EIC code displayed by LXR |
|
|
|
|||
File indexing completed on 2025-08-27 09:37:34
0001 /** 0002 * \file ssl.h 0003 * 0004 * \brief SSL/TLS functions. 0005 */ 0006 /* 0007 * Copyright The Mbed TLS Contributors 0008 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 0009 */ 0010 #ifndef MBEDTLS_SSL_H 0011 #define MBEDTLS_SSL_H 0012 #include "mbedtls/platform_util.h" 0013 #include "mbedtls/private_access.h" 0014 0015 #include "mbedtls/build_info.h" 0016 0017 #include "mbedtls/bignum.h" 0018 #include "mbedtls/ecp.h" 0019 0020 #include "mbedtls/ssl_ciphersuites.h" 0021 0022 #if defined(MBEDTLS_X509_CRT_PARSE_C) 0023 #include "mbedtls/x509_crt.h" 0024 #include "mbedtls/x509_crl.h" 0025 #endif 0026 0027 #if defined(MBEDTLS_DHM_C) 0028 #include "mbedtls/dhm.h" 0029 #endif 0030 0031 #include "mbedtls/md.h" 0032 0033 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) 0034 #include "mbedtls/ecdh.h" 0035 #endif 0036 0037 #if defined(MBEDTLS_HAVE_TIME) 0038 #include "mbedtls/platform_time.h" 0039 #endif 0040 0041 #include "psa/crypto.h" 0042 0043 /* 0044 * SSL Error codes 0045 */ 0046 /** A cryptographic operation is in progress. Try again later. */ 0047 #define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 0048 /** The requested feature is not available. */ 0049 #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 0050 /** Bad input parameters to function. */ 0051 #define MBEDTLS_ERR_SSL_BAD_INPUT_DATA -0x7100 0052 /** Verification of the message MAC failed. */ 0053 #define MBEDTLS_ERR_SSL_INVALID_MAC -0x7180 0054 /** An invalid SSL record was received. */ 0055 #define MBEDTLS_ERR_SSL_INVALID_RECORD -0x7200 0056 /** The connection indicated an EOF. */ 0057 #define MBEDTLS_ERR_SSL_CONN_EOF -0x7280 0058 /** A message could not be parsed due to a syntactic error. */ 0059 #define MBEDTLS_ERR_SSL_DECODE_ERROR -0x7300 0060 /* Error space gap */ 0061 /** No RNG was provided to the SSL module. */ 0062 #define MBEDTLS_ERR_SSL_NO_RNG -0x7400 0063 /** No client certification received from the client, but required by the authentication mode. */ 0064 #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 0065 /** Client received an extended server hello containing an unsupported extension */ 0066 #define MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION -0x7500 0067 /** No ALPN protocols supported that the client advertises */ 0068 #define MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL -0x7580 0069 /** The own private key or pre-shared key is not set, but needed. */ 0070 #define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 0071 /** No CA Chain is set, but required to operate. */ 0072 #define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 0073 /** An unexpected message was received from our peer. */ 0074 #define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 0075 /** A fatal alert message was received from our peer. */ 0076 #define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 0077 /** No server could be identified matching the client's SNI. */ 0078 #define MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME -0x7800 0079 /** The peer notified us that the connection is going to be closed. */ 0080 #define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 0081 /* Error space gap */ 0082 /* Error space gap */ 0083 /** Processing of the Certificate handshake message failed. */ 0084 #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 0085 /* Error space gap */ 0086 /** A TLS 1.3 NewSessionTicket message has been received. */ 0087 #define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00 0088 /** Not possible to read early data */ 0089 #define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80 0090 /** 0091 * Early data has been received as part of an on-going handshake. 0092 * This error code can be returned only on server side if and only if early 0093 * data has been enabled by means of the mbedtls_ssl_conf_early_data() API. 0094 * This error code can then be returned by mbedtls_ssl_handshake(), 0095 * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write() if 0096 * early data has been received as part of the handshake sequence they 0097 * triggered. To read the early data, call mbedtls_ssl_read_early_data(). 0098 */ 0099 #define MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA -0x7C00 0100 /** Not possible to write early data */ 0101 #define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C80 0102 /* Error space gap */ 0103 /* Error space gap */ 0104 /* Error space gap */ 0105 /* Error space gap */ 0106 /** Cache entry not found */ 0107 #define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x7E80 0108 /** Memory allocation failed */ 0109 #define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00 0110 /** Hardware acceleration function returned with error */ 0111 #define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED -0x7F80 0112 /** Hardware acceleration function skipped / left alone data */ 0113 #define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 0114 /** Handshake protocol not within min/max boundaries */ 0115 #define MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION -0x6E80 0116 /** The handshake negotiation failed. */ 0117 #define MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE -0x6E00 0118 /** Session ticket has expired. */ 0119 #define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 0120 /** Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */ 0121 #define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 0122 /** Unknown identity received (eg, PSK identity) */ 0123 #define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 0124 /** Internal error (eg, unexpected failure in lower-level module) */ 0125 #define MBEDTLS_ERR_SSL_INTERNAL_ERROR -0x6C00 0126 /** A counter would wrap (eg, too many messages exchanged). */ 0127 #define MBEDTLS_ERR_SSL_COUNTER_WRAPPING -0x6B80 0128 /** Unexpected message at ServerHello in renegotiation. */ 0129 #define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO -0x6B00 0130 /** DTLS client must retry for hello verification */ 0131 #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80 0132 /** A buffer is too small to receive or write a message */ 0133 #define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL -0x6A00 0134 /* Error space gap */ 0135 /** No data of requested type currently available on underlying transport. */ 0136 #define MBEDTLS_ERR_SSL_WANT_READ -0x6900 0137 /** Connection requires a write call. */ 0138 #define MBEDTLS_ERR_SSL_WANT_WRITE -0x6880 0139 /** The operation timed out. */ 0140 #define MBEDTLS_ERR_SSL_TIMEOUT -0x6800 0141 /** The client initiated a reconnect from the same port. */ 0142 #define MBEDTLS_ERR_SSL_CLIENT_RECONNECT -0x6780 0143 /** Record header looks valid but is not expected. */ 0144 #define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD -0x6700 0145 /** The alert message received indicates a non-fatal error. */ 0146 #define MBEDTLS_ERR_SSL_NON_FATAL -0x6680 0147 /** A field in a message was incorrect or inconsistent with other fields. */ 0148 #define MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER -0x6600 0149 /** Internal-only message signaling that further message-processing should be done */ 0150 #define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -0x6580 0151 /** The asynchronous operation is not completed yet. */ 0152 #define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 0153 /** Internal-only message signaling that a message arrived early. */ 0154 #define MBEDTLS_ERR_SSL_EARLY_MESSAGE -0x6480 0155 /* Error space gap */ 0156 /* Error space gap */ 0157 /* Error space gap */ 0158 /* Error space gap */ 0159 /* Error space gap */ 0160 /* Error space gap */ 0161 /* Error space gap */ 0162 /* Error space gap */ 0163 /** An encrypted DTLS-frame with an unexpected CID was received. */ 0164 #define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 0165 /** An operation failed due to an unexpected version or configuration. */ 0166 #define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 0167 /** Invalid value in SSL config */ 0168 #define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 0169 0170 /* 0171 * Constants from RFC 8446 for TLS 1.3 PSK modes 0172 * 0173 * Those are used in the Pre-Shared Key Exchange Modes extension. 0174 * See Section 4.2.9 in RFC 8446. 0175 */ 0176 #define MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE 0 /* Pure PSK-based exchange */ 0177 #define MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE 1 /* PSK+ECDHE-based exchange */ 0178 0179 /* 0180 * TLS 1.3 NamedGroup values 0181 * 0182 * From RF 8446 0183 * enum { 0184 * // Elliptic Curve Groups (ECDHE) 0185 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), 0186 * x25519(0x001D), x448(0x001E), 0187 * // Finite Field Groups (DHE) 0188 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), 0189 * ffdhe6144(0x0103), ffdhe8192(0x0104), 0190 * // Reserved Code Points 0191 * ffdhe_private_use(0x01FC..0x01FF), 0192 * ecdhe_private_use(0xFE00..0xFEFF), 0193 * (0xFFFF) 0194 * } NamedGroup; 0195 * 0196 */ 0197 0198 /* Elliptic Curve Groups (ECDHE) */ 0199 #define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0 0200 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012 0201 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013 0202 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 0x0014 0203 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 0x0015 0204 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016 0205 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017 0206 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018 0207 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 0x0019 0208 #define MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 0x001A 0209 #define MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 0x001B 0210 #define MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 0x001C 0211 #define MBEDTLS_SSL_IANA_TLS_GROUP_X25519 0x001D 0212 #define MBEDTLS_SSL_IANA_TLS_GROUP_X448 0x001E 0213 /* Finite Field Groups (DHE) */ 0214 #define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 0x0100 0215 #define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072 0x0101 0216 #define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096 0x0102 0217 #define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144 0x0103 0218 #define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 0x0104 0219 0220 /* 0221 * TLS 1.3 Key Exchange Modes 0222 * 0223 * Mbed TLS internal identifiers for use with the SSL configuration API 0224 * mbedtls_ssl_conf_tls13_key_exchange_modes(). 0225 */ 0226 0227 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK (1u << 0) /*!< Pure-PSK TLS 1.3 key exchange, 0228 * encompassing both externally agreed PSKs 0229 * as well as resumption PSKs. */ 0230 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL (1u << 1) /*!< Pure-Ephemeral TLS 1.3 key exchanges, 0231 * including for example ECDHE and DHE 0232 * key exchanges. */ 0233 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL (1u << 2) /*!< PSK-Ephemeral TLS 1.3 key exchanges, 0234 * using both a PSK and an ephemeral 0235 * key exchange. */ 0236 0237 /* Convenience macros for sets of key exchanges. */ 0238 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL \ 0239 (MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK | \ 0240 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL | \ 0241 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) /*!< All TLS 1.3 key exchanges */ 0242 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL \ 0243 (MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK | \ 0244 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) /*!< All PSK-based TLS 1.3 key exchanges */ 0245 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL \ 0246 (MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL | \ 0247 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) /*!< All ephemeral TLS 1.3 key exchanges */ 0248 0249 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE (0) 0250 0251 /* 0252 * Various constants 0253 */ 0254 0255 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 0256 /* These are the high and low bytes of ProtocolVersion as defined by: 0257 * - RFC 5246: ProtocolVersion version = { 3, 3 }; // TLS v1.2 0258 * - RFC 8446: see section 4.2.1 0259 */ 0260 #define MBEDTLS_SSL_MAJOR_VERSION_3 3 0261 #define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */ 0262 #define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 */ 0263 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 0264 0265 #define MBEDTLS_SSL_TRANSPORT_STREAM 0 /*!< TLS */ 0266 #define MBEDTLS_SSL_TRANSPORT_DATAGRAM 1 /*!< DTLS */ 0267 0268 #define MBEDTLS_SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */ 0269 #define MBEDTLS_SSL_MAX_ALPN_NAME_LEN 255 /*!< Maximum size in bytes of a protocol name in alpn ext., RFC 7301 */ 0270 0271 #define MBEDTLS_SSL_MAX_ALPN_LIST_LEN 65535 /*!< Maximum size in bytes of list in alpn ext., RFC 7301 */ 0272 0273 /* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c 0274 * NONE must be zero so that memset()ing structure to zero works */ 0275 #define MBEDTLS_SSL_MAX_FRAG_LEN_NONE 0 /*!< don't use this extension */ 0276 #define MBEDTLS_SSL_MAX_FRAG_LEN_512 1 /*!< MaxFragmentLength 2^9 */ 0277 #define MBEDTLS_SSL_MAX_FRAG_LEN_1024 2 /*!< MaxFragmentLength 2^10 */ 0278 #define MBEDTLS_SSL_MAX_FRAG_LEN_2048 3 /*!< MaxFragmentLength 2^11 */ 0279 #define MBEDTLS_SSL_MAX_FRAG_LEN_4096 4 /*!< MaxFragmentLength 2^12 */ 0280 #define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID 5 /*!< first invalid value */ 0281 0282 #define MBEDTLS_SSL_IS_CLIENT 0 0283 #define MBEDTLS_SSL_IS_SERVER 1 0284 0285 #define MBEDTLS_SSL_EXTENDED_MS_DISABLED 0 0286 #define MBEDTLS_SSL_EXTENDED_MS_ENABLED 1 0287 0288 #define MBEDTLS_SSL_CID_DISABLED 0 0289 #define MBEDTLS_SSL_CID_ENABLED 1 0290 0291 #define MBEDTLS_SSL_ETM_DISABLED 0 0292 #define MBEDTLS_SSL_ETM_ENABLED 1 0293 0294 #define MBEDTLS_SSL_COMPRESS_NULL 0 0295 0296 #define MBEDTLS_SSL_VERIFY_NONE 0 0297 #define MBEDTLS_SSL_VERIFY_OPTIONAL 1 0298 #define MBEDTLS_SSL_VERIFY_REQUIRED 2 0299 #define MBEDTLS_SSL_VERIFY_UNSET 3 /* Used only for sni_authmode */ 0300 0301 #define MBEDTLS_SSL_LEGACY_RENEGOTIATION 0 0302 #define MBEDTLS_SSL_SECURE_RENEGOTIATION 1 0303 0304 #define MBEDTLS_SSL_RENEGOTIATION_DISABLED 0 0305 #define MBEDTLS_SSL_RENEGOTIATION_ENABLED 1 0306 0307 #define MBEDTLS_SSL_ANTI_REPLAY_DISABLED 0 0308 #define MBEDTLS_SSL_ANTI_REPLAY_ENABLED 1 0309 0310 #define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED -1 0311 #define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT 16 0312 0313 #define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION 0 0314 #define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION 1 0315 #define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE 2 0316 0317 #define MBEDTLS_SSL_TRUNC_HMAC_DISABLED 0 0318 #define MBEDTLS_SSL_TRUNC_HMAC_ENABLED 1 0319 #define MBEDTLS_SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */ 0320 0321 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0 0322 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1 0323 0324 #define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED 0 0325 #define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED 1 0326 0327 #define MBEDTLS_SSL_PRESET_DEFAULT 0 0328 #define MBEDTLS_SSL_PRESET_SUITEB 2 0329 0330 #define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED 1 0331 #define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED 0 0332 0333 #define MBEDTLS_SSL_EARLY_DATA_DISABLED 0 0334 #define MBEDTLS_SSL_EARLY_DATA_ENABLED 1 0335 0336 #define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0 0337 #define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1 0338 0339 #define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT 1 0340 #define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0 0341 0342 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 0343 #if defined(PSA_WANT_ALG_SHA_384) 0344 #define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 48 0345 #elif defined(PSA_WANT_ALG_SHA_256) 0346 #define MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN 32 0347 #endif 0348 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 0349 /* 0350 * Default range for DTLS retransmission timer value, in milliseconds. 0351 * RFC 6347 4.2.4.1 says from 1 second to 60 seconds. 0352 */ 0353 #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN 1000 0354 #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX 60000 0355 0356 /* 0357 * Whether early data record should be discarded or not and how. 0358 * 0359 * The client has indicated early data and the server has rejected them. 0360 * The server has then to skip past early data by either: 0361 * - attempting to deprotect received records using the handshake traffic 0362 * key, discarding records which fail deprotection (up to the configured 0363 * max_early_data_size). Once a record is deprotected successfully, 0364 * it is treated as the start of the client's second flight and the 0365 * server proceeds as with an ordinary 1-RTT handshake. 0366 * - skipping all records with an external content type of 0367 * "application_data" (indicating that they are encrypted), up to the 0368 * configured max_early_data_size. This is the expected behavior if the 0369 * server has sent an HelloRetryRequest message. The server ignores 0370 * application data message before 2nd ClientHello. 0371 */ 0372 #define MBEDTLS_SSL_EARLY_DATA_NO_DISCARD 0 0373 #define MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1 0374 #define MBEDTLS_SSL_EARLY_DATA_DISCARD 2 0375 0376 /** 0377 * \name SECTION: Module settings 0378 * 0379 * The configuration options you can set for this module are in this section. 0380 * Either change them in mbedtls_config.h or define them on the compiler command line. 0381 * \{ 0382 */ 0383 0384 /* 0385 * Maximum fragment length in bytes, 0386 * determines the size of each of the two internal I/O buffers. 0387 * 0388 * Note: the RFC defines the default size of SSL / TLS messages. If you 0389 * change the value here, other clients / servers may not be able to 0390 * communicate with you anymore. Only change this value if you control 0391 * both sides of the connection and have it reduced at both sides, or 0392 * if you're using the Max Fragment Length extension and you know all your 0393 * peers are using it too! 0394 */ 0395 #if !defined(MBEDTLS_SSL_IN_CONTENT_LEN) 0396 #define MBEDTLS_SSL_IN_CONTENT_LEN 16384 0397 #endif 0398 0399 #if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN) 0400 #define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 0401 #endif 0402 0403 /* 0404 * Maximum number of heap-allocated bytes for the purpose of 0405 * DTLS handshake message reassembly and future message buffering. 0406 */ 0407 #if !defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING) 0408 #define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 0409 #endif 0410 0411 /* 0412 * Maximum length of CIDs for incoming and outgoing messages. 0413 */ 0414 #if !defined(MBEDTLS_SSL_CID_IN_LEN_MAX) 0415 #define MBEDTLS_SSL_CID_IN_LEN_MAX 32 0416 #endif 0417 0418 #if !defined(MBEDTLS_SSL_CID_OUT_LEN_MAX) 0419 #define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 0420 #endif 0421 0422 #if !defined(MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) 0423 #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 0424 #endif 0425 0426 #if !defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) 0427 #define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 0428 #endif 0429 0430 #if !defined(MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) 0431 #define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 0432 #endif 0433 0434 #if !defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH) 0435 #define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 0436 #endif 0437 0438 #if !defined(MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS) 0439 #define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 0440 #endif 0441 0442 /** \} name SECTION: Module settings */ 0443 0444 /* 0445 * Default to standard CID mode 0446 */ 0447 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ 0448 !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) 0449 #define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 0450 #endif 0451 0452 /* 0453 * Length of the verify data for secure renegotiation 0454 */ 0455 #define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12 0456 0457 /* 0458 * Signaling ciphersuite values (SCSV) 0459 */ 0460 #define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */ 0461 0462 /* 0463 * Supported Signature and Hash algorithms (For TLS 1.2) 0464 * RFC 5246 section 7.4.1.4.1 0465 */ 0466 #define MBEDTLS_SSL_HASH_NONE 0 0467 #define MBEDTLS_SSL_HASH_MD5 1 0468 #define MBEDTLS_SSL_HASH_SHA1 2 0469 #define MBEDTLS_SSL_HASH_SHA224 3 0470 #define MBEDTLS_SSL_HASH_SHA256 4 0471 #define MBEDTLS_SSL_HASH_SHA384 5 0472 #define MBEDTLS_SSL_HASH_SHA512 6 0473 0474 #define MBEDTLS_SSL_SIG_ANON 0 0475 #define MBEDTLS_SSL_SIG_RSA 1 0476 #define MBEDTLS_SSL_SIG_ECDSA 3 0477 0478 /* 0479 * TLS 1.3 signature algorithms 0480 * RFC 8446, Section 4.2.3 0481 */ 0482 0483 /* RSASSA-PKCS1-v1_5 algorithms */ 0484 #define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 0x0401 0485 #define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 0x0501 0486 #define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 0x0601 0487 0488 /* ECDSA algorithms */ 0489 #define MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 0x0403 0490 #define MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 0x0503 0491 #define MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 0x0603 0492 0493 /* RSASSA-PSS algorithms with public key OID rsaEncryption */ 0494 #define MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 0x0804 0495 #define MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 0x0805 0496 #define MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 0x0806 0497 0498 /* EdDSA algorithms */ 0499 #define MBEDTLS_TLS1_3_SIG_ED25519 0x0807 0500 #define MBEDTLS_TLS1_3_SIG_ED448 0x0808 0501 0502 /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */ 0503 #define MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256 0x0809 0504 #define MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384 0x080A 0505 #define MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512 0x080B 0506 0507 /* LEGACY ALGORITHMS */ 0508 #define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1 0x0201 0509 #define MBEDTLS_TLS1_3_SIG_ECDSA_SHA1 0x0203 0510 0511 #define MBEDTLS_TLS1_3_SIG_NONE 0x0 0512 0513 /* 0514 * Client Certificate Types 0515 * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5 0516 */ 0517 #define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN 1 0518 #define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN 64 0519 0520 /* 0521 * Message, alert and handshake types 0522 */ 0523 #define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC 20 0524 #define MBEDTLS_SSL_MSG_ALERT 21 0525 #define MBEDTLS_SSL_MSG_HANDSHAKE 22 0526 #define MBEDTLS_SSL_MSG_APPLICATION_DATA 23 0527 #define MBEDTLS_SSL_MSG_CID 25 0528 0529 #define MBEDTLS_SSL_ALERT_LEVEL_WARNING 1 0530 #define MBEDTLS_SSL_ALERT_LEVEL_FATAL 2 0531 0532 #define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY 0 /* 0x00 */ 0533 #define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE 10 /* 0x0A */ 0534 #define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC 20 /* 0x14 */ 0535 #define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED 21 /* 0x15 */ 0536 #define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW 22 /* 0x16 */ 0537 #define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30 /* 0x1E */ 0538 #define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 /* 0x28 */ 0539 #define MBEDTLS_SSL_ALERT_MSG_NO_CERT 41 /* 0x29 */ 0540 #define MBEDTLS_SSL_ALERT_MSG_BAD_CERT 42 /* 0x2A */ 0541 #define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT 43 /* 0x2B */ 0542 #define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED 44 /* 0x2C */ 0543 #define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED 45 /* 0x2D */ 0544 #define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN 46 /* 0x2E */ 0545 #define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER 47 /* 0x2F */ 0546 #define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA 48 /* 0x30 */ 0547 #define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED 49 /* 0x31 */ 0548 #define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR 50 /* 0x32 */ 0549 #define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR 51 /* 0x33 */ 0550 #define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION 60 /* 0x3C */ 0551 #define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION 70 /* 0x46 */ 0552 #define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71 /* 0x47 */ 0553 #define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR 80 /* 0x50 */ 0554 #define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86 /* 0x56 */ 0555 #define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED 90 /* 0x5A */ 0556 #define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION 100 /* 0x64 */ 0557 #define MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION 109 /* 0x6d -- new in TLS 1.3 */ 0558 #define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT 110 /* 0x6E */ 0559 #define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME 112 /* 0x70 */ 0560 #define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115 /* 0x73 */ 0561 #define MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED 116 /* 0x74 */ 0562 #define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */ 0563 0564 #define MBEDTLS_SSL_HS_HELLO_REQUEST 0 0565 #define MBEDTLS_SSL_HS_CLIENT_HELLO 1 0566 #define MBEDTLS_SSL_HS_SERVER_HELLO 2 0567 #define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST 3 0568 #define MBEDTLS_SSL_HS_NEW_SESSION_TICKET 4 0569 #define MBEDTLS_SSL_HS_END_OF_EARLY_DATA 5 0570 #define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS 8 0571 #define MBEDTLS_SSL_HS_CERTIFICATE 11 0572 #define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE 12 0573 #define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST 13 0574 #define MBEDTLS_SSL_HS_SERVER_HELLO_DONE 14 0575 #define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY 15 0576 #define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE 16 0577 #define MBEDTLS_SSL_HS_FINISHED 20 0578 #define MBEDTLS_SSL_HS_MESSAGE_HASH 254 0579 0580 /* 0581 * TLS extensions 0582 */ 0583 #define MBEDTLS_TLS_EXT_SERVERNAME 0 0584 #define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME 0 0585 0586 #define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH 1 0587 0588 #define MBEDTLS_TLS_EXT_TRUNCATED_HMAC 4 0589 #define MBEDTLS_TLS_EXT_STATUS_REQUEST 5 /* RFC 6066 TLS 1.2 and 1.3 */ 0590 0591 #define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10 0592 #define MBEDTLS_TLS_EXT_SUPPORTED_GROUPS 10 /* RFC 8422,7919 TLS 1.2 and 1.3 */ 0593 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS 11 0594 0595 #define MBEDTLS_TLS_EXT_SIG_ALG 13 /* RFC 8446 TLS 1.3 */ 0596 #define MBEDTLS_TLS_EXT_USE_SRTP 14 0597 #define MBEDTLS_TLS_EXT_HEARTBEAT 15 /* RFC 6520 TLS 1.2 and 1.3 */ 0598 #define MBEDTLS_TLS_EXT_ALPN 16 0599 0600 #define MBEDTLS_TLS_EXT_SCT 18 /* RFC 6962 TLS 1.2 and 1.3 */ 0601 #define MBEDTLS_TLS_EXT_CLI_CERT_TYPE 19 /* RFC 7250 TLS 1.2 and 1.3 */ 0602 #define MBEDTLS_TLS_EXT_SERV_CERT_TYPE 20 /* RFC 7250 TLS 1.2 and 1.3 */ 0603 #define MBEDTLS_TLS_EXT_PADDING 21 /* RFC 7685 TLS 1.2 and 1.3 */ 0604 #define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */ 0605 #define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET 0x0017 /* 23 */ 0606 0607 #define MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT 28 /* RFC 8449 (implemented for TLS 1.3 only) */ 0608 0609 #define MBEDTLS_TLS_EXT_SESSION_TICKET 35 0610 0611 #define MBEDTLS_TLS_EXT_PRE_SHARED_KEY 41 /* RFC 8446 TLS 1.3 */ 0612 #define MBEDTLS_TLS_EXT_EARLY_DATA 42 /* RFC 8446 TLS 1.3 */ 0613 #define MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS 43 /* RFC 8446 TLS 1.3 */ 0614 #define MBEDTLS_TLS_EXT_COOKIE 44 /* RFC 8446 TLS 1.3 */ 0615 #define MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES 45 /* RFC 8446 TLS 1.3 */ 0616 0617 #define MBEDTLS_TLS_EXT_CERT_AUTH 47 /* RFC 8446 TLS 1.3 */ 0618 #define MBEDTLS_TLS_EXT_OID_FILTERS 48 /* RFC 8446 TLS 1.3 */ 0619 #define MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH 49 /* RFC 8446 TLS 1.3 */ 0620 #define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */ 0621 #define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */ 0622 0623 #if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 0624 #define MBEDTLS_TLS_EXT_CID 54 /* RFC 9146 DTLS 1.2 CID */ 0625 #else 0626 #define MBEDTLS_TLS_EXT_CID 254 /* Pre-RFC 9146 DTLS 1.2 CID */ 0627 #endif 0628 0629 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */ 0630 0631 #define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO 0xFF01 0632 0633 /* 0634 * Size defines 0635 */ 0636 #if !defined(MBEDTLS_PSK_MAX_LEN) 0637 /* 0638 * If the library supports TLS 1.3 tickets and the cipher suite 0639 * TLS1-3-AES-256-GCM-SHA384, set the PSK maximum length to 48 instead of 32. 0640 * That way, the TLS 1.3 client and server are able to resume sessions where 0641 * the cipher suite is TLS1-3-AES-256-GCM-SHA384 (pre-shared keys are 48 0642 * bytes long in that case). 