_len) {
- memcpy(p, ssl_serialized_session_header,
- sizeof(ssl_serialized_session_header));
- p += sizeof(ssl_serialized_session_header);
- }
- }
-
- /*
- * TLS version identifier, endpoint, ciphersuite
- */
- used += 1 /* TLS version */
- + 1 /* endpoint */
- + 2; /* ciphersuite */
- if (used <= buf_len) {
- *p++ = MBEDTLS_BYTE_0(session->tls_version);
- *p++ = session->endpoint;
- MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
- p += 2;
- }
-
- /* Forward to version-specific serialization routine. */
- remaining_len = (buf_len >= used) ? buf_len - used : 0;
- switch (session->tls_version) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- case MBEDTLS_SSL_VERSION_TLS1_2:
- used += ssl_tls12_session_save(session, p, remaining_len);
- break;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- case MBEDTLS_SSL_VERSION_TLS1_3:
- ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
- if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
- return ret;
- }
- used += out_len;
- break;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- default:
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- *olen = used;
- if (used > buf_len) {
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- return 0;
-}
-
-/*
- * Public wrapper for ssl_session_save()
- */
-int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
- unsigned char *buf,
- size_t buf_len,
- size_t *olen)
-{
- return ssl_session_save(session, 0, buf, buf_len, olen);
-}
-
-/*
- * Deserialize session, see mbedtls_ssl_session_save() for format.
- *
- * This internal version is wrapped by a public function that cleans up in
- * case of error, and has an extra option omit_header.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_session_load(mbedtls_ssl_session *session,
- unsigned char omit_header,
- const unsigned char *buf,
- size_t len)
-{
- const unsigned char *p = buf;
- const unsigned char * const end = buf + len;
- size_t remaining_len;
-
-
- if (session == NULL) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- if (!omit_header) {
- /*
- * Check Mbed TLS version identifier
- */
-
- if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (memcmp(p, ssl_serialized_session_header,
- sizeof(ssl_serialized_session_header)) != 0) {
- return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
- }
- p += sizeof(ssl_serialized_session_header);
- }
-
- /*
- * TLS version identifier, endpoint, ciphersuite
- */
- if (4 > (size_t) (end - p)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
- session->endpoint = *p++;
- session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- /* Dispatch according to TLS version. */
- remaining_len = (size_t) (end - p);
- switch (session->tls_version) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- case MBEDTLS_SSL_VERSION_TLS1_2:
- return ssl_tls12_session_load(session, p, remaining_len);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- case MBEDTLS_SSL_VERSION_TLS1_3:
- return ssl_tls13_session_load(session, p, remaining_len);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- default:
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-}
-
-/*
- * Deserialize session: public wrapper for error cleaning
- */
-int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
- const unsigned char *buf,
- size_t len)
-{
- int ret = ssl_session_load(session, 0, buf, len);
-
- if (ret != 0) {
- mbedtls_ssl_session_free(session);
- }
-
- return ret;
-}
-
-/*
- * Perform a single step of the SSL handshake
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /*
- * We may have not been able to send to the peer all the handshake data
- * that were written into the output buffer by the previous handshake step,
- * if the write to the network callback returned with the
- * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
- * We proceed to the next handshake step only when all data from the
- * previous one have been sent to the peer, thus we make sure that this is
- * the case here by calling `mbedtls_ssl_flush_output()`. The function may
- * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
- * we have to wait before to go ahead.
- * In the case of TLS 1.3, handshake step handlers do not send data to the
- * peer. Data are only sent here and through
- * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
- * alert occurred.
- */
- if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
- return ret;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
- if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- return ret;
-}
-
-int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ssl == NULL ||
- ssl->conf == NULL ||
- ssl->handshake == NULL ||
- ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ret = ssl_prepare_handshake_step(ssl);
- if (ret != 0) {
- return ret;
- }
-
- ret = mbedtls_ssl_handle_pending_alert(ssl);
- if (ret != 0) {
- goto cleanup;
- }
-
- /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
- * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
- ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
- mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
-
- switch (ssl->state) {
- case MBEDTLS_SSL_HELLO_REQUEST:
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
- ret = 0;
- break;
-
- case MBEDTLS_SSL_CLIENT_HELLO:
- ret = mbedtls_ssl_write_client_hello(ssl);
- break;
-
- default:
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
- } else {
- ret = mbedtls_ssl_handshake_client_step(ssl);
- }
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
- ret = mbedtls_ssl_handshake_client_step(ssl);
-#else
- ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
-#endif
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
- } else {
- ret = mbedtls_ssl_handshake_server_step(ssl);
- }
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
- ret = mbedtls_ssl_handshake_server_step(ssl);
-#else
- ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
-#endif
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
- if (ret != 0) {
- /* handshake_step return error. And it is same
- * with alert_reason.
- */
- if (ssl->send_alert) {
- ret = mbedtls_ssl_handle_pending_alert(ssl);
- goto cleanup;
- }
- }
-
-cleanup:
- return ret;
-}
-
-/*
- * Perform the SSL handshake
- */
-int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
-{
- int ret = 0;
-
- /* Sanity checks */
-
- if (ssl == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
- "mbedtls_ssl_set_timer_cb() for DTLS"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
-
- /* Main handshake loop */
- while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
- ret = mbedtls_ssl_handshake_step(ssl);
-
- if (ret != 0) {
- break;
- }
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
-
- return ret;
-}
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-#if defined(MBEDTLS_SSL_SRV_C)
-/*
- * Write HelloRequest to request renegotiation on server
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
-
- ssl->out_msglen = 4;
- ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
-
- if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_SRV_C */
-
-/*
- * Actually renegotiate current connection, triggered by either:
- * - any side: calling mbedtls_ssl_renegotiate(),
- * - client: receiving a HelloRequest during mbedtls_ssl_read(),
- * - server: receiving any handshake message on server during mbedtls_ssl_read() after
- * the initial handshake is completed.
- * If the handshake doesn't complete due to waiting for I/O, it will continue
- * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
- */
-int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
-
- if ((ret = ssl_handshake_init(ssl)) != 0) {
- return ret;
- }
-
- /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
- * the ServerHello will have message_seq = 1" */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- ssl->handshake->out_msg_seq = 1;
- } else {
- ssl->handshake->in_msg_seq = 1;
- }
- }
-#endif
-
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
- ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
-
- if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
-
- return 0;
-}
-
-/*
- * Renegotiate current connection on client,
- * or request renegotiation on server
- */
-int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-
- if (ssl == NULL || ssl->conf == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
-#if defined(MBEDTLS_SSL_SRV_C)
- /* On server, just send the request */
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
-
- /* Did we already try/start sending HelloRequest? */
- if (ssl->out_left != 0) {
- return mbedtls_ssl_flush_output(ssl);
- }
-
- return ssl_write_hello_request(ssl);
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_CLI_C)
- /*
- * On client, either start the renegotiation process or,
- * if already in progress, continue the handshake
- */
- if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
- if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
- return ret;
- }
- } else {
- if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
- return ret;
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-
- return ret;
-}
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
-void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
-{
- mbedtls_ssl_handshake_params *handshake = ssl->handshake;
-
- if (handshake == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ssl->handshake->group_list_heap_allocated) {
- mbedtls_free((void *) handshake->group_list);
- }
- handshake->group_list = NULL;
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- if (ssl->handshake->sig_algs_heap_allocated) {
- mbedtls_free((void *) handshake->sig_algs);
- }
- handshake->sig_algs = NULL;
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (ssl->handshake->certificate_request_context) {
- mbedtls_free((void *) handshake->certificate_request_context);
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
- if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
- ssl->conf->f_async_cancel(ssl);
- handshake->async_in_progress = 0;
- }
-#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&handshake->fin_sha256_psa);
-#else
- mbedtls_md_free(&handshake->fin_sha256);
-#endif
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&handshake->fin_sha384_psa);
-#else
- mbedtls_md_free(&handshake->fin_sha384);
-#endif
-#endif
-
-#if defined(MBEDTLS_DHM_C)
- mbedtls_dhm_free(&handshake->dhm_ctx);
-#endif
-#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
- mbedtls_ecdh_free(&handshake->ecdh_ctx);
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_pake_abort(&handshake->psa_pake_ctx);
- /*
- * Opaque keys are not stored in the handshake's data and it's the user
- * responsibility to destroy them. Clear ones, instead, are created by
- * the TLS library and should be destroyed at the same level
- */
- if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
- psa_destroy_key(handshake->psa_pake_password);
- }
- handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
-#else
- mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_SSL_CLI_C)
- mbedtls_free(handshake->ecjpake_cache);
- handshake->ecjpake_cache = NULL;
- handshake->ecjpake_cache_len = 0;
-#endif
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- /* explicit void pointer cast for buggy MS compiler */
- mbedtls_free((void *) handshake->curves_tls_id);
-#endif
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
- /* The maintenance of the external PSK key slot is the
- * user's responsibility. */
- if (ssl->handshake->psk_opaque_is_internal) {
- psa_destroy_key(ssl->handshake->psk_opaque);
- ssl->handshake->psk_opaque_is_internal = 0;
- }
- ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
- }
-#else
- if (handshake->psk != NULL) {
- mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- /*
- * Free only the linked list wrapper, not the keys themselves
- * since the belong to the SNI callback
- */
- ssl_key_cert_free(handshake->sni_key_cert);
-#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
- if (handshake->ecrs_peer_cert != NULL) {
- mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
- mbedtls_free(handshake->ecrs_peer_cert);
- }
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- mbedtls_pk_free(&handshake->peer_pubkey);
-#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
-#if defined(MBEDTLS_SSL_CLI_C) && \
- (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
- mbedtls_free(handshake->cookie);
-#endif /* MBEDTLS_SSL_CLI_C &&
- ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- mbedtls_ssl_flight_free(handshake->flight);
- mbedtls_ssl_buffering_free(ssl);
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
- if (handshake->xxdh_psa_privkey_is_external == 0) {
- psa_destroy_key(handshake->xxdh_psa_privkey);
- }
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_transform_free(handshake->transform_handshake);
- mbedtls_free(handshake->transform_handshake);
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_transform_free(handshake->transform_earlydata);
- mbedtls_free(handshake->transform_earlydata);
-#endif
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- /* If the buffers are too big - reallocate. Because of the way Mbed TLS
- * processes datagrams and the fact that a datagram is allowed to have
- * several records in it, it is possible that the I/O buffers are not
- * empty at this stage */
- handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
- mbedtls_ssl_get_output_buflen(ssl));
-#endif
-
- /* mbedtls_platform_zeroize MUST be last one in this function */
- mbedtls_platform_zeroize(handshake,
- sizeof(mbedtls_ssl_handshake_params));
-}
-
-void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
-{
- if (session == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
- ssl_clear_peer_cert(session);
-#endif
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- mbedtls_free(session->hostname);
-#endif
- mbedtls_free(session->ticket);
-#endif
-
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
- defined(MBEDTLS_SSL_SRV_C)
- mbedtls_free(session->ticket_alpn);
-#endif
-
- mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
-}
-
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
-#else
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
-#else
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
-#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
-
-#if defined(MBEDTLS_SSL_ALPN)
-#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
-#else
-#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
-#endif /* MBEDTLS_SSL_ALPN */
-
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
-#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
-#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
-
-#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
- ((uint32_t) ( \
- (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
- SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
- (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
- SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
- (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
- SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
- (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
- 0u))
-
-static const unsigned char ssl_serialized_context_header[] = {
- MBEDTLS_VERSION_MAJOR,
- MBEDTLS_VERSION_MINOR,
- MBEDTLS_VERSION_PATCH,
- MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
- MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
- MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
- MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
- MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
-};
-
-/*
- * Serialize a full SSL context
- *
- * The format of the serialized data is:
- * (in the presentation language of TLS, RFC 8446 section 3)
- *
- * // header
- * opaque mbedtls_version[3]; // major, minor, patch
- * opaque context_format[5]; // version-specific field determining
- * // the format of the remaining
- * // serialized data.
- * Note: When updating the format, remember to keep these
- * version+format bytes. (We may make their size part of the API.)
- *
- * // session sub-structure
- * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
- * // transform sub-structure
- * uint8 random[64]; // ServerHello.random+ClientHello.random
- * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
- * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
- * // fields from ssl_context
- * uint32 badmac_seen_or_in_hsfraglen; // DTLS: number of records with failing MAC
- * uint64 in_window_top; // DTLS: last validated record seq_num
- * uint64 in_window; // DTLS: bitmask for replay protection
- * uint8 disable_datagram_packing; // DTLS: only one record per datagram
- * uint64 cur_out_ctr; // Record layer: outgoing sequence number
- * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
- * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
- *
- * Note that many fields of the ssl_context or sub-structures are not
- * serialized, as they fall in one of the following categories:
- *
- * 1. forced value (eg in_left must be 0)
- * 2. pointer to dynamically-allocated memory (eg session, transform)
- * 3. value can be re-derived from other data (eg session keys from MS)
- * 4. value was temporary (eg content of input buffer)
- * 5. value will be provided by the user again (eg I/O callbacks and context)
- */
-int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t buf_len,
- size_t *olen)
-{
- unsigned char *p = buf;
- size_t used = 0;
- size_t session_len;
- int ret = 0;
-
- /*
- * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
- * this function's documentation.
- *
- * These are due to assumptions/limitations in the implementation. Some of
- * them are likely to stay (no handshake in progress) some might go away
- * (only DTLS) but are currently used to simplify the implementation.
- */
- /* The initial handshake must be over */
- if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (ssl->handshake != NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- /* Double-check that sub-structures are indeed ready */
- if (ssl->transform == NULL || ssl->session == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- /* There must be no pending incoming or outgoing data */
- if (mbedtls_ssl_check_pending(ssl) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- if (ssl->out_left != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- /* Protocol must be DTLS, not TLS */
- if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- /* Version must be 1.2 */
- if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- /* We must be using an AEAD ciphersuite */
- if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- /* Renegotiation must not be enabled */
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-#endif
-
- /*
- * Version and format identifier
- */
- used += sizeof(ssl_serialized_context_header);
-
- if (used <= buf_len) {
- memcpy(p, ssl_serialized_context_header,
- sizeof(ssl_serialized_context_header));
- p += sizeof(ssl_serialized_context_header);
- }
-
- /*
- * Session (length + data)
- */
- ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
- if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
- return ret;
- }
-
- used += 4 + session_len;
- if (used <= buf_len) {
- MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
- p += 4;
-
- ret = ssl_session_save(ssl->session, 1,
- p, session_len, &session_len);
- if (ret != 0) {
- return ret;
- }
-
- p += session_len;
- }
-
- /*
- * Transform
- */
- used += sizeof(ssl->transform->randbytes);
- if (used <= buf_len) {
- memcpy(p, ssl->transform->randbytes,
- sizeof(ssl->transform->randbytes));
- p += sizeof(ssl->transform->randbytes);
- }
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
- if (used <= buf_len) {
- *p++ = ssl->transform->in_cid_len;
- memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
- p += ssl->transform->in_cid_len;
-
- *p++ = ssl->transform->out_cid_len;
- memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
- p += ssl->transform->out_cid_len;
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- /*
- * Saved fields from top-level ssl_context structure
- */
- used += 4;
- if (used <= buf_len) {
- MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen_or_in_hsfraglen, p, 0);
- p += 4;
- }
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
- used += 16;
- if (used <= buf_len) {
- MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
- p += 8;
-
- MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
- p += 8;
- }
-#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- used += 1;
- if (used <= buf_len) {
- *p++ = ssl->disable_datagram_packing;
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- if (used <= buf_len) {
- memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
- p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- used += 2;
- if (used <= buf_len) {
- MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
- p += 2;
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_SSL_ALPN)
- {
- const uint8_t alpn_len = ssl->alpn_chosen
- ? (uint8_t) strlen(ssl->alpn_chosen)
- : 0;
-
- used += 1 + alpn_len;
- if (used <= buf_len) {
- *p++ = alpn_len;
-
- if (ssl->alpn_chosen != NULL) {
- memcpy(p, ssl->alpn_chosen, alpn_len);
- p += alpn_len;
- }
- }
- }
-#endif /* MBEDTLS_SSL_ALPN */
-
- /*
- * Done
- */
- *olen = used;
-
- if (used > buf_len) {
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
-
- return mbedtls_ssl_session_reset_int(ssl, 0);
-}
-
-/*
- * Deserialize context, see mbedtls_ssl_context_save() for format.
- *
- * This internal version is wrapped by a public function that cleans up in
- * case of error.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_context_load(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- const unsigned char *p = buf;
- const unsigned char * const end = buf + len;
- size_t session_len;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- tls_prf_fn prf_func = NULL;
-#endif
-
- /*
- * The context should have been freshly setup or reset.
- * Give the user an error in case of obvious misuse.
- * (Checking session is useful because it won't be NULL if we're
- * renegotiating, or if the user mistakenly loaded a session first.)
- */
- if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
- ssl->session != NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /*
- * We can't check that the config matches the initial one, but we can at
- * least check it matches the requirements for serializing.
- */
- if (
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
-#endif
- ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
- ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
- ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
- ) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
-
- /*
- * Check version identifier
- */
- if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (memcmp(p, ssl_serialized_context_header,
- sizeof(ssl_serialized_context_header)) != 0) {
- return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
- }
- p += sizeof(ssl_serialized_context_header);
-
- /*
- * Session
- */
- if ((size_t) (end - p) < 4) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- session_len = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-
- /* This has been allocated by ssl_handshake_init(), called by
- * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
- ssl->session = ssl->session_negotiate;
- ssl->session_in = ssl->session;
- ssl->session_out = ssl->session;
- ssl->session_negotiate = NULL;
-
- if ((size_t) (end - p) < session_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ret = ssl_session_load(ssl->session, 1, p, session_len);
- if (ret != 0) {
- mbedtls_ssl_session_free(ssl->session);
- return ret;
- }
-
- p += session_len;
-
- /*
- * Transform
- */
-
- /* This has been allocated by ssl_handshake_init(), called by
- * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- ssl->transform = ssl->transform_negotiate;
- ssl->transform_in = ssl->transform;
- ssl->transform_out = ssl->transform;
- ssl->transform_negotiate = NULL;
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
- if (prf_func == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* Read random bytes and populate structure */
- if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ret = ssl_tls12_populate_transform(ssl->transform,
- ssl->session->ciphersuite,
- ssl->session->master,
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- ssl->session->encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
- prf_func,
- p, /* currently pointing to randbytes */
- MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
- ssl->conf->endpoint,
- ssl);
- if (ret != 0) {
- return ret;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- p += sizeof(ssl->transform->randbytes);
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- /* Read connection IDs and store them */
- if ((size_t) (end - p) < 1) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl->transform->in_cid_len = *p++;
-
- if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
- p += ssl->transform->in_cid_len;
-
- ssl->transform->out_cid_len = *p++;
-
- if ((size_t) (end - p) < ssl->transform->out_cid_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
- p += ssl->transform->out_cid_len;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- /*
- * Saved fields from top-level ssl_context structure
- */
- if ((size_t) (end - p) < 4) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl->badmac_seen_or_in_hsfraglen = MBEDTLS_GET_UINT32_BE(p, 0);
- p += 4;
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
- if ((size_t) (end - p) < 16) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
-
- ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
- p += 8;
-#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if ((size_t) (end - p) < 1) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl->disable_datagram_packing = *p++;
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
- p += sizeof(ssl->cur_out_ctr);
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if ((size_t) (end - p) < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_SSL_ALPN)
- {
- uint8_t alpn_len;
- const char **cur;
-
- if ((size_t) (end - p) < 1) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- alpn_len = *p++;
-
- if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
- /* alpn_chosen should point to an item in the configured list */
- for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
- if (strlen(*cur) == alpn_len &&
- memcmp(p, *cur, alpn_len) == 0) {
- ssl->alpn_chosen = *cur;
- break;
- }
- }
- }
-
- /* can only happen on conf mismatch */
- if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- p += alpn_len;
- }
-#endif /* MBEDTLS_SSL_ALPN */
-
- /*
- * Forced fields from top-level ssl_context structure
- *
- * Most of them already set to the correct value by mbedtls_ssl_init() and
- * mbedtls_ssl_reset(), so we only need to set the remaining ones.
- */
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
- ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
-
- /* Adjust pointers for header fields of outgoing records to
- * the given transform, accounting for explicit IV and CID. */
- mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- ssl->in_epoch = 1;
-#endif
-
- /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
- * which we don't want - otherwise we'd end up freeing the wrong transform
- * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
- * inappropriately. */
- if (ssl->handshake != NULL) {
- mbedtls_ssl_handshake_free(ssl);
- mbedtls_free(ssl->handshake);
- ssl->handshake = NULL;
- }
-
- /*
- * Done - should have consumed entire buffer
- */
- if (p != end) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- return 0;
-}
-
-/*
- * Deserialize context: public wrapper for error cleaning
- */
-int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
- const unsigned char *buf,
- size_t len)
-{
- int ret = ssl_context_load(context, buf, len);
-
- if (ret != 0) {
- mbedtls_ssl_free(context);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
-
-/*
- * Free an SSL context
- */
-void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
-{
- if (ssl == NULL) {
- return;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
-
- if (ssl->out_buf != NULL) {
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t out_buf_len = ssl->out_buf_len;
-#else
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-#endif
-
- mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
- ssl->out_buf = NULL;
- }
-
- if (ssl->in_buf != NULL) {
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t in_buf_len = ssl->in_buf_len;
-#else
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
-#endif
-
- mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
- ssl->in_buf = NULL;
- }
-
- if (ssl->transform) {
- mbedtls_ssl_transform_free(ssl->transform);
- mbedtls_free(ssl->transform);
- }
-
- if (ssl->handshake) {
- mbedtls_ssl_handshake_free(ssl);
- mbedtls_free(ssl->handshake);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- mbedtls_ssl_transform_free(ssl->transform_negotiate);
- mbedtls_free(ssl->transform_negotiate);
-#endif
-
- mbedtls_ssl_session_free(ssl->session_negotiate);
- mbedtls_free(ssl->session_negotiate);
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_transform_free(ssl->transform_application);
- mbedtls_free(ssl->transform_application);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- if (ssl->session) {
- mbedtls_ssl_session_free(ssl->session);
- mbedtls_free(ssl->session);
- }
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
- mbedtls_ssl_free_hostname(ssl);
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
- mbedtls_free(ssl->cli_id);
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
-
- /* Actually clear after last debug message */
- mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
-}
-
-/*
- * Initialize mbedtls_ssl_config
- */
-void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
-{
- memset(conf, 0, sizeof(mbedtls_ssl_config));
-}
-
-/* The selection should be the same as mbedtls_x509_crt_profile_default in
- * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
- * curves with a lower resource usage come first.
- * See the documentation of mbedtls_ssl_conf_curves() for what we promise
- * about this list.
- */
-static const uint16_t ssl_preset_default_groups[] = {
-#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
- MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_CURVE448)
- MBEDTLS_SSL_IANA_TLS_GROUP_X448,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP256R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP384R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP512R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
-#endif
-#if defined(PSA_WANT_ALG_FFDH)
- MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
- MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
- MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
- MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
- MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
-#endif
- MBEDTLS_SSL_IANA_TLS_GROUP_NONE
-};
-
-static const int ssl_preset_suiteb_ciphersuites[] = {
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- 0
-};
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-
-/* NOTICE:
- * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
- * rules SHOULD be upheld.
- * - No duplicate entries.
- * - But if there is a good reason, do not change the order of the algorithms.
- * - ssl_tls12_preset* is for TLS 1.2 use only.
- * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
- */
-static const uint16_t ssl_preset_default_sig_algs[] = {
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
- defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(PSA_WANT_ECC_SECP_R1_256)
- MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
- // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
- defined(MBEDTLS_MD_CAN_SHA384) && \
- defined(PSA_WANT_ECC_SECP_R1_384)
- MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
- // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
- defined(MBEDTLS_MD_CAN_SHA512) && \
- defined(PSA_WANT_ECC_SECP_R1_521)
- MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
- // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
-#endif
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
-#endif
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
-#endif
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
-
- MBEDTLS_TLS_SIG_NONE
-};
-
-/* NOTICE: see above */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-static const uint16_t ssl_tls12_preset_default_sig_algs[] = {
-
-#if defined(MBEDTLS_MD_CAN_SHA512)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
-#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
-#endif
-#if defined(MBEDTLS_RSA_C)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA512 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
-#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
-#endif
-#if defined(MBEDTLS_RSA_C)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
-#endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif
-#if defined(MBEDTLS_RSA_C)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
- MBEDTLS_TLS_SIG_NONE
-};
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-/* NOTICE: see above */
-static const uint16_t ssl_preset_suiteb_sig_algs[] = {
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
- defined(MBEDTLS_MD_CAN_SHA256) && \
- defined(MBEDTLS_ECP_HAVE_SECP256R1)
- MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
- // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
- defined(MBEDTLS_MD_CAN_SHA384) && \
- defined(MBEDTLS_ECP_HAVE_SECP384R1)
- MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
- // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
-#endif
-
- MBEDTLS_TLS_SIG_NONE
-};
-
-/* NOTICE: see above */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-static const uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
- MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
-#endif
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
- MBEDTLS_TLS_SIG_NONE
-};
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-static const uint16_t ssl_preset_suiteb_groups[] = {
-#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
- MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
-#endif
- MBEDTLS_SSL_IANA_TLS_GROUP_NONE
-};
-
-#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
- * to make sure there are no duplicated signature algorithm entries. */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
-{
- size_t i, j;
- int ret = 0;
-
- for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
- for (j = 0; j < i; j++) {
- if (sig_algs[i] != sig_algs[j]) {
- continue;
- }
- mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
- ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
- sig_algs[i], j, i);
- ret = -1;
- }
- }
- return ret;
-}
-
-#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-/*
- * Load default in mbedtls_ssl_config
- */
-int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
- int endpoint, int transport, int preset)
-{
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#endif
-
-#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
- if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
- mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
-
- if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
- mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
- mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
-
- if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
- mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
- /* Use the functions here so that they are covered in tests,
- * but otherwise access member directly for efficiency */
- mbedtls_ssl_conf_endpoint(conf, endpoint);
- mbedtls_ssl_conf_transport(conf, transport);
-
- /*
- * Things that are common to all presets
- */
-#if defined(MBEDTLS_SSL_CLI_C)
- if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
- conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message
- * handling is disabled by default in Mbed TLS 3.6.x for backward
- * compatibility with client applications developed using Mbed TLS 3.5
- * or earlier with the default configuration.
- *
- * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was
- * disabled, and a Mbed TLS client with the default configuration would
- * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable
- * server.
- *
- * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus
- * an Mbed TLS client with the default configuration establishes a
- * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If
- * following the handshake the TLS 1.3 server sends NewSessionTicket
- * messages and the Mbed TLS client processes them, this results in
- * Mbed TLS high level APIs (mbedtls_ssl_read(),
- * mbedtls_ssl_handshake(), ...) to eventually return an
- * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code
- * (see the documentation of mbedtls_ssl_read() for more information on
- * that error code). Applications unaware of that TLS 1.3 specific non
- * fatal error code are then failing.
- */
- mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
- conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED);
-#endif
-#endif
- }
-#endif
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
-#endif
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
- conf->f_cookie_write = ssl_cookie_write_dummy;
- conf->f_cookie_check = ssl_cookie_check_dummy;
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
- conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
-#endif
-
-#if defined(MBEDTLS_SSL_SRV_C)
- conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
- conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
- conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
-#endif
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
- memset(conf->renego_period, 0x00, 2);
- memset(conf->renego_period + 2, 0xFF, 6);
-#endif
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
- if (endpoint == MBEDTLS_SSL_IS_SERVER) {
- const unsigned char dhm_p[] =
- MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
- const unsigned char dhm_g[] =
- MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
-
- if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
- dhm_p, sizeof(dhm_p),
- dhm_g, sizeof(dhm_g))) != 0) {
- return ret;
- }
- }
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
-#if defined(MBEDTLS_SSL_SRV_C)
- mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
-#endif
-#endif /* MBEDTLS_SSL_EARLY_DATA */
-
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
- mbedtls_ssl_conf_new_session_tickets(
- conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
-#endif
- /*
- * Allow all TLS 1.3 key exchange modes by default.
- */
- conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
- conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
-#else
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-#endif
- } else {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
- conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
- conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
- conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
- conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
- conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
- conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
-#else
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-#endif
- }
-
- /*
- * Preset-specific defaults
- */
- switch (preset) {
- /*
- * NSA Suite B
- */
- case MBEDTLS_SSL_PRESET_SUITEB:
-
- conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
- conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
-#endif
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (mbedtls_ssl_conf_is_tls12_only(conf)) {
- conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
- } else
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- conf->sig_algs = ssl_preset_suiteb_sig_algs;
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->curve_list = NULL;
-#endif
- conf->group_list = ssl_preset_suiteb_groups;
- break;
-
- /*
- * Default
- */
- default:
-
- conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
- conf->cert_profile = &mbedtls_x509_crt_profile_default;
-#endif
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (mbedtls_ssl_conf_is_tls12_only(conf)) {
- conf->sig_algs = ssl_tls12_preset_default_sig_algs;
- } else
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- conf->sig_algs = ssl_preset_default_sig_algs;
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->curve_list = NULL;
-#endif
- conf->group_list = ssl_preset_default_groups;
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
- conf->dhm_min_bitlen = 1024;
-#endif
- }
-
- return 0;
-}
-
-/*
- * Free mbedtls_ssl_config
- */
-void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
-{
- if (conf == NULL) {
- return;
- }
-
-#if defined(MBEDTLS_DHM_C)
- mbedtls_mpi_free(&conf->dhm_P);
- mbedtls_mpi_free(&conf->dhm_G);
-#endif
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
- conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- if (conf->psk != NULL) {
- mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
- conf->psk = NULL;
- conf->psk_len = 0;
- }
-
- if (conf->psk_identity != NULL) {
- mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
- conf->psk_identity = NULL;
- conf->psk_identity_len = 0;
- }
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
- ssl_key_cert_free(conf->key_cert);
-#endif
-
- mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
-}
-
-#if defined(MBEDTLS_PK_C) && \
- (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
-/*
- * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
- */
-unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
-{
-#if defined(MBEDTLS_RSA_C)
- if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
- return MBEDTLS_SSL_SIG_RSA;
- }
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
- if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
- return MBEDTLS_SSL_SIG_ECDSA;
- }
-#endif
- return MBEDTLS_SSL_SIG_ANON;
-}
-
-unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
-{
- switch (type) {
- case MBEDTLS_PK_RSA:
- return MBEDTLS_SSL_SIG_RSA;
- case MBEDTLS_PK_ECDSA:
- case MBEDTLS_PK_ECKEY:
- return MBEDTLS_SSL_SIG_ECDSA;
- default:
- return MBEDTLS_SSL_SIG_ANON;
- }
-}
-
-mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
-{
- switch (sig) {
-#if defined(MBEDTLS_RSA_C)
- case MBEDTLS_SSL_SIG_RSA:
- return MBEDTLS_PK_RSA;
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
- case MBEDTLS_SSL_SIG_ECDSA:
- return MBEDTLS_PK_ECDSA;
-#endif
- default:
- return MBEDTLS_PK_NONE;
- }
-}
-#endif /* MBEDTLS_PK_C &&
- ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
-
-/*
- * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
- */
-mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
-{
- switch (hash) {
-#if defined(MBEDTLS_MD_CAN_MD5)
- case MBEDTLS_SSL_HASH_MD5:
- return MBEDTLS_MD_MD5;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
- case MBEDTLS_SSL_HASH_SHA1:
- return MBEDTLS_MD_SHA1;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
- case MBEDTLS_SSL_HASH_SHA224:
- return MBEDTLS_MD_SHA224;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_SSL_HASH_SHA256:
- return MBEDTLS_MD_SHA256;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_SSL_HASH_SHA384:
- return MBEDTLS_MD_SHA384;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA512)
- case MBEDTLS_SSL_HASH_SHA512:
- return MBEDTLS_MD_SHA512;
-#endif
- default:
- return MBEDTLS_MD_NONE;
- }
-}
-
-/*
- * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
- */
-unsigned char mbedtls_ssl_hash_from_md_alg(int md)
-{
- switch (md) {
-#if defined(MBEDTLS_MD_CAN_MD5)
- case MBEDTLS_MD_MD5:
- return MBEDTLS_SSL_HASH_MD5;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
- case MBEDTLS_MD_SHA1:
- return MBEDTLS_SSL_HASH_SHA1;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
- case MBEDTLS_MD_SHA224:
- return MBEDTLS_SSL_HASH_SHA224;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_MD_SHA256:
- return MBEDTLS_SSL_HASH_SHA256;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_MD_SHA384:
- return MBEDTLS_SSL_HASH_SHA384;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA512)
- case MBEDTLS_MD_SHA512:
- return MBEDTLS_SSL_HASH_SHA512;
-#endif
- default:
- return MBEDTLS_SSL_HASH_NONE;
- }
-}
-
-/*
- * Check if a curve proposed by the peer is in our list.
- * Return 0 if we're willing to use it, -1 otherwise.
- */
-int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
-{
- const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
-
- if (group_list == NULL) {
- return -1;
- }
-
- for (; *group_list != 0; group_list++) {
- if (*group_list == tls_id) {
- return 0;
- }
- }
-
- return -1;
-}
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
-/*
- * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
- */
-int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
-{
- uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
-
- if (tls_id == 0) {
- return -1;
- }
-
- return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
-}
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
-static const struct {
- uint16_t tls_id;
- mbedtls_ecp_group_id ecp_group_id;
- psa_ecc_family_t psa_family;
- uint16_t bits;
-} tls_id_match_table[] =
-{
-#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
- { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP512R1)
- { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
- { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP384R1)
- { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
- { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
- { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_BP256R1)
- { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
- { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
- { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
- { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
- { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
- { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
-#endif
-#if defined(MBEDTLS_ECP_HAVE_CURVE448)
- { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
-#endif
- { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
-};
-
-int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
- psa_key_type_t *type,
- size_t *bits)
-{
- for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
- if (tls_id_match_table[i].tls_id == tls_id) {
- if (type != NULL) {
- *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
- }
- if (bits != NULL) {
- *bits = tls_id_match_table[i].bits;
- }
- return PSA_SUCCESS;
- }
- }
-
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
-mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
-{
- for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
- if (tls_id_match_table[i].tls_id == tls_id) {
- return tls_id_match_table[i].ecp_group_id;
- }
- }
-
- return MBEDTLS_ECP_DP_NONE;
-}
-
-uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
-{
- for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
- i++) {
- if (tls_id_match_table[i].ecp_group_id == grp_id) {
- return tls_id_match_table[i].tls_id;
- }
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_DEBUG_C)
-static const struct {
- uint16_t tls_id;
- const char *name;
-} tls_id_curve_name_table[] =
-{
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
- { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
- { 0, NULL },
-};
-
-const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
-{
- for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
- if (tls_id_curve_name_table[i].tls_id == tls_id) {
- return tls_id_curve_name_table[i].name;
- }
- }
-
- return NULL;
-}
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
- const mbedtls_md_type_t md,
- unsigned char *dst,
- size_t dst_len,
- size_t *olen)
-{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_hash_operation_t *hash_operation_to_clone;
- psa_hash_operation_t hash_operation = psa_hash_operation_init();
-
- *olen = 0;
-
- switch (md) {
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_MD_SHA384:
- hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
- break;
-#endif
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_MD_SHA256:
- hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
- break;
-#endif
-
- default:
- goto exit;
- }
-
- status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
-exit:
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
- !defined(MBEDTLS_MD_CAN_SHA256)
- (void) ssl;
-#endif
- return PSA_TO_MBEDTLS_ERR(status);
-}
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
- unsigned char *dst,
- size_t dst_len,
- size_t *olen)
-{
- int ret;
- mbedtls_md_context_t sha384;
-
- if (dst_len < 48) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- mbedtls_md_init(&sha384);
- ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
- if (ret != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
- goto exit;
- }
-
- *olen = 48;
-
-exit:
-
- mbedtls_md_free(&sha384);
- return ret;
-}
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
- unsigned char *dst,
- size_t dst_len,
- size_t *olen)
-{
- int ret;
- mbedtls_md_context_t sha256;
-
- if (dst_len < 32) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- mbedtls_md_init(&sha256);
- ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
- if (ret != 0) {
- goto exit;
- }
-
- if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
- goto exit;
- }
-
- *olen = 32;
-
-exit:
-
- mbedtls_md_free(&sha256);
- return ret;
-}
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
- const mbedtls_md_type_t md,
- unsigned char *dst,
- size_t dst_len,
- size_t *olen)
-{
- switch (md) {
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_MD_SHA384:
- return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
-#endif /* MBEDTLS_MD_CAN_SHA384*/
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_MD_SHA256:
- return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
-#endif /* MBEDTLS_MD_CAN_SHA256*/
-
- default:
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
- !defined(MBEDTLS_MD_CAN_SHA256)
- (void) ssl;
- (void) dst;
- (void) dst_len;
- (void) olen;
-#endif
- break;
- }
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-}
-
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-/* mbedtls_ssl_parse_sig_alg_ext()
- *
- * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
- * value (TLS 1.3 RFC8446):
- * enum {
- * ....
- * ecdsa_secp256r1_sha256( 0x0403 ),
- * ecdsa_secp384r1_sha384( 0x0503 ),
- * ecdsa_secp521r1_sha512( 0x0603 ),
- * ....
- * } SignatureScheme;
- *
- * struct {
- * SignatureScheme supported_signature_algorithms<2..2^16-2>;
- * } SignatureSchemeList;
- *
- * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
- * value (TLS 1.2 RFC5246):
- * enum {
- * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
- * sha512(6), (255)
- * } HashAlgorithm;
- *
- * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
- * SignatureAlgorithm;
- *
- * struct {
- * HashAlgorithm hash;
- * SignatureAlgorithm signature;
- * } SignatureAndHashAlgorithm;
- *
- * SignatureAndHashAlgorithm
- * supported_signature_algorithms<2..2^16-2>;
- *
- * The TLS 1.3 signature algorithm extension was defined to be a compatible
- * generalization of the TLS 1.2 signature algorithm extension.
- * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
- * `SignatureScheme` field of TLS 1.3
- *
- */
-int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end)
-{
- const unsigned char *p = buf;
- size_t supported_sig_algs_len = 0;
- const unsigned char *supported_sig_algs_end;
- uint16_t sig_alg;
- uint32_t common_idx = 0;
-
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
- supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- memset(ssl->handshake->received_sig_algs, 0,
- sizeof(ssl->handshake->received_sig_algs));
-
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
- supported_sig_algs_end = p + supported_sig_algs_len;
- while (p < supported_sig_algs_end) {
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
- sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
- MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
- sig_alg,
- mbedtls_ssl_sig_alg_to_str(sig_alg)));
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
- (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
- mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
- continue;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
- mbedtls_ssl_sig_alg_to_str(sig_alg)));
-
- if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
- ssl->handshake->received_sig_algs[common_idx] = sig_alg;
- common_idx += 1;
- }
- }
- /* Check that we consumed all the message. */
- if (p != end) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("Signature algorithms extension length misaligned"));
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
- MBEDTLS_ERR_SSL_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- if (common_idx == 0) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
- MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
- return 0;
-}
-
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-
-static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
- mbedtls_svc_key_id_t key,
- psa_algorithm_t alg,
- const unsigned char *raw_psk, size_t raw_psk_length,
- const unsigned char *seed, size_t seed_length,
- const unsigned char *label, size_t label_length,
- const unsigned char *other_secret,
- size_t other_secret_length,
- size_t capacity)
-{
- psa_status_t status;
-
- status = psa_key_derivation_setup(derivation, alg);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
- status = psa_key_derivation_input_bytes(derivation,
- PSA_KEY_DERIVATION_INPUT_SEED,
- seed, seed_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (other_secret != NULL) {
- status = psa_key_derivation_input_bytes(derivation,
- PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
- other_secret, other_secret_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
-
- if (mbedtls_svc_key_id_is_null(key)) {
- status = psa_key_derivation_input_bytes(
- derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
- raw_psk, raw_psk_length);
- } else {
- status = psa_key_derivation_input_key(
- derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
- }
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = psa_key_derivation_input_bytes(derivation,
- PSA_KEY_DERIVATION_INPUT_LABEL,
- label, label_length);
- if (status != PSA_SUCCESS) {
- return status;
- }
- } else {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- status = psa_key_derivation_set_capacity(derivation, capacity);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- return PSA_SUCCESS;
-}
-
-#if defined(PSA_WANT_ALG_SHA_384) || \
- defined(PSA_WANT_ALG_SHA_256)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int tls_prf_generic(mbedtls_md_type_t md_type,
- const unsigned char *secret, size_t slen,
- const char *label, size_t label_len,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen)
-{
- psa_status_t status;
- psa_algorithm_t alg;
- mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_derivation_operation_t derivation =
- PSA_KEY_DERIVATION_OPERATION_INIT;
-
- if (md_type == MBEDTLS_MD_SHA384) {
- alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
- } else {
- alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
- }
-
- /* Normally a "secret" should be long enough to be impossible to
- * find by brute force, and in particular should not be empty. But
- * this PRF is also used to derive an IV, in particular in EAP-TLS,
- * and for this use case it makes sense to have a 0-length "secret".
- * Since the key API doesn't allow importing a key of length 0,
- * keep master_key=0, which setup_psa_key_derivation() understands
- * to mean a 0-length "secret" input. */
- if (slen != 0) {
- psa_key_attributes_t key_attributes = psa_key_attributes_init();
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&key_attributes, alg);
- psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
-
- status = psa_import_key(&key_attributes, secret, slen, &master_key);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
- }
-
- status = setup_psa_key_derivation(&derivation,
- master_key, alg,
- NULL, 0,
- random, rlen,
- (unsigned char const *) label,
- label_len,
- NULL, 0,
- dlen);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(&derivation);
- psa_destroy_key(master_key);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(&derivation);
- psa_destroy_key(master_key);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_key_derivation_abort(&derivation);
- if (status != PSA_SUCCESS) {
- psa_destroy_key(master_key);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- if (!mbedtls_svc_key_id_is_null(master_key)) {
- status = psa_destroy_key(master_key);
- }
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- return 0;
-}
-#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
-#else /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_MD_C) && \
- (defined(MBEDTLS_MD_CAN_SHA256) || \
- defined(MBEDTLS_MD_CAN_SHA384))
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int tls_prf_generic(mbedtls_md_type_t md_type,
- const unsigned char *secret, size_t slen,
- const char *label, size_t label_len,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen)
-{
- size_t nb;
- size_t i, j, k, md_len;
- unsigned char *tmp;
- size_t tmp_len = 0;
- unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
- const mbedtls_md_info_t *md_info;
- mbedtls_md_context_t md_ctx;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- mbedtls_md_init(&md_ctx);
-
- if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- md_len = mbedtls_md_get_size(md_info);
-
- tmp_len = md_len + label_len + rlen;
- tmp = mbedtls_calloc(1, tmp_len);
- if (tmp == NULL) {
- ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
- goto exit;
- }
-
- nb = label_len;
- memcpy(tmp + md_len, label, nb);
- memcpy(tmp + md_len + nb, random, rlen);
- nb += rlen;
-
- /*
- * Compute P_(secret, label + random)[0..dlen]
- */
- if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
- if (ret != 0) {
- goto exit;
- }
-
- for (i = 0; i < dlen; i += md_len) {
- ret = mbedtls_md_hmac_reset(&md_ctx);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_reset(&md_ctx);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
- if (ret != 0) {
- goto exit;
- }
-
- k = (i + md_len > dlen) ? dlen % md_len : md_len;
-
- for (j = 0; j < k; j++) {
- dstbuf[i + j] = h_i[j];
- }
- }
-
-exit:
- mbedtls_md_free(&md_ctx);
-
- if (tmp != NULL) {
- mbedtls_platform_zeroize(tmp, tmp_len);
- }
-
- mbedtls_platform_zeroize(h_i, sizeof(h_i));
-
- mbedtls_free(tmp);
-
- return ret;
-}
-#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int tls_prf_sha256(const unsigned char *secret, size_t slen,
- const char *label,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen)
-{
- return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
- label, strlen(label), random, rlen, dstbuf, dlen);
-}
-#endif /* MBEDTLS_MD_CAN_SHA256*/
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int tls_prf_sha384(const unsigned char *secret, size_t slen,
- const char *label,
- const unsigned char *random, size_t rlen,
- unsigned char *dstbuf, size_t dlen)
-{
- return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
- label, strlen(label), random, rlen, dstbuf, dlen);
-}
-#endif /* MBEDTLS_MD_CAN_SHA384*/
-
-/*
- * Set appropriate PRF function and other SSL / TLS1.2 functions
- *
- * Inputs:
- * - hash associated with the ciphersuite (only used by TLS 1.2)
- *
- * Outputs:
- * - the tls_prf, calc_verify and calc_finished members of handshake structure
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
- mbedtls_md_type_t hash)
-{
-#if defined(MBEDTLS_MD_CAN_SHA384)
- if (hash == MBEDTLS_MD_SHA384) {
- handshake->tls_prf = tls_prf_sha384;
- handshake->calc_verify = ssl_calc_verify_tls_sha384;
- handshake->calc_finished = ssl_calc_finished_tls_sha384;
- } else
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- {
- (void) hash;
- handshake->tls_prf = tls_prf_sha256;
- handshake->calc_verify = ssl_calc_verify_tls_sha256;
- handshake->calc_finished = ssl_calc_finished_tls_sha256;
- }
-#else
- {
- (void) handshake;
- (void) hash;
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-#endif
-
- return 0;
-}
-
-/*
- * Compute master secret if needed
- *
- * Parameters:
- * [in/out] handshake
- * [in] resume, premaster, extended_ms, calc_verify, tls_prf
- * (PSA-PSK) ciphersuite_info, psk_opaque
- * [out] premaster (cleared)
- * [out] master
- * [in] ssl: optionally used for debugging, EMS and PSA-PSK
- * debug: conf->f_dbg, conf->p_dbg
- * EMS: passed to calc_verify (debug + session_negotiate)
- * PSA-PSA: conf
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
- unsigned char *master,
- const mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* cf. RFC 5246, Section 8.1:
- * "The master secret is always exactly 48 bytes in length." */
- size_t const master_secret_len = 48;
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- unsigned char session_hash[48];
-#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
-
- /* The label for the KDF used for key expansion.
- * This is either "master secret" or "extended master secret"
- * depending on whether the Extended Master Secret extension
- * is used. */
- char const *lbl = "master secret";
-
- /* The seed for the KDF used for key expansion.
- * - If the Extended Master Secret extension is not used,
- * this is ClientHello.Random + ServerHello.Random
- * (see Sect. 8.1 in RFC 5246).
- * - If the Extended Master Secret extension is used,
- * this is the transcript of the handshake so far.
- * (see Sect. 4 in RFC 7627). */
- unsigned char const *seed = handshake->randbytes;
- size_t seed_len = 64;
-
-#if !defined(MBEDTLS_DEBUG_C) && \
- !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
- !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
- ssl = NULL; /* make sure we don't use it except for those cases */
- (void) ssl;
-#endif
-
- if (handshake->resume != 0) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
- return 0;
- }
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
- lbl = "extended master secret";
- seed = session_hash;
- ret = handshake->calc_verify(ssl, session_hash, &seed_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
- }
-
- MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
- session_hash, seed_len);
- }
-#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
- if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
- /* Perform PSK-to-MS expansion in a single step. */
- psa_status_t status;
- psa_algorithm_t alg;
- mbedtls_svc_key_id_t psk;
- psa_key_derivation_operation_t derivation =
- PSA_KEY_DERIVATION_OPERATION_INIT;
- mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
-
- psk = mbedtls_ssl_get_opaque_psk(ssl);
-
- if (hash_alg == MBEDTLS_MD_SHA384) {
- alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
- } else {
- alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
- }
-
- size_t other_secret_len = 0;
- unsigned char *other_secret = NULL;
-
- switch (handshake->ciphersuite_info->key_exchange) {
- /* Provide other secret.
