NCBI C++ ToolKit
ssl_tls.c
Go to the documentation of this file.

Go to the SVN repository for this file.

1 /*
2  * TLS shared functions
3  *
4  * Copyright The Mbed TLS Contributors
5  * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  */
7 /*
8  * http://www.ietf.org/rfc/rfc2246.txt
9  * http://www.ietf.org/rfc/rfc4346.txt
10  */
11 
12 #include "common.h"
13 
14 #if defined(MBEDTLS_SSL_TLS_C)
15 
16 #include "mbedtls/platform.h"
17 
18 #include "mbedtls/ssl.h"
19 #include "ssl_client.h"
20 #include "ssl_debug_helpers.h"
21 #include "ssl_misc.h"
22 
23 #include "debug_internal.h"
24 #include "mbedtls/error.h"
25 #include "mbedtls/platform_util.h"
26 #include "mbedtls/version.h"
27 #include "mbedtls/constant_time.h"
28 
29 #include <string.h>
30 
31 #if defined(MBEDTLS_USE_PSA_CRYPTO)
32 #include "mbedtls/psa_util.h"
33 #include "md_psa.h"
34 #include "psa_util_internal.h"
35 #include "psa/crypto.h"
36 #endif
37 
38 #if defined(MBEDTLS_X509_CRT_PARSE_C)
39 #include "mbedtls/oid.h"
40 #endif
41 
42 #if defined(MBEDTLS_USE_PSA_CRYPTO)
43 /* Define local translating functions to save code size by not using too many
44  * arguments in each translating place. */
45 static int local_err_translation(psa_status_t status)
46 {
50 }
51 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
52 #endif
53 
54 #if defined(MBEDTLS_TEST_HOOKS)
55 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
56 
57 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
58  const uint8_t *cur, const uint8_t *end, size_t need)
59 {
60  chk_buf_ptr_fail_args.cur = cur;
61  chk_buf_ptr_fail_args.end = end;
62  chk_buf_ptr_fail_args.need = need;
63 }
64 
65 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
66 {
67  memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
68 }
69 
70 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
71 {
72  return (chk_buf_ptr_fail_args.cur != args->cur) ||
73  (chk_buf_ptr_fail_args.end != args->end) ||
74  (chk_buf_ptr_fail_args.need != args->need);
75 }
76 #endif /* MBEDTLS_TEST_HOOKS */
77 
78 #if defined(MBEDTLS_SSL_PROTO_DTLS)
79 
80 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
81 /* Top-level Connection ID API */
82 
84  size_t len,
85  int ignore_other_cid)
86 {
89  }
90 
91  if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
92  ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
94  }
95 
96  conf->ignore_unexpected_cid = ignore_other_cid;
97  conf->cid_len = len;
98  return 0;
99 }
100 
102  int enable,
103  unsigned char const *own_cid,
104  size_t own_cid_len)
105 {
106  if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
108  }
109 
110  ssl->negotiate_cid = enable;
111  if (enable == MBEDTLS_SSL_CID_DISABLED) {
112  MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
113  return 0;
114  }
115  MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
116  MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
117 
118  if (own_cid_len != ssl->conf->cid_len) {
119  MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
120  (unsigned) own_cid_len,
121  (unsigned) ssl->conf->cid_len));
123  }
124 
125  memcpy(ssl->own_cid, own_cid, own_cid_len);
126  /* Truncation is not an issue here because
127  * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
128  ssl->own_cid_len = (uint8_t) own_cid_len;
129 
130  return 0;
131 }
132 
134  int *enabled,
135  unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
136  size_t *own_cid_len)
137 {
138  *enabled = MBEDTLS_SSL_CID_DISABLED;
139 
140  if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
142  }
143 
144  /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
145  * zero as this is indistinguishable from not requesting to use
146  * the CID extension. */
147  if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
148  return 0;
149  }
150 
151  if (own_cid_len != NULL) {
152  *own_cid_len = ssl->own_cid_len;
153  if (own_cid != NULL) {
154  memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
155  }
156  }
157 
158  *enabled = MBEDTLS_SSL_CID_ENABLED;
159 
160  return 0;
161 }
162 
164  int *enabled,
165  unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
166  size_t *peer_cid_len)
167 {
168  *enabled = MBEDTLS_SSL_CID_DISABLED;
169 
170  if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
171  mbedtls_ssl_is_handshake_over(ssl) == 0) {
173  }
174 
175  /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
176  * were used, but client and server requested the empty CID.
177  * This is indistinguishable from not using the CID extension
178  * in the first place. */
179  if (ssl->transform_in->in_cid_len == 0 &&
180  ssl->transform_in->out_cid_len == 0) {
181  return 0;
182  }
183 
184  if (peer_cid_len != NULL) {
185  *peer_cid_len = ssl->transform_in->out_cid_len;
186  if (peer_cid != NULL) {
187  memcpy(peer_cid, ssl->transform_in->out_cid,
188  ssl->transform_in->out_cid_len);
189  }
190  }
191 
192  *enabled = MBEDTLS_SSL_CID_ENABLED;
193 
194  return 0;
195 }
196 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
197 
198 #endif /* MBEDTLS_SSL_PROTO_DTLS */
199 
200 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
201 /*
202  * Convert max_fragment_length codes to length.
203  * RFC 6066 says:
204  * enum{
205  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
206  * } MaxFragmentLength;
207  * and we add 0 -> extension unused
208  */
209 static unsigned int ssl_mfl_code_to_length(int mfl)
210 {
211  switch (mfl) {
215  return 512;
217  return 1024;
219  return 2048;
221  return 4096;
222  default:
224  }
225 }
226 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
227 
229  const mbedtls_ssl_session *src)
230 {
232  memcpy(dst, src, sizeof(mbedtls_ssl_session));
233 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
234  dst->ticket = NULL;
235 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
236  defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
237  dst->hostname = NULL;
238 #endif
239 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
240 
241 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
242  defined(MBEDTLS_SSL_EARLY_DATA)
243  dst->ticket_alpn = NULL;
244 #endif
245 
246 #if defined(MBEDTLS_X509_CRT_PARSE_C)
247 
248 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
249  if (src->peer_cert != NULL) {
251 
252  dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
253  if (dst->peer_cert == NULL) {
255  }
256 
257  mbedtls_x509_crt_init(dst->peer_cert);
258 
259  if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
260  src->peer_cert->raw.len)) != 0) {
261  mbedtls_free(dst->peer_cert);
262  dst->peer_cert = NULL;
263  return ret;
264  }
265  }
266 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
267  if (src->peer_cert_digest != NULL) {
268  dst->peer_cert_digest =
269  mbedtls_calloc(1, src->peer_cert_digest_len);
270  if (dst->peer_cert_digest == NULL) {
272  }
273 
274  memcpy(dst->peer_cert_digest, src->peer_cert_digest,
275  src->peer_cert_digest_len);
276  dst->peer_cert_digest_type = src->peer_cert_digest_type;
277  dst->peer_cert_digest_len = src->peer_cert_digest_len;
278  }
279 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
280 
281 #endif /* MBEDTLS_X509_CRT_PARSE_C */
282 
283 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
284  defined(MBEDTLS_SSL_EARLY_DATA)
285  {
286  int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
287  if (ret != 0) {
288  return ret;
289  }
290  }
291 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
292 
293 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
294  if (src->ticket != NULL) {
295  dst->ticket = mbedtls_calloc(1, src->ticket_len);
296  if (dst->ticket == NULL) {
298  }
299 
300  memcpy(dst->ticket, src->ticket, src->ticket_len);
301  }
302 
303 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
304  defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
305  if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
307  ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
308  if (ret != 0) {
309  return ret;
310  }
311  }
312 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
313  MBEDTLS_SSL_SERVER_NAME_INDICATION */
314 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
315 
316  return 0;
317 }
318 
319 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
321 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
322 {
323  unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
324  if (resized_buffer == NULL) {
326  }
327 
328  /* We want to copy len_new bytes when downsizing the buffer, and
329  * len_old bytes when upsizing, so we choose the smaller of two sizes,
330  * to fit one buffer into another. Size checks, ensuring that no data is
331  * lost, are done outside of this function. */
332  memcpy(resized_buffer, *buffer,
333  (len_new < *len_old) ? len_new : *len_old);
334  mbedtls_zeroize_and_free(*buffer, *len_old);
335 
336  *buffer = resized_buffer;
337  *len_old = len_new;
338 
339  return 0;
340 }
341 
342 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
343  size_t in_buf_new_len,
344  size_t out_buf_new_len)
345 {
346  int modified = 0;
347  size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
348  size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
349  if (ssl->in_buf != NULL) {
350  written_in = ssl->in_msg - ssl->in_buf;
351  iv_offset_in = ssl->in_iv - ssl->in_buf;
352  len_offset_in = ssl->in_len - ssl->in_buf;
353  if (downsizing ?
354  ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
355  ssl->in_buf_len < in_buf_new_len) {
356  if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
357  MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
358  } else {
359  MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
360  in_buf_new_len));
361  modified = 1;
362  }
363  }
364  }
365 
366  if (ssl->out_buf != NULL) {
367  written_out = ssl->out_msg - ssl->out_buf;
368  iv_offset_out = ssl->out_iv - ssl->out_buf;
369  len_offset_out = ssl->out_len - ssl->out_buf;
370  if (downsizing ?
371  ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
372  ssl->out_buf_len < out_buf_new_len) {
373  if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
374  MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
375  } else {
376  MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
377  out_buf_new_len));
378  modified = 1;
379  }
380  }
381  }
382  if (modified) {
383  /* Update pointers here to avoid doing it twice. */
385  /* Fields below might not be properly updated with record
386  * splitting or with CID, so they are manually updated here. */
387  ssl->out_msg = ssl->out_buf + written_out;
388  ssl->out_len = ssl->out_buf + len_offset_out;
389  ssl->out_iv = ssl->out_buf + iv_offset_out;
390 
391  ssl->in_msg = ssl->in_buf + written_in;
392  ssl->in_len = ssl->in_buf + len_offset_in;
393  ssl->in_iv = ssl->in_buf + iv_offset_in;
394  }
395 }
396 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
397 
398 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
399 
400 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
401 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
402  const char *label,
403  const unsigned char *random, size_t rlen,
404  unsigned char *dstbuf, size_t dlen);
405 
406 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
407 
408 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
409 
410 /* Type for the TLS PRF */
411 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
412  const unsigned char *, size_t,
413  unsigned char *, size_t);
414 
416 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
417  int ciphersuite,
418  const unsigned char master[48],
419 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
420  int encrypt_then_mac,
421 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
422  ssl_tls_prf_t tls_prf,
423  const unsigned char randbytes[64],
424  mbedtls_ssl_protocol_version tls_version,
425  unsigned endpoint,
426  const mbedtls_ssl_context *ssl);
427 
428 #if defined(MBEDTLS_MD_CAN_SHA256)
430 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
431  const char *label,
432  const unsigned char *random, size_t rlen,
433  unsigned char *dstbuf, size_t dlen);
434 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
435 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
436 
437 #endif /* MBEDTLS_MD_CAN_SHA256*/
438 
439 #if defined(MBEDTLS_MD_CAN_SHA384)
441 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
442  const char *label,
443  const unsigned char *random, size_t rlen,
444  unsigned char *dstbuf, size_t dlen);
445 
446 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
447 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
448 #endif /* MBEDTLS_MD_CAN_SHA384*/
449 
451 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
452  const unsigned char *buf,
453  size_t len);
454 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
455 
456 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
457 
458 #if defined(MBEDTLS_MD_CAN_SHA256)
459 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
460 #endif /* MBEDTLS_MD_CAN_SHA256*/
461 
462 #if defined(MBEDTLS_MD_CAN_SHA384)
463 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
464 #endif /* MBEDTLS_MD_CAN_SHA384*/
465 
467  const unsigned char *secret, size_t slen,
468  const char *label,
469  const unsigned char *random, size_t rlen,
470  unsigned char *dstbuf, size_t dlen)
471 {
472  mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
473 
474  switch (prf) {
475 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
476 #if defined(MBEDTLS_MD_CAN_SHA384)
478  tls_prf = tls_prf_sha384;
479  break;
480 #endif /* MBEDTLS_MD_CAN_SHA384*/
481 #if defined(MBEDTLS_MD_CAN_SHA256)
483  tls_prf = tls_prf_sha256;
484  break;
485 #endif /* MBEDTLS_MD_CAN_SHA256*/
486 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
487  default:
489  }
490 
491  return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
492 }
493 
494 #if defined(MBEDTLS_X509_CRT_PARSE_C)
495 static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
496 {
497 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
498  if (session->peer_cert != NULL) {
499  mbedtls_x509_crt_free(session->peer_cert);
500  mbedtls_free(session->peer_cert);
501  session->peer_cert = NULL;
502  }
503 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
504  if (session->peer_cert_digest != NULL) {
505  /* Zeroization is not necessary. */
506  mbedtls_free(session->peer_cert_digest);
507  session->peer_cert_digest = NULL;
508  session->peer_cert_digest_type = MBEDTLS_MD_NONE;
509  session->peer_cert_digest_len = 0;
510  }
511 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
512 }
513 #endif /* MBEDTLS_X509_CRT_PARSE_C */
514 
515 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
516 {
517  switch (extension_type) {
520 
523 
526 
529 
532 
535 
538 
541 
542  case MBEDTLS_TLS_EXT_SCT:
543  return MBEDTLS_SSL_EXT_ID_SCT;
544 
547 
550 
553 
556 
559 
562 
565 
568 
571 
574 
577 
580 
583 
586 
589 
592 
595 
598 
601 
602  }
603 
605 }
606 
607 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
608 {
609  return 1 << mbedtls_ssl_get_extension_id(extension_type);
610 }
611 
612 #if defined(MBEDTLS_DEBUG_C)
613 static const char *extension_name_table[] = {
614  [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
615  [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
616  [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
617  [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
618  [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
619  [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
620  [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
621  [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
622  [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
623  [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
624  [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
625  [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
626  [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
627  [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
628  [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
629  [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
630  [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
631  [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
632  [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
633  [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
634  [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
635  [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
636  [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
637  [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
638  [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
639  [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
640  [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
641  [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
642  [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
643 };
644 
645 static const unsigned int extension_type_table[] = {
675 };
676 
677 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
678 {
679  return extension_name_table[
680  mbedtls_ssl_get_extension_id(extension_type)];
681 }
682 
683 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
684 {
685  switch (hs_msg_type) {
687  return "ClientHello";
689  return "ServerHello";
691  return "HelloRetryRequest";
693  return "NewSessionTicket";
695  return "EncryptedExtensions";
697  return "Certificate";
699  return "CertificateRequest";
700  }
701  return "Unknown";
702 }
703 
705  int level, const char *file, int line,
706  int hs_msg_type, unsigned int extension_type,
707  const char *extra_msg0, const char *extra_msg1)
708 {
709  const char *extra_msg;
710  if (extra_msg0 && extra_msg1) {
712  ssl, level, file, line,
713  "%s: %s(%u) extension %s %s.",
714  ssl_tls13_get_hs_msg_name(hs_msg_type),
715  mbedtls_ssl_get_extension_name(extension_type),
716  extension_type,
717  extra_msg0, extra_msg1);
718  return;
719  }
720 
721  extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
722  if (extra_msg) {
724  ssl, level, file, line,
725  "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
726  mbedtls_ssl_get_extension_name(extension_type), extension_type,
727  extra_msg);
728  return;
729  }
730 
732  ssl, level, file, line,
733  "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
734  mbedtls_ssl_get_extension_name(extension_type), extension_type);
735 }
736 
738  int level, const char *file, int line,
739  int hs_msg_type, uint32_t extensions_mask,
740  const char *extra)
741 {
742 
743  for (unsigned i = 0;
744  i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
745  i++) {
747  ssl, level, file, line, hs_msg_type, extension_type_table[i],
748  extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
749  }
750 }
751 
752 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
753 static const char *ticket_flag_name_table[] =
754 {
755  [0] = "ALLOW_PSK_RESUMPTION",
756  [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
757  [3] = "ALLOW_EARLY_DATA",
758 };
759 
761  int level, const char *file, int line,
762  unsigned int flags)
763 {
764  size_t i;
765 
766  mbedtls_debug_print_msg(ssl, level, file, line,
767  "print ticket_flags (0x%02x)", flags);
768 
769  flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
770 
771  for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
772  if ((flags & (1 << i))) {
773  mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
774  ticket_flag_name_table[i]);
775  }
776  }
777 }
778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
779 
780 #endif /* MBEDTLS_DEBUG_C */
781 
783  const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
784 {
785  ((void) ciphersuite_info);
786 
787 #if defined(MBEDTLS_MD_CAN_SHA384)
788  if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
789  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
790  } else
791 #endif
792 #if defined(MBEDTLS_MD_CAN_SHA256)
793  if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
794  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
795  } else
796 #endif
797  {
798  MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
799  return;
800  }
801 }
802 
804  unsigned hs_type,
805  size_t total_hs_len)
806 {
807  unsigned char hs_hdr[4];
808 
809  /* Build HS header for checksum update. */
810  hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
811  hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
812  hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
813  hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
814 
815  return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
816 }
817 
819  unsigned hs_type,
820  unsigned char const *msg,
821  size_t msg_len)
822 {
823  int ret;
824  ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
825  if (ret != 0) {
826  return ret;
827  }
828  return ssl->handshake->update_checksum(ssl, msg, msg_len);
829 }
830 
832 {
833 #if defined(MBEDTLS_MD_CAN_SHA256) || \
834  defined(MBEDTLS_MD_CAN_SHA384)
835 #if defined(MBEDTLS_USE_PSA_CRYPTO)
836  psa_status_t status;
837 #else
839 #endif
840 #else /* SHA-256 or SHA-384 */
841  ((void) ssl);
842 #endif /* SHA-256 or SHA-384 */
843 #if defined(MBEDTLS_MD_CAN_SHA256)
844 #if defined(MBEDTLS_USE_PSA_CRYPTO)
845  status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
846  if (status != PSA_SUCCESS) {
847  return mbedtls_md_error_from_psa(status);
848  }
849  status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
850  if (status != PSA_SUCCESS) {
851  return mbedtls_md_error_from_psa(status);
852  }
853 #else
854  mbedtls_md_free(&ssl->handshake->fin_sha256);
855  mbedtls_md_init(&ssl->handshake->fin_sha256);