0643 */ 0644 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 0645 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 0646 defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) && \ 0647 defined(MBEDTLS_MD_CAN_SHA384) 0648 #define MBEDTLS_PSK_MAX_LEN 48 /* 384 bits */ 0649 #else 0650 #define MBEDTLS_PSK_MAX_LEN 32 /* 256 bits */ 0651 #endif 0652 #endif /* !MBEDTLS_PSK_MAX_LEN */ 0653 0654 /* Dummy type used only for its size */ 0655 union mbedtls_ssl_premaster_secret { 0656 unsigned char dummy; /* Make the union non-empty even with SSL disabled */ 0657 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 0658 unsigned char _pms_rsa[48]; /* RFC 5246 8.1.1 */ 0659 #endif 0660 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 0661 unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE]; /* RFC 5246 8.1.2 */ 0662 #endif 0663 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 0664 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 0665 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 0666 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 0667 unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES]; /* RFC 4492 5.10 */ 0668 #endif 0669 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 0670 unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 2 */ 0671 #endif 0672 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 0673 unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE 0674 + MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 3 */ 0675 #endif 0676 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 0677 unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 4 */ 0678 #endif 0679 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 0680 unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES 0681 + MBEDTLS_PSK_MAX_LEN]; /* RFC 5489 2 */ 0682 #endif 0683 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 0684 unsigned char _pms_ecjpake[32]; /* Thread spec: SHA-256 output */ 0685 #endif 0686 }; 0687 0688 #define MBEDTLS_PREMASTER_SIZE sizeof(union mbedtls_ssl_premaster_secret) 0689 0690 #define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE 0691 0692 0693 /* Length in number of bytes of the TLS sequence number */ 0694 #define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8 0695 0696 #ifdef __cplusplus 0697 extern "C" { 0698 #endif 0699 0700 /* 0701 * SSL state machine 0702 */ 0703 typedef enum { 0704 MBEDTLS_SSL_HELLO_REQUEST, 0705 MBEDTLS_SSL_CLIENT_HELLO, 0706 MBEDTLS_SSL_SERVER_HELLO, 0707 MBEDTLS_SSL_SERVER_CERTIFICATE, 0708 MBEDTLS_SSL_SERVER_KEY_EXCHANGE, 0709 MBEDTLS_SSL_CERTIFICATE_REQUEST, 0710 MBEDTLS_SSL_SERVER_HELLO_DONE, 0711 MBEDTLS_SSL_CLIENT_CERTIFICATE, 0712 MBEDTLS_SSL_CLIENT_KEY_EXCHANGE, 0713 MBEDTLS_SSL_CERTIFICATE_VERIFY, 0714 MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC, 0715 MBEDTLS_SSL_CLIENT_FINISHED, 0716 MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC, 0717 MBEDTLS_SSL_SERVER_FINISHED, 0718 MBEDTLS_SSL_FLUSH_BUFFERS, 0719 MBEDTLS_SSL_HANDSHAKE_WRAPUP, 0720 MBEDTLS_SSL_NEW_SESSION_TICKET, 0721 MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, 0722 MBEDTLS_SSL_HELLO_RETRY_REQUEST, 0723 MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, 0724 MBEDTLS_SSL_END_OF_EARLY_DATA, 0725 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, 0726 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, 0727 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, 0728 MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, 0729 MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO, 0730 MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST, 0731 MBEDTLS_SSL_HANDSHAKE_OVER, 0732 MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET, 0733 MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH, 0734 } 0735 mbedtls_ssl_states; 0736 0737 /* 0738 * Early data status, client side only. 0739 */ 0740 0741 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) 0742 typedef enum { 0743 /* 0744 * See documentation of mbedtls_ssl_get_early_data_status(). 0745 */ 0746 MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED, 0747 MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED, 0748 MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED, 0749 } mbedtls_ssl_early_data_status; 0750 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ 0751 0752 /** 0753 * \brief Callback type: send data on the network. 0754 * 0755 * \note That callback may be either blocking or non-blocking. 0756 * 0757 * \param ctx Context for the send callback (typically a file descriptor) 0758 * \param buf Buffer holding the data to send 0759 * \param len Length of the data to send 0760 * 0761 * \return The callback must return the number of bytes sent if any, 0762 * or a non-zero error code. 0763 * If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_WRITE 0764 * must be returned when the operation would block. 0765 * 0766 * \note The callback is allowed to send fewer bytes than requested. 0767 * It must always return the number of bytes actually sent. 0768 */ 0769 typedef int mbedtls_ssl_send_t(void *ctx, 0770 const unsigned char *buf, 0771 size_t len); 0772 0773 /** 0774 * \brief Callback type: receive data from the network. 0775 * 0776 * \note That callback may be either blocking or non-blocking. 0777 * 0778 * \param ctx Context for the receive callback (typically a file 0779 * descriptor) 0780 * \param buf Buffer to write the received data to 0781 * \param len Length of the receive buffer 0782 * 0783 * \returns If data has been received, the positive number of bytes received. 0784 * \returns \c 0 if the connection has been closed. 0785 * \returns If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ 0786 * must be returned when the operation would block. 0787 * \returns Another negative error code on other kinds of failures. 0788 * 0789 * \note The callback may receive fewer bytes than the length of the 0790 * buffer. It must always return the number of bytes actually 0791 * received and written to the buffer. 0792 */ 0793 typedef int mbedtls_ssl_recv_t(void *ctx, 0794 unsigned char *buf, 0795 size_t len); 0796 0797 /** 0798 * \brief Callback type: receive data from the network, with timeout 0799 * 0800 * \note That callback must block until data is received, or the 0801 * timeout delay expires, or the operation is interrupted by a 0802 * signal. 0803 * 0804 * \param ctx Context for the receive callback (typically a file descriptor) 0805 * \param buf Buffer to write the received data to 0806 * \param len Length of the receive buffer 0807 * \param timeout Maximum number of milliseconds to wait for data 0808 * 0 means no timeout (potentially waiting forever) 0809 * 0810 * \return The callback must return the number of bytes received, 0811 * or a non-zero error code: 0812 * \c MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out, 0813 * \c MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal. 0814 * 0815 * \note The callback may receive fewer bytes than the length of the 0816 * buffer. It must always return the number of bytes actually 0817 * received and written to the buffer. 0818 */ 0819 typedef int mbedtls_ssl_recv_timeout_t(void *ctx, 0820 unsigned char *buf, 0821 size_t len, 0822 uint32_t timeout); 0823 /** 0824 * \brief Callback type: set a pair of timers/delays to watch 0825 * 0826 * \param ctx Context pointer 0827 * \param int_ms Intermediate delay in milliseconds 0828 * \param fin_ms Final delay in milliseconds 0829 * 0 cancels the current timer. 0830 * 0831 * \note This callback must at least store the necessary information 0832 * for the associated \c mbedtls_ssl_get_timer_t callback to 0833 * return correct information. 0834 * 0835 * \note If using an event-driven style of programming, an event must 0836 * be generated when the final delay is passed. The event must 0837 * cause a call to \c mbedtls_ssl_handshake() with the proper 0838 * SSL context to be scheduled. Care must be taken to ensure 0839 * that at most one such call happens at a time. 0840 * 0841 * \note Only one timer at a time must be running. Calling this 0842 * function while a timer is running must cancel it. Cancelled 0843 * timers must not generate any event. 0844 */ 0845 typedef void mbedtls_ssl_set_timer_t(void *ctx, 0846 uint32_t int_ms, 0847 uint32_t fin_ms); 0848 0849 /** 0850 * \brief Callback type: get status of timers/delays 0851 * 0852 * \param ctx Context pointer 0853 * 0854 * \return This callback must return: 0855 * -1 if cancelled (fin_ms == 0), 0856 * 0 if none of the delays have passed, 0857 * 1 if only the intermediate delay has passed, 0858 * 2 if the final delay has passed. 0859 */ 0860 typedef int mbedtls_ssl_get_timer_t(void *ctx); 0861 0862 /* Defined below */ 0863 typedef struct mbedtls_ssl_session mbedtls_ssl_session; 0864 typedef struct mbedtls_ssl_context mbedtls_ssl_context; 0865 typedef struct mbedtls_ssl_config mbedtls_ssl_config; 0866 0867 /* Defined in library/ssl_misc.h */ 0868 typedef struct mbedtls_ssl_transform mbedtls_ssl_transform; 0869 typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params; 0870 typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t; 0871 #if defined(MBEDTLS_X509_CRT_PARSE_C) 0872 typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; 0873 #endif 0874 #if defined(MBEDTLS_SSL_PROTO_DTLS) 0875 typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; 0876 #endif 0877 0878 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 0879 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \ 0880 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ 0881 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ 0882 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */ 0883 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA (1U << 3) 0884 0885 #define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK \ 0886 (MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION | \ 0887 MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION | \ 0888 MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) 0889 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 0890 0891 /** 0892 * \brief Callback type: server-side session cache getter 0893 * 0894 * The session cache is logically a key value store, with 0895 * keys being session IDs and values being instances of 0896 * mbedtls_ssl_session. 0897 * 0898 * This callback retrieves an entry in this key-value store. 0899 * 0900 * \param data The address of the session cache structure to query. 0901 * \param session_id The buffer holding the session ID to query. 0902 * \param session_id_len The length of \p session_id in Bytes. 0903 * \param session The address of the session structure to populate. 0904 * It is initialized with mbdtls_ssl_session_init(), 0905 * and the callback must always leave it in a state 0906 * where it can safely be freed via 0907 * mbedtls_ssl_session_free() independent of the 0908 * return code of this function. 0909 * 0910 * \return \c 0 on success 0911 * \return A non-zero return value on failure. 0912 * 0913 */ 0914 typedef int mbedtls_ssl_cache_get_t(void *data, 0915 unsigned char const *session_id, 0916 size_t session_id_len, 0917 mbedtls_ssl_session *session); 0918 /** 0919 * \brief Callback type: server-side session cache setter 0920 * 0921 * The session cache is logically a key value store, with 0922 * keys being session IDs and values being instances of 0923 * mbedtls_ssl_session. 0924 * 0925 * This callback sets an entry in this key-value store. 0926 * 0927 * \param data The address of the session cache structure to modify. 0928 * \param session_id The buffer holding the session ID to query. 0929 * \param session_id_len The length of \p session_id in Bytes. 0930 * \param session The address of the session to be stored in the 0931 * session cache. 0932 * 0933 * \return \c 0 on success 0934 * \return A non-zero return value on failure. 0935 */ 0936 typedef int mbedtls_ssl_cache_set_t(void *data, 0937 unsigned char const *session_id, 0938 size_t session_id_len, 0939 const mbedtls_ssl_session *session); 0940 0941 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 0942 #if defined(MBEDTLS_X509_CRT_PARSE_C) 0943 /** 0944 * \brief Callback type: start external signature operation. 0945 * 0946 * This callback is called during an SSL handshake to start 0947 * a signature decryption operation using an 0948 * external processor. The parameter \p cert contains 0949 * the public key; it is up to the callback function to 0950 * determine how to access the associated private key. 0951 * 0952 * This function typically sends or enqueues a request, and 0953 * does not wait for the operation to complete. This allows 0954 * the handshake step to be non-blocking. 0955 * 0956 * The parameters \p ssl and \p cert are guaranteed to remain 0957 * valid throughout the handshake. On the other hand, this 0958 * function must save the contents of \p hash if the value 0959 * is needed for later processing, because the \p hash buffer 0960 * is no longer valid after this function returns. 0961 * 0962 * This function may call mbedtls_ssl_set_async_operation_data() 0963 * to store an operation context for later retrieval 0964 * by the resume or cancel callback. 0965 * 0966 * \note For RSA signatures, this function must produce output 0967 * that is consistent with PKCS#1 v1.5 in the same way as 0968 * mbedtls_rsa_pkcs1_sign(). Before the private key operation, 0969 * apply the padding steps described in RFC 8017, section 9.2 0970 * "EMSA-PKCS1-v1_5" as follows. 0971 * - If \p md_alg is #MBEDTLS_MD_NONE, apply the PKCS#1 v1.5 0972 * encoding, treating \p hash as the DigestInfo to be 0973 * padded. In other words, apply EMSA-PKCS1-v1_5 starting 0974 * from step 3, with `T = hash` and `tLen = hash_len`. 0975 * - If `md_alg != MBEDTLS_MD_NONE`, apply the PKCS#1 v1.5 0976 * encoding, treating \p hash as the hash to be encoded and 0977 * padded. In other words, apply EMSA-PKCS1-v1_5 starting 0978 * from step 2, with `digestAlgorithm` obtained by calling 0979 * mbedtls_oid_get_oid_by_md() on \p md_alg. 0980 * 0981 * \note For ECDSA signatures, the output format is the DER encoding 0982 * `Ecdsa-Sig-Value` defined in 0983 * [RFC 4492 section 5.4](https://tools.ietf.org/html/rfc4492#section-5.4). 0984 * 0985 * \param ssl The SSL connection instance. It should not be 0986 * modified other than via 0987 * mbedtls_ssl_set_async_operation_data(). 0988 * \param cert Certificate containing the public key. 0989 * In simple cases, this is one of the pointers passed to 0990 * mbedtls_ssl_conf_own_cert() when configuring the SSL 0991 * connection. However, if other callbacks are used, this 0992 * property may not hold. For example, if an SNI callback 0993 * is registered with mbedtls_ssl_conf_sni(), then 0994 * this callback determines what certificate is used. 0995 * \param md_alg Hash algorithm. 0996 * \param hash Buffer containing the hash. This buffer is 0997 * no longer valid when the function returns. 0998 * \param hash_len Size of the \c hash buffer in bytes. 0999 * 1000 * \return 0 if the operation was started successfully and the SSL 1001 * stack should call the resume callback immediately. 1002 * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation 1003 * was started successfully and the SSL stack should return 1004 * immediately without calling the resume callback yet. 1005 * \return #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external 1006 * processor does not support this key. The SSL stack will 1007 * use the private key object instead. 1008 * \return Any other error indicates a fatal failure and is 1009 * propagated up the call chain. The callback should 1010 * use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b> 1011 * use \c MBEDTLS_ERR_SSL_xxx error codes except as 1012 * directed in the documentation of this callback. 1013 */ 1014 typedef int mbedtls_ssl_async_sign_t(mbedtls_ssl_context *ssl, 1015 mbedtls_x509_crt *cert, 1016 mbedtls_md_type_t md_alg, 1017 const unsigned char *hash, 1018 size_t hash_len); 1019 1020 /** 1021 * \brief Callback type: start external decryption operation. 1022 * 1023 * This callback is called during an SSL handshake to start 1024 * an RSA decryption operation using an 1025 * external processor. The parameter \p cert contains 1026 * the public key; it is up to the callback function to 1027 * determine how to access the associated private key. 1028 * 1029 * This function typically sends or enqueues a request, and 1030 * does not wait for the operation to complete. This allows 1031 * the handshake step to be non-blocking. 1032 * 1033 * The parameters \p ssl and \p cert are guaranteed to remain 1034 * valid throughout the handshake. On the other hand, this 1035 * function must save the contents of \p input if the value 1036 * is needed for later processing, because the \p input buffer 1037 * is no longer valid after this function returns. 1038 * 1039 * This function may call mbedtls_ssl_set_async_operation_data() 1040 * to store an operation context for later retrieval 1041 * by the resume or cancel callback. 1042 * 1043 * \warning RSA decryption as used in TLS is subject to a potential 1044 * timing side channel attack first discovered by Bleichenbacher 1045 * in 1998. This attack can be remotely exploitable 1046 * in practice. To avoid this attack, you must ensure that 1047 * if the callback performs an RSA decryption, the time it 1048 * takes to execute and return the result does not depend 1049 * on whether the RSA decryption succeeded or reported 1050 * invalid padding. 1051 * 1052 * \param ssl The SSL connection instance. It should not be 1053 * modified other than via 1054 * mbedtls_ssl_set_async_operation_data(). 1055 * \param cert Certificate containing the public key. 1056 * In simple cases, this is one of the pointers passed to 1057 * mbedtls_ssl_conf_own_cert() when configuring the SSL 1058 * connection. However, if other callbacks are used, this 1059 * property may not hold. For example, if an SNI callback 1060 * is registered with mbedtls_ssl_conf_sni(), then 1061 * this callback determines what certificate is used. 1062 * \param input Buffer containing the input ciphertext. This buffer 1063 * is no longer valid when the function returns. 1064 * \param input_len Size of the \p input buffer in bytes. 1065 * 1066 * \return 0 if the operation was started successfully and the SSL 1067 * stack should call the resume callback immediately. 1068 * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation 1069 * was started successfully and the SSL stack should return 1070 * immediately without calling the resume callback yet. 1071 * \return #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external 1072 * processor does not support this key. The SSL stack will 1073 * use the private key object instead. 1074 * \return Any other error indicates a fatal failure and is 1075 * propagated up the call chain. The callback should 1076 * use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b> 1077 * use \c MBEDTLS_ERR_SSL_xxx error codes except as 1078 * directed in the documentation of this callback. 1079 */ 1080 typedef int mbedtls_ssl_async_decrypt_t(mbedtls_ssl_context *ssl, 1081 mbedtls_x509_crt *cert, 1082 const unsigned char *input, 1083 size_t input_len); 1084 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1085 1086 /** 1087 * \brief Callback type: resume external operation. 1088 * 1089 * This callback is called during an SSL handshake to resume 1090 * an external operation started by the 1091 * ::mbedtls_ssl_async_sign_t or 1092 * ::mbedtls_ssl_async_decrypt_t callback. 1093 * 1094 * This function typically checks the status of a pending 1095 * request or causes the request queue to make progress, and 1096 * does not wait for the operation to complete. This allows 1097 * the handshake step to be non-blocking. 1098 * 1099 * This function may call mbedtls_ssl_get_async_operation_data() 1100 * to retrieve an operation context set by the start callback. 1101 * It may call mbedtls_ssl_set_async_operation_data() to modify 1102 * this context. 1103 * 1104 * Note that when this function returns a status other than 1105 * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it must free any 1106 * resources associated with the operation. 1107 * 1108 * \param ssl The SSL connection instance. It should not be 1109 * modified other than via 1110 * mbedtls_ssl_set_async_operation_data(). 1111 * \param output Buffer containing the output (signature or decrypted 1112 * data) on success. 1113 * \param output_len On success, number of bytes written to \p output. 1114 * \param output_size Size of the \p output buffer in bytes. 1115 * 1116 * \return 0 if output of the operation is available in the 1117 * \p output buffer. 1118 * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation 1119 * is still in progress. Subsequent requests for progress 1120 * on the SSL connection will call the resume callback 1121 * again. 1122 * \return Any other error means that the operation is aborted. 1123 * The SSL handshake is aborted. The callback should 1124 * use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b> 1125 * use \c MBEDTLS_ERR_SSL_xxx error codes except as 1126 * directed in the documentation of this callback. 1127 */ 1128 typedef int mbedtls_ssl_async_resume_t(mbedtls_ssl_context *ssl, 1129 unsigned char *output, 1130 size_t *output_len, 1131 size_t output_size); 1132 1133 /** 1134 * \brief Callback type: cancel external operation. 1135 * 1136 * This callback is called if an SSL connection is closed 1137 * while an asynchronous operation is in progress. Note that 1138 * this callback is not called if the 1139 * ::mbedtls_ssl_async_resume_t callback has run and has 1140 * returned a value other than 1141 * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, since in that case 1142 * the asynchronous operation has already completed. 1143 * 1144 * This function may call mbedtls_ssl_get_async_operation_data() 1145 * to retrieve an operation context set by the start callback. 1146 * 1147 * \param ssl The SSL connection instance. It should not be 1148 * modified. 1149 */ 1150 typedef void mbedtls_ssl_async_cancel_t(mbedtls_ssl_context *ssl); 1151 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 1152 1153 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \ 1154 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1155 #define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN 48 1156 #if defined(MBEDTLS_MD_CAN_SHA256) 1157 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256 1158 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 32 1159 #elif defined(MBEDTLS_MD_CAN_SHA384) 1160 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384 1161 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 48 1162 #elif defined(MBEDTLS_MD_CAN_SHA1) 1163 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1 1164 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 20 1165 #else 1166 /* This is already checked in check_config.h, but be sure. */ 1167 #error "Bad configuration - need SHA-1, SHA-256 or SHA-512 enabled to compute digest of peer CRT." 1168 #endif 1169 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && 1170 !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 1171 1172 typedef struct { 1173 unsigned char client_application_traffic_secret_N[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1174 unsigned char server_application_traffic_secret_N[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1175 unsigned char exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1176 unsigned char resumption_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1177 } mbedtls_ssl_tls13_application_secrets; 1178 1179 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1180 1181 #define MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH 255 1182 #define MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH 4 1183 /* 1184 * For code readability use a typedef for DTLS-SRTP profiles 1185 * 1186 * Use_srtp extension protection profiles values as defined in 1187 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml 1188 * 1189 * Reminder: if this list is expanded mbedtls_ssl_check_srtp_profile_value 1190 * must be updated too. 1191 */ 1192 #define MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80 ((uint16_t) 0x0001) 1193 #define MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32 ((uint16_t) 0x0002) 1194 #define MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80 ((uint16_t) 0x0005) 1195 #define MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32 ((uint16_t) 0x0006) 1196 /* This one is not iana defined, but for code readability. */ 1197 #define MBEDTLS_TLS_SRTP_UNSET ((uint16_t) 0x0000) 1198 1199 typedef uint16_t mbedtls_ssl_srtp_profile; 1200 1201 typedef struct mbedtls_dtls_srtp_info_t { 1202 /*! The SRTP profile that was negotiated. */ 1203 mbedtls_ssl_srtp_profile MBEDTLS_PRIVATE(chosen_dtls_srtp_profile); 1204 /*! The length of mki_value. */ 1205 uint16_t MBEDTLS_PRIVATE(mki_len); 1206 /*! The mki_value used, with max size of 256 bytes. */ 1207 unsigned char MBEDTLS_PRIVATE(mki_value)[MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH]; 1208 } 1209 mbedtls_dtls_srtp_info; 1210 1211 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 1212 1213 /** Human-friendly representation of the (D)TLS protocol version. */ 1214 typedef enum { 1215 MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */ 1216 MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */ 1217 MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */ 1218 } mbedtls_ssl_protocol_version; 1219 1220 /* 1221 * This structure is used for storing current session data. 1222 * 1223 * Note: when changing this definition, we need to check and update: 1224 * - in tests/suites/test_suite_ssl.function: 1225 * ssl_populate_session() and ssl_serialize_session_save_load() 1226 * - in library/ssl_tls.c: 1227 * mbedtls_ssl_session_init() and mbedtls_ssl_session_free() 1228 * mbedtls_ssl_session_save() and ssl_session_load() 1229 * ssl_session_copy() 1230 */ 1231 struct mbedtls_ssl_session { 1232 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1233 unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */ 1234 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1235 1236 /*!< RecordSizeLimit received from the peer */ 1237 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 1238 uint16_t MBEDTLS_PRIVATE(record_size_limit); 1239 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 1240 1241 unsigned char MBEDTLS_PRIVATE(exported); 1242 uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ 1243 1244 /** TLS version negotiated in the session. Used if and when renegotiating 1245 * or resuming a session instead of the configured minor TLS version. 1246 */ 1247 mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version); 1248 1249 #if defined(MBEDTLS_HAVE_TIME) 1250 mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< start time of current session */ 1251 #endif 1252 int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ 1253 size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ 1254 unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ 1255 unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ 1256 1257 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1258 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1259 mbedtls_x509_crt *MBEDTLS_PRIVATE(peer_cert); /*!< peer X.509 cert chain */ 1260 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 1261 /*! The digest of the peer's end-CRT. This must be kept to detect CRT 1262 * changes during renegotiation, mitigating the triple handshake attack. */ 1263 unsigned char *MBEDTLS_PRIVATE(peer_cert_digest); 1264 size_t MBEDTLS_PRIVATE(peer_cert_digest_len); 1265 mbedtls_md_type_t MBEDTLS_PRIVATE(peer_cert_digest_type); 1266 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 1267 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1268 uint32_t MBEDTLS_PRIVATE(verify_result); /*!< verification result */ 1269 1270 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 1271 unsigned char *MBEDTLS_PRIVATE(ticket); /*!< RFC 5077 session ticket */ 1272 size_t MBEDTLS_PRIVATE(ticket_len); /*!< session ticket length */ 1273 uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< ticket lifetime hint */ 1274 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 1275 1276 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) && \ 1277 defined(MBEDTLS_HAVE_TIME) 1278 /*! When a ticket is created by a TLS server as part of an established TLS 1279 * session, the ticket creation time may need to be saved for the ticket 1280 * module to be able to check the ticket age when the ticket is used. 1281 * That's the purpose of this field. 1282 * Before creating a new ticket, an Mbed TLS server set this field with 1283 * its current time in milliseconds. This time may then be saved in the 1284 * session ticket data by the session ticket writing function and 1285 * recovered by the ticket parsing function later when the ticket is used. 1286 * The ticket module may then use this time to compute the ticket age and 1287 * determine if it has expired or not. 1288 * The Mbed TLS implementations of the session ticket writing and parsing 1289 * functions save and retrieve the ticket creation time as part of the 1290 * session ticket data. The session ticket parsing function relies on 1291 * the mbedtls_ssl_session_get_ticket_creation_time() API to get the 1292 * ticket creation time from the session ticket data. 1293 */ 1294 mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_creation_time); 1295 #endif 1296 1297 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 1298 uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */ 1299 uint8_t MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */ 1300 uint8_t MBEDTLS_PRIVATE(resumption_key_len); /*!< resumption_key length */ 1301 unsigned char MBEDTLS_PRIVATE(resumption_key)[MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN]; 1302 1303 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C) 1304 char *MBEDTLS_PRIVATE(hostname); /*!< host name binded with tickets */ 1305 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */ 1306 1307 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) 1308 char *ticket_alpn; /*!< ALPN negotiated in the session 1309 during which the ticket was generated. */ 1310 #endif 1311 1312 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_CLI_C) 1313 /*! Time in milliseconds when the last ticket was received. */ 1314 mbedtls_ms_time_t MBEDTLS_PRIVATE(ticket_reception_time); 1315 #endif 1316 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 1317 1318 #if defined(MBEDTLS_SSL_EARLY_DATA) 1319 uint32_t MBEDTLS_PRIVATE(max_early_data_size); /*!< maximum amount of early data in tickets */ 1320 #endif 1321 1322 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1323 int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */ 1324 #endif 1325 1326 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1327 mbedtls_ssl_tls13_application_secrets MBEDTLS_PRIVATE(app_secrets); 1328 #endif 1329 }; 1330 1331 /* 1332 * Identifiers for PRFs used in various versions of TLS. 1333 */ 1334 typedef enum { 1335 MBEDTLS_SSL_TLS_PRF_NONE, 1336 MBEDTLS_SSL_TLS_PRF_SHA384, 1337 MBEDTLS_SSL_TLS_PRF_SHA256, 1338 MBEDTLS_SSL_HKDF_EXPAND_SHA384, 1339 MBEDTLS_SSL_HKDF_EXPAND_SHA256 1340 } 1341 mbedtls_tls_prf_types; 1342 1343 typedef enum { 1344 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET = 0, 1345 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1346 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, 1347 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_EARLY_EXPORTER_SECRET, 1348 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET, 1349 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET, 1350 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET, 1351 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET, 1352 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1353 } mbedtls_ssl_key_export_type; 1354 1355 /** 1356 * \brief Callback type: Export key alongside random values for 1357 * session identification, and PRF for 1358 * implementation of TLS key exporters. 1359 * 1360 * \param p_expkey Context for the callback. 1361 * \param type The type of the key that is being exported. 