- * Other secret is stored in premaster, where first 2 bytes hold the
- * length of the other key.
- */
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- /* For RSA-PSK other key length is always 48 bytes. */
- other_secret_len = 48;
- other_secret = handshake->premaster + 2;
- break;
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
- other_secret = handshake->premaster + 2;
- break;
- default:
- break;
- }
-
- status = setup_psa_key_derivation(&derivation, psk, alg,
- ssl->conf->psk, ssl->conf->psk_len,
- seed, seed_len,
- (unsigned char const *) lbl,
- (size_t) strlen(lbl),
- other_secret, other_secret_len,
- master_secret_len);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(&derivation);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_key_derivation_output_bytes(&derivation,
- master,
- master_secret_len);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(&derivation);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_key_derivation_abort(&derivation);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
- } else
-#endif
- {
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
- psa_status_t status;
- psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
- psa_key_derivation_operation_t derivation =
- PSA_KEY_DERIVATION_OPERATION_INIT;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
-
- handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
-
- status = psa_key_derivation_setup(&derivation, alg);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_key_derivation_set_capacity(&derivation,
- PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(&derivation);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
- &derivation);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(&derivation);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_key_derivation_output_bytes(&derivation,
- handshake->premaster,
- handshake->pmslen);
- if (status != PSA_SUCCESS) {
- psa_key_derivation_abort(&derivation);
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- status = psa_key_derivation_abort(&derivation);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
- }
-#endif
- ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
- lbl, seed, seed_len,
- master,
- master_secret_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
- handshake->premaster,
- handshake->pmslen);
-
- mbedtls_platform_zeroize(handshake->premaster,
- sizeof(handshake->premaster));
- }
-
- return 0;
-}
-
-int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
- ssl->handshake->ciphersuite_info;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
-
- /* Set PRF, calc_verify and calc_finished function pointers */
- ret = ssl_set_handshake_prfs(ssl->handshake,
- (mbedtls_md_type_t) ciphersuite_info->mac);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
- return ret;
- }
-
- /* Compute master secret if needed */
- ret = ssl_compute_master(ssl->handshake,
- ssl->session_negotiate->master,
- ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
- return ret;
- }
-
- /* Swap the client and server random values:
- * - MS derivation wanted client+server (RFC 5246 8.1)
- * - key derivation wants server+client (RFC 5246 6.3) */
- {
- unsigned char tmp[64];
- memcpy(tmp, ssl->handshake->randbytes, 64);
- memcpy(ssl->handshake->randbytes, tmp + 32, 32);
- memcpy(ssl->handshake->randbytes + 32, tmp, 32);
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
- }
-
- /* Populate transform structure */
- ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
- ssl->session_negotiate->ciphersuite,
- ssl->session_negotiate->master,
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- ssl->session_negotiate->encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
- ssl->handshake->tls_prf,
- ssl->handshake->randbytes,
- ssl->tls_version,
- ssl->conf->endpoint,
- ssl);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
- return ret;
- }
-
- /* We no longer need Server/ClientHello.random values */
- mbedtls_platform_zeroize(ssl->handshake->randbytes,
- sizeof(ssl->handshake->randbytes));
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
-
- return 0;
-}
-
-int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
-{
- switch (md) {
-#if defined(MBEDTLS_MD_CAN_SHA384)
- case MBEDTLS_SSL_HASH_SHA384:
- ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
- break;
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- case MBEDTLS_SSL_HASH_SHA256:
- ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
- break;
-#endif
- default:
- return -1;
- }
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
- !defined(MBEDTLS_MD_CAN_SHA256)
- (void) ssl;
-#endif
- return 0;
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
- const psa_hash_operation_t *hs_op,
- size_t buffer_size,
- unsigned char *hash,
- size_t *hlen)
-{
- psa_status_t status;
- psa_hash_operation_t cloned_op = psa_hash_operation_init();
-
-#if !defined(MBEDTLS_DEBUG_C)
- (void) ssl;
-#endif
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
- status = psa_hash_clone(hs_op, &cloned_op);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
-
-exit:
- psa_hash_abort(&cloned_op);
- return mbedtls_md_error_from_psa(status);
-}
-#else
-static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
- const mbedtls_md_context_t *hs_ctx,
- unsigned char *hash,
- size_t *hlen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t cloned_ctx;
-
- mbedtls_md_init(&cloned_ctx);
-
-#if !defined(MBEDTLS_DEBUG_C)
- (void) ssl;
-#endif
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
-
- ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_finish(&cloned_ctx, hash);
- if (ret != 0) {
- goto exit;
- }
-
- *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
-
- MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
-
-exit:
- mbedtls_md_free(&cloned_ctx);
- return ret;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
- unsigned char *hash,
- size_t *hlen)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
- hash, hlen);
-#else
- return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
- hash, hlen);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-}
-#endif /* MBEDTLS_MD_CAN_SHA256 */
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
- unsigned char *hash,
- size_t *hlen)
-{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
- hash, hlen);
-#else
- return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
- hash, hlen);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-}
-#endif /* MBEDTLS_MD_CAN_SHA384 */
-
-#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
-{
- unsigned char *p = ssl->handshake->premaster;
- unsigned char *end = p + sizeof(ssl->handshake->premaster);
- const unsigned char *psk = NULL;
- size_t psk_len = 0;
- int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
-
- if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
- /*
- * This should never happen because the existence of a PSK is always
- * checked before calling this function.
- *
- * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
- * the shared secret without PSK.
- */
- if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- }
-
- /*
- * PMS = struct {
- * opaque other_secret<0..2^16-1>;
- * opaque psk<0..2^16-1>;
- * };
- * with "other_secret" depending on the particular key exchange
- */
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
- if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
- p += 2;
-
- if (end < p || (size_t) (end - p) < psk_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- memset(p, 0, psk_len);
- p += psk_len;
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
- if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
- /*
- * other_secret already set by the ClientKeyExchange message,
- * and is 48 bytes long
- */
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- *p++ = 0;
- *p++ = 48;
- p += 48;
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
- if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len;
-
- /* Write length only when we know the actual value */
- if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
- p + 2, (size_t) (end - (p + 2)), &len,
- ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
- return ret;
- }
- MBEDTLS_PUT_UINT16_BE(len, p, 0);
- p += 2 + len;
-
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
- if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t zlen;
-
- if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
- p + 2, (size_t) (end - (p + 2)),
- ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
- return ret;
- }
-
- MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
- p += 2 + zlen;
-
- MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
- MBEDTLS_DEBUG_ECDH_Z);
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /* opaque psk<0..2^16-1>; */
- if (end - p < 2) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
- p += 2;
-
- if (end < p || (size_t) (end - p) < psk_len) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- memcpy(p, psk, psk_len);
- p += psk_len;
-
- ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
-
- return 0;
-}
-#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
-{
- /* If renegotiation is not enforced, retransmit until we would reach max
- * timeout if we were using the usual handshake doubling scheme */
- if (ssl->conf->renego_max_records < 0) {
- uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
- unsigned char doublings = 1;
-
- while (ratio != 0) {
- ++doublings;
- ratio >>= 1;
- }
-
- if (++ssl->renego_records_seen > doublings) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
- return 0;
- }
- }
-
- return ssl_write_hello_request(ssl);
-}
-#endif
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
-
-/*
- * Handshake functions
- */
-#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/* No certificate support -> dummy functions */
-int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
-{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
-
- if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-}
-
-int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
-{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
-
- if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-}
-
-#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-/* Some certificate support -> implement write and parse */
-
-int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- size_t i, n;
- const mbedtls_x509_crt *crt;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
-
- if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
-#if defined(MBEDTLS_SSL_CLI_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- if (ssl->handshake->client_auth == 0) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
- }
-#endif /* MBEDTLS_SSL_CLI_C */
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- if (mbedtls_ssl_own_cert(ssl) == NULL) {
- /* Should never happen because we shouldn't have picked the
- * ciphersuite if we don't have a certificate. */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- }
-#endif
-
- MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
-
- /*
- * 0 . 0 handshake type
- * 1 . 3 handshake length
- * 4 . 6 length of all certs
- * 7 . 9 length of cert. 1
- * 10 . n-1 peer certificate
- * n . n+2 length of cert. 2
- * n+3 . ... upper level cert, etc.
- */
- i = 7;
- crt = mbedtls_ssl_own_cert(ssl);
-
- while (crt != NULL) {
- n = crt->raw.len;
- if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
- " > %" MBEDTLS_PRINTF_SIZET,
- i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
- ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
- ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
-
- i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
- i += n; crt = crt->next;
- }
-
- ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
- ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
- ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
-
- ssl->out_msglen = i;
- ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
-
- mbedtls_ssl_handshake_increment_state(ssl);
-
- if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
-
- return ret;
-}
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
-
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
- unsigned char *crt_buf,
- size_t crt_buf_len)
-{
- mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
-
- if (peer_crt == NULL) {
- return -1;
- }
-
- if (peer_crt->raw.len != crt_buf_len) {
- return -1;
- }
-
- return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
-}
-#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
- unsigned char *crt_buf,
- size_t crt_buf_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char const * const peer_cert_digest =
- ssl->session->peer_cert_digest;
- mbedtls_md_type_t const peer_cert_digest_type =
- ssl->session->peer_cert_digest_type;
- mbedtls_md_info_t const * const digest_info =
- mbedtls_md_info_from_type(peer_cert_digest_type);
- unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
- size_t digest_len;
-
- if (peer_cert_digest == NULL || digest_info == NULL) {
- return -1;
- }
-
- digest_len = mbedtls_md_get_size(digest_info);
- if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
- return -1;
- }
-
- ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
- if (ret != 0) {
- return -1;
- }
-
- return memcmp(tmp_digest, peer_cert_digest, digest_len);
-}
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
-
-/*
- * Once the certificate message is read, parse it into a cert chain and
- * perform basic checks, but leave actual verification to the caller
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
- mbedtls_x509_crt *chain)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
- int crt_cnt = 0;
-#endif
- size_t i, n;
- uint8_t alert;
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- i = mbedtls_ssl_hs_hdr_len(ssl);
-
- /*
- * Same message structure as in mbedtls_ssl_write_certificate()
- */
- n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
-
- if (ssl->in_msg[i] != 0 ||
- ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
- i += 3;
-
- /* Iterate through and parse the CRTs in the provided chain. */
- while (i < ssl->in_hslen) {
- /* Check that there's room for the next CRT's length fields. */
- if (i + 3 > ssl->in_hslen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
- * anything beyond 2**16 ~ 64K. */
- if (ssl->in_msg[i] != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
- return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
-
- /* Read length of the next CRT in the chain. */
- n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
- i += 3;
-
- if (n < 128 || i + n > ssl->in_hslen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* Check if we're handling the first CRT in the chain. */
-#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
- if (crt_cnt++ == 0 &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
- /* During client-side renegotiation, check that the server's
- * end-CRTs hasn't changed compared to the initial handshake,
- * mitigating the triple handshake attack. On success, reuse
- * the original end-CRT instead of parsing it again. */
- MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
- if (ssl_check_peer_crt_unchanged(ssl,
- &ssl->in_msg[i],
- n) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
- return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
-
- /* Now we can safely free the original chain. */
- ssl_clear_peer_cert(ssl->session);
- }
-#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
-
- /* Parse the next certificate in the chain. */
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
-#else
- /* If we don't need to store the CRT chain permanently, parse
- * it in-place from the input buffer instead of making a copy. */
- ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- switch (ret) {
- case 0: /*ok*/
- case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
- /* Ignore certificate with an unknown algorithm: maybe a
- prior certificate was already trusted. */
- break;
-
- case MBEDTLS_ERR_X509_ALLOC_FAILED:
- alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
- goto crt_parse_der_failed;
-
- case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- goto crt_parse_der_failed;
-
- default:
- alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
-crt_parse_der_failed:
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
- MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
- return ret;
- }
-
- i += n;
- }
-
- MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_SRV_C)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
-{
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- return -1;
- }
-
- if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
- ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
- ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
- memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
- return 0;
- }
- return -1;
-}
-#endif /* MBEDTLS_SSL_SRV_C */
-
-/* Check if a certificate message is expected.
- * Return either
- * - SSL_CERTIFICATE_EXPECTED, or
- * - SSL_CERTIFICATE_SKIP
- * indicating whether a Certificate message is expected or not.
- */
-#define SSL_CERTIFICATE_EXPECTED 0
-#define SSL_CERTIFICATE_SKIP 1
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
- int authmode)
-{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
-
- if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
- return SSL_CERTIFICATE_SKIP;
- }
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
- return SSL_CERTIFICATE_SKIP;
- }
-
- if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
- ssl->session_negotiate->verify_result =
- MBEDTLS_X509_BADCERT_SKIP_VERIFY;
- return SSL_CERTIFICATE_SKIP;
- }
- }
-#else
- ((void) authmode);
-#endif /* MBEDTLS_SSL_SRV_C */
-
- return SSL_CERTIFICATE_EXPECTED;
-}
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
- unsigned char *start, size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- /* Remember digest of the peer's end-CRT. */
- ssl->session_negotiate->peer_cert_digest =
- mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
- if (ssl->session_negotiate->peer_cert_digest == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
- MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
-
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- ret = mbedtls_md(mbedtls_md_info_from_type(
- MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
- start, len,
- ssl->session_negotiate->peer_cert_digest);
-
- ssl->session_negotiate->peer_cert_digest_type =
- MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
- ssl->session_negotiate->peer_cert_digest_len =
- MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
-
- return ret;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
- unsigned char *start, size_t len)
-{
- unsigned char *end = start + len;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- /* Make a copy of the peer's raw public key. */
- mbedtls_pk_init(&ssl->handshake->peer_pubkey);
- ret = mbedtls_pk_parse_subpubkey(&start, end,
- &ssl->handshake->peer_pubkey);
- if (ret != 0) {
- /* We should have parsed the public key before. */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- return 0;
-}
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
-int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
-{
- int ret = 0;
- int crt_expected;
- /* Authmode: precedence order is SNI if used else configuration */
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
- ? ssl->handshake->sni_authmode
- : ssl->conf->authmode;
-#else
- const int authmode = ssl->conf->authmode;
-#endif
- void *rs_ctx = NULL;
- mbedtls_x509_crt *chain = NULL;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
-
- crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
- if (crt_expected == SSL_CERTIFICATE_SKIP) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
- goto exit;
- }
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled &&
- ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
- chain = ssl->handshake->ecrs_peer_cert;
- ssl->handshake->ecrs_peer_cert = NULL;
- goto crt_verify;
- }
-#endif
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- /* mbedtls_ssl_read_record may have sent an alert already. We
- let it decide whether to alert. */
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- goto exit;
- }
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
- ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
-
- if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
- ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
- }
-
- goto exit;
- }
-#endif /* MBEDTLS_SSL_SRV_C */
-
- /* Clear existing peer CRT structure in case we tried to
- * reuse a session but it failed, and allocate a new one. */
- ssl_clear_peer_cert(ssl->session_negotiate);
-
- chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
- if (chain == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
- sizeof(mbedtls_x509_crt)));
- mbedtls_ssl_send_alert_message(ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
-
- ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
- goto exit;
- }
- mbedtls_x509_crt_init(chain);
-
- ret = ssl_parse_certificate_chain(ssl, chain);
- if (ret != 0) {
- goto exit;
- }
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled) {
- ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
- }
-
-crt_verify:
- if (ssl->handshake->ecrs_enabled) {
- rs_ctx = &ssl->handshake->ecrs_ctx;
- }
-#endif
-
- ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
- ssl->handshake->ciphersuite_info,
- rs_ctx);
- if (ret != 0) {
- goto exit;
- }
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- {
- unsigned char *crt_start, *pk_start;
- size_t crt_len, pk_len;
-
- /* We parse the CRT chain without copying, so
- * these pointers point into the input buffer,
- * and are hence still valid after freeing the
- * CRT chain. */
-
- crt_start = chain->raw.p;
- crt_len = chain->raw.len;
-
- pk_start = chain->pk_raw.p;
- pk_len = chain->pk_raw.len;
-
- /* Free the CRT structures before computing
- * digest and copying the peer's public key. */
- mbedtls_x509_crt_free(chain);
- mbedtls_free(chain);
- chain = NULL;
-
- ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
- if (ret != 0) {
- goto exit;
- }
-
- ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
- if (ret != 0) {
- goto exit;
- }
- }
-#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- /* Pass ownership to session structure. */
- ssl->session_negotiate->peer_cert = chain;
- chain = NULL;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
-
-exit:
-
- if (ret == 0) {
- mbedtls_ssl_handshake_increment_state(ssl);
- }
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
- ssl->handshake->ecrs_peer_cert = chain;
- chain = NULL;
- }
-#endif
-
- if (chain != NULL) {
- mbedtls_x509_crt_free(chain);
- mbedtls_free(chain);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
-static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
- unsigned char *padbuf, size_t hlen,
- unsigned char *buf, int from)
-{
- unsigned int len = 12;
- const char *sender;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status;
- psa_hash_operation_t *hs_op = ctx;
- psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
- size_t hash_size;
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t *hs_ctx = ctx;
- mbedtls_md_context_t cloned_ctx;
- mbedtls_md_init(&cloned_ctx);
-#endif
-
- mbedtls_ssl_session *session = ssl->session_negotiate;
- if (!session) {
- session = ssl->session;
- }
-
- sender = (from == MBEDTLS_SSL_IS_CLIENT)
- ? "client finished"
- : "server finished";
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
-
- status = psa_hash_clone(hs_op, &cloned_op);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
-#else
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
-
- ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_finish(&cloned_ctx, padbuf);
- if (ret != 0) {
- goto exit;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
-
- /*
- * TLSv1.2:
- * hash = PRF( master, finished_label,
- * Hash( handshake ) )[0.11]
- */
- ssl->handshake->tls_prf(session->master, 48, sender,
- padbuf, hlen, buf, len);
-
- MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
-
- mbedtls_platform_zeroize(padbuf, hlen);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
-
-exit:
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&cloned_op);
- return mbedtls_md_error_from_psa(status);
-#else
- mbedtls_md_free(&cloned_ctx);
- return ret;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-}
-
-#if defined(MBEDTLS_MD_CAN_SHA256)
-static int ssl_calc_finished_tls_sha256(
- mbedtls_ssl_context *ssl, unsigned char *buf, int from)
-{
- unsigned char padbuf[32];
- return ssl_calc_finished_tls_generic(ssl,
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- &ssl->handshake->fin_sha256_psa,
-#else
- &ssl->handshake->fin_sha256,
-#endif
- padbuf, sizeof(padbuf),
- buf, from);
-}
-#endif /* MBEDTLS_MD_CAN_SHA256*/
-
-
-#if defined(MBEDTLS_MD_CAN_SHA384)
-static int ssl_calc_finished_tls_sha384(
- mbedtls_ssl_context *ssl, unsigned char *buf, int from)
-{
- unsigned char padbuf[48];
- return ssl_calc_finished_tls_generic(ssl,
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- &ssl->handshake->fin_sha384_psa,
-#else
- &ssl->handshake->fin_sha384,
-#endif
- padbuf, sizeof(padbuf),
- buf, from);
-}
-#endif /* MBEDTLS_MD_CAN_SHA384*/
-
-void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
-{
- MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
-
- /*
- * Free our handshake params
- */
- mbedtls_ssl_handshake_free(ssl);
- mbedtls_free(ssl->handshake);
- ssl->handshake = NULL;
-
- /*
- * Free the previous transform and switch in the current one
- */
- if (ssl->transform) {
- mbedtls_ssl_transform_free(ssl->transform);
- mbedtls_free(ssl->transform);
- }
- ssl->transform = ssl->transform_negotiate;
- ssl->transform_negotiate = NULL;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
-}
-
-void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
-{
- int resume = ssl->handshake->resume;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
- ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
- ssl->renego_records_seen = 0;
- }
-#endif
-
- /*
- * Free the previous session and switch in the current one
- */
- if (ssl->session) {
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- /* RFC 7366 3.1: keep the EtM state */
- ssl->session_negotiate->encrypt_then_mac =
- ssl->session->encrypt_then_mac;
-#endif
-
- mbedtls_ssl_session_free(ssl->session);
- mbedtls_free(ssl->session);
- }
- ssl->session = ssl->session_negotiate;
- ssl->session_negotiate = NULL;
-
- /*
- * Add cache entry
- */
- if (ssl->conf->f_set_cache != NULL &&
- ssl->session->id_len != 0 &&
- resume == 0) {
- if (ssl->conf->f_set_cache(ssl->conf->p_cache,
- ssl->session->id,
- ssl->session->id_len,
- ssl->session) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
- }
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- ssl->handshake->flight != NULL) {
- /* Cancel handshake timer */
- mbedtls_ssl_set_timer(ssl, 0);
-
- /* Keep last flight around in case we need to resend it:
- * we need the handshake and transform structures for that */
- MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
- } else
-#endif
- mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
-
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
-}
-
-int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
-{
- int ret;
- unsigned int hash_len;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
-
- mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
-
- ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
- return ret;
- }
-
- /*
- * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
- * may define some other value. Currently (early 2016), no defined
- * ciphersuite does this (and this is unlikely to change as activity has
- * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
- */
- hash_len = 12;
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl->verify_data_len = hash_len;
- memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
-#endif
-
- ssl->out_msglen = 4 + hash_len;
- ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
-
- /*
- * In case of session resuming, invert the client and server
- * ChangeCipherSpec messages order.
- */
- if (ssl->handshake->resume != 0) {
-#if defined(MBEDTLS_SSL_CLI_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
- }
-#endif
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
- }
-#endif
- } else {
- mbedtls_ssl_handshake_increment_state(ssl);
- }
-
- /*
- * Switch to our negotiated transform and session parameters for outbound
- * data.
- */
- MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- unsigned char i;
-
- /* Remember current epoch settings for resending */
- ssl->handshake->alt_transform_out = ssl->transform_out;
- memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
- sizeof(ssl->handshake->alt_out_ctr));
-
- /* Set sequence_number to zero */
- memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
-
-
- /* Increment epoch */
- for (i = 2; i > 0; i--) {
- if (++ssl->cur_out_ctr[i - 1] != 0) {
- break;
- }
- }
-
- /* The loop goes to its end iff the counter is wrapping */
- if (i == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
- return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
- }
- } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
- memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
-
- ssl->transform_out = ssl->transform_negotiate;
- ssl->session_out = ssl->session_negotiate;
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- mbedtls_ssl_send_flight_completed(ssl);
- }
-#endif
-
- if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
- return ret;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
- (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
- return ret;
- }
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
-
- return 0;
-}
-
-#define SSL_MAX_HASH_LEN 12
-
-int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned int hash_len = 12;
- unsigned char buf[SSL_MAX_HASH_LEN];
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
-
- ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
- return ret;
- }
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- goto exit;
- }
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- goto exit;
- }
-
- if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- goto exit;
- }
-
- if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
- goto exit;
- }
-
- if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
- buf, hash_len) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
- ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- goto exit;
- }
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl->verify_data_len = hash_len;
- memcpy(ssl->peer_verify_data, buf, hash_len);
-#endif
-
- if (ssl->handshake->resume != 0) {
-#if defined(MBEDTLS_SSL_CLI_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
- }
-#endif
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
- }
-#endif
- } else {
- mbedtls_ssl_handshake_increment_state(ssl);
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- mbedtls_ssl_recv_flight_completed(ssl);
- }
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
-
-exit:
- mbedtls_platform_zeroize(buf, hash_len);
- return ret;
-}
-
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
-/*
- * Helper to get TLS 1.2 PRF from ciphersuite
- * (Duplicates bits of logic from ssl_set_handshake_prfs().)
- */
-static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
-{
- const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
- mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
-#if defined(MBEDTLS_MD_CAN_SHA384)
- if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
- return tls_prf_sha384;
- } else
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- {
- if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
- return tls_prf_sha256;
- }
- }
-#endif
-#if !defined(MBEDTLS_MD_CAN_SHA384) && \
- !defined(MBEDTLS_MD_CAN_SHA256)
- (void) ciphersuite_info;
-#endif
-
- return NULL;
-}
-#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
-
-static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
-{
- ((void) tls_prf);
-#if defined(MBEDTLS_MD_CAN_SHA384)
- if (tls_prf == tls_prf_sha384) {
- return MBEDTLS_SSL_TLS_PRF_SHA384;
- } else
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- if (tls_prf == tls_prf_sha256) {
- return MBEDTLS_SSL_TLS_PRF_SHA256;
- } else
-#endif
- return MBEDTLS_SSL_TLS_PRF_NONE;
-}
-
-/*
- * Populate a transform structure with session keys and all the other
- * necessary information.