856  ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
858  0);
859  if (ret != 0) {
860  return ret;
861  }
862  ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
863  if (ret != 0) {
864  return ret;
865  }
866 #endif
867 #endif
868 #if defined(MBEDTLS_MD_CAN_SHA384)
869 #if defined(MBEDTLS_USE_PSA_CRYPTO)
870  status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
871  if (status != PSA_SUCCESS) {
872  return mbedtls_md_error_from_psa(status);
873  }
874  status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
875  if (status != PSA_SUCCESS) {
876  return mbedtls_md_error_from_psa(status);
877  }
878 #else
879  mbedtls_md_free(&ssl->handshake->fin_sha384);
880  mbedtls_md_init(&ssl->handshake->fin_sha384);
881  ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
883  if (ret != 0) {
884  return ret;
885  }
886  ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
887  if (ret != 0) {
888  return ret;
889  }
890 #endif
891 #endif
892  return 0;
893 }
894 
895 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
896  const unsigned char *buf, size_t len)
897 {
898 #if defined(MBEDTLS_MD_CAN_SHA256) || \
899  defined(MBEDTLS_MD_CAN_SHA384)
900 #if defined(MBEDTLS_USE_PSA_CRYPTO)
901  psa_status_t status;
902 #else
904 #endif
905 #else /* SHA-256 or SHA-384 */
906  ((void) ssl);
907  (void) buf;
908  (void) len;
909 #endif /* SHA-256 or SHA-384 */
910 #if defined(MBEDTLS_MD_CAN_SHA256)
911 #if defined(MBEDTLS_USE_PSA_CRYPTO)
912  status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
913  if (status != PSA_SUCCESS) {
914  return mbedtls_md_error_from_psa(status);
915  }
916 #else
917  ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
918  if (ret != 0) {
919  return ret;
920  }
921 #endif
922 #endif
923 #if defined(MBEDTLS_MD_CAN_SHA384)
924 #if defined(MBEDTLS_USE_PSA_CRYPTO)
925  status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
926  if (status != PSA_SUCCESS) {
927  return mbedtls_md_error_from_psa(status);
928  }
929 #else
930  ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
931  if (ret != 0) {
932  return ret;
933  }
934 #endif
935 #endif
936  return 0;
937 }
938 
939 #if defined(MBEDTLS_MD_CAN_SHA256)
940 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
941  const unsigned char *buf, size_t len)
942 {
943 #if defined(MBEDTLS_USE_PSA_CRYPTO)
945  &ssl->handshake->fin_sha256_psa, buf, len));
946 #else
947  return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
948 #endif
949 }
950 #endif
951 
952 #if defined(MBEDTLS_MD_CAN_SHA384)
953 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
954  const unsigned char *buf, size_t len)
955 {
956 #if defined(MBEDTLS_USE_PSA_CRYPTO)
958  &ssl->handshake->fin_sha384_psa, buf, len));
959 #else
960  return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
961 #endif
962 }
963 #endif
964 
965 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
966 {
967  memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
968 
969 #if defined(MBEDTLS_MD_CAN_SHA256)
970 #if defined(MBEDTLS_USE_PSA_CRYPTO)
971  handshake->fin_sha256_psa = psa_hash_operation_init();
972 #else
973  mbedtls_md_init(&handshake->fin_sha256);
974 #endif
975 #endif
976 #if defined(MBEDTLS_MD_CAN_SHA384)
977 #if defined(MBEDTLS_USE_PSA_CRYPTO)
978  handshake->fin_sha384_psa = psa_hash_operation_init();
979 #else
980  mbedtls_md_init(&handshake->fin_sha384);
981 #endif
982 #endif
983 
984  handshake->update_checksum = ssl_update_checksum_start;
985 
986 #if defined(MBEDTLS_DHM_C)
987  mbedtls_dhm_init(&handshake->dhm_ctx);
988 #endif
989 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
990  defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
991  mbedtls_ecdh_init(&handshake->ecdh_ctx);
992 #endif
993 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
994 #if defined(MBEDTLS_USE_PSA_CRYPTO)
995  handshake->psa_pake_ctx = psa_pake_operation_init();
996  handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
997 #else
998  mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
999 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1000 #if defined(MBEDTLS_SSL_CLI_C)
1001  handshake->ecjpake_cache = NULL;
1002  handshake->ecjpake_cache_len = 0;
1003 #endif
1004 #endif
1005 
1006 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1007  mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
1008 #endif
1009 
1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1011  handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1012 #endif
1013 
1014 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1015  !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1016  mbedtls_pk_init(&handshake->peer_pubkey);
1017 #endif
1018 }
1019 
1021 {
1022  memset(transform, 0, sizeof(mbedtls_ssl_transform));
1023 
1024 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1025  transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1026  transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1027 #else
1028  mbedtls_cipher_init(&transform->cipher_ctx_enc);
1029  mbedtls_cipher_init(&transform->cipher_ctx_dec);
1030 #endif
1031 
1032 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1033 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1034  transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1035  transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1036 #else
1037  mbedtls_md_init(&transform->md_ctx_enc);
1038  mbedtls_md_init(&transform->md_ctx_dec);
1039 #endif
1040 #endif
1041 }
1042 
1044 {
1045  memset(session, 0, sizeof(mbedtls_ssl_session));
1046 }
1047 
1049 static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1050 {
1052 
1053  /* Clear old handshake information if present */
1054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1055  if (ssl->transform_negotiate) {
1056  mbedtls_ssl_transform_free(ssl->transform_negotiate);
1057  }
1058 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1059  if (ssl->session_negotiate) {
1060  mbedtls_ssl_session_free(ssl->session_negotiate);
1061  }
1062  if (ssl->handshake) {
1064  }
1065 
1066 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1067  /*
1068  * Either the pointers are now NULL or cleared properly and can be freed.
1069  * Now allocate missing structures.
1070  */
1071  if (ssl->transform_negotiate == NULL) {
1072  ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1073  }
1074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1075 
1076  if (ssl->session_negotiate == NULL) {
1077  ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1078  }
1079 
1080  if (ssl->handshake == NULL) {
1081  ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1082  }
1083 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1084  /* If the buffers are too small - reallocate */
1085 
1086  handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1088 #endif
1089 
1090  /* All pointers should exist and can be directly freed without issue */
1091  if (ssl->handshake == NULL ||
1092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1093  ssl->transform_negotiate == NULL ||
1094 #endif
1095  ssl->session_negotiate == NULL) {
1096  MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1097 
1098  mbedtls_free(ssl->handshake);
1099  ssl->handshake = NULL;
1100 
1101 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1102  mbedtls_free(ssl->transform_negotiate);
1103  ssl->transform_negotiate = NULL;
1104 #endif
1105 
1106  mbedtls_free(ssl->session_negotiate);
1107  ssl->session_negotiate = NULL;
1108 
1110  }
1111 
1112 #if defined(MBEDTLS_SSL_EARLY_DATA)
1113 #if defined(MBEDTLS_SSL_CLI_C)
1114  ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
1115 #endif
1116 #if defined(MBEDTLS_SSL_SRV_C)
1117  ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1118 #endif
1119  ssl->total_early_data_size = 0;
1120 #endif /* MBEDTLS_SSL_EARLY_DATA */
1121 
1122  /* Initialize structures */
1123  mbedtls_ssl_session_init(ssl->session_negotiate);
1124  ssl_handshake_params_init(ssl->handshake);
1125 
1126 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1127  mbedtls_ssl_transform_init(ssl->transform_negotiate);
1128 #endif
1129 
1130  /* Setup handshake checksums */
1131  ret = mbedtls_ssl_reset_checksum(ssl);
1132  if (ret != 0) {
1133  MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1134  return ret;
1135  }
1136 
1137 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1138  defined(MBEDTLS_SSL_SRV_C) && \
1139  defined(MBEDTLS_SSL_SESSION_TICKETS)
1140  ssl->handshake->new_session_tickets_count =
1141  ssl->conf->new_session_tickets_count;
1142 #endif
1143 
1144 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1145  if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1146  ssl->handshake->alt_transform_out = ssl->transform_out;
1147 
1148  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1149  ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1150  } else {
1151  ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1152  }
1153 
1154  mbedtls_ssl_set_timer(ssl, 0);
1155  }
1156 #endif
1157 
1158 /*
1159  * curve_list is translated to IANA TLS group identifiers here because
1160  * mbedtls_ssl_conf_curves returns void and so can't return
1161  * any error codes.
1162  */
1163 #if defined(MBEDTLS_ECP_C)
1164 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1165  /* Heap allocate and translate curve_list from internal to IANA group ids */
1166  if (ssl->conf->curve_list != NULL) {
1167  size_t length;
1168  const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1169 
1170  for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
1171  }
1172 
1173  /* Leave room for zero termination */
1174  uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1175  if (group_list == NULL) {
1177  }
1178 
1179  for (size_t i = 0; i < length; i++) {
1181  curve_list[i]);
1182  if (tls_id == 0) {
1183  mbedtls_free(group_list);
1185  }
1186  group_list[i] = tls_id;
1187  }
1188 
1189  group_list[length] = 0;
1190 
1191  ssl->handshake->group_list = group_list;
1192  ssl->handshake->group_list_heap_allocated = 1;
1193  } else {
1194  ssl->handshake->group_list = ssl->conf->group_list;
1195  ssl->handshake->group_list_heap_allocated = 0;
1196  }
1197 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1198 #endif /* MBEDTLS_ECP_C */
1199 
1200 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1201 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1202 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1203  /* Heap allocate and translate sig_hashes from internal hash identifiers to
1204  signature algorithms IANA identifiers. */
1205  if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1206  ssl->conf->sig_hashes != NULL) {
1207  const int *md;
1208  const int *sig_hashes = ssl->conf->sig_hashes;
1209  size_t sig_algs_len = 0;
1210  uint16_t *p;
1211 
1213  <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1214  "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1215 
1216  for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1218  continue;
1219  }
1220 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1221  sig_algs_len += sizeof(uint16_t);
1222 #endif
1223 
1224 #if defined(MBEDTLS_RSA_C)
1225  sig_algs_len += sizeof(uint16_t);
1226 #endif
1227  if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1229  }
1230  }
1231 
1232  if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1234  }
1235 
1236  ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1237  sizeof(uint16_t));
1238  if (ssl->handshake->sig_algs == NULL) {
1240  }
1241 
1242  p = (uint16_t *) ssl->handshake->sig_algs;
1243  for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1244  unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1245  if (hash == MBEDTLS_SSL_HASH_NONE) {
1246  continue;
1247  }
1248 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1249  *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1250  p++;
1251 #endif
1252 #if defined(MBEDTLS_RSA_C)
1253  *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1254  p++;
1255 #endif
1256  }
1257  *p = MBEDTLS_TLS_SIG_NONE;
1258  ssl->handshake->sig_algs_heap_allocated = 1;
1259  } else
1260 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1261  {
1262  ssl->handshake->sig_algs_heap_allocated = 0;
1263  }
1264 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1265 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1266  return 0;
1267 }
1268 
1269 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1270 /* Dummy cookie callbacks for defaults */
1272 static int ssl_cookie_write_dummy(void *ctx,
1273  unsigned char **p, unsigned char *end,
1274  const unsigned char *cli_id, size_t cli_id_len)
1275 {
1276  ((void) ctx);
1277  ((void) p);
1278  ((void) end);
1279  ((void) cli_id);
1280  ((void) cli_id_len);
1281 
1283 }
1284 
1286 static int ssl_cookie_check_dummy(void *ctx,
1287  const unsigned char *cookie, size_t cookie_len,
1288  const unsigned char *cli_id, size_t cli_id_len)
1289 {
1290  ((void) ctx);
1291  ((void) cookie);
1292  ((void) cookie_len);
1293  ((void) cli_id);
1294  ((void) cli_id_len);
1295 
1297 }
1298 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1299 
1300 /*
1301  * Initialize an SSL context
1302  */
1304 {
1305  memset(ssl, 0, sizeof(mbedtls_ssl_context));
1306 }
1307 
1309 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1310 {
1311  const mbedtls_ssl_config *conf = ssl->conf;
1312 
1313 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1314  if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1315  if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1316  MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1318  }
1319 
1320  MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1321  return 0;
1322  }
1323 #endif
1324 
1325 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1326  if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1327  MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1328  return 0;
1329  }
1330 #endif
1331 
1332 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1333  if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1334  if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1335  MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1337  }
1338 
1339  MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1340  return 0;
1341  }
1342 #endif
1343 
1344  MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1346 }
1347 
1349 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1350 {
1351  int ret;
1352  ret = ssl_conf_version_check(ssl);
1353  if (ret != 0) {
1354  return ret;
1355  }
1356 
1357 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1358  /* RFC 8446 section 4.4.3
1359  *
1360  * If the verification fails, the receiver MUST terminate the handshake with
1361  * a "decrypt_error" alert.
1362  *
1363  * If the client is configured as TLS 1.3 only with optional verify, return
1364  * bad config.
1365  *
1366  */
1367  if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
1368  (mbedtls_ssl_context *) ssl) &&
1369  ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
1370  ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1371  ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1372  ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
1374  1, ("Optional verify auth mode "
1375  "is not available for TLS 1.3 client"));
1377  }
1378 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1379 
1380  if (ssl->conf->f_rng == NULL) {
1381  MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1382  return MBEDTLS_ERR_SSL_NO_RNG;
1383  }
1384 
1385  /* Space for further checks */
1386 
1387  return 0;
1388 }
1389 
1390 /*
1391  * Setup an SSL context
1392  */
1393 
1395  const mbedtls_ssl_config *conf)
1396 {
1398  size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1399  size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1400 
1401  ssl->conf = conf;
1402 
1403  if ((ret = ssl_conf_check(ssl)) != 0) {
1404  return ret;
1405  }
1406  ssl->tls_version = ssl->conf->max_tls_version;
1407 
1408  /*
1409  * Prepare base structures
1410  */
1411 
1412  /* Set to NULL in case of an error condition */
1413  ssl->out_buf = NULL;
1414 
1415 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1416  ssl->in_buf_len = in_buf_len;
1417 #endif
1418  ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1419  if (ssl->in_buf == NULL) {
1420  MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1422  goto error;
1423  }
1424 
1425 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1426  ssl->out_buf_len = out_buf_len;
1427 #endif
1428  ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1429  if (ssl->out_buf == NULL) {
1430  MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1432  goto error;
1433  }
1434 
1436 
1437 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1438  memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1439 #endif
1440 
1441  if ((ret = ssl_handshake_init(ssl)) != 0) {
1442  goto error;
1443  }
1444 
1445  return 0;
1446 
1447 error:
1448  mbedtls_free(ssl->in_buf);
1449  mbedtls_free(ssl->out_buf);
1450 
1451  ssl->conf = NULL;
1452 
1453 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1454  ssl->in_buf_len = 0;
1455  ssl->out_buf_len = 0;
1456 #endif
1457  ssl->in_buf = NULL;
1458  ssl->out_buf = NULL;
1459 
1460  ssl->in_hdr = NULL;
1461  ssl->in_ctr = NULL;
1462  ssl->in_len = NULL;
1463  ssl->in_iv = NULL;
1464  ssl->in_msg = NULL;
1465 
1466  ssl->out_hdr = NULL;
1467  ssl->out_ctr = NULL;
1468  ssl->out_len = NULL;
1469  ssl->out_iv = NULL;
1470  ssl->out_msg = NULL;
1471 
1472  return ret;
1473 }
1474 
1475 /*
1476  * Reset an initialized and used SSL context for re-use while retaining
1477  * all application-set variables, function pointers and data.
1478  *
1479  * If partial is non-zero, keep data in the input buffer and client ID.
1480  * (Use when a DTLS client reconnects from the same port.)
1481  */
1483  int partial)
1484 {
1485 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1486  size_t in_buf_len = ssl->in_buf_len;
1487  size_t out_buf_len = ssl->out_buf_len;
1488 #else
1489  size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1490  size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1491 #endif
1492 
1493 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1494  partial = 0;
1495 #endif
1496 
1497  /* Cancel any possibly running timer */
1498  mbedtls_ssl_set_timer(ssl, 0);
1499 
1501 
1502  /* Reset incoming message parsing */
1503  ssl->in_offt = NULL;
1504  ssl->nb_zero = 0;
1505  ssl->in_msgtype = 0;
1506  ssl->in_msglen = 0;
1507  ssl->in_hslen = 0;
1508  ssl->keep_current_message = 0;
1509  ssl->transform_in = NULL;
1510 
1511 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1512  ssl->next_record_offset = 0;
1513  ssl->in_epoch = 0;
1514 #endif
1515 
1516  /* Keep current datagram if partial == 1 */
1517  if (partial == 0) {
1518  ssl->in_left = 0;
1519  memset(ssl->in_buf, 0, in_buf_len);
1520  }
1521 
1522  ssl->send_alert = 0;
1523 
1524  /* Reset outgoing message writing */
1525  ssl->out_msgtype = 0;
1526  ssl->out_msglen = 0;
1527  ssl->out_left = 0;
1528  memset(ssl->out_buf, 0, out_buf_len);
1529  memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1530  ssl->transform_out = NULL;
1531 
1532 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1534 #endif
1535 
1536 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1537  if (ssl->transform) {
1538  mbedtls_ssl_transform_free(ssl->transform);
1539  mbedtls_free(ssl->transform);
1540  ssl->transform = NULL;
1541  }
1542 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1543 
1544 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1545  mbedtls_ssl_transform_free(ssl->transform_application);
1546  mbedtls_free(ssl->transform_application);
1547  ssl->transform_application = NULL;
1548 
1549  if (ssl->handshake != NULL) {
1550 #if defined(MBEDTLS_SSL_EARLY_DATA)
1551  mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1552  mbedtls_free(ssl->handshake->transform_earlydata);
1553  ssl->handshake->transform_earlydata = NULL;
1554 #endif
1555 
1556  mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1557  mbedtls_free(ssl->handshake->transform_handshake);
1558  ssl->handshake->transform_handshake = NULL;
1559  }
1560 
1561 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1562 }
1563 
1565 {
1567 
1568  ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
1569  ssl->tls_version = ssl->conf->max_tls_version;
1570 
1572 
1573  /* Reset renegotiation state */
1574 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1575  ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1576  ssl->renego_records_seen = 0;
1577 
1578  ssl->verify_data_len = 0;
1579  memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1580  memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1581 #endif
1582  ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1583 
1584  ssl->session_in = NULL;
1585  ssl->session_out = NULL;
1586  if (ssl->session) {
1587  mbedtls_ssl_session_free(ssl->session);
1588  mbedtls_free(ssl->session);
1589  ssl->session = NULL;
1590  }
1591 
1592 #if defined(MBEDTLS_SSL_ALPN)
1593  ssl->alpn_chosen = NULL;
1594 #endif
1595 
1596 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1597  int free_cli_id = 1;
1598 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1599  free_cli_id = (partial == 0);
1600 #endif
1601  if (free_cli_id) {
1602  mbedtls_free(ssl->cli_id);
1603  ssl->cli_id = NULL;
1604  ssl->cli_id_len = 0;
1605  }
1606 #endif
1607 
1608  if ((ret = ssl_handshake_init(ssl)) != 0) {
1609  return ret;
1610  }
1611 
1612  return 0;
1613 }
1614 
1615 /*
1616  * Reset an initialized and used SSL context for re-use while retaining
1617  * all application-set variables, function pointers and data.