1362 * \param secret The address of the buffer holding the secret 1363 * that's being exporterd. 1364 * \param secret_len The length of \p secret in bytes. 1365 * \param client_random The client random bytes. 1366 * \param server_random The server random bytes. 1367 * \param tls_prf_type The identifier for the PRF used in the handshake 1368 * to which the key belongs. 1369 */ 1370 typedef void mbedtls_ssl_export_keys_t(void *p_expkey, 1371 mbedtls_ssl_key_export_type type, 1372 const unsigned char *secret, 1373 size_t secret_len, 1374 const unsigned char client_random[32], 1375 const unsigned char server_random[32], 1376 mbedtls_tls_prf_types tls_prf_type); 1377 1378 #if defined(MBEDTLS_SSL_SRV_C) 1379 /** 1380 * \brief Callback type: generic handshake callback 1381 * 1382 * \note Callbacks may use user_data funcs to set/get app user data. 1383 * See \c mbedtls_ssl_get_user_data_p() 1384 * \c mbedtls_ssl_get_user_data_n() 1385 * \c mbedtls_ssl_conf_get_user_data_p() 1386 * \c mbedtls_ssl_conf_get_user_data_n() 1387 * 1388 * \param ssl \c mbedtls_ssl_context on which the callback is run 1389 * 1390 * \return The return value of the callback is 0 if successful, 1391 * or a specific MBEDTLS_ERR_XXX code, which will cause 1392 * the handshake to be aborted. 1393 */ 1394 typedef int (*mbedtls_ssl_hs_cb_t)(mbedtls_ssl_context *ssl); 1395 #endif 1396 1397 /* A type for storing user data in a library structure. 1398 * 1399 * The representation of type may change in future versions of the library. 1400 * Only the behaviors guaranteed by documented accessor functions are 1401 * guaranteed to remain stable. 1402 */ 1403 typedef union { 1404 uintptr_t n; /* typically a handle to an associated object */ 1405 void *p; /* typically a pointer to extra data */ 1406 } mbedtls_ssl_user_data_t; 1407 1408 /** 1409 * SSL/TLS configuration to be shared between mbedtls_ssl_context structures. 1410 */ 1411 struct mbedtls_ssl_config { 1412 /* Group items mostly by size. This helps to reduce memory wasted to 1413 * padding. It also helps to keep smaller fields early in the structure, 1414 * so that elements tend to be in the 128-element direct access window 1415 * on Arm Thumb, which reduces the code size. */ 1416 1417 mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(max_tls_version); /*!< max. TLS version used */ 1418 mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(min_tls_version); /*!< min. TLS version used */ 1419 1420 /* 1421 * Flags (could be bit-fields to save RAM, but separate bytes make 1422 * the code smaller on architectures with an instruction for direct 1423 * byte access). 1424 */ 1425 1426 uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ 1427 uint8_t MBEDTLS_PRIVATE(transport); /*!< 0: stream (TLS), 1: datagram (DTLS) */ 1428 uint8_t MBEDTLS_PRIVATE(authmode); /*!< MBEDTLS_SSL_VERIFY_XXX */ 1429 /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ 1430 uint8_t MBEDTLS_PRIVATE(allow_legacy_renegotiation); /*!< MBEDTLS_LEGACY_XXX */ 1431 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1432 uint8_t MBEDTLS_PRIVATE(mfl_code); /*!< desired fragment length indicator 1433 (MBEDTLS_SSL_MAX_FRAG_LEN_XXX) */ 1434 #endif 1435 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1436 uint8_t MBEDTLS_PRIVATE(encrypt_then_mac); /*!< negotiate encrypt-then-mac? */ 1437 #endif 1438 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1439 uint8_t MBEDTLS_PRIVATE(extended_ms); /*!< negotiate extended master secret? */ 1440 #endif 1441 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1442 uint8_t MBEDTLS_PRIVATE(anti_replay); /*!< detect and prevent replay? */ 1443 #endif 1444 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1445 uint8_t MBEDTLS_PRIVATE(disable_renegotiation); /*!< disable renegotiation? */ 1446 #endif 1447 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 1448 defined(MBEDTLS_SSL_CLI_C) 1449 /** Encodes two booleans, one stating whether TLS 1.2 session tickets are 1450 * enabled or not, the other one whether the handling of TLS 1.3 1451 * NewSessionTicket messages is enabled or not. They are respectively set 1452 * by mbedtls_ssl_conf_session_tickets() and 1453 * mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). 1454 */ 1455 uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */ 1456 #endif 1457 1458 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 1459 defined(MBEDTLS_SSL_SRV_C) && \ 1460 defined(MBEDTLS_SSL_PROTO_TLS1_3) 1461 uint16_t MBEDTLS_PRIVATE(new_session_tickets_count); /*!< number of NewSessionTicket */ 1462 #endif 1463 1464 #if defined(MBEDTLS_SSL_SRV_C) 1465 uint8_t MBEDTLS_PRIVATE(cert_req_ca_list); /*!< enable sending CA list in 1466 Certificate Request messages? */ 1467 uint8_t MBEDTLS_PRIVATE(respect_cli_pref); /*!< pick the ciphersuite according to 1468 the client's preferences rather 1469 than ours? */ 1470 #endif 1471 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1472 uint8_t MBEDTLS_PRIVATE(ignore_unexpected_cid); /*!< Should DTLS record with 1473 * unexpected CID 1474 * lead to failure? */ 1475 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1476 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1477 uint8_t MBEDTLS_PRIVATE(dtls_srtp_mki_support); /* support having mki_value 1478 in the use_srtp extension? */ 1479 #endif 1480 1481 /* 1482 * Pointers 1483 */ 1484 1485 /** Allowed ciphersuites for (D)TLS 1.2 (0-terminated) */ 1486 const int *MBEDTLS_PRIVATE(ciphersuite_list); 1487 1488 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1489 /** Allowed TLS 1.3 key exchange modes. */ 1490 int MBEDTLS_PRIVATE(tls13_kex_modes); 1491 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1492 1493 /** Callback for printing debug output */ 1494 void(*MBEDTLS_PRIVATE(f_dbg))(void *, int, const char *, int, const char *); 1495 void *MBEDTLS_PRIVATE(p_dbg); /*!< context for the debug function */ 1496 1497 /** Callback for getting (pseudo-)random numbers */ 1498 int(*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t); 1499 void *MBEDTLS_PRIVATE(p_rng); /*!< context for the RNG function */ 1500 1501 /** Callback to retrieve a session from the cache */ 1502 mbedtls_ssl_cache_get_t *MBEDTLS_PRIVATE(f_get_cache); 1503 /** Callback to store a session into the cache */ 1504 mbedtls_ssl_cache_set_t *MBEDTLS_PRIVATE(f_set_cache); 1505 void *MBEDTLS_PRIVATE(p_cache); /*!< context for cache callbacks */ 1506 1507 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1508 /** Callback for setting cert according to SNI extension */ 1509 int(*MBEDTLS_PRIVATE(f_sni))(void *, mbedtls_ssl_context *, const unsigned char *, size_t); 1510 void *MBEDTLS_PRIVATE(p_sni); /*!< context for SNI callback */ 1511 #endif 1512 1513 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1514 /** Callback to customize X.509 certificate chain verification */ 1515 int(*MBEDTLS_PRIVATE(f_vrfy))(void *, mbedtls_x509_crt *, int, uint32_t *); 1516 void *MBEDTLS_PRIVATE(p_vrfy); /*!< context for X.509 verify calllback */ 1517 #endif 1518 1519 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 1520 #if defined(MBEDTLS_SSL_SRV_C) 1521 /** Callback to retrieve PSK key from identity */ 1522 int(*MBEDTLS_PRIVATE(f_psk))(void *, mbedtls_ssl_context *, const unsigned char *, size_t); 1523 void *MBEDTLS_PRIVATE(p_psk); /*!< context for PSK callback */ 1524 #endif 1525 #endif 1526 1527 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1528 /** Callback to create & write a cookie for ClientHello verification */ 1529 int(*MBEDTLS_PRIVATE(f_cookie_write))(void *, unsigned char **, unsigned char *, 1530 const unsigned char *, size_t); 1531 /** Callback to verify validity of a ClientHello cookie */ 1532 int(*MBEDTLS_PRIVATE(f_cookie_check))(void *, const unsigned char *, size_t, 1533 const unsigned char *, size_t); 1534 void *MBEDTLS_PRIVATE(p_cookie); /*!< context for the cookie callbacks */ 1535 #endif 1536 1537 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) 1538 /** Callback to create & write a session ticket */ 1539 int(*MBEDTLS_PRIVATE(f_ticket_write))(void *, const mbedtls_ssl_session *, 1540 unsigned char *, const unsigned char *, size_t *, 1541 uint32_t *); 1542 /** Callback to parse a session ticket into a session structure */ 1543 int(*MBEDTLS_PRIVATE(f_ticket_parse))(void *, mbedtls_ssl_session *, unsigned char *, size_t); 1544 void *MBEDTLS_PRIVATE(p_ticket); /*!< context for the ticket callbacks */ 1545 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ 1546 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1547 size_t MBEDTLS_PRIVATE(cid_len); /*!< The length of CIDs for incoming DTLS records. */ 1548 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1549 1550 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1551 const mbedtls_x509_crt_profile *MBEDTLS_PRIVATE(cert_profile); /*!< verification profile */ 1552 mbedtls_ssl_key_cert *MBEDTLS_PRIVATE(key_cert); /*!< own certificate/key pair(s) */ 1553 mbedtls_x509_crt *MBEDTLS_PRIVATE(ca_chain); /*!< trusted CAs */ 1554 mbedtls_x509_crl *MBEDTLS_PRIVATE(ca_crl); /*!< trusted CAs CRLs */ 1555 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1556 mbedtls_x509_crt_ca_cb_t MBEDTLS_PRIVATE(f_ca_cb); 1557 void *MBEDTLS_PRIVATE(p_ca_cb); 1558 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1559 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1560 1561 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 1562 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1563 mbedtls_ssl_async_sign_t *MBEDTLS_PRIVATE(f_async_sign_start); /*!< start asynchronous signature operation */ 1564 mbedtls_ssl_async_decrypt_t *MBEDTLS_PRIVATE(f_async_decrypt_start); /*!< start asynchronous decryption operation */ 1565 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1566 mbedtls_ssl_async_resume_t *MBEDTLS_PRIVATE(f_async_resume); /*!< resume asynchronous operation */ 1567 mbedtls_ssl_async_cancel_t *MBEDTLS_PRIVATE(f_async_cancel); /*!< cancel asynchronous operation */ 1568 void *MBEDTLS_PRIVATE(p_async_config_data); /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */ 1569 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 1570 1571 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 1572 1573 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1574 const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */ 1575 #endif 1576 const uint16_t *MBEDTLS_PRIVATE(sig_algs); /*!< allowed signature algorithms */ 1577 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 1578 1579 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1580 const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */ 1581 #endif 1582 1583 const uint16_t *MBEDTLS_PRIVATE(group_list); /*!< allowed IANA NamedGroups */ 1584 1585 #if defined(MBEDTLS_DHM_C) 1586 mbedtls_mpi MBEDTLS_PRIVATE(dhm_P); /*!< prime modulus for DHM */ 1587 mbedtls_mpi MBEDTLS_PRIVATE(dhm_G); /*!< generator for DHM */ 1588 #endif 1589 1590 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 1591 1592 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1593 mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field 1594 * should only be set via 1595 * mbedtls_ssl_conf_psk_opaque(). 1596 * If either no PSK or a raw PSK have been 1597 * configured, this has value \c 0. 1598 */ 1599 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1600 unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should 1601 * only be set via mbedtls_ssl_conf_psk(). 1602 * If either no PSK or an opaque PSK 1603 * have been configured, this has value NULL. */ 1604 size_t MBEDTLS_PRIVATE(psk_len); /*!< The length of the raw pre-shared key. 1605 * This field should only be set via 1606 * mbedtls_ssl_conf_psk(). 1607 * Its value is non-zero if and only if 1608 * \c psk is not \c NULL. */ 1609 1610 unsigned char *MBEDTLS_PRIVATE(psk_identity); /*!< The PSK identity for PSK negotiation. 1611 * This field should only be set via 1612 * mbedtls_ssl_conf_psk(). 1613 * This is set if and only if either 1614 * \c psk or \c psk_opaque are set. */ 1615 size_t MBEDTLS_PRIVATE(psk_identity_len);/*!< The length of PSK identity. 1616 * This field should only be set via 1617 * mbedtls_ssl_conf_psk(). 1618 * Its value is non-zero if and only if 1619 * \c psk is not \c NULL or \c psk_opaque 1620 * is not \c 0. */ 1621 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 1622 1623 #if defined(MBEDTLS_SSL_EARLY_DATA) 1624 int MBEDTLS_PRIVATE(early_data_enabled); /*!< Early data enablement: 1625 * - MBEDTLS_SSL_EARLY_DATA_DISABLED, 1626 * - MBEDTLS_SSL_EARLY_DATA_ENABLED */ 1627 1628 #if defined(MBEDTLS_SSL_SRV_C) 1629 /* The maximum amount of 0-RTT data. RFC 8446 section 4.6.1 */ 1630 uint32_t MBEDTLS_PRIVATE(max_early_data_size); 1631 #endif /* MBEDTLS_SSL_SRV_C */ 1632 1633 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1634 1635 #if defined(MBEDTLS_SSL_ALPN) 1636 const char **MBEDTLS_PRIVATE(alpn_list); /*!< ordered list of protocols */ 1637 #endif 1638 1639 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1640 /*! ordered list of supported srtp profile */ 1641 const mbedtls_ssl_srtp_profile *MBEDTLS_PRIVATE(dtls_srtp_profile_list); 1642 /*! number of supported profiles */ 1643 size_t MBEDTLS_PRIVATE(dtls_srtp_profile_list_len); 1644 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 1645 1646 /* 1647 * Numerical settings (int) 1648 */ 1649 1650 uint32_t MBEDTLS_PRIVATE(read_timeout); /*!< timeout for mbedtls_ssl_read (ms) */ 1651 1652 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1653 uint32_t MBEDTLS_PRIVATE(hs_timeout_min); /*!< initial value of the handshake 1654 retransmission timeout (ms) */ 1655 uint32_t MBEDTLS_PRIVATE(hs_timeout_max); /*!< maximum value of the handshake 1656 retransmission timeout (ms) */ 1657 #endif 1658 1659 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1660 int MBEDTLS_PRIVATE(renego_max_records); /*!< grace period for renegotiation */ 1661 unsigned char MBEDTLS_PRIVATE(renego_period)[8]; /*!< value of the record counters 1662 that triggers renegotiation */ 1663 #endif 1664 1665 unsigned int MBEDTLS_PRIVATE(badmac_limit); /*!< limit of records with a bad MAC */ 1666 1667 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 1668 unsigned int MBEDTLS_PRIVATE(dhm_min_bitlen); /*!< min. bit length of the DHM prime */ 1669 #endif 1670 1671 /** User data pointer or handle. 1672 * 1673 * The library sets this to \p 0 when creating a context and does not 1674 * access it afterwards. 1675 */ 1676 mbedtls_ssl_user_data_t MBEDTLS_PRIVATE(user_data); 1677 1678 #if defined(MBEDTLS_SSL_SRV_C) 1679 mbedtls_ssl_hs_cb_t MBEDTLS_PRIVATE(f_cert_cb); /*!< certificate selection callback */ 1680 #endif /* MBEDTLS_SSL_SRV_C */ 1681 1682 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1683 const mbedtls_x509_crt *MBEDTLS_PRIVATE(dn_hints);/*!< acceptable client cert issuers */ 1684 #endif 1685 }; 1686 1687 struct mbedtls_ssl_context { 1688 const mbedtls_ssl_config *MBEDTLS_PRIVATE(conf); /*!< configuration information */ 1689 1690 /* 1691 * Miscellaneous 1692 */ 1693 int MBEDTLS_PRIVATE(state); /*!< SSL handshake: current state */ 1694 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1695 int MBEDTLS_PRIVATE(renego_status); /*!< Initial, in progress, pending? */ 1696 int MBEDTLS_PRIVATE(renego_records_seen); /*!< Records since renego request, or with DTLS, 1697 number of retransmissions of request if 1698 renego_max_records is < 0 */ 1699 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1700 1701 /** 1702 * Maximum TLS version to be negotiated, then negotiated TLS version. 1703 * 1704 * It is initialized as the configured maximum TLS version to be 1705 * negotiated by mbedtls_ssl_setup(). 1706 * 1707 * When renegotiating or resuming a session, it is overwritten in the 1708 * ClientHello writing preparation stage with the previously negotiated 1709 * TLS version. 1710 * 1711 * On client side, it is updated to the TLS version selected by the server 1712 * for the handshake when the ServerHello is received. 1713 * 1714 * On server side, it is updated to the TLS version the server selects for 1715 * the handshake when the ClientHello is received. 1716 */ 1717 mbedtls_ssl_protocol_version MBEDTLS_PRIVATE(tls_version); 1718 1719 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) 1720 /** 1721 * State of the negotiation and transfer of early data. Reset to 1722 * MBEDTLS_SSL_EARLY_DATA_STATE_IDLE when the context is reset. 1723 */ 1724 int MBEDTLS_PRIVATE(early_data_state); 1725 #endif 1726 1727 unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */ 1728 1729 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1730 /** Callback to customize X.509 certificate chain verification */ 1731 int(*MBEDTLS_PRIVATE(f_vrfy))(void *, mbedtls_x509_crt *, int, uint32_t *); 1732 void *MBEDTLS_PRIVATE(p_vrfy); /*!< context for X.509 verify callback */ 1733 #endif 1734 1735 mbedtls_ssl_send_t *MBEDTLS_PRIVATE(f_send); /*!< Callback for network send */ 1736 mbedtls_ssl_recv_t *MBEDTLS_PRIVATE(f_recv); /*!< Callback for network receive */ 1737 mbedtls_ssl_recv_timeout_t *MBEDTLS_PRIVATE(f_recv_timeout); 1738 /*!< Callback for network receive with timeout */ 1739 1740 void *MBEDTLS_PRIVATE(p_bio); /*!< context for I/O operations */ 1741 1742 /* 1743 * Session layer 1744 */ 1745 mbedtls_ssl_session *MBEDTLS_PRIVATE(session_in); /*!< current session data (in) */ 1746 mbedtls_ssl_session *MBEDTLS_PRIVATE(session_out); /*!< current session data (out) */ 1747 mbedtls_ssl_session *MBEDTLS_PRIVATE(session); /*!< negotiated session data */ 1748 mbedtls_ssl_session *MBEDTLS_PRIVATE(session_negotiate); /*!< session data in negotiation */ 1749 1750 mbedtls_ssl_handshake_params *MBEDTLS_PRIVATE(handshake); /*!< params required only during 1751 the handshake process */ 1752 1753 /* 1754 * Record layer transformations 1755 */ 1756 mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in); /*!< current transform params (in) 1757 * This is always a reference, 1758 * never an owning pointer. */ 1759 mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out); /*!< current transform params (out) 1760 * This is always a reference, 1761 * never an owning pointer. */ 1762 mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params 1763 * This pointer owns the transform 1764 * it references. */ 1765 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1766 mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation 1767 * This pointer owns the transform 1768 * it references. */ 1769 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1770 1771 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1772 /*! The application data transform in TLS 1.3. 1773 * This pointer owns the transform it references. */ 1774 mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_application); 1775 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1776 1777 /* 1778 * Timers 1779 */ 1780 void *MBEDTLS_PRIVATE(p_timer); /*!< context for the timer callbacks */ 1781 1782 mbedtls_ssl_set_timer_t *MBEDTLS_PRIVATE(f_set_timer); /*!< set timer callback */ 1783 mbedtls_ssl_get_timer_t *MBEDTLS_PRIVATE(f_get_timer); /*!< get timer callback */ 1784 1785 /* 1786 * Record layer (incoming data) 1787 */ 1788 unsigned char *MBEDTLS_PRIVATE(in_buf); /*!< input buffer */ 1789 unsigned char *MBEDTLS_PRIVATE(in_ctr); /*!< 64-bit incoming message counter 1790 TLS: maintained by us 1791 DTLS: read from peer */ 1792 unsigned char *MBEDTLS_PRIVATE(in_hdr); /*!< start of record header */ 1793 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1794 unsigned char *MBEDTLS_PRIVATE(in_cid); /*!< The start of the CID; 1795 * (the end is marked by in_len). */ 1796 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1797 unsigned char *MBEDTLS_PRIVATE(in_len); /*!< two-bytes message length field */ 1798 unsigned char *MBEDTLS_PRIVATE(in_iv); /*!< ivlen-byte IV */ 1799 unsigned char *MBEDTLS_PRIVATE(in_msg); /*!< message contents (in_iv+ivlen) */ 1800 unsigned char *MBEDTLS_PRIVATE(in_offt); /*!< read offset in application data */ 1801 1802 int MBEDTLS_PRIVATE(in_msgtype); /*!< record header: message type */ 1803 size_t MBEDTLS_PRIVATE(in_msglen); /*!< record header: message length */ 1804 size_t MBEDTLS_PRIVATE(in_left); /*!< amount of data read so far */ 1805 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1806 size_t MBEDTLS_PRIVATE(in_buf_len); /*!< length of input buffer */ 1807 #endif 1808 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1809 uint16_t MBEDTLS_PRIVATE(in_epoch); /*!< DTLS epoch for incoming records */ 1810 size_t MBEDTLS_PRIVATE(next_record_offset); /*!< offset of the next record in datagram 1811 (equal to in_left if none) */ 1812 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1813 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1814 uint64_t MBEDTLS_PRIVATE(in_window_top); /*!< last validated record seq_num */ 1815 uint64_t MBEDTLS_PRIVATE(in_window); /*!< bitmask for replay detection */ 1816 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 1817 1818 size_t MBEDTLS_PRIVATE(in_hslen); /*!< current handshake message length, 1819 including the handshake header */ 1820 int MBEDTLS_PRIVATE(nb_zero); /*!< # of 0-length encrypted messages */ 1821 1822 int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message 1823 on next call to record layer? */ 1824 1825 /* The following three variables indicate if and, if yes, 1826 * what kind of alert is pending to be sent. 1827 */ 1828 unsigned char MBEDTLS_PRIVATE(send_alert); /*!< Determines if a fatal alert 1829 should be sent. Values: 1830 - \c 0 , no alert is to be sent. 1831 - \c 1 , alert is to be sent. */ 1832 unsigned char MBEDTLS_PRIVATE(alert_type); /*!< Type of alert if send_alert 1833 != 0 */ 1834 int MBEDTLS_PRIVATE(alert_reason); /*!< The error code to be returned 1835 to the user once the fatal alert 1836 has been sent. */ 1837 1838 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1839 uint8_t MBEDTLS_PRIVATE(disable_datagram_packing); /*!< Disable packing multiple records 1840 * within a single datagram. */ 1841 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1842 1843 #if defined(MBEDTLS_SSL_EARLY_DATA) 1844 #if defined(MBEDTLS_SSL_SRV_C) 1845 /* 1846 * One of: 1847 * MBEDTLS_SSL_EARLY_DATA_NO_DISCARD 1848 * MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1849 * MBEDTLS_SSL_EARLY_DATA_DISCARD 1850 */ 1851 uint8_t MBEDTLS_PRIVATE(discard_early_data_record); 1852 #endif 1853 uint32_t MBEDTLS_PRIVATE(total_early_data_size); /*!< Number of received/written early data bytes */ 1854 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1855 1856 /* 1857 * Record layer (outgoing data) 1858 */ 1859 unsigned char *MBEDTLS_PRIVATE(out_buf); /*!< output buffer */ 1860 unsigned char *MBEDTLS_PRIVATE(out_ctr); /*!< 64-bit outgoing message counter */ 1861 unsigned char *MBEDTLS_PRIVATE(out_hdr); /*!< start of record header */ 1862 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1863 unsigned char *MBEDTLS_PRIVATE(out_cid); /*!< The start of the CID; 1864 * (the end is marked by in_len). */ 1865 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1866 unsigned char *MBEDTLS_PRIVATE(out_len); /*!< two-bytes message length field */ 1867 unsigned char *MBEDTLS_PRIVATE(out_iv); /*!< ivlen-byte IV */ 1868 unsigned char *MBEDTLS_PRIVATE(out_msg); /*!< message contents (out_iv+ivlen) */ 1869 1870 int MBEDTLS_PRIVATE(out_msgtype); /*!< record header: message type */ 1871 size_t MBEDTLS_PRIVATE(out_msglen); /*!< record header: message length */ 1872 size_t MBEDTLS_PRIVATE(out_left); /*!< amount of data not yet written */ 1873 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1874 size_t MBEDTLS_PRIVATE(out_buf_len); /*!< length of output buffer */ 1875 #endif 1876 1877 unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Outgoing record sequence number. */ 1878 1879 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1880 uint16_t MBEDTLS_PRIVATE(mtu); /*!< path mtu, used to fragment outgoing messages */ 1881 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1882 1883 /* 1884 * User settings 1885 */ 1886 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1887 char *MBEDTLS_PRIVATE(hostname); /*!< expected peer CN for verification 1888 (and SNI if available) */ 1889 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1890 1891 #if defined(MBEDTLS_SSL_ALPN) 1892 const char *MBEDTLS_PRIVATE(alpn_chosen); /*!< negotiated protocol */ 1893 #endif /* MBEDTLS_SSL_ALPN */ 1894 1895 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1896 /* 1897 * use_srtp extension 1898 */ 1899 mbedtls_dtls_srtp_info MBEDTLS_PRIVATE(dtls_srtp_info); 1900 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 1901 1902 /* 1903 * Information for DTLS hello verify 1904 */ 1905 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1906 unsigned char *MBEDTLS_PRIVATE(cli_id); /*!< transport-level ID of the client */ 1907 size_t MBEDTLS_PRIVATE(cli_id_len); /*!< length of cli_id */ 1908 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 1909 1910 /* 1911 * Secure renegotiation 1912 */ 1913 /* needed to know when to send extension on server */ 1914 int MBEDTLS_PRIVATE(secure_renegotiation); /*!< does peer support legacy or 1915 secure renegotiation */ 1916 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1917 size_t MBEDTLS_PRIVATE(verify_data_len); /*!< length of verify data stored */ 1918 char MBEDTLS_PRIVATE(own_verify_data)[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ 1919 char MBEDTLS_PRIVATE(peer_verify_data)[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ 1920 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1921 1922 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1923 /* CID configuration to use in subsequent handshakes. */ 1924 1925 /*! The next incoming CID, chosen by the user and applying to 1926 * all subsequent handshakes. This may be different from the 1927 * CID currently used in case the user has re-configured the CID 1928 * after an initial handshake. */ 1929 unsigned char MBEDTLS_PRIVATE(own_cid)[MBEDTLS_SSL_CID_IN_LEN_MAX]; 1930 uint8_t MBEDTLS_PRIVATE(own_cid_len); /*!< The length of \c own_cid. */ 1931 uint8_t MBEDTLS_PRIVATE(negotiate_cid); /*!< This indicates whether the CID extension should 1932 * be negotiated in the next handshake or not. 1933 * Possible values are #MBEDTLS_SSL_CID_ENABLED 1934 * and #MBEDTLS_SSL_CID_DISABLED. */ 1935 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1936 1937 /** Callback to export key block and master secret */ 1938 mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys); 1939 void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */ 1940 1941 /** User data pointer or handle. 1942 * 1943 * The library sets this to \p 0 when creating a context and does not 1944 * access it afterwards. 1945 * 1946 * \warning Serializing and restoring an SSL context with 1947 * mbedtls_ssl_context_save() and mbedtls_ssl_context_load() 1948 * does not currently restore the user data. 1949 */ 1950 mbedtls_ssl_user_data_t MBEDTLS_PRIVATE(user_data); 1951 }; 1952 1953 /** 1954 * \brief Return the name of the ciphersuite associated with the 1955 * given ID 1956 * 1957 * \param ciphersuite_id SSL ciphersuite ID 1958 * 1959 * \return a string containing the ciphersuite name 1960 */ 1961 const char *mbedtls_ssl_get_ciphersuite_name(const int ciphersuite_id); 1962 1963 /** 1964 * \brief Return the ID of the ciphersuite associated with the 1965 * given name 1966 * 1967 * \param ciphersuite_name SSL ciphersuite name 1968 * 1969 * \return the ID with the ciphersuite or 0 if not found 1970 */ 1971 int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name); 1972 1973 /** 1974 * \brief Initialize an SSL context 1975 * Just makes the context ready for mbedtls_ssl_setup() or 1976 * mbedtls_ssl_free() 1977 * 1978 * \param ssl SSL context 1979 */ 1980 void mbedtls_ssl_init(mbedtls_ssl_context *ssl); 1981 1982 /** 1983 * \brief Set up an SSL context for use 1984 * 1985 * \note No copy of the configuration context is made, it can be 1986 * shared by many mbedtls_ssl_context structures. 1987 * 1988 * \warning The conf structure will be accessed during the session. 1989 * It must not be modified or freed as long as the session 1990 * is active. 1991 * 1992 * \warning This function must be called exactly once per context. 1993 * Calling mbedtls_ssl_setup again is not supported, even 1994 * if no session is active. 1995 * 1996 * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto 1997 * subsystem must have been initialized by calling 1998 * psa_crypto_init() before calling this function. 1999 * 2000 * \param ssl SSL context 2001 * \param conf SSL configuration to use 2002 * 2003 * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if 2004 * memory allocation failed 2005 */ 2006 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, 2007 const mbedtls_ssl_config *conf); 2008 2009 /** 2010 * \brief Reset an already initialized SSL context for re-use 2011 * while retaining application-set variables, function 2012 * pointers and data. 2013 * 2014 * \param ssl SSL context 2015 * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED or 2016 MBEDTLS_ERR_SSL_HW_ACCEL_FAILED 2017 */ 2018 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl); 2019 2020 /** 2021 * \brief Set the current endpoint type 2022 * 2023 * \param conf SSL configuration 2024 * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER 2025 */ 2026 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint); 2027 2028 /** 2029 * \brief Get the current endpoint type 2030 * 2031 * \param conf SSL configuration 2032 * 2033 * \return Endpoint type, either MBEDTLS_SSL_IS_CLIENT 2034 * or MBEDTLS_SSL_IS_SERVER 2035 */ 2036 static inline int mbedtls_ssl_conf_get_endpoint(const mbedtls_ssl_config *conf) 2037 { 2038 return conf->MBEDTLS_PRIVATE(endpoint); 2039 } 2040 2041 /** 2042 * \brief Set the transport type (TLS or DTLS). 2043 * Default: TLS 2044 * 2045 * \note For DTLS, you must either provide a recv callback that 2046 * doesn't block, or one that handles timeouts, see 2047 * \c mbedtls_ssl_set_bio(). You also need to provide timer 2048 * callbacks with \c mbedtls_ssl_set_timer_cb(). 2049 * 2050 * \param conf SSL configuration 2051 * \param transport transport type: 2052 * MBEDTLS_SSL_TRANSPORT_STREAM for TLS, 2053 * MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS. 2054 */ 2055 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport); 2056 2057 /** 2058 * \brief Set the certificate verification mode 2059 * Default: NONE on server, REQUIRED on client 2060 * 2061 * \param conf SSL configuration 2062 * \param authmode can be: 2063 * 2064 * MBEDTLS_SSL_VERIFY_NONE: peer certificate is not checked 2065 * (default on server) 2066 * (insecure on client) 2067 * 2068 * MBEDTLS_SSL_VERIFY_OPTIONAL: peer certificate is checked, however the 2069 * handshake continues even if verification failed; 2070 * mbedtls_ssl_get_verify_result() can be called after the 2071 * handshake is complete. 2072 * 2073 * MBEDTLS_SSL_VERIFY_REQUIRED: peer *must* present a valid certificate, 2074 * handshake is aborted if verification failed. 