- *
- * Parameters:
- * - [in/out]: transform: structure to populate
- * [in] must be just initialised with mbedtls_ssl_transform_init()
- * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
- * - [in] ciphersuite
- * - [in] master
- * - [in] encrypt_then_mac
- * - [in] tls_prf: pointer to PRF to use for key derivation
- * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
- * - [in] tls_version: TLS version
- * - [in] endpoint: client or server
- * - [in] ssl: used for:
- * - ssl->conf->{f,p}_export_keys
- * [in] optionally used for:
- * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
- int ciphersuite,
- const unsigned char master[48],
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- int encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
- ssl_tls_prf_t tls_prf,
- const unsigned char randbytes[64],
- mbedtls_ssl_protocol_version tls_version,
- unsigned endpoint,
- const mbedtls_ssl_context *ssl)
-{
- int ret = 0;
- unsigned char keyblk[256];
- unsigned char *key1;
- unsigned char *key2;
- unsigned char *mac_enc;
- unsigned char *mac_dec;
- size_t mac_key_len = 0;
- size_t iv_copy_len;
- size_t keylen;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
- mbedtls_ssl_mode_t ssl_mode;
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
- const mbedtls_cipher_info_t *cipher_info;
- const mbedtls_md_info_t *md_info;
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_type_t key_type;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_algorithm_t alg;
- psa_algorithm_t mac_alg = 0;
- size_t key_bits;
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-#endif
-
- /*
- * Some data just needs copying into the structure
- */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- transform->encrypt_then_mac = encrypt_then_mac;
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
- transform->tls_version = tls_version;
-
-#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
- memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
- /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
- * generation separate. This should never happen. */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- /*
- * Get various info structures
- */
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
- if (ciphersuite_info == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
- ciphersuite));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
- ciphersuite_info);
-
- if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
- transform->taglen =
- ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
- transform->taglen,
- &alg,
- &key_type,
- &key_bits)) != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
- goto end;
- }
-#else
- cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
- if (cipher_info == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
- ciphersuite_info->cipher));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
- if (mac_alg == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
- (unsigned) ciphersuite_info->mac));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-#else
- md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
- if (md_info == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
- (unsigned) ciphersuite_info->mac));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- /* Copy own and peer's CID if the use of the CID
- * extension has been negotiated. */
- if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
-
- transform->in_cid_len = ssl->own_cid_len;
- memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
- MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
- transform->in_cid_len);
-
- transform->out_cid_len = ssl->handshake->peer_cid_len;
- memcpy(transform->out_cid, ssl->handshake->peer_cid,
- ssl->handshake->peer_cid_len);
- MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
- transform->out_cid_len);
- }
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
- /*
- * Compute key block using the PRF
- */
- ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
- mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
- MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
- MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
- MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
-
- /*
- * Determine the appropriate key, IV and MAC length.
- */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- keylen = PSA_BITS_TO_BYTES(key_bits);
-#else
- keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
-#endif
-
-#if defined(MBEDTLS_SSL_HAVE_AEAD)
- if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
- size_t explicit_ivlen;
-
- transform->maclen = 0;
- mac_key_len = 0;
-
- /* All modes haves 96-bit IVs, but the length of the static parts vary
- * with mode and version:
- * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
- * (to be concatenated with a dynamically chosen IV of 8 Bytes)
- * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
- * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
- * sequence number).
- */
- transform->ivlen = 12;
-
- int is_chachapoly = 0;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
-#else
- is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
- == MBEDTLS_MODE_CHACHAPOLY);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- if (is_chachapoly) {
- transform->fixed_ivlen = 12;
- } else {
- transform->fixed_ivlen = 4;
- }
-
- /* Minimum length of encrypted record */
- explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
- transform->minlen = explicit_ivlen + transform->taglen;
- } else
-#endif /* MBEDTLS_SSL_HAVE_AEAD */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
- ssl_mode == MBEDTLS_SSL_MODE_CBC ||
- ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
-#else
- size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Get MAC length */
- mac_key_len = PSA_HASH_LENGTH(mac_alg);
-#else
- /* Initialize HMAC contexts */
- if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
- (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
- goto end;
- }
-
- /* Get MAC length */
- mac_key_len = mbedtls_md_get_size(md_info);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- transform->maclen = mac_key_len;
-
- /* IV length */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
-#else
- transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- /* Minimum length */
- if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
- transform->minlen = transform->maclen;
- } else {
- /*
- * GenericBlockCipher:
- * 1. if EtM is in use: one block plus MAC
- * otherwise: * first multiple of blocklen greater than maclen
- * 2. IV
- */
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
- transform->minlen = transform->maclen
- + block_size;
- } else
-#endif
- {
- transform->minlen = transform->maclen
- + block_size
- - transform->maclen % block_size;
- }
-
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
- transform->minlen += transform->ivlen;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- goto end;
- }
- }
- } else
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
- (unsigned) keylen,
- (unsigned) transform->minlen,
- (unsigned) transform->ivlen,
- (unsigned) transform->maclen));
-
- /*
- * Finally setup the cipher contexts, IVs and MAC secrets.
- */
-#if defined(MBEDTLS_SSL_CLI_C)
- if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
- key1 = keyblk + mac_key_len * 2;
- key2 = keyblk + mac_key_len * 2 + keylen;
-
- mac_enc = keyblk;
- mac_dec = keyblk + mac_key_len;
-
- iv_copy_len = (transform->fixed_ivlen) ?
- transform->fixed_ivlen : transform->ivlen;
- memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
- memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
- iv_copy_len);
- } else
-#endif /* MBEDTLS_SSL_CLI_C */
-#if defined(MBEDTLS_SSL_SRV_C)
- if (endpoint == MBEDTLS_SSL_IS_SERVER) {
- key1 = keyblk + mac_key_len * 2 + keylen;
- key2 = keyblk + mac_key_len * 2;
-
- mac_enc = keyblk + mac_key_len;
- mac_dec = keyblk;
-
- iv_copy_len = (transform->fixed_ivlen) ?
- transform->fixed_ivlen : transform->ivlen;
- memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
- memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
- iv_copy_len);
- } else
-#endif /* MBEDTLS_SSL_SRV_C */
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- goto end;
- }
-
- if (ssl->f_export_keys != NULL) {
- ssl->f_export_keys(ssl->p_export_keys,
- MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
- master, 48,
- randbytes + 32,
- randbytes,
- tls_prf_get_type(tls_prf));
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- transform->psa_alg = alg;
-
- if (alg != MBEDTLS_SSL_NULL_CIPHER) {
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
- psa_set_key_algorithm(&attributes, alg);
- psa_set_key_type(&attributes, key_type);
-
- if ((status = psa_import_key(&attributes,
- key1,
- PSA_BITS_TO_BYTES(key_bits),
- &transform->psa_key_enc)) != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
- goto end;
- }
-
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
-
- if ((status = psa_import_key(&attributes,
- key2,
- PSA_BITS_TO_BYTES(key_bits),
- &transform->psa_key_dec)) != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
- goto end;
- }
- }
-#else
- if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
- cipher_info)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
- goto end;
- }
-
- if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
- cipher_info)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
- goto end;
- }
-
- if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
- (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
- MBEDTLS_ENCRYPT)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
- goto end;
- }
-
- if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
- (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
- MBEDTLS_DECRYPT)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
- goto end;
- }
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
- if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
- if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
- MBEDTLS_PADDING_NONE)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
- goto end;
- }
-
- if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
- MBEDTLS_PADDING_NONE)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
- goto end;
- }
- }
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
- /* For HMAC-based ciphersuites, initialize the HMAC transforms.
- For AEAD-based ciphersuites, there is nothing to do here. */
- if (mac_key_len != 0) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
-
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
- psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
- psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
-
- if ((status = psa_import_key(&attributes,
- mac_enc, mac_key_len,
- &transform->psa_mac_enc)) != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
- goto end;
- }
-
- if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
- ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
- && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
-#endif
- )) {
- /* mbedtls_ct_hmac() requires the key to be exportable */
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
- PSA_KEY_USAGE_VERIFY_HASH);
- } else {
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
- }
-
- if ((status = psa_import_key(&attributes,
- mac_dec, mac_key_len,
- &transform->psa_mac_dec)) != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
- goto end;
- }
-#else
- ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
- if (ret != 0) {
- goto end;
- }
- ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
- if (ret != 0) {
- goto end;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- }
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
-
- ((void) mac_dec);
- ((void) mac_enc);
-
-end:
- mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
- return ret;
-}
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
- defined(MBEDTLS_USE_PSA_CRYPTO)
-int mbedtls_psa_ecjpake_read_round(
- psa_pake_operation_t *pake_ctx,
- const unsigned char *buf,
- size_t len, mbedtls_ecjpake_rounds_t round)
-{
- psa_status_t status;
- size_t input_offset = 0;
- /*
- * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
- * At round two perform a single cycle
- */
- unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
-
- for (; remaining_steps > 0; remaining_steps--) {
- for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
- step <= PSA_PAKE_STEP_ZK_PROOF;
- ++step) {
- /* Length is stored at the first byte */
- size_t length = buf[input_offset];
- input_offset += 1;
-
- if (input_offset + length > len) {
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- status = psa_pake_input(pake_ctx, step,
- buf + input_offset, length);
- if (status != PSA_SUCCESS) {
- return PSA_TO_MBEDTLS_ERR(status);
- }
-
- input_offset += length;
- }
- }
-
- if (input_offset != len) {
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- return 0;
-}
-
-int mbedtls_psa_ecjpake_write_round(
- psa_pake_operation_t *pake_ctx,
- unsigned char *buf,
- size_t len, size_t *olen,
- mbedtls_ecjpake_rounds_t round)
-{
- psa_status_t status;
- size_t output_offset = 0;
- size_t output_len;
- /*
- * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
- * At round two perform a single cycle
- */
- unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
-
- for (; remaining_steps > 0; remaining_steps--) {
- for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
- step <= PSA_PAKE_STEP_ZK_PROOF;
- ++step) {
- /*
- * For each step, prepend 1 byte with the length of the data as
- * given by psa_pake_output().
- */
- status = psa_pake_output(pake_ctx, step,
- buf + output_offset + 1,
- len - output_offset - 1,
- &output_len);
- if (status != PSA_SUCCESS) {
- return PSA_TO_MBEDTLS_ERR(status);
- }
-
- *(buf + output_offset) = (uint8_t) output_len;
-
- output_offset += output_len + 1;
- }
- }
-
- *olen = output_offset;
-
- return 0;
-}
-#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
- unsigned char *hash, size_t *hashlen,
- unsigned char *data, size_t data_len,
- mbedtls_md_type_t md_alg)
-{
- psa_status_t status;
- psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
- psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
-
- if ((status = psa_hash_setup(&hash_operation,
- hash_alg)) != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
- goto exit;
- }
-
- if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
- 64)) != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
- goto exit;
- }
-
- if ((status = psa_hash_update(&hash_operation,
- data, data_len)) != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
- goto exit;
- }
-
- if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
- hashlen)) != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
- goto exit;
- }
-
-exit:
- if (status != PSA_SUCCESS) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
- switch (status) {
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
- case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
- case PSA_ERROR_BUFFER_TOO_SMALL:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_MD_ALLOC_FAILED;
- default:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
- }
- return 0;
-}
-
-#else
-
-int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
- unsigned char *hash, size_t *hashlen,
- unsigned char *data, size_t data_len,
- mbedtls_md_type_t md_alg)
-{
- int ret = 0;
- mbedtls_md_context_t ctx;
- const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
- *hashlen = mbedtls_md_get_size(md_info);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
-
- mbedtls_md_init(&ctx);
-
- /*
- * digitally-signed struct {
- * opaque client_random[32];
- * opaque server_random[32];
- * ServerDHParams params;
- * };
- */
- if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
- goto exit;
- }
- if ((ret = mbedtls_md_starts(&ctx)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
- goto exit;
- }
- if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
- goto exit;
- }
- if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
- goto exit;
- }
- if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
- goto exit;
- }
-
-exit:
- mbedtls_md_free(&ctx);
-
- if (ret != 0) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
- }
-
- return ret;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
-/* Find the preferred hash for a given signature algorithm. */
-unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
- mbedtls_ssl_context *ssl,
- unsigned int sig_alg)
-{
- unsigned int i;
- uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
-
- if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
- return MBEDTLS_SSL_HASH_NONE;
- }
-
- for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
- unsigned int hash_alg_received =
- MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
- received_sig_algs[i]);
- unsigned int sig_alg_received =
- MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
- received_sig_algs[i]);
-
- mbedtls_md_type_t md_alg =
- mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
- if (md_alg == MBEDTLS_MD_NONE) {
- continue;
- }
-
- if (sig_alg == sig_alg_received) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
- psa_algorithm_t psa_hash_alg =
- mbedtls_md_psa_alg_from_type(md_alg);
-
- if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
- !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
- PSA_ALG_ECDSA(psa_hash_alg),
- PSA_KEY_USAGE_SIGN_HASH)) {
- continue;
- }
-
- if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
- !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
- PSA_ALG_RSA_PKCS1V15_SIGN(
- psa_hash_alg),
- PSA_KEY_USAGE_SIGN_HASH)) {
- continue;
- }
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- return hash_alg_received;
- }
- }
-
- return MBEDTLS_SSL_HASH_NONE;
-}
-
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-int mbedtls_ssl_validate_ciphersuite(
- const mbedtls_ssl_context *ssl,
- const mbedtls_ssl_ciphersuite_t *suite_info,
- mbedtls_ssl_protocol_version min_tls_version,
- mbedtls_ssl_protocol_version max_tls_version)
-{
- (void) ssl;
-
- if (suite_info == NULL) {
- return -1;
- }
-
- if ((suite_info->min_tls_version > max_tls_version) ||
- (suite_info->max_tls_version < min_tls_version)) {
- return -1;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
- ssl->handshake->psa_pake_ctx_is_ok != 1)
-#else
- if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
- mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- {
- return -1;
- }
-#endif
-
- /* Don't suggest PSK-based ciphersuite if no PSK is available. */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
- if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
- mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
- return -1;
- }
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-/*
- * Function for writing a signature algorithm extension.
- *
- * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
- * value (TLS 1.3 RFC8446):
- * enum {
- * ....
- * ecdsa_secp256r1_sha256( 0x0403 ),
- * ecdsa_secp384r1_sha384( 0x0503 ),
- * ecdsa_secp521r1_sha512( 0x0603 ),
- * ....
- * } SignatureScheme;
- *
- * struct {
- * SignatureScheme supported_signature_algorithms<2..2^16-2>;
- * } SignatureSchemeList;
- *
- * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
- * value (TLS 1.2 RFC5246):
- * enum {
- * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
- * sha512(6), (255)
- * } HashAlgorithm;
- *
- * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
- * SignatureAlgorithm;
- *
- * struct {
- * HashAlgorithm hash;
- * SignatureAlgorithm signature;
- * } SignatureAndHashAlgorithm;
- *
- * SignatureAndHashAlgorithm
- * supported_signature_algorithms<2..2^16-2>;
- *
- * The TLS 1.3 signature algorithm extension was defined to be a compatible
- * generalization of the TLS 1.2 signature algorithm extension.
- * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
- * `SignatureScheme` field of TLS 1.3
- *
- */
-int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
- const unsigned char *end, size_t *out_len)
-{
- unsigned char *p = buf;
- unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
- size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
-
- *out_len = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
-
- /* Check if we have space for header and length field:
- * - extension_type (2 bytes)
- * - extension_data_length (2 bytes)
- * - supported_signature_algorithms_length (2 bytes)
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
- p += 6;
-
- /*
- * Write supported_signature_algorithms
- */
- supported_sig_alg = p;
- const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
- if (sig_alg == NULL) {
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
- }
-
- for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
- *sig_alg,
- mbedtls_ssl_sig_alg_to_str(*sig_alg)));
- if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
- continue;
- }
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
- MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
- p += 2;
- MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
- *sig_alg,
- mbedtls_ssl_sig_alg_to_str(*sig_alg)));
- }
-
- /* Length of supported_signature_algorithms */
- supported_sig_alg_len = (size_t) (p - supported_sig_alg);
- if (supported_sig_alg_len == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
- MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
- MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
-
- *out_len = (size_t) (p - buf);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-/*
- * mbedtls_ssl_parse_server_name_ext
- *
- * Structure of server_name extension:
- *
- * enum {
- * host_name(0), (255)
- * } NameType;
- * opaque HostName<1..2^16-1>;
- *
- * struct {
- * NameType name_type;
- * select (name_type) {
- * case host_name: HostName;
- * } name;
- * } ServerName;
- * struct {
- * ServerName server_name_list<1..2^16-1>
- * } ServerNameList;
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const unsigned char *p = buf;
- size_t server_name_list_len, hostname_len;
- const unsigned char *server_name_list_end;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
-
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
- server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
- server_name_list_end = p + server_name_list_len;
- while (p < server_name_list_end) {
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
- hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
- hostname_len + 3);
-
- if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
- /* sni_name is intended to be used only during the parsing of the
- * ClientHello message (it is reset to NULL before the end of
- * the message parsing). Thus it is ok to just point to the
- * reception buffer and not make a copy of it.
- */
- ssl->handshake->sni_name = p + 3;
- ssl->handshake->sni_name_len = hostname_len;
- if (ssl->conf->f_sni == NULL) {
- return 0;
- }
- ret = ssl->conf->f_sni(ssl->conf->p_sni,
- ssl, p + 3, hostname_len);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
- MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
- return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
- }
- return 0;
- }
-
- p += hostname_len + 3;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-#if defined(MBEDTLS_SSL_ALPN)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end)
-{
- const unsigned char *p = buf;
- size_t protocol_name_list_len;
- const unsigned char *protocol_name_list;
- const unsigned char *protocol_name_list_end;
- size_t protocol_name_len;
-
- /* If ALPN not configured, just ignore the extension */
- if (ssl->conf->alpn_list == NULL) {
- return 0;
- }
-
- /*
- * RFC7301, section 3.1
- * opaque ProtocolName<1..2^8-1>;
- *
- * struct {
- * ProtocolName protocol_name_list<2..2^16-1>
- * } ProtocolNameList;
- */
-
- /*
- * protocol_name_list_len 2 bytes
- * protocol_name_len 1 bytes
- * protocol_name >=1 byte
- */
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
-
- protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
- protocol_name_list = p;
- protocol_name_list_end = p + protocol_name_list_len;
-
- /* Validate peer's list (lengths) */
- while (p < protocol_name_list_end) {
- protocol_name_len = *p++;
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
- protocol_name_len);
- if (protocol_name_len == 0) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- p += protocol_name_len;
- }
-
- /* Use our order of preference */
- for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
- size_t const alpn_len = strlen(*alpn);
- p = protocol_name_list;
- while (p < protocol_name_list_end) {
- protocol_name_len = *p++;
- if (protocol_name_len == alpn_len &&
- memcmp(p, *alpn, alpn_len) == 0) {
- ssl->alpn_chosen = *alpn;
- return 0;
- }
-
- p += protocol_name_len;
- }
- }
-
- /* If we get here, no match was found */
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
- MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
- return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
-}
-
-int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- unsigned char *end,
- size_t *out_len)
-{
- unsigned char *p = buf;
- size_t protocol_name_len;
- *out_len = 0;
-
- if (ssl->alpn_chosen == NULL) {
- return 0;
- }
-
- protocol_name_len = strlen(ssl->alpn_chosen);
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
- /*
- * 0 . 1 ext identifier
- * 2 . 3 ext length
- * 4 . 5 protocol list length
- * 6 . 6 protocol name length
- * 7 . 7+n protocol name
- */
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
-
- *out_len = 7 + protocol_name_len;
-
- MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
- MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
- /* Note: the length of the chosen protocol has been checked to be less
- * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
- */
- p[6] = MBEDTLS_BYTE_0(protocol_name_len);
-
- memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
-#endif
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_ALPN */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_SSL_SESSION_TICKETS) && \
- defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
- defined(MBEDTLS_SSL_CLI_C)
-int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
- const char *hostname)
-{
- /* Initialize to suppress unnecessary compiler warning */
- size_t hostname_len = 0;
-
- /* Check if new hostname is valid before
- * making any change to current one */
- if (hostname != NULL) {
- hostname_len = strlen(hostname);
-
- if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- }
-
- /* Now it's clear that we will overwrite the old hostname,
- * so we can free it safely */
- if (session->hostname != NULL) {
- mbedtls_zeroize_and_free(session->hostname,
- strlen(session->hostname));
- }
-
- /* Passing NULL as hostname shall clear the old one */
- if (hostname == NULL) {
- session->hostname = NULL;
- } else {
- session->hostname = mbedtls_calloc(1, hostname_len + 1);
- if (session->hostname == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(session->hostname, hostname, hostname_len);
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
- MBEDTLS_SSL_SESSION_TICKETS &&
- MBEDTLS_SSL_SERVER_NAME_INDICATION &&
- MBEDTLS_SSL_CLI_C */
-
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
- defined(MBEDTLS_SSL_ALPN)
-int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
- const char *alpn)
-{
- size_t alpn_len = 0;
-
- if (alpn != NULL) {
- alpn_len = strlen(alpn);
-
- if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
- }
-
- if (session->ticket_alpn != NULL) {
- mbedtls_zeroize_and_free(session->ticket_alpn,
- strlen(session->ticket_alpn));
- session->ticket_alpn = NULL;
- }
-
- if (alpn != NULL) {
- session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
- if (session->ticket_alpn == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
- memcpy(session->ticket_alpn, alpn, alpn_len);
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
-
-/*
- * The following functions are used by 1.2 and 1.3, client and server.
- */
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
- const mbedtls_ssl_ciphersuite_t *ciphersuite,
- int recv_endpoint,
- mbedtls_ssl_protocol_version tls_version,
- uint32_t *flags)
-{
- int ret = 0;
- unsigned int usage = 0;
- const char *ext_oid;
- size_t ext_len;
-
- /*
- * keyUsage
- */
-
- /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
- * to check what a compliant client will think while choosing which cert
- * to send to the client. */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
- recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
- /* TLS 1.2 server part of the key exchange */
- switch (ciphersuite->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
- break;
-
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
- break;
-
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
- break;
-
- /* Don't use default: we want warnings when adding new values */
- case MBEDTLS_KEY_EXCHANGE_NONE:
- case MBEDTLS_KEY_EXCHANGE_PSK:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
- usage = 0;
- }
- } else
-#endif
- {
- /* This is either TLS 1.3 authentication, which always uses signatures,
- * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
- * options we implement, both using signatures. */
- (void) tls_version;
- (void) ciphersuite;
- usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
- }
-
- if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
- *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
- ret = -1;
- }
-
- /*
- * extKeyUsage
- */
-
- if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ext_oid = MBEDTLS_OID_SERVER_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
- } else {
- ext_oid = MBEDTLS_OID_CLIENT_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
- }
-
- if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
- *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
- ret = -1;
- }
-
- return ret;
-}
-
-static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
- const char **hostname)
-{
- if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
-#if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
- if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT &&
- ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
- return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
- }
-#endif
- }
-
- *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
- if (*hostname == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
- }
-
- return 0;
-}
-
-int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
- int authmode,
- mbedtls_x509_crt *chain,
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
- void *rs_ctx)
-{
- if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
- return 0;
- }
-
- /*
- * Primary check: use the appropriate X.509 verification function
- */
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
- void *p_vrfy;
- if (ssl->f_vrfy != NULL) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
- f_vrfy = ssl->f_vrfy;
- p_vrfy = ssl->p_vrfy;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
- f_vrfy = ssl->conf->f_vrfy;
- p_vrfy = ssl->conf->p_vrfy;
- }
-
- const char *hostname = "";
- int ret = get_hostname_for_verification(ssl, &hostname);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
- return ret;
- }
-
- int have_ca_chain_or_callback = 0;
-#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
- if (ssl->conf->f_ca_cb != NULL) {
- ((void) rs_ctx);
- have_ca_chain_or_callback = 1;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
- ret = mbedtls_x509_crt_verify_with_ca_cb(
- chain,
- ssl->conf->f_ca_cb,
- ssl->conf->p_ca_cb,
- ssl->conf->cert_profile,
- hostname,
- &ssl->session_negotiate->verify_result,
- f_vrfy, p_vrfy);
- } else
-#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
- {
- mbedtls_x509_crt *ca_chain;
- mbedtls_x509_crl *ca_crl;
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if (ssl->handshake->sni_ca_chain != NULL) {
- ca_chain = ssl->handshake->sni_ca_chain;
- ca_crl = ssl->handshake->sni_ca_crl;
- } else
-#endif
- {
- ca_chain = ssl->conf->ca_chain;
- ca_crl = ssl->conf->ca_crl;
- }
-
- if (ca_chain != NULL) {
- have_ca_chain_or_callback = 1;
- }
-
- ret = mbedtls_x509_crt_verify_restartable(
- chain,
- ca_chain, ca_crl,
- ssl->conf->cert_profile,
- hostname,
- &ssl->session_negotiate->verify_result,
- f_vrfy, p_vrfy, rs_ctx);
- }
-
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
- }
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
- }
-#endif
-
- /*
- * Secondary checks: always done, but change 'ret' only if it was 0
- */
-
- /* With TLS 1.2 and ECC certs, check that the curve used by the
- * certificate is on our list of acceptable curves.