1618  */
1620 {
1621  return mbedtls_ssl_session_reset_int(ssl, 0);
1622 }
1623 
1624 /*
1625  * SSL set accessors
1626  */
1627 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1628 {
1629  conf->endpoint = endpoint;
1630 }
1631 
1632 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1633 {
1634  conf->transport = transport;
1635 }
1636 
1637 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1639 {
1640  conf->anti_replay = mode;
1641 }
1642 #endif
1643 
1644 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1645 {
1646  conf->badmac_limit = limit;
1647 }
1648 
1649 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1650 
1652  unsigned allow_packing)
1653 {
1654  ssl->disable_datagram_packing = !allow_packing;
1655 }
1656 
1659 {
1660  conf->hs_timeout_min = min;
1661  conf->hs_timeout_max = max;
1662 }
1663 #endif
1664 
1665 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1666 {
1667  conf->authmode = authmode;
1668 }
1669 
1670 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1672  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1673  void *p_vrfy)
1674 {
1675  conf->f_vrfy = f_vrfy;
1676  conf->p_vrfy = p_vrfy;
1677 }
1678 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1679 
1681  int (*f_rng)(void *, unsigned char *, size_t),
1682  void *p_rng)
1683 {
1684  conf->f_rng = f_rng;
1685  conf->p_rng = p_rng;
1686 }
1687 
1689  void (*f_dbg)(void *, int, const char *, int, const char *),
1690  void *p_dbg)
1691 {
1692  conf->f_dbg = f_dbg;
1693  conf->p_dbg = p_dbg;
1694 }
1695 
1697  void *p_bio,
1698  mbedtls_ssl_send_t *f_send,
1699  mbedtls_ssl_recv_t *f_recv,
1700  mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1701 {
1702  ssl->p_bio = p_bio;
1703  ssl->f_send = f_send;
1704  ssl->f_recv = f_recv;
1705  ssl->f_recv_timeout = f_recv_timeout;
1706 }
1707 
1708 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1710 {
1711  ssl->mtu = mtu;
1712 }
1713 #endif
1714 
1716 {
1717  conf->read_timeout = timeout;
1718 }
1719 
1721  void *p_timer,
1722  mbedtls_ssl_set_timer_t *f_set_timer,
1723  mbedtls_ssl_get_timer_t *f_get_timer)
1724 {
1725  ssl->p_timer = p_timer;
1726  ssl->f_set_timer = f_set_timer;
1727  ssl->f_get_timer = f_get_timer;
1728 
1729  /* Make sure we start with no timer running */
1730  mbedtls_ssl_set_timer(ssl, 0);
1731 }
1732 
1733 #if defined(MBEDTLS_SSL_SRV_C)
1735  void *p_cache,
1736  mbedtls_ssl_cache_get_t *f_get_cache,
1737  mbedtls_ssl_cache_set_t *f_set_cache)
1738 {
1739  conf->p_cache = p_cache;
1740  conf->f_get_cache = f_get_cache;
1741  conf->f_set_cache = f_set_cache;
1742 }
1743 #endif /* MBEDTLS_SSL_SRV_C */
1744 
1745 #if defined(MBEDTLS_SSL_CLI_C)
1747 {
1749 
1750  if (ssl == NULL ||
1751  session == NULL ||
1752  ssl->session_negotiate == NULL ||
1753  ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1755  }
1756 
1757  if (ssl->handshake->resume == 1) {
1759  }
1760 
1761 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1762  if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1763  const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1764  mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1765 
1767  ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1769  MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1770  session->ciphersuite));
1772  }
1773  }
1774 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1775 
1776  if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1777  session)) != 0) {
1778  return ret;
1779  }
1780 
1781  ssl->handshake->resume = 1;
1782 
1783  return 0;
1784 }
1785 #endif /* MBEDTLS_SSL_CLI_C */
1786 
1788  const int *ciphersuites)
1789 {
1790  conf->ciphersuite_list = ciphersuites;
1791 }
1792 
1793 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1795  const int kex_modes)
1796 {
1797  conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1798 }
1799 
1800 #if defined(MBEDTLS_SSL_EARLY_DATA)
1801 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1802  int early_data_enabled)
1803 {
1804  conf->early_data_enabled = early_data_enabled;
1805 }
1806 
1807 #if defined(MBEDTLS_SSL_SRV_C)
1808 void mbedtls_ssl_conf_max_early_data_size(
1809  mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1810 {
1811  conf->max_early_data_size = max_early_data_size;
1812 }
1813 #endif /* MBEDTLS_SSL_SRV_C */
1814 
1815 #endif /* MBEDTLS_SSL_EARLY_DATA */
1816 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1817 
1818 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1820  const mbedtls_x509_crt_profile *profile)
1821 {
1822  conf->cert_profile = profile;
1823 }
1824 
1825 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1826 {
1827  mbedtls_ssl_key_cert *cur = key_cert, *next;
1828 
1829  while (cur != NULL) {
1830  next = cur->next;
1831  mbedtls_free(cur);
1832  cur = next;
1833  }
1834 }
1835 
1836 /* Append a new keycert entry to a (possibly empty) list */
1838 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1839  mbedtls_x509_crt *cert,
1841 {
1842  mbedtls_ssl_key_cert *new_cert;
1843 
1844  if (cert == NULL) {
1845  /* Free list if cert is null */
1846  ssl_key_cert_free(*head);
1847  *head = NULL;
1848  return 0;
1849  }
1850 
1851  new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1852  if (new_cert == NULL) {
1854  }
1855 
1856  new_cert->cert = cert;
1857  new_cert->key = key;
1858  new_cert->next = NULL;
1859 
1860  /* Update head if the list was null, else add to the end */
1861  if (*head == NULL) {
1862  *head = new_cert;
1863  } else {
1864  mbedtls_ssl_key_cert *cur = *head;
1865  while (cur->next != NULL) {
1866  cur = cur->next;
1867  }
1868  cur->next = new_cert;
1869  }
1870 
1871  return 0;
1872 }
1873 
1875  mbedtls_x509_crt *own_cert,
1876  mbedtls_pk_context *pk_key)
1877 {
1878  return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1879 }
1880 
1882  mbedtls_x509_crt *ca_chain,
1883  mbedtls_x509_crl *ca_crl)
1884 {
1885  conf->ca_chain = ca_chain;
1886  conf->ca_crl = ca_crl;
1887 
1888 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1889  /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1890  * cannot be used together. */
1891  conf->f_ca_cb = NULL;
1892  conf->p_ca_cb = NULL;
1893 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1894 }
1895 
1896 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1897 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1898  mbedtls_x509_crt_ca_cb_t f_ca_cb,
1899  void *p_ca_cb)
1900 {
1901  conf->f_ca_cb = f_ca_cb;
1902  conf->p_ca_cb = p_ca_cb;
1903 
1904  /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1905  * cannot be used together. */
1906  conf->ca_chain = NULL;
1907  conf->ca_crl = NULL;
1908 }
1909 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1910 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1911 
1912 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1913 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1914  size_t *name_len)
1915 {
1916  *name_len = ssl->handshake->sni_name_len;
1917  return ssl->handshake->sni_name;
1918 }
1919 
1921  mbedtls_x509_crt *own_cert,
1922  mbedtls_pk_context *pk_key)
1923 {
1924  return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1925  own_cert, pk_key);
1926 }
1927 
1929  mbedtls_x509_crt *ca_chain,
1930  mbedtls_x509_crl *ca_crl)
1931 {
1932  ssl->handshake->sni_ca_chain = ca_chain;
1933  ssl->handshake->sni_ca_crl = ca_crl;
1934 }
1935 
1936 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
1938  const mbedtls_x509_crt *crt)
1939 {
1940  ssl->handshake->dn_hints = crt;
1941 }
1942 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1943 
1945  int authmode)
1946 {
1947  ssl->handshake->sni_authmode = authmode;
1948 }
1949 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1950 
1951 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1953  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1954  void *p_vrfy)
1955 {
1956  ssl->f_vrfy = f_vrfy;
1957  ssl->p_vrfy = p_vrfy;
1958 }
1959 #endif
1960 
1961 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1962 
1963 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1964 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1965 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1966 
1967 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1968  mbedtls_ssl_context *ssl,
1970 {
1971  psa_status_t status;
1973  const uint8_t *user = NULL;
1974  size_t user_len = 0;
1975  const uint8_t *peer = NULL;
1976  size_t peer_len = 0;
1977  psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1978  psa_pake_cs_set_primitive(&cipher_suite,
1981  256));
1982  psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1983 
1984  status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1985  if (status != PSA_SUCCESS) {
1986  return status;
1987  }
1988 
1989  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1990  user = jpake_server_id;
1991  user_len = sizeof(jpake_server_id);
1992  peer = jpake_client_id;
1993  peer_len = sizeof(jpake_client_id);
1994  } else {
1995  user = jpake_client_id;
1996  user_len = sizeof(jpake_client_id);
1997  peer = jpake_server_id;
1998  peer_len = sizeof(jpake_server_id);
1999  }
2000 
2001  status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
2002  if (status != PSA_SUCCESS) {
2003  return status;
2004  }
2005 
2006  status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
2007  if (status != PSA_SUCCESS) {
2008  return status;
2009  }
2010 
2011  status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
2012  if (status != PSA_SUCCESS) {
2013  return status;
2014  }
2015 
2016  ssl->handshake->psa_pake_ctx_is_ok = 1;
2017 
2018  return PSA_SUCCESS;
2019 }
2020 
2021 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2022  const unsigned char *pw,
2023  size_t pw_len)
2024 {
2026  psa_status_t status;
2027 
2028  if (ssl->handshake == NULL || ssl->conf == NULL) {
2030  }
2031 
2032  /* Empty password is not valid */
2033  if ((pw == NULL) || (pw_len == 0)) {
2035  }
2036 
2040 
2041  status = psa_import_key(&attributes, pw, pw_len,
2042  &ssl->handshake->psa_pake_password);
2043  if (status != PSA_SUCCESS) {
2045  }
2046 
2047  status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2048  ssl->handshake->psa_pake_password);
2049  if (status != PSA_SUCCESS) {
2050  psa_destroy_key(ssl->handshake->psa_pake_password);
2051  psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2053  }
2054 
2055  return 0;
2056 }
2057 
2058 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2060 {
2061  psa_status_t status;
2062 
2063  if (ssl->handshake == NULL || ssl->conf == NULL) {
2065  }
2066 
2067  if (mbedtls_svc_key_id_is_null(pwd)) {
2069  }
2070 
2071  status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2072  if (status != PSA_SUCCESS) {
2073  psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2075  }
2076 
2077  return 0;
2078 }
2079 #else /* MBEDTLS_USE_PSA_CRYPTO */
2080 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2081  const unsigned char *pw,
2082  size_t pw_len)
2083 {
2084  mbedtls_ecjpake_role role;
2085 
2086  if (ssl->handshake == NULL || ssl->conf == NULL) {
2088  }
2089 
2090  /* Empty password is not valid */
2091  if ((pw == NULL) || (pw_len == 0)) {
2093  }
2094 
2095  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2096  role = MBEDTLS_ECJPAKE_SERVER;
2097  } else {
2098  role = MBEDTLS_ECJPAKE_CLIENT;
2099  }
2100 
2101  return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2102  role,
2105  pw, pw_len);
2106 }
2107 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2108 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2109 
2110 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
2112 {
2113  if (conf->psk_identity == NULL ||
2114  conf->psk_identity_len == 0) {
2115  return 0;
2116  }
2117 
2118 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2119  if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2120  return 1;
2121  }
2122 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2123 
2124  if (conf->psk != NULL && conf->psk_len != 0) {
2125  return 1;
2126  }
2127 
2128  return 0;
2129 }
2130 
2131 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2132 {
2133  /* Remove reference to existing PSK, if any. */
2134 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2135  if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2136  /* The maintenance of the PSK key slot is the
2137  * user's responsibility. */
2138  conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2139  }
2140 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2141  if (conf->psk != NULL) {
2142  mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
2143  conf->psk = NULL;
2144  conf->psk_len = 0;
2145  }
2146 
2147  /* Remove reference to PSK identity, if any. */
2148  if (conf->psk_identity != NULL) {
2149  mbedtls_free(conf->psk_identity);
2150  conf->psk_identity = NULL;
2151  conf->psk_identity_len = 0;
2152  }
2153 }
2154 
2155 /* This function assumes that PSK identity in the SSL config is unset.
2156  * It checks that the provided identity is well-formed and attempts
2157  * to make a copy of it in the SSL config.