2075 * (default on client) 2076 * 2077 * \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode. 2078 * With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at 2079 * the right time(s), which may not be obvious, while REQUIRED always perform 2080 * the verification as soon as possible. For example, REQUIRED was protecting 2081 * against the "triple handshake" attack even before it was found. 2082 */ 2083 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode); 2084 2085 #if defined(MBEDTLS_SSL_EARLY_DATA) 2086 /** 2087 * \brief Set the early data mode 2088 * Default: disabled on server and client 2089 * 2090 * \param conf The SSL configuration to use. 2091 * \param early_data_enabled can be: 2092 * 2093 * MBEDTLS_SSL_EARLY_DATA_DISABLED: 2094 * Early data functionality is disabled. This is the default on client and 2095 * server. 2096 * 2097 * MBEDTLS_SSL_EARLY_DATA_ENABLED: 2098 * Early data functionality is enabled and may be negotiated in the handshake. 2099 * Application using early data functionality needs to be aware that the 2100 * security properties for early data (also refered to as 0-RTT data) are 2101 * weaker than those for other kinds of TLS data. See the documentation of 2102 * mbedtls_ssl_write_early_data() and mbedtls_ssl_read_early_data() for more 2103 * information. 2104 * When early data functionality is enabled on server and only in that case, 2105 * the call to one of the APIs that trigger or resume an handshake sequence, 2106 * namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), 2107 * mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code 2108 * MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have 2109 * been received. To read the early data, call mbedtls_ssl_read_early_data() 2110 * before calling the original function again. 2111 */ 2112 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf, 2113 int early_data_enabled); 2114 2115 #if defined(MBEDTLS_SSL_SRV_C) 2116 /** 2117 * \brief Set the maximum amount of 0-RTT data in bytes 2118 * Default: #MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 2119 * 2120 * This function sets the value of the max_early_data_size 2121 * field of the early data indication extension included in 2122 * the NewSessionTicket messages that the server may send. 2123 * 2124 * The value defines the maximum amount of 0-RTT data 2125 * in bytes that a client will be allowed to send when using 2126 * one of the tickets defined by the NewSessionTicket messages. 2127 * 2128 * \note When resuming a session using a ticket, if the server receives more 2129 * early data than allowed for the ticket, it terminates the connection. 2130 * The maximum amount of 0-RTT data should thus be large enough 2131 * to allow a minimum of early data to be exchanged. 2132 * 2133 * \param[in] conf The SSL configuration to use. 2134 * \param[in] max_early_data_size The maximum amount of 0-RTT data. 2135 * 2136 * \warning This interface DOES NOT influence/limit the amount of early data 2137 * that can be received through previously created and issued tickets, 2138 * which clients may have stored. 2139 */ 2140 void mbedtls_ssl_conf_max_early_data_size( 2141 mbedtls_ssl_config *conf, uint32_t max_early_data_size); 2142 #endif /* MBEDTLS_SSL_SRV_C */ 2143 2144 #endif /* MBEDTLS_SSL_EARLY_DATA */ 2145 2146 #if defined(MBEDTLS_X509_CRT_PARSE_C) 2147 /** 2148 * \brief Set the verification callback (Optional). 2149 * 2150 * If set, the provided verify callback is called for each 2151 * certificate in the peer's CRT chain, including the trusted 2152 * root. For more information, please see the documentation of 2153 * \c mbedtls_x509_crt_verify(). 2154 * 2155 * \note For per context callbacks and contexts, please use 2156 * mbedtls_ssl_set_verify() instead. 2157 * 2158 * \param conf The SSL configuration to use. 2159 * \param f_vrfy The verification callback to use during CRT verification. 2160 * \param p_vrfy The opaque context to be passed to the callback. 2161 */ 2162 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf, 2163 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 2164 void *p_vrfy); 2165 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 2166 2167 /** 2168 * \brief Set the random number generator callback 2169 * 2170 * \param conf SSL configuration 2171 * \param f_rng RNG function (mandatory) 2172 * \param p_rng RNG parameter 2173 */ 2174 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf, 2175 int (*f_rng)(void *, unsigned char *, size_t), 2176 void *p_rng); 2177 2178 /** 2179 * \brief Set the debug callback 2180 * 2181 * The callback has the following argument: 2182 * void * opaque context for the callback 2183 * int debug level 2184 * const char * file name 2185 * int line number 2186 * const char * message 2187 * 2188 * \param conf SSL configuration 2189 * \param f_dbg debug function 2190 * \param p_dbg debug parameter 2191 */ 2192 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf, 2193 void (*f_dbg)(void *, int, const char *, int, const char *), 2194 void *p_dbg); 2195 2196 /** 2197 * \brief Return the SSL configuration structure associated 2198 * with the given SSL context. 2199 * 2200 * \note The pointer returned by this function is guaranteed to 2201 * remain valid until the context is freed. 2202 * 2203 * \param ssl The SSL context to query. 2204 * \return Pointer to the SSL configuration associated with \p ssl. 2205 */ 2206 static inline const mbedtls_ssl_config *mbedtls_ssl_context_get_config( 2207 const mbedtls_ssl_context *ssl) 2208 { 2209 return ssl->MBEDTLS_PRIVATE(conf); 2210 } 2211 2212 /** 2213 * \brief Set the underlying BIO callbacks for write, read and 2214 * read-with-timeout. 2215 * 2216 * \param ssl SSL context 2217 * \param p_bio parameter (context) shared by BIO callbacks 2218 * \param f_send write callback 2219 * \param f_recv read callback 2220 * \param f_recv_timeout blocking read callback with timeout. 2221 * 2222 * \note One of f_recv or f_recv_timeout can be NULL, in which case 2223 * the other is used. If both are non-NULL, f_recv_timeout is 2224 * used and f_recv is ignored (as if it were NULL). 2225 * 2226 * \note The two most common use cases are: 2227 * - non-blocking I/O, f_recv != NULL, f_recv_timeout == NULL 2228 * - blocking I/O, f_recv == NULL, f_recv_timeout != NULL 2229 * 2230 * \note For DTLS, you need to provide either a non-NULL 2231 * f_recv_timeout callback, or a f_recv that doesn't block. 2232 * 2233 * \note See the documentations of \c mbedtls_ssl_send_t, 2234 * \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for 2235 * the conventions those callbacks must follow. 2236 * 2237 * \note On some platforms, net_sockets.c provides 2238 * \c mbedtls_net_send(), \c mbedtls_net_recv() and 2239 * \c mbedtls_net_recv_timeout() that are suitable to be used 2240 * here. 2241 */ 2242 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl, 2243 void *p_bio, 2244 mbedtls_ssl_send_t *f_send, 2245 mbedtls_ssl_recv_t *f_recv, 2246 mbedtls_ssl_recv_timeout_t *f_recv_timeout); 2247 2248 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2249 2250 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 2251 2252 2253 /** 2254 * \brief Configure the use of the Connection ID (CID) 2255 * extension in the next handshake. 2256 * 2257 * Reference: RFC 9146 (or draft-ietf-tls-dtls-connection-id-05 2258 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 2259 * for legacy version) 2260 * 2261 * The DTLS CID extension allows the reliable association of 2262 * DTLS records to DTLS connections across changes in the 2263 * underlying transport (changed IP and Port metadata) by 2264 * adding explicit connection identifiers (CIDs) to the 2265 * headers of encrypted DTLS records. The desired CIDs are 2266 * configured by the application layer and are exchanged in 2267 * new `ClientHello` / `ServerHello` extensions during the 2268 * handshake, where each side indicates the CID it wants the 2269 * peer to use when writing encrypted messages. The CIDs are 2270 * put to use once records get encrypted: the stack discards 2271 * any incoming records that don't include the configured CID 2272 * in their header, and adds the peer's requested CID to the 2273 * headers of outgoing messages. 2274 * 2275 * This API enables or disables the use of the CID extension 2276 * in the next handshake and sets the value of the CID to 2277 * be used for incoming messages. 2278 * 2279 * \param ssl The SSL context to configure. This must be initialized. 2280 * \param enable This value determines whether the CID extension should 2281 * be used or not. Possible values are: 2282 * - MBEDTLS_SSL_CID_ENABLED to enable the use of the CID. 2283 * - MBEDTLS_SSL_CID_DISABLED (default) to disable the use 2284 * of the CID. 2285 * \param own_cid The address of the readable buffer holding the CID we want 2286 * the peer to use when sending encrypted messages to us. 2287 * This may be \c NULL if \p own_cid_len is \c 0. 2288 * This parameter is unused if \p enable is set to 2289 * MBEDTLS_SSL_CID_DISABLED. 2290 * \param own_cid_len The length of \p own_cid. 2291 * This parameter is unused if \p enable is set to 2292 * MBEDTLS_SSL_CID_DISABLED. 2293 * 2294 * \note The value of \p own_cid_len must match the value of the 2295 * \c len parameter passed to mbedtls_ssl_conf_cid() 2296 * when configuring the ::mbedtls_ssl_config that \p ssl 2297 * is bound to. 2298 * 2299 * \note This CID configuration applies to subsequent handshakes 2300 * performed on the SSL context \p ssl, but does not trigger 2301 * one. You still have to call `mbedtls_ssl_handshake()` 2302 * (for the initial handshake) or `mbedtls_ssl_renegotiate()` 2303 * (for a renegotiation handshake) explicitly after a 2304 * successful call to this function to run the handshake. 2305 * 2306 * \note This call cannot guarantee that the use of the CID 2307 * will be successfully negotiated in the next handshake, 2308 * because the peer might not support it. Specifically: 2309 * - On the Client, enabling the use of the CID through 2310 * this call implies that the `ClientHello` in the next 2311 * handshake will include the CID extension, thereby 2312 * offering the use of the CID to the server. Only if 2313 * the `ServerHello` contains the CID extension, too, 2314 * the CID extension will actually be put to use. 2315 * - On the Server, enabling the use of the CID through 2316 * this call implies that the server will look for 2317 * the CID extension in a `ClientHello` from the client, 2318 * and, if present, reply with a CID extension in its 2319 * `ServerHello`. 2320 * 2321 * \note To check whether the use of the CID was negotiated 2322 * after the subsequent handshake has completed, please 2323 * use the API mbedtls_ssl_get_peer_cid(). 2324 * 2325 * \warning If the use of the CID extension is enabled in this call 2326 * and the subsequent handshake negotiates its use, Mbed TLS 2327 * will silently drop every packet whose CID does not match 2328 * the CID configured in \p own_cid. It is the responsibility 2329 * of the user to adapt the underlying transport to take care 2330 * of CID-based demultiplexing before handing datagrams to 2331 * Mbed TLS. 2332 * 2333 * \return \c 0 on success. In this case, the CID configuration 2334 * applies to the next handshake. 2335 * \return A negative error code on failure. 2336 */ 2337 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, 2338 int enable, 2339 unsigned char const *own_cid, 2340 size_t own_cid_len); 2341 2342 /** 2343 * \brief Get information about our request for usage of the CID 2344 * extension in the current connection. 2345 * 2346 * \param ssl The SSL context to query. 2347 * \param enabled The address at which to store whether the CID extension 2348 * is requested to be used or not. If the CID is 2349 * requested, `*enabled` is set to 2350 * MBEDTLS_SSL_CID_ENABLED; otherwise, it is set to 2351 * MBEDTLS_SSL_CID_DISABLED. 2352 * \param own_cid The address of the buffer in which to store our own 2353 * CID (if the CID extension is requested). This may be 2354 * \c NULL in case the value of our CID isn't needed. If 2355 * it is not \c NULL, \p own_cid_len must not be \c NULL. 2356 * \param own_cid_len The address at which to store the size of our own CID 2357 * (if the CID extension is requested). This is also the 2358 * number of Bytes in \p own_cid that have been written. 2359 * This may be \c NULL in case the length of our own CID 2360 * isn't needed. If it is \c NULL, \p own_cid must be 2361 * \c NULL, too. 2362 * 2363 *\note If we are requesting an empty CID this function sets 2364 * `*enabled` to #MBEDTLS_SSL_CID_DISABLED (the rationale 2365 * for this is that the resulting outcome is the 2366 * same as if the CID extensions wasn't requested). 2367 * 2368 * \return \c 0 on success. 2369 * \return A negative error code on failure. 2370 */ 2371 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, 2372 int *enabled, 2373 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX], 2374 size_t *own_cid_len); 2375 2376 /** 2377 * \brief Get information about the use of the CID extension 2378 * in the current connection. 2379 * 2380 * \param ssl The SSL context to query. 2381 * \param enabled The address at which to store whether the CID extension 2382 * is currently in use or not. If the CID is in use, 2383 * `*enabled` is set to MBEDTLS_SSL_CID_ENABLED; 2384 * otherwise, it is set to MBEDTLS_SSL_CID_DISABLED. 2385 * \param peer_cid The address of the buffer in which to store the CID 2386 * chosen by the peer (if the CID extension is used). 2387 * This may be \c NULL in case the value of peer CID 2388 * isn't needed. If it is not \c NULL, \p peer_cid_len 2389 * must not be \c NULL. 2390 * \param peer_cid_len The address at which to store the size of the CID 2391 * chosen by the peer (if the CID extension is used). 2392 * This is also the number of Bytes in \p peer_cid that 2393 * have been written. 2394 * This may be \c NULL in case the length of the peer CID 2395 * isn't needed. If it is \c NULL, \p peer_cid must be 2396 * \c NULL, too. 2397 * 2398 * \note This applies to the state of the CID negotiated in 2399 * the last complete handshake. If a handshake is in 2400 * progress, this function will attempt to complete 2401 * the handshake first. 2402 * 2403 * \note If CID extensions have been exchanged but both client 2404 * and server chose to use an empty CID, this function 2405 * sets `*enabled` to #MBEDTLS_SSL_CID_DISABLED 2406 * (the rationale for this is that the resulting 2407 * communication is the same as if the CID extensions 2408 * hadn't been used). 2409 * 2410 * \return \c 0 on success. 2411 * \return A negative error code on failure. 2412 */ 2413 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl, 2414 int *enabled, 2415 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], 2416 size_t *peer_cid_len); 2417 2418 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 2419 2420 /** 2421 * \brief Set the Maximum Transport Unit (MTU). 2422 * Special value: 0 means unset (no limit). 2423 * This represents the maximum size of a datagram payload 2424 * handled by the transport layer (usually UDP) as determined 2425 * by the network link and stack. In practice, this controls 2426 * the maximum size datagram the DTLS layer will pass to the 2427 * \c f_send() callback set using \c mbedtls_ssl_set_bio(). 2428 * 2429 * \note The limit on datagram size is converted to a limit on 2430 * record payload by subtracting the current overhead of 2431 * encapsulation and encryption/authentication if any. 2432 * 2433 * \note This can be called at any point during the connection, for 2434 * example when a Path Maximum Transfer Unit (PMTU) 2435 * estimate becomes available from other sources, 2436 * such as lower (or higher) protocol layers. 2437 * 2438 * \note This setting only controls the size of the packets we send, 2439 * and does not restrict the size of the datagrams we're 2440 * willing to receive. Client-side, you can request the 2441 * server to use smaller records with \c 2442 * mbedtls_ssl_conf_max_frag_len(). 2443 * 2444 * \note If both a MTU and a maximum fragment length have been 2445 * configured (or negotiated with the peer), the resulting 2446 * lower limit on record payload (see first note) is used. 2447 * 2448 * \note This can only be used to decrease the maximum size 2449 * of datagrams (hence records, see first note) sent. It 2450 * cannot be used to increase the maximum size of records over 2451 * the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN. 2452 * 2453 * \note Values lower than the current record layer expansion will 2454 * result in an error when trying to send data. 2455 * 2456 * \param ssl SSL context 2457 * \param mtu Value of the path MTU in bytes 2458 */ 2459 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu); 2460 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 2461 2462 #if defined(MBEDTLS_X509_CRT_PARSE_C) 2463 /** 2464 * \brief Set a connection-specific verification callback (optional). 2465 * 2466 * If set, the provided verify callback is called for each 2467 * certificate in the peer's CRT chain, including the trusted 2468 * root. For more information, please see the documentation of 2469 * \c mbedtls_x509_crt_verify(). 2470 * 2471 * \note This call is analogous to mbedtls_ssl_conf_verify() but 2472 * binds the verification callback and context to an SSL context 2473 * as opposed to an SSL configuration. 2474 * If mbedtls_ssl_conf_verify() and mbedtls_ssl_set_verify() 2475 * are both used, mbedtls_ssl_set_verify() takes precedence. 2476 * 2477 * \param ssl The SSL context to use. 2478 * \param f_vrfy The verification callback to use during CRT verification. 2479 * \param p_vrfy The opaque context to be passed to the callback. 2480 */ 2481 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl, 2482 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 2483 void *p_vrfy); 2484 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 2485 2486 /** 2487 * \brief Set the timeout period for mbedtls_ssl_read() 2488 * (Default: no timeout.) 2489 * 2490 * \param conf SSL configuration context 2491 * \param timeout Timeout value in milliseconds. 2492 * Use 0 for no timeout (default). 2493 * 2494 * \note With blocking I/O, this will only work if a non-NULL 2495 * \c f_recv_timeout was set with \c mbedtls_ssl_set_bio(). 2496 * With non-blocking I/O, this will only work if timer 2497 * callbacks were set with \c mbedtls_ssl_set_timer_cb(). 2498 * 2499 * \note With non-blocking I/O, you may also skip this function 2500 * altogether and handle timeouts at the application layer. 2501 */ 2502 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout); 2503 2504 /** 2505 * \brief Check whether a buffer contains a valid and authentic record 2506 * that has not been seen before. (DTLS only). 2507 * 2508 * This function does not change the user-visible state 2509 * of the SSL context. Its sole purpose is to provide 2510 * an indication of the legitimacy of an incoming record. 2511 * 2512 * This can be useful e.g. in distributed server environments 2513 * using the DTLS Connection ID feature, in which connections 2514 * might need to be passed between service instances on a change 2515 * of peer address, but where such disruptive operations should 2516 * only happen after the validity of incoming records has been 2517 * confirmed. 2518 * 2519 * \param ssl The SSL context to use. 2520 * \param buf The address of the buffer holding the record to be checked. 2521 * This must be a read/write buffer of length \p buflen Bytes. 2522 * \param buflen The length of \p buf in Bytes. 2523 * 2524 * \note This routine only checks whether the provided buffer begins 2525 * with a valid and authentic record that has not been seen 2526 * before, but does not check potential data following the 2527 * initial record. In particular, it is possible to pass DTLS 2528 * datagrams containing multiple records, in which case only 2529 * the first record is checked. 2530 * 2531 * \note This function modifies the input buffer \p buf. If you need 2532 * to preserve the original record, you have to maintain a copy. 2533 * 2534 * \return \c 0 if the record is valid and authentic and has not been 2535 * seen before. 2536 * \return MBEDTLS_ERR_SSL_INVALID_MAC if the check completed 2537 * successfully but the record was found to be not authentic. 2538 * \return MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed 2539 * successfully but the record was found to be invalid for 2540 * a reason different from authenticity checking. 2541 * \return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed 2542 * successfully but the record was found to be unexpected 2543 * in the state of the SSL context, including replayed records. 2544 * \return Another negative error code on different kinds of failure. 2545 * In this case, the SSL context becomes unusable and needs 2546 * to be freed or reset before reuse. 2547 */ 2548 int mbedtls_ssl_check_record(mbedtls_ssl_context const *ssl, 2549 unsigned char *buf, 2550 size_t buflen); 2551 2552 /** 2553 * \brief Set the timer callbacks (Mandatory for DTLS.) 2554 * 2555 * \param ssl SSL context 2556 * \param p_timer parameter (context) shared by timer callbacks 2557 * \param f_set_timer set timer callback 2558 * \param f_get_timer get timer callback. Must return: 2559 * 2560 * \note See the documentation of \c mbedtls_ssl_set_timer_t and 2561 * \c mbedtls_ssl_get_timer_t for the conventions this pair of 2562 * callbacks must follow. 2563 * 2564 * \note On some platforms, timing.c provides 2565 * \c mbedtls_timing_set_delay() and 2566 * \c mbedtls_timing_get_delay() that are suitable for using 2567 * here, except if using an event-driven style. 2568 * 2569 * \note See also the "DTLS tutorial" article in our knowledge base. 2570 * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/dtls-tutorial 2571 */ 2572 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl, 2573 void *p_timer, 2574 mbedtls_ssl_set_timer_t *f_set_timer, 2575 mbedtls_ssl_get_timer_t *f_get_timer); 2576 2577 #if defined(MBEDTLS_SSL_SRV_C) 2578 /** 2579 * \brief Set the certificate selection callback (server-side only). 2580 * 2581 * If set, the callback is always called for each handshake, 2582 * after `ClientHello` processing has finished. 2583 * 2584 * \param conf The SSL configuration to register the callback with. 2585 * \param f_cert_cb The callback for selecting server certificate after 2586 * `ClientHello` processing has finished. 2587 */ 2588 static inline void mbedtls_ssl_conf_cert_cb(mbedtls_ssl_config *conf, 2589 mbedtls_ssl_hs_cb_t f_cert_cb) 2590 { 2591 conf->MBEDTLS_PRIVATE(f_cert_cb) = f_cert_cb; 2592 } 2593 #endif /* MBEDTLS_SSL_SRV_C */ 2594 2595 /** 2596 * \brief Callback type: generate and write session ticket 2597 * 2598 * \note This describes what a callback implementation should do. 2599 * This callback should generate an encrypted and 2600 * authenticated ticket for the session and write it to the 2601 * output buffer. Here, ticket means the opaque ticket part 2602 * of the NewSessionTicket structure of RFC 5077. 2603 * 2604 * \param p_ticket Context for the callback 2605 * \param session SSL session to be written in the ticket 2606 * \param start Start of the output buffer 2607 * \param end End of the output buffer 2608 * \param tlen On exit, holds the length written 2609 * \param lifetime On exit, holds the lifetime of the ticket in seconds 2610 * 2611 * \return 0 if successful, or 2612 * a specific MBEDTLS_ERR_XXX code. 2613 */ 2614 typedef int mbedtls_ssl_ticket_write_t(void *p_ticket, 2615 const mbedtls_ssl_session *session, 2616 unsigned char *start, 2617 const unsigned char *end, 2618 size_t *tlen, 2619 uint32_t *lifetime); 2620 2621 /** 2622 * \brief Callback type: parse and load session ticket 2623 * 2624 * \note This describes what a callback implementation should do. 2625 * This callback should parse a session ticket as generated 2626 * by the corresponding mbedtls_ssl_ticket_write_t function, 2627 * and, if the ticket is authentic and valid, load the 2628 * session. 2629 * 2630 * \note The implementation is allowed to modify the first len 2631 * bytes of the input buffer, eg to use it as a temporary 2632 * area for the decrypted ticket contents. 2633 * 2634 * \param p_ticket Context for the callback 2635 * \param session SSL session to be loaded 2636 * \param buf Start of the buffer containing the ticket 2637 * \param len Length of the ticket. 2638 * 2639 * \return 0 if successful, or 2640 * MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or 2641 * MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or 2642 * any other non-zero code for other failures. 2643 */ 2644 typedef int mbedtls_ssl_ticket_parse_t(void *p_ticket, 2645 mbedtls_ssl_session *session, 2646 unsigned char *buf, 2647 size_t len); 2648 2649 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) 2650 /** 2651 * \brief Configure SSL session ticket callbacks (server only). 2652 * (Default: none.) 2653 * 2654 * \note On server, session tickets are enabled by providing 2655 * non-NULL callbacks. 2656 * 2657 * \note On client, use \c mbedtls_ssl_conf_session_tickets(). 2658 * 2659 * \param conf SSL configuration context 2660 * \param f_ticket_write Callback for writing a ticket 2661 * \param f_ticket_parse Callback for parsing a ticket 2662 * \param p_ticket Context shared by the two callbacks 2663 */ 2664 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, 2665 mbedtls_ssl_ticket_write_t *f_ticket_write, 2666 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 2667 void *p_ticket); 2668 2669 #if defined(MBEDTLS_HAVE_TIME) 2670 /** 2671 * \brief Get the creation time of a session ticket. 2672 * 2673 * \note See the documentation of \c ticket_creation_time for information about 2674 * the intended usage of this function. 2675 * 2676 * \param session SSL session 2677 * \param ticket_creation_time On exit, holds the ticket creation time in 2678 * milliseconds. 2679 * 2680 * \return 0 on success, 2681 * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an input is not valid. 2682 */ 2683 static inline int mbedtls_ssl_session_get_ticket_creation_time( 2684 mbedtls_ssl_session *session, mbedtls_ms_time_t *ticket_creation_time) 2685 { 2686 if (session == NULL || ticket_creation_time == NULL || 2687 session->MBEDTLS_PRIVATE(endpoint) != MBEDTLS_SSL_IS_SERVER) { 2688 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2689 } 2690 2691 *ticket_creation_time = session->MBEDTLS_PRIVATE(ticket_creation_time); 2692 2693 return 0; 2694 } 2695 #endif /* MBEDTLS_HAVE_TIME */ 2696 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ 2697 2698 /** 2699 * \brief Get the session-id buffer. 2700 * 2701 * \param session SSL session. 2702 * 2703 * \return The address of the session-id buffer. 2704 */ 2705 static inline unsigned const char (*mbedtls_ssl_session_get_id(const mbedtls_ssl_session * 2706 session))[32] 2707 { 2708 return &session->MBEDTLS_PRIVATE(id); 2709 } 2710 2711 /** 2712 * \brief Get the size of the session-id. 2713 * 2714 * \param session SSL session. 2715 * 2716 * \return size_t size of session-id buffer. 2717 */ 2718 static inline size_t mbedtls_ssl_session_get_id_len(const mbedtls_ssl_session *session) 2719 { 2720 return session->MBEDTLS_PRIVATE(id_len); 2721 } 2722 2723 /** 2724 * \brief Get the ciphersuite-id. 2725 * 2726 * \param session SSL session. 2727 * 2728 * \return int represetation for ciphersuite. 2729 */ 2730 static inline int mbedtls_ssl_session_get_ciphersuite_id(const mbedtls_ssl_session *session) 2731 { 2732 return session->MBEDTLS_PRIVATE(ciphersuite); 2733 } 2734 2735 /** 2736 * \brief Configure a key export callback. 2737 * (Default: none.) 2738 * 2739 * This API can be used for two purposes: 2740 * - Debugging: Use this API to e.g. generate an NSSKeylog 2741 * file and use it to inspect encrypted traffic in tools 2742 * such as Wireshark. 2743 * - Application-specific export: Use this API to implement 2744 * key exporters, e.g. for EAP-TLS or DTLS-SRTP. 2745 * 2746 * 2747 * \param ssl The SSL context to which the export 2748 * callback should be attached. 2749 * \param f_export_keys The callback for the key export. 2750 * \param p_export_keys The opaque context pointer to be passed to the 2751 * callback \p f_export_keys. 2752 */ 2753 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl, 2754 mbedtls_ssl_export_keys_t *f_export_keys, 2755 void *p_export_keys); 2756 2757 /** \brief Set the user data in an SSL configuration to a pointer. 2758 * 2759 * You can retrieve this value later with mbedtls_ssl_conf_get_user_data_p(). 2760 * 2761 * \note The library stores \c p without accessing it. It is the responsibility 2762 * of the caller to ensure that the pointer remains valid. 2763 * 2764 * \param conf The SSL configuration context to modify. 2765 * \param p The new value of the user data. 2766 */ 2767 static inline void mbedtls_ssl_conf_set_user_data_p( 2768 mbedtls_ssl_config *conf, 2769 void *p) 2770 { 2771 conf->MBEDTLS_PRIVATE(user_data).p = p; 2772 } 2773 2774 /** \brief Set the user data in an SSL configuration to an integer. 2775 * 2776 * You can retrieve this value later with mbedtls_ssl_conf_get_user_data_n(). 2777 * 2778 * \param conf The SSL configuration context to modify. 2779 * \param n The new value of the user data. 2780 */ 2781 static inline void mbedtls_ssl_conf_set_user_data_n( 2782 mbedtls_ssl_config *conf, 2783 uintptr_t n) 2784 { 2785 conf->MBEDTLS_PRIVATE(user_data).n = n; 2786 } 2787 2788 /** \brief Retrieve the user data in an SSL configuration as a pointer. 2789 * 2790 * This is the value last set with mbedtls_ssl_conf_set_user_data_p(), or 2791 * \c NULL if mbedtls_ssl_conf_set_user_data_p() has not previously been 2792 * called. The value is undefined if mbedtls_ssl_conf_set_user_data_n() has 2793 * been called without a subsequent call to mbedtls_ssl_conf_set_user_data_p(). 2794 * 2795 * \param conf The SSL configuration context to modify. 2796 * \return The current value of the user data. 2797 */ 2798 static inline void *mbedtls_ssl_conf_get_user_data_p( 2799 mbedtls_ssl_config *conf) 2800 { 2801 return conf->MBEDTLS_PRIVATE(user_data).p; 2802 } 2803 2804 /** \brief Retrieve the user data in an SSL configuration as an integer. 2805 * 2806 * This is the value last set with mbedtls_ssl_conf_set_user_data_n(), or 2807 * \c 0 if mbedtls_ssl_conf_set_user_data_n() has not previously been 2808 * called. The value is undefined if mbedtls_ssl_conf_set_user_data_p() has 2809 * been called without a subsequent call to mbedtls_ssl_conf_set_user_data_n(). 2810 * 2811 * \param conf The SSL configuration context to modify. 2812 * \return The current value of the user data. 2813 */ 2814 static inline uintptr_t mbedtls_ssl_conf_get_user_data_n( 2815 mbedtls_ssl_config *conf) 2816 { 2817 return conf->MBEDTLS_PRIVATE(user_data).n; 2818 } 2819 2820 /** \brief Set the user data in an SSL context to a pointer. 