- *
- * With TLS 1.3 this is not needed because the curve is part of the
- * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
- * we validate the signature made with the key associated to this cert.
- */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
- mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
- if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
- ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
- if (ret == 0) {
- ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
-
- /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
- if (mbedtls_ssl_check_cert_usage(chain,
- ciphersuite_info,
- ssl->conf->endpoint,
- ssl->tls_version,
- &ssl->session_negotiate->verify_result) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
- if (ret == 0) {
- ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
- }
-
- /* With authmode optional, we want to keep going if the certificate was
- * unacceptable, but still fail on other errors (out of memory etc),
- * including fatal errors from the f_vrfy callback.
- *
- * The only acceptable errors are:
- * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
- * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
- * Anything else is a fatal error. */
- if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
- (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
- ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
- ret = 0;
- }
-
- /* Return a specific error as this is a user error: inconsistent
- * configuration - can't verify without trust anchors. */
- if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
- ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
- }
-
- if (ret != 0) {
- uint8_t alert;
-
- /* The certificate may have been rejected for several reasons.
- Pick one and send the corresponding alert. Which alert to send
- may be a subject of debate in some cases. */
- if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
- alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
- alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
- alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
- alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
- } else {
- alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
- }
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- alert);
- }
-
-#if defined(MBEDTLS_DEBUG_C)
- if (ssl->session_negotiate->verify_result != 0) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
- (unsigned int) ssl->session_negotiate->verify_result));
- } else {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
- }
-#endif /* MBEDTLS_DEBUG_C */
-
- return ret;
-}
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl,
- const mbedtls_md_type_t hash_alg,
- uint8_t *out,
- const size_t key_len,
- const char *label,
- const size_t label_len,
- const unsigned char *context,
- const size_t context_len,
- const int use_context)
-{
- int ret = 0;
- unsigned char *prf_input = NULL;
-
- /* The input to the PRF is client_random, then server_random.
- * If a context is provided, this is then followed by the context length
- * as a 16-bit big-endian integer, and then the context itself. */
- const size_t randbytes_len = MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN;
- size_t prf_input_len = randbytes_len;
- if (use_context) {
- if (context_len > UINT16_MAX) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- /* This does not overflow a 32-bit size_t because the current value of
- * prf_input_len is 64 (length of client_random + server_random) and
- * context_len fits into two bytes (checked above). */
- prf_input_len += sizeof(uint16_t) + context_len;
- }
-
- prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char));
- if (prf_input == NULL) {
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(prf_input,
- ssl->transform->randbytes + MBEDTLS_SERVER_HELLO_RANDOM_LEN,
- MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
- memcpy(prf_input + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
- ssl->transform->randbytes,
- MBEDTLS_SERVER_HELLO_RANDOM_LEN);
- if (use_context) {
- MBEDTLS_PUT_UINT16_BE(context_len, prf_input, randbytes_len);
- memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len);
- }
- ret = tls_prf_generic(hash_alg, ssl->session->master, sizeof(ssl->session->master),
- label, label_len,
- prf_input, prf_input_len,
- out, key_len);
- mbedtls_free(prf_input);
- return ret;
-}
-#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
- const mbedtls_md_type_t hash_alg,
- uint8_t *out,
- const size_t key_len,
- const char *label,
- const size_t label_len,
- const unsigned char *context,
- const size_t context_len)
-{
- const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg);
- const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
- const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
-
- /* The length of the label must be at most 249 bytes to fit into the HkdfLabel
- * struct as defined in RFC 8446, Section 7.1.
- *
- * The length of the context is unlimited even though the context field in the
- * struct can only hold up to 255 bytes. This is because we place a *hash* of
- * the context in the field. */
- if (label_len > 249) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len,
- (const unsigned char *) label, label_len,
- context, context_len, out, key_len);
-}
-#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */
-
-int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
- uint8_t *out, const size_t key_len,
- const char *label, const size_t label_len,
- const unsigned char *context, const size_t context_len,
- const int use_context)
-{
- if (!mbedtls_ssl_is_handshake_over(ssl)) {
- /* TODO: Change this to a more appropriate error code when one is available. */
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- if (key_len > MBEDTLS_SSL_EXPORT_MAX_KEY_LEN) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl);
- const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
- const mbedtls_md_type_t hash_alg = ciphersuite->mac;
-
- switch (mbedtls_ssl_get_version_number(ssl)) {
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- case MBEDTLS_SSL_VERSION_TLS1_2:
- return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len,
- label, label_len,
- context, context_len, use_context);
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- case MBEDTLS_SSL_VERSION_TLS1_3:
- return mbedtls_ssl_tls13_export_keying_material(ssl,
- hash_alg,
- out,
- key_len,
- label,
- label_len,
- use_context ? context : NULL,
- use_context ? context_len : 0);
-#endif
- default:
- return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
- }
-}
-
-#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
-
-#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/lib/mbedtls_ssl/src/ssl_tls12_client.c b/lib/mbedtls_ssl/src/ssl_tls12_client.c
deleted file mode 100644
index 65d6dbd1a..000000000
--- a/lib/mbedtls_ssl/src/ssl_tls12_client.c
+++ /dev/null
@@ -1,3603 +0,0 @@
-/*
- * TLS client-side functions
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#include "common.h"
-
-#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
-
-#include "mbedtls/platform.h"
-
-#include "mbedtls/ssl.h"
-#include "ssl_client.h"
-#include "ssl_misc.h"
-#include "debug_internal.h"
-#include "mbedtls/error.h"
-#include "mbedtls/constant_time.h"
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa_util_internal.h"
-#include "psa/crypto.h"
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
-/* Define a local translating function to save code size by not using too many
- * arguments in each translating place. */
-static int local_err_translation(psa_status_t status)
-{
- return psa_status_to_mbedtls(status, psa_to_ssl_errors,
- ARRAY_LENGTH(psa_to_ssl_errors),
- psa_generic_status_to_mbedtls);
-}
-#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#include
-
-#include
-
-#if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
-#endif
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-#include "mbedtls/platform_util.h"
-#endif
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
-
- *olen = 0;
-
- /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
- * initial ClientHello, in which case also adding the renegotiation
- * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
- if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding renegotiation extension"));
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
-
- /*
- * Secure renegotiation
- */
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
- p += 2;
-
- *p++ = 0x00;
- *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
- *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
-
- memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
-
- *olen = 5 + ssl->verify_data_len;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
- (void) ssl; /* ssl used for debugging only */
-
- *olen = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding supported_point_formats extension"));
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
- p += 2;
-
- *p++ = 0x00;
- *p++ = 2;
-
- *p++ = 1;
- *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
-
- *olen = 6;
-
- return 0;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = buf;
- size_t kkpp_len = 0;
-
- *olen = 0;
-
- /* Skip costly extension if we can't use EC J-PAKE anyway */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
- return 0;
- }
-#else
- if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
- return 0;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding ecjpake_kkpp extension"));
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
- p += 2;
-
- /*
- * We may need to send ClientHello multiple times for Hello verification.
- * We don't want to compute fresh values every time (both for performance
- * and consistency reasons), so cache the extension content.
- */
- if (ssl->handshake->ecjpake_cache == NULL ||
- ssl->handshake->ecjpake_cache_len == 0) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
- p + 2, end - p - 2, &kkpp_len,
- MBEDTLS_ECJPAKE_ROUND_ONE);
- if (ret != 0) {
- psa_destroy_key(ssl->handshake->psa_pake_password);
- psa_pake_abort(&ssl->handshake->psa_pake_ctx);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
- return ret;
- }
-#else
- ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
- p + 2, end - p - 2, &kkpp_len,
- ssl->conf->f_rng, ssl->conf->p_rng);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1,
- "mbedtls_ecjpake_write_round_one", ret);
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
- if (ssl->handshake->ecjpake_cache == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
- ssl->handshake->ecjpake_cache_len = kkpp_len;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
-
- kkpp_len = ssl->handshake->ecjpake_cache_len;
- MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
-
- memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
- }
-
- MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
- p += 2;
-
- *olen = kkpp_len + 4;
-
- return 0;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
- size_t ext_len;
-
- /*
- * struct {
- * opaque cid<0..2^8-1>;
- * } ConnectionId;
- */
-
- *olen = 0;
- if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
- ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
- return 0;
- }
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
-
- /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
- * which is at most 255, so the increment cannot overflow. */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
-
- /* Add extension ID + size */
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
- p += 2;
- ext_len = (size_t) ssl->own_cid_len + 1;
- MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
- p += 2;
-
- *p++ = (uint8_t) ssl->own_cid_len;
- memcpy(p, ssl->own_cid, ssl->own_cid_len);
-
- *olen = ssl->own_cid_len + 5;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
-
- *olen = 0;
-
- if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding max_fragment_length extension"));
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
- p += 2;
-
- *p++ = 0x00;
- *p++ = 1;
-
- *p++ = ssl->conf->mfl_code;
-
- *olen = 5;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
-
- *olen = 0;
-
- if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding encrypt_then_mac extension"));
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
- p += 2;
-
- *p++ = 0x00;
- *p++ = 0x00;
-
- *olen = 4;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
-
- *olen = 0;
-
- if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding extended_master_secret extension"));
-
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
- p += 2;
-
- *p++ = 0x00;
- *p++ = 0x00;
-
- *olen = 4;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
- size_t tlen = ssl->session_negotiate->ticket_len;
-
- *olen = 0;
-
- if (mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
- MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, adding session ticket extension"));
-
- /* The addition is safe here since the ticket length is 16 bit. */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
- p += 2;
-
- MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
- p += 2;
-
- *olen = 4;
-
- if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
-
- memcpy(p, ssl->session_negotiate->ticket, tlen);
-
- *olen += tlen;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- size_t *olen)
-{
- unsigned char *p = buf;
- size_t protection_profiles_index = 0, ext_len = 0;
- uint16_t mki_len = 0, profile_value = 0;
-
- *olen = 0;
-
- if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
- (ssl->conf->dtls_srtp_profile_list == NULL) ||
- (ssl->conf->dtls_srtp_profile_list_len == 0)) {
- return 0;
- }
-
- /* RFC 5764 section 4.1.1
- * uint8 SRTPProtectionProfile[2];
- *
- * struct {
- * SRTPProtectionProfiles SRTPProtectionProfiles;
- * opaque srtp_mki<0..255>;
- * } UseSRTPData;
- * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
- */
- if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
- mki_len = ssl->dtls_srtp_info.mki_len;
- }
- /* Extension length = 2 bytes for profiles length,
- * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
- * 1 byte for srtp_mki vector length and the mki_len value
- */
- ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
-
- /* Check there is room in the buffer for the extension + 4 bytes
- * - the extension tag (2 bytes)
- * - the extension length (2 bytes)
- */
- MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
-
- MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
- p += 2;
-
- MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
- p += 2;
-
- /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
- /* micro-optimization:
- * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
- * which is lower than 127, so the upper byte of the length is always 0
- * For the documentation, the more generic code is left in comments
- * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
- * >> 8 ) & 0xFF );
- */
- *p++ = 0;
- *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
-
- for (protection_profiles_index = 0;
- protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
- protection_profiles_index++) {
- profile_value = mbedtls_ssl_check_srtp_profile_value
- (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
- if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
- profile_value));
- MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
- p += 2;
- } else {
- /*
- * Note: we shall never arrive here as protection profiles
- * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
- */
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("client hello, "
- "illegal DTLS-SRTP protection profile %d",
- ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
- ));
- return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- }
- }
-
- *p++ = mki_len & 0xFF;
-
- if (mki_len != 0) {
- memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
- /*
- * Increment p to point to the current position.
- */
- p += mki_len;
- MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
- ssl->dtls_srtp_info.mki_len);
- }
-
- /*
- * total extension length: extension type (2 bytes)
- * + extension length (2 bytes)
- * + protection profile length (2 bytes)
- * + 2 * number of protection profiles
- * + srtp_mki vector length(1 byte)
- * + mki value
- */
- *olen = p - buf;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_DTLS_SRTP */
-
-int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
- unsigned char *buf,
- const unsigned char *end,
- int uses_ec,
- size_t *out_len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = buf;
- size_t ext_len = 0;
-
- (void) ssl;
- (void) end;
- (void) uses_ec;
- (void) ret;
- (void) ext_len;
-
- *out_len = 0;
-
- /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
- * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- if (uses_ec) {
- if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
- &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
- return ret;
- }
- p += ext_len;
- }
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
- &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
- if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
- return ret;
- }
- p += ext_len;
-#endif
-
- *out_len = (size_t) (p - buf);
-
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
- /* Check verify-data in constant-time. The length OTOH is no secret */
- if (len != 1 + ssl->verify_data_len * 2 ||
- buf[0] != ssl->verify_data_len * 2 ||
- mbedtls_ct_memcmp(buf + 1,
- ssl->own_verify_data, ssl->verify_data_len) != 0 ||
- mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
- ssl->peer_verify_data, ssl->verify_data_len) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
- } else
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
- {
- if (len != 1 || buf[0] != 0x00) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("non-zero length renegotiation info"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
- }
-
- return 0;
-}
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- /*
- * server should use the extension only if we did,
- * and if so the server's value should match ours (and len is always 1)
- */
- if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
- len != 1 ||
- buf[0] != ssl->conf->mfl_code) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("non-matching max fragment length extension"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- size_t peer_cid_len;
-
- if ( /* CID extension only makes sense in DTLS */
- ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
- /* The server must only send the CID extension if we have offered it. */
- ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
- return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
- }
-
- if (len == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- peer_cid_len = *buf++;
- len--;
-
- if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- if (len != peer_cid_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
- ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
- memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
- MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
- len != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("non-matching encrypt-then-MAC extension"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
- return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
- }
-
- ((void) buf);
-
- ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
- len != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("non-matching extended master secret extension"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
- return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
- }
-
- ((void) buf);
-
- ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- if ((mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
- MBEDTLS_SSL_SESSION_TICKETS_DISABLED) ||
- len != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("non-matching session ticket extension"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
- return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
- }
-
- ((void) buf);
-
- ssl->handshake->new_session_ticket = 1;
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- size_t list_size;
- const unsigned char *p;
-
- if (len == 0 || (size_t) (buf[0] + 1) != len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- list_size = buf[0];
-
- p = buf + 1;
- while (list_size > 0) {
- if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
- p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
-#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
- ssl->handshake->ecdh_ctx.point_format = p[0];
-#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
-#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
- p[0]);
-#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
- MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
- return 0;
- }
-
- list_size--;
- p++;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if (ssl->handshake->ciphersuite_info->key_exchange !=
- MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
- return 0;
- }
-
- /* If we got here, we no longer need our cached extension */
- mbedtls_free(ssl->handshake->ecjpake_cache);
- ssl->handshake->ecjpake_cache = NULL;
- ssl->handshake->ecjpake_cache_len = 0;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if ((ret = mbedtls_psa_ecjpake_read_round(
- &ssl->handshake->psa_pake_ctx, buf, len,
- MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
- psa_destroy_key(ssl->handshake->psa_pake_password);
- psa_pake_abort(&ssl->handshake->psa_pake_ctx);
-
- MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return ret;
- }
-
- return 0;
-#else
- if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
- buf, len)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return ret;
- }
-
- return 0;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_SSL_ALPN)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
-{
- size_t list_len, name_len;
- const char **p;
-
- /* If we didn't send it, the server shouldn't send it */
- if (ssl->conf->alpn_list == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
- return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
- }
-
- /*
- * opaque ProtocolName<1..2^8-1>;
- *
- * struct {
- * ProtocolName protocol_name_list<2..2^16-1>
- * } ProtocolNameList;
- *
- * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
- */
-
- /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
- if (len < 4) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- list_len = MBEDTLS_GET_UINT16_BE(buf, 0);
- if (list_len != len - 2) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- name_len = buf[2];
- if (name_len != list_len - 1) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* Check that the server chosen protocol was in our list and save it */
- for (p = ssl->conf->alpn_list; *p != NULL; p++) {
- if (name_len == strlen(*p) &&
- memcmp(buf + 3, *p, name_len) == 0) {
- ssl->alpn_chosen = *p;
- return 0;
- }
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
-}
-#endif /* MBEDTLS_SSL_ALPN */
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len)
-{
- mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
- size_t i, mki_len = 0;
- uint16_t server_protection_profile_value = 0;
-
- /* If use_srtp is not configured, just ignore the extension */
- if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
- (ssl->conf->dtls_srtp_profile_list == NULL) ||
- (ssl->conf->dtls_srtp_profile_list_len == 0)) {
- return 0;
- }
-
- /* RFC 5764 section 4.1.1
- * uint8 SRTPProtectionProfile[2];
- *
- * struct {
- * SRTPProtectionProfiles SRTPProtectionProfiles;
- * opaque srtp_mki<0..255>;
- * } UseSRTPData;
-
- * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
- *
- */
- if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
- mki_len = ssl->dtls_srtp_info.mki_len;
- }
-
- /*
- * Length is 5 + optional mki_value : one protection profile length (2 bytes)
- * + protection profile (2 bytes)
- * + mki_len(1 byte)
- * and optional srtp_mki
- */
- if ((len < 5) || (len != (buf[4] + 5u))) {
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /*
- * get the server protection profile
- */
-
- /*
- * protection profile length must be 0x0002 as we must have only
- * one protection profile in server Hello
- */
- if ((buf[0] != 0) || (buf[1] != 2)) {
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- server_protection_profile_value = (buf[2] << 8) | buf[3];
- server_protection = mbedtls_ssl_check_srtp_profile_value(
- server_protection_profile_value);
- if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
- mbedtls_ssl_get_srtp_profile_as_string(
- server_protection)));
- }
-
- ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
-
- /*
- * Check we have the server profile in our list
- */
- for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
- if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
- ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
- MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
- mbedtls_ssl_get_srtp_profile_as_string(
- server_protection)));
- break;
- }
- }
-
- /* If no match was found : server problem, it shall never answer with incompatible profile */
- if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- /* If server does not use mki in its reply, make sure the client won't keep
- * one as negotiated */
- if (len == 5) {
- ssl->dtls_srtp_info.mki_len = 0;
- }
-
- /*
- * RFC5764:
- * If the client detects a nonzero-length MKI in the server's response
- * that is different than the one the client offered, then the client
- * MUST abort the handshake and SHOULD send an invalid_parameter alert.
- */
- if (len > 5 && (buf[4] != mki_len ||
- (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-#if defined(MBEDTLS_DEBUG_C)
- if (len > 5) {
- MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
- ssl->dtls_srtp_info.mki_len);
- }
-#endif
- return 0;
-}
-#endif /* MBEDTLS_SSL_DTLS_SRTP */
-
-/*
- * Parse HelloVerifyRequest. Only called after verifying the HS type.
- */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
- uint16_t dtls_legacy_version;
-
-#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
- uint8_t cookie_len;
-#else
- uint16_t cookie_len;
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
-
- /* Check that there is enough room for:
- * - 2 bytes of version
- * - 1 byte of cookie_len
- */
- if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("incoming HelloVerifyRequest message is too short"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /*
- * struct {
- * ProtocolVersion server_version;
- * opaque cookie<0..2^8-1>;
- * } HelloVerifyRequest;
- */
- MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
- dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- /*
- * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
- * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
- * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
- */
- if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
-
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
-
- return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
- }
-
- cookie_len = *p++;
- if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("cookie length does not match incoming message size"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
-
- mbedtls_free(ssl->handshake->cookie);
-
- ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
- if (ssl->handshake->cookie == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(ssl->handshake->cookie, p, cookie_len);
- ssl->handshake->cookie_len = cookie_len;
-
- /* Start over at ClientHello */
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
- ret = mbedtls_ssl_reset_checksum(ssl);
- if (0 != ret) {
- MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
- return ret;
- }
-
- mbedtls_ssl_recv_flight_completed(ssl);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
-{
- int ret, i;
- size_t n;
- size_t ext_len;
- unsigned char *buf, *ext;
- unsigned char comp;
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- int renegotiation_info_seen = 0;
-#endif
- int handshake_failure = 0;
- const mbedtls_ssl_ciphersuite_t *suite_info;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- /* No alert on a read error. */
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- buf = ssl->in_msg;
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
- ssl->renego_records_seen++;
-
- if (ssl->conf->renego_max_records >= 0 &&
- ssl->renego_records_seen > ssl->conf->renego_max_records) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("renegotiation requested, but not honored by server"));
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("non-handshake message during renegotiation"));
-
- ssl->keep_current_message = 1;
- return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
- }
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
- return ssl_parse_hello_verify_request(ssl);
- } else {
- /* We made it through the verification process */
- mbedtls_free(ssl->handshake->cookie);
- ssl->handshake->cookie = NULL;
- ssl->handshake->cookie_len = 0;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
- if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
- buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /*
- * 0 . 1 server_version
- * 2 . 33 random (maybe including 4 bytes of Unix time)
- * 34 . 34 session_id length = n
- * 35 . 34+n session_id
- * 35+n . 36+n cipher_suite
- * 37+n . 37+n compression_method
- *
- * 38+n . 39+n extensions length (optional)
- * 40+n . .. extensions
- */
- buf += mbedtls_ssl_hs_hdr_len(ssl);
-
- MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
- ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
- ssl->conf->transport);
- ssl->session_negotiate->tls_version = ssl->tls_version;
- ssl->session_negotiate->endpoint = ssl->conf->endpoint;
-
- if (ssl->tls_version < ssl->conf->min_tls_version ||
- ssl->tls_version > ssl->conf->max_tls_version) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- (
- "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
- (unsigned) ssl->conf->min_tls_version,
- (unsigned) ssl->tls_version,
- (unsigned) ssl->conf->max_tls_version));
-
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
-
- return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
- ((unsigned long) buf[2] << 24) |
- ((unsigned long) buf[3] << 16) |
- ((unsigned long) buf[4] << 8) |
- ((unsigned long) buf[5])));
-
- memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
-
- n = buf[34];
-
- MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
-
- if (n > 32) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
- ext_len = MBEDTLS_GET_UINT16_BE(buf, 38 + n);
-
- if ((ext_len > 0 && ext_len < 4) ||
- ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
- ext_len = 0;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* ciphersuite (used later) */
- i = (int) MBEDTLS_GET_UINT16_BE(buf, n + 35);
-
- /*
- * Read and check compression
- */
- comp = buf[37 + n];
-
- if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("server hello, bad compression: %d", comp));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- /*
- * Initialize update checksum functions
- */
- ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
- if (ssl->handshake->ciphersuite_info == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("ciphersuite info for %04x not found", (unsigned int) i));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
- MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
-
- /*
- * Check if the session can be resumed
- */
- if (ssl->handshake->resume == 0 || n == 0 ||
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
-#endif
- ssl->session_negotiate->ciphersuite != i ||
- ssl->session_negotiate->id_len != n ||
- memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
- mbedtls_ssl_handshake_increment_state(ssl);
- ssl->handshake->resume = 0;
-#if defined(MBEDTLS_HAVE_TIME)
- ssl->session_negotiate->start = mbedtls_time(NULL);
-#endif
- ssl->session_negotiate->ciphersuite = i;
- ssl->session_negotiate->id_len = n;
- memcpy(ssl->session_negotiate->id, buf + 35, n);
- } else {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
- ssl->handshake->resume ? "a" : "no"));
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
- MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
- buf[37 + n]));
-
- /*
- * Perform cipher suite validation in same way as in ssl_write_client_hello.