2158  * On failure, the PSK identity in the config remains unset. */
2160 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2161  unsigned char const *psk_identity,
2162  size_t psk_identity_len)
2163 {
2164  /* Identity len will be encoded on two bytes */
2165  if (psk_identity == NULL ||
2166  psk_identity_len == 0 ||
2167  (psk_identity_len >> 16) != 0 ||
2168  psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2170  }
2171 
2172  conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2173  if (conf->psk_identity == NULL) {
2175  }
2176 
2177  conf->psk_identity_len = psk_identity_len;
2178  memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2179 
2180  return 0;
2181 }
2182 
2184  const unsigned char *psk, size_t psk_len,
2185  const unsigned char *psk_identity, size_t psk_identity_len)
2186 {
2188 
2189  /* We currently only support one PSK, raw or opaque. */
2190  if (mbedtls_ssl_conf_has_static_psk(conf)) {
2192  }
2193 
2194  /* Check and set raw PSK */
2195  if (psk == NULL) {
2197  }
2198  if (psk_len == 0) {
2200  }
2201  if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2203  }
2204 
2205  if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2207  }
2208  conf->psk_len = psk_len;
2209  memcpy(conf->psk, psk, conf->psk_len);
2210 
2211  /* Check and set PSK Identity */
2212  ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2213  if (ret != 0) {
2214  ssl_conf_remove_psk(conf);
2215  }
2216 
2217  return ret;
2218 }
2219 
2220 static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2221 {
2222 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2223  if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2224  /* The maintenance of the external PSK key slot is the
2225  * user's responsibility. */
2226  if (ssl->handshake->psk_opaque_is_internal) {
2227  psa_destroy_key(ssl->handshake->psk_opaque);
2228  ssl->handshake->psk_opaque_is_internal = 0;
2229  }
2230  ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2231  }
2232 #else
2233  if (ssl->handshake->psk != NULL) {
2234  mbedtls_zeroize_and_free(ssl->handshake->psk,
2235  ssl->handshake->psk_len);
2236  ssl->handshake->psk_len = 0;
2237  }
2238 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2239 }
2240 
2242  const unsigned char *psk, size_t psk_len)
2243 {
2244 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2245  psa_key_attributes_t key_attributes = psa_key_attributes_init();
2249 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2250 
2251  if (psk == NULL || ssl->handshake == NULL) {
2253  }
2254 
2255  if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2257  }
2258 
2259  ssl_remove_psk(ssl);
2260 
2261 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2262 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2263  if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2264  if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2266  } else {
2268  }
2270  }
2271 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2272 
2273 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2274  if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2276  psa_set_key_usage_flags(&key_attributes,
2278  }
2279 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2280 
2281  psa_set_key_algorithm(&key_attributes, alg);
2282  psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2283 
2284  status = psa_import_key(&key_attributes, psk, psk_len, &key);
2285  if (status != PSA_SUCCESS) {
2287  }
2288 
2289  /* Allow calling psa_destroy_key() on psk remove */
2290  ssl->handshake->psk_opaque_is_internal = 1;
2291  return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2292 #else
2293  if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2295  }
2296 
2297  ssl->handshake->psk_len = psk_len;
2298  memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2299 
2300  return 0;
2301 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2302 }
2303 
2304 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2305 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2307  const unsigned char *psk_identity,
2308  size_t psk_identity_len)
2309 {
2311 
2312  /* We currently only support one PSK, raw or opaque. */
2313  if (mbedtls_ssl_conf_has_static_psk(conf)) {
2315  }
2316 
2317  /* Check and set opaque PSK */
2318  if (mbedtls_svc_key_id_is_null(psk)) {
2320  }
2321  conf->psk_opaque = psk;
2322 
2323  /* Check and set PSK Identity */
2324  ret = ssl_conf_set_psk_identity(conf, psk_identity,
2325  psk_identity_len);
2326  if (ret != 0) {
2327  ssl_conf_remove_psk(conf);
2328  }
2329 
2330  return ret;
2331 }
2332 
2333 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2335 {
2336  if ((mbedtls_svc_key_id_is_null(psk)) ||
2337  (ssl->handshake == NULL)) {
2339  }
2340 
2341  ssl_remove_psk(ssl);
2342  ssl->handshake->psk_opaque = psk;
2343  return 0;
2344 }
2345 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2346 
2347 #if defined(MBEDTLS_SSL_SRV_C)
2349  int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2350  size_t),
2351  void *p_psk)
2352 {
2353  conf->f_psk = f_psk;
2354  conf->p_psk = p_psk;
2355 }
2356 #endif /* MBEDTLS_SSL_SRV_C */
2357 
2358 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2359 
2360 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2361 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2362  psa_algorithm_t alg)
2363 {
2364 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2365  if (alg == PSA_ALG_CBC_NO_PADDING) {
2366  return MBEDTLS_SSL_MODE_CBC;
2367  }
2368 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2369  if (PSA_ALG_IS_AEAD(alg)) {
2370  return MBEDTLS_SSL_MODE_AEAD;
2371  }
2372  return MBEDTLS_SSL_MODE_STREAM;
2373 }
2374 
2375 #else /* MBEDTLS_USE_PSA_CRYPTO */
2376 
2377 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2379 {
2380 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2381  if (mode == MBEDTLS_MODE_CBC) {
2382  return MBEDTLS_SSL_MODE_CBC;
2383  }
2384 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2385 
2386 #if defined(MBEDTLS_GCM_C) || \
2387  defined(MBEDTLS_CCM_C) || \
2388  defined(MBEDTLS_CHACHAPOLY_C)
2389  if (mode == MBEDTLS_MODE_GCM ||
2390  mode == MBEDTLS_MODE_CCM ||
2392  return MBEDTLS_SSL_MODE_AEAD;
2393  }
2394 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2395 
2396  return MBEDTLS_SSL_MODE_STREAM;
2397 }
2398 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2399 
2400 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2401  mbedtls_ssl_mode_t base_mode,
2402  int encrypt_then_mac)
2403 {
2404 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2405  if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2406  base_mode == MBEDTLS_SSL_MODE_CBC) {
2407  return MBEDTLS_SSL_MODE_CBC_ETM;
2408  }
2409 #else
2410  (void) encrypt_then_mac;
2411 #endif
2412  return base_mode;
2413 }
2414 
2417 {
2418  mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2419 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2420  transform->psa_alg
2421 #else
2422  mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2423 #endif
2424  );
2425 
2426  int encrypt_then_mac = 0;
2427 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2428  encrypt_then_mac = transform->encrypt_then_mac;
2429 #endif
2430  return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2431 }
2432 
2434 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2435  int encrypt_then_mac,
2436 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2437  const mbedtls_ssl_ciphersuite_t *suite)
2438 {
2440 
2441 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2442  psa_status_t status;
2443  psa_algorithm_t alg;
2445  size_t size;
2446  status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2447  0, &alg, &type, &size);
2448  if (status == PSA_SUCCESS) {
2449  base_mode = mbedtls_ssl_get_base_mode(alg);
2450  }
2451 #else
2452  const mbedtls_cipher_info_t *cipher =
2454  if (cipher != NULL) {
2455  base_mode =
2456  mbedtls_ssl_get_base_mode(
2458  }
2459 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2460 
2461 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2462  int encrypt_then_mac = 0;
2463 #endif
2464  return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2465 }
2466 
2467 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2468 
2470  size_t taglen,
2471  psa_algorithm_t *alg,
2472  psa_key_type_t *key_type,
2473  size_t *key_size)
2474 {
2475 #if !defined(MBEDTLS_SSL_HAVE_CCM)
2476  (void) taglen;
2477 #endif
2478  switch (mbedtls_cipher_type) {
2479 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2481  *alg = PSA_ALG_CBC_NO_PADDING;
2482  *key_type = PSA_KEY_TYPE_AES;
2483  *key_size = 128;
2484  break;
2485 #endif
2486 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2488  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2489  *key_type = PSA_KEY_TYPE_AES;
2490  *key_size = 128;
2491  break;
2492 #endif
2493 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2495  *alg = PSA_ALG_GCM;
2496  *key_type = PSA_KEY_TYPE_AES;
2497  *key_size = 128;
2498  break;
2499 #endif
2500 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2502  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2503  *key_type = PSA_KEY_TYPE_AES;
2504  *key_size = 192;
2505  break;
2506 #endif
2507 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2509  *alg = PSA_ALG_GCM;
2510  *key_type = PSA_KEY_TYPE_AES;
2511  *key_size = 192;
2512  break;
2513 #endif
2514 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2516  *alg = PSA_ALG_CBC_NO_PADDING;
2517  *key_type = PSA_KEY_TYPE_AES;
2518  *key_size = 256;
2519  break;
2520 #endif
2521 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2523  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2524  *key_type = PSA_KEY_TYPE_AES;
2525  *key_size = 256;
2526  break;
2527 #endif
2528 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2530  *alg = PSA_ALG_GCM;
2531  *key_type = PSA_KEY_TYPE_AES;
2532  *key_size = 256;
2533  break;
2534 #endif
2535 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2537  *alg = PSA_ALG_CBC_NO_PADDING;
2538  *key_type = PSA_KEY_TYPE_ARIA;
2539  *key_size = 128;
2540  break;
2541 #endif
2542 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2544  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2545  *key_type = PSA_KEY_TYPE_ARIA;
2546  *key_size = 128;
2547  break;
2548 #endif
2549 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2551  *alg = PSA_ALG_GCM;
2552  *key_type = PSA_KEY_TYPE_ARIA;
2553  *key_size = 128;
2554  break;
2555 #endif
2556 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2558  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2559  *key_type = PSA_KEY_TYPE_ARIA;
2560  *key_size = 192;
2561  break;
2562 #endif
2563 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2565  *alg = PSA_ALG_GCM;
2566  *key_type = PSA_KEY_TYPE_ARIA;
2567  *key_size = 192;
2568  break;
2569 #endif
2570 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2572  *alg = PSA_ALG_CBC_NO_PADDING;
2573  *key_type = PSA_KEY_TYPE_ARIA;
2574  *key_size = 256;
2575  break;
2576 #endif
2577 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2579  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2580  *key_type = PSA_KEY_TYPE_ARIA;
2581  *key_size = 256;
2582  break;
2583 #endif
2584 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2586  *alg = PSA_ALG_GCM;
2587  *key_type = PSA_KEY_TYPE_ARIA;
2588  *key_size = 256;
2589  break;
2590 #endif
2591 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2593  *alg = PSA_ALG_CBC_NO_PADDING;
2594  *key_type = PSA_KEY_TYPE_CAMELLIA;
2595  *key_size = 128;
2596  break;
2597 #endif
2598 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2600  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2601  *key_type = PSA_KEY_TYPE_CAMELLIA;
2602  *key_size = 128;
2603  break;
2604 #endif
2605 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2607  *alg = PSA_ALG_GCM;
2608  *key_type = PSA_KEY_TYPE_CAMELLIA;
2609  *key_size = 128;
2610  break;
2611 #endif
2612 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2614  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2615  *key_type = PSA_KEY_TYPE_CAMELLIA;
2616  *key_size = 192;
2617  break;
2618 #endif
2619 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2621  *alg = PSA_ALG_GCM;
2622  *key_type = PSA_KEY_TYPE_CAMELLIA;
2623  *key_size = 192;
2624  break;
2625 #endif
2626 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2628  *alg = PSA_ALG_CBC_NO_PADDING;
2629  *key_type = PSA_KEY_TYPE_CAMELLIA;
2630  *key_size = 256;
2631  break;
2632 #endif
2633 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2635  *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2636  *key_type = PSA_KEY_TYPE_CAMELLIA;
2637  *key_size = 256;
2638  break;
2639 #endif
2640 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2642  *alg = PSA_ALG_GCM;
2643  *key_type = PSA_KEY_TYPE_CAMELLIA;
2644  *key_size = 256;
2645  break;
2646 #endif
2647 #if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
2650  *key_type = PSA_KEY_TYPE_CHACHA20;
2651  *key_size = 256;
2652  break;
2653 #endif
2654  case MBEDTLS_CIPHER_NULL:
2655  *alg = MBEDTLS_SSL_NULL_CIPHER;
2656  *key_type = 0;
2657  *key_size = 0;
2658  break;
2659  default:
2660  return PSA_ERROR_NOT_SUPPORTED;
2661  }
2662 
2663  return PSA_SUCCESS;
2664 }
2665 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2666 
2667 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
2669  const unsigned char *dhm_P, size_t P_len,
2670  const unsigned char *dhm_G, size_t G_len)
2671 {
2673 
2674  mbedtls_mpi_free(&conf->dhm_P);
2675  mbedtls_mpi_free(&conf->dhm_G);
2676 
2677  if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2678  (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2679  mbedtls_mpi_free(&conf->dhm_P);
2680  mbedtls_mpi_free(&conf->dhm_G);
2681  return ret;
2682  }
2683 
2684  return 0;
2685 }
2686 
2688 {
2690 
2691  mbedtls_mpi_free(&conf->dhm_P);
2692  mbedtls_mpi_free(&conf->dhm_G);
2693 
2694  if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2695  &conf->dhm_P)) != 0 ||
2697  &conf->dhm_G)) != 0) {
2698  mbedtls_mpi_free(&conf->dhm_P);
2699  mbedtls_mpi_free(&conf->dhm_G);
2700  return ret;
2701  }
2702 
2703  return 0;
2704 }
2705 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2706 
2707 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2708 /*
2709  * Set the minimum length for Diffie-Hellman parameters
2710  */
2712  unsigned int bitlen)
2713 {
2714  conf->dhm_min_bitlen = bitlen;
2715 }
2716 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2717 
2718 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2719 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2720 /*
2721  * Set allowed/preferred hashes for handshake signatures
2722  */
2724  const int *hashes)
2725 {
2726  conf->sig_hashes = hashes;
2727 }
2728 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2729 
2730 /* Configure allowed signature algorithms for handshake */
2732  const uint16_t *sig_algs)
2733 {
2734 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2735  conf->sig_hashes = NULL;
2736 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2737  conf->sig_algs = sig_algs;
2738 }
2739 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2740 
2741 #if defined(MBEDTLS_ECP_C)
2742 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2743 /*
2744  * Set the allowed elliptic curves
2745  *
2746  * mbedtls_ssl_setup() takes the provided list
2747  * and translates it to a list of IANA TLS group identifiers,
2748  * stored in ssl->handshake->group_list.
2749  *
2750  */
2752  const mbedtls_ecp_group_id *curve_list)
2753 {
2754  conf->curve_list = curve_list;
2755  conf->group_list = NULL;
2756 }
2757 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2758 #endif /* MBEDTLS_ECP_C */
2759 
2760 /*
2761  * Set the allowed groups
2762  */
2764  const uint16_t *group_list)
2765 {
2766 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2767  conf->curve_list = NULL;
2768 #endif
2769  conf->group_list = group_list;
2770 }
2771 
2772 #if defined(MBEDTLS_X509_CRT_PARSE_C)
2773 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2774 {
2775  /* Initialize to suppress unnecessary compiler warning */
2776  size_t hostname_len = 0;
2777 
2778  /* Check if new hostname is valid before
2779  * making any change to current one */
2780  if (hostname != NULL) {
2781  hostname_len = strlen(hostname);
2782 
2783  if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2785  }
2786  }
2787 
2788  /* Now it's clear that we will overwrite the old hostname,
2789  * so we can free it safely */
2790 
2791  if (ssl->hostname != NULL) {
2792  mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2793  }
2794 
2795  /* Passing NULL as hostname shall clear the old one */
2796 
2797  if (hostname == NULL) {
2798  ssl->hostname = NULL;
2799  } else {
2800  ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2801  if (ssl->hostname == NULL) {
2803  }
2804 
2805  memcpy(ssl->hostname, hostname, hostname_len);
2806 
2807  ssl->hostname[hostname_len] = '\0';
2808  }
2809 
2810  return 0;
2811 }
2812 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2813 
2814 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2816  int (*f_sni)(void *, mbedtls_ssl_context *,
2817  const unsigned char *, size_t),
2818  void *p_sni)
2819 {
2820  conf->f_sni = f_sni;
2821  conf->p_sni = p_sni;
2822 }
2823 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2824 
2825 #if defined(MBEDTLS_SSL_ALPN)
2826 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
2827 {
2828  size_t cur_len, tot_len;
2829  const char **p;
2830 
2831  /*
2832  * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2833  * MUST NOT be truncated."
2834  * We check lengths now rather than later.
2835  */
2836  tot_len = 0;
2837  for (p = protos; *p != NULL; p++) {
2838  cur_len = strlen(*p);
2839  tot_len += cur_len;
2840 
2841  if ((cur_len == 0) ||
2842  (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2843  (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2845  }
2846  }
2847 
2848  conf->alpn_list = protos;
2849 
2850  return 0;
2851 }
2852 
2853 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
2854 {
2855  return ssl->alpn_chosen;
2856 }
2857 #endif /* MBEDTLS_SSL_ALPN */
2858 
2859 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2860 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2861  int support_mki_value)
2862 {
2863  conf->dtls_srtp_mki_support = support_mki_value;
2864 }
2865 
2866 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2867  unsigned char *mki_value,
2868  uint16_t mki_len)
2869 {
2870  if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2872  }
2873 
2874  if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2876  }
2877 
2878  memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
2879  ssl->dtls_srtp_info.mki_len = mki_len;
2880  return 0;
2881 }
2882 
2883 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2884  const mbedtls_ssl_srtp_profile *profiles)
2885 {
2886  const mbedtls_ssl_srtp_profile *p;
2887  size_t list_size = 0;
2888 
2889  /* check the profiles list: all entry must be valid,
2890  * its size cannot be more than the total number of supported profiles, currently 4 */
2891  for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2892  list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2893  p++) {
2894  if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
2895  list_size++;
2896  } else {
2897  /* unsupported value, stop parsing and set the size to an error value */
2898  list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
2899  }
2900  }
2901 
2902  if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2903  conf->dtls_srtp_profile_list = NULL;
2904  conf->dtls_srtp_profile_list_len = 0;
2906  }
2907 
2908  conf->dtls_srtp_profile_list = profiles;
2909  conf->dtls_srtp_profile_list_len = list_size;
2910 
2911  return 0;
2912 }
2913 
2914 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2915  mbedtls_dtls_srtp_info *dtls_srtp_info)
2916 {
2917  dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2918  /* do not copy the mki value if there is no chosen profile */
2919  if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
2920  dtls_srtp_info->mki_len = 0;
2921  } else {
2922  dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
2923  memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2924  ssl->dtls_srtp_info.mki_len);
2925  }
2926 }
2927 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2928 
2929 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2930 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
2931 {
2932  conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2933 }
2934 
2935 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
2936 {
2937  conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2938 }
2939 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2940 
2941 #if defined(MBEDTLS_SSL_SRV_C)
2943  char cert_req_ca_list)
2944 {
2945  conf->cert_req_ca_list = cert_req_ca_list;
2946 }
2947 #endif
2948 
2949 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2951 {
2952  conf->encrypt_then_mac = etm;
2953 }
2954 #endif
2955 
2956 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2958 {
2959  conf->extended_ms = ems;
2960 }
2961 #endif
2962 
2963 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2964 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
2965 {
2966  if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
2967  ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
2969  }
2970 
2971  conf->mfl_code = mfl_code;
2972 
2973  return 0;
2974 }
2975 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2976 
2977 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
2978 {
2979  conf->allow_legacy_renegotiation = allow_legacy;
2980 }
2981 
2982 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2983 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
2984 {
2985  conf->disable_renegotiation = renegotiation;
2986 }
2987 
2989 {
2990  conf->renego_max_records = max_records;
2991 }
2992 
2994  const unsigned char period[8])
2995 {
2996  memcpy(conf->renego_period, period, 8);
2997 }
2998 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2999 
3000 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3001 #if defined(MBEDTLS_SSL_CLI_C)
3002 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
3003 {
3004  conf->session_tickets = use_tickets;
3005 }
3006 #endif
3007 
3008 #if defined(MBEDTLS_SSL_SRV_C)
3009 
3010 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
3012  uint16_t num_tickets)
3013 {
3014  conf->new_session_tickets_count = num_tickets;
3015 }
3016 #endif
3017 
3019  mbedtls_ssl_ticket_write_t *f_ticket_write,
3020  mbedtls_ssl_ticket_parse_t *f_ticket_parse,
3021  void *p_ticket)
3022 {
3023  conf->f_ticket_write = f_ticket_write;
3024  conf->f_ticket_parse = f_ticket_parse;
3025  conf->p_ticket = p_ticket;
3026 }
3027 #endif
3028 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3029 
3031  mbedtls_ssl_export_keys_t *f_export_keys,
3032  void *p_export_keys)
3033 {
3034  ssl->f_export_keys = f_export_keys;
3035  ssl->p_export_keys = p_export_keys;
3036 }
3037 
3038 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3039 void mbedtls_ssl_conf_async_private_cb(
3040  mbedtls_ssl_config *conf,
3041  mbedtls_ssl_async_sign_t *f_async_sign,
3042  mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3043  mbedtls_ssl_async_resume_t *f_async_resume,
3044  mbedtls_ssl_async_cancel_t *f_async_cancel,
3045  void *async_config_data)
3046 {
3047  conf->f_async_sign_start = f_async_sign;
3048  conf->f_async_decrypt_start = f_async_decrypt;
3049  conf->f_async_resume = f_async_resume;
3050  conf->f_async_cancel = f_async_cancel;
3051  conf->p_async_config_data = async_config_data;
3052 }
3053 
3054 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3055 {
3056  return conf->p_async_config_data;
3057 }
3058 
3059 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3060 {
3061  if (ssl->handshake == NULL) {
3062  return NULL;
3063  } else {
3064  return ssl->handshake->user_async_ctx;
3065  }
3066 }
3067 
3068 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3069  void *ctx)
3070 {
3071  if (ssl->handshake != NULL) {
3072  ssl->handshake->user_async_ctx = ctx;
3073  }
3074 }
3075 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3076 
3077 /*
3078  * SSL get accessors
3079  */
3081 {
3082  if (ssl->session != NULL) {
3083  return ssl->session->verify_result;
3084  }
3085 
3086  if (ssl->session_negotiate != NULL) {
3087  return ssl->session_negotiate->verify_result;
3088  }
3089 
3090  return 0xFFFFFFFF;
3091 }
3092 
3094 {
3095  if (ssl == NULL || ssl->session == NULL) {
3096  return 0;
3097  }
3098 
3099  return ssl->session->ciphersuite;
3100 }
3101 
3102 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3103 {
3104  if (ssl == NULL || ssl->session == NULL) {
3105  return NULL;
3106  }
3107 
3108  return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3109 }
3110 
3111 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3112 {
3113 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3114  if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3115  switch (ssl->tls_version) {
3117  return "DTLSv1.2";
3118  default:
3119  return "unknown (DTLS)";
3120  }
3121  }
3122 #endif
3123 
3124  switch (ssl->tls_version) {
3126  return "TLSv1.2";
3128  return "TLSv1.3";
3129  default:
3130  return "unknown";
3131  }
3132 }
3133 
3134 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3135 
3136 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
3137 {
3138  const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3139  size_t record_size_limit = max_len;
3140 
3141  if (ssl->session != NULL &&
3142  ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3143  ssl->session->record_size_limit < max_len) {
3144  record_size_limit = ssl->session->record_size_limit;
3145  }
3146 
3147  // TODO: this is currently untested
3148  /* During a handshake, use the value being negotiated */
3149  if (ssl->session_negotiate != NULL &&
3150  ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3151  ssl->session_negotiate->record_size_limit < max_len) {
3152  record_size_limit = ssl->session_negotiate->record_size_limit;
3153  }
3154 
3155  return record_size_limit;
3156 }
3157 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3158 
3159 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3161 {
3162  size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3163  size_t read_mfl;
3164 
3165 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3166  /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3167  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3168  ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3169  return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3170  }
3171 #endif
3172 
3173  /* Check if a smaller max length was negotiated */
3174  if (ssl->session_out != NULL) {
3175  read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3176  if (read_mfl < max_len) {
3177  max_len = read_mfl;
3178  }
3179  }
3180 
3181  /* During a handshake, use the value being negotiated */
3182  if (ssl->session_negotiate != NULL) {
3183  read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3184  if (read_mfl < max_len) {
3185  max_len = read_mfl;
3186  }
3187  }
3188 
3189  return max_len;
3190 }
3191 
3193 {
3194  size_t max_len;
3195 
3196  /*
3197  * Assume mfl_code is correct since it was checked when set
3198  */
3199  max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3200 
3201  /* Check if a smaller max length was negotiated */
3202  if (ssl->session_out != NULL &&
3203  ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3204  max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3205  }
3206 
3207  /* During a handshake, use the value being negotiated */
3208  if (ssl->session_negotiate != NULL &&
3209  ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3210  max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3211  }
3212 
3213  return max_len;
3214 }
3215 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3216 
3217 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3219 {
3220  /* Return unlimited mtu for client hello messages to avoid fragmentation. */
3221  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3222  (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
3223  ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
3224  return 0;
3225  }
3226 
3227  if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3228  return ssl->mtu;
3229  }
3230 
3231  if (ssl->mtu == 0) {
3232  return ssl->handshake->mtu;
3233  }
3234 
3235  return ssl->mtu < ssl->handshake->mtu ?