2821 * 2822 * You can retrieve this value later with mbedtls_ssl_get_user_data_p(). 2823 * 2824 * \note The library stores \c p without accessing it. It is the responsibility 2825 * of the caller to ensure that the pointer remains valid. 2826 * 2827 * \param ssl The SSL context to modify. 2828 * \param p The new value of the user data. 2829 */ 2830 static inline void mbedtls_ssl_set_user_data_p( 2831 mbedtls_ssl_context *ssl, 2832 void *p) 2833 { 2834 ssl->MBEDTLS_PRIVATE(user_data).p = p; 2835 } 2836 2837 /** \brief Set the user data in an SSL context to an integer. 2838 * 2839 * You can retrieve this value later with mbedtls_ssl_get_user_data_n(). 2840 * 2841 * \param ssl The SSL context to modify. 2842 * \param n The new value of the user data. 2843 */ 2844 static inline void mbedtls_ssl_set_user_data_n( 2845 mbedtls_ssl_context *ssl, 2846 uintptr_t n) 2847 { 2848 ssl->MBEDTLS_PRIVATE(user_data).n = n; 2849 } 2850 2851 /** \brief Retrieve the user data in an SSL context as a pointer. 2852 * 2853 * This is the value last set with mbedtls_ssl_set_user_data_p(), or 2854 * \c NULL if mbedtls_ssl_set_user_data_p() has not previously been 2855 * called. The value is undefined if mbedtls_ssl_set_user_data_n() has 2856 * been called without a subsequent call to mbedtls_ssl_set_user_data_p(). 2857 * 2858 * \param ssl The SSL context to modify. 2859 * \return The current value of the user data. 2860 */ 2861 static inline void *mbedtls_ssl_get_user_data_p( 2862 mbedtls_ssl_context *ssl) 2863 { 2864 return ssl->MBEDTLS_PRIVATE(user_data).p; 2865 } 2866 2867 /** \brief Retrieve the user data in an SSL context as an integer. 2868 * 2869 * This is the value last set with mbedtls_ssl_set_user_data_n(), or 2870 * \c 0 if mbedtls_ssl_set_user_data_n() has not previously been 2871 * called. The value is undefined if mbedtls_ssl_set_user_data_p() has 2872 * been called without a subsequent call to mbedtls_ssl_set_user_data_n(). 2873 * 2874 * \param ssl The SSL context to modify. 2875 * \return The current value of the user data. 2876 */ 2877 static inline uintptr_t mbedtls_ssl_get_user_data_n( 2878 mbedtls_ssl_context *ssl) 2879 { 2880 return ssl->MBEDTLS_PRIVATE(user_data).n; 2881 } 2882 2883 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 2884 /** 2885 * \brief Configure asynchronous private key operation callbacks. 2886 * 2887 * \param conf SSL configuration context 2888 * \param f_async_sign Callback to start a signature operation. See 2889 * the description of ::mbedtls_ssl_async_sign_t 2890 * for more information. This may be \c NULL if the 2891 * external processor does not support any signature 2892 * operation; in this case the private key object 2893 * associated with the certificate will be used. 2894 * \param f_async_decrypt Callback to start a decryption operation. See 2895 * the description of ::mbedtls_ssl_async_decrypt_t 2896 * for more information. This may be \c NULL if the 2897 * external processor does not support any decryption 2898 * operation; in this case the private key object 2899 * associated with the certificate will be used. 2900 * \param f_async_resume Callback to resume an asynchronous operation. See 2901 * the description of ::mbedtls_ssl_async_resume_t 2902 * for more information. This may not be \c NULL unless 2903 * \p f_async_sign and \p f_async_decrypt are both 2904 * \c NULL. 2905 * \param f_async_cancel Callback to cancel an asynchronous operation. See 2906 * the description of ::mbedtls_ssl_async_cancel_t 2907 * for more information. This may be \c NULL if 2908 * no cleanup is needed. 2909 * \param config_data A pointer to configuration data which can be 2910 * retrieved with 2911 * mbedtls_ssl_conf_get_async_config_data(). The 2912 * library stores this value without dereferencing it. 2913 */ 2914 void mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config *conf, 2915 mbedtls_ssl_async_sign_t *f_async_sign, 2916 mbedtls_ssl_async_decrypt_t *f_async_decrypt, 2917 mbedtls_ssl_async_resume_t *f_async_resume, 2918 mbedtls_ssl_async_cancel_t *f_async_cancel, 2919 void *config_data); 2920 2921 /** 2922 * \brief Retrieve the configuration data set by 2923 * mbedtls_ssl_conf_async_private_cb(). 2924 * 2925 * \param conf SSL configuration context 2926 * \return The configuration data set by 2927 * mbedtls_ssl_conf_async_private_cb(). 2928 */ 2929 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf); 2930 2931 /** 2932 * \brief Retrieve the asynchronous operation user context. 2933 * 2934 * \note This function may only be called while a handshake 2935 * is in progress. 2936 * 2937 * \param ssl The SSL context to access. 2938 * 2939 * \return The asynchronous operation user context that was last 2940 * set during the current handshake. If 2941 * mbedtls_ssl_set_async_operation_data() has not yet been 2942 * called during the current handshake, this function returns 2943 * \c NULL. 2944 */ 2945 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl); 2946 2947 /** 2948 * \brief Retrieve the asynchronous operation user context. 2949 * 2950 * \note This function may only be called while a handshake 2951 * is in progress. 2952 * 2953 * \param ssl The SSL context to access. 2954 * \param ctx The new value of the asynchronous operation user context. 2955 * Call mbedtls_ssl_get_async_operation_data() later during the 2956 * same handshake to retrieve this value. 2957 */ 2958 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl, 2959 void *ctx); 2960 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 2961 2962 /** 2963 * \brief Callback type: generate a cookie 2964 * 2965 * \param ctx Context for the callback 2966 * \param p Buffer to write to, 2967 * must be updated to point right after the cookie 2968 * \param end Pointer to one past the end of the output buffer 2969 * \param info Client ID info that was passed to 2970 * \c mbedtls_ssl_set_client_transport_id() 2971 * \param ilen Length of info in bytes 2972 * 2973 * \return The callback must return 0 on success, 2974 * or a negative error code. 2975 */ 2976 typedef int mbedtls_ssl_cookie_write_t(void *ctx, 2977 unsigned char **p, unsigned char *end, 2978 const unsigned char *info, size_t ilen); 2979 2980 /** 2981 * \brief Callback type: verify a cookie 2982 * 2983 * \param ctx Context for the callback 2984 * \param cookie Cookie to verify 2985 * \param clen Length of cookie 2986 * \param info Client ID info that was passed to 2987 * \c mbedtls_ssl_set_client_transport_id() 2988 * \param ilen Length of info in bytes 2989 * 2990 * \return The callback must return 0 if cookie is valid, 2991 * or a negative error code. 2992 */ 2993 typedef int mbedtls_ssl_cookie_check_t(void *ctx, 2994 const unsigned char *cookie, size_t clen, 2995 const unsigned char *info, size_t ilen); 2996 2997 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 2998 /** 2999 * \brief Register callbacks for DTLS cookies 3000 * (Server only. DTLS only.) 3001 * 3002 * Default: dummy callbacks that fail, in order to force you to 3003 * register working callbacks (and initialize their context). 3004 * 3005 * To disable HelloVerifyRequest, register NULL callbacks. 3006 * 3007 * \warning Disabling hello verification allows your server to be used 3008 * for amplification in DoS attacks against other hosts. 3009 * Only disable if you known this can't happen in your 3010 * particular environment. 3011 * 3012 * \note See comments on \c mbedtls_ssl_handshake() about handling 3013 * the MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED that is expected 3014 * on the first handshake attempt when this is enabled. 3015 * 3016 * \note This is also necessary to handle client reconnection from 3017 * the same port as described in RFC 6347 section 4.2.8 (only 3018 * the variant with cookies is supported currently). See 3019 * comments on \c mbedtls_ssl_read() for details. 3020 * 3021 * \param conf SSL configuration 3022 * \param f_cookie_write Cookie write callback 3023 * \param f_cookie_check Cookie check callback 3024 * \param p_cookie Context for both callbacks 3025 */ 3026 void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, 3027 mbedtls_ssl_cookie_write_t *f_cookie_write, 3028 mbedtls_ssl_cookie_check_t *f_cookie_check, 3029 void *p_cookie); 3030 3031 /** 3032 * \brief Set client's transport-level identification info. 3033 * (Server only. DTLS only.) 3034 * 3035 * This is usually the IP address (and port), but could be 3036 * anything identify the client depending on the underlying 3037 * network stack. Used for HelloVerifyRequest with DTLS. 3038 * This is *not* used to route the actual packets. 3039 * 3040 * \param ssl SSL context 3041 * \param info Transport-level info identifying the client (eg IP + port) 3042 * \param ilen Length of info in bytes 3043 * 3044 * \note An internal copy is made, so the info buffer can be reused. 3045 * 3046 * \return 0 on success, 3047 * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client, 3048 * MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory. 3049 */ 3050 int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, 3051 const unsigned char *info, 3052 size_t ilen); 3053 3054 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 3055 3056 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 3057 /** 3058 * \brief Enable or disable anti-replay protection for DTLS. 3059 * (DTLS only, no effect on TLS.) 3060 * Default: enabled. 3061 * 3062 * \param conf SSL configuration 3063 * \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED. 3064 * 3065 * \warning Disabling this is a security risk unless the application 3066 * protocol handles duplicated packets in a safe way. You 3067 * should not disable this without careful consideration. 3068 * However, if your application already detects duplicated 3069 * packets and needs information about them to adjust its 3070 * transmission strategy, then you'll want to disable this. 3071 */ 3072 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode); 3073 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 3074 3075 /** 3076 * \brief Set a limit on the number of records with a bad MAC 3077 * before terminating the connection. 3078 * (DTLS only, no effect on TLS.) 3079 * Default: 0 (disabled). 3080 * 3081 * \param conf SSL configuration 3082 * \param limit Limit, or 0 to disable. 3083 * 3084 * \note If the limit is N, then the connection is terminated when 3085 * the Nth non-authentic record is seen. 3086 * 3087 * \note Records with an invalid header are not counted, only the 3088 * ones going through the authentication-decryption phase. 3089 * 3090 * \note This is a security trade-off related to the fact that it's 3091 * often relatively easy for an active attacker to inject UDP 3092 * datagrams. On one hand, setting a low limit here makes it 3093 * easier for such an attacker to forcibly terminated a 3094 * connection. On the other hand, a high limit or no limit 3095 * might make us waste resources checking authentication on 3096 * many bogus packets. 3097 */ 3098 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit); 3099 3100 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3101 3102 /** 3103 * \brief Allow or disallow packing of multiple handshake records 3104 * within a single datagram. 3105 * 3106 * \param ssl The SSL context to configure. 3107 * \param allow_packing This determines whether datagram packing may 3108 * be used or not. A value of \c 0 means that every 3109 * record will be sent in a separate datagram; a 3110 * value of \c 1 means that, if space permits, 3111 * multiple handshake messages (including CCS) belonging to 3112 * a single flight may be packed within a single datagram. 3113 * 3114 * \note This is enabled by default and should only be disabled 3115 * for test purposes, or if datagram packing causes 3116 * interoperability issues with peers that don't support it. 3117 * 3118 * \note Allowing datagram packing reduces the network load since 3119 * there's less overhead if multiple messages share the same 3120 * datagram. Also, it increases the handshake efficiency 3121 * since messages belonging to a single datagram will not 3122 * be reordered in transit, and so future message buffering 3123 * or flight retransmission (if no buffering is used) as 3124 * means to deal with reordering are needed less frequently. 3125 * 3126 * \note Application records are not affected by this option and 3127 * are currently always sent in separate datagrams. 3128 * 3129 */ 3130 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl, 3131 unsigned allow_packing); 3132 3133 /** 3134 * \brief Set retransmit timeout values for the DTLS handshake. 3135 * (DTLS only, no effect on TLS.) 3136 * 3137 * \param conf SSL configuration 3138 * \param min Initial timeout value in milliseconds. 3139 * Default: 1000 (1 second). 3140 * \param max Maximum timeout value in milliseconds. 3141 * Default: 60000 (60 seconds). 3142 * 3143 * \note Default values are from RFC 6347 section 4.2.4.1. 3144 * 3145 * \note The 'min' value should typically be slightly above the 3146 * expected round-trip time to your peer, plus whatever time 3147 * it takes for the peer to process the message. For example, 3148 * if your RTT is about 600ms and you peer needs up to 1s to 3149 * do the cryptographic operations in the handshake, then you 3150 * should set 'min' slightly above 1600. Lower values of 'min' 3151 * might cause spurious resends which waste network resources, 3152 * while larger value of 'min' will increase overall latency 3153 * on unreliable network links. 3154 * 3155 * \note The more unreliable your network connection is, the larger 3156 * your max / min ratio needs to be in order to achieve 3157 * reliable handshakes. 3158 * 3159 * \note Messages are retransmitted up to log2(ceil(max/min)) times. 3160 * For example, if min = 1s and max = 5s, the retransmit plan 3161 * goes: send ... 1s -> resend ... 2s -> resend ... 4s -> 3162 * resend ... 5s -> give up and return a timeout error. 3163 */ 3164 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf, uint32_t min, uint32_t max); 3165 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3166 3167 #if defined(MBEDTLS_SSL_SRV_C) 3168 /** 3169 * \brief Set the session cache callbacks (server-side only) 3170 * If not set, no session resuming is done (except if session 3171 * tickets are enabled too). 3172 * 3173 * The session cache has the responsibility to check for stale 3174 * entries based on timeout. See RFC 5246 for recommendations. 3175 * 3176 * Warning: session.peer_cert is cleared by the SSL/TLS layer on 3177 * connection shutdown, so do not cache the pointer! Either set 3178 * it to NULL or make a full copy of the certificate. 3179 * 3180 * The get callback is called once during the initial handshake 3181 * to enable session resuming. The get function has the 3182 * following parameters: (void *parameter, mbedtls_ssl_session *session) 3183 * If a valid entry is found, it should fill the master of 3184 * the session object with the cached values and return 0, 3185 * return 1 otherwise. Optionally peer_cert can be set as well 3186 * if it is properly present in cache entry. 3187 * 3188 * The set callback is called once during the initial handshake 3189 * to enable session resuming after the entire handshake has 3190 * been finished. The set function has the following parameters: 3191 * (void *parameter, const mbedtls_ssl_session *session). The function 3192 * should create a cache entry for future retrieval based on 3193 * the data in the session structure and should keep in mind 3194 * that the mbedtls_ssl_session object presented (and all its referenced 3195 * data) is cleared by the SSL/TLS layer when the connection is 3196 * terminated. It is recommended to add metadata to determine if 3197 * an entry is still valid in the future. Return 0 if 3198 * successfully cached, return 1 otherwise. 3199 * 3200 * \param conf SSL configuration 3201 * \param p_cache parameter (context) for both callbacks 3202 * \param f_get_cache session get callback 3203 * \param f_set_cache session set callback 3204 */ 3205 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, 3206 void *p_cache, 3207 mbedtls_ssl_cache_get_t *f_get_cache, 3208 mbedtls_ssl_cache_set_t *f_set_cache); 3209 #endif /* MBEDTLS_SSL_SRV_C */ 3210 3211 #if defined(MBEDTLS_SSL_CLI_C) 3212 /** 3213 * \brief Load a session for session resumption. 3214 * 3215 * Sessions loaded through this call will be considered 3216 * for session resumption in the next handshake. 3217 * 3218 * \note Even if this call succeeds, it is not guaranteed that 3219 * the next handshake will indeed be shortened through the 3220 * use of session resumption: The server is always free 3221 * to reject any attempt for resumption and fall back to 3222 * a full handshake. 3223 * 3224 * \note This function can handle a variety of mechanisms for session 3225 * resumption: For TLS 1.2, both session ID-based resumption 3226 * and ticket-based resumption will be considered. For TLS 1.3, 3227 * sessions equate to tickets, and loading one session by 3228 * calling this function will lead to its corresponding ticket 3229 * being advertised as resumption PSK by the client. This 3230 * depends on session tickets being enabled (see 3231 * #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. 3232 * If session tickets are disabled, a call to this function 3233 * with a TLS 1.3 session, will not have any effect on the next 3234 * handshake for the SSL context \p ssl. 3235 * 3236 * \param ssl The SSL context representing the connection which should 3237 * be attempted to be setup using session resumption. This 3238 * must be initialized via mbedtls_ssl_init() and bound to 3239 * an SSL configuration via mbedtls_ssl_setup(), but 3240 * the handshake must not yet have been started. 3241 * \param session The session to be considered for session resumption. 3242 * This must be a session previously exported via 3243 * mbedtls_ssl_get_session(), and potentially serialized and 3244 * deserialized through mbedtls_ssl_session_save() and 3245 * mbedtls_ssl_session_load() in the meantime. 3246 * 3247 * \return \c 0 if successful. 3248 * \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session 3249 * could not be loaded because one session has already been 3250 * loaded. This error is non-fatal, and has no observable 3251 * effect on the SSL context or the session that was attempted 3252 * to be loaded. 3253 * \return Another negative error code on other kinds of failure. 3254 * 3255 * \sa mbedtls_ssl_get_session() 3256 * \sa mbedtls_ssl_session_load() 3257 */ 3258 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session); 3259 #endif /* MBEDTLS_SSL_CLI_C */ 3260 3261 /** 3262 * \brief Load serialized session data into a session structure. 3263 * On client, this can be used for loading saved sessions 3264 * before resuming them with mbedtls_ssl_set_session(). 3265 * On server, this can be used for alternative implementations 3266 * of session cache or session tickets. 3267 * 3268 * \warning If a peer certificate chain is associated with the session, 3269 * the serialized state will only contain the peer's 3270 * end-entity certificate and the result of the chain 3271 * verification (unless verification was disabled), but not 3272 * the rest of the chain. 3273 * 3274 * \see mbedtls_ssl_session_save() 3275 * \see mbedtls_ssl_set_session() 3276 * 3277 * \param session The session structure to be populated. It must have been 3278 * initialised with mbedtls_ssl_session_init() but not 3279 * populated yet. 3280 * \param buf The buffer holding the serialized session data. It must be a 3281 * readable buffer of at least \p len bytes. 3282 * \param len The size of the serialized data in bytes. 3283 * 3284 * \return \c 0 if successful. 3285 * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed. 3286 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. 3287 * \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data 3288 * was generated in a different version or configuration of 3289 * Mbed TLS. 3290 * \return Another negative value for other kinds of errors (for 3291 * example, unsupported features in the embedded certificate). 3292 */ 3293 int mbedtls_ssl_session_load(mbedtls_ssl_session *session, 3294 const unsigned char *buf, 3295 size_t len); 3296 3297 /** 3298 * \brief Save session structure as serialized data in a buffer. 3299 * On client, this can be used for saving session data, 3300 * potentially in non-volatile storage, for resuming later. 3301 * On server, this can be used for alternative implementations 3302 * of session cache or session tickets. 3303 * 3304 * \see mbedtls_ssl_session_load() 3305 * 3306 * \param session The session structure to be saved. 3307 * \param buf The buffer to write the serialized data to. It must be a 3308 * writeable buffer of at least \p buf_len bytes, or may be \c 3309 * NULL if \p buf_len is \c 0. 3310 * \param buf_len The number of bytes available for writing in \p buf. 3311 * \param olen The size in bytes of the data that has been or would have 3312 * been written. It must point to a valid \c size_t. 3313 * 3314 * \note \p olen is updated to the correct value regardless of 3315 * whether \p buf_len was large enough. This makes it possible 3316 * to determine the necessary size by calling this function 3317 * with \p buf set to \c NULL and \p buf_len to \c 0. 3318 * 3319 * \note For TLS 1.3 sessions, this feature is supported only if the 3320 * MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, 3321 * as in TLS 1.3 session resumption is possible only with 3322 * tickets. 3323 * 3324 * \return \c 0 if successful. 3325 * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. 3326 * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the 3327 * MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled 3328 * and the session is a TLS 1.3 session. 3329 */ 3330 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, 3331 unsigned char *buf, 3332 size_t buf_len, 3333 size_t *olen); 3334 3335 /** 3336 * \brief Set the list of allowed ciphersuites and the preference 3337 * order. First in the list has the highest preference. 3338 * 3339 * For TLS 1.2, the notion of ciphersuite determines both 3340 * the key exchange mechanism and the suite of symmetric 3341 * algorithms to be used during and after the handshake. 3342 * 3343 * For TLS 1.3 (in development), the notion of ciphersuite 3344 * only determines the suite of symmetric algorithms to be 3345 * used during and after the handshake, while key exchange 3346 * mechanisms are configured separately. 3347 * 3348 * In Mbed TLS, ciphersuites for both TLS 1.2 and TLS 1.3 3349 * are configured via this function. For users of TLS 1.3, 3350 * there will be separate API for the configuration of key 3351 * exchange mechanisms. 3352 * 3353 * The list of ciphersuites passed to this function may 3354 * contain a mixture of TLS 1.2 and TLS 1.3 ciphersuite 3355 * identifiers. This is useful if negotiation of TLS 1.3 3356 * should be attempted, but a fallback to TLS 1.2 would 3357 * be tolerated. 3358 * 3359 * \note By default, the server chooses its preferred 3360 * ciphersuite among those that the client supports. If 3361 * mbedtls_ssl_conf_preference_order() is called to prefer 3362 * the client's preferences, the server instead chooses 3363 * the client's preferred ciphersuite among those that 3364 * the server supports. 3365 * 3366 * \warning The ciphersuites array \p ciphersuites is not copied. 3367 * It must remain valid for the lifetime of the SSL 3368 * configuration \p conf. 3369 * 3370 * \param conf The SSL configuration to modify. 3371 * \param ciphersuites A 0-terminated list of IANA identifiers of supported 3372 * ciphersuites, accessible through \c MBEDTLS_TLS_XXX 3373 * and \c MBEDTLS_TLS1_3_XXX macros defined in 3374 * ssl_ciphersuites.h. 3375 */ 3376 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf, 3377 const int *ciphersuites); 3378 3379 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3380 /** 3381 * \brief Set the supported key exchange modes for TLS 1.3 connections. 3382 * 3383 * In contrast to TLS 1.2, the ciphersuite concept in TLS 1.3 does not 3384 * include the choice of key exchange mechanism. It is therefore not 3385 * covered by the API mbedtls_ssl_conf_ciphersuites(). See the 3386 * documentation of mbedtls_ssl_conf_ciphersuites() for more 3387 * information on the ciphersuite concept in TLS 1.2 and TLS 1.3. 3388 * 3389 * The present function is specific to TLS 1.3 and allows users to 3390 * configure the set of supported key exchange mechanisms in TLS 1.3. 3391 * 3392 * \param conf The SSL configuration the change should apply to. 3393 * \param kex_modes A bitwise combination of one or more of the following: 3394 * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK 3395 * This flag enables pure-PSK key exchanges. 3396 * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL 3397 * This flag enables combined PSK-ephemeral key exchanges. 3398 * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL 3399 * This flag enables pure-ephemeral key exchanges. 3400 * For convenience, the following pre-defined macros are 3401 * available for combinations of the above: 3402 * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL 3403 * Includes all of pure-PSK, PSK-ephemeral and pure-ephemeral. 3404 * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL 3405 * Includes both pure-PSK and combined PSK-ephemeral 3406 * key exchanges, but excludes pure-ephemeral key exchanges. 3407 * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL 3408 * Includes both pure-ephemeral and combined PSK-ephemeral 3409 * key exchanges. 3410 * 3411 * \note If a PSK-based key exchange mode shall be supported, applications 3412 * must also use the APIs mbedtls_ssl_conf_psk() or 3413 * mbedtls_ssl_conf_psk_cb() or mbedtls_ssl_conf_psk_opaque() 3414 * to configure the PSKs to be used. 3415 * 3416 * \note If a pure-ephemeral key exchange mode shall be supported, 3417 * server-side applications must also provide a certificate via 3418 * mbedtls_ssl_conf_own_cert(). 3419 * 3420 */ 3421 3422 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf, 3423 const int kex_modes); 3424 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3425 3426 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 3427 #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0 3428 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1 3429 /** 3430 * \brief Specify the length of Connection IDs for incoming 3431 * encrypted DTLS records, as well as the behaviour 3432 * on unexpected CIDs. 3433 * 3434 * By default, the CID length is set to \c 0, 3435 * and unexpected CIDs are silently ignored. 3436 * 3437 * \param conf The SSL configuration to modify. 3438 * \param len The length in Bytes of the CID fields in encrypted 3439 * DTLS records using the CID mechanism. This must 3440 * not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX. 3441 * \param ignore_other_cids This determines the stack's behaviour when 3442 * receiving a record with an unexpected CID. 3443 * Possible values are: 3444 * - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 3445 * In this case, the record is silently ignored. 3446 * - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL 3447 * In this case, the stack fails with the specific 3448 * error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID. 3449 * 3450 * \note The CID specification allows implementations to either 3451 * use a common length for all incoming connection IDs or 3452 * allow variable-length incoming IDs. Mbed TLS currently 3453 * requires a common length for all connections sharing the 3454 * same SSL configuration; this allows simpler parsing of 3455 * record headers. 3456 * 3457 * \return \c 0 on success. 3458 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len 3459 * is too large. 3460 */ 3461 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len, 3462 int ignore_other_cids); 3463 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 3464 3465 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3466 /** 3467 * \brief Set the X.509 security profile used for verification 3468 * 3469 * \note The restrictions are enforced for all certificates in the 3470 * chain. However, signatures in the handshake are not covered 3471 * by this setting but by \b mbedtls_ssl_conf_sig_hashes(). 3472 * 3473 * \param conf SSL configuration 3474 * \param profile Profile to use 3475 */ 3476 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf, 3477 const mbedtls_x509_crt_profile *profile); 3478 3479 /** 3480 * \brief Set the data required to verify peer certificate 3481 * 3482 * \note See \c mbedtls_x509_crt_verify() for notes regarding the 3483 * parameters ca_chain (maps to trust_ca for that function) 3484 * and ca_crl. 3485 * 3486 * \param conf SSL configuration 3487 * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs) 3488 * \param ca_crl trusted CA CRLs 3489 */ 3490 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, 3491 mbedtls_x509_crt *ca_chain, 3492 mbedtls_x509_crl *ca_crl); 3493 3494 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 3495 /** 3496 * \brief Set DN hints sent to client in CertificateRequest message 3497 * 3498 * \note If not set, subject distinguished names (DNs) are taken 3499 * from \c mbedtls_ssl_conf_ca_chain() 3500 * or \c mbedtls_ssl_set_hs_ca_chain()) 3501 * 3502 * \param conf SSL configuration 3503 * \param crt crt chain whose subject DNs are issuer DNs of client certs 3504 * from which the client should select client peer certificate. 3505 */ 3506 static inline 3507 void mbedtls_ssl_conf_dn_hints(mbedtls_ssl_config *conf, 3508 const mbedtls_x509_crt *crt) 3509 { 3510 conf->MBEDTLS_PRIVATE(dn_hints) = crt; 3511 } 3512 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 3513 3514 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 3515 /** 3516 * \brief Set the trusted certificate callback. 3517 * 3518 * This API allows to register the set of trusted certificates 3519 * through a callback, instead of a linked list as configured 3520 * by mbedtls_ssl_conf_ca_chain(). 3521 * 3522 * This is useful for example in contexts where a large number 3523 * of CAs are used, and the inefficiency of maintaining them 3524 * in a linked list cannot be tolerated. It is also useful when 3525 * the set of trusted CAs needs to be modified frequently. 3526 * 3527 * See the documentation of `mbedtls_x509_crt_ca_cb_t` for 3528 * more information. 3529 * 3530 * \param conf The SSL configuration to register the callback with. 3531 * \param f_ca_cb The trusted certificate callback to use when verifying 3532 * certificate chains. 3533 * \param p_ca_cb The context to be passed to \p f_ca_cb (for example, 3534 * a reference to a trusted CA database). 3535 * 3536 * \note This API is incompatible with mbedtls_ssl_conf_ca_chain(): 3537 * Any call to this function overwrites the values set through 3538 * earlier calls to mbedtls_ssl_conf_ca_chain() or 3539 * mbedtls_ssl_conf_ca_cb(). 