- */
- i = 0;
- while (1) {
- if (ssl->conf->ciphersuite_list[i] == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- if (ssl->conf->ciphersuite_list[i++] ==
- ssl->session_negotiate->ciphersuite) {
- break;
- }
- }
-
- suite_info = mbedtls_ssl_ciphersuite_from_id(
- ssl->session_negotiate->ciphersuite);
- if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
- ssl->tls_version) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("server hello, chosen ciphersuite: %s", suite_info->name));
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
- ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
- ssl->handshake->ecrs_enabled = 1;
- }
-#endif
-
- if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- ext = buf + 40 + n;
-
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
- ext_len));
-
- while (ext_len) {
- unsigned int ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
- unsigned int ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
-
- if (ext_size + 4 > ext_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- mbedtls_ssl_send_alert_message(
- ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- switch (ext_id) {
- case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
- MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- renegotiation_info_seen = 1;
-#endif
-
- if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
- ext_size)) != 0) {
- return ret;
- }
-
- break;
-
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("found max_fragment_length extension"));
-
- if ((ret = ssl_parse_max_fragment_length_ext(ssl,
- ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- case MBEDTLS_TLS_EXT_CID:
- MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
-
- if ((ret = ssl_parse_cid_ext(ssl,
- ext + 4,
- ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
- MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
-
- if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
- ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("found extended_master_secret extension"));
-
- if ((ret = ssl_parse_extended_ms_ext(ssl,
- ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- case MBEDTLS_TLS_EXT_SESSION_TICKET:
- MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
-
- if ((ret = ssl_parse_session_ticket_ext(ssl,
- ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("found supported_point_formats extension"));
-
- if ((ret = ssl_parse_supported_point_formats_ext(ssl,
- ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
- MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
-
- if ((ret = ssl_parse_ecjpake_kkpp(ssl,
- ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_SSL_ALPN)
- case MBEDTLS_TLS_EXT_ALPN:
- MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
-
- if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_SSL_ALPN */
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
- case MBEDTLS_TLS_EXT_USE_SRTP:
- MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
-
- if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
- return ret;
- }
-
- break;
-#endif /* MBEDTLS_SSL_DTLS_SRTP */
-
- default:
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("unknown extension found: %u (ignoring)", ext_id));
- }
-
- ext_len -= 4 + ext_size;
- ext += 4 + ext_size;
-
- if (ext_len > 0 && ext_len < 4) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- }
-
- /*
- * mbedtls_ssl_derive_keys() has to be called after the parsing of the
- * extensions. It sets the transform data for the resumed session which in
- * case of DTLS includes the server CID extracted from the CID extension.
- */
- if (ssl->handshake->resume) {
- if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
- return ret;
- }
- }
-
- /*
- * Renegotiation security checks
- */
- if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation ==
- MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("legacy renegotiation, breaking off handshake"));
- handshake_failure = 1;
- }
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
- ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
- renegotiation_info_seen == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("renegotiation_info extension missing (secure)"));
- handshake_failure = 1;
- } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
- ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation ==
- MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
- handshake_failure = 1;
- } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
- ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- renegotiation_info_seen == 1) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("renegotiation_info extension present (legacy)"));
- handshake_failure = 1;
- }
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
- if (handshake_failure == 1) {
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
-
- return 0;
-}
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
- unsigned char **p,
- unsigned char *end)
-{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- size_t dhm_actual_bitlen;
-
- /*
- * Ephemeral DH parameters:
- *
- * struct {
- * opaque dh_p<1..2^16-1>;
- * opaque dh_g<1..2^16-1>;
- * opaque dh_Ys<1..2^16-1>;
- * } ServerDHParams;
- */
- if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
- p, end)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
- return ret;
- }
-
- dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
- if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
- dhm_actual_bitlen,
- ssl->conf->dhm_min_bitlen));
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
-
- return ret;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
- unsigned char **p,
- unsigned char *end)
-{
- uint16_t tls_id;
- size_t ecpoint_len;
- mbedtls_ssl_handshake_params *handshake = ssl->handshake;
- psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
- size_t ec_bits = 0;
-
- /*
- * struct {
- * ECParameters curve_params;
- * ECPoint public;
- * } ServerECDHParams;
- *
- * 1 curve_type (must be "named_curve")
- * 2..3 NamedCurve
- * 4 ECPoint.len
- * 5+ ECPoint contents
- */
- if (end - *p < 4) {
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* First byte is curve_type; only named_curve is handled */
- if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- /* Next two bytes are the namedcurve value */
- tls_id = MBEDTLS_GET_UINT16_BE(*p, 0);
- *p += 2;
-
- /* Check it's a curve we offered */
- if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(2,
- ("bad server key exchange message (ECDHE curve): %u",
- (unsigned) tls_id));
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- /* Convert EC's TLS ID to PSA key type. */
- if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
- &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
- handshake->xxdh_psa_type = key_type;
- handshake->xxdh_psa_bits = ec_bits;
-
- /* Keep a copy of the peer's public key */
- ecpoint_len = *(*p)++;
- if ((size_t) (end - *p) < ecpoint_len) {
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
- handshake->xxdh_psa_peerkey_len = ecpoint_len;
- *p += ecpoint_len;
-
- return 0;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-#else
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
-{
- uint16_t tls_id;
- mbedtls_ecp_group_id grp_id;
-#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
- grp_id = ssl->handshake->ecdh_ctx.grp.id;
-#else
- grp_id = ssl->handshake->ecdh_ctx.grp_id;
-#endif
-
- tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
- if (tls_id == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
- mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
-
- if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
- return -1;
- }
-
- MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
- MBEDTLS_DEBUG_ECDH_QP);
-
- return 0;
-}
-
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
- unsigned char **p,
- unsigned char *end)
-{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
-
- /*
- * Ephemeral ECDH parameters:
- *
- * struct {
- * ECParameters curve_params;
- * ECPoint public;
- * } ServerECDHParams;
- */
- if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
- (const unsigned char **) p, end)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
- }
-#endif
- return ret;
- }
-
- if (ssl_check_server_ecdh_params(ssl) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("bad server key exchange message (ECDHE curve)"));
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- return ret;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
- unsigned char **p,
- unsigned char *end)
-{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- uint16_t len;
- ((void) ssl);
-
- /*
- * PSK parameters:
- *
- * opaque psk_identity_hint<0..2^16-1>;
- */
- if (end - (*p) < 2) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("bad server key exchange message (psk_identity_hint length)"));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- len = MBEDTLS_GET_UINT16_BE(*p, 0);
- *p += 2;
-
- if (end - (*p) < len) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("bad server key exchange message (psk_identity_hint length)"));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /*
- * Note: we currently ignore the PSK identity hint, as we only allow one
- * PSK to be provisioned on the client. This could be changed later if
- * someone needs that feature.
- */
- *p += len;
- ret = 0;
-
- return ret;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-/*
- * Generate a pre-master secret and encrypt it with the server's RSA key
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
- size_t offset, size_t *olen,
- size_t pms_offset)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len_bytes = 2;
- unsigned char *p = ssl->handshake->premaster + pms_offset;
- mbedtls_pk_context *peer_pk;
-
- if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- /*
- * Generate (part of) the pre-master as
- * struct {
- * ProtocolVersion client_version;
- * opaque random[46];
- * } PreMasterSecret;
- */
- mbedtls_ssl_write_version(p, ssl->conf->transport,
- MBEDTLS_SSL_VERSION_TLS1_2);
-
- if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
- return ret;
- }
-
- ssl->handshake->pmslen = 48;
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- peer_pk = &ssl->handshake->peer_pubkey;
-#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if (ssl->session_negotiate->peer_cert == NULL) {
- /* Should never happen */
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- peer_pk = &ssl->session_negotiate->peer_cert->pk;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
- /*
- * Now write it out, encrypted
- */
- if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
- return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
- }
-
- if ((ret = mbedtls_pk_encrypt(peer_pk,
- p, ssl->handshake->pmslen,
- ssl->out_msg + offset + len_bytes, olen,
- MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
- ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_encrypt", ret);
- return ret;
- }
-
- if (len_bytes == 2) {
- MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
- *olen += 2;
- }
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- /* We don't need the peer's public key anymore. Free it. */
- mbedtls_pk_free(peer_pk);
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- return 0;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_pk_context *peer_pk;
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- peer_pk = &ssl->handshake->peer_pubkey;
-#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if (ssl->session_negotiate->peer_cert == NULL) {
- /* Should never happen */
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- peer_pk = &ssl->session_negotiate->peer_cert->pk;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
- /* This is a public key, so it can't be opaque, so can_do() is a good
- * enough check to ensure pk_ec() is safe to use below. */
- if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
- return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
- }
-
-#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
-#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- uint16_t tls_id = 0;
- psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
- mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
-
- if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
- return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
-
- tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
- if (tls_id == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not supported",
- grp_id));
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- /* If the above conversion to TLS ID was fine, then also this one will be,
- so there is no need to check the return value here */
- mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
- &ssl->handshake->xxdh_psa_bits);
-
- ssl->handshake->xxdh_psa_type = key_type;
-
- /* Store peer's public key in psa format. */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
- ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
- ret = 0;
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- size_t olen = 0;
- ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
- ssl->handshake->xxdh_psa_peerkey,
- sizeof(ssl->handshake->xxdh_psa_peerkey));
-
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
- return ret;
- }
- ssl->handshake->xxdh_psa_peerkey_len = olen;
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
-#else /* MBEDTLS_USE_PSA_CRYPTO */
- if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
- MBEDTLS_ECDH_THEIRS)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
- return ret;
- }
-
- if (ssl_check_server_ecdh_params(ssl) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
- return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- /* We don't need the peer's public key anymore. Free it,
- * so that more RAM is available for upcoming expensive
- * operations like ECDHE. */
- mbedtls_pk_free(peer_pk);
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
- return ret;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
- unsigned char *p = NULL, *end = NULL;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
- ((void) p);
- ((void) end);
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
- if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
- ((void) p);
- ((void) end);
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled &&
- ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
- goto start_processing;
- }
-#endif
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- /*
- * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
- * doesn't use a psk_identity_hint
- */
- if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
- /* Current message is probably either
- * CertificateRequest or ServerHelloDone */
- ssl->keep_current_message = 1;
- goto exit;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("server key exchange message must not be skipped"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
-
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled) {
- ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
- }
-
-start_processing:
-#endif
- p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
- end = ssl->in_msg + ssl->in_hslen;
- MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, (size_t) (end - p));
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
- if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- } /* FALLTHROUGH */
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
- ; /* nothing more to do */
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
- if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
- if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /*
- * The first 3 bytes are:
- * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
- * [1, 2] elliptic curve's TLS ID
- *
- * However since we only support secp256r1 for now, we check only
- * that TLS ID here
- */
- uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
- uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
- MBEDTLS_ECP_DP_SECP256R1);
-
- if (exp_tls_id == 0) {
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- }
-
- if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
- (read_tls_id != exp_tls_id)) {
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- p += 3;
-
- if ((ret = mbedtls_psa_ecjpake_read_round(
- &ssl->handshake->psa_pake_ctx, p, end - p,
- MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
- psa_destroy_key(ssl->handshake->psa_pake_password);
- psa_pake_abort(&ssl->handshake->psa_pake_ctx);
-
- MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-#else
- ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
- p, end - p);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
- if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
- size_t sig_len, hashlen;
- unsigned char hash[MBEDTLS_MD_MAX_SIZE];
-
- mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
- mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
- unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
- size_t params_len = (size_t) (p - params);
- void *rs_ctx = NULL;
- uint16_t sig_alg;
-
- mbedtls_pk_context *peer_pk;
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- peer_pk = &ssl->handshake->peer_pubkey;
-#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if (ssl->session_negotiate->peer_cert == NULL) {
- /* Should never happen */
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- peer_pk = &ssl->session_negotiate->peer_cert->pk;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
- /*
- * Handle the digitally-signed structure
- */
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
- sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
- if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
- sig_alg, &pk_alg, &md_alg) != 0 &&
- !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
- !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
- p += 2;
-
- if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- /*
- * Read signature
- */
-
- if (p > end - 2) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- sig_len = MBEDTLS_GET_UINT16_BE(p, 0);
- p += 2;
-
- if (p != end - sig_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
-
- /*
- * Compute the hash that has been signed
- */
- if (md_alg != MBEDTLS_MD_NONE) {
- ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
- params, params_len,
- md_alg);
- if (ret != 0) {
- return ret;
- }
- } else {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
-
- /*
- * Verify signature
- */
- if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
- return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
- }
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled) {
- rs_ctx = &ssl->handshake->ecrs_ctx.pk;
- }
-#endif
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- mbedtls_pk_rsassa_pss_options rsassa_pss_options;
- rsassa_pss_options.mgf1_hash_id = md_alg;
- rsassa_pss_options.expected_salt_len =
- mbedtls_md_get_size_from_type(md_alg);
- if (rsassa_pss_options.expected_salt_len == 0) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
- peer_pk,
- md_alg, hash, hashlen,
- p, sig_len);
- } else
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
- ret = mbedtls_pk_verify_restartable(peer_pk,
- md_alg, hash, hashlen, p, sig_len, rs_ctx);
-
- if (ret != 0) {
- int send_alert_msg = 1;
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
-#endif
- if (send_alert_msg) {
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
- }
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
- }
-#endif
- return ret;
- }
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- /* We don't need the peer's public key anymore. Free it,
- * so that more RAM is available for upcoming expensive
- * operations like ECDHE. */
- mbedtls_pk_free(peer_pk);
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- }
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
-
-exit:
- mbedtls_ssl_handshake_increment_state(ssl);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
-
- return 0;
-}
-
-#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
-{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
-
- if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-}
-#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *buf;
- size_t n = 0;
- size_t cert_type_len = 0, dn_len = 0;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
- size_t sig_alg_len;
-#if defined(MBEDTLS_DEBUG_C)
- unsigned char *sig_alg;
- unsigned char *dn;
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
-
- if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- mbedtls_ssl_handshake_increment_state(ssl);
- ssl->handshake->client_auth =
- (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
- ssl->handshake->client_auth ? "a" : "no"));
-
- if (ssl->handshake->client_auth == 0) {
- /* Current message is probably the ServerHelloDone */
- ssl->keep_current_message = 1;
- goto exit;
- }
-
- /*
- * struct {
- * ClientCertificateType certificate_types<1..2^8-1>;
- * SignatureAndHashAlgorithm
- * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
- * DistinguishedName certificate_authorities<0..2^16-1>;
- * } CertificateRequest;
- *
- * Since we only support a single certificate on clients, let's just
- * ignore all the information that's supposed to help us pick a
- * certificate.
- *
- * We could check that our certificate matches the request, and bail out
- * if it doesn't, but it's simpler to just send the certificate anyway,
- * and give the server the opportunity to decide if it should terminate
- * the connection when it doesn't like our certificate.
- *
- * Same goes for the hash in TLS 1.2's signature_algorithms: at this
- * point we only have one hash available (see comments in
- * write_certificate_verify), so let's just use what we have.
- *
- * However, we still minimally parse the message to check it is at least
- * superficially sane.
- */
- buf = ssl->in_msg;
-
- /* certificate_types */
- if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
- n = cert_type_len;
-
- /*
- * In the subsequent code there are two paths that read from buf:
- * * the length of the signature algorithms field (if minor version of
- * SSL is 3),
- * * distinguished name length otherwise.
- * Both reach at most the index:
- * ...hdr_len + 2 + n,
- * therefore the buffer length at this point must be greater than that
- * regardless of the actual code path.
- */
- if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* supported_signature_algorithms */
- sig_alg_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
-
- /*
- * The furthest access in buf is in the loop few lines below:
- * sig_alg[i + 1],
- * where:
- * sig_alg = buf + ...hdr_len + 3 + n,
- * max(i) = sig_alg_len - 1.
- * Therefore the furthest access is:
- * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
- * which reduces to:
- * buf[...hdr_len + 3 + n + sig_alg_len],
- * which is one less than we need the buf to be.
- */
- if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
-#if defined(MBEDTLS_DEBUG_C)
- sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
- for (size_t i = 0; i < sig_alg_len; i += 2) {
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("Supported Signature Algorithm found: %02x %02x",
- sig_alg[i], sig_alg[i + 1]));
- }
-#endif
-
- n += 2 + sig_alg_len;
-
- /* certificate_authorities */
- dn_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
-
- n += dn_len;
- if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
-#if defined(MBEDTLS_DEBUG_C)
- dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
- for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
- unsigned char *p = dn + i + 2;
- mbedtls_x509_name name;
- size_t asn1_len;
- char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
- memset(&name, 0, sizeof(name));
- dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
- if (dni_len > dn_len - i - 2 ||
- mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
- mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- MBEDTLS_SSL_DEBUG_MSG(3,
- ("DN hint: %.*s",
- mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
- mbedtls_asn1_free_named_data_list_shallow(name.next);
- }
-#endif
-
-exit:
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
-
- return 0;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
- ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- mbedtls_ssl_handshake_increment_state(ssl);
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- mbedtls_ssl_recv_flight_completed(ssl);
- }
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
-
- return 0;
-}
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- size_t header_len;
- size_t content_len;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
- /*
- * DHM key exchange -- send G^X mod P
- */
- content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
-
- MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
- header_len = 6;
-
- ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
- (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
- &ssl->out_msg[header_len], content_len,
- ssl->conf->f_rng, ssl->conf->p_rng);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
-
- if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
- ssl->handshake->premaster,
- MBEDTLS_PREMASTER_SIZE,
- &ssl->handshake->pmslen,
- ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t key_attributes;
-
- mbedtls_ssl_handshake_params *handshake = ssl->handshake;
-
- header_len = 4;
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
-
- /*
- * Generate EC private key for ECDHE exchange.
- */
-
- /* The master secret is obtained from the shared ECDH secret by
- * applying the TLS 1.2 PRF with a specific salt and label. While
- * the PSA Crypto API encourages combining key agreement schemes
- * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
- * yet support the provisioning of salt + label to the KDF.
- * For the time being, we therefore need to split the computation
- * of the ECDH secret and the application of the TLS 1.2 PRF. */
- key_attributes = psa_key_attributes_init();
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
- psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
- psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
-
- /* Generate ECDH private key. */
- status = psa_generate_key(&key_attributes,
- &handshake->xxdh_psa_privkey);
- if (status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- /* Export the public part of the ECDH private key from PSA.
- * The export format is an ECPoint structure as expected by TLS,
- * but we just need to add a length byte before that. */
- unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
- unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
- size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
- size_t own_pubkey_len;
-
- status = psa_export_public_key(handshake->xxdh_psa_privkey,
- own_pubkey, own_pubkey_max_len,
- &own_pubkey_len);
- if (status != PSA_SUCCESS) {
- psa_destroy_key(handshake->xxdh_psa_privkey);
- handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-
- ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
- content_len = own_pubkey_len + 1;
-
- /* The ECDH secret is the premaster secret used for key derivation. */
-
- /* Compute ECDH shared secret. */
- status = psa_raw_key_agreement(PSA_ALG_ECDH,
- handshake->xxdh_psa_privkey,
- handshake->xxdh_psa_peerkey,
- handshake->xxdh_psa_peerkey_len,
- ssl->handshake->premaster,
- sizeof(ssl->handshake->premaster),
- &ssl->handshake->pmslen);
-
- destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
- handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
-
- if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- }
-#else
- /*
- * ECDH key exchange -- send client public value
- */
- header_len = 4;
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled) {
- if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
- goto ecdh_calc_secret;
- }
-
- mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
- }
-#endif
-
- ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
- &content_len,
- &ssl->out_msg[header_len], 1000,
- ssl->conf->f_rng, ssl->conf->p_rng);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
- }
-#endif
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
- MBEDTLS_DEBUG_ECDH_Q);
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled) {
- ssl->handshake->ecrs_n = content_len;
- ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
- }
-
-ecdh_calc_secret:
- if (ssl->handshake->ecrs_enabled) {
- content_len = ssl->handshake->ecrs_n;
- }
-#endif
- if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
- &ssl->handshake->pmslen,
- ssl->handshake->premaster,
- MBEDTLS_MPI_MAX_SIZE,
- ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
- }
-#endif
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
- MBEDTLS_DEBUG_ECDH_Z);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t key_attributes;
-
- mbedtls_ssl_handshake_params *handshake = ssl->handshake;
-
- /*
- * opaque psk_identity<0..2^16-1>;
- */
- if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
- /* We don't offer PSK suites if we don't have a PSK,
- * and we check that the server's choice is among the
- * ciphersuites we offered, so this should never happen. */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- /* uint16 to store content length */
- const size_t content_len_size = 2;
-
- header_len = 4;
-
- if (header_len + content_len_size + ssl->conf->psk_identity_len
- > MBEDTLS_SSL_OUT_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("psk identity too long or SSL buffer too short"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- unsigned char *p = ssl->out_msg + header_len;
-
- *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
- *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
- header_len += content_len_size;
-
- memcpy(p, ssl->conf->psk_identity,
- ssl->conf->psk_identity_len);
- p += ssl->conf->psk_identity_len;
-
- header_len += ssl->conf->psk_identity_len;
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
-
- /*
- * Generate EC private key for ECDHE exchange.
- */
-
- /* The master secret is obtained from the shared ECDH secret by
- * applying the TLS 1.2 PRF with a specific salt and label. While
- * the PSA Crypto API encourages combining key agreement schemes
- * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
- * yet support the provisioning of salt + label to the KDF.
- * For the time being, we therefore need to split the computation
- * of the ECDH secret and the application of the TLS 1.2 PRF. */
- key_attributes = psa_key_attributes_init();
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
- psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
- psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
-
- /* Generate ECDH private key. */
- status = psa_generate_key(&key_attributes,
- &handshake->xxdh_psa_privkey);
- if (status != PSA_SUCCESS) {
- return PSA_TO_MBEDTLS_ERR(status);
- }
-
- /* Export the public part of the ECDH private key from PSA.