3236  ssl->mtu : ssl->handshake->mtu;
3237 }
3238 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3239 
3241 {
3242  size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3243 
3244 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3245  !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
3246  !defined(MBEDTLS_SSL_PROTO_DTLS)
3247  (void) ssl;
3248 #endif
3249 
3250 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3251  const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3252 
3253  if (max_len > mfl) {
3254  max_len = mfl;
3255  }
3256 #endif
3257 
3258 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3259  const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
3260 
3261  if (max_len > record_size_limit) {
3262  max_len = record_size_limit;
3263  }
3264 #endif
3265 
3266  if (ssl->transform_out != NULL &&
3267  ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3268  /*
3269  * In TLS 1.3 case, when records are protected, `max_len` as computed
3270  * above is the maximum length of the TLSInnerPlaintext structure that
3271  * along the plaintext payload contains the inner content type (one byte)
3272  * and some zero padding. Given the algorithm used for padding
3273  * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
3274  * the plaintext payload. Round down to a multiple of
3275  * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
3276  * subtract 1.
3277  */
3278  max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
3280  }
3281 
3282 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3283  if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3284  const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3285  const int ret = mbedtls_ssl_get_record_expansion(ssl);
3286  const size_t overhead = (size_t) ret;
3287 
3288  if (ret < 0) {
3289  return ret;
3290  }
3291 
3292  if (mtu <= overhead) {
3293  MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3295  }
3296 
3297  if (max_len > mtu - overhead) {
3298  max_len = mtu - overhead;
3299  }
3300  }
3301 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3302 
3303 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3304  !defined(MBEDTLS_SSL_PROTO_DTLS) && \
3305  !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3306  ((void) ssl);
3307 #endif
3308 
3309  return (int) max_len;
3310 }
3311 
3313 {
3314  size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3315 
3316 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3317  (void) ssl;
3318 #endif
3319 
3320 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3321  const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3322 
3323  if (max_len > mfl) {
3324  max_len = mfl;
3325  }
3326 #endif
3327 
3328  return (int) max_len;
3329 }
3330 
3331 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3333 {
3334  if (ssl == NULL || ssl->session == NULL) {
3335  return NULL;
3336  }
3337 
3338 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3339  return ssl->session->peer_cert;
3340 #else
3341  return NULL;
3342 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3343 }
3344 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3345 
3346 #if defined(MBEDTLS_SSL_CLI_C)
3348  mbedtls_ssl_session *dst)
3349 {
3350  int ret;
3351 
3352  if (ssl == NULL ||
3353  dst == NULL ||
3354  ssl->session == NULL ||
3355  ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3357  }
3358 
3359  /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3360  * idempotent: Each session can only be exported once.
3361  *
3362  * (This is in preparation for TLS 1.3 support where we will
3363  * need the ability to export multiple sessions (aka tickets),
3364  * which will be achieved by calling mbedtls_ssl_get_session()
3365  * multiple times until it fails.)
3366  *
3367  * Check whether we have already exported the current session,
3368  * and fail if so.
3369  */
3370  if (ssl->session->exported == 1) {
3372  }
3373 
3374  ret = mbedtls_ssl_session_copy(dst, ssl->session);
3375  if (ret != 0) {
3376  return ret;
3377  }
3378 
3379  /* Remember that we've exported the session. */
3380  ssl->session->exported = 1;
3381  return 0;
3382 }
3383 #endif /* MBEDTLS_SSL_CLI_C */
3384 
3385 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3386 
3387 /* Serialization of TLS 1.2 sessions
3388  *
3389  * For more detail, see the description of ssl_session_save().
3390  */
3391 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3392  unsigned char *buf,
3393  size_t buf_len)
3394 {
3395  unsigned char *p = buf;
3396  size_t used = 0;
3397 
3398 #if defined(MBEDTLS_HAVE_TIME)
3399  uint64_t start;
3400 #endif
3401 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3402 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3403  size_t cert_len;
3404 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3405 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3406 
3407  /*
3408  * Time
3409  */
3410 #if defined(MBEDTLS_HAVE_TIME)
3411  used += 8;
3412 
3413  if (used <= buf_len) {
3414  start = (uint64_t) session->start;
3415 
3416  MBEDTLS_PUT_UINT64_BE(start, p, 0);
3417  p += 8;
3418  }
3419 #endif /* MBEDTLS_HAVE_TIME */
3420 
3421  /*
3422  * Basic mandatory fields
3423  */
3424  used += 1 /* id_len */
3425  + sizeof(session->id)
3426  + sizeof(session->master)
3427  + 4; /* verify_result */
3428 
3429  if (used <= buf_len) {
3430  *p++ = MBEDTLS_BYTE_0(session->id_len);
3431  memcpy(p, session->id, 32);
3432  p += 32;
3433 
3434  memcpy(p, session->master, 48);
3435  p += 48;
3436 
3437  MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3438  p += 4;
3439  }
3440 
3441  /*
3442  * Peer's end-entity certificate
3443  */
3444 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3445 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3446  if (session->peer_cert == NULL) {
3447  cert_len = 0;
3448  } else {
3449  cert_len = session->peer_cert->raw.len;
3450  }
3451 
3452  used += 3 + cert_len;
3453 
3454  if (used <= buf_len) {
3455  *p++ = MBEDTLS_BYTE_2(cert_len);
3456  *p++ = MBEDTLS_BYTE_1(cert_len);
3457  *p++ = MBEDTLS_BYTE_0(cert_len);
3458 
3459  if (session->peer_cert != NULL) {
3460  memcpy(p, session->peer_cert->raw.p, cert_len);
3461  p += cert_len;
3462  }
3463  }
3464 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3465  if (session->peer_cert_digest != NULL) {
3466  used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3467  if (used <= buf_len) {
3468  *p++ = (unsigned char) session->peer_cert_digest_type;
3469  *p++ = (unsigned char) session->peer_cert_digest_len;
3470  memcpy(p, session->peer_cert_digest,
3471  session->peer_cert_digest_len);
3472  p += session->peer_cert_digest_len;
3473  }
3474  } else {
3475  used += 2;
3476  if (used <= buf_len) {
3477  *p++ = (unsigned char) MBEDTLS_MD_NONE;
3478  *p++ = 0;
3479  }
3480  }
3481 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3482 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3483 
3484  /*
3485  * Session ticket if any, plus associated data
3486  */
3487 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3488 #if defined(MBEDTLS_SSL_CLI_C)
3489  if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3490  used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3491 
3492  if (used <= buf_len) {
3493  *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3494  *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3495  *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3496 
3497  if (session->ticket != NULL) {
3498  memcpy(p, session->ticket, session->ticket_len);
3499  p += session->ticket_len;
3500  }
3501 
3502  MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3503  p += 4;
3504  }
3505  }
3506 #endif /* MBEDTLS_SSL_CLI_C */
3507 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3508  if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3509  used += 8;
3510 
3511  if (used <= buf_len) {
3512  MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3513  p += 8;
3514  }
3515  }
3516 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3517 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3518 
3519  /*
3520  * Misc extension-related info
3521  */
3522 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3523  used += 1;
3524 
3525  if (used <= buf_len) {
3526  *p++ = session->mfl_code;
3527  }
3528 #endif
3529 
3530 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3531  used += 1;
3532 
3533  if (used <= buf_len) {
3534  *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3535  }
3536 #endif
3537 
3538  return used;
3539 }
3540 
3542 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3543  const unsigned char *buf,
3544  size_t len)
3545 {
3546 #if defined(MBEDTLS_HAVE_TIME)
3547  uint64_t start;
3548 #endif
3549 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3550 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3551  size_t cert_len;
3552 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3553 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3554 
3555  const unsigned char *p = buf;
3556  const unsigned char * const end = buf + len;
3557 
3558  /*
3559  * Time
3560  */
3561 #if defined(MBEDTLS_HAVE_TIME)
3562  if (8 > (size_t) (end - p)) {
3564  }
3565 
3566  start = MBEDTLS_GET_UINT64_BE(p, 0);
3567  p += 8;
3568 
3569  session->start = (time_t) start;
3570 #endif /* MBEDTLS_HAVE_TIME */
3571 
3572  /*
3573  * Basic mandatory fields
3574  */
3575  if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3577  }
3578 
3579  session->id_len = *p++;
3580  memcpy(session->id, p, 32);
3581  p += 32;
3582 
3583  memcpy(session->master, p, 48);
3584  p += 48;
3585 
3586  session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3587  p += 4;
3588 
3589  /* Immediately clear invalid pointer values that have been read, in case
3590  * we exit early before we replaced them with valid ones. */
3591 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3592 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3593  session->peer_cert = NULL;
3594 #else
3595  session->peer_cert_digest = NULL;
3596 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3597 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3598 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3599  session->ticket = NULL;
3600 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3601 
3602  /*
3603  * Peer certificate
3604  */
3605 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3606 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3607  /* Deserialize CRT from the end of the ticket. */
3608  if (3 > (size_t) (end - p)) {
3610  }
3611 
3612  cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3613  p += 3;
3614 
3615  if (cert_len != 0) {
3617 
3618  if (cert_len > (size_t) (end - p)) {
3620  }
3621 
3622  session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3623 
3624  if (session->peer_cert == NULL) {
3626  }
3627 
3628  mbedtls_x509_crt_init(session->peer_cert);
3629 
3630  if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3631  p, cert_len)) != 0) {
3632  mbedtls_x509_crt_free(session->peer_cert);
3633  mbedtls_free(session->peer_cert);
3634  session->peer_cert = NULL;
3635  return ret;
3636  }
3637 
3638  p += cert_len;
3639  }
3640 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3641  /* Deserialize CRT digest from the end of the ticket. */
3642  if (2 > (size_t) (end - p)) {
3644  }
3645 
3646  session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3647  session->peer_cert_digest_len = (size_t) *p++;
3648 
3649  if (session->peer_cert_digest_len != 0) {
3650  const mbedtls_md_info_t *md_info =
3651  mbedtls_md_info_from_type(session->peer_cert_digest_type);
3652  if (md_info == NULL) {
3654  }
3655  if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3657  }
3658 
3659  if (session->peer_cert_digest_len > (size_t) (end - p)) {
3661  }
3662 
3663  session->peer_cert_digest =
3664  mbedtls_calloc(1, session->peer_cert_digest_len);
3665  if (session->peer_cert_digest == NULL) {
3667  }
3668 
3669  memcpy(session->peer_cert_digest, p,
3670  session->peer_cert_digest_len);
3671  p += session->peer_cert_digest_len;
3672  }
3673 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3674 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3675 
3676  /*
3677  * Session ticket and associated data
3678  */
3679 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3680 #if defined(MBEDTLS_SSL_CLI_C)
3681  if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3682  if (3 > (size_t) (end - p)) {
3684  }
3685 
3686  session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3687  p += 3;
3688 
3689  if (session->ticket_len != 0) {
3690  if (session->ticket_len > (size_t) (end - p)) {
3692  }
3693 
3694  session->ticket = mbedtls_calloc(1, session->ticket_len);
3695  if (session->ticket == NULL) {
3697  }
3698 
3699  memcpy(session->ticket, p, session->ticket_len);
3700  p += session->ticket_len;
3701  }
3702 
3703  if (4 > (size_t) (end - p)) {
3705  }
3706 
3707  session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3708  p += 4;
3709  }
3710 #endif /* MBEDTLS_SSL_CLI_C */
3711 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3712  if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3713  if (8 > (size_t) (end - p)) {
3715  }
3716  session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3717  p += 8;
3718  }
3719 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3720 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3721 
3722  /*
3723  * Misc extension-related info
3724  */
3725 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3726  if (1 > (size_t) (end - p)) {
3728  }
3729 
3730  session->mfl_code = *p++;
3731 #endif
3732 
3733 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3734  if (1 > (size_t) (end - p)) {
3736  }
3737 
3738  session->encrypt_then_mac = *p++;
3739 #endif
3740 
3741  /* Done, should have consumed entire buffer */
3742  if (p != end) {
3744  }
3745 
3746  return 0;
3747 }
3748 
3749 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3750 
3751 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3752 /* Serialization of TLS 1.3 sessions:
3753  *
3754  * For more detail, see the description of ssl_session_save().
3755  */
3756 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3758 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3759  unsigned char *buf,
3760  size_t buf_len,
3761  size_t *olen)
3762 {
3763  unsigned char *p = buf;
3764 #if defined(MBEDTLS_SSL_CLI_C) && \
3765  defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3766  size_t hostname_len = (session->hostname == NULL) ?
3767  0 : strlen(session->hostname) + 1;
3768 #endif
3769 
3770 #if defined(MBEDTLS_SSL_SRV_C) && \
3771  defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3772  const size_t alpn_len = (session->ticket_alpn == NULL) ?
3773  0 : strlen(session->ticket_alpn) + 1;
3774 #endif
3775  size_t needed = 4 /* ticket_age_add */
3776  + 1 /* ticket_flags */
3777  + 1; /* resumption_key length */
3778 
3779  *olen = 0;
3780 
3781  if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3783  }
3784  needed += session->resumption_key_len; /* resumption_key */
3785 
3786 #if defined(MBEDTLS_SSL_EARLY_DATA)
3787  needed += 4; /* max_early_data_size */
3788 #endif
3789 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3790  needed += 2; /* record_size_limit */
3791 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3792 
3793 #if defined(MBEDTLS_HAVE_TIME)
3794  needed += 8; /* ticket_creation_time or ticket_reception_time */
3795 #endif
3796 
3797 #if defined(MBEDTLS_SSL_SRV_C)
3798  if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3799 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3800  needed += 2 /* alpn_len */
3801  + alpn_len; /* alpn */
3802 #endif
3803  }
3804 #endif /* MBEDTLS_SSL_SRV_C */
3805 
3806 #if defined(MBEDTLS_SSL_CLI_C)
3807  if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3808 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3809  needed += 2 /* hostname_len */
3810  + hostname_len; /* hostname */
3811 #endif
3812 
3813  needed += 4 /* ticket_lifetime */
3814  + 2; /* ticket_len */
3815 
3816  /* Check size_t overflow */
3817  if (session->ticket_len > SIZE_MAX - needed) {
3819  }
3820 
3821  needed += session->ticket_len; /* ticket */
3822  }
3823 #endif /* MBEDTLS_SSL_CLI_C */
3824 
3825  *olen = needed;
3826  if (needed > buf_len) {
3828  }
3829 
3830  MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3831  p[4] = session->ticket_flags;
3832 
3833  /* save resumption_key */
3834  p[5] = session->resumption_key_len;
3835  p += 6;
3836  memcpy(p, session->resumption_key, session->resumption_key_len);
3837  p += session->resumption_key_len;
3838 
3839 #if defined(MBEDTLS_SSL_EARLY_DATA)
3840  MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3841  p += 4;
3842 #endif
3843 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3844  MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3845  p += 2;
3846 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3847 
3848 #if defined(MBEDTLS_SSL_SRV_C)
3849  if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3850 #if defined(MBEDTLS_HAVE_TIME)
3851  MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3852  p += 8;
3853 #endif /* MBEDTLS_HAVE_TIME */
3854 
3855 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3856  MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3857  p += 2;
3858 
3859  if (alpn_len > 0) {
3860  /* save chosen alpn */
3861  memcpy(p, session->ticket_alpn, alpn_len);
3862  p += alpn_len;
3863  }
3864 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3865  }
3866 #endif /* MBEDTLS_SSL_SRV_C */
3867 
3868 #if defined(MBEDTLS_SSL_CLI_C)
3869  if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3870 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3871  MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3872  p += 2;
3873  if (hostname_len > 0) {
3874  /* save host name */
3875  memcpy(p, session->hostname, hostname_len);
3876  p += hostname_len;
3877  }
3878 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3879 
3880 #if defined(MBEDTLS_HAVE_TIME)
3881  MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3882  p += 8;
3883 #endif
3884  MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3885  p += 4;
3886 
3887  MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3888  p += 2;
3889 
3890  if (session->ticket != NULL && session->ticket_len > 0) {
3891  memcpy(p, session->ticket, session->ticket_len);
3892  p += session->ticket_len;
3893  }
3894  }
3895 #endif /* MBEDTLS_SSL_CLI_C */
3896  return 0;
3897 }
3898 
3900 static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3901  const unsigned char *buf,
3902  size_t len)
3903 {
3904  const unsigned char *p = buf;
3905  const unsigned char *end = buf + len;
3906 
3907  if (end - p < 6) {
3909  }
3910  session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3911  session->ticket_flags = p[4];
3912 
3913  /* load resumption_key */
3914  session->resumption_key_len = p[5];
3915  p += 6;
3916 
3917  if (end - p < session->resumption_key_len) {
3919  }
3920 
3921  if (sizeof(session->resumption_key) < session->resumption_key_len) {
3923  }
3924  memcpy(session->resumption_key, p, session->resumption_key_len);
3925  p += session->resumption_key_len;
3926 
3927 #if defined(MBEDTLS_SSL_EARLY_DATA)
3928  if (end - p < 4) {
3930  }
3931  session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3932  p += 4;
3933 #endif
3934 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3935  if (end - p < 2) {
3937  }
3938  session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
3939  p += 2;
3940 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3941 
3942 #if defined(MBEDTLS_SSL_SRV_C)
3943  if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3944 #if defined(MBEDTLS_HAVE_TIME)
3945  if (end - p < 8) {
3947  }
3948  session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3949  p += 8;
3950 #endif /* MBEDTLS_HAVE_TIME */
3951 
3952 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3953  size_t alpn_len;
3954 
3955  if (end - p < 2) {
3957  }
3958 
3959  alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
3960  p += 2;
3961 
3962  if (end - p < (long int) alpn_len) {
3964  }
3965 
3966  if (alpn_len > 0) {
3967  int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
3968  if (ret != 0) {
3969  return ret;
3970  }
3971  p += alpn_len;
3972  }
3973 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3974  }
3975 #endif /* MBEDTLS_SSL_SRV_C */
3976 
3977 #if defined(MBEDTLS_SSL_CLI_C)
3978  if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3979 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3980  size_t hostname_len;
3981  /* load host name */
3982  if (end - p < 2) {
3984  }
3985  hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
3986  p += 2;
3987 
3988  if (end - p < (long int) hostname_len) {
3990  }
3991  if (hostname_len > 0) {
3992  session->hostname = mbedtls_calloc(1, hostname_len);
3993  if (session->hostname == NULL) {
3995  }
3996  memcpy(session->hostname, p, hostname_len);
3997  p += hostname_len;
3998  }
3999 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4000 
4001 #if defined(MBEDTLS_HAVE_TIME)
4002  if (end - p < 8) {
4004  }
4005  session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
4006  p += 8;
4007 #endif
4008  if (end - p < 4) {
4010  }
4011  session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
4012  p += 4;
4013 
4014  if (end - p < 2) {
4016  }
4017  session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
4018  p += 2;
4019 
4020  if (end - p < (long int) session->ticket_len) {
4022  }
4023  if (session->ticket_len > 0) {
4024  session->ticket = mbedtls_calloc(1, session->ticket_len);
4025  if (session->ticket == NULL) {
4027  }
4028  memcpy(session->ticket, p, session->ticket_len);
4029  p += session->ticket_len;
4030  }
4031  }
4032 #endif /* MBEDTLS_SSL_CLI_C */
4033 
4034  return 0;
4035 
4036 }
4037 #else /* MBEDTLS_SSL_SESSION_TICKETS */
4039 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
4040  unsigned char *buf,
4041  size_t buf_len,
4042  size_t *olen)
4043 {
4044  ((void) session);
4045  ((void) buf);
4046  ((void) buf_len);
4047  *olen = 0;
4049 }
4050 
4051 static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
4052  unsigned char *buf,
4053  size_t buf_len)
4054 {
4055  ((void) session);
4056  ((void) buf);
4057  ((void) buf_len);
4059 }
4060 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */
4061 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4062 
4063 /*
4064  * Define ticket header determining Mbed TLS version
4065  * and structure of the ticket.