3540 * 3541 * \note This API is incompatible with CA indication in 3542 * CertificateRequest messages: A server-side SSL context which 3543 * is bound to an SSL configuration that uses a CA callback 3544 * configured via mbedtls_ssl_conf_ca_cb(), and which requires 3545 * client authentication, will send an empty CA list in the 3546 * corresponding CertificateRequest message. 3547 * 3548 * \note This API is incompatible with mbedtls_ssl_set_hs_ca_chain(): 3549 * If an SSL context is bound to an SSL configuration which uses 3550 * CA callbacks configured via mbedtls_ssl_conf_ca_cb(), then 3551 * calls to mbedtls_ssl_set_hs_ca_chain() have no effect. 3552 * 3553 * \note The use of this API disables the use of restartable ECC 3554 * during X.509 CRT signature verification (but doesn't affect 3555 * other uses). 3556 * 3557 * \warning This API is incompatible with the use of CRLs. Any call to 3558 * mbedtls_ssl_conf_ca_cb() unsets CRLs configured through 3559 * earlier calls to mbedtls_ssl_conf_ca_chain(). 3560 * 3561 * \warning In multi-threaded environments, the callback \p f_ca_cb 3562 * must be thread-safe, and it is the user's responsibility 3563 * to guarantee this (for example through a mutex 3564 * contained in the callback context pointed to by \p p_ca_cb). 3565 */ 3566 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, 3567 mbedtls_x509_crt_ca_cb_t f_ca_cb, 3568 void *p_ca_cb); 3569 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 3570 3571 /** 3572 * \brief Set own certificate chain and private key 3573 * 3574 * \note own_cert should contain in order from the bottom up your 3575 * certificate chain. The top certificate (self-signed) 3576 * can be omitted. 3577 * 3578 * \note On server, this function can be called multiple times to 3579 * provision more than one cert/key pair (eg one ECDSA, one 3580 * RSA with SHA-256, one RSA with SHA-1). An adequate 3581 * certificate will be selected according to the client's 3582 * advertised capabilities. In case multiple certificates are 3583 * adequate, preference is given to the one set by the first 3584 * call to this function, then second, etc. 3585 * 3586 * \note On client, only the first call has any effect. That is, 3587 * only one client certificate can be provisioned. The 3588 * server's preferences in its CertificateRequest message will 3589 * be ignored and our only cert will be sent regardless of 3590 * whether it matches those preferences - the server can then 3591 * decide what it wants to do with it. 3592 * 3593 * \note The provided \p pk_key needs to match the public key in the 3594 * first certificate in \p own_cert, or all handshakes using 3595 * that certificate will fail. It is your responsibility 3596 * to ensure that; this function will not perform any check. 3597 * You may use mbedtls_pk_check_pair() in order to perform 3598 * this check yourself, but be aware that this function can 3599 * be computationally expensive on some key types. 3600 * 3601 * \param conf SSL configuration 3602 * \param own_cert own public certificate chain 3603 * \param pk_key own private key 3604 * 3605 * \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED 3606 */ 3607 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, 3608 mbedtls_x509_crt *own_cert, 3609 mbedtls_pk_context *pk_key); 3610 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3611 3612 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 3613 /** 3614 * \brief Configure pre-shared keys (PSKs) and their 3615 * identities to be used in PSK-based ciphersuites. 3616 * 3617 * Only one PSK can be registered, through either 3618 * mbedtls_ssl_conf_psk() or mbedtls_ssl_conf_psk_opaque(). 3619 * If you attempt to register more than one PSK, this function 3620 * fails, though this may change in future versions, which 3621 * may add support for multiple PSKs. 3622 * 3623 * \note This is mainly useful for clients. Servers will usually 3624 * want to use \c mbedtls_ssl_conf_psk_cb() instead. 3625 * 3626 * \note A PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback 3627 * takes precedence over a PSK configured by this function. 3628 * 3629 * \param conf The SSL configuration to register the PSK with. 3630 * \param psk The pointer to the pre-shared key to use. 3631 * \param psk_len The length of the pre-shared key in bytes. 3632 * \param psk_identity The pointer to the pre-shared key identity. 3633 * \param psk_identity_len The length of the pre-shared key identity 3634 * in bytes. 3635 * 3636 * \note The PSK and its identity are copied internally and 3637 * hence need not be preserved by the caller for the lifetime 3638 * of the SSL configuration. 3639 * 3640 * \return \c 0 if successful. 3641 * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no more PSKs 3642 * can be configured. In this case, the old PSK(s) remain intact. 3643 * \return Another negative error code on other kinds of failure. 3644 */ 3645 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf, 3646 const unsigned char *psk, size_t psk_len, 3647 const unsigned char *psk_identity, size_t psk_identity_len); 3648 3649 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3650 /** 3651 * \brief Configure one or more opaque pre-shared keys (PSKs) and 3652 * their identities to be used in PSK-based ciphersuites. 3653 * 3654 * Only one PSK can be registered, through either 3655 * mbedtls_ssl_conf_psk() or mbedtls_ssl_conf_psk_opaque(). 3656 * If you attempt to register more than one PSK, this function 3657 * fails, though this may change in future versions, which 3658 * may add support for multiple PSKs. 3659 * 3660 * \note This is mainly useful for clients. Servers will usually 3661 * want to use \c mbedtls_ssl_conf_psk_cb() instead. 3662 * 3663 * \note An opaque PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in 3664 * the PSK callback takes precedence over an opaque PSK 3665 * configured by this function. 3666 * 3667 * \param conf The SSL configuration to register the PSK with. 3668 * \param psk The identifier of the key slot holding the PSK. 3669 * Until \p conf is destroyed or this function is successfully 3670 * called again, the key slot \p psk must be populated with a 3671 * key of type PSA_ALG_CATEGORY_KEY_DERIVATION whose policy 3672 * allows its use for the key derivation algorithm applied 3673 * in the handshake. 3674 * \param psk_identity The pointer to the pre-shared key identity. 3675 * \param psk_identity_len The length of the pre-shared key identity 3676 * in bytes. 3677 * 3678 * \note The PSK identity hint is copied internally and hence need 3679 * not be preserved by the caller for the lifetime of the 3680 * SSL configuration. 3681 * 3682 * \return \c 0 if successful. 3683 * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no more PSKs 3684 * can be configured. In this case, the old PSK(s) remain intact. 3685 * \return Another negative error code on other kinds of failure. 3686 */ 3687 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf, 3688 mbedtls_svc_key_id_t psk, 3689 const unsigned char *psk_identity, 3690 size_t psk_identity_len); 3691 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3692 3693 /** 3694 * \brief Set the pre-shared Key (PSK) for the current handshake. 3695 * 3696 * \note This should only be called inside the PSK callback, 3697 * i.e. the function passed to \c mbedtls_ssl_conf_psk_cb(). 3698 * 3699 * \note A PSK set by this function takes precedence over a PSK 3700 * configured by \c mbedtls_ssl_conf_psk(). 3701 * 3702 * \param ssl The SSL context to configure a PSK for. 3703 * \param psk The pointer to the pre-shared key. 3704 * \param psk_len The length of the pre-shared key in bytes. 3705 * 3706 * \return \c 0 if successful. 3707 * \return An \c MBEDTLS_ERR_SSL_XXX error code on failure. 3708 */ 3709 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl, 3710 const unsigned char *psk, size_t psk_len); 3711 3712 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3713 /** 3714 * \brief Set an opaque pre-shared Key (PSK) for the current handshake. 3715 * 3716 * \note This should only be called inside the PSK callback, 3717 * i.e. the function passed to \c mbedtls_ssl_conf_psk_cb(). 3718 * 3719 * \note An opaque PSK set by this function takes precedence over an 3720 * opaque PSK configured by \c mbedtls_ssl_conf_psk_opaque(). 3721 * 3722 * \param ssl The SSL context to configure a PSK for. 3723 * \param psk The identifier of the key slot holding the PSK. 3724 * For the duration of the current handshake, the key slot 3725 * must be populated with a key of type 3726 * PSA_ALG_CATEGORY_KEY_DERIVATION whose policy allows its 3727 * use for the key derivation algorithm 3728 * applied in the handshake. 3729 * 3730 * \return \c 0 if successful. 3731 * \return An \c MBEDTLS_ERR_SSL_XXX error code on failure. 3732 */ 3733 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl, 3734 mbedtls_svc_key_id_t psk); 3735 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3736 3737 #if defined(MBEDTLS_SSL_SRV_C) 3738 /** 3739 * \brief Set the PSK callback (server-side only). 3740 * 3741 * If set, the PSK callback is called for each 3742 * handshake where a PSK-based ciphersuite was negotiated. 3743 * The caller provides the identity received and wants to 3744 * receive the actual PSK data and length. 3745 * 3746 * The callback has the following parameters: 3747 * - \c void*: The opaque pointer \p p_psk. 3748 * - \c mbedtls_ssl_context*: The SSL context to which 3749 * the operation applies. 3750 * - \c const unsigned char*: The PSK identity 3751 * selected by the client. 3752 * - \c size_t: The length of the PSK identity 3753 * selected by the client. 3754 * 3755 * If a valid PSK identity is found, the callback should use 3756 * \c mbedtls_ssl_set_hs_psk() or 3757 * \c mbedtls_ssl_set_hs_psk_opaque() 3758 * on the SSL context to set the correct PSK and return \c 0. 3759 * Any other return value will result in a denied PSK identity. 3760 * 3761 * \note A dynamic PSK (i.e. set by the PSK callback) takes 3762 * precedence over a static PSK (i.e. set by 3763 * \c mbedtls_ssl_conf_psk() or 3764 * \c mbedtls_ssl_conf_psk_opaque()). 3765 * This means that if you set a PSK callback using this 3766 * function, you don't need to set a PSK using 3767 * \c mbedtls_ssl_conf_psk() or 3768 * \c mbedtls_ssl_conf_psk_opaque()). 3769 * 3770 * \param conf The SSL configuration to register the callback with. 3771 * \param f_psk The callback for selecting and setting the PSK based 3772 * in the PSK identity chosen by the client. 3773 * \param p_psk A pointer to an opaque structure to be passed to 3774 * the callback, for example a PSK store. 3775 */ 3776 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf, 3777 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 3778 size_t), 3779 void *p_psk); 3780 #endif /* MBEDTLS_SSL_SRV_C */ 3781 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 3782 3783 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 3784 /** 3785 * \brief Set the Diffie-Hellman public P and G values 3786 * from big-endian binary presentations. 3787 * (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN) 3788 * 3789 * \param conf SSL configuration 3790 * \param dhm_P Diffie-Hellman-Merkle modulus in big-endian binary form 3791 * \param P_len Length of DHM modulus 3792 * \param dhm_G Diffie-Hellman-Merkle generator in big-endian binary form 3793 * \param G_len Length of DHM generator 3794 * 3795 * \return 0 if successful 3796 */ 3797 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf, 3798 const unsigned char *dhm_P, size_t P_len, 3799 const unsigned char *dhm_G, size_t G_len); 3800 3801 /** 3802 * \brief Set the Diffie-Hellman public P and G values, 3803 * read from existing context (server-side only) 3804 * 3805 * \param conf SSL configuration 3806 * \param dhm_ctx Diffie-Hellman-Merkle context 3807 * 3808 * \return 0 if successful 3809 */ 3810 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx); 3811 #endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */ 3812 3813 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 3814 /** 3815 * \brief Set the minimum length for Diffie-Hellman parameters. 3816 * (Client-side only.) 3817 * (Default: 1024 bits.) 3818 * 3819 * \param conf SSL configuration 3820 * \param bitlen Minimum bit length of the DHM prime 3821 */ 3822 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf, 3823 unsigned int bitlen); 3824 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 3825 3826 #if defined(MBEDTLS_ECP_C) 3827 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 3828 /** 3829 * \brief Set the allowed curves in order of preference. 3830 * 3831 * On server: this only affects selection of the ECDHE curve; 3832 * the curves used for ECDH and ECDSA are determined by the 3833 * list of available certificates instead. 3834 * 3835 * On client: this affects the list of curves offered for any 3836 * use. The server can override our preference order. 3837 * 3838 * Both sides: limits the set of curves accepted for use in 3839 * ECDHE and in the peer's end-entity certificate. 3840 * 3841 * \deprecated Superseded by mbedtls_ssl_conf_groups(). 3842 * 3843 * \note This has no influence on which curves are allowed inside the 3844 * certificate chains, see \c mbedtls_ssl_conf_cert_profile() 3845 * for that. For the end-entity certificate however, the key 3846 * will be accepted only if it is allowed both by this list 3847 * and by the cert profile. 3848 * 3849 * \note This list should be ordered by decreasing preference 3850 * (preferred curve first). 3851 * 3852 * \note The default list is the same set of curves that 3853 * #mbedtls_x509_crt_profile_default allows, plus 3854 * ECDHE-only curves selected according to the same criteria. 3855 * The order favors curves with the lowest resource usage. 3856 * 3857 * \note New minor versions of Mbed TLS may extend this list, 3858 * for example if new curves are added to the library. 3859 * New minor versions of Mbed TLS will not remove items 3860 * from this list unless serious security concerns require it. 3861 * New minor versions of Mbed TLS may change the order in 3862 * keeping with the general principle of favoring the lowest 3863 * resource usage. 3864 * 3865 * \param conf SSL configuration 3866 * \param curves Ordered list of allowed curves, 3867 * terminated by MBEDTLS_ECP_DP_NONE. 3868 */ 3869 void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, 3870 const mbedtls_ecp_group_id *curves); 3871 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 3872 #endif /* MBEDTLS_ECP_C */ 3873 3874 /** 3875 * \brief Set the allowed groups in order of preference. 3876 * 3877 * On server: This only affects the choice of key agreement mechanism 3878 * 3879 * On client: this affects the list of groups offered for any 3880 * use. The server can override our preference order. 3881 * 3882 * Both sides: limits the set of groups accepted for use in 3883 * key sharing. 3884 * 3885 * \note This function replaces the deprecated mbedtls_ssl_conf_curves(), 3886 * which only allows ECP curves to be configured. 3887 * 3888 * \note The most recent invocation of either mbedtls_ssl_conf_curves() 3889 * or mbedtls_ssl_conf_groups() nullifies all previous invocations 3890 * of both. 3891 * 3892 * \note This list should be ordered by decreasing preference 3893 * (preferred group first). 3894 * 3895 * \note When this function is not called, a default list is used, 3896 * consisting of all supported curves at 255 bits and above, 3897 * and all supported finite fields at 2048 bits and above. 3898 * The order favors groups with the lowest resource usage. 3899 * 3900 * \note New minor versions of Mbed TLS will not remove items 3901 * from the default list unless serious security concerns require it. 3902 * New minor versions of Mbed TLS may change the order in 3903 * keeping with the general principle of favoring the lowest 3904 * resource usage. 3905 * 3906 * \param conf SSL configuration 3907 * \param groups List of allowed groups ordered by preference, terminated by 0. 3908 * Must contain valid IANA NamedGroup IDs (provided via either an integer 3909 * or using MBEDTLS_TLS1_3_NAMED_GROUP_XXX macros). 3910 */ 3911 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, 3912 const uint16_t *groups); 3913 3914 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 3915 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 3916 /** 3917 * \brief Set the allowed hashes for signatures during the handshake. 3918 * 3919 * \note This only affects which hashes are offered and can be used 3920 * for signatures during the handshake. Hashes for message 3921 * authentication and the TLS PRF are controlled by the 3922 * ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes 3923 * used for certificate signature are controlled by the 3924 * verification profile, see \c mbedtls_ssl_conf_cert_profile(). 3925 * 3926 * \deprecated Superseded by mbedtls_ssl_conf_sig_algs(). 3927 * 3928 * \note This list should be ordered by decreasing preference 3929 * (preferred hash first). 3930 * 3931 * \note By default, all supported hashes whose length is at least 3932 * 256 bits are allowed. This is the same set as the default 3933 * for certificate verification 3934 * (#mbedtls_x509_crt_profile_default). 3935 * The preference order is currently unspecified and may 3936 * change in future versions. 3937 * 3938 * \note New minor versions of Mbed TLS may extend this list, 3939 * for example if new curves are added to the library. 3940 * New minor versions of Mbed TLS will not remove items 3941 * from this list unless serious security concerns require it. 3942 * 3943 * \param conf SSL configuration 3944 * \param hashes Ordered list of allowed signature hashes, 3945 * terminated by \c MBEDTLS_MD_NONE. 3946 */ 3947 void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, 3948 const int *hashes); 3949 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ 3950 3951 /** 3952 * \brief Configure allowed signature algorithms for use in TLS 3953 * 3954 * \param conf The SSL configuration to use. 3955 * \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, 3956 * terminated by #MBEDTLS_TLS1_3_SIG_NONE. The list must remain 3957 * available throughout the lifetime of the conf object. 3958 * - For TLS 1.3, values of \c MBEDTLS_TLS1_3_SIG_XXXX should be 3959 * used. 3960 * - For TLS 1.2, values should be given as 3961 * "(HashAlgorithm << 8) | SignatureAlgorithm". 3962 */ 3963 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, 3964 const uint16_t *sig_algs); 3965 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 3966 3967 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3968 /** 3969 * \brief Set or reset the hostname to check against the received 3970 * server certificate. It sets the ServerName TLS extension, 3971 * too, if that extension is enabled. (client-side only) 3972 * 3973 * \param ssl SSL context 3974 * \param hostname the server hostname, may be NULL to clear hostname 3975 3976 * \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. 3977 * 3978 * \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on 3979 * allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on 3980 * too long input hostname. 3981 * 3982 * Hostname set to the one provided on success (cleared 3983 * when NULL). On allocation failure hostname is cleared. 3984 * On too long input failure, old hostname is unchanged. 3985 */ 3986 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname); 3987 3988 /** 3989 * \brief Get the hostname that checked against the received 3990 * server certificate. It is used to set the ServerName 3991 * TLS extension, too, if that extension is enabled. 3992 * (client-side only) 3993 * 3994 * \param ssl SSL context 3995 * 3996 * \return const pointer to the hostname value 3997 */ 3998 static inline const char *mbedtls_ssl_get_hostname(mbedtls_ssl_context *ssl) 3999 { 4000 return ssl->MBEDTLS_PRIVATE(hostname); 4001 } 4002 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 4003 4004 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4005 /** 4006 * \brief Retrieve SNI extension value for the current handshake. 4007 * Available in \c f_cert_cb of \c mbedtls_ssl_conf_cert_cb(), 4008 * this is the same value passed to \c f_sni callback of 4009 * \c mbedtls_ssl_conf_sni() and may be used instead of 4010 * \c mbedtls_ssl_conf_sni(). 4011 * 4012 * \param ssl SSL context 4013 * \param name_len pointer into which to store length of returned value. 4014 * 0 if SNI extension is not present or not yet processed. 4015 * 4016 * \return const pointer to SNI extension value. 4017 * - value is valid only when called in \c f_cert_cb 4018 * registered with \c mbedtls_ssl_conf_cert_cb(). 4019 * - value is NULL if SNI extension is not present. 4020 * - value is not '\0'-terminated. Use \c name_len for len. 4021 * - value must not be freed. 4022 */ 4023 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl, 4024 size_t *name_len); 4025 4026 /** 4027 * \brief Set own certificate and key for the current handshake 4028 * 4029 * \note Same as \c mbedtls_ssl_conf_own_cert() but for use within 4030 * the SNI callback or the certificate selection callback. 4031 * 4032 * \note Passing null \c own_cert clears the certificate list for 4033 * the current handshake. 4034 * 4035 * \param ssl SSL context 4036 * \param own_cert own public certificate chain 4037 * \param pk_key own private key 4038 * 4039 * \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED 4040 */ 4041 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, 4042 mbedtls_x509_crt *own_cert, 4043 mbedtls_pk_context *pk_key); 4044 4045 /** 4046 * \brief Set the data required to verify peer certificate for the 4047 * current handshake 4048 * 4049 * \note Same as \c mbedtls_ssl_conf_ca_chain() but for use within 4050 * the SNI callback or the certificate selection callback. 4051 * 4052 * \param ssl SSL context 4053 * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs) 4054 * \param ca_crl trusted CA CRLs 4055 */ 4056 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl, 4057 mbedtls_x509_crt *ca_chain, 4058 mbedtls_x509_crl *ca_crl); 4059 4060 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 4061 /** 4062 * \brief Set DN hints sent to client in CertificateRequest message 4063 * 4064 * \note Same as \c mbedtls_ssl_conf_dn_hints() but for use within 4065 * the SNI callback or the certificate selection callback. 4066 * 4067 * \param ssl SSL context 4068 * \param crt crt chain whose subject DNs are issuer DNs of client certs 4069 * from which the client should select client peer certificate. 4070 */ 4071 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl, 4072 const mbedtls_x509_crt *crt); 4073 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 4074 4075 /** 4076 * \brief Set authmode for the current handshake. 4077 * 4078 * \note Same as \c mbedtls_ssl_conf_authmode() but for use within 4079 * the SNI callback or the certificate selection callback. 4080 * 4081 * \param ssl SSL context 4082 * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or 4083 * MBEDTLS_SSL_VERIFY_REQUIRED 4084 */ 4085 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl, 4086 int authmode); 4087 4088 /** 4089 * \brief Set server side ServerName TLS extension callback 4090 * (optional, server-side only). 4091 * 4092 * If set, the ServerName callback is called whenever the 4093 * server receives a ServerName TLS extension from the client 4094 * during a handshake. The ServerName callback has the 4095 * following parameters: (void *parameter, mbedtls_ssl_context *ssl, 4096 * const unsigned char *hostname, size_t len). If a suitable 4097 * certificate is found, the callback must set the 4098 * certificate(s) and key(s) to use with \c 4099 * mbedtls_ssl_set_hs_own_cert() (can be called repeatedly), 4100 * and may optionally adjust the CA and associated CRL with \c 4101 * mbedtls_ssl_set_hs_ca_chain() as well as the client 4102 * authentication mode with \c mbedtls_ssl_set_hs_authmode(), 4103 * then must return 0. If no matching name is found, the 4104 * callback may return non-zero to abort the handshake. 4105 * 4106 * \param conf SSL configuration 4107 * \param f_sni verification function 4108 * \param p_sni verification parameter 4109 */ 4110 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf, 4111 int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, 4112 size_t), 4113 void *p_sni); 4114 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4115 4116 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4117 /** 4118 * \brief Set the EC J-PAKE password for current handshake. 4119 * 4120 * \note An internal copy is made, and destroyed as soon as the 4121 * handshake is completed, or when the SSL context is reset or 4122 * freed. 4123 * 4124 * \note The SSL context needs to be already set up. The right place 4125 * to call this function is between \c mbedtls_ssl_setup() or 4126 * \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake(). 4127 * Password cannot be empty (see RFC 8236). 4128 * 4129 * \param ssl SSL context 4130 * \param pw EC J-PAKE password (pre-shared secret). It cannot be empty 4131 * \param pw_len length of pw in bytes 4132 * 4133 * \return 0 on success, or a negative error code. 4134 */ 4135 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 4136 const unsigned char *pw, 4137 size_t pw_len); 4138 4139 /** 4140 * \brief Set the EC J-PAKE opaque password for current handshake. 4141 * 4142 * \note The key must remain valid until the handshake is over. 4143 * 4144 * \note The SSL context needs to be already set up. The right place 4145 * to call this function is between \c mbedtls_ssl_setup() or 4146 * \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake(). 4147 * 4148 * \param ssl SSL context 4149 * \param pwd EC J-PAKE opaque password 4150 * 4151 * \return 0 on success, or a negative error code. 4152 */ 4153 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl, 4154 mbedtls_svc_key_id_t pwd); 4155 #endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 4156 4157 #if defined(MBEDTLS_SSL_ALPN) 4158 /** 4159 * \brief Set the supported Application Layer Protocols. 4160 * 4161 * \param conf SSL configuration 4162 * \param protos Pointer to a NULL-terminated list of supported protocols, 4163 * in decreasing preference order. The pointer to the list is 4164 * recorded by the library for later reference as required, so 4165 * the lifetime of the table must be at least as long as the 4166 * lifetime of the SSL configuration structure. 4167 * 4168 * \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA. 4169 */ 4170 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos); 4171 4172 /** 4173 * \brief Get the name of the negotiated Application Layer Protocol. 4174 * This function should be called after the handshake is 4175 * completed. 4176 * 4177 * \param ssl SSL context 4178 * 4179 * \return Protocol name, or NULL if no protocol was negotiated. 4180 */ 4181 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl); 4182 #endif /* MBEDTLS_SSL_ALPN */ 4183 4184 #if defined(MBEDTLS_SSL_DTLS_SRTP) 4185 #if defined(MBEDTLS_DEBUG_C) 4186 static inline const char *mbedtls_ssl_get_srtp_profile_as_string(mbedtls_ssl_srtp_profile profile) 4187 { 4188 switch (profile) { 4189 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: 4190 return "MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80"; 4191 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: 4192 return "MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32"; 4193 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: 4194 return "MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80"; 4195 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: 4196 return "MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32"; 4197 default: break; 4198 } 4199 return ""; 4200 } 4201 #endif /* MBEDTLS_DEBUG_C */ 4202 /** 4203 * \brief Manage support for mki(master key id) value 4204 * in use_srtp extension. 4205 * MKI is an optional part of SRTP used for key management 4206 * and re-keying. See RFC3711 section 3.1 for details. 4207 * The default value is 4208 * #MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED. 4209 * 4210 * \param conf The SSL configuration to manage mki support. 4211 * \param support_mki_value Enable or disable mki usage. Values are 4212 * #MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 4213 * or #MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED. 4214 */ 4215 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf, 4216 int support_mki_value); 4217 4218 /** 4219 * \brief Set the supported DTLS-SRTP protection profiles. 4220 * 4221 * \param conf SSL configuration 4222 * \param profiles Pointer to a List of MBEDTLS_TLS_SRTP_UNSET terminated 4223 * supported protection profiles 4224 * in decreasing preference order. 4225 * The pointer to the list is recorded by the library 4226 * for later reference as required, so the lifetime 4227 * of the table must be at least as long as the lifetime 4228 * of the SSL configuration structure. 4229 * The list must not hold more than 4230 * MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH elements 4231 * (excluding the terminating MBEDTLS_TLS_SRTP_UNSET). 4232 * 4233 * \return 0 on success 4234 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of 4235 * protection profiles is incorrect. 4236 */ 4237 int mbedtls_ssl_conf_dtls_srtp_protection_profiles 4238 (mbedtls_ssl_config *conf, 4239 const mbedtls_ssl_srtp_profile *profiles); 4240 4241 /** 4242 * \brief Set the mki_value for the current DTLS-SRTP session. 4243 * 4244 * \param ssl SSL context to use. 4245 * \param mki_value The MKI value to set. 4246 * \param mki_len The length of the MKI value. 4247 * 4248 * \note This function is relevant on client side only. 4249 * The server discovers the mki value during handshake. 4250 * A mki value set on server side using this function 4251 * is ignored. 4252 * 4253 * \return 0 on success 4254 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA 4255 * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE 4256 */ 4257 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl, 4258 unsigned char *mki_value, 4259 uint16_t mki_len); 4260 /** 4261 * \brief Get the negotiated DTLS-SRTP information: 4262 * Protection profile and MKI value. 4263 * 4264 * \warning This function must be called after the handshake is 4265 * completed. The value returned by this function must 4266 * not be trusted or acted upon before the handshake completes. 4267 * 4268 * \param ssl The SSL context to query. 4269 * \param dtls_srtp_info The negotiated DTLS-SRTP information: 4270 * - Protection profile in use. 4271 * A direct mapping of the iana defined value for protection 4272 * profile on an uint16_t. 4273 http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml 4274 * #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated 4275 * or peer's Hello packet was not parsed yet. 4276 * - mki size and value( if size is > 0 ). 