- * The export format is an ECPoint structure as expected by TLS,
- * but we just need to add a length byte before that. */
- unsigned char *own_pubkey = p + 1;
- unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
- size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
- size_t own_pubkey_len = 0;
-
- status = psa_export_public_key(handshake->xxdh_psa_privkey,
- own_pubkey, own_pubkey_max_len,
- &own_pubkey_len);
- if (status != PSA_SUCCESS) {
- psa_destroy_key(handshake->xxdh_psa_privkey);
- handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
- return PSA_TO_MBEDTLS_ERR(status);
- }
-
- *p = (unsigned char) own_pubkey_len;
- content_len = own_pubkey_len + 1;
-
- /* As RFC 5489 section 2, the premaster secret is formed as follows:
- * - a uint16 containing the length (in octets) of the ECDH computation
- * - the octet string produced by the ECDH computation
- * - a uint16 containing the length (in octets) of the PSK
- * - the PSK itself
- */
- unsigned char *pms = ssl->handshake->premaster;
- const unsigned char * const pms_end = pms +
- sizeof(ssl->handshake->premaster);
- /* uint16 to store length (in octets) of the ECDH computation */
- const size_t zlen_size = 2;
- size_t zlen = 0;
-
- /* Perform ECDH computation after the uint16 reserved for the length */
- status = psa_raw_key_agreement(PSA_ALG_ECDH,
- handshake->xxdh_psa_privkey,
- handshake->xxdh_psa_peerkey,
- handshake->xxdh_psa_peerkey_len,
- pms + zlen_size,
- pms_end - (pms + zlen_size),
- &zlen);
-
- destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
- handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
-
- if (status != PSA_SUCCESS) {
- return PSA_TO_MBEDTLS_ERR(status);
- } else if (destruction_status != PSA_SUCCESS) {
- return PSA_TO_MBEDTLS_ERR(destruction_status);
- }
-
- /* Write the ECDH computation length before the ECDH computation */
- MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
- pms += zlen_size + zlen;
- } else
-#endif /* MBEDTLS_USE_PSA_CRYPTO &&
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
- if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
- /*
- * opaque psk_identity<0..2^16-1>;
- */
- if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
- /* We don't offer PSK suites if we don't have a PSK,
- * and we check that the server's choice is among the
- * ciphersuites we offered, so this should never happen. */
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- header_len = 4;
- content_len = ssl->conf->psk_identity_len;
-
- if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("psk identity too long or SSL buffer too short"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
- ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
-
- memcpy(ssl->out_msg + header_len,
- ssl->conf->psk_identity,
- ssl->conf->psk_identity_len);
- header_len += ssl->conf->psk_identity_len;
-
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
- content_len = 0;
- } else
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
- if ((ret = ssl_write_encrypted_pms(ssl, header_len,
- &content_len, 2)) != 0) {
- return ret;
- }
- } else
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
- /*
- * ClientDiffieHellmanPublic public (DHM send G^X mod P)
- */
- content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
-
- if (header_len + 2 + content_len >
- MBEDTLS_SSL_OUT_CONTENT_LEN) {
- MBEDTLS_SSL_DEBUG_MSG(1,
- ("psk identity or DHM size too long or SSL buffer too short"));
- return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
- }
-
- ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
- ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
-
- ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
- (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
- &ssl->out_msg[header_len], content_len,
- ssl->conf->f_rng, ssl->conf->p_rng);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
- return ret;
- }
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- unsigned char *pms = ssl->handshake->premaster;
- unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
- size_t pms_len;
-
- /* Write length only when we know the actual value */
- if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
- pms + 2, pms_end - (pms + 2), &pms_len,
- ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
- return ret;
- }
- MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
- pms += 2 + pms_len;
-
- MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
-#endif
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
- /*
- * ClientECDiffieHellmanPublic public;
- */
- ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
- &content_len,
- &ssl->out_msg[header_len],
- MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
- ssl->conf->f_rng, ssl->conf->p_rng);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
- MBEDTLS_DEBUG_ECDH_Q);
- } else
-#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
- {
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
- if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
- (mbedtls_key_exchange_type_t) ciphersuite_info->
- key_exchange)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1,
- "mbedtls_ssl_psk_derive_premaster", ret);
- return ret;
- }
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
- header_len = 4;
- if ((ret = ssl_write_encrypted_pms(ssl, header_len,
- &content_len, 0)) != 0) {
- return ret;
- }
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
- header_len = 4;
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- unsigned char *out_p = ssl->out_msg + header_len;
- unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
- header_len;
- ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
- out_p, end_p - out_p, &content_len,
- MBEDTLS_ECJPAKE_ROUND_TWO);
- if (ret != 0) {
- psa_destroy_key(ssl->handshake->psa_pake_password);
- psa_pake_abort(&ssl->handshake->psa_pake_ctx);
- MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
- return ret;
- }
-#else
- ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
- ssl->out_msg + header_len,
- MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
- &content_len,
- ssl->conf->f_rng, ssl->conf->p_rng);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
- return ret;
- }
-
- ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
- ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
- ssl->conf->f_rng, ssl->conf->p_rng);
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- } else
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
- {
- ((void) ciphersuite_info);
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ssl->out_msglen = header_len + content_len;
- ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
-
- mbedtls_ssl_handshake_increment_state(ssl);
-
- if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
-
- return 0;
-}
-
-#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
-{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
-
- if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
- return ret;
- }
-
- if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-}
-#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
- size_t n = 0, offset = 0;
- unsigned char hash[48];
- unsigned char *hash_start = hash;
- mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
- size_t hashlen;
- void *rs_ctx = NULL;
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
-#else
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
-#endif
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled &&
- ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
- goto sign;
- }
-#endif
-
- if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
- return ret;
- }
-
- if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
- if (ssl->handshake->client_auth == 0 ||
- mbedtls_ssl_own_cert(ssl) == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
- mbedtls_ssl_handshake_increment_state(ssl);
- return 0;
- }
-
- if (mbedtls_ssl_own_key(ssl) == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
- return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
- }
-
- /*
- * Make a signature of the handshake digests
- */
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled) {
- ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
- }
-
-sign:
-#endif
-
- ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
- if (0 != ret) {
- MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
- return ret;
- }
-
- /*
- * digitally-signed struct {
- * opaque handshake_messages[handshake_messages_length];
- * };
- *
- * Taking shortcut here. We assume that the server always allows the
- * PRF Hash function and has sent it in the allowed signature
- * algorithms list received in the Certificate Request message.
- *
- * Until we encounter a server that does not, we will take this
- * shortcut.
- *
- * Reason: Otherwise we should have running hashes for SHA512 and
- * SHA224 in order to satisfy 'weird' needs from the server
- * side.
- */
- if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
- md_alg = MBEDTLS_MD_SHA384;
- ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
- } else {
- md_alg = MBEDTLS_MD_SHA256;
- ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
- }
- ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
-
- /* Info from md_alg will be used instead */
- hashlen = 0;
- offset = 2;
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ssl->handshake->ecrs_enabled) {
- rs_ctx = &ssl->handshake->ecrs_ctx.pk;
- }
-#endif
-
- if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
- md_alg, hash_start, hashlen,
- ssl->out_msg + 6 + offset,
- out_buf_len - 6 - offset,
- &n,
- ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
- }
-#endif
- return ret;
- }
-
- MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
-
- ssl->out_msglen = 6 + n + offset;
- ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
-
- mbedtls_ssl_handshake_increment_state(ssl);
-
- if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
- return ret;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
-
- return ret;
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- uint32_t lifetime;
- size_t ticket_len;
- unsigned char *ticket;
- const unsigned char *msg;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
-
- if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
- return ret;
- }
-
- if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
- mbedtls_ssl_send_alert_message(
- ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
- return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
- }
-
- /*
- * struct {
- * uint32 ticket_lifetime_hint;
- * opaque ticket<0..2^16-1>;
- * } NewSessionTicket;
- *
- * 0 . 3 ticket_lifetime_hint
- * 4 . 5 ticket_len (n)
- * 6 . 5+n ticket content
- */
- if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
- ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
-
- lifetime = MBEDTLS_GET_UINT32_BE(msg, 0);
-
- ticket_len = MBEDTLS_GET_UINT16_BE(msg, 4);
-
- if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
-
- /* We're not waiting for a NewSessionTicket message any more */
- ssl->handshake->new_session_ticket = 0;
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
-
- /*
- * Zero-length ticket means the server changed his mind and doesn't want
- * to send a ticket after all, so just forget it
- */
- if (ticket_len == 0) {
- return 0;
- }
-
- if (ssl->session != NULL && ssl->session->ticket != NULL) {
- mbedtls_zeroize_and_free(ssl->session->ticket,
- ssl->session->ticket_len);
- ssl->session->ticket = NULL;
- ssl->session->ticket_len = 0;
- }
-
- mbedtls_zeroize_and_free(ssl->session_negotiate->ticket,
- ssl->session_negotiate->ticket_len);
- ssl->session_negotiate->ticket = NULL;
- ssl->session_negotiate->ticket_len = 0;
-
- if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
- }
-
- memcpy(ticket, msg + 6, ticket_len);
-
- ssl->session_negotiate->ticket = ticket;
- ssl->session_negotiate->ticket_len = ticket_len;
- ssl->session_negotiate->ticket_lifetime = lifetime;
-
- /*
- * RFC 5077 section 3.4:
- * "If the client receives a session ticket from the server, then it
- * discards any Session ID that was sent in the ServerHello."
- */
- MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
- ssl->session_negotiate->id_len = 0;
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
-
- return 0;
-}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-/*
- * SSL handshake -- client side -- single step
- */
-int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
-{
- int ret = 0;
-
- /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
- * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
- ssl->handshake->new_session_ticket != 0) {
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_NEW_SESSION_TICKET);
- }
-#endif
-
- switch (ssl->state) {
- case MBEDTLS_SSL_HELLO_REQUEST:
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
- break;
-
- /*
- * ==> ClientHello
- */
- case MBEDTLS_SSL_CLIENT_HELLO:
- ret = mbedtls_ssl_write_client_hello(ssl);
- break;
-
- /*
- * <== ServerHello
- * Certificate
- * ( ServerKeyExchange )
- * ( CertificateRequest )
- * ServerHelloDone
- */
- case MBEDTLS_SSL_SERVER_HELLO:
- ret = ssl_parse_server_hello(ssl);
- break;
-
- case MBEDTLS_SSL_SERVER_CERTIFICATE:
- ret = mbedtls_ssl_parse_certificate(ssl);
- break;
-
- case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
- ret = ssl_parse_server_key_exchange(ssl);
- break;
-
- case MBEDTLS_SSL_CERTIFICATE_REQUEST:
- ret = ssl_parse_certificate_request(ssl);
- break;
-
- case MBEDTLS_SSL_SERVER_HELLO_DONE:
- ret = ssl_parse_server_hello_done(ssl);
- break;
-
- /*
- * ==> ( Certificate/Alert )
- * ClientKeyExchange
- * ( CertificateVerify )
- * ChangeCipherSpec
- * Finished
- */
- case MBEDTLS_SSL_CLIENT_CERTIFICATE:
- ret = mbedtls_ssl_write_certificate(ssl);
- break;
-
- case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
- ret = ssl_write_client_key_exchange(ssl);
- break;
-
- case MBEDTLS_SSL_CERTIFICATE_VERIFY:
- ret = ssl_write_certificate_verify(ssl);
- break;
-
- case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
- ret = mbedtls_ssl_write_change_cipher_spec(ssl);
- break;
-
- case MBEDTLS_SSL_CLIENT_FINISHED:
- ret = mbedtls_ssl_write_finished(ssl);
- break;
-
- /*
- * <== ( NewSessionTicket )
- * ChangeCipherSpec
- * Finished
- */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- case MBEDTLS_SSL_NEW_SESSION_TICKET:
- ret = ssl_parse_new_session_ticket(ssl);
- break;
-#endif
-
- case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
- ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
- break;
-
- case MBEDTLS_SSL_SERVER_FINISHED:
- ret = mbedtls_ssl_parse_finished(ssl);
- break;
-
- case MBEDTLS_SSL_FLUSH_BUFFERS:
- MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
- mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
- break;
-
- case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
- mbedtls_ssl_handshake_wrapup(ssl);
- break;
-
- default:
- MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- return ret;
-}
-
-#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */
diff --git a/lib/mbedtls_ssl/src/ssl_tls13_keys.h b/lib/mbedtls_ssl/src/ssl_tls13_keys.h
deleted file mode 100644
index 1509e9a4d..000000000
--- a/lib/mbedtls_ssl/src/ssl_tls13_keys.h
+++ /dev/null
@@ -1,668 +0,0 @@
-/*
- * TLS 1.3 key schedule
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
-#define MBEDTLS_SSL_TLS1_3_KEYS_H
-
-/* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at
- * the point of use. See e.g. the definition of mbedtls_ssl_tls13_labels_union
- * below. */
-#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \
- MBEDTLS_SSL_TLS1_3_LABEL(finished, "finished") \
- MBEDTLS_SSL_TLS1_3_LABEL(resumption, "resumption") \
- MBEDTLS_SSL_TLS1_3_LABEL(traffic_upd, "traffic upd") \
- MBEDTLS_SSL_TLS1_3_LABEL(exporter, "exporter") \
- MBEDTLS_SSL_TLS1_3_LABEL(key, "key") \
- MBEDTLS_SSL_TLS1_3_LABEL(iv, "iv") \
- MBEDTLS_SSL_TLS1_3_LABEL(c_hs_traffic, "c hs traffic") \
- MBEDTLS_SSL_TLS1_3_LABEL(c_ap_traffic, "c ap traffic") \
- MBEDTLS_SSL_TLS1_3_LABEL(c_e_traffic, "c e traffic") \
- MBEDTLS_SSL_TLS1_3_LABEL(s_hs_traffic, "s hs traffic") \
- MBEDTLS_SSL_TLS1_3_LABEL(s_ap_traffic, "s ap traffic") \
- MBEDTLS_SSL_TLS1_3_LABEL(s_e_traffic, "s e traffic") \
- MBEDTLS_SSL_TLS1_3_LABEL(e_exp_master, "e exp master") \
- MBEDTLS_SSL_TLS1_3_LABEL(res_master, "res master") \
- MBEDTLS_SSL_TLS1_3_LABEL(exp_master, "exp master") \
- MBEDTLS_SSL_TLS1_3_LABEL(ext_binder, "ext binder") \
- MBEDTLS_SSL_TLS1_3_LABEL(res_binder, "res binder") \
- MBEDTLS_SSL_TLS1_3_LABEL(derived, "derived") \
- MBEDTLS_SSL_TLS1_3_LABEL(client_cv, "TLS 1.3, client CertificateVerify") \
- MBEDTLS_SSL_TLS1_3_LABEL(server_cv, "TLS 1.3, server CertificateVerify")
-
-#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0
-#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED 1
-
-#define MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL 0
-#define MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION 1
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-
-/* We need to tell the compiler that we meant to leave out the null character. */
-#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
- const unsigned char name [sizeof(string) - 1] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING;
-
-union mbedtls_ssl_tls13_labels_union {
- MBEDTLS_SSL_TLS1_3_LABEL_LIST
-};
-struct mbedtls_ssl_tls13_labels_struct {
- MBEDTLS_SSL_TLS1_3_LABEL_LIST
-};
-#undef MBEDTLS_SSL_TLS1_3_LABEL
-
-extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
-
-#define MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL) \
- sizeof(mbedtls_ssl_tls13_labels.LABEL)
-
-#define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(LABEL) \
- mbedtls_ssl_tls13_labels.LABEL, \
- MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL)
-
-/* Maximum length of the label field in the HkdfLabel struct defined in
- * RFC 8446, Section 7.1, excluding the "tls13 " prefix. */
-#define MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN 249
-
-/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
- * Since contexts are always hashes of message transcripts, this can
- * be approximated from above by the maximum hash size. */
-#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \
- PSA_HASH_MAX_SIZE
-
-/* Maximum desired length for expanded key material generated
- * by HKDF-Expand-Label. This algorithm can output up to 255 * hash_size
- * bytes of key material where hash_size is the output size of the
- * underlying hash function. */
-#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN \
- (255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)
-
-/**
- * \brief The \c HKDF-Expand-Label function from
- * the TLS 1.3 standard RFC 8446.
- *
- *
- * HKDF-Expand-Label( Secret, Label, Context, Length ) =
- * HKDF-Expand( Secret, HkdfLabel, Length )
- *
- *
- * \param hash_alg The identifier for the hash algorithm to use.
- * \param secret The \c Secret argument to \c HKDF-Expand-Label.
- * This must be a readable buffer of length
- * \p secret_len Bytes.
- * \param secret_len The length of \p secret in Bytes.
- * \param label The \c Label argument to \c HKDF-Expand-Label.
- * This must be a readable buffer of length
- * \p label_len Bytes.
- * \param label_len The length of \p label in Bytes.
- * \param ctx The \c Context argument to \c HKDF-Expand-Label.
- * This must be a readable buffer of length \p ctx_len Bytes.
- * \param ctx_len The length of \p context in Bytes.
- * \param buf The destination buffer to hold the expanded secret.
- * This must be a writable buffer of length \p buf_len Bytes.
- * \param buf_len The desired size of the expanded secret in Bytes.
- *
- * \returns \c 0 on success.
- * \return A negative error code on failure.
- */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_hkdf_expand_label(
- psa_algorithm_t hash_alg,
- const unsigned char *secret, size_t secret_len,
- const unsigned char *label, size_t label_len,
- const unsigned char *ctx, size_t ctx_len,
- unsigned char *buf, size_t buf_len);
-
-/**
- * \brief This function is part of the TLS 1.3 key schedule.
- * It extracts key and IV for the actual client/server traffic
- * from the client/server traffic secrets.
- *
- * From RFC 8446:
- *
- *
- * [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
- * [sender]_write_iv = HKDF-Expand-Label(Secret, "iv", "", iv_length)*
- *
- *
- * \param hash_alg The identifier for the hash algorithm to be used
- * for the HKDF-based expansion of the secret.
- * \param client_secret The client traffic secret.
- * This must be a readable buffer of size
- * \p secret_len Bytes
- * \param server_secret The server traffic secret.
- * This must be a readable buffer of size
- * \p secret_len Bytes
- * \param secret_len Length of the secrets \p client_secret and
- * \p server_secret in Bytes.
- * \param key_len The desired length of the key to be extracted in Bytes.
- * \param iv_len The desired length of the IV to be extracted in Bytes.
- * \param keys The address of the structure holding the generated
- * keys and IVs.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_make_traffic_keys(
- psa_algorithm_t hash_alg,
- const unsigned char *client_secret,
- const unsigned char *server_secret, size_t secret_len,
- size_t key_len, size_t iv_len,
- mbedtls_ssl_key_set *keys);
-
-/**
- * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446.
- *
- *
- * Derive-Secret( Secret, Label, Messages ) =
- * HKDF-Expand-Label( Secret, Label,
- * Hash( Messages ),
- * Hash.Length ) )
- *
- *
- * \param hash_alg The identifier for the hash function used for the
- * applications of HKDF.
- * \param secret The \c Secret argument to the \c Derive-Secret function.
- * This must be a readable buffer of length
- * \p secret_len Bytes.
- * \param secret_len The length of \p secret in Bytes.
- * \param label The \c Label argument to the \c Derive-Secret function.
- * This must be a readable buffer of length
- * \p label_len Bytes.
- * \param label_len The length of \p label in Bytes.
- * \param ctx The hash of the \c Messages argument to the
- * \c Derive-Secret function, or the \c Messages argument
- * itself, depending on \p ctx_hashed.
- * \param ctx_len The length of \p ctx in Bytes.
- * \param ctx_hashed This indicates whether the \p ctx contains the hash of
- * the \c Messages argument in the application of the
- * \c Derive-Secret function
- * (value MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED), or whether
- * it is the content of \c Messages itself, in which case
- * the function takes care of the hashing
- * (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED).
- * \param dstbuf The target buffer to write the output of
- * \c Derive-Secret to. This must be a writable buffer of
- * size \p dtsbuf_len Bytes.
- * \param dstbuf_len The length of \p dstbuf in Bytes.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_derive_secret(
- psa_algorithm_t hash_alg,
- const unsigned char *secret, size_t secret_len,
- const unsigned char *label, size_t label_len,
- const unsigned char *ctx, size_t ctx_len,
- int ctx_hashed,
- unsigned char *dstbuf, size_t dstbuf_len);
-
-/**
- * \brief Derive TLS 1.3 early data key material from early secret.
- *
- * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
- * with the appropriate labels.
- *
- *
- * Early Secret
- * |
- * +-----> Derive-Secret(., "c e traffic", ClientHello)
- * | = client_early_traffic_secret
- * |
- * +-----> Derive-Secret(., "e exp master", ClientHello)
- * . = early_exporter_master_secret
- * .
- * .
- *
- *
- * \note To obtain the actual key and IV for the early data traffic,
- * the client secret derived by this function need to be
- * further processed by mbedtls_ssl_tls13_make_traffic_keys().
- *
- * \note The binder key, which is also generated from the early secret,
- * is omitted here. Its calculation is part of the separate routine
- * mbedtls_ssl_tls13_create_psk_binder().
- *
- * \param hash_alg The hash algorithm associated with the PSK for which
- * early data key material is being derived.
- * \param early_secret The early secret from which the early data key material
- * should be derived. This must be a readable buffer whose
- * length is the digest size of the hash algorithm
- * represented by \p md_size.
- * \param transcript The transcript of the handshake so far, calculated with
- * respect to \p hash_alg. This must be a readable buffer
- * whose length is the digest size of the hash algorithm
- * represented by \p md_size.
- * \param derived The address of the structure in which to store
- * the early data key material.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_derive_early_secrets(
- psa_algorithm_t hash_alg,
- unsigned char const *early_secret,
- unsigned char const *transcript, size_t transcript_len,
- mbedtls_ssl_tls13_early_secrets *derived);
-
-/**
- * \brief Derive TLS 1.3 handshake key material from the handshake secret.
- *
- * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
- * with the appropriate labels from the standard.
- *
- *
- * Handshake Secret
- * |
- * +-----> Derive-Secret( ., "c hs traffic",
- * | ClientHello...ServerHello )
- * | = client_handshake_traffic_secret
- * |
- * +-----> Derive-Secret( ., "s hs traffic",
- * . ClientHello...ServerHello )
- * . = server_handshake_traffic_secret
- * .
- *
- *
- * \note To obtain the actual key and IV for the encrypted handshake traffic,
- * the client and server secret derived by this function need to be
- * further processed by mbedtls_ssl_tls13_make_traffic_keys().
- *
- * \param hash_alg The hash algorithm associated with the ciphersuite
- * that's being used for the connection.
- * \param handshake_secret The handshake secret from which the handshake key
- * material should be derived. This must be a readable
- * buffer whose length is the digest size of the hash
- * algorithm represented by \p md_size.
- * \param transcript The transcript of the handshake so far, calculated
- * with respect to \p hash_alg. This must be a readable
- * buffer whose length is the digest size of the hash
- * algorithm represented by \p md_size.
- * \param derived The address of the structure in which to
- * store the handshake key material.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_derive_handshake_secrets(
- psa_algorithm_t hash_alg,
- unsigned char const *handshake_secret,
- unsigned char const *transcript, size_t transcript_len,
- mbedtls_ssl_tls13_handshake_secrets *derived);
-
-/**
- * \brief Derive TLS 1.3 application key material from the master secret.
- *
- * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
- * with the appropriate labels from the standard.
- *
- *
- * Master Secret
- * |
- * +-----> Derive-Secret( ., "c ap traffic",
- * | ClientHello...server Finished )
- * | = client_application_traffic_secret_0
- * |
- * +-----> Derive-Secret( ., "s ap traffic",
- * | ClientHello...Server Finished )
- * | = server_application_traffic_secret_0
- * |
- * +-----> Derive-Secret( ., "exp master",
- * . ClientHello...server Finished)
- * . = exporter_master_secret
- * .
- *
- *
- * \note To obtain the actual key and IV for the (0-th) application traffic,
- * the client and server secret derived by this function need to be
- * further processed by mbedtls_ssl_tls13_make_traffic_keys().
- *
- * \param hash_alg The hash algorithm associated with the ciphersuite
- * that's being used for the connection.
- * \param master_secret The master secret from which the application key
- * material should be derived. This must be a readable
- * buffer whose length is the digest size of the hash
- * algorithm represented by \p md_size.
- * \param transcript The transcript of the handshake up to and including
- * the ServerFinished message, calculated with respect
- * to \p hash_alg. This must be a readable buffer whose
- * length is the digest size of the hash algorithm
- * represented by \p hash_alg.
- * \param derived The address of the structure in which to
- * store the application key material.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_derive_application_secrets(
- psa_algorithm_t hash_alg,
- unsigned char const *master_secret,
- unsigned char const *transcript, size_t transcript_len,
- mbedtls_ssl_tls13_application_secrets *derived);
-
-/**
- * \brief Derive TLS 1.3 resumption master secret from the master secret.
- *
- * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
- * with the appropriate labels from the standard.
- *
- * \param hash_alg The hash algorithm used in the application for which
- * key material is being derived.
- * \param application_secret The application secret from which the resumption master
- * secret should be derived. This must be a readable
- * buffer whose length is the digest size of the hash
- * algorithm represented by \p md_size.
- * \param transcript The transcript of the handshake up to and including
- * the ClientFinished message, calculated with respect
- * to \p hash_alg. This must be a readable buffer whose
- * length is the digest size of the hash algorithm
- * represented by \p hash_alg.