4066  */
4067 
4068 /*
4069  * Define bitflag determining compile-time settings influencing
4070  * structure of serialized SSL sessions.
4071  */
4072 
4073 #if defined(MBEDTLS_HAVE_TIME)
4074 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
4075 #else
4076 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
4077 #endif /* MBEDTLS_HAVE_TIME */
4078 
4079 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4080 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
4081 #else
4082 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
4083 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4084 
4085 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4086 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
4087 #else
4088 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
4089 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4090 
4091 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
4092 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
4093 #else
4094 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
4095 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4096 
4097 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4098 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
4099 #else
4100 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
4101 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4102 
4103 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4104 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
4105 #else
4106 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
4107 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4108 
4109 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4110 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4111 #else
4112 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4113 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4114 
4115 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4116 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
4117 #else
4118 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
4119 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4120 
4121 #if defined(MBEDTLS_SSL_EARLY_DATA)
4122 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
4123 #else
4124 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
4125 #endif /* MBEDTLS_SSL_EARLY_DATA */
4126 
4127 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4128 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
4129 #else
4130 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
4131 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4132 
4133 #if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
4134  defined(MBEDTLS_SSL_EARLY_DATA)
4135 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
4136 #else
4137 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
4138 #endif /* MBEDTLS_SSL_ALPN */
4139 
4140 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4141 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4142 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4143 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
4144 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4145 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
4146 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
4147 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
4148 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
4149 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
4150 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
4151 
4152 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
4153  ((uint16_t) ( \
4154  (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
4155  (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
4156  (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
4157  SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
4158  (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
4159  (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
4160  (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
4161  (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
4162  SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
4163  (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
4164  (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
4165  SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
4166  (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
4167  SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
4168  (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
4169  SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
4170 
4171 static const unsigned char ssl_serialized_session_header[] = {
4175  MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4176  MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4177 };
4178 
4179 /*
4180  * Serialize a session in the following format:
4181  * (in the presentation language of TLS, RFC 8446 section 3)
4182  *
4183  * TLS 1.2 session:
4184  *
4185  * struct {
4186  * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4187  * opaque ticket<0..2^24-1>; // length 0 means no ticket
4188  * uint32 ticket_lifetime;
4189  * #endif
4190  * } ClientOnlyData;
4191  *
4192  * struct {
4193  * #if defined(MBEDTLS_HAVE_TIME)
4194  * uint64 start_time;
4195  * #endif
4196  * uint8 session_id_len; // at most 32
4197  * opaque session_id[32];
4198  * opaque master[48]; // fixed length in the standard
4199  * uint32 verify_result;
4200  * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
4201  * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4202  * #else
4203  * uint8 peer_cert_digest_type;
4204  * opaque peer_cert_digest<0..2^8-1>
4205  * #endif
4206  * select (endpoint) {
4207  * case client: ClientOnlyData;
4208  * case server: uint64 ticket_creation_time;
4209  * };
4210  * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4211  * uint8 mfl_code; // up to 255 according to standard
4212  * #endif
4213  * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4214  * uint8 encrypt_then_mac; // 0 or 1
4215  * #endif
4216  * } serialized_session_tls12;
4217  *
4218  *
4219  * TLS 1.3 Session:
4220  *
4221  * struct {
4222  * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4223  * opaque hostname<0..2^16-1>;
4224  * #endif
4225  * #if defined(MBEDTLS_HAVE_TIME)
4226  * uint64 ticket_reception_time;
4227  * #endif
4228  * uint32 ticket_lifetime;
4229  * opaque ticket<1..2^16-1>;
4230  * } ClientOnlyData;
4231  *
4232  * struct {
4233  * uint32 ticket_age_add;
4234  * uint8 ticket_flags;
4235  * opaque resumption_key<0..255>;
4236  * #if defined(MBEDTLS_SSL_EARLY_DATA)
4237  * uint32 max_early_data_size;
4238  * #endif
4239  * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4240  * uint16 record_size_limit;
4241  * #endif
4242  * select ( endpoint ) {
4243  * case client: ClientOnlyData;
4244  * case server:
4245  * #if defined(MBEDTLS_HAVE_TIME)
4246  * uint64 ticket_creation_time;
4247  * #endif
4248  * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4249  * opaque ticket_alpn<0..256>;
4250  * #endif
4251  * };
4252  * } serialized_session_tls13;
4253  *
4254  *
4255  * SSL session:
4256  *
4257  * struct {
4258  *
4259  * opaque mbedtls_version[3]; // library version: major, minor, patch
4260  * opaque session_format[2]; // library-version specific 16-bit field
4261  * // determining the format of the remaining
4262  * // serialized data.
4263  *
4264  * Note: When updating the format, remember to keep
4265  * these version+format bytes.
4266  *
4267  * // In this version, `session_format` determines
4268  * // the setting of those compile-time
4269  * // configuration options which influence
4270  * // the structure of mbedtls_ssl_session.
4271  *
4272  * uint8_t minor_ver; // Protocol minor version. Possible values:
4273  * // - TLS 1.2 (0x0303)
4274  * // - TLS 1.3 (0x0304)
4275  * uint8_t endpoint;
4276  * uint16_t ciphersuite;
4277  *
4278  * select (serialized_session.tls_version) {
4279  *
4280  * case MBEDTLS_SSL_VERSION_TLS1_2:
4281  * serialized_session_tls12 data;
4282  * case MBEDTLS_SSL_VERSION_TLS1_3:
4283  * serialized_session_tls13 data;
4284  *
4285  * };
4286  *
4287  * } serialized_session;
4288  *
4289  */
4290 
4292 static int ssl_session_save(const mbedtls_ssl_session *session,
4293  unsigned char omit_header,
4294  unsigned char *buf,
4295  size_t buf_len,
4296  size_t *olen)
4297 {
4298  unsigned char *p = buf;
4299  size_t used = 0;
4300  size_t remaining_len;
4301 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4302  size_t out_len;
4304 #endif
4305  if (session == NULL) {
4307  }
4308 
4309  if (!omit_header) {
4310  /*
4311  * Add Mbed TLS version identifier
4312  */
4313  used += sizeof(ssl_serialized_session_header);
4314 
4315  if (used <= buf_len) {
4316  memcpy(p, ssl_serialized_session_header,
4317  sizeof(ssl_serialized_session_header));
4318  p += sizeof(ssl_serialized_session_header);
4319  }
4320  }
4321 
4322  /*
4323  * TLS version identifier, endpoint, ciphersuite
4324  */
4325  used += 1 /* TLS version */
4326  + 1 /* endpoint */
4327  + 2; /* ciphersuite */
4328  if (used <= buf_len) {
4329  *p++ = MBEDTLS_BYTE_0(session->tls_version);
4330  *p++ = session->endpoint;
4331  MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
4332  p += 2;
4333  }
4334 
4335  /* Forward to version-specific serialization routine. */
4336  remaining_len = (buf_len >= used) ? buf_len - used : 0;
4337  switch (session->tls_version) {
4338 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4340  used += ssl_tls12_session_save(session, p, remaining_len);
4341  break;
4342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4343 
4344 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4346  ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
4347  if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4348  return ret;
4349  }
4350  used += out_len;
4351  break;
4352 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4353 
4354  default:
4356  }
4357 
4358  *olen = used;
4359  if (used > buf_len) {
4361  }
4362 
4363  return 0;
4364 }
4365 
4366 /*
4367  * Public wrapper for ssl_session_save()
4368  */
4370  unsigned char *buf,
4371  size_t buf_len,
4372  size_t *olen)
4373 {
4374  return ssl_session_save(session, 0, buf, buf_len, olen);
4375 }
4376 
4377 /*
4378  * Deserialize session, see mbedtls_ssl_session_save() for format.
4379  *
4380  * This internal version is wrapped by a public function that cleans up in
4381  * case of error, and has an extra option omit_header.
4382  */
4384 static int ssl_session_load(mbedtls_ssl_session *session,
4385  unsigned char omit_header,
4386  const unsigned char *buf,
4387  size_t len)
4388 {
4389  const unsigned char *p = buf;
4390  const unsigned char * const end = buf + len;
4391  size_t remaining_len;
4392 
4393 
4394  if (session == NULL) {
4396  }
4397 
4398  if (!omit_header) {
4399  /*
4400  * Check Mbed TLS version identifier
4401  */
4402 
4403  if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4405  }
4406 
4407  if (memcmp(p, ssl_serialized_session_header,
4408  sizeof(ssl_serialized_session_header)) != 0) {
4410  }
4411  p += sizeof(ssl_serialized_session_header);
4412  }
4413 
4414  /*
4415  * TLS version identifier, endpoint, ciphersuite
4416  */
4417  if (4 > (size_t) (end - p)) {
4419  }
4420  session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
4421  session->endpoint = *p++;
4422  session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4423  p += 2;
4424 
4425  /* Dispatch according to TLS version. */
4426  remaining_len = (size_t) (end - p);
4427  switch (session->tls_version) {
4428 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4430  return ssl_tls12_session_load(session, p, remaining_len);
4431 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4432 
4433 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4435  return ssl_tls13_session_load(session, p, remaining_len);
4436 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4437 
4438  default:
4440  }
4441 }
4442 
4443 /*
4444  * Deserialize session: public wrapper for error cleaning
4445  */
4447  const unsigned char *buf,
4448  size_t len)
4449 {
4450  int ret = ssl_session_load(session, 0, buf, len);
4451 
4452  if (ret != 0) {
4453  mbedtls_ssl_session_free(session);
4454  }
4455 
4456  return ret;
4457 }
4458 
4459 /*
4460  * Perform a single step of the SSL handshake
4461  */
4463 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
4464 {
4466 
4467  /*
4468  * We may have not been able to send to the peer all the handshake data
4469  * that were written into the output buffer by the previous handshake step,
4470  * if the write to the network callback returned with the
4471  * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4472  * We proceed to the next handshake step only when all data from the
4473  * previous one have been sent to the peer, thus we make sure that this is
4474  * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4475  * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4476  * we have to wait before to go ahead.
4477  * In the case of TLS 1.3, handshake step handlers do not send data to the
4478  * peer. Data are only sent here and through
4479  * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
4480  * alert occurred.
4481  */
4482  if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4483  return ret;
4484  }
4485 
4486 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4487  if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4488  ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4489  if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4490  return ret;
4491  }
4492  }
4493 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4494 
4495  return ret;
4496 }
4497 
4499 {
4501 
4502  if (ssl == NULL ||
4503  ssl->conf == NULL ||
4504  ssl->handshake == NULL ||
4505  ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4507  }
4508 
4509  ret = ssl_prepare_handshake_step(ssl);
4510  if (ret != 0) {
4511  return ret;
4512  }
4513 
4515  if (ret != 0) {
4516  goto cleanup;
4517  }
4518 
4519  /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4520  * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4522 
4523 #if defined(MBEDTLS_SSL_CLI_C)
4524  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4525  MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
4527 
4528  switch (ssl->state) {
4530  ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4531  ret = 0;
4532  break;
4533 
4535  ret = mbedtls_ssl_write_client_hello(ssl);
4536  break;
4537 
4538  default:
4539 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4540  if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4542  } else {
4544  }
4545 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4547 #else
4549 #endif
4550  }
4551  }
4552 #endif /* MBEDTLS_SSL_CLI_C */
4553 
4554 #if defined(MBEDTLS_SSL_SRV_C)
4555  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4556 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4557  if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4559  } else {
4561  }
4562 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4564 #else
4566 #endif
4567  }
4568 #endif /* MBEDTLS_SSL_SRV_C */
4569 
4570  if (ret != 0) {
4571  /* handshake_step return error. And it is same
4572  * with alert_reason.
4573  */
4574  if (ssl->send_alert) {
4576  goto cleanup;
4577  }
4578  }
4579 
4580 cleanup:
4581  return ret;
4582 }
4583 
4584 /*
4585  * Perform the SSL handshake
4586  */
4588 {
4589  int ret = 0;
4590 
4591  /* Sanity checks */
4592 
4593  if (ssl == NULL || ssl->conf == NULL) {
4595  }
4596 
4597 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4598  if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4599  (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4600  MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4601  "mbedtls_ssl_set_timer_cb() for DTLS"));
4603  }
4604 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4605 
4606  MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
4607 
4608  /* Main handshake loop */
4609  while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4610  ret = mbedtls_ssl_handshake_step(ssl);
4611 
4612  if (ret != 0) {
4613  break;
4614  }
4615  }
4616 
4617  MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
4618 
4619  return ret;
4620 }
4621 
4622 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4623 #if defined(MBEDTLS_SSL_SRV_C)
4624 /*
4625  * Write HelloRequest to request renegotiation on server
4626  */
4628 static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
4629 {
4631 
4632  MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
4633 
4634  ssl->out_msglen = 4;
4635  ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4636  ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
4637 
4638  if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4639  MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4640  return ret;
4641  }
4642 
4643  MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
4644 
4645  return 0;
4646 }
4647 #endif /* MBEDTLS_SSL_SRV_C */
4648 
4649 /*
4650  * Actually renegotiate current connection, triggered by either:
4651  * - any side: calling mbedtls_ssl_renegotiate(),
4652  * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4653  * - server: receiving any handshake message on server during mbedtls_ssl_read() after
4654  * the initial handshake is completed.