4277 */ 4278 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl, 4279 mbedtls_dtls_srtp_info *dtls_srtp_info); 4280 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 4281 4282 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4283 /** 4284 * \brief Set the maximum supported version sent from the client side 4285 * and/or accepted at the server side. 4286 * 4287 * See also the documentation of mbedtls_ssl_conf_min_version(). 4288 * 4289 * \note This ignores ciphersuites from higher versions. 4290 * 4291 * \note This function is deprecated and has been replaced by 4292 * \c mbedtls_ssl_conf_max_tls_version(). 4293 * 4294 * \param conf SSL configuration 4295 * \param major Major version number (#MBEDTLS_SSL_MAJOR_VERSION_3) 4296 * \param minor Minor version number 4297 * (#MBEDTLS_SSL_MINOR_VERSION_3 for (D)TLS 1.2, 4298 * #MBEDTLS_SSL_MINOR_VERSION_4 for TLS 1.3) 4299 */ 4300 void MBEDTLS_DEPRECATED mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, 4301 int minor); 4302 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4303 4304 /** 4305 * \brief Set the maximum supported version sent from the client side 4306 * and/or accepted at the server side. 4307 * 4308 * \note After the handshake, you can call 4309 * mbedtls_ssl_get_version_number() to see what version was 4310 * negotiated. 4311 * 4312 * \param conf SSL configuration 4313 * \param tls_version TLS protocol version number (\c mbedtls_ssl_protocol_version) 4314 * (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid) 4315 */ 4316 static inline void mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, 4317 mbedtls_ssl_protocol_version tls_version) 4318 { 4319 conf->MBEDTLS_PRIVATE(max_tls_version) = tls_version; 4320 } 4321 4322 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4323 /** 4324 * \brief Set the minimum accepted SSL/TLS protocol version 4325 * 4326 * \note By default, all supported versions are accepted. 4327 * Future versions of the library may disable older 4328 * protocol versions by default if they become deprecated. 4329 * 4330 * \note The following versions are supported (if enabled at 4331 * compile time): 4332 * - (D)TLS 1.2: \p major = #MBEDTLS_SSL_MAJOR_VERSION_3, 4333 * \p minor = #MBEDTLS_SSL_MINOR_VERSION_3 4334 * - TLS 1.3: \p major = #MBEDTLS_SSL_MAJOR_VERSION_3, 4335 * \p minor = #MBEDTLS_SSL_MINOR_VERSION_4 4336 * 4337 * Note that the numbers in the constant names are the 4338 * TLS internal protocol numbers, and the minor versions 4339 * differ by one from the human-readable versions! 4340 * 4341 * \note Input outside of the SSL_MAX_XXXXX_VERSION and 4342 * SSL_MIN_XXXXX_VERSION range is ignored. 4343 * 4344 * \note After the handshake, you can call 4345 * mbedtls_ssl_get_version_number() to see what version was 4346 * negotiated. 4347 * 4348 * \note This function is deprecated and has been replaced by 4349 * \c mbedtls_ssl_conf_min_tls_version(). 4350 * 4351 * \param conf SSL configuration 4352 * \param major Major version number (#MBEDTLS_SSL_MAJOR_VERSION_3) 4353 * \param minor Minor version number 4354 * (#MBEDTLS_SSL_MINOR_VERSION_3 for (D)TLS 1.2, 4355 * #MBEDTLS_SSL_MINOR_VERSION_4 for TLS 1.3) 4356 */ 4357 void MBEDTLS_DEPRECATED mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, 4358 int minor); 4359 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4360 4361 /** 4362 * \brief Set the minimum supported version sent from the client side 4363 * and/or accepted at the server side. 4364 * 4365 * \note After the handshake, you can call 4366 * mbedtls_ssl_get_version_number() to see what version was 4367 * negotiated. 4368 * 4369 * \param conf SSL configuration 4370 * \param tls_version TLS protocol version number (\c mbedtls_ssl_protocol_version) 4371 * (#MBEDTLS_SSL_VERSION_UNKNOWN is not valid) 4372 */ 4373 static inline void mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf, 4374 mbedtls_ssl_protocol_version tls_version) 4375 { 4376 conf->MBEDTLS_PRIVATE(min_tls_version) = tls_version; 4377 } 4378 4379 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 4380 /** 4381 * \brief Enable or disable Encrypt-then-MAC 4382 * (Default: MBEDTLS_SSL_ETM_ENABLED) 4383 * 4384 * \note This should always be enabled, it is a security 4385 * improvement, and should not cause any interoperability 4386 * issue (used only if the peer supports it too). 4387 * 4388 * \param conf SSL configuration 4389 * \param etm MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED 4390 */ 4391 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm); 4392 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 4393 4394 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 4395 /** 4396 * \brief Enable or disable Extended Master Secret negotiation. 4397 * (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED) 4398 * 4399 * \note This should always be enabled, it is a security fix to the 4400 * protocol, and should not cause any interoperability issue 4401 * (used only if the peer supports it too). 4402 * 4403 * \param conf SSL configuration 4404 * \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED 4405 */ 4406 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems); 4407 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 4408 4409 #if defined(MBEDTLS_SSL_SRV_C) 4410 /** 4411 * \brief Whether to send a list of acceptable CAs in 4412 * CertificateRequest messages. 4413 * (Default: do send) 4414 * 4415 * \param conf SSL configuration 4416 * \param cert_req_ca_list MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or 4417 * MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED 4418 */ 4419 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, 4420 char cert_req_ca_list); 4421 #endif /* MBEDTLS_SSL_SRV_C */ 4422 4423 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 4424 /** 4425 * \brief Set the maximum fragment length to emit and/or negotiate. 4426 * (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and 4427 * #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes) 4428 * (Server: set maximum fragment length to emit, 4429 * usually negotiated by the client during handshake) 4430 * (Client: set maximum fragment length to emit *and* 4431 * negotiate with the server during handshake) 4432 * (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE) 4433 * 4434 * \note On the client side, the maximum fragment length extension 4435 * *will not* be used, unless the maximum fragment length has 4436 * been set via this function to a value different than 4437 * #MBEDTLS_SSL_MAX_FRAG_LEN_NONE. 4438 * 4439 * \note With TLS, this currently only affects ApplicationData (sent 4440 * with \c mbedtls_ssl_read()), not handshake messages. 4441 * With DTLS, this affects both ApplicationData and handshake. 4442 * 4443 * \note This sets the maximum length for a record's payload, 4444 * excluding record overhead that will be added to it, see 4445 * \c mbedtls_ssl_get_record_expansion(). 4446 * 4447 * \note For DTLS, it is also possible to set a limit for the total 4448 * size of datagrams passed to the transport layer, including 4449 * record overhead, see \c mbedtls_ssl_set_mtu(). 4450 * 4451 * \param conf SSL configuration 4452 * \param mfl_code Code for maximum fragment length (allowed values: 4453 * MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024, 4454 * MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096) 4455 * 4456 * \return 0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA 4457 */ 4458 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code); 4459 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 4460 4461 #if defined(MBEDTLS_SSL_SRV_C) 4462 /** 4463 * \brief Pick the ciphersuites order according to the second parameter 4464 * in the SSL Server module (MBEDTLS_SSL_SRV_C). 4465 * (Default, if never called: MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER) 4466 * 4467 * \param conf SSL configuration 4468 * \param order Server or client (MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 4469 * or MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) 4470 */ 4471 void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order); 4472 #endif /* MBEDTLS_SSL_SRV_C */ 4473 4474 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 4475 /** 4476 * \brief Enable / Disable TLS 1.2 session tickets (client only, 4477 * TLS 1.2 only). Enabled by default. 4478 * 4479 * \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). 4480 * 4481 * \param conf SSL configuration 4482 * \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or 4483 * #MBEDTLS_SSL_SESSION_TICKETS_DISABLED) 4484 */ 4485 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets); 4486 4487 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4488 /** 4489 * \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages 4490 * (client only, TLS 1.3 only). 4491 * 4492 * The handling of TLS 1.3 NewSessionTicket messages is disabled by 4493 * default. 4494 * 4495 * In TLS 1.3, servers may send a NewSessionTicket message at any time, 4496 * and may send multiple NewSessionTicket messages. By default, TLS 1.3 4497 * clients ignore NewSessionTicket messages. 4498 * 4499 * To support session tickets in TLS 1.3 clients, call this function 4500 * with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When 4501 * this is enabled, when a client receives a NewSessionTicket message, 4502 * the next call to a message processing functions (notably 4503 * mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return 4504 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then 4505 * call mbedtls_ssl_get_session() to retrieve the session ticket before 4506 * calling the same message processing function again. 4507 * 4508 * \param conf SSL configuration 4509 * \param signal_new_session_tickets Enable or disable 4510 * (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or 4511 * #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED) 4512 */ 4513 void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( 4514 mbedtls_ssl_config *conf, int signal_new_session_tickets); 4515 4516 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4517 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 4518 4519 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 4520 defined(MBEDTLS_SSL_SRV_C) && \ 4521 defined(MBEDTLS_SSL_PROTO_TLS1_3) 4522 /** 4523 * \brief Number of NewSessionTicket messages for the server to send 4524 * after handshake completion. 4525 * 4526 * \note The default value is 4527 * \c MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS. 4528 * 4529 * \note In case of a session resumption, this setting only partially apply. 4530 * At most one ticket is sent in that case to just renew the pool of 4531 * tickets of the client. The rationale is to avoid the number of 4532 * tickets on the server to become rapidly out of control when the 4533 * server has the same configuration for all its connection instances. 4534 * 4535 * \param conf SSL configuration 4536 * \param num_tickets Number of NewSessionTicket. 4537 * 4538 */ 4539 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf, 4540 uint16_t num_tickets); 4541 #endif /* MBEDTLS_SSL_SESSION_TICKETS && 4542 MBEDTLS_SSL_SRV_C && 4543 MBEDTLS_SSL_PROTO_TLS1_3*/ 4544 4545 #if defined(MBEDTLS_SSL_RENEGOTIATION) 4546 /** 4547 * \brief Enable / Disable renegotiation support for connection when 4548 * initiated by peer 4549 * (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED) 4550 * 4551 * \warning It is recommended to always disable renegotiation unless you 4552 * know you need it and you know what you're doing. In the 4553 * past, there have been several issues associated with 4554 * renegotiation or a poor understanding of its properties. 4555 * 4556 * \note Server-side, enabling renegotiation also makes the server 4557 * susceptible to a resource DoS by a malicious client. 4558 * 4559 * \param conf SSL configuration 4560 * \param renegotiation Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or 4561 * MBEDTLS_SSL_RENEGOTIATION_DISABLED) 4562 */ 4563 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation); 4564 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 4565 4566 /** 4567 * \brief Prevent or allow legacy renegotiation. 4568 * (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) 4569 * 4570 * MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to 4571 * be established even if the peer does not support 4572 * secure renegotiation, but does not allow renegotiation 4573 * to take place if not secure. 4574 * (Interoperable and secure option) 4575 * 4576 * MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations 4577 * with non-upgraded peers. Allowing legacy renegotiation 4578 * makes the connection vulnerable to specific man in the 4579 * middle attacks. (See RFC 5746) 4580 * (Most interoperable and least secure option) 4581 * 4582 * MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections 4583 * if peer does not support secure renegotiation. Results 4584 * in interoperability issues with non-upgraded peers 4585 * that do not support renegotiation altogether. 4586 * (Most secure option, interoperability issues) 4587 * 4588 * \param conf SSL configuration 4589 * \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION, 4590 * SSL_ALLOW_LEGACY_RENEGOTIATION or 4591 * MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) 4592 */ 4593 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy); 4594 4595 #if defined(MBEDTLS_SSL_RENEGOTIATION) 4596 /** 4597 * \brief Enforce renegotiation requests. 4598 * (Default: enforced, max_records = 16) 4599 * 4600 * When we request a renegotiation, the peer can comply or 4601 * ignore the request. This function allows us to decide 4602 * whether to enforce our renegotiation requests by closing 4603 * the connection if the peer doesn't comply. 4604 * 4605 * However, records could already be in transit from the peer 4606 * when the request is emitted. In order to increase 4607 * reliability, we can accept a number of records before the 4608 * expected handshake records. 4609 * 4610 * The optimal value is highly dependent on the specific usage 4611 * scenario. 4612 * 4613 * \note With DTLS and server-initiated renegotiation, the 4614 * HelloRequest is retransmitted every time mbedtls_ssl_read() times 4615 * out or receives Application Data, until: 4616 * - max_records records have beens seen, if it is >= 0, or 4617 * - the number of retransmits that would happen during an 4618 * actual handshake has been reached. 4619 * Please remember the request might be lost a few times 4620 * if you consider setting max_records to a really low value. 4621 * 4622 * \warning On client, the grace period can only happen during 4623 * mbedtls_ssl_read(), as opposed to mbedtls_ssl_write() and mbedtls_ssl_renegotiate() 4624 * which always behave as if max_record was 0. The reason is, 4625 * if we receive application data from the server, we need a 4626 * place to write it, which only happens during mbedtls_ssl_read(). 4627 * 4628 * \param conf SSL configuration 4629 * \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to 4630 * enforce renegotiation, or a non-negative value to enforce 4631 * it but allow for a grace period of max_records records. 4632 */ 4633 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records); 4634 4635 /** 4636 * \brief Set record counter threshold for periodic renegotiation. 4637 * (Default: 2^48 - 1) 4638 * 4639 * Renegotiation is automatically triggered when a record 4640 * counter (outgoing or incoming) crosses the defined 4641 * threshold. The default value is meant to prevent the 4642 * connection from being closed when the counter is about to 4643 * reached its maximal value (it is not allowed to wrap). 4644 * 4645 * Lower values can be used to enforce policies such as "keys 4646 * must be refreshed every N packets with cipher X". 4647 * 4648 * The renegotiation period can be disabled by setting 4649 * conf->disable_renegotiation to 4650 * MBEDTLS_SSL_RENEGOTIATION_DISABLED. 4651 * 4652 * \note When the configured transport is 4653 * MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation 4654 * period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM, 4655 * the maximum renegotiation period is 2^64 - 1. 4656 * 4657 * \param conf SSL configuration 4658 * \param period The threshold value: a big-endian 64-bit number. 4659 */ 4660 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf, 4661 const unsigned char period[8]); 4662 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 4663 4664 /** 4665 * \brief Check if there is data already read from the 4666 * underlying transport but not yet processed. 4667 * 4668 * \param ssl SSL context 4669 * 4670 * \return 0 if nothing's pending, 1 otherwise. 4671 * 4672 * \note This is different in purpose and behaviour from 4673 * \c mbedtls_ssl_get_bytes_avail in that it considers 4674 * any kind of unprocessed data, not only unread 4675 * application data. If \c mbedtls_ssl_get_bytes 4676 * returns a non-zero value, this function will 4677 * also signal pending data, but the converse does 4678 * not hold. For example, in DTLS there might be 4679 * further records waiting to be processed from 4680 * the current underlying transport's datagram. 4681 * 4682 * \note If this function returns 1 (data pending), this 4683 * does not imply that a subsequent call to 4684 * \c mbedtls_ssl_read will provide any data; 4685 * e.g., the unprocessed data might turn out 4686 * to be an alert or a handshake message. 4687 * 4688 * \note This function is useful in the following situation: 4689 * If the SSL/TLS module successfully returns from an 4690 * operation - e.g. a handshake or an application record 4691 * read - and you're awaiting incoming data next, you 4692 * must not immediately idle on the underlying transport 4693 * to have data ready, but you need to check the value 4694 * of this function first. The reason is that the desired 4695 * data might already be read but not yet processed. 4696 * If, in contrast, a previous call to the SSL/TLS module 4697 * returned MBEDTLS_ERR_SSL_WANT_READ, it is not necessary 4698 * to call this function, as the latter error code entails 4699 * that all internal data has been processed. 4700 * 4701 */ 4702 int mbedtls_ssl_check_pending(const mbedtls_ssl_context *ssl); 4703 4704 /** 4705 * \brief Return the number of application data bytes 4706 * remaining to be read from the current record. 4707 * 4708 * \param ssl SSL context 4709 * 4710 * \return How many bytes are available in the application 4711 * data record read buffer. 4712 * 4713 * \note When working over a datagram transport, this is 4714 * useful to detect the current datagram's boundary 4715 * in case \c mbedtls_ssl_read has written the maximal 4716 * amount of data fitting into the input buffer. 4717 * 4718 */ 4719 size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ssl); 4720 4721 /** 4722 * \brief Return the result of the certificate verification 4723 * 4724 * \param ssl The SSL context to use. 4725 * 4726 * \return \c 0 if the certificate verification was successful. 4727 * \return \c -1u if the result is not available. This may happen 4728 * e.g. if the handshake aborts early, or a verification 4729 * callback returned a fatal error. 4730 * \return A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX 4731 * and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h. 4732 */ 4733 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl); 4734 4735 /** 4736 * \brief Return the id of the current ciphersuite 4737 * 4738 * \param ssl SSL context 4739 * 4740 * \return a ciphersuite id 4741 */ 4742 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl); 4743 4744 /** 4745 * \brief Return the name of the current ciphersuite 4746 * 4747 * \param ssl SSL context 4748 * 4749 * \return a string containing the ciphersuite name 4750 */ 4751 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl); 4752 4753 4754 /** 4755 * \brief Return the (D)TLS protocol version negotiated in the 4756 * given connection. 4757 * 4758 * \note If you call this function too early during the initial 4759 * handshake, before the two sides have agreed on a version, 4760 * this function returns #MBEDTLS_SSL_VERSION_UNKNOWN. 4761 * 4762 * \param ssl The SSL context to query. 4763 * \return The negotiated protocol version. 4764 */ 4765 static inline mbedtls_ssl_protocol_version mbedtls_ssl_get_version_number( 4766 const mbedtls_ssl_context *ssl) 4767 { 4768 return ssl->MBEDTLS_PRIVATE(tls_version); 4769 } 4770 4771 /** 4772 * \brief Return the current TLS version 4773 * 4774 * \param ssl SSL context 4775 * 4776 * \return a string containing the TLS version 4777 */ 4778 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl); 4779 4780 /** 4781 * \brief Return the (maximum) number of bytes added by the record 4782 * layer: header + encryption/MAC overhead (inc. padding) 4783 * 4784 * \param ssl SSL context 4785 * 4786 * \return Current maximum record expansion in bytes 4787 */ 4788 int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl); 4789 4790 /** 4791 * \brief Return the current maximum outgoing record payload in bytes. 4792 * 4793 * \note The logic to determine the maximum outgoing record payload is 4794 * version-specific. It takes into account various factors, such as 4795 * the mbedtls_config.h setting \c MBEDTLS_SSL_OUT_CONTENT_LEN, extensions 4796 * such as the max fragment length or record size limit extension if 4797 * used, and for DTLS the path MTU as configured and current 4798 * record expansion. 4799 * 4800 * \note With DTLS, \c mbedtls_ssl_write() will return an error if 4801 * called with a larger length value. 4802 * With TLS, \c mbedtls_ssl_write() will fragment the input if 4803 * necessary and return the number of bytes written; it is up 4804 * to the caller to call \c mbedtls_ssl_write() again in 4805 * order to send the remaining bytes if any. 4806 * 4807 * \sa mbedtls_ssl_get_max_out_record_payload() 4808 * \sa mbedtls_ssl_get_record_expansion() 4809 * 4810 * \param ssl SSL context 4811 * 4812 * \return Current maximum payload for an outgoing record, 4813 * or a negative error code. 4814 */ 4815 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl); 4816 4817 /** 4818 * \brief Return the current maximum incoming record payload in bytes. 4819 * 4820 * \note The logic to determine the maximum incoming record payload is 4821 * version-specific. It takes into account various factors, such as 4822 * the mbedtls_config.h setting \c MBEDTLS_SSL_IN_CONTENT_LEN, extensions 4823 * such as the max fragment length extension or record size limit 4824 * extension if used, and the current record expansion. 4825 * 4826 * \sa mbedtls_ssl_set_mtu() 4827 * \sa mbedtls_ssl_get_max_in_record_payload() 4828 * \sa mbedtls_ssl_get_record_expansion() 4829 * 4830 * \param ssl SSL context 4831 * 4832 * \return Current maximum payload for an incoming record, 4833 * or a negative error code. 4834 */ 4835 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl); 4836 4837 #if defined(MBEDTLS_X509_CRT_PARSE_C) 4838 /** 4839 * \brief Return the peer certificate from the current connection. 4840 * 4841 * \param ssl The SSL context to use. This must be initialized and setup. 4842 * 4843 * \return The current peer certificate, if available. 4844 * The returned certificate is owned by the SSL context and 4845 * is valid only until the next call to the SSL API. 4846 * \return \c NULL if no peer certificate is available. This might 4847 * be because the chosen ciphersuite doesn't use CRTs 4848 * (PSK-based ciphersuites, for example), or because 4849 * #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled, 4850 * allowing the stack to free the peer's CRT to save memory. 4851 * 4852 * \note For one-time inspection of the peer's certificate during 4853 * the handshake, consider registering an X.509 CRT verification 4854 * callback through mbedtls_ssl_conf_verify() instead of calling 4855 * this function. Using mbedtls_ssl_conf_verify() also comes at 4856 * the benefit of allowing you to influence the verification 4857 * process, for example by masking expected and tolerated 4858 * verification failures. 4859 * 4860 * \warning You must not use the pointer returned by this function 4861 * after any further call to the SSL API, including 4862 * mbedtls_ssl_read() and mbedtls_ssl_write(); this is 4863 * because the pointer might change during renegotiation, 4864 * which happens transparently to the user. 4865 * If you want to use the certificate across API calls, 4866 * you must make a copy. 4867 */ 4868 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl); 4869 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 4870 4871 #if defined(MBEDTLS_SSL_CLI_C) 4872 /** 4873 * \brief Export a session in order to resume it later. 4874 * 4875 * \param ssl The SSL context representing the connection for which to 4876 * to export a session structure for later resumption. 4877 * \param session The target structure in which to store the exported session. 4878 * This must have been initialized with mbedtls_ssl_session_init() 4879 * but otherwise be unused. 4880 * 4881 * \note This function can handle a variety of mechanisms for session 4882 * resumption: For TLS 1.2, both session ID-based resumption and 4883 * ticket-based resumption will be considered. For TLS 1.3, 4884 * sessions equate to tickets, and if session tickets are 4885 * enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration 4886 * option), this function exports the last received ticket and 4887 * the exported session may be used to resume the TLS 1.3 4888 * session. If session tickets are disabled, exported sessions 4889 * cannot be used to resume a TLS 1.3 session. 4890 * 4891 * \return \c 0 if successful. In this case, \p session can be used for 4892 * session resumption by passing it to mbedtls_ssl_set_session(), 4893 * and serialized for storage via mbedtls_ssl_session_save(). 4894 * \return Another negative error code on other kinds of failure. 4895 * 4896 * \sa mbedtls_ssl_set_session() 4897 * \sa mbedtls_ssl_session_save() 4898 */ 4899 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, 4900 mbedtls_ssl_session *session); 4901 #endif /* MBEDTLS_SSL_CLI_C */ 4902 4903 /** 4904 * \brief Perform the SSL handshake 4905 * 4906 * \param ssl SSL context 4907 * 4908 * \return \c 0 if successful. 4909 * \return #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE 4910 * if the handshake is incomplete and waiting for data to 4911 * be available for reading from or writing to the underlying 4912 * transport - in this case you must call this function again 4913 * when the underlying transport is ready for the operation. 4914 * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous 4915 * operation is in progress (see 4916 * mbedtls_ssl_conf_async_private_cb()) - in this case you 4917 * must call this function again when the operation is ready. 4918 * \return #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic 4919 * operation is in progress (see mbedtls_ecp_set_max_ops()) - 4920 * in this case you must call this function again to complete 4921 * the handshake when you're done attending other tasks. 4922 * \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use 4923 * and the client did not demonstrate reachability yet - in 4924 * this case you must stop using the context (see below). 4925 * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 4926 * NewSessionTicket message has been received. See the 4927 * documentation of mbedtls_ssl_read() for more information 4928 * about this error code. 4929 * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as 4930 * defined in RFC 8446 (TLS 1.3 specification), has been 4931 * received as part of the handshake. This is server specific 4932 * and may occur only if the early data feature has been 4933 * enabled on server (see mbedtls_ssl_conf_early_data() 4934 * documentation). You must call mbedtls_ssl_read_early_data() 4935 * to read the early data before resuming the handshake. 4936 * \return Another SSL error code - in this case you must stop using 4937 * the context (see below). 4938 * 4939 * \warning If this function returns something other than 4940 * \c 0, 4941 * #MBEDTLS_ERR_SSL_WANT_READ, 4942 * #MBEDTLS_ERR_SSL_WANT_WRITE, 4943 * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or 4944 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or 4945 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or 4946 * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, 4947 * you must stop using the SSL context for reading or writing, 4948 * and either free it or call \c mbedtls_ssl_session_reset() 4949 * on it before re-using it for a new connection; the current 4950 * connection must be closed. 4951 * 4952 * \note If DTLS is in use, then you may choose to handle 4953 * #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging 4954 * purposes, as it is an expected return value rather than an 4955 * actual error, but you still need to reset/free the context. 4956 * 4957 * \note Remarks regarding event-driven DTLS: 4958 * If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram 4959 * from the underlying transport layer is currently being processed, 4960 * and it is safe to idle until the timer or the underlying transport 4961 * signal a new event. This is not true for a successful handshake, 4962 * in which case the datagram of the underlying transport that is 4963 * currently being processed might or might not contain further 4964 * DTLS records. 4965 * 4966 * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto 4967 * subsystem must have been initialized by calling 4968 * psa_crypto_init() before calling this function. 4969 * Otherwise, the handshake may call psa_crypto_init() 4970 * if a negotiation involving TLS 1.3 takes place (this may 4971 * be the case even if TLS 1.3 is offered but eventually 4972 * not selected). 4973 */ 4974 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl); 4975 4976 /** 4977 * \brief After calling mbedtls_ssl_handshake() to start the SSL 4978 * handshake you can call this function to check whether the 4979 * handshake is over for a given SSL context. This function 4980 * should be also used to determine when to stop calling 4981 * mbedtls_handshake_step() for that context. 4982 * 4983 * \param ssl SSL context 4984 * 4985 * \return \c 1 if handshake is over, \c 0 if it is still ongoing. 4986 */ 4987 static inline int mbedtls_ssl_is_handshake_over(mbedtls_ssl_context *ssl) 4988 { 4989 return ssl->MBEDTLS_PRIVATE(state) >= MBEDTLS_SSL_HANDSHAKE_OVER; 4990 } 4991 4992 /** 4993 * \brief Perform a single step of the SSL handshake 4994 * 4995 * \note The state of the context (ssl->state) will be at 4996 * the next state after this function returns \c 0. Do not 4997 * call this function if mbedtls_ssl_is_handshake_over() 4998 * returns \c 1. 