- * \param transcript_len The length of \p transcript in Bytes.
- * \param derived The address of the structure in which to
- * store the resumption master secret.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_derive_resumption_master_secret(
- psa_algorithm_t hash_alg,
- unsigned char const *application_secret,
- unsigned char const *transcript, size_t transcript_len,
- mbedtls_ssl_tls13_application_secrets *derived);
-
-/**
- * \brief Compute the next secret in the TLS 1.3 key schedule
- *
- * The TLS 1.3 key schedule proceeds as follows to compute
- * the three main secrets during the handshake: The early
- * secret for early data, the handshake secret for all
- * other encrypted handshake messages, and the master
- * secret for all application traffic.
- *
- *
- * 0
- * |
- * v
- * PSK -> HKDF-Extract = Early Secret
- * |
- * v
- * Derive-Secret( ., "derived", "" )
- * |
- * v
- * (EC)DHE -> HKDF-Extract = Handshake Secret
- * |
- * v
- * Derive-Secret( ., "derived", "" )
- * |
- * v
- * 0 -> HKDF-Extract = Master Secret
- *
- *
- * Each of the three secrets in turn is the basis for further
- * key derivations, such as the derivation of traffic keys and IVs;
- * see e.g. mbedtls_ssl_tls13_make_traffic_keys().
- *
- * This function implements one step in this evolution of secrets:
- *
- *
- * old_secret
- * |
- * v
- * Derive-Secret( ., "derived", "" )
- * |
- * v
- * input -> HKDF-Extract = new_secret
- *
- *
- * \param hash_alg The identifier for the hash function used for the
- * applications of HKDF.
- * \param secret_old The address of the buffer holding the old secret
- * on function entry. If not \c NULL, this must be a
- * readable buffer whose size matches the output size
- * of the hash function represented by \p hash_alg.
- * If \c NULL, an all \c 0 array will be used instead.
- * \param input The address of the buffer holding the additional
- * input for the key derivation (e.g., the PSK or the
- * ephemeral (EC)DH secret). If not \c NULL, this must be
- * a readable buffer whose size \p input_len Bytes.
- * If \c NULL, an all \c 0 array will be used instead.
- * \param input_len The length of \p input in Bytes.
- * \param secret_new The address of the buffer holding the new secret
- * on function exit. This must be a writable buffer
- * whose size matches the output size of the hash
- * function represented by \p hash_alg.
- * This may be the same as \p secret_old.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_evolve_secret(
- psa_algorithm_t hash_alg,
- const unsigned char *secret_old,
- const unsigned char *input, size_t input_len,
- unsigned char *secret_new);
-
-/**
- * \brief Calculate a TLS 1.3 PSK binder.
- *
- * \param ssl The SSL context. This is used for debugging only and may
- * be \c NULL if MBEDTLS_DEBUG_C is disabled.
- * \param hash_alg The hash algorithm associated to the PSK \p psk.
- * \param psk The buffer holding the PSK for which to create a binder.
- * \param psk_len The size of \p psk in bytes.
- * \param psk_type This indicates whether the PSK \p psk is externally
- * provisioned (#MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL) or a
- * resumption PSK (#MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION).
- * \param transcript The handshake transcript up to the point where the
- * PSK binder calculation happens. This must be readable,
- * and its size must be equal to the digest size of
- * the hash algorithm represented by \p hash_alg.
- * \param result The address at which to store the PSK binder on success.
- * This must be writable, and its size must be equal to the
- * digest size of the hash algorithm represented by
- * \p hash_alg.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl,
- const psa_algorithm_t hash_alg,
- unsigned char const *psk, size_t psk_len,
- int psk_type,
- unsigned char const *transcript,
- unsigned char *result);
-
-/**
- * \bref Setup an SSL transform structure representing the
- * record protection mechanism used by TLS 1.3
- *
- * \param transform The SSL transform structure to be created. This must have
- * been initialized through mbedtls_ssl_transform_init() and
- * not used in any other way prior to calling this function.
- * In particular, this function does not clean up the
- * transform structure prior to installing the new keys.
- * \param endpoint Indicates whether the transform is for the client
- * (value #MBEDTLS_SSL_IS_CLIENT) or the server
- * (value #MBEDTLS_SSL_IS_SERVER).
- * \param ciphersuite The numerical identifier for the ciphersuite to use.
- * This must be one of the identifiers listed in
- * ssl_ciphersuites.h.
- * \param traffic_keys The key material to use. No reference is stored in
- * the SSL transform being generated, and the caller
- * should destroy the key material afterwards.
- * \param ssl (Debug-only) The SSL context to use for debug output
- * in case of failure. This parameter is only needed if
- * #MBEDTLS_DEBUG_C is set, and is ignored otherwise.
- *
- * \return \c 0 on success. In this case, \p transform is ready to
- * be used with mbedtls_ssl_transform_decrypt() and
- * mbedtls_ssl_transform_encrypt().
- * \return A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
- int endpoint,
- int ciphersuite,
- mbedtls_ssl_key_set const *traffic_keys,
- mbedtls_ssl_context *ssl);
-
-/*
- * TLS 1.3 key schedule evolutions
- *
- * Early -> Handshake -> Application
- *
- * Small wrappers around mbedtls_ssl_tls13_evolve_secret().
- */
-
-/**
- * \brief Begin TLS 1.3 key schedule by calculating early secret.
- *
- * The TLS 1.3 key schedule can be viewed as a simple state machine
- * with states Initial -> Early -> Handshake -> Application, and
- * this function represents the Initial -> Early transition.
- *
- * \param ssl The SSL context to operate on.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl);
-
-/**
- * \brief Compute TLS 1.3 resumption master secret.
- *
- * \param ssl The SSL context to operate on. This must be in
- * key schedule stage \c Application, see
- * mbedtls_ssl_tls13_key_schedule_stage_application().
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl);
-
-/**
- * \brief Calculate the verify_data value for the client or server TLS 1.3
- * Finished message.
- *
- * \param ssl The SSL context to operate on. This must be in
- * key schedule stage \c Handshake, see
- * mbedtls_ssl_tls13_key_schedule_stage_application().
- * \param dst The address at which to write the verify_data value.
- * \param dst_len The size of \p dst in bytes.
- * \param actual_len The address at which to store the amount of data
- * actually written to \p dst upon success.
- * \param which The message to calculate the `verify_data` for:
- * - #MBEDTLS_SSL_IS_CLIENT for the Client's Finished message
- * - #MBEDTLS_SSL_IS_SERVER for the Server's Finished message
- *
- * \note Both client and server call this function twice, once to
- * generate their own Finished message, and once to verify the
- * peer's Finished message.
-
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
- unsigned char *dst,
- size_t dst_len,
- size_t *actual_len,
- int which);
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
-/**
- * \brief Compute TLS 1.3 early transform
- *
- * \param ssl The SSL context to operate on.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- *
- * \warning The function does not compute the early master secret. Call
- * mbedtls_ssl_tls13_key_schedule_stage_early() before to
- * call this function to generate the early master secret.
- * \note For a client/server endpoint, the function computes only the
- * encryption/decryption part of the transform as the decryption/
- * encryption part is not defined by the specification (no early
- * traffic from the server to the client).
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_EARLY_DATA */
-
-/**
- * \brief Compute TLS 1.3 handshake transform
- *
- * \param ssl The SSL context to operate on. The early secret must have been
- * computed.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context *ssl);
-
-/**
- * \brief Compute TLS 1.3 application transform
- *
- * \param ssl The SSL context to operate on. The early secret must have been
- * computed.
- *
- * \returns \c 0 on success.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
-/**
- * \brief Export TLS 1.3 PSK from handshake context
- *
- * \param[in] ssl The SSL context to operate on.
- * \param[out] psk PSK output pointer.
- * \param[out] psk_len Length of PSK.
- *
- * \returns \c 0 if there is a configured PSK and it was exported
- * successfully.
- * \returns A negative error code on failure.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
- unsigned char **psk,
- size_t *psk_len);
-#endif
-
-/**
- * \brief Calculate TLS-Exporter function as defined in RFC 8446, Section 7.5.
- *
- * \param[in] hash_alg The hash algorithm.
- * \param[in] secret The secret to use. (Should be the exporter master secret.)
- * \param[in] secret_len Length of secret.
- * \param[in] label The label of the exported key.
- * \param[in] label_len The length of label.
- * \param[out] out The output buffer for the exported key. Must have room for at least out_len bytes.
- * \param[in] out_len Length of the key to generate.
- */
-int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
- const unsigned char *secret, const size_t secret_len,
- const unsigned char *label, const size_t label_len,
- const unsigned char *context_value, const size_t context_len,
- uint8_t *out, const size_t out_len);
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
-#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */
diff --git a/platformio.ini b/platformio.ini
index 9ac33f07f..78c558f1c 100644
--- a/platformio.ini
+++ b/platformio.ini
@@ -92,6 +92,8 @@ lib_deps =
bblanchon/ArduinoJson @ 7.4.2
ESP32Async/AsyncTCP @ 3.4.10
ESP32Async/ESPAsyncWebServer @ 3.10.1
+ https://github.com/mobizt/ReadyMail.git @ 0.3.8
+ https://github.com/mobizt/ESP_SSLClient.git @ 3.1.3
; https://github.com/emsesp/EMS-ESP-Modules.git @ 1.0.8
; builds the web interface only, not the firmware
diff --git a/src/core/locale_common.h b/src/core/locale_common.h
index 2b769dd2c..d5b88c789 100644
--- a/src/core/locale_common.h
+++ b/src/core/locale_common.h
@@ -47,6 +47,7 @@ MAKE_WORD(raw)
MAKE_WORD(watch)
MAKE_WORD(syslog)
MAKE_WORD(send)
+MAKE_WORD(sendmail)
MAKE_WORD(telegram)
MAKE_WORD(bus_id)
MAKE_WORD(tx_mode)
diff --git a/src/core/locale_translations.h b/src/core/locale_translations.h
index 65cda4859..c781a316b 100644
--- a/src/core/locale_translations.h
+++ b/src/core/locale_translations.h
@@ -65,6 +65,7 @@ MAKE_WORD_TRANSLATION(commands_cmd, "list all commands", "Liste aller Kommandos"
MAKE_WORD_TRANSLATION(entities_cmd, "list all entities", "Liste aller Entitäten", "lijst van alle entiteiten", "lista all entiteter", "wyświetl wszsytkie encje", "Viser alle enheter", "lister toutes les entités", "Tüm varlıkları listele", "elenca tutte le entità", "zobraziť všetky entity", "vypsat všechny entity")
MAKE_WORD_TRANSLATION(metrics_cmd, "list all prometheus metrics", "Liste aller Prometheus Metriken", "lijst van alle Prometheus metriken", "lista alla Prometheus metriker", "wyświetl wszystkie Prometheus metryki", "Viser alle Prometheus metrikker", "lister toutes les métriques Prometheus", "Tüm Prometheus metriklerini listele", "elenca tutte le metriche Prometheus", "zobraziť všetky Prometheus metriky", "vypsat všechny Prometheus metriky")
MAKE_WORD_TRANSLATION(send_cmd, "send a telegram", "Sende EMS-Telegramm", "stuur een telegram", "skicka ett telegram", "wyślij telegram", "send et telegram", "envoyer un télégramme", "Bir telegram gönder", "invia un telegramma", "poslať telegram", "odeslat telegram")
+MAKE_WORD_TRANSLATION(sendmail_cmd, "send email", "Sende eMail", "stuur email", "", "wyślij email", "send email", "", "email gönder", "invia email", "poslať email") // TODO translate
MAKE_WORD_TRANSLATION(read_cmd, "send read request", "Sende Leseanfrage", "stuur leesaanvraag", "skicka en läsförfrågan", "wyślij żądanie odczytu", "send leseforespørsel", "envoyer une demande de lecture", "okuma isteği gönder", "invia richiesta di lettura", "odoslať žiadosť o prečítanie", "odeslat požadavek na čtení")
MAKE_WORD_TRANSLATION(setiovalue_cmd, "set I/O value", "Setze Werte E/A", "instellen standaardwaarde", "sätt ett I/O-värde", "ustaw wartość", "sett en io verdi", "définir valeur E/S", "Giriş/Çıkış değerlerini ayarla", "imposta valore io", "nastaviť hodnotu io", "nastavit hodnotu I/O")
MAKE_WORD_TRANSLATION(changeloglevel_cmd, "change log level", "Ändere Protokollebene", "aanpassen log niveau", "ändra logg-nivå", "zmień poziom log-u", "endre loggnivå", "changer le niveau de journal", "Kayıt seviyesini değiştir", "cambia livello registrazione", "zmeniť úroveň protokolu", "změnit úroveň protokolování")
diff --git a/src/core/system.cpp b/src/core/system.cpp
index 2157aec72..1d92bb8db 100644
--- a/src/core/system.cpp
+++ b/src/core/system.cpp
@@ -52,6 +52,15 @@
#include
#endif
+#ifndef NO_TLS_SUPPORT
+#define ENABLE_SMTP
+#define USE_ESP_SSLCLIENT
+#define READYCLIENT_SSL_CLIENT ESP_SSLClient
+#define READYCLIENT_TYPE_1 // TYPE 1 when using ESP_SSLClient
+#include
+#include
+#endif
+
#ifndef EMSESP_STANDALONE
#include "esp_efuse.h"
#endif
@@ -124,6 +133,110 @@ bool System::command_send(const char * value, const int8_t id) {
return EMSESP::txservice_.send_raw(value); // ignore id
}
+bool System::command_sendmail(const char * value, const int8_t id) {
+ bool enabled = false;
+ bool ssl, starttls;
+ uint16_t port;
+ String server, login, pass, sender, recp, subject;
+ EMSESP::webSettingsService.read([&](WebSettings & settings) {
+ enabled = settings.email_enabled;
+ ssl = settings.email_ssl;
+ starttls = settings.email_starttls;
+ server = settings.email_server;
+ port = settings.email_port;
+ login = settings.email_login;
+ pass = settings.email_pass;
+ sender = settings.email_sender;
+ recp = settings.email_recp;
+ subject = settings.email_subject;
+ });
+ if (!enabled) {
+ return false;
+ }
+ LOG_DEBUG("Command sendmail port %d%s called with '%s'", port, ssl ? " (SSL)" : starttls ? " (STARTTLS)" : "", value);
+ // LOG_DEBUG("Command sendmail port %d called with '%s'", port, value);
+ bool success = false;
+
+#ifndef NO_TLS_SUPPORT
+ WiFiClient * basic_client;
+ ESP_SSLClient * ssl_client;
+ ReadyClient * r_client; // rClient(ssl_client);
+ SMTPClient * smtp; // smtp(rClient);
+ basic_client = new WiFiClient;
+ ssl_client = new ESP_SSLClient;
+ r_client = new ReadyClient(*ssl_client);
+ smtp = new SMTPClient(*r_client);
+
+ ssl_client->setClient(basic_client);
+ ssl_client->setInsecure();
+ ssl_client->setBufferSizes(1024, 1024);
+ r_client->addPort(port, starttls ? readymail_protocol_tls : ssl ? readymail_protocol_ssl : readymail_protocol_plain_text);
+
+ // smtp->connect(server, port, sendmailCallback);
+ smtp->connect(server, port);
+ if (!smtp->isConnected()) {
+ LOG_ERROR("Sendmail connection error");
+ delete smtp;
+ delete r_client;
+ delete ssl_client;
+ delete basic_client;
+ return false;
+ }
+
+ // LOG_INFO("autenticate %s:%s", login.c_str(), pass.c_str());
+ smtp->authenticate(login, pass, readymail_auth_password);
+ if (!smtp->isAuthenticated()) {
+ LOG_ERROR("Sendmail authenticate error");
+ delete smtp;
+ delete r_client;
+ delete ssl_client;
+ delete basic_client;
+ return false;
+ }
+ JsonDocument doc;
+ String body = value;
+ if (body.length()) {
+ auto error = deserializeJson(doc, (const char *)value);
+ if (!error && doc.as().size() >= 0) {
+ subject = doc["subject"] | subject;
+ recp = doc["to"] | recp;
+ sender = doc["from"] | sender;
+ body = doc["body"] | body;
+ }
+ }
+
+ SMTPMessage & msg = smtp->getMessage();
+ msg.headers.add(rfc822_subject, subject);
+ msg.headers.add(rfc822_from, sender);
+ msg.headers.add(rfc822_to, recp);
+
+ // Use addCustom to add custom header e.g. Imprtance and Priority.
+ // msg.headers.addCustom("Importance", PRIORITY);
+ // msg.headers.addCustom("X-MSMail-Priority", PRIORITY);
+ // msg.headers.addCustom("X-Priority", PRIORITY_NUM);
+
+ msg.text.body(body);
+
+ // bodyText.replace("\r\n", "
\r\n");
+ // msg.html.body("" + bodyText + "
");
+ // msg.html.transferEncoding("base64");
+
+ // With embedFile function, the html message will send as attachment.
+ // if (EMBED_MESSAGE)
+ // msg.html.embedFile(true, "msg.html", embed_message_type_attachment);
+
+ msg.timestamp = time(nullptr);
+
+ success = smtp->send(msg);
+
+ delete smtp;
+ delete r_client;
+ delete ssl_client;
+ delete basic_client;
+#endif
+ return success;
+}
+
// return string of languages and count
std::string System::languages_string() {
std::string languages_string = std::to_string(NUM_LANGUAGES) + " languages (";
@@ -1019,6 +1132,7 @@ void System::commands_init() {
Command::add(EMSdevice::DeviceType::SYSTEM, F_(read), System::command_read, FL_(read_cmd), CommandFlag::ADMIN_ONLY);
Command::add(EMSdevice::DeviceType::SYSTEM, F_(send), System::command_send, FL_(send_cmd), CommandFlag::ADMIN_ONLY);
Command::add(EMSdevice::DeviceType::SYSTEM, F_(fetch), System::command_fetch, FL_(fetch_cmd), CommandFlag::ADMIN_ONLY);
+ Command::add(EMSdevice::DeviceType::SYSTEM, F_(sendmail), System::command_sendmail, FL_(sendmail_cmd), CommandFlag::ADMIN_ONLY);
Command::add(EMSdevice::DeviceType::SYSTEM, F_(restart), System::command_restart, FL_(restart_cmd), CommandFlag::ADMIN_ONLY);
Command::add(EMSdevice::DeviceType::SYSTEM, F_(format), System::command_format, FL_(format_cmd), CommandFlag::ADMIN_ONLY);
Command::add(EMSdevice::DeviceType::SYSTEM, F_(txpause), System::command_txpause, FL_(txpause_cmd), CommandFlag::ADMIN_ONLY);
diff --git a/src/core/system.h b/src/core/system.h
index b2db2d541..b6c8836ce 100644
--- a/src/core/system.h
+++ b/src/core/system.h
@@ -95,6 +95,7 @@ class System {
static bool command_info(const char * value, const int8_t id, JsonObject output);
static bool command_response(const char * value, const int8_t id, JsonObject output);
static bool command_service(const char * cmd, const char * value);
+ static bool command_sendmail(const char * value, const int8_t id);
static bool command_txpause(const char * value, const int8_t id);
static bool get_value_info(JsonObject root, const char * cmd);
diff --git a/src/web/WebSettingsService.cpp b/src/web/WebSettingsService.cpp
index 6a7beca54..f1fb188c2 100644
--- a/src/web/WebSettingsService.cpp
+++ b/src/web/WebSettingsService.cpp
@@ -83,6 +83,20 @@ void WebSettings::read(WebSettings & settings, JsonObject root) {
root["modbus_max_clients"] = settings.modbus_max_clients;
root["modbus_timeout"] = settings.modbus_timeout;
root["developer_mode"] = settings.developer_mode;
+#ifndef NO_TLS_SUPPORT
+ root["email_enabled"] = settings.email_enabled;
+#else
+ root["email_enabled"] = false;
+#endif
+ root["email_ssl"] = settings.email_ssl;
+ root["email_starttls"] = settings.email_starttls;
+ root["email_server"] = settings.email_server;
+ root["email_port"] = settings.email_port;
+ root["email_login"] = settings.email_login;
+ root["email_pass"] = settings.email_pass;
+ root["email_sender"] = settings.email_sender;
+ root["email_recp"] = settings.email_recp;
+ root["email_subject"] = settings.email_subject;
}
// call on initialization and also when settings are updated/saved via web or console
@@ -296,6 +310,20 @@ StateUpdateResult WebSettings::update(JsonObject root, WebSettings & settings) {
settings.weblog_level = root["weblog_level"] | EMSESP_DEFAULT_WEBLOG_LEVEL;
settings.weblog_compact = root["weblog_compact"] | EMSESP_DEFAULT_WEBLOG_COMPACT;
+ settings.email_enabled = root["email_enabled"] | FACTORY_EMAIL_ENABLE;
+ settings.email_ssl = root["email_ssl"] | FACTORY_EMAIL_SSL;
+ settings.email_starttls = root["email_starttls"] | FACTORY_EMAIL_STARTTLS;
+ settings.email_server = root["email_server"] | FACTORY_EMAIL_SERVER;
+ settings.email_port = root["email_port"] | FACTORY_EMAIL_PORT;
+ settings.email_login = root["email_login"] | FACTORY_EMAIL_LOGIN;
+ settings.email_pass = root["email_pass"] | FACTORY_EMAIL_PASSWORD;
+ settings.email_sender = root["email_sender"] | FACTORY_EMAIL_FROM;
+ settings.email_recp = root["email_recp"] | FACTORY_EMAIL_TO;
+ settings.email_subject = root["email_subject"] | FACTORY_EMAIL_SUBJECT;
+
+ if (settings.email_ssl && settings.email_starttls) {
+ settings.email_ssl = false;
+ }
// if no psram limit weblog buffer to 25 messages
if (EMSESP::system_.PSram() > 0) {
settings.weblog_buffer = root["weblog_buffer"] | EMSESP_DEFAULT_WEBLOG_BUFFER;
diff --git a/src/web/WebSettingsService.h b/src/web/WebSettingsService.h
index 8ad076ab4..65526669e 100644
--- a/src/web/WebSettingsService.h
+++ b/src/web/WebSettingsService.h
@@ -26,6 +26,36 @@
#define EMSESP_SETTINGS_SERVICE_PATH "/rest/settings"
#define EMSESP_BOARD_PROFILE_SERVICE_PATH "/rest/boardProfile"
+#ifndef FACTORY_EMAIL_ENABLE
+#define FACTORY_EMAIL_ENABLE false
+#endif
+#ifndef FACTORY_EMAIL_SSL
+#define FACTORY_EMAIL_SSL false
+#endif
+#ifndef FACTORY_EMAIL_STARTTLS
+#define FACTORY_EMAIL_STARTTLS true
+#endif
+#ifndef FACTORY_EMAIL_PORT
+#define FACTORY_EMAIL_PORT 587
+#endif
+#ifndef FACTORY_EMAIL_SERVER
+#define FACTORY_EMAIL_SERVER "smtp.example.net"
+#endif
+#ifndef FACTORY_EMAIL_LOGIN
+#define FACTORY_EMAIL_LOGIN ""
+#endif
+#ifndef FACTORY_EMAIL_PASSWORD
+#define FACTORY_EMAIL_PASSWORD ""
+#endif
+#ifndef FACTORY_EMAIL_FROM
+#define FACTORY_EMAIL_FROM "ems-esp@example.net"
+#endif
+#ifndef FACTORY_EMAIL_TO
+#define FACTORY_EMAIL_TO ""
+#endif
+#ifndef FACTORY_EMAIL_SUBJECT
+#define FACTORY_EMAIL_SUBJECT "ems-esp notification"
+#endif
namespace emsesp {
class WebSettings {
@@ -77,6 +107,16 @@ class WebSettings {
uint16_t modbus_port;
uint8_t modbus_max_clients;
uint32_t modbus_timeout;
+ bool email_enabled;
+ bool email_ssl;
+ bool email_starttls;
+ String email_server;
+ uint16_t email_port;
+ String email_login;
+ String email_pass;
+ String email_sender;
+ String email_recp;
+ String email_subject;
uint8_t phy_type;
int8_t eth_power; // -1 means disabled