4655  * If the handshake doesn't complete due to waiting for I/O, it will continue
4656  * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
4657  */
4659 {
4661 
4662  MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
4663 
4664  if ((ret = ssl_handshake_init(ssl)) != 0) {
4665  return ret;
4666  }
4667 
4668  /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4669  * the ServerHello will have message_seq = 1" */
4670 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4671  if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4672  ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4673  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4674  ssl->handshake->out_msg_seq = 1;
4675  } else {
4676  ssl->handshake->in_msg_seq = 1;
4677  }
4678  }
4679 #endif
4680 
4681  ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
4682  ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
4683 
4684  if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4685  MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4686  return ret;
4687  }
4688 
4689  MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4690 
4691  return 0;
4692 }
4693 
4694 /*
4695  * Renegotiate current connection on client,
4696  * or request renegotiation on server
4697  */
4699 {
4701 
4702  if (ssl == NULL || ssl->conf == NULL) {
4704  }
4705 
4706 #if defined(MBEDTLS_SSL_SRV_C)
4707  /* On server, just send the request */
4708  if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4709  if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4711  }
4712 
4713  ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4714 
4715  /* Did we already try/start sending HelloRequest? */
4716  if (ssl->out_left != 0) {
4717  return mbedtls_ssl_flush_output(ssl);
4718  }
4719 
4720  return ssl_write_hello_request(ssl);
4721  }
4722 #endif /* MBEDTLS_SSL_SRV_C */
4723 
4724 #if defined(MBEDTLS_SSL_CLI_C)
4725  /*
4726  * On client, either start the renegotiation process or,
4727  * if already in progress, continue the handshake
4728  */
4729  if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4730  if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4732  }
4733 
4734  if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4735  MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4736  return ret;
4737  }
4738  } else {
4739  if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4740  MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4741  return ret;
4742  }
4743  }
4744 #endif /* MBEDTLS_SSL_CLI_C */
4745 
4746  return ret;
4747 }
4748 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4749 
4751 {
4752  mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4753 
4754  if (handshake == NULL) {
4755  return;
4756  }
4757 
4758 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
4759 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4760  if (ssl->handshake->group_list_heap_allocated) {
4761  mbedtls_free((void *) handshake->group_list);
4762  }
4763  handshake->group_list = NULL;
4764 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4765 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
4766 
4767 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4768 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4769  if (ssl->handshake->sig_algs_heap_allocated) {
4770  mbedtls_free((void *) handshake->sig_algs);
4771  }
4772  handshake->sig_algs = NULL;
4773 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4774 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4775  if (ssl->handshake->certificate_request_context) {
4776  mbedtls_free((void *) handshake->certificate_request_context);
4777  }
4778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4779 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4780 
4781 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4782  if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4783  ssl->conf->f_async_cancel(ssl);
4784  handshake->async_in_progress = 0;
4785  }
4786 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4787 
4788 #if defined(MBEDTLS_MD_CAN_SHA256)
4789 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4790  psa_hash_abort(&handshake->fin_sha256_psa);
4791 #else
4792  mbedtls_md_free(&handshake->fin_sha256);
4793 #endif
4794 #endif
4795 #if defined(MBEDTLS_MD_CAN_SHA384)
4796 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4797  psa_hash_abort(&handshake->fin_sha384_psa);
4798 #else
4799  mbedtls_md_free(&handshake->fin_sha384);
4800 #endif
4801 #endif
4802 
4803 #if defined(MBEDTLS_DHM_C)
4804  mbedtls_dhm_free(&handshake->dhm_ctx);
4805 #endif
4806 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
4807  defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
4808  mbedtls_ecdh_free(&handshake->ecdh_ctx);
4809 #endif
4810 
4811 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4812 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4813  psa_pake_abort(&handshake->psa_pake_ctx);
4814  /*
4815  * Opaque keys are not stored in the handshake's data and it's the user
4816  * responsibility to destroy them. Clear ones, instead, are created by
4817  * the TLS library and should be destroyed at the same level
4818  */
4819  if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4820  psa_destroy_key(handshake->psa_pake_password);
4821  }
4822  handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4823 #else
4824  mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4825 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4826 #if defined(MBEDTLS_SSL_CLI_C)
4827  mbedtls_free(handshake->ecjpake_cache);
4828  handshake->ecjpake_cache = NULL;
4829  handshake->ecjpake_cache_len = 0;
4830 #endif
4831 #endif
4832 
4833 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
4834  defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
4835  defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4836  /* explicit void pointer cast for buggy MS compiler */
4837  mbedtls_free((void *) handshake->curves_tls_id);
4838 #endif
4839 
4840 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4841 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4842  if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4843  /* The maintenance of the external PSK key slot is the
4844  * user's responsibility. */
4845  if (ssl->handshake->psk_opaque_is_internal) {
4846  psa_destroy_key(ssl->handshake->psk_opaque);
4847  ssl->handshake->psk_opaque_is_internal = 0;
4848  }
4849  ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4850  }
4851 #else
4852  if (handshake->psk != NULL) {
4853  mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
4854  }
4855 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4856 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4857 
4858 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4859  defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4860  /*
4861  * Free only the linked list wrapper, not the keys themselves
4862  * since the belong to the SNI callback
4863  */
4864  ssl_key_cert_free(handshake->sni_key_cert);
4865 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4866 
4867 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4868  mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4869  if (handshake->ecrs_peer_cert != NULL) {
4870  mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4871  mbedtls_free(handshake->ecrs_peer_cert);
4872  }
4873 #endif
4874 
4875 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4876  !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4877  mbedtls_pk_free(&handshake->peer_pubkey);
4878 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4879 
4880 #if defined(MBEDTLS_SSL_CLI_C) && \
4881  (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4882  mbedtls_free(handshake->cookie);
4883 #endif /* MBEDTLS_SSL_CLI_C &&
4884  ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4885 
4886 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4887  mbedtls_ssl_flight_free(handshake->flight);
4889 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4890 
4891 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
4892  if (handshake->xxdh_psa_privkey_is_external == 0) {
4893  psa_destroy_key(handshake->xxdh_psa_privkey);
4894  }
4895 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
4896 
4897 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4898  mbedtls_ssl_transform_free(handshake->transform_handshake);
4899  mbedtls_free(handshake->transform_handshake);
4900 #if defined(MBEDTLS_SSL_EARLY_DATA)
4901  mbedtls_ssl_transform_free(handshake->transform_earlydata);
4902  mbedtls_free(handshake->transform_earlydata);
4903 #endif
4904 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4905 
4906 
4907 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4908  /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4909  * processes datagrams and the fact that a datagram is allowed to have
4910  * several records in it, it is possible that the I/O buffers are not
4911  * empty at this stage */
4912  handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4913  mbedtls_ssl_get_output_buflen(ssl));
4914 #endif
4915 
4916  /* mbedtls_platform_zeroize MUST be last one in this function */
4917  mbedtls_platform_zeroize(handshake,
4919 }
4920 
4922 {
4923  if (session == NULL) {
4924  return;
4925  }
4926 
4927 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4928  ssl_clear_peer_cert(session);
4929 #endif
4930 
4931 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4932 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4933  defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4934  mbedtls_free(session->hostname);
4935 #endif
4936  mbedtls_free(session->ticket);
4937 #endif
4938 
4939 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
4940  defined(MBEDTLS_SSL_SRV_C)
4941  mbedtls_free(session->ticket_alpn);
4942 #endif
4943 
4945 }
4946 
4947 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
4948 
4949 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4950 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4951 #else
4952 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4953 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4954 
4955 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
4956 
4957 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4958 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4959 #else
4960 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4961 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4962 
4963 #if defined(MBEDTLS_SSL_ALPN)
4964 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4965 #else
4966 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4967 #endif /* MBEDTLS_SSL_ALPN */
4968 
4969 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4970 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4971 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4972 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4973 
4974 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
4975  ((uint32_t) ( \
4976  (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
4977  SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
4978  (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
4979  SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
4980  (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
4981  SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
4982  (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
4983  0u))
4984 
4985 static const unsigned char ssl_serialized_context_header[] = {
4989  MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4990  MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4991  MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4992  MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4993  MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4994 };
4995 
4996 /*
4997  * Serialize a full SSL context
4998  *
4999  * The format of the serialized data is:
5000  * (in the presentation language of TLS, RFC 8446 section 3)
5001  *
5002  * // header
5003  * opaque mbedtls_version[3]; // major, minor, patch
5004  * opaque context_format[5]; // version-specific field determining
5005  * // the format of the remaining
5006  * // serialized data.
5007  * Note: When updating the format, remember to keep these
5008  * version+format bytes. (We may make their size part of the API.)
5009  *
5010  * // session sub-structure
5011  * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5012  * // transform sub-structure
5013  * uint8 random[64]; // ServerHello.random+ClientHello.random
5014  * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5015  * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5016  * // fields from ssl_context
5017  * uint32 badmac_seen; // DTLS: number of records with failing MAC
5018  * uint64 in_window_top; // DTLS: last validated record seq_num
5019  * uint64 in_window; // DTLS: bitmask for replay protection
5020  * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5021  * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5022  * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5023  * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5024  *
5025  * Note that many fields of the ssl_context or sub-structures are not
5026  * serialized, as they fall in one of the following categories:
5027  *
5028  * 1. forced value (eg in_left must be 0)
5029  * 2. pointer to dynamically-allocated memory (eg session, transform)
5030  * 3. value can be re-derived from other data (eg session keys from MS)
5031  * 4. value was temporary (eg content of input buffer)
5032  * 5. value will be provided by the user again (eg I/O callbacks and context)
5033  */
5035  unsigned char *buf,
5036  size_t buf_len,
5037  size_t *olen)
5038 {
5039  unsigned char *p = buf;
5040  size_t used = 0;
5041  size_t session_len;
5042  int ret = 0;
5043 
5044  /*
5045  * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5046  * this function's documentation.
5047  *
5048  * These are due to assumptions/limitations in the implementation. Some of
5049  * them are likely to stay (no handshake in progress) some might go away
5050  * (only DTLS) but are currently used to simplify the implementation.
5051  */
5052  /* The initial handshake must be over */
5053  if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
5054  MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
5056  }
5057  if (ssl->handshake != NULL) {
5058  MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
5060  }
5061  /* Double-check that sub-structures are indeed ready */
5062  if (ssl->transform == NULL || ssl->session == NULL) {
5063  MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
5065  }
5066  /* There must be no pending incoming or outgoing data */
5067  if (mbedtls_ssl_check_pending(ssl) != 0) {
5068  MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
5070  }
5071  if (ssl->out_left != 0) {
5072  MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
5074  }
5075  /* Protocol must be DTLS, not TLS */
5076  if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5077  MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
5079  }
5080  /* Version must be 1.2 */
5081  if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
5082  MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
5084  }
5085  /* We must be using an AEAD ciphersuite */
5086  if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
5087  MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
5089  }
5090  /* Renegotiation must not be enabled */
5091 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5092  if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
5093  MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
5095  }
5096 #endif
5097 
5098  /*
5099  * Version and format identifier
5100  */
5101  used += sizeof(ssl_serialized_context_header);
5102 
5103  if (used <= buf_len) {
5104  memcpy(p, ssl_serialized_context_header,
5105  sizeof(ssl_serialized_context_header));
5106  p += sizeof(ssl_serialized_context_header);
5107  }
5108 
5109  /*
5110  * Session (length + data)
5111  */
5112  ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
5113  if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
5114  return ret;
5115  }
5116 
5117  used += 4 + session_len;
5118  if (used <= buf_len) {
5119  MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
5120  p += 4;
5121 
5122  ret = ssl_session_save(ssl->session, 1,
5123  p, session_len, &session_len);
5124  if (ret != 0) {
5125  return ret;
5126  }
5127 
5128  p += session_len;
5129  }
5130 
5131  /*
5132  * Transform
5133  */
5134  used += sizeof(ssl->transform->randbytes);
5135  if (used <= buf_len) {
5136  memcpy(p, ssl->transform->randbytes,
5137  sizeof(ssl->transform->randbytes));
5138  p += sizeof(ssl->transform->randbytes);
5139  }
5140 
5141 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5142  used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5143  if (used <= buf_len) {
5144  *p++ = ssl->transform->in_cid_len;
5145  memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
5146  p += ssl->transform->in_cid_len;
5147 
5148  *p++ = ssl->transform->out_cid_len;
5149  memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
5150  p += ssl->transform->out_cid_len;
5151  }
5152 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5153 
5154  /*
5155  * Saved fields from top-level ssl_context structure
5156  */
5157  used += 4;
5158  if (used <= buf_len) {
5159  MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
5160  p += 4;
5161  }
5162 
5163 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5164  used += 16;
5165  if (used <= buf_len) {
5166  MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
5167  p += 8;
5168 
5169  MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
5170  p += 8;
5171  }
5172 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5173 
5174 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5175  used += 1;
5176  if (used <= buf_len) {
5177  *p++ = ssl->disable_datagram_packing;
5178  }
5179 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5180 
5182  if (used <= buf_len) {
5183  memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
5185  }
5186 
5187 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5188  used += 2;
5189  if (used <= buf_len) {
5190  MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
5191  p += 2;
5192  }
5193 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5194 
5195 #if defined(MBEDTLS_SSL_ALPN)
5196  {
5197  const uint8_t alpn_len = ssl->alpn_chosen
5198  ? (uint8_t) strlen(ssl->alpn_chosen)
5199  : 0;
5200 
5201  used += 1 + alpn_len;
5202  if (used <= buf_len) {
5203  *p++ = alpn_len;
5204 
5205  if (ssl->alpn_chosen != NULL) {
5206  memcpy(p, ssl->alpn_chosen, alpn_len);
5207  p += alpn_len;
5208  }
5209  }
5210  }
5211 #endif /* MBEDTLS_SSL_ALPN */
5212 
5213  /*
5214  * Done
5215  */
5216  *olen = used;
5217 
5218  if (used > buf_len) {
5220  }
5221 
5222  MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
5223 
5224  return mbedtls_ssl_session_reset_int(ssl, 0);
5225 }
5226 
5227 /*
5228  * Deserialize context, see mbedtls_ssl_context_save() for format.
5229  *
5230  * This internal version is wrapped by a public function that cleans up in
5231  * case of error.
5232  */
5234 static int ssl_context_load(mbedtls_ssl_context *ssl,
5235  const unsigned char *buf,
5236  size_t len)
5237 {
5238  const unsigned char *p = buf;
5239  const unsigned char * const end = buf + len;
5240  size_t session_len;
5242 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5243  tls_prf_fn prf_func = NULL;
5244 #endif
5245 
5246  /*
5247  * The context should have been freshly setup or reset.
5248  * Give the user an error in case of obvious misuse.
5249  * (Checking session is useful because it won't be NULL if we're
5250  * renegotiating, or if the user mistakenly loaded a session first.)
5251  */
5252  if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5253  ssl->session != NULL) {
5255  }
5256 
5257  /*
5258  * We can't check that the config matches the initial one, but we can at
5259  * least check it matches the requirements for serializing.
5260  */
5261  if (
5262 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5263  ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5264 #endif
5265  ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5266  ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
5267  ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
5268  ) {
5270  }
5271 
5272  MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
5273 
5274  /*
5275  * Check version identifier
5276  */
5277  if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
5279  }
5280 
5281  if (memcmp(p, ssl_serialized_context_header,
5282  sizeof(ssl_serialized_context_header)) != 0) {
5284  }
5285  p += sizeof(ssl_serialized_context_header);
5286 
5287  /*
5288  * Session
5289  */
5290  if ((size_t) (end - p) < 4) {
5292  }
5293 
5294  session_len = MBEDTLS_GET_UINT32_BE(p, 0);
5295  p += 4;
5296 
5297  /* This has been allocated by ssl_handshake_init(), called by
5298  * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5299  ssl->session = ssl->session_negotiate;
5300  ssl->session_in = ssl->session;
5301  ssl->session_out = ssl->session;
5302  ssl->session_negotiate = NULL;
5303 
5304  if ((size_t) (end - p) < session_len) {
5306  }
5307 
5308  ret = ssl_session_load(ssl->session, 1, p, session_len);
5309  if (ret != 0) {
5310  mbedtls_ssl_session_free(ssl->session);
5311  return ret;
5312  }
5313 
5314  p += session_len;
5315 
5316  /*
5317  * Transform
5318  */
5319 
5320  /* This has been allocated by ssl_handshake_init(), called by
5321  * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5322 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5323  ssl->transform = ssl->transform_negotiate;
5324  ssl->transform_in = ssl->transform;
5325  ssl->transform_out = ssl->transform;
5326  ssl->transform_negotiate = NULL;
5327 #endif
5328 
5329 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5330  prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
5331  if (prf_func == NULL) {
5333  }
5334 
5335  /* Read random bytes and populate structure */
5336  if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
5338  }
5339 
5340  ret = ssl_tls12_populate_transform(ssl->transform,
5341  ssl->session->ciphersuite,
5342  ssl->session->master,
5343 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
5344  ssl->session->encrypt_then_mac,
5345 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
5346  prf_func,
5347  p, /* currently pointing to randbytes */
5348  MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
5349  ssl->conf->endpoint,
5350  ssl);
5351  if (ret != 0) {
5352  return ret;
5353  }
5354 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5355  p += sizeof(ssl->transform->randbytes);
5356 
5357 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5358  /* Read connection IDs and store them */
5359  if ((size_t) (end - p) < 1) {
5361  }
5362 
5363  ssl->transform->in_cid_len = *p++;
5364 
5365  if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
5367  }
5368 
5369  memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
5370  p += ssl->transform->in_cid_len;
5371 
5372  ssl->transform->out_cid_len = *p++;
5373 
5374  if ((size_t) (end - p) < ssl->transform->out_cid_len) {
5376  }
5377 
5378  memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
5379  p += ssl->transform->out_cid_len;
5380 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5381 
5382  /*
5383  * Saved fields from top-level ssl_context structure
5384  */
5385  if ((size_t) (end - p) < 4) {
5387  }
5388 
5389  ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
5390  p += 4;
5391 
5392 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5393  if ((size_t) (end - p) < 16) {
5395  }
5396 
5397  ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
5398  p += 8;
5399 
5400  ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
5401  p += 8;
5402 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5403 
5404 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5405  if ((size_t) (end - p) < 1) {
5407  }
5408 
5409  ssl->disable_datagram_packing = *p++;
5410 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5411 
5412  if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
5414  }
5415  memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
5416  p += sizeof(ssl->cur_out_ctr);
5417 
5418 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5419  if ((size_t) (end - p) < 2) {
5421  }
5422 
5423  ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
5424  p += 2;
5425 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5426 
5427 #if defined(MBEDTLS_SSL_ALPN)
5428  {
5429  uint8_t alpn_len;
5430  const char **cur;
5431 
5432  if ((size_t) (end - p) < 1) {
5434  }
5435 
5436  alpn_len = *p++;
5437 
5438  if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
5439  /* alpn_chosen should point to an item in the configured list */
5440  for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5441  if (strlen(*cur) == alpn_len &&
5442  memcmp(p, *cur, alpn_len) == 0) {
5443  ssl->alpn_chosen = *cur;
5444  break;
5445  }
5446  }
5447  }
5448 
5449  /* can only happen on conf mismatch */
5450  if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5452  }
5453 
5454  p += alpn_len;
5455  }
5456 #endif /* MBEDTLS_SSL_ALPN */
5457 
5458  /*
5459  * Forced fields from top-level ssl_context structure
5460  *
5461  * Most of them already set to the correct value by mbedtls_ssl_init() and
5462  * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5463  */
5464  ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
5465  ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5466 
5467  /* Adjust pointers for header fields of outgoing records to
5468  * the given transform, accounting for explicit IV and CID. */
5469  mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
5470 
5471 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5472  ssl->in_epoch = 1;
5473 #endif
5474 
5475  /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5476  * which we don't want - otherwise we'd end up freeing the wrong transform
5477  * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5478  * inappropriately. */
5479  if (ssl->handshake != NULL) {
5481  mbedtls_free(ssl->handshake);
5482  ssl->handshake = NULL;
5483  }
5484 
5485  /*
5486  * Done - should have consumed entire buffer
5487  */
5488  if (p != end) {
5490  }
5491 
5492  return 0;
5493 }
5494 
5495 /*
5496  * Deserialize context: public wrapper for error cleaning
5497  */
5499  const unsigned char *buf,
5500  size_t len)
5501 {
5502  int ret = ssl_context_load(context, buf, len);
5503 
5504  if (ret != 0) {
5506  }
5507 
5508  return ret;
5509 }
5510 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
5511 
5512 /*
5513  * Free an SSL context
5514  */
5516 {
5517  if (ssl == NULL) {
5518  return;
5519  }
5520 
5521  MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
5522 
5523  if (ssl->out_buf != NULL) {
5524 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5525  size_t out_buf_len = ssl->out_buf_len;
5526 #else
5527  size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5528 #endif
5529 
5530  mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
5531  ssl->out_buf = NULL;
5532  }
5533 
5534  if (ssl->in_buf != NULL) {
5535 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5536  size_t in_buf_len = ssl->in_buf_len;
5537 #else
5538  size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5539 #endif
5540 
5541  mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
5542  ssl->in_buf = NULL;
5543  }
5544 
5545  if (ssl->transform) {
5546  mbedtls_ssl_transform_free(ssl->transform);
5547  mbedtls_free(ssl->transform);
5548  }
5549 
5550  if (ssl->handshake) {
5552  mbedtls_free(ssl->handshake);
5553 
5554 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5555  mbedtls_ssl_transform_free(ssl->transform_negotiate);
5556  mbedtls_free(ssl->transform_negotiate);
5557 #endif
5558 
5559  mbedtls_ssl_session_free(ssl->session_negotiate);
5560  mbedtls_free(ssl->session_negotiate);
5561  }
5562 
5563 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5564  mbedtls_ssl_transform_free(ssl->transform_application);
5565  mbedtls_free(ssl->transform_application);
5566 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5567 
5568  if (ssl->session) {
5569  mbedtls_ssl_session_free(ssl->session);
5570  mbedtls_free(ssl->session);
5571  }
5572 
5573 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5574  if (ssl->hostname != NULL) {
5575  mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
5576  }
5577 #endif
5578 
5579 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5580  mbedtls_free(ssl->cli_id);
5581 #endif
5582 
5583  MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
5584 
5585  /* Actually clear after last debug message */
5587 }
5588 
5589 /*
5590  * Initialize mbedtls_ssl_config
5591  */
5593 {
5594  memset(conf, 0, sizeof(mbedtls_ssl_config));
5595 }
5596 
5597 /* The selection should be the same as mbedtls_x509_crt_profile_default in
5598  * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
5599  * curves with a lower resource usage come first.