4999 * 5000 * \warning Whilst in the past you may have used direct access to the 5001 * context state (ssl->state) in order to ascertain when to 5002 * stop calling this function and although you can still do 5003 * so with something like ssl->MBEDTLS_PRIVATE(state) or by 5004 * defining MBEDTLS_ALLOW_PRIVATE_ACCESS, this is now 5005 * considered deprecated and could be broken in any future 5006 * release. If you still find you have good reason for such 5007 * direct access, then please do contact the team to explain 5008 * this (raise an issue or post to the mailing list), so that 5009 * we can add a solution to your problem that will be 5010 * guaranteed to work in the future. 5011 * 5012 * \param ssl SSL context 5013 * 5014 * \return See mbedtls_ssl_handshake(). 5015 * 5016 * \warning If this function returns something other than \c 0, 5017 * #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, 5018 * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, 5019 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or 5020 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or 5021 * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using 5022 * the SSL context for reading or writing, and either free it 5023 * or call \c mbedtls_ssl_session_reset() on it before 5024 * re-using it for a new connection; the current connection 5025 * must be closed. 5026 */ 5027 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl); 5028 5029 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5030 /** 5031 * \brief Initiate an SSL renegotiation on the running connection. 5032 * Client: perform the renegotiation right now. 5033 * Server: request renegotiation, which will be performed 5034 * during the next call to mbedtls_ssl_read() if honored by 5035 * client. 5036 * 5037 * \param ssl SSL context 5038 * 5039 * \return 0 if successful, or any mbedtls_ssl_handshake() return 5040 * value except #MBEDTLS_ERR_SSL_CLIENT_RECONNECT that can't 5041 * happen during a renegotiation. 5042 * 5043 * \warning If this function returns something other than \c 0, 5044 * #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, 5045 * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or 5046 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using 5047 * the SSL context for reading or writing, and either free it 5048 * or call \c mbedtls_ssl_session_reset() on it before 5049 * re-using it for a new connection; the current connection 5050 * must be closed. 5051 * 5052 */ 5053 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); 5054 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 5055 5056 /** 5057 * \brief Read at most 'len' application data bytes 5058 * 5059 * \param ssl SSL context 5060 * \param buf buffer that will hold the data 5061 * \param len maximum number of bytes to read 5062 * 5063 * \return The (positive) number of bytes read if successful. 5064 * \return \c 0 if the read end of the underlying transport was closed 5065 * without sending a CloseNotify beforehand, which might happen 5066 * because of various reasons (internal error of an underlying 5067 * stack, non-conformant peer not sending a CloseNotify and 5068 * such) - in this case you must stop using the context 5069 * (see below). 5070 * \return #MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY if the underlying 5071 * transport is still functional, but the peer has 5072 * acknowledged to not send anything anymore. 5073 * \return #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE 5074 * if the handshake is incomplete and waiting for data to 5075 * be available for reading from or writing to the underlying 5076 * transport - in this case you must call this function again 5077 * when the underlying transport is ready for the operation. 5078 * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous 5079 * operation is in progress (see 5080 * mbedtls_ssl_conf_async_private_cb()) - in this case you 5081 * must call this function again when the operation is ready. 5082 * \return #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic 5083 * operation is in progress (see mbedtls_ecp_set_max_ops()) - 5084 * in this case you must call this function again to complete 5085 * the handshake when you're done attending other tasks. 5086 * \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server 5087 * side of a DTLS connection and the client is initiating a 5088 * new connection using the same source port. See below. 5089 * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 5090 * NewSessionTicket message has been received. 5091 * This error code is only returned on the client side. It is 5092 * only returned if handling of TLS 1.3 NewSessionTicket 5093 * messages has been enabled through 5094 * mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). 5095 * This error code indicates that a TLS 1.3 NewSessionTicket 5096 * message has been received and parsed successfully by the 5097 * client. The ticket data can be retrieved from the SSL 5098 * context by calling mbedtls_ssl_get_session(). It remains 5099 * available until the next call to mbedtls_ssl_read(). 5100 * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as 5101 * defined in RFC 8446 (TLS 1.3 specification), has been 5102 * received as part of the handshake. This is server specific 5103 * and may occur only if the early data feature has been 5104 * enabled on server (see mbedtls_ssl_conf_early_data() 5105 * documentation). You must call mbedtls_ssl_read_early_data() 5106 * to read the early data before resuming the handshake. 5107 * \return Another SSL error code - in this case you must stop using 5108 * the context (see below). 5109 * 5110 * \warning If this function returns something other than 5111 * a positive value, 5112 * #MBEDTLS_ERR_SSL_WANT_READ, 5113 * #MBEDTLS_ERR_SSL_WANT_WRITE, 5114 * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, 5115 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, 5116 * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 5117 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or 5118 * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, 5119 * you must stop using the SSL context for reading or writing, 5120 * and either free it or call \c mbedtls_ssl_session_reset() 5121 * on it before re-using it for a new connection; the current 5122 * connection must be closed. 5123 * 5124 * \note When this function returns #MBEDTLS_ERR_SSL_CLIENT_RECONNECT 5125 * (which can only happen server-side), it means that a client 5126 * is initiating a new connection using the same source port. 5127 * You can either treat that as a connection close and wait 5128 * for the client to resend a ClientHello, or directly 5129 * continue with \c mbedtls_ssl_handshake() with the same 5130 * context (as it has been reset internally). Either way, you 5131 * must make sure this is seen by the application as a new 5132 * connection: application state, if any, should be reset, and 5133 * most importantly the identity of the client must be checked 5134 * again. WARNING: not validating the identity of the client 5135 * again, or not transmitting the new identity to the 5136 * application layer, would allow authentication bypass! 5137 * 5138 * \note Remarks regarding event-driven DTLS: 5139 * - If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram 5140 * from the underlying transport layer is currently being processed, 5141 * and it is safe to idle until the timer or the underlying transport 5142 * signal a new event. 5143 * - This function may return MBEDTLS_ERR_SSL_WANT_READ even if data was 5144 * initially available on the underlying transport, as this data may have 5145 * been only e.g. duplicated messages or a renegotiation request. 5146 * Therefore, you must be prepared to receive MBEDTLS_ERR_SSL_WANT_READ even 5147 * when reacting to an incoming-data event from the underlying transport. 5148 * - On success, the datagram of the underlying transport that is currently 5149 * being processed may contain further DTLS records. You should call 5150 * \c mbedtls_ssl_check_pending to check for remaining records. 5151 * 5152 */ 5153 int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); 5154 5155 /** 5156 * \brief Try to write exactly 'len' application data bytes 5157 * 5158 * \warning This function will do partial writes in some cases. If the 5159 * return value is non-negative but less than length, the 5160 * function must be called again with updated arguments: 5161 * buf + ret, len - ret (if ret is the return value) until 5162 * it returns a value equal to the last 'len' argument. 5163 * 5164 * \param ssl SSL context 5165 * \param buf buffer holding the data 5166 * \param len how many bytes must be written 5167 * 5168 * \return The (non-negative) number of bytes actually written if 5169 * successful (may be less than \p len). 5170 * \return #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE 5171 * if the handshake is incomplete and waiting for data to 5172 * be available for reading from or writing to the underlying 5173 * transport - in this case you must call this function again 5174 * when the underlying transport is ready for the operation. 5175 * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous 5176 * operation is in progress (see 5177 * mbedtls_ssl_conf_async_private_cb()) - in this case you 5178 * must call this function again when the operation is ready. 5179 * \return #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic 5180 * operation is in progress (see mbedtls_ecp_set_max_ops()) - 5181 * in this case you must call this function again to complete 5182 * the handshake when you're done attending other tasks. 5183 * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 5184 * NewSessionTicket message has been received. See the 5185 * documentation of mbedtls_ssl_read() for more information 5186 * about this error code. 5187 * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as 5188 * defined in RFC 8446 (TLS 1.3 specification), has been 5189 * received as part of the handshake. This is server specific 5190 * and may occur only if the early data feature has been 5191 * enabled on server (see mbedtls_ssl_conf_early_data() 5192 * documentation). You must call mbedtls_ssl_read_early_data() 5193 * to read the early data before resuming the handshake. 5194 * \return Another SSL error code - in this case you must stop using 5195 * the context (see below). 5196 * 5197 * \warning If this function returns something other than 5198 * a non-negative value, 5199 * #MBEDTLS_ERR_SSL_WANT_READ, 5200 * #MBEDTLS_ERR_SSL_WANT_WRITE, 5201 * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, 5202 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or 5203 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or 5204 * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, 5205 * you must stop using the SSL context for reading or writing, 5206 * and either free it or call \c mbedtls_ssl_session_reset() 5207 * on it before re-using it for a new connection; the current 5208 * connection must be closed. 5209 * 5210 * \note When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ, 5211 * it must be called later with the *same* arguments, 5212 * until it returns a value greater than or equal to 0. When 5213 * the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be 5214 * some partial data in the output buffer, however this is not 5215 * yet sent. 5216 * 5217 * \note If the requested length is greater than the maximum 5218 * fragment length (either the built-in limit or the one set 5219 * or negotiated with the peer), then: 5220 * - with TLS, less bytes than requested are written. 5221 * - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. 5222 * \c mbedtls_ssl_get_max_out_record_payload() may be used to 5223 * query the active maximum fragment length. 5224 * 5225 * \note Attempting to write 0 bytes will result in an empty TLS 5226 * application record being sent. 5227 */ 5228 int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len); 5229 5230 /** 5231 * \brief Send an alert message 5232 * 5233 * \param ssl SSL context 5234 * \param level The alert level of the message 5235 * (MBEDTLS_SSL_ALERT_LEVEL_WARNING or MBEDTLS_SSL_ALERT_LEVEL_FATAL) 5236 * \param message The alert message (SSL_ALERT_MSG_*) 5237 * 5238 * \return 0 if successful, or a specific SSL error code. 5239 * 5240 * \note If this function returns something other than 0 or 5241 * MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using 5242 * the SSL context for reading or writing, and either free it or 5243 * call \c mbedtls_ssl_session_reset() on it before re-using it 5244 * for a new connection; the current connection must be closed. 5245 */ 5246 int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl, 5247 unsigned char level, 5248 unsigned char message); 5249 /** 5250 * \brief Notify the peer that the connection is being closed 5251 * 5252 * \param ssl SSL context 5253 * 5254 * \return 0 if successful, or a specific SSL error code. 5255 * 5256 * \note If this function returns something other than 0 or 5257 * MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using 5258 * the SSL context for reading or writing, and either free it or 5259 * call \c mbedtls_ssl_session_reset() on it before re-using it 5260 * for a new connection; the current connection must be closed. 5261 */ 5262 int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); 5263 5264 #if defined(MBEDTLS_SSL_EARLY_DATA) 5265 5266 #if defined(MBEDTLS_SSL_SRV_C) 5267 /** 5268 * \brief Read at most 'len' bytes of early data 5269 * 5270 * \note This API is server specific. 5271 * 5272 * \warning Early data is defined in the TLS 1.3 specification, RFC 8446. 5273 * IMPORTANT NOTE from section 2.3 of the specification: 5274 * 5275 * The security properties for 0-RTT data are weaker than 5276 * those for other kinds of TLS data. Specifically: 5277 * - This data is not forward secret, as it is encrypted 5278 * solely under keys derived using the offered PSK. 5279 * - There are no guarantees of non-replay between connections. 5280 * Protection against replay for ordinary TLS 1.3 1-RTT data 5281 * is provided via the server's Random value, but 0-RTT data 5282 * does not depend on the ServerHello and therefore has 5283 * weaker guarantees. This is especially relevant if the 5284 * data is authenticated either with TLS client 5285 * authentication or inside the application protocol. The 5286 * same warnings apply to any use of the 5287 * early_exporter_master_secret. 5288 * 5289 * \warning Mbed TLS does not implement any of the anti-replay defenses 5290 * defined in section 8 of the TLS 1.3 specification: 5291 * single-use of tickets or ClientHello recording within a 5292 * given time window. 5293 * 5294 * \note This function is used in conjunction with 5295 * mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), 5296 * mbedtls_ssl_read() and mbedtls_ssl_write() to read early 5297 * data when these functions return 5298 * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA. 5299 * 5300 * \param ssl SSL context, it must have been initialized and set up. 5301 * \param buf buffer that will hold the data 5302 * \param len maximum number of bytes to read 5303 * 5304 * \return The (positive) number of bytes read if successful. 5305 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. 5306 * \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not 5307 * possible to read early data for the SSL context \p ssl. Note 5308 * that this function is intended to be called for an SSL 5309 * context \p ssl only after a call to mbedtls_ssl_handshake(), 5310 * mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or 5311 * mbedtls_ssl_write() for \p ssl that has returned 5312 * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA. 5313 */ 5314 int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, 5315 unsigned char *buf, size_t len); 5316 #endif /* MBEDTLS_SSL_SRV_C */ 5317 5318 #if defined(MBEDTLS_SSL_CLI_C) 5319 /** 5320 * \brief Try to write exactly 'len' application data bytes while 5321 * performing the handshake (early data). 5322 * 5323 * \warning Early data is defined in the TLS 1.3 specification, RFC 8446. 5324 * IMPORTANT NOTE from section 2.3 of the specification: 5325 * 5326 * The security properties for 0-RTT data are weaker than 5327 * those for other kinds of TLS data. Specifically: 5328 * - This data is not forward secret, as it is encrypted 5329 * solely under keys derived using the offered PSK. 5330 * - There are no guarantees of non-replay between connections. 5331 * Protection against replay for ordinary TLS 1.3 1-RTT data 5332 * is provided via the server's Random value, but 0-RTT data 5333 * does not depend on the ServerHello and therefore has 5334 * weaker guarantees. This is especially relevant if the 5335 * data is authenticated either with TLS client 5336 * authentication or inside the application protocol. The 5337 * same warnings apply to any use of the 5338 * early_exporter_master_secret. 5339 * 5340 * \note This function behaves mainly as mbedtls_ssl_write(). The 5341 * specification of mbedtls_ssl_write() relevant to TLS 1.3 5342 * (thus not the parts specific to (D)TLS1.2) applies to this 5343 * function and the present documentation is mainly restricted 5344 * to the differences with mbedtls_ssl_write(). One noticeable 5345 * difference though is that mbedtls_ssl_write() aims to 5346 * complete the handshake before to write application data 5347 * while mbedtls_ssl_write_early() aims to drive the handshake 5348 * just past the point where it is not possible to send early 5349 * data anymore. 5350 * 5351 * \param ssl SSL context 5352 * \param buf buffer holding the data 5353 * \param len how many bytes must be written 5354 * 5355 * \return The (non-negative) number of bytes actually written if 5356 * successful (may be less than \p len). 5357 * 5358 * \return One additional specific error code compared to 5359 * mbedtls_ssl_write(): 5360 * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA. 5361 * 5362 * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA is returned when it 5363 * is not possible to write early data for the SSL context 5364 * \p ssl. 5365 * 5366 * It may have been possible and it is not possible 5367 * anymore because the client received the server Finished 5368 * message, the server rejected early data or the maximum 5369 * number of allowed early data for the PSK in use has been 5370 * reached. 5371 * 5372 * It may never have been possible and will never be possible 5373 * for the SSL context \p ssl because the use of early data 5374 * is disabled for that context or more generally the context 5375 * is not suitably configured to enable early data or the first 5376 * call to the function was done while the handshake was 5377 * already completed. 5378 * 5379 * It is not possible to write early data for the SSL context 5380 * \p ssl and any subsequent call to this API will return this 5381 * error code. But this does not preclude for using it with 5382 * mbedtls_ssl_write(), mbedtls_ssl_read() or 5383 * mbedtls_ssl_handshake() and the handshake can be 5384 * completed by calling one of these APIs. 5385 * 5386 * \note This function may write early data only if the SSL context 5387 * has been configured for the handshake with a PSK for which 5388 * early data is allowed. 5389 * 5390 * \note To maximize the number of early data that can be written in 5391 * the course of the handshake, it is expected that this 5392 * function starts the handshake for the SSL context \p ssl. 5393 * But this is not mandatory. 5394 * 5395 * \note This function does not provide any information on whether 5396 * the server has accepted or will accept early data or not. 5397 * When it returns a positive value, it just means that it 5398 * has written early data to the server. To know whether the 5399 * server has accepted early data or not, you should call 5400 * mbedtls_ssl_get_early_data_status() with the handshake 5401 * completed. 5402 */ 5403 int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, 5404 const unsigned char *buf, size_t len); 5405 5406 /** 5407 * \brief Get the status of the negotiation of the use of early data. 5408 * 5409 * \param ssl The SSL context to query 5410 * 5411 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called 5412 * from the server-side. 5413 * 5414 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called 5415 * prior to completion of the handshake. 5416 * 5417 * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED if the client 5418 * has not indicated the use of early data to the server. 5419 * 5420 * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED if the client has 5421 * indicated the use of early data and the server has accepted 5422 * it. 5423 * 5424 * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED if the client has 5425 * indicated the use of early data but the server has rejected 5426 * it. In this situation, the client may want to re-send the 5427 * early data it may have tried to send by calling 5428 * mbedtls_ssl_write_early_data() as ordinary post-handshake 5429 * application data by calling mbedtls_ssl_write(). 5430 * 5431 */ 5432 int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl); 5433 #endif /* MBEDTLS_SSL_CLI_C */ 5434 5435 #endif /* MBEDTLS_SSL_EARLY_DATA */ 5436 5437 /** 5438 * \brief Free referenced items in an SSL context and clear memory 5439 * 5440 * \param ssl SSL context 5441 */ 5442 void mbedtls_ssl_free(mbedtls_ssl_context *ssl); 5443 5444 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 5445 /** 5446 * \brief Save an active connection as serialized data in a buffer. 5447 * This allows the freeing or re-using of the SSL context 5448 * while still picking up the connection later in a way that 5449 * it entirely transparent to the peer. 5450 * 5451 * \see mbedtls_ssl_context_load() 5452 * 5453 * \note The serialized data only contains the data that is 5454 * necessary to resume the connection: negotiated protocol 5455 * options, session identifier, keys, etc. 5456 * Loading a saved SSL context does not restore settings and 5457 * state related to how the application accesses the context, 5458 * such as configured callback functions, user data, pending 5459 * incoming or outgoing data, etc. 5460 * 5461 * \note This feature is currently only available under certain 5462 * conditions, see the documentation of the return value 5463 * #MBEDTLS_ERR_SSL_BAD_INPUT_DATA for details. 5464 * 5465 * \note When this function succeeds, it calls 5466 * mbedtls_ssl_session_reset() on \p ssl which as a result is 5467 * no longer associated with the connection that has been 5468 * serialized. This avoids creating copies of the connection 5469 * state. You're then free to either re-use the context 5470 * structure for a different connection, or call 5471 * mbedtls_ssl_free() on it. See the documentation of 5472 * mbedtls_ssl_session_reset() for more details. 5473 * 5474 * \param ssl The SSL context to save. On success, it is no longer 5475 * associated with the connection that has been serialized. 5476 * \param buf The buffer to write the serialized data to. It must be a 5477 * writeable buffer of at least \p buf_len bytes, or may be \c 5478 * NULL if \p buf_len is \c 0. 5479 * \param buf_len The number of bytes available for writing in \p buf. 5480 * \param olen The size in bytes of the data that has been or would have 5481 * been written. It must point to a valid \c size_t. 5482 * 5483 * \note \p olen is updated to the correct value regardless of 5484 * whether \p buf_len was large enough. This makes it possible 5485 * to determine the necessary size by calling this function 5486 * with \p buf set to \c NULL and \p buf_len to \c 0. However, 5487 * the value of \p olen is only guaranteed to be correct when 5488 * the function returns #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL or 5489 * \c 0. If the return value is different, then the value of 5490 * \p olen is undefined. 5491 * 5492 * \return \c 0 if successful. 5493 * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. 5494 * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed 5495 * while resetting the context. 5496 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a handshake is in 5497 * progress, or there is pending data for reading or sending, 5498 * or the connection does not use DTLS 1.2 with an AEAD 5499 * ciphersuite, or renegotiation is enabled. 5500 */ 5501 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, 5502 unsigned char *buf, 5503 size_t buf_len, 5504 size_t *olen); 5505 5506 /** 5507 * \brief Load serialized connection data to an SSL context. 5508 * 5509 * \see mbedtls_ssl_context_save() 5510 * 5511 * \warning The same serialized data must never be loaded into more 5512 * that one context. In order to ensure that, after 5513 * successfully loading serialized data to an SSL context, you 5514 * should immediately destroy or invalidate all copies of the 5515 * serialized data that was loaded. Loading the same data in 5516 * more than one context would cause severe security failures 5517 * including but not limited to loss of confidentiality. 5518 * 5519 * \note Before calling this function, the SSL context must be 5520 * prepared in one of the two following ways. The first way is 5521 * to take a context freshly initialised with 5522 * mbedtls_ssl_init() and call mbedtls_ssl_setup() on it with 5523 * the same ::mbedtls_ssl_config structure that was used in 5524 * the original connection. The second way is to 5525 * call mbedtls_ssl_session_reset() on a context that was 5526 * previously prepared as above but used in the meantime. 5527 * Either way, you must not use the context to perform a 5528 * handshake between calling mbedtls_ssl_setup() or 5529 * mbedtls_ssl_session_reset() and calling this function. You 5530 * may however call other setter functions in that time frame 5531 * as indicated in the note below. 5532 * 5533 * \note Before or after calling this function successfully, you 5534 * also need to configure some connection-specific callbacks 5535 * and settings before you can use the connection again 5536 * (unless they were already set before calling 5537 * mbedtls_ssl_session_reset() and the values are suitable for 5538 * the present connection). Specifically, you want to call 5539 * at least mbedtls_ssl_set_bio(), 5540 * mbedtls_ssl_set_timer_cb(), and 5541 * mbedtls_ssl_set_user_data_n() or 5542 * mbedtls_ssl_set_user_data_p() if they were set originally. 5543 * All other SSL setter functions 5544 * are not necessary to call, either because they're only used 5545 * in handshakes, or because the setting is already saved. You 5546 * might choose to call them anyway, for example in order to 5547 * share code between the cases of establishing a new 5548 * connection and the case of loading an already-established 5549 * connection. 5550 * 5551 * \note If you have new information about the path MTU, you want to 5552 * call mbedtls_ssl_set_mtu() after calling this function, as 5553 * otherwise this function would overwrite your 5554 * newly-configured value with the value that was active when 5555 * the context was saved. 5556 * 5557 * \note When this function returns an error code, it calls 5558 * mbedtls_ssl_free() on \p ssl. In this case, you need to 5559 * prepare the context with the usual sequence starting with a 5560 * call to mbedtls_ssl_init() if you want to use it again. 5561 * 5562 * \param ssl The SSL context structure to be populated. It must have 5563 * been prepared as described in the note above. 5564 * \param buf The buffer holding the serialized connection data. It must 5565 * be a readable buffer of at least \p len bytes. 5566 * \param len The size of the serialized data in bytes. 5567 * 5568 * \return \c 0 if successful. 5569 * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed. 5570 * \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data 5571 * comes from a different Mbed TLS version or build. 5572 * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. 5573 */ 5574 int mbedtls_ssl_context_load(mbedtls_ssl_context *ssl, 5575 const unsigned char *buf, 5576 size_t len); 5577 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 5578 5579 /** 5580 * \brief Initialize an SSL configuration context 5581 * Just makes the context ready for 5582 * mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free(). 5583 * 5584 * \note You need to call mbedtls_ssl_config_defaults() unless you 5585 * manually set all of the relevant fields yourself. 5586 * 5587 * \param conf SSL configuration context 5588 */ 5589 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf); 5590 5591 /** 5592 * \brief Load reasonable default SSL configuration values. 5593 * (You need to call mbedtls_ssl_config_init() first.) 5594 * 5595 * \param conf SSL configuration context 5596 * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER 5597 * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or 5598 * MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS 5599 * \param preset a MBEDTLS_SSL_PRESET_XXX value 5600 * 5601 * \note See \c mbedtls_ssl_conf_transport() for notes on DTLS. 5602 * 5603 * \return 0 if successful, or 5604 * MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error. 5605 */ 5606 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, 5607 int endpoint, int transport, int preset); 5608 5609 /** 5610 * \brief Free an SSL configuration context 5611 * 5612 * \param conf SSL configuration context 5613 */ 5614 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf); 5615 5616 /** 5617 * \brief Initialize SSL session structure 5618 * 5619 * \param session SSL session 5620 */ 5621 void mbedtls_ssl_session_init(mbedtls_ssl_session *session); 5622 5623 /** 5624 * \brief Free referenced items in an SSL session including the 5625 * peer certificate and clear memory 5626 * 5627 * \note A session object can be freed even if the SSL context 5628 * that was used to retrieve the session is still in use. 5629 * 5630 * \param session SSL session 5631 */ 5632 void mbedtls_ssl_session_free(mbedtls_ssl_session *session); 5633 5634 /** 5635 * \brief TLS-PRF function for key derivation. 5636 * 5637 * \param prf The tls_prf type function type to be used. 5638 * \param secret Secret for the key derivation function. 5639 * \param slen Length of the secret. 5640 * \param label String label for the key derivation function, 5641 * terminated with null character. 5642 * \param random Random bytes. 5643 * \param rlen Length of the random bytes buffer. 5644 * \param dstbuf The buffer holding the derived key. 5645 * \param dlen Length of the output buffer. 5646 * 5647 * \return 0 on success. An SSL specific error on failure. 5648 */ 5649 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, 5650 const unsigned char *secret, size_t slen, 5651 const char *label, 5652 const unsigned char *random, size_t rlen, 5653 unsigned char *dstbuf, size_t dlen); 5654 5655 #ifdef __cplusplus 5656 } 5657 #endif 5658 5659 #endif /* ssl.h */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.3.7 LXR engine. The LXR team |
|