5600  * See the documentation of mbedtls_ssl_conf_curves() for what we promise
5601  * about this list.
5602  */
5603 static const uint16_t ssl_preset_default_groups[] = {
5604 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
5606 #endif
5607 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5609 #endif
5610 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5612 #endif
5613 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
5615 #endif
5616 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
5618 #endif
5619 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
5621 #endif
5622 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
5624 #endif
5625 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
5627 #endif
5628 #if defined(PSA_WANT_ALG_FFDH)
5634 #endif
5636 };
5637 
5638 static const int ssl_preset_suiteb_ciphersuites[] = {
5641  0
5642 };
5643 
5644 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5645 
5646 /* NOTICE:
5647  * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
5648  * rules SHOULD be upheld.
5649  * - No duplicate entries.
5650  * - But if there is a good reason, do not change the order of the algorithms.
5651  * - ssl_tls12_preset* is for TLS 1.2 use only.
5652  * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
5653  */
5654 static const uint16_t ssl_preset_default_sig_algs[] = {
5655 
5656 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5657  defined(MBEDTLS_MD_CAN_SHA256) && \
5658  defined(PSA_WANT_ECC_SECP_R1_256)
5660  // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5661 #endif
5662 
5663 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5664  defined(MBEDTLS_MD_CAN_SHA384) && \
5665  defined(PSA_WANT_ECC_SECP_R1_384)
5667  // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5668 #endif
5669 
5670 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5671  defined(MBEDTLS_MD_CAN_SHA512) && \
5672  defined(PSA_WANT_ECC_SECP_R1_521)
5674  // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5675 #endif
5676 
5677 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
5679 #endif
5680 
5681 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
5683 #endif
5684 
5685 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
5687 #endif
5688 
5689 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
5691 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
5692 
5693 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
5695 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
5696 
5697 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5699 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
5700 
5701  MBEDTLS_TLS_SIG_NONE
5702 };
5703 
5704 /* NOTICE: see above */
5705 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5706 static uint16_t ssl_tls12_preset_default_sig_algs[] = {
5707 
5708 #if defined(MBEDTLS_MD_CAN_SHA512)
5709 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5710  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5711 #endif
5712 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5714 #endif
5715 #if defined(MBEDTLS_RSA_C)
5716  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5717 #endif
5718 #endif /* MBEDTLS_MD_CAN_SHA512 */
5719 
5720 #if defined(MBEDTLS_MD_CAN_SHA384)
5721 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5722  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5723 #endif
5724 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5726 #endif
5727 #if defined(MBEDTLS_RSA_C)
5728  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5729 #endif
5730 #endif /* MBEDTLS_MD_CAN_SHA384 */
5731 
5732 #if defined(MBEDTLS_MD_CAN_SHA256)
5733 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5734  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5735 #endif
5736 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5738 #endif
5739 #if defined(MBEDTLS_RSA_C)
5740  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5741 #endif
5742 #endif /* MBEDTLS_MD_CAN_SHA256 */
5743 
5744  MBEDTLS_TLS_SIG_NONE
5745 };
5746 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5747 
5748 /* NOTICE: see above */
5749 static const uint16_t ssl_preset_suiteb_sig_algs[] = {
5750 
5751 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5752  defined(MBEDTLS_MD_CAN_SHA256) && \
5753  defined(MBEDTLS_ECP_HAVE_SECP256R1)
5755  // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5756 #endif
5757 
5758 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5759  defined(MBEDTLS_MD_CAN_SHA384) && \
5760  defined(MBEDTLS_ECP_HAVE_SECP384R1)
5762  // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5763 #endif
5764 
5765  MBEDTLS_TLS_SIG_NONE
5766 };
5767 
5768 /* NOTICE: see above */
5769 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5770 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5771 
5772 #if defined(MBEDTLS_MD_CAN_SHA256)
5773 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5774  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5775 #endif
5776 #endif /* MBEDTLS_MD_CAN_SHA256 */
5777 
5778 #if defined(MBEDTLS_MD_CAN_SHA384)
5779 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5780  MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5781 #endif
5782 #endif /* MBEDTLS_MD_CAN_SHA384 */
5783 
5784  MBEDTLS_TLS_SIG_NONE
5785 };
5786 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5787 
5788 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5789 
5790 static const uint16_t ssl_preset_suiteb_groups[] = {
5791 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5793 #endif
5794 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5796 #endif
5798 };
5799 
5800 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5801 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5802  * to make sure there are no duplicated signature algorithm entries. */
5804 static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
5805 {
5806  size_t i, j;
5807  int ret = 0;
5808 
5809  for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5810  for (j = 0; j < i; j++) {
5811  if (sig_algs[i] != sig_algs[j]) {
5812  continue;
5813  }
5814  mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5815  ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5816  sig_algs[i], j, i);
5817  ret = -1;
5818  }
5819  }
5820  return ret;
5821 }
5822 
5823 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5824 
5825 /*
5826  * Load default in mbedtls_ssl_config
5827  */
5829  int endpoint, int transport, int preset)
5830 {
5831 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5833 #endif
5834 
5835 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5836  if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5837  mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5839  }
5840 
5841  if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5842  mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5844  }
5845 
5846 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5847  if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5848  mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5850  }
5851 
5852  if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5853  mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5855  }
5856 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5857 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5858 
5859  /* Use the functions here so that they are covered in tests,
5860  * but otherwise access member directly for efficiency */
5861  mbedtls_ssl_conf_endpoint(conf, endpoint);
5862  mbedtls_ssl_conf_transport(conf, transport);
5863 
5864  /*
5865  * Things that are common to all presets
5866  */
5867 #if defined(MBEDTLS_SSL_CLI_C)
5868  if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5869  conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5870 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
5871  conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
5872 #endif
5873  }
5874 #endif
5875 
5876 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5877  conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5878 #endif
5879 
5880 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5881  conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5882 #endif
5883 
5884 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5885  conf->f_cookie_write = ssl_cookie_write_dummy;
5886  conf->f_cookie_check = ssl_cookie_check_dummy;
5887 #endif
5888 
5889 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5890  conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5891 #endif
5892 
5893 #if defined(MBEDTLS_SSL_SRV_C)
5894  conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5895  conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5896 #endif
5897 
5898 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5899  conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5900  conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5901 #endif
5902 
5903 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5904  conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5905  memset(conf->renego_period, 0x00, 2);
5906  memset(conf->renego_period + 2, 0xFF, 6);
5907 #endif
5908 
5909 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5910  if (endpoint == MBEDTLS_SSL_IS_SERVER) {
5911  const unsigned char dhm_p[] =
5913  const unsigned char dhm_g[] =
5915 
5916  if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
5917  dhm_p, sizeof(dhm_p),
5918  dhm_g, sizeof(dhm_g))) != 0) {
5919  return ret;
5920  }
5921  }
5922 #endif
5923 
5924 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5925 
5926 #if defined(MBEDTLS_SSL_EARLY_DATA)
5927  mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
5928 #if defined(MBEDTLS_SSL_SRV_C)
5929  mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
5930 #endif
5931 #endif /* MBEDTLS_SSL_EARLY_DATA */
5932 
5933 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
5936 #endif
5937  /*
5938  * Allow all TLS 1.3 key exchange modes by default.
5939  */
5940  conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
5941 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5942 
5943  if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5944 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5945  conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5946  conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5947 #else
5949 #endif
5950  } else {
5951 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
5952  conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5953  conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5954 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5955  conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5956  conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5957 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5958  conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5959  conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5960 #else
5962 #endif
5963  }
5964 
5965  /*
5966  * Preset-specific defaults
5967  */
5968  switch (preset) {
5969  /*
5970  * NSA Suite B
5971  */
5973 
5974  conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
5975 
5976 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5977  conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
5978 #endif
5979 
5980 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5981 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5982  if (mbedtls_ssl_conf_is_tls12_only(conf)) {
5983  conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
5984  } else
5985 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5986  conf->sig_algs = ssl_preset_suiteb_sig_algs;
5987 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5988 
5989 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
5990  conf->curve_list = NULL;
5991 #endif
5992  conf->group_list = ssl_preset_suiteb_groups;
5993  break;
5994 
5995  /*
5996  * Default
5997  */
5998  default:
5999 
6000  conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
6001 
6002 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6003  conf->cert_profile = &mbedtls_x509_crt_profile_default;
6004 #endif
6005 
6006 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6007 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6008  if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6009  conf->sig_algs = ssl_tls12_preset_default_sig_algs;
6010  } else
6011 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6012  conf->sig_algs = ssl_preset_default_sig_algs;
6013 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6014 
6015 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6016  conf->curve_list = NULL;
6017 #endif
6018  conf->group_list = ssl_preset_default_groups;
6019 
6020 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6021  conf->dhm_min_bitlen = 1024;
6022 #endif
6023  }
6024 
6025  return 0;
6026 }
6027 
6028 /*
6029  * Free mbedtls_ssl_config
6030  */
6032 {
6033 #if defined(MBEDTLS_DHM_C)
6034  mbedtls_mpi_free(&conf->dhm_P);
6035  mbedtls_mpi_free(&conf->dhm_G);
6036 #endif
6037 
6038 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
6039 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6040  if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
6041  conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
6042  }
6043 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6044  if (conf->psk != NULL) {
6045  mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
6046  conf->psk = NULL;
6047  conf->psk_len = 0;
6048  }
6049 
6050  if (conf->psk_identity != NULL) {
6051  mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
6052  conf->psk_identity = NULL;
6053  conf->psk_identity_len = 0;
6054  }
6055 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
6056 
6057 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6058  ssl_key_cert_free(conf->key_cert);
6059 #endif
6060 
6062 }
6063 
6064 #if defined(MBEDTLS_PK_C) && \
6065  (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
6066 /*
6067  * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
6068  */
6070 {
6071 #if defined(MBEDTLS_RSA_C)
6072  if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
6073  return MBEDTLS_SSL_SIG_RSA;
6074  }
6075 #endif
6076 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6078  return MBEDTLS_SSL_SIG_ECDSA;
6079  }
6080 #endif
6081  return MBEDTLS_SSL_SIG_ANON;
6082 }
6083 
6085 {
6086  switch (type) {
6087  case MBEDTLS_PK_RSA:
6088  return MBEDTLS_SSL_SIG_RSA;
6089  case MBEDTLS_PK_ECDSA:
6090  case MBEDTLS_PK_ECKEY:
6091  return MBEDTLS_SSL_SIG_ECDSA;
6092  default:
6093  return MBEDTLS_SSL_SIG_ANON;
6094  }
6095 }
6096 
6098 {
6099  switch (sig) {
6100 #if defined(MBEDTLS_RSA_C)
6101  case MBEDTLS_SSL_SIG_RSA:
6102  return MBEDTLS_PK_RSA;
6103 #endif
6104 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6105  case MBEDTLS_SSL_SIG_ECDSA:
6106  return MBEDTLS_PK_ECDSA;
6107 #endif
6108  default:
6109  return MBEDTLS_PK_NONE;
6110  }
6111 }
6112 #endif /* MBEDTLS_PK_C &&
6113  ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
6114 
6115 /*
6116  * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
6117  */
6119 {
6120  switch (hash) {
6121 #if defined(MBEDTLS_MD_CAN_MD5)
6122  case MBEDTLS_SSL_HASH_MD5:
6123  return MBEDTLS_MD_MD5;
6124 #endif
6125 #if defined(MBEDTLS_MD_CAN_SHA1)
6126  case MBEDTLS_SSL_HASH_SHA1:
6127  return MBEDTLS_MD_SHA1;
6128 #endif
6129 #if defined(MBEDTLS_MD_CAN_SHA224)
6131  return MBEDTLS_MD_SHA224;
6132 #endif
6133 #if defined(MBEDTLS_MD_CAN_SHA256)
6135  return MBEDTLS_MD_SHA256;
6136 #endif
6137 #if defined(MBEDTLS_MD_CAN_SHA384)
6139  return MBEDTLS_MD_SHA384;
6140 #endif
6141 #if defined(MBEDTLS_MD_CAN_SHA512)
6143  return MBEDTLS_MD_SHA512;
6144 #endif
6145  default:
6146  return MBEDTLS_MD_NONE;
6147  }
6148 }
6149 
6150 /*
6151  * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6152  */
6153 unsigned char mbedtls_ssl_hash_from_md_alg(int md)
6154 {
6155  switch (md) {
6156 #if defined(MBEDTLS_MD_CAN_MD5)
6157  case MBEDTLS_MD_MD5:
6158  return MBEDTLS_SSL_HASH_MD5;
6159 #endif
6160 #if defined(MBEDTLS_MD_CAN_SHA1)
6161  case MBEDTLS_MD_SHA1:
6162  return MBEDTLS_SSL_HASH_SHA1;
6163 #endif
6164 #if defined(MBEDTLS_MD_CAN_SHA224)
6165  case MBEDTLS_MD_SHA224:
6166  return MBEDTLS_SSL_HASH_SHA224;
6167 #endif
6168 #if defined(MBEDTLS_MD_CAN_SHA256)
6169  case MBEDTLS_MD_SHA256:
6170  return MBEDTLS_SSL_HASH_SHA256;
6171 #endif
6172 #if defined(MBEDTLS_MD_CAN_SHA384)
6173  case MBEDTLS_MD_SHA384:
6174  return MBEDTLS_SSL_HASH_SHA384;
6175 #endif
6176 #if defined(MBEDTLS_MD_CAN_SHA512)
6177  case MBEDTLS_MD_SHA512:
6178  return MBEDTLS_SSL_HASH_SHA512;
6179 #endif
6180  default:
6181  return MBEDTLS_SSL_HASH_NONE;
6182  }
6183 }
6184 
6185 /*
6186  * Check if a curve proposed by the peer is in our list.
6187  * Return 0 if we're willing to use it, -1 otherwise.
6188  */
6190 {
6191  const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
6192 
6193  if (group_list == NULL) {
6194  return -1;
6195  }
6196 
6197  for (; *group_list != 0; group_list++) {
6198  if (*group_list == tls_id) {
6199  return 0;
6200  }
6201  }
6202 
6203  return -1;
6204 }
6205 
6206 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
6207 /*
6208  * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
6209  */
6211 {
6213 
6214  if (tls_id == 0) {
6215  return -1;
6216  }
6217 
6218  return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
6219 }
6220 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
6221 
6222 static const struct {
6223  uint16_t tls_id;
6224  mbedtls_ecp_group_id ecp_group_id;
6225  psa_ecc_family_t psa_family;
6226  uint16_t bits;
6227 } tls_id_match_table[] =
6228 {
6229 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
6231 #endif
6232 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
6234 #endif
6235 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
6237 #endif
6238 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
6240 #endif
6241 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
6243 #endif
6244 #if defined(MBEDTLS_ECP_HAVE_SECP256K1)
6246 #endif
6247 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
6249 #endif
6250 #if defined(MBEDTLS_ECP_HAVE_SECP224R1)
6252 #endif
6253 #if defined(MBEDTLS_ECP_HAVE_SECP224K1)
6255 #endif
6256 #if defined(MBEDTLS_ECP_HAVE_SECP192R1)
6258 #endif
6259 #if defined(MBEDTLS_ECP_HAVE_SECP192K1)
6261 #endif
6262 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
6264 #endif
6265 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
6267 #endif
6268  { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
6269 };
6270 
6273  size_t *bits)
6274 {
6275  for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6276  if (tls_id_match_table[i].tls_id == tls_id) {
6277  if (type != NULL) {
6278  *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
6279  }
6280  if (bits != NULL) {
6281  *bits = tls_id_match_table[i].bits;
6282  }
6283  return PSA_SUCCESS;
6284  }
6285  }
6286 
6287  return PSA_ERROR_NOT_SUPPORTED;
6288 }
6289