1/*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7/*
8 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
12#include "common.h"
13
14#if defined(MBEDTLS_SSL_TLS_C)
15
16#include "mbedtls/platform.h"
17
18#include "mbedtls/ssl.h"
19#include "ssl_client.h"
20#include "ssl_debug_helpers.h"
21#include "ssl_misc.h"
22#include "ssl_tls13_keys.h"
23
24#include "debug_internal.h"
25#include "mbedtls/error.h"
26#include "mbedtls/platform_util.h"
27#include "mbedtls/version.h"
28#include "mbedtls/constant_time.h"
29
30#include <string.h>
31
32#if defined(MBEDTLS_USE_PSA_CRYPTO)
33#include "mbedtls/psa_util.h"
34#include "md_psa.h"
35#include "psa_util_internal.h"
36#include "psa/crypto.h"
37#endif
38
39#if defined(MBEDTLS_X509_CRT_PARSE_C)
40#include "mbedtls/oid.h"
41#endif
42
43#if defined(MBEDTLS_USE_PSA_CRYPTO)
44/* Define local translating functions to save code size by not using too many
45 * arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
    /* One-argument wrapper: the SSL-specific mapping table, its length and
     * the generic fallback are fixed here so call sites stay short. */
    const size_t n_entries = ARRAY_LENGTH(psa_to_ssl_errors);

    return psa_status_to_mbedtls(status,
                                 psa_to_ssl_errors, n_entries,
                                 psa_generic_status_to_mbedtls);
}
52#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
53#endif
54
55#if defined(MBEDTLS_TEST_HOOKS)
56static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
57
/* Record the (cur, end, need) triple that a later call to
 * mbedtls_ssl_cmp_chk_buf_ptr_fail_args() is compared against.
 * Test-hook only (MBEDTLS_TEST_HOOKS). */
void mbedtls_ssl_set_chk_buf_ptr_fail_args(
    const uint8_t *cur, const uint8_t *end, size_t need)
{
    mbedtls_ssl_chk_buf_ptr_args *recorded = &chk_buf_ptr_fail_args;

    recorded->need = need;
    recorded->end = end;
    recorded->cur = cur;
}
65
/* Clear the recorded failure arguments (all fields back to zero/NULL). */
void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
{
    mbedtls_ssl_chk_buf_ptr_args *recorded = &chk_buf_ptr_fail_args;

    memset(recorded, 0, sizeof *recorded);
}
70
/* Compare \p args with the recorded failure arguments.
 * Returns 0 when all three fields match, non-zero otherwise. */
int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
{
    const mbedtls_ssl_chk_buf_ptr_args *recorded = &chk_buf_ptr_fail_args;
    const int same = recorded->cur == args->cur &&
                     recorded->end == args->end &&
                     recorded->need == args->need;

    return !same;
}
77#endif /* MBEDTLS_TEST_HOOKS */
78
79#if defined(MBEDTLS_SSL_PROTO_DTLS)
80
81#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
82/* Top-level Connection ID API */
83
/* Configure the CID length this endpoint will use and the policy for
 * records carrying an unexpected CID.
 *
 * \param conf             Configuration to update.
 * \param len              Own CID length; at most MBEDTLS_SSL_CID_IN_LEN_MAX.
 * \param ignore_other_cid MBEDTLS_SSL_UNEXPECTED_CID_FAIL or
 *                         MBEDTLS_SSL_UNEXPECTED_CID_IGNORE.
 *
 * \return 0, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA if either argument is out
 *         of range (the configuration is then left untouched).
 */
int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
                         size_t len,
                         int ignore_other_cid)
{
    const int policy_known =
        ignore_other_cid == MBEDTLS_SSL_UNEXPECTED_CID_FAIL ||
        ignore_other_cid == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE;

    /* Validate everything before writing, so a rejected call has no
     * partial effect on conf. The length bound is what later makes the
     * memcpy into ssl->own_cid in mbedtls_ssl_set_cid() safe. */
    if (!policy_known || len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    conf->cid_len = len;
    conf->ignore_unexpected_cid = ignore_other_cid;
    return 0;
}
101
/* Enable or disable CID negotiation on a DTLS context and, when enabling,
 * install the CID this endpoint wants the peer to use.
 *
 * \param ssl         DTLS context (TLS transports are rejected).
 * \param enable      MBEDTLS_SSL_CID_DISABLED or MBEDTLS_SSL_CID_ENABLED.
 * \param own_cid     CID bytes to copy into the context.
 * \param own_cid_len Length of \p own_cid; must equal conf->cid_len.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA for a non-datagram
 *         transport or a length that does not match the configuration.
 */
int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
                        int enable,
                        unsigned char const *own_cid,
                        size_t own_cid_len)
{
    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* The negotiation flag is recorded before the length check, exactly
     * as before: a rejected length leaves negotiate_cid set. */
    ssl->negotiate_cid = enable;
    if (enable == MBEDTLS_SSL_CID_DISABLED) {
        MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
        return 0;
    }
    MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
    MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);

    /* The configured length bounds the copy into ssl->own_cid; it was
     * capped at MBEDTLS_SSL_CID_IN_LEN_MAX by mbedtls_ssl_conf_cid(). */
    const size_t expected_len = ssl->conf->cid_len;
    if (own_cid_len != expected_len) {
        MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
                                  (unsigned) own_cid_len,
                                  (unsigned) expected_len));
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    memcpy(ssl->own_cid, own_cid, expected_len);
    /* Narrowing is lossless: MBEDTLS_SSL_CID_IN_LEN_MAX is at most 255. */
    ssl->own_cid_len = (uint8_t) expected_len;

    return 0;
}
133
/* Report whether this endpoint uses a CID and, optionally, copy it out.
 *
 * \param ssl         DTLS context.
 * \param enabled     Set to MBEDTLS_SSL_CID_ENABLED/DISABLED; always written.
 * \param own_cid     Optional output buffer of MBEDTLS_SSL_CID_IN_LEN_MAX
 *                    bytes; only filled when \p own_cid_len is non-NULL too.
 * \param own_cid_len Optional output for the CID length.
 *
 * \return 0, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA on a non-datagram transport.
 */
int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
                            int *enabled,
                            unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
                            size_t *own_cid_len)
{
    /* Default answer first, so every early return leaves *enabled defined. */
    *enabled = MBEDTLS_SSL_CID_DISABLED;

    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* An empty CID is reported as "disabled": on the wire it cannot be told
     * apart from never having requested the extension. */
    const int in_use = ssl->negotiate_cid != MBEDTLS_SSL_CID_DISABLED &&
                       ssl->own_cid_len != 0;
    if (!in_use) {
        return 0;
    }

    if (own_cid_len != NULL) {
        const size_t len = ssl->own_cid_len;
        *own_cid_len = len;
        if (own_cid != NULL) {
            memcpy(own_cid, ssl->own_cid, len);
        }
    }

    *enabled = MBEDTLS_SSL_CID_ENABLED;
    return 0;
}
163
/* Report the CID the peer asked us to send (transform_in->out_cid) once the
 * handshake has completed.
 *
 * \param ssl          DTLS context with a finished handshake.
 * \param enabled      Set to MBEDTLS_SSL_CID_ENABLED/DISABLED; always written.
 * \param peer_cid     Optional output buffer of MBEDTLS_SSL_CID_OUT_LEN_MAX
 *                     bytes; only filled when \p peer_cid_len is non-NULL too.
 * \param peer_cid_len Optional output for the peer CID length.
 *
 * \return 0, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA on a non-datagram transport
 *         or while the handshake is still in progress.
 */
int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
                             int *enabled,
                             unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
                             size_t *peer_cid_len)
{
    *enabled = MBEDTLS_SSL_CID_DISABLED;

    const int is_dtls = ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM;
    if (!is_dtls || mbedtls_ssl_is_handshake_over(ssl) == 0) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    const mbedtls_ssl_transform *transform = ssl->transform_in;

    /* Both sides negotiated the extension but each chose the empty CID:
     * indistinguishable from not using CIDs, so report "disabled". */
    if (transform->in_cid_len == 0 && transform->out_cid_len == 0) {
        return 0;
    }

    if (peer_cid_len != NULL) {
        const size_t len = transform->out_cid_len;
        *peer_cid_len = len;
        if (peer_cid != NULL) {
            memcpy(peer_cid, transform->out_cid, len);
        }
    }

    *enabled = MBEDTLS_SSL_CID_ENABLED;
    return 0;
}
197#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
198
199#endif /* MBEDTLS_SSL_PROTO_DTLS */
200
201#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
202/*
203 * Convert max_fragment_length codes to length.
204 * RFC 6066 says:
205 * enum{
206 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
207 * } MaxFragmentLength;
208 * and we add 0 -> extension unused
209 */
static unsigned int ssl_mfl_code_to_length(int mfl)
{
    /* The four RFC 6066 codes map to 2^9..2^12; MBEDTLS_SSL_MAX_FRAG_LEN_NONE
     * and any unknown code both yield the default advertised length, so they
     * share the final return. */
    if (mfl == MBEDTLS_SSL_MAX_FRAG_LEN_512) {
        return 512;
    }
    if (mfl == MBEDTLS_SSL_MAX_FRAG_LEN_1024) {
        return 1024;
    }
    if (mfl == MBEDTLS_SSL_MAX_FRAG_LEN_2048) {
        return 2048;
    }
    if (mfl == MBEDTLS_SSL_MAX_FRAG_LEN_4096) {
        return 4096;
    }
    return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
}
227#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
228
/*
 * Deep-copy a session. The flat fields are copied with memcpy, then each
 * heap-owned member visible here (ticket, hostname, ticket_alpn, peer
 * certificate or its digest) is reset and re-allocated for dst, so dst and
 * src never share heap memory.
 *
 * \param dst  Destination; mbedtls_ssl_session_free() is called on it first,
 *             so it must be an initialised session.
 * \param src  Source session, not modified.
 *
 * \return 0 on success; MBEDTLS_ERR_SSL_ALLOC_FAILED if an allocation fails;
 *         otherwise the error from certificate parsing or from the
 *         ticket_alpn / hostname setters. On failure dst may be partially
 *         filled, but every owned pointer handled here is either NULL or a
 *         fresh allocation, so freeing dst again is safe.
 */
int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
                             const mbedtls_ssl_session *src)
{
    mbedtls_ssl_session_free(dst);
    memcpy(dst, src, sizeof(mbedtls_ssl_session));
    /* After the shallow copy dst aliases src's heap pointers; NULL them
     * before any early return so a failure cannot lead to a double free. */
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
    dst->ticket = NULL;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    dst->hostname = NULL;
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */

#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
    defined(MBEDTLS_SSL_EARLY_DATA)
    dst->ticket_alpn = NULL;
#endif

#if defined(MBEDTLS_X509_CRT_PARSE_C)

#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    /* Re-parse the DER so dst gets its own certificate object. */
    if (src->peer_cert != NULL) {
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

        dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
        if (dst->peer_cert == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }

        mbedtls_x509_crt_init(dst->peer_cert);

        if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
                                              src->peer_cert->raw.len)) != 0) {
            mbedtls_free(dst->peer_cert);
            dst->peer_cert = NULL;
            return ret;
        }
    }
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
    /* Only the digest is retained; duplicate the digest buffer. */
    if (src->peer_cert_digest != NULL) {
        dst->peer_cert_digest =
            mbedtls_calloc(1, src->peer_cert_digest_len);
        if (dst->peer_cert_digest == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }

        memcpy(dst->peer_cert_digest, src->peer_cert_digest,
               src->peer_cert_digest_len);
        dst->peer_cert_digest_type = src->peer_cert_digest_type;
        dst->peer_cert_digest_len = src->peer_cert_digest_len;
    }
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */

#endif /* MBEDTLS_X509_CRT_PARSE_C */

#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
    defined(MBEDTLS_SSL_EARLY_DATA)
    {
        int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
        if (ret != 0) {
            return ret;
        }
    }
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */

#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
    if (src->ticket != NULL) {
        dst->ticket = mbedtls_calloc(1, src->ticket_len);
        if (dst->ticket == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }

        memcpy(dst->ticket, src->ticket, src->ticket_len);
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    /* The hostname is only meaningful for client-side sessions. */
    if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
        ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
        if (ret != 0) {
            return ret;
        }
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
          MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */

    return 0;
}
319
320#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* Replace *buffer (currently *len_old bytes) with a fresh allocation of
 * len_new bytes, preserving as much of the contents as fits.
 *
 * \param buffer  In/out: pointer to the buffer to replace.
 * \param len_new New size in bytes.
 * \param len_old In/out: current size; updated to len_new on success.
 *
 * \return 0, or MBEDTLS_ERR_SSL_ALLOC_FAILED (buffer and size unchanged).
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
{
    unsigned char *old = *buffer;
    const size_t old_len = *len_old;
    const size_t keep = old_len < len_new ? old_len : len_new;

    unsigned char *fresh = mbedtls_calloc(1, len_new);
    if (fresh == NULL) {
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
    }

    /* Copy whatever fits: the whole old buffer when growing, the first
     * len_new bytes when shrinking. Checking that nothing still needed is
     * cut off is the caller's job. */
    memcpy(fresh, old, keep);
    /* The old record buffer is wiped, not just freed, on its way out. */
    mbedtls_zeroize_and_free(old, old_len);

    *buffer = fresh;
    *len_old = len_new;
    return 0;
}
342
/*
 * Grow or shrink the record I/O buffers (MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH).
 *
 * \param ssl             Context whose in_buf / out_buf may be resized.
 * \param downsizing      Non-zero to shrink: a buffer is only shrunk when it
 *                        is larger than the target and the pending byte count
 *                        (in_left / out_left) is below the target. Zero to
 *                        grow: a buffer is only grown when smaller than target.
 * \param in_buf_new_len  Target size of the input buffer.
 * \param out_buf_new_len Target size of the output buffer.
 *
 * No return value: an allocation failure is logged and that buffer keeps its
 * old size. The offsets of the derived pointers (in_msg/in_iv/in_len/in_hdr,
 * out_msg/out_iv/out_len) are captured before any reallocation and replayed
 * afterwards so they follow the moved buffer.
 */
static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
                                   size_t in_buf_new_len,
                                   size_t out_buf_new_len)
{
    int modified = 0;
    /* Offsets relative to the buffer base; 0 when that buffer is NULL. */
    size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
    size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
    if (ssl->in_buf != NULL) {
        written_in = ssl->in_msg - ssl->in_buf;
        iv_offset_in = ssl->in_iv - ssl->in_buf;
        len_offset_in = ssl->in_len - ssl->in_buf;
        hdr_in = ssl->in_hdr - ssl->in_buf;
        /* Shrink only while the unread input (in_left) still fits. */
        if (downsizing ?
            ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
            ssl->in_buf_len < in_buf_new_len) {
            if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
                MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
            } else {
                MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
                                          in_buf_new_len));
                modified = 1;
            }
        }
    }

    if (ssl->out_buf != NULL) {
        written_out = ssl->out_msg - ssl->out_buf;
        iv_offset_out = ssl->out_iv - ssl->out_buf;
        len_offset_out = ssl->out_len - ssl->out_buf;
        /* Shrink only while the unsent output (out_left) still fits. */
        if (downsizing ?
            ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
            ssl->out_buf_len < out_buf_new_len) {
            if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
                MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
            } else {
                MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
                                          out_buf_new_len));
                modified = 1;
            }
        }
    }
    if (modified) {
        /* Update pointers here to avoid doing it twice. Both directions are
         * rebased even if only one buffer moved; for the unmoved one this
         * recomputes the same addresses. */
        ssl->in_hdr = ssl->in_buf + hdr_in;
        mbedtls_ssl_update_in_pointers(ssl);
        mbedtls_ssl_reset_out_pointers(ssl);

        /* Fields below might not be properly updated with record
         * splitting or with CID, so they are manually updated here. */
        ssl->out_msg = ssl->out_buf + written_out;
        ssl->out_len = ssl->out_buf + len_offset_out;
        ssl->out_iv = ssl->out_buf + iv_offset_out;

        ssl->in_msg = ssl->in_buf + written_in;
        ssl->in_len = ssl->in_buf + len_offset_in;
        ssl->in_iv = ssl->in_buf + iv_offset_in;
    }
}
401#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
402
403#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
404
405#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
406typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
407 const char *label,
408 const unsigned char *random, size_t rlen,
409 unsigned char *dstbuf, size_t dlen);
410
411static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
412
413#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
414
415/* Type for the TLS PRF */
416typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
417 const unsigned char *, size_t,
418 unsigned char *, size_t);
419
420MBEDTLS_CHECK_RETURN_CRITICAL
421static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
422 int ciphersuite,
423 const unsigned char master[48],
424#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
425 int encrypt_then_mac,
426#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
427 ssl_tls_prf_t tls_prf,
428 const unsigned char randbytes[64],
429 mbedtls_ssl_protocol_version tls_version,
430 unsigned endpoint,
431 const mbedtls_ssl_context *ssl);
432
433#if defined(MBEDTLS_MD_CAN_SHA256)
434MBEDTLS_CHECK_RETURN_CRITICAL
435static int tls_prf_sha256(const unsigned char *secret, size_t slen,
436 const char *label,
437 const unsigned char *random, size_t rlen,
438 unsigned char *dstbuf, size_t dlen);
439static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
440static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
441
442#endif /* MBEDTLS_MD_CAN_SHA256*/
443
444#if defined(MBEDTLS_MD_CAN_SHA384)
445MBEDTLS_CHECK_RETURN_CRITICAL
446static int tls_prf_sha384(const unsigned char *secret, size_t slen,
447 const char *label,
448 const unsigned char *random, size_t rlen,
449 unsigned char *dstbuf, size_t dlen);
450
451static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
452static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
453#endif /* MBEDTLS_MD_CAN_SHA384*/
454
455MBEDTLS_CHECK_RETURN_CRITICAL
456static int ssl_tls12_session_load(mbedtls_ssl_session *session,
457 const unsigned char *buf,
458 size_t len);
459#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
460
461static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
462
463#if defined(MBEDTLS_MD_CAN_SHA256)
464static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
465#endif /* MBEDTLS_MD_CAN_SHA256*/
466
467#if defined(MBEDTLS_MD_CAN_SHA384)
468static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
469#endif /* MBEDTLS_MD_CAN_SHA384*/
470
/* Run the TLS 1.2 PRF selected by \p prf over (secret, label, random).
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE when the
 *         requested PRF is not compiled in, otherwise the PRF's own error.
 */
int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
                        const unsigned char *secret, size_t slen,
                        const char *label,
                        const unsigned char *random, size_t rlen,
                        unsigned char *dstbuf, size_t dlen)
{
    mbedtls_ssl_tls_prf_cb *selected = NULL;
    ((void) prf);

    /* Resolve the callback; a PRF that is not built in is reported as
     * unavailable rather than silently replaced by another hash. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_MD_CAN_SHA384)
    if (prf == MBEDTLS_SSL_TLS_PRF_SHA384) {
        selected = tls_prf_sha384;
    }
#endif /* MBEDTLS_MD_CAN_SHA384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
    if (prf == MBEDTLS_SSL_TLS_PRF_SHA256) {
        selected = tls_prf_sha256;
    }
#endif /* MBEDTLS_MD_CAN_SHA256 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

    if (selected == NULL) {
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }

    return selected(secret, slen, label, random, rlen, dstbuf, dlen);
}
498
499#if defined(MBEDTLS_X509_CRT_PARSE_C)
/* Release whatever the session keeps of the peer certificate: the parsed
 * certificate itself, or only its digest when the full certificate is not
 * retained. Leaves the fields in their "nothing stored" state. */
static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
{
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    mbedtls_x509_crt *crt = session->peer_cert;
    if (crt == NULL) {
        return;
    }
    mbedtls_x509_crt_free(crt);
    mbedtls_free(crt);
    session->peer_cert = NULL;
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
    unsigned char *digest = session->peer_cert_digest;
    if (digest == NULL) {
        return;
    }
    /* Zeroization is not necessary. */
    mbedtls_free(digest);
    session->peer_cert_digest = NULL;
    session->peer_cert_digest_len = 0;
    session->peer_cert_digest_type = MBEDTLS_MD_NONE;
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
}
518#endif /* MBEDTLS_X509_CRT_PARSE_C */
519
/* Map a wire ExtensionType value to the library's compact
 * MBEDTLS_SSL_EXT_ID_* index. Unknown types map to
 * MBEDTLS_SSL_EXT_ID_UNRECOGNIZED. */
uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
{
    static const struct {
        unsigned int type;
        uint32_t id;
    } ext_id_map[] = {
        { MBEDTLS_TLS_EXT_SERVERNAME,             MBEDTLS_SSL_EXT_ID_SERVERNAME },
        { MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,    MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH },
        { MBEDTLS_TLS_EXT_STATUS_REQUEST,         MBEDTLS_SSL_EXT_ID_STATUS_REQUEST },
        { MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,       MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS },
        { MBEDTLS_TLS_EXT_SIG_ALG,                MBEDTLS_SSL_EXT_ID_SIG_ALG },
        { MBEDTLS_TLS_EXT_USE_SRTP,               MBEDTLS_SSL_EXT_ID_USE_SRTP },
        { MBEDTLS_TLS_EXT_HEARTBEAT,              MBEDTLS_SSL_EXT_ID_HEARTBEAT },
        { MBEDTLS_TLS_EXT_ALPN,                   MBEDTLS_SSL_EXT_ID_ALPN },
        { MBEDTLS_TLS_EXT_SCT,                    MBEDTLS_SSL_EXT_ID_SCT },
        { MBEDTLS_TLS_EXT_CLI_CERT_TYPE,          MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE },
        { MBEDTLS_TLS_EXT_SERV_CERT_TYPE,         MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE },
        { MBEDTLS_TLS_EXT_PADDING,                MBEDTLS_SSL_EXT_ID_PADDING },
        { MBEDTLS_TLS_EXT_PRE_SHARED_KEY,         MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY },
        { MBEDTLS_TLS_EXT_EARLY_DATA,             MBEDTLS_SSL_EXT_ID_EARLY_DATA },
        { MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,     MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS },
        { MBEDTLS_TLS_EXT_COOKIE,                 MBEDTLS_SSL_EXT_ID_COOKIE },
        { MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES },
        { MBEDTLS_TLS_EXT_CERT_AUTH,              MBEDTLS_SSL_EXT_ID_CERT_AUTH },
        { MBEDTLS_TLS_EXT_OID_FILTERS,            MBEDTLS_SSL_EXT_ID_OID_FILTERS },
        { MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,    MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH },
        { MBEDTLS_TLS_EXT_SIG_ALG_CERT,           MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT },
        { MBEDTLS_TLS_EXT_KEY_SHARE,              MBEDTLS_SSL_EXT_ID_KEY_SHARE },
        { MBEDTLS_TLS_EXT_TRUNCATED_HMAC,         MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC },
        { MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS },
        { MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,       MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC },
        { MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET },
        { MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT,      MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT },
        { MBEDTLS_TLS_EXT_SESSION_TICKET,         MBEDTLS_SSL_EXT_ID_SESSION_TICKET },
    };

    /* Linear scan over a couple of dozen entries; this is only called on
     * extension parsing/printing paths, not per record. */
    for (size_t i = 0; i < sizeof(ext_id_map) / sizeof(ext_id_map[0]); i++) {
        if (ext_id_map[i].type == extension_type) {
            return ext_id_map[i].id;
        }
    }

    return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
}
611
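/*
 * Single-bit mask for one extension in an extensions_mask word (the form
 * consumed by mbedtls_ssl_print_extensions()).
 *
 * \param extension_type  Wire ExtensionType value.
 * \return 1 << id, where id is the MBEDTLS_SSL_EXT_ID_* index; for an
 *         unknown type this is the MBEDTLS_SSL_EXT_ID_UNRECOGNIZED bit.
 *
 * The shift is performed on a uint32_t so it stays in the return type's
 * domain. The previous `1 << id` shifted a signed int, which is undefined
 * behaviour should the ID set ever grow to 31; for all current IDs the two
 * forms give the same value.
 */
uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
{
    const uint32_t id = mbedtls_ssl_get_extension_id(extension_type);
    return (uint32_t) 1 << id;
}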
616
617#if defined(MBEDTLS_DEBUG_C)
/* Human-readable extension names, indexed by MBEDTLS_SSL_EXT_ID_*.
 * Must be kept in step with extension_type_table and with
 * mbedtls_ssl_get_extension_id(); designated initialisers mean any ID
 * without an entry would read as NULL. Debug builds only. */
static const char *extension_name_table[] = {
    [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
    [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
    [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
    [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
    [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
    [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
    [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
    [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
    [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
    [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
    [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
    [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
    [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
    [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
    [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
    [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
    [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
    [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
    [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
    [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
    [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
    [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
    [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
    [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
    [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
    [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
    [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
    [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
    [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
};
649
/* Reverse of mbedtls_ssl_get_extension_id(): wire ExtensionType value
 * indexed by MBEDTLS_SSL_EXT_ID_*. The UNRECOGNIZED slot holds 0xff, a
 * placeholder rather than a real extension type. Same ordering contract as
 * extension_name_table. Debug builds only. */
static const unsigned int extension_type_table[] = {
    [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
    [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
    [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
    [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
    [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
    [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
    [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
    [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
    [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
    [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
    [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
    [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
    [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
    [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
    [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
    [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
    [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
    [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
    [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
    [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
    [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
    [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
    [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
    [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
    [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
    [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
    [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
    [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
    [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
};
681
/* Debug name for a wire extension type ("unrecognized" for unknown ones). */
const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
{
    /* Unknown types resolve to MBEDTLS_SSL_EXT_ID_UNRECOGNIZED, which has
     * its own table entry, so the index is always within the table. */
    const uint32_t id = mbedtls_ssl_get_extension_id(extension_type);

    return extension_name_table[id];
}
687
/* Debug name for a handshake message type; "Unknown" for anything not
 * listed. */
const char *mbedtls_ssl_get_hs_msg_name(int hs_msg_type)
{
    static const struct {
        int type;
        const char *name;
    } hs_names[] = {
        { MBEDTLS_SSL_HS_CLIENT_HELLO,               "ClientHello" },
        { MBEDTLS_SSL_HS_SERVER_HELLO,               "ServerHello" },
        { MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST, "HelloRetryRequest" },
        { MBEDTLS_SSL_HS_NEW_SESSION_TICKET,         "NewSessionTicket" },
        { MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,       "EncryptedExtensions" },
        { MBEDTLS_SSL_HS_CERTIFICATE,                "Certificate" },
        { MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE,        "ServerKeyExchange" },
        { MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,        "CertificateRequest" },
        { MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,         "CertificateVerify" },
        { MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE,        "ClientKeyExchange" },
        { MBEDTLS_SSL_HS_FINISHED,                   "Finished" },
    };

    for (size_t i = 0; i < sizeof(hs_names) / sizeof(hs_names[0]); i++) {
        if (hs_names[i].type == hs_msg_type) {
            return hs_names[i].name;
        }
    }
    return "Unknown";
}
716
/* Emit one debug line describing an extension seen in a handshake message,
 * with zero, one or two free-form trailer strings (either of extra_msg0 /
 * extra_msg1 may be NULL; the format is chosen by how many are present). */
void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
                                 int level, const char *file, int line,
                                 int hs_msg_type, unsigned int extension_type,
                                 const char *extra_msg0, const char *extra_msg1)
{
    const char *hs_name = mbedtls_ssl_get_hs_msg_name(hs_msg_type);
    const char *ext_name = mbedtls_ssl_get_extension_name(extension_type);

    /* Both trailers present. */
    if (extra_msg0 != NULL && extra_msg1 != NULL) {
        mbedtls_debug_print_msg(ssl, level, file, line,
                                "%s: %s(%u) extension %s %s.",
                                hs_name, ext_name, extension_type,
                                extra_msg0, extra_msg1);
        return;
    }

    /* At most one trailer: take whichever is non-NULL, extra_msg0 first. */
    const char *single = (extra_msg0 != NULL) ? extra_msg0 : extra_msg1;
    if (single != NULL) {
        mbedtls_debug_print_msg(ssl, level, file, line,
                                "%s: %s(%u) extension %s.",
                                hs_name, ext_name, extension_type,
                                single);
        return;
    }

    mbedtls_debug_print_msg(ssl, level, file, line,
                            "%s: %s(%u) extension.",
                            hs_name, ext_name, extension_type);
}
749
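/*
 * Debug-print every known extension ID, stating whether its bit is set in
 * \p extensions_mask (bit i corresponds to MBEDTLS_SSL_EXT_ID_* value i,
 * the same layout mbedtls_ssl_get_extension_mask() produces).
 *
 * \param extensions_mask  Bit set of extension IDs seen in the message.
 * \param extra            Optional second trailer passed through to
 *                         mbedtls_ssl_print_extension() (may be NULL).
 *
 * The mask test shifts an unsigned 1 so the expression stays in uint32_t
 * arithmetic; `1 << i` on a signed int would be undefined for i == 31.
 */
void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
                                  int level, const char *file, int line,
                                  int hs_msg_type, uint32_t extensions_mask,
                                  const char *extra)
{
    /* extension_type_table is indexed by the same IDs as
     * extension_name_table, so either length bounds the loop. */
    for (unsigned i = 0; i < ARRAY_LENGTH(extension_name_table); i++) {
        const int present = (extensions_mask & ((uint32_t) 1 << i)) != 0;
        mbedtls_ssl_print_extension(
            ssl, level, file, line, hs_msg_type, extension_type_table[i],
            present ? "exists" : "does not exist", extra);
    }
}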
764
765#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
/* Names of the TLS 1.3 ticket flag bits, indexed by bit position. Bit 1 has
 * no entry here and so reads as NULL; callers iterating this table must
 * treat a NULL slot as "no name". */
static const char *ticket_flag_name_table[] =
{
    [0] = "ALLOW_PSK_RESUMPTION",
    [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
    [3] = "ALLOW_EARLY_DATA",
};
772
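/*
 * Debug-print the raw ticket flags word, then one line per flag bit that is
 * both set and named in ticket_flag_name_table.
 *
 * \param flags  Ticket flags; bits outside MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK
 *               are ignored for the per-bit listing.
 *
 * ticket_flag_name_table is sparse (slot 1 is unset, hence NULL). Whether
 * the mask can leave bit 1 set is not visible here, so the loop skips
 * unnamed slots rather than passing a NULL pointer to the %s conversion.
 */
void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
                                    int level, const char *file, int line,
                                    unsigned int flags)
{
    mbedtls_debug_print_msg(ssl, level, file, line,
                            "print ticket_flags (0x%02x)", flags);

    flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;

    for (size_t i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
        /* Unnamed bit position: nothing to print for it. */
        if (ticket_flag_name_table[i] == NULL) {
            continue;
        }
        if ((flags & (1u << i)) != 0) {
            mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
                                    ticket_flag_name_table[i]);
        }
    }
}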
791#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
792
793#endif /* MBEDTLS_DEBUG_C */
794
/*
 * Once the ciphersuite is known, narrow the handshake transcript hashing
 * from "update every available hash" (ssl_update_checksum_start) to just
 * the hash the suite's PRF/Finished computation needs.
 *
 * \param ssl              Context; ssl->handshake->update_checksum is set.
 * \param ciphersuite_info Negotiated suite; only its ->mac field is read.
 *
 * The `} else` fragments straddle #if blocks on purpose so that exactly one
 * branch body is compiled in for every combination of SHA-256/SHA-384
 * support; the trailing block is reached only if no branch matched.
 */
void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
                                   const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
{
    ((void) ciphersuite_info);

#if defined(MBEDTLS_MD_CAN_SHA384)
    if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
        ssl->handshake->update_checksum = ssl_update_checksum_sha384;
    } else
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
    /* Everything that is not SHA-384 uses the SHA-256 transcript. */
    if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
        ssl->handshake->update_checksum = ssl_update_checksum_sha256;
    } else
#endif
    {
        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
        return;
    }
}
815
/* Feed a synthetic 4-byte handshake header (1-byte type, 3-byte length,
 * most significant byte first) into the transcript hash. Used when the
 * header is not available contiguously with the body.
 *
 * \return the update_checksum callback's result (0 on success).
 */
int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
                                       unsigned hs_type,
                                       size_t total_hs_len)
{
    const unsigned char hs_hdr[4] = {
        MBEDTLS_BYTE_0(hs_type),
        MBEDTLS_BYTE_2(total_hs_len),
        MBEDTLS_BYTE_1(total_hs_len),
        MBEDTLS_BYTE_0(total_hs_len),
    };

    return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof hs_hdr);
}
830
/* Hash a complete handshake message: its reconstructed header, then the
 * body. Stops at the first failing update and returns that error. */
int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
                                       unsigned hs_type,
                                       unsigned char const *msg,
                                       size_t msg_len)
{
    const int hdr_ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
    if (hdr_ret != 0) {
        return hdr_ret;
    }

    return ssl->handshake->update_checksum(ssl, msg, msg_len);
}
843
/*
 * Restart the handshake transcript hashes from an empty state.
 *
 * Each compiled-in hash (SHA-256, SHA-384) is aborted/freed and set up
 * again; with MBEDTLS_USE_PSA_CRYPTO the PSA hash operations are used,
 * otherwise the mbedtls_md contexts.
 *
 * \return 0 on success, otherwise the first setup error (PSA statuses are
 *         translated via mbedtls_md_error_from_psa()).
 */
int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_MD_CAN_SHA256) || \
    defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status;
#else
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#endif
#else /* SHA-256 or SHA-384 */
    /* No hash compiled in: nothing to reset, silence the unused parameter. */
    ((void) ssl);
#endif /* SHA-256 or SHA-384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    /* Abort first: psa_hash_setup() requires an inactive operation. */
    status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
    if (status != PSA_SUCCESS) {
        return mbedtls_md_error_from_psa(status);
    }
    status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
    if (status != PSA_SUCCESS) {
        return mbedtls_md_error_from_psa(status);
    }
#else
    mbedtls_md_free(&ssl->handshake->fin_sha256);
    mbedtls_md_init(&ssl->handshake->fin_sha256);
    ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
                           mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
                           0);
    if (ret != 0) {
        return ret;
    }
    ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
    if (ret != 0) {
        return ret;
    }
#endif
#endif
#if defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
    if (status != PSA_SUCCESS) {
        return mbedtls_md_error_from_psa(status);
    }
    status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
    if (status != PSA_SUCCESS) {
        return mbedtls_md_error_from_psa(status);
    }
#else
    mbedtls_md_free(&ssl->handshake->fin_sha384);
    mbedtls_md_init(&ssl->handshake->fin_sha384);
    ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
                           mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
    if (ret != 0) {
        return ret;
    }
    ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
    if (ret != 0) {
        return ret;
    }
#endif
#endif
    return 0;
}
907
/*
 * Initial update_checksum callback, in use until the ciphersuite is known
 * (see mbedtls_ssl_optimize_checksum): feeds \p buf into every compiled-in
 * transcript hash, since it is not yet known which one will be needed.
 *
 * \return 0 on success, otherwise the first hash update error.
 */
static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
                                     const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_MD_CAN_SHA256) || \
    defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status;
#else
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#endif
#else /* SHA-256 or SHA-384 */
    /* No hash compiled in: nothing to update, silence unused parameters. */
    ((void) ssl);
    (void) buf;
    (void) len;
#endif /* SHA-256 or SHA-384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
    if (status != PSA_SUCCESS) {
        return mbedtls_md_error_from_psa(status);
    }
#else
    ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
    if (ret != 0) {
        return ret;
    }
#endif
#endif
#if defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
    if (status != PSA_SUCCESS) {
        return mbedtls_md_error_from_psa(status);
    }
#else
    ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
    if (ret != 0) {
        return ret;
    }
#endif
#endif
    return 0;
}
951
952#if defined(MBEDTLS_MD_CAN_SHA256)
/* update_checksum callback once a SHA-256 suite is selected: feed \p buf
 * into the SHA-256 transcript hash only. */
static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
                                      const unsigned char *buf, size_t len)
{
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
    return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
#else
    const psa_status_t status =
        psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
    return mbedtls_md_error_from_psa(status);
#endif
}
963#endif
964
965#if defined(MBEDTLS_MD_CAN_SHA384)
/*
 * Transcript-hash updater once SHA-384 has been selected.
 *
 * Mirror of ssl_update_checksum_sha256() for the SHA-384 running hash.
 */
static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
                                      const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status = psa_hash_update(&ssl->handshake->fin_sha384_psa,
                                          buf, len);
    return mbedtls_md_error_from_psa(status);
#else
    return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
#endif
}
976#endif
977
/*
 * Bring a freshly allocated handshake-parameter block into its initial state.
 *
 * Everything is zeroed first so fields not mentioned here still have a
 * defined value, then the sub-contexts that need an explicit init call
 * (hash operations, DHM/ECDH/EC-JPAKE contexts, restart context, peer key)
 * get one. No error can be reported: the init functions used here return void.
 */
static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
{
    memset(handshake, 0, sizeof(*handshake));

#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    /* "Unset" rather than a concrete mode, presumably so a per-handshake
     * authmode chosen by the SNI callback can be distinguished from the
     * config default later on. */
    handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
#endif

    /* Transcript hashes. Until the ciphersuite is known both SHA-256 and
     * SHA-384 are maintained, which is what the "start" updater does. */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    handshake->fin_sha256_psa = psa_hash_operation_init();
#else
    mbedtls_md_init(&handshake->fin_sha256);
#endif
#endif
#if defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    handshake->fin_sha384_psa = psa_hash_operation_init();
#else
    mbedtls_md_init(&handshake->fin_sha384);
#endif
#endif
    handshake->update_checksum = ssl_update_checksum_start;

    /* Key-exchange contexts. */
#if defined(MBEDTLS_DHM_C)
    mbedtls_dhm_init(&handshake->dhm_ctx);
#endif
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
    defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
    mbedtls_ecdh_init(&handshake->ecdh_ctx);
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    /* A null key id marks "no password imported yet" for the cleanup path. */
    handshake->psa_pake_ctx = psa_pake_operation_init();
    handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
#else
    mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CLI_C)
    handshake->ecjpake_cache = NULL;
    handshake->ecjpake_cache_len = 0;
#endif
#endif

#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
    mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
#endif

#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    /* Without the full peer certificate only its public key is retained. */
    mbedtls_pk_init(&handshake->peer_pubkey);
#endif
}
1032
/*
 * Initialize a record-protection transform to the "no keys set" state.
 *
 * With PSA the cipher/MAC material is referenced by key ids, so the
 * initial value is the null id; otherwise the cipher and (for MAC-based
 * suites) md contexts are initialized in place. Zeroing first covers
 * every other field.
 */
void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
{
    memset(transform, 0, sizeof(*transform));

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
    transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
    transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
    transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
#endif
#else /* MBEDTLS_USE_PSA_CRYPTO */
    mbedtls_cipher_init(&transform->cipher_ctx_enc);
    mbedtls_cipher_init(&transform->cipher_ctx_dec);
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
    mbedtls_md_init(&transform->md_ctx_enc);
    mbedtls_md_init(&transform->md_ctx_dec);
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
1055
/*
 * Initialize a session structure.
 *
 * All fields are zeroed except verify_result, which is set to all-ones as
 * the "no verification result available" marker so a caller cannot mistake
 * an untouched session for one whose certificate chain verified cleanly (0).
 */
void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
{
    memset(session, 0, sizeof(*session));
    session->verify_result = UINT32_MAX;
}
1062
/*
 * (Re)create the per-handshake state of an SSL context.
 *
 * Any previous handshake/session/transform under negotiation is released,
 * the three sub-contexts are (re)allocated and initialized, the transcript
 * hashes are reset, DTLS retransmission state is primed, and the deprecated
 * curve_list / sig_hashes configuration is translated into the IANA
 * identifiers the handshake code consumes.
 *
 * Returns 0 on success; MBEDTLS_ERR_SSL_ALLOC_FAILED if a sub-context
 * could not be allocated; MBEDTLS_ERR_SSL_BAD_CONFIG if a configured curve
 * or signature hash has no TLS identifier or the resulting list is out of
 * bounds; or the error from mbedtls_ssl_reset_checksum().
 *
 * NOTE(review): on the BAD_CONFIG / late ALLOC_FAILED exits the already
 * allocated sub-contexts are left attached to ssl — presumably released by
 * mbedtls_ssl_free(); confirm, that path is outside this view.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_handshake_init(mbedtls_ssl_context *ssl)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    /* Clear old handshake information if present. The *_free() calls
     * release the contents but keep the containers so they can be reused. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if (ssl->transform_negotiate) {
        mbedtls_ssl_transform_free(ssl->transform_negotiate);
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
    if (ssl->session_negotiate) {
        mbedtls_ssl_session_free(ssl->session_negotiate);
    }
    if (ssl->handshake) {
        mbedtls_ssl_handshake_free(ssl);
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    /*
     * Either the pointers are now NULL or cleared properly and can be freed.
     * Now allocate missing structures.
     */
    if (ssl->transform_negotiate == NULL) {
        ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

    if (ssl->session_negotiate == NULL) {
        ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
    }

    if (ssl->handshake == NULL) {
        ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
    }
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    /* If the buffers are too small - reallocate. Done before the allocation
     * check below; handle_buffer_resizing() is defined elsewhere in the file. */

    handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
                           MBEDTLS_SSL_OUT_BUFFER_LEN);
#endif

    /* All pointers should exist and can be directly freed without issue.
     * On partial failure everything is released so the context is left in
     * a consistent "no handshake" state (all three pointers NULL). */
    if (ssl->handshake == NULL ||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        ssl->transform_negotiate == NULL ||
#endif
        ssl->session_negotiate == NULL) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));

        mbedtls_free(ssl->handshake);
        ssl->handshake = NULL;

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        mbedtls_free(ssl->transform_negotiate);
        ssl->transform_negotiate = NULL;
#endif

        mbedtls_free(ssl->session_negotiate);
        ssl->session_negotiate = NULL;

        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
    }

#if defined(MBEDTLS_SSL_EARLY_DATA)
    /* Early-data (0-RTT) bookkeeping starts from "nothing sent/received". */
#if defined(MBEDTLS_SSL_CLI_C)
    ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
#endif
#if defined(MBEDTLS_SSL_SRV_C)
    ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
#endif
    ssl->total_early_data_size = 0;
#endif /* MBEDTLS_SSL_EARLY_DATA */

    /* Initialize structures */
    mbedtls_ssl_session_init(ssl->session_negotiate);
    ssl_handshake_params_init(ssl->handshake);

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    mbedtls_ssl_transform_init(ssl->transform_negotiate);
#endif

    /* Setup handshake checksums */
    ret = mbedtls_ssl_reset_checksum(ssl);
    if (ret != 0) {
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
        return ret;
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
    defined(MBEDTLS_SSL_SRV_C) && \
    defined(MBEDTLS_SSL_SESSION_TICKETS)
    /* Per-handshake budget of NewSessionTicket messages, from the config. */
    ssl->handshake->new_session_tickets_count =
        ssl->conf->new_session_tickets_count;
#endif

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
        /* Keep the current outgoing transform reachable for retransmissions
         * of the previous flight; the client speaks first, so it starts in
         * PREPARING while the server waits. */
        ssl->handshake->alt_transform_out = ssl->transform_out;

        if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
        } else {
            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
        }

        mbedtls_ssl_set_timer(ssl, 0);
    }
#endif

/*
 * curve_list is translated to IANA TLS group identifiers here because
 * mbedtls_ssl_conf_curves returns void and so can't return
 * any error codes.
 */
#if defined(MBEDTLS_ECP_C)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
    /* Heap allocate and translate curve_list from internal to IANA group ids */
    if (ssl->conf->curve_list != NULL) {
        size_t length;
        const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;

        /* Count entries up to the MBEDTLS_ECP_DP_NONE terminator. */
        for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
        }

        /* Leave room for zero termination */
        uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
        if (group_list == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }

        for (size_t i = 0; i < length; i++) {
            uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
                curve_list[i]);
            /* 0 means "no TLS identifier for this curve": reject the config
             * rather than silently dropping or mis-encoding the entry. */
            if (tls_id == 0) {
                mbedtls_free(group_list);
                return MBEDTLS_ERR_SSL_BAD_CONFIG;
            }
            group_list[i] = tls_id;
        }

        group_list[length] = 0;

        /* The heap flag tells the handshake free path to release it. */
        ssl->handshake->group_list = group_list;
        ssl->handshake->group_list_heap_allocated = 1;
    } else {
        ssl->handshake->group_list = ssl->conf->group_list;
        ssl->handshake->group_list_heap_allocated = 0;
    }
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_ECP_C */

#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    /* Heap allocate and translate sig_hashes from internal hash identifiers to
       signature algorithms IANA identifiers. Each hash yields one
       (hash, ECDSA) and/or one (hash, RSA) SignatureAndHashAlgorithm pair,
       depending on which signature algorithms are compiled in. Only applies
       to a TLS 1.2-only configuration. */
    if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
        ssl->conf->sig_hashes != NULL) {
        const int *md;
        const int *sig_hashes = ssl->conf->sig_hashes;
        size_t sig_algs_len = 0;
        uint16_t *p;

        /* Guarantees sig_algs_len + sizeof(uint16_t) below cannot wrap. */
        MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
                              <= (SIZE_MAX - (2 * sizeof(uint16_t))),
                              "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");

        /* First pass: size the list in bytes, skipping hashes with no TLS
         * code point, and bail out as soon as it would exceed the cap. */
        for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
            if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
                continue;
            }
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
            sig_algs_len += sizeof(uint16_t);
#endif

#if defined(MBEDTLS_RSA_C)
            sig_algs_len += sizeof(uint16_t);
#endif
            if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
                return MBEDTLS_ERR_SSL_BAD_CONFIG;
            }
        }

        /* An empty (or too short) list would leave nothing to offer. */
        if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
            return MBEDTLS_ERR_SSL_BAD_CONFIG;
        }

        /* One extra uint16_t for the MBEDTLS_TLS_SIG_NONE terminator. */
        ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
                                                  sizeof(uint16_t));
        if (ssl->handshake->sig_algs == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }

        /* Second pass: emit the pairs in the same order the first pass
         * counted them, so the byte budget computed above is exact. */
        p = (uint16_t *) ssl->handshake->sig_algs;
        for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
            unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
            if (hash == MBEDTLS_SSL_HASH_NONE) {
                continue;
            }
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
            *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
            p++;
#endif
#if defined(MBEDTLS_RSA_C)
            *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
            p++;
#endif
        }
        *p = MBEDTLS_TLS_SIG_NONE;
        ssl->handshake->sig_algs_heap_allocated = 1;
    } else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
    {
        /* Not heap-allocated here: the handshake uses the config's list. */
        ssl->handshake->sig_algs_heap_allocated = 0;
    }
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
    return 0;
}
1283
1284#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1285/* Dummy cookie callbacks for defaults */
/*
 * Default cookie writer used when the application has not registered one.
 *
 * It never writes a cookie: it returns MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
 * unconditionally, so a DTLS server built with HelloVerifyRequest support
 * but no real cookie callback fails loudly instead of emitting a request
 * without a verifiable cookie. All arguments are intentionally unused.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cookie_write_dummy(void *ctx,
                                  unsigned char **p, unsigned char *end,
                                  const unsigned char *cli_id, size_t cli_id_len)
{
    (void) ctx;
    (void) p;
    (void) end;
    (void) cli_id;
    (void) cli_id_len;

    return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
}
1299
/*
 * Default cookie checker used when the application has not registered one.
 *
 * Rejects every cookie by returning MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE,
 * i.e. it fails closed: no client can pass the HelloVerifyRequest exchange
 * until a real verifier is installed. All arguments are intentionally unused.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cookie_check_dummy(void *ctx,
                                  const unsigned char *cookie, size_t cookie_len,
                                  const unsigned char *cli_id, size_t cli_id_len)
{
    (void) ctx;
    (void) cookie;
    (void) cookie_len;
    (void) cli_id;
    (void) cli_id_len;

    return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
}
1313#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1314
1315/*
1316 * Initialize an SSL context
1317 */
/*
 * Put an SSL context into its initial, all-zero state.
 *
 * Nothing is allocated here; mbedtls_ssl_setup() does that. Zeroing makes
 * every pointer NULL so the later error paths can free unconditionally.
 */
void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
{
    memset(ssl, 0, sizeof(*ssl));
}
1322
/*
 * Validate the protocol-version selection in the configuration.
 *
 * Accepts a TLS 1.3-only, TLS 1.2-only or hybrid 1.2+1.3 configuration,
 * except that any configuration involving TLS 1.3 is rejected over a
 * datagram transport (DTLS 1.3 is not implemented). Anything else is
 * reported as MBEDTLS_ERR_SSL_BAD_CONFIG.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
{
    const mbedtls_ssl_config *conf = ssl->conf;

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if (mbedtls_ssl_conf_is_tls13_only(conf)) {
        if (conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
            MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
            return 0;
        }
        MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }
#endif

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    /* TLS 1.2 is fine over both stream and datagram transports. */
    if (mbedtls_ssl_conf_is_tls12_only(conf)) {
        MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
        return 0;
    }
#endif

#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
        if (conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
            MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
            return 0;
        }
        MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }
#endif

    /* Neither a pure nor a supported mixed version range. */
    MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
    return MBEDTLS_ERR_SSL_BAD_CONFIG;
}
1362
/*
 * Sanity-check a configuration before it is used by mbedtls_ssl_setup().
 *
 * Currently this validates the protocol-version selection and insists on
 * an RNG callback: without one no nonce, key share or session key could be
 * generated, so the absence is treated as a hard error
 * (MBEDTLS_ERR_SSL_NO_RNG) rather than something to discover mid-handshake.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_conf_check(const mbedtls_ssl_context *ssl)
{
    int ret = ssl_conf_version_check(ssl);

    if (ret != 0) {
        return ret;
    }

    if (ssl->conf->f_rng == NULL) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
        return MBEDTLS_ERR_SSL_NO_RNG;
    }

    /* Space for further checks */

    return 0;
}
1381
1382/*
1383 * Setup an SSL context
1384 */
1385
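/*
 * Set up an SSL context for use with the given configuration.
 *
 * Validates the configuration, allocates the record buffers, resets the
 * record-layer pointers and creates the initial handshake state.
 * The context must have been passed through mbedtls_ssl_init() first: the
 * error path frees whatever in_buf/out_buf hold.
 *
 * Returns 0 on success; an error from ssl_conf_check() (bad version mix,
 * no RNG), MBEDTLS_ERR_SSL_ALLOC_FAILED, or an error from
 * ssl_handshake_init(). On any failure ssl->conf is left NULL and the
 * record buffers/pointers are released and cleared, so the caller can tell
 * a usable context from a failed one and later calls will not use a
 * rejected configuration.
 */
int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
                      const mbedtls_ssl_config *conf)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;

    ssl->conf = conf;

    if ((ret = ssl_conf_check(ssl)) != 0) {
        /* Do not leave a rejected configuration attached to the context;
         * the error: path below clears ssl->conf as well, and e.g.
         * mbedtls_ssl_session_reset() dereferences it. Nothing has been
         * allocated yet, so no other cleanup is needed. */
        ssl->conf = NULL;
        return ret;
    }
    ssl->tls_version = ssl->conf->max_tls_version;

    /*
     * Prepare base structures
     */

    /* Set to NULL in case of an error condition */
    ssl->out_buf = NULL;

#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    ssl->in_buf_len = in_buf_len;
#endif
    ssl->in_buf = mbedtls_calloc(1, in_buf_len);
    if (ssl->in_buf == NULL) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
        goto error;
    }

#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    ssl->out_buf_len = out_buf_len;
#endif
    ssl->out_buf = mbedtls_calloc(1, out_buf_len);
    if (ssl->out_buf == NULL) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
        goto error;
    }

    /* Point the record-layer cursors (hdr/ctr/len/iv/msg) into the buffers. */
    mbedtls_ssl_reset_in_pointers(ssl);
    mbedtls_ssl_reset_out_pointers(ssl);

#if defined(MBEDTLS_SSL_DTLS_SRTP)
    memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
#endif

    if ((ret = ssl_handshake_init(ssl)) != 0) {
        goto error;
    }

    return 0;

error:
    /* Release the buffers and clear every pointer that referred to them. */
    mbedtls_free(ssl->in_buf);
    mbedtls_free(ssl->out_buf);

    ssl->conf = NULL;

#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    ssl->in_buf_len = 0;
    ssl->out_buf_len = 0;
#endif
    ssl->in_buf = NULL;
    ssl->out_buf = NULL;

    ssl->in_hdr = NULL;
    ssl->in_ctr = NULL;
    ssl->in_len = NULL;
    ssl->in_iv = NULL;
    ssl->in_msg = NULL;

    ssl->out_hdr = NULL;
    ssl->out_ctr = NULL;
    ssl->out_len = NULL;
    ssl->out_iv = NULL;
    ssl->out_msg = NULL;

    return ret;
}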
1467
1468/*
1469 * Reset an initialized and used SSL context for re-use while retaining
1470 * all application-set variables, function pointers and data.
1471 *
1472 * If partial is non-zero, keep data in the input buffer and client ID.
1473 * (Use when a DTLS client reconnects from the same port.)
1474 */
/*
 * Reset an initialized and used SSL context for re-use while retaining
 * all application-set variables, function pointers and data.
 *
 * If partial is non-zero, keep data in the input buffer and client ID.
 * (Use when a DTLS client reconnects from the same port.)
 *
 * This resets only the record/message layer: timers, parsing and writing
 * state, the I/O buffers, the outgoing record counter, DTLS replay state,
 * and every record-protection transform reachable from the context. The
 * transforms are freed here, so protected traffic cannot be sent or
 * received until a new handshake installs new ones.
 */
void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
                                         int partial)
{
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
    size_t in_buf_len = ssl->in_buf_len;
    size_t out_buf_len = ssl->out_buf_len;
#else
    size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif

    /* Partial reset only makes sense for a DTLS server with port reuse;
     * everywhere else it is forced to a full reset. */
#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
    partial = 0;
#endif

    /* Cancel any possibly running timer */
    mbedtls_ssl_set_timer(ssl, 0);

    mbedtls_ssl_reset_in_pointers(ssl);
    mbedtls_ssl_reset_out_pointers(ssl);

    /* Reset incoming message parsing */
    ssl->in_offt = NULL;
    ssl->nb_zero = 0;
    ssl->in_msgtype = 0;
    ssl->in_msglen = 0;
    ssl->in_hslen = 0;
    ssl->keep_current_message = 0;
    ssl->transform_in = NULL;

    /* TLS: reset in_hsfraglen, which is part of message parsing.
     * DTLS: on a client reconnect, don't reset badmac_seen.
     * (The two share one field; which meaning applies depends on the
     * transport, which is why the partial case must preserve it.) */
    if (!partial) {
        ssl->badmac_seen_or_in_hsfraglen = 0;
    }

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    ssl->next_record_offset = 0;
    ssl->in_epoch = 0;
#endif

    /* Keep current datagram if partial == 1 */
    if (partial == 0) {
        ssl->in_left = 0;
        memset(ssl->in_buf, 0, in_buf_len);
    }

    ssl->send_alert = 0;

    /* Reset outgoing message writing. The buffer wipes are plain memset();
     * the buffers stay referenced by ssl afterwards, so the compiler has no
     * grounds to drop them as dead stores. */
    ssl->out_msgtype = 0;
    ssl->out_msglen = 0;
    ssl->out_left = 0;
    memset(ssl->out_buf, 0, out_buf_len);
    memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
    ssl->transform_out = NULL;

#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
    mbedtls_ssl_dtls_replay_reset(ssl);
#endif

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if (ssl->transform) {
        mbedtls_ssl_transform_free(ssl->transform);
        mbedtls_free(ssl->transform);
        ssl->transform = NULL;
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    /* Unlike the TLS 1.2 branch above these calls are not NULL-guarded, so
     * mbedtls_ssl_transform_free() is presumably NULL-safe — confirm. */
    mbedtls_ssl_transform_free(ssl->transform_application);
    mbedtls_free(ssl->transform_application);
    ssl->transform_application = NULL;

    if (ssl->handshake != NULL) {
#if defined(MBEDTLS_SSL_EARLY_DATA)
        mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
        mbedtls_free(ssl->handshake->transform_earlydata);
        ssl->handshake->transform_earlydata = NULL;
#endif

        mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
        mbedtls_free(ssl->handshake->transform_handshake);
        ssl->handshake->transform_handshake = NULL;
    }

#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
}
1563
/*
 * Reset a used SSL context so a new handshake can start on it.
 *
 * Resets the state machine, the message layer (see
 * mbedtls_ssl_session_reset_msg_layer()), renegotiation bookkeeping, the
 * established session, the chosen ALPN protocol and (unless a partial
 * DTLS reset asks to keep it) the DTLS client identifier, then rebuilds the
 * handshake sub-contexts via ssl_handshake_init().
 *
 * partial is forwarded to the message-layer reset and, with
 * MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE, also controls whether cli_id survives.
 * Application-set callbacks and the configuration pointer are untouched.
 *
 * Returns 0 or the error from ssl_handshake_init().
 */
int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
{
    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
    /* Start again from the configured maximum; a previous handshake may
     * have settled on a lower version. */
    ssl->tls_version = ssl->conf->max_tls_version;

    mbedtls_ssl_session_reset_msg_layer(ssl, partial);

#if defined(MBEDTLS_SSL_RENEGOTIATION)
    /* Forget renegotiation history, including the stored verify_data
     * values (presumably the RFC 5746 renegotiation_info binding). */
    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
    ssl->renego_records_seen = 0;
    ssl->verify_data_len = 0;
    memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
    memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
#endif
    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;

    /* session_in/session_out may refer to ssl->session; clear them before
     * the session itself is released. */
    ssl->session_in = NULL;
    ssl->session_out = NULL;
    if (ssl->session != NULL) {
        mbedtls_ssl_session_free(ssl->session);
        mbedtls_free(ssl->session);
        ssl->session = NULL;
    }

#if defined(MBEDTLS_SSL_ALPN)
    ssl->alpn_chosen = NULL;
#endif

#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
    {
        /* The client id is kept only for a partial reset with port reuse
         * (same peer reconnecting from the same address/port). */
        int keep_cli_id = 0;
#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
        keep_cli_id = (partial != 0);
#endif
        if (!keep_cli_id) {
            mbedtls_free(ssl->cli_id);
            ssl->cli_id = NULL;
            ssl->cli_id_len = 0;
        }
    }
#endif

    return ssl_handshake_init(ssl);
}
1614
1615/*
1616 * Reset an initialized and used SSL context for re-use while retaining
1617 * all application-set variables, function pointers and data.
1618 */
/*
 * Public full reset of an SSL context for re-use.
 *
 * Equivalent to mbedtls_ssl_session_reset_int() with partial == 0: the
 * input buffer and any DTLS client id are discarded along with the rest
 * of the connection state; application callbacks and the config remain.
 */
int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
{
    const int full_reset = 0;
    return mbedtls_ssl_session_reset_int(ssl, full_reset);
}
1623
1624/*
1625 * SSL set accessors
1626 */
/*
 * Select whether this configuration acts as client or server
 * (MBEDTLS_SSL_IS_CLIENT / MBEDTLS_SSL_IS_SERVER). Stored as given; no
 * validation of the value happens here.
 */
void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
{
    conf->endpoint = endpoint;
}
1631
/*
 * Select the transport (stream for TLS, MBEDTLS_SSL_TRANSPORT_DATAGRAM for
 * DTLS). Stored as given; the version/transport combination is checked
 * later by ssl_conf_version_check() during mbedtls_ssl_setup().
 */
void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
{
    conf->transport = transport;
}
1636
1637#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
/*
 * Enable or disable DTLS record anti-replay protection.
 *
 * Disabling it lets an on-path attacker re-deliver old records; keep it
 * enabled unless the application layer has its own replay defence.
 */
void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
{
    conf->anti_replay = mode;
}
1642#endif
1643
/*
 * Set how many records with a bad MAC are tolerated on a DTLS connection
 * before it is torn down (presumably 0 disables the limit — confirm against
 * the record-layer code, which is outside this view). Acts as a DoS brake
 * against floods of forged records.
 */
void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
{
    conf->badmac_limit = limit;
}
1648
1649#if defined(MBEDTLS_SSL_PROTO_DTLS)
1650
/*
 * Allow (non-zero) or forbid (0) packing several DTLS records into one
 * datagram. The context stores the inverse, a "disabled" flag, normalized
 * to 0 or 1.
 */
void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
                                      unsigned allow_packing)
{
    ssl->disable_datagram_packing = (allow_packing == 0) ? 1 : 0;
}
1656
/*
 * Set the DTLS handshake retransmission timeout range in milliseconds.
 *
 * Values are stored as given; nothing here enforces min <= max, so the
 * caller is responsible for passing a sensible range.
 */
void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
                                        uint32_t min, uint32_t max)
{
    conf->hs_timeout_max = max;
    conf->hs_timeout_min = min;
}
1663#endif
1664
/*
 * Set the peer-certificate verification mode for the configuration.
 *
 * Security-relevant: a mode that skips or merely logs verification leaves
 * the connection open to impersonation; a per-handshake override exists
 * via mbedtls_ssl_set_hs_authmode() when SNI is enabled.
 */
void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
{
    conf->authmode = authmode;
}
1669
1670#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
 * Install a configuration-wide certificate verification callback.
 *
 * f_vrfy is invoked per certificate in the chain with the current verify
 * flags (uint32_t *) and may clear or add flags; p_vrfy is passed back
 * opaquely. A per-connection callback can be set with
 * mbedtls_ssl_set_verify(); which one wins is decided outside this view.
 */
void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
                             int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                             void *p_vrfy)
{
    conf->p_vrfy = p_vrfy;
    conf->f_vrfy = f_vrfy;
}
1678#endif /* MBEDTLS_X509_CRT_PARSE_C */
1679
/*
 * Install the random number generator used for all handshake randomness.
 *
 * Mandatory: ssl_conf_check() rejects a configuration whose f_rng is NULL
 * with MBEDTLS_ERR_SSL_NO_RNG. The quality of everything this stack
 * generates (nonces, ephemeral keys, IVs) rests on this callback, so it
 * must be a properly seeded CSPRNG.
 */
void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
                          int (*f_rng)(void *, unsigned char *, size_t),
                          void *p_rng)
{
    conf->p_rng = p_rng;
    conf->f_rng = f_rng;
}
1687
/*
 * Install the debug output callback (level, file, line, message).
 *
 * Verbose debug levels may include handshake internals in the log
 * stream, so in production route this only to a trusted sink, if at all.
 */
void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
                          void (*f_dbg)(void *, int, const char *, int, const char *),
                          void *p_dbg)
{
    conf->p_dbg = p_dbg;
    conf->f_dbg = f_dbg;
}
1695
/*
 * Install the transport callbacks for a connection.
 *
 * p_bio is handed back to each callback unchanged. f_recv_timeout may be
 * NULL when the application does not need timed reads; no validation of
 * the pointers happens here.
 */
void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
                         void *p_bio,
                         mbedtls_ssl_send_t *f_send,
                         mbedtls_ssl_recv_t *f_recv,
                         mbedtls_ssl_recv_timeout_t *f_recv_timeout)
{
    ssl->f_recv_timeout = f_recv_timeout;
    ssl->f_recv = f_recv;
    ssl->f_send = f_send;
    ssl->p_bio = p_bio;
}
1707
1708#if defined(MBEDTLS_SSL_PROTO_DTLS)
/*
 * Set the path MTU the DTLS layer should respect when sizing datagrams.
 * Stored as given; interpretation of 0 is up to the record layer.
 */
void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
{
    ssl->mtu = mtu;
}
1713#endif
1714
/*
 * Set the read timeout (milliseconds) applied to f_recv_timeout calls.
 * Stored as given; how 0 is interpreted is decided by the I/O code.
 */
void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
{
    conf->read_timeout = timeout;
}
1719
/*
 * Install the timer callbacks used for DTLS retransmission and read timeouts.
 *
 * Immediately cancels any timer through the new callbacks so the
 * connection never starts with a stale timer left armed by a previous
 * callback set.
 */
void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
                              void *p_timer,
                              mbedtls_ssl_set_timer_t *f_set_timer,
                              mbedtls_ssl_get_timer_t *f_get_timer)
{
    ssl->f_get_timer = f_get_timer;
    ssl->f_set_timer = f_set_timer;
    ssl->p_timer = p_timer;

    /* Make sure we start with no timer running */
    mbedtls_ssl_set_timer(ssl, 0);
}
1732
1733#if defined(MBEDTLS_SSL_SRV_C)
/*
 * Install the server-side session cache callbacks.
 *
 * p_cache is passed back to both callbacks. The cache holds resumable
 * session state (including secrets), so the backing store must be kept
 * as confidential as the private key.
 */
void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
                                    void *p_cache,
                                    mbedtls_ssl_cache_get_t *f_get_cache,
                                    mbedtls_ssl_cache_set_t *f_set_cache)
{
    conf->f_set_cache = f_set_cache;
    conf->f_get_cache = f_get_cache;
    conf->p_cache = p_cache;
}
1743#endif /* MBEDTLS_SSL_SRV_C */
1744
1745#if defined(MBEDTLS_SSL_CLI_C)
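/*
 * Ask a client to attempt resumption of a previously saved session.
 *
 * The session is copied into session_negotiate and the handshake is
 * flagged as a resumption attempt. Must be called before the handshake
 * starts, on a client context that has been set up.
 *
 * Returns:
 *  - MBEDTLS_ERR_SSL_BAD_INPUT_DATA if ssl, session, the config, the
 *    handshake or session_negotiate is missing, the endpoint is not a
 *    client, or a TLS 1.3 session names a ciphersuite this context cannot
 *    use for TLS 1.3;
 *  - MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if a resumption was already
 *    requested on this handshake;
 *  - 0 on success — and also, as a deliberate no-op, for a TLS 1.3 session
 *    when session tickets are compiled out. Callers that must know whether
 *    resumption is actually armed should check the negotiated result after
 *    the handshake rather than rely on this return value;
 *  - otherwise the error from mbedtls_ssl_session_copy().
 *
 * Fix: the original guarded session_negotiate but then dereferenced
 * ssl->handshake and ssl->conf unguarded. They are allocated together in
 * ssl_handshake_init(), but a failed mbedtls_ssl_setup() clears ssl->conf
 * while possibly leaving the sub-contexts behind, so check all of them.
 */
int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    if (ssl == NULL ||
        session == NULL ||
        ssl->conf == NULL ||
        ssl->handshake == NULL ||
        ssl->session_negotiate == NULL ||
        ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* Only one resumption request per handshake. */
    if (ssl->handshake->resume == 1) {
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
        /* A TLS 1.3 resumption reuses the ticket's ciphersuite; reject the
         * session up front if this context could not negotiate it. */
        const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
            mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);

        if (mbedtls_ssl_validate_ciphersuite(
                ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
                MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
            MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
                                      session->ciphersuite));
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }
#else
        /*
         * If session tickets are not enabled, it is not possible to resume a
         * TLS 1.3 session, thus do not make any change to the SSL context in
         * the first place.
         */
        return 0;
#endif
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

    if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
                                        session)) != 0) {
        return ret;
    }

    ssl->handshake->resume = 1;

    return 0;
}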
1794#endif /* MBEDTLS_SSL_CLI_C */
1795
/*
 * Set the list of allowed ciphersuites, in order of preference.
 *
 * Only the pointer is stored: the array must stay valid for the lifetime
 * of the configuration and is not validated here.
 */
void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
                                   const int *ciphersuites)
{
    conf->ciphersuite_list = ciphersuites;
}
1801
1802#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
 * Set the permitted TLS 1.3 key exchange modes (PSK / ephemeral / both).
 *
 * Bits outside MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL are masked off, so
 * an unknown flag can never enable an unexpected mode.
 */
void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
                                               const int kex_modes)
{
    const int known_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
    conf->tls13_kex_modes = known_modes;
}
1808
1809#if defined(MBEDTLS_SSL_EARLY_DATA)
/*
 * Enable or disable TLS 1.3 early data (0-RTT) for this configuration.
 *
 * Caveat for callers: by design 0-RTT data is not replay-protected by TLS
 * (RFC 8446 section 8), so enable it only for application data that is
 * idempotent or otherwise safe to replay.
 */
void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
                                 int early_data_enabled)
{
    conf->early_data_enabled = early_data_enabled;
}
1815
1816#if defined(MBEDTLS_SSL_SRV_C)
/*
 * Set the server's cap on early data accepted per connection, in bytes.
 *
 * Bounds how much replayable 0-RTT data a client can push; stored as given.
 */
void mbedtls_ssl_conf_max_early_data_size(
    mbedtls_ssl_config *conf, uint32_t max_early_data_size)
{
    conf->max_early_data_size = max_early_data_size;
}
1822#endif /* MBEDTLS_SSL_SRV_C */
1823
1824#endif /* MBEDTLS_SSL_EARLY_DATA */
1825#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1826
1827#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
 * Select the X.509 profile (allowed hashes, public-key types, minimum key
 * sizes) applied when verifying the peer's certificate chain. Only the
 * pointer is stored; the profile must outlive the configuration.
 */
void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
                                   const mbedtls_x509_crt_profile *profile)
{
    conf->cert_profile = profile;
}
1833
/*
 * Release a key/certificate list.
 *
 * Only the list nodes are freed; the certificate and key objects they
 * point to are caller-owned and left untouched. Accepts NULL.
 */
static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
{
    mbedtls_ssl_key_cert *node = key_cert;

    while (node != NULL) {
        mbedtls_ssl_key_cert *following = node->next;
        mbedtls_free(node);
        node = following;
    }
}
1844
1845/* Append a new keycert entry to a (possibly empty) list */
/*
 * Append a (certificate, key) pair to a possibly empty list.
 *
 * Passing cert == NULL is the "clear the list" operation: every node is
 * released and *head becomes NULL (key is ignored in that case). Otherwise
 * a new node referencing cert and key is linked at the tail. Nodes store
 * pointers only; ownership of cert and key stays with the caller and no
 * check that key matches cert (or is non-NULL) is performed here.
 *
 * Returns 0 or MBEDTLS_ERR_SSL_ALLOC_FAILED.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
                               mbedtls_x509_crt *cert,
                               mbedtls_pk_context *key)
{
    mbedtls_ssl_key_cert **tail;
    mbedtls_ssl_key_cert *entry;

    if (cert == NULL) {
        /* Free list if cert is null */
        ssl_key_cert_free(*head);
        *head = NULL;
        return 0;
    }

    entry = mbedtls_calloc(1, sizeof(*entry));
    if (entry == NULL) {
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
    }

    entry->cert = cert;
    entry->key = key;
    entry->next = NULL;

    /* Walk to the terminating link — the head slot itself when the list is
     * empty — and hang the new entry there. */
    for (tail = head; *tail != NULL; tail = &(*tail)->next) {
    }
    *tail = entry;

    return 0;
}
1882
/*
 * Add our own certificate chain and matching private key to the config.
 *
 * Several pairs may be registered (e.g. RSA and ECDSA) by calling this
 * repeatedly; own_cert == NULL discards all of them. Objects are
 * referenced, not copied, and must outlive the configuration.
 */
int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
                              mbedtls_x509_crt *own_cert,
                              mbedtls_pk_context *pk_key)
{
    mbedtls_ssl_key_cert **list = &conf->key_cert;
    return ssl_append_key_cert(list, own_cert, pk_key);
}
1889
/*
 * Set the trusted CA chain (and optional CRL) used to verify the peer.
 *
 * Mutually exclusive with mbedtls_ssl_conf_ca_cb(): installing a chain
 * drops any trusted-certificate callback so exactly one trust source is
 * active. The objects are referenced, not copied.
 */
void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
                               mbedtls_x509_crt *ca_chain,
                               mbedtls_x509_crl *ca_crl)
{
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
    /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
     * cannot be used together. */
    conf->p_ca_cb = NULL;
    conf->f_ca_cb = NULL;
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */

    conf->ca_crl = ca_crl;
    conf->ca_chain = ca_chain;
}
1904
1905#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
/*
 * Set a callback that supplies trusted CA certificates on demand.
 *
 * Mutually exclusive with mbedtls_ssl_conf_ca_chain(): installing the
 * callback clears any static chain and CRL so exactly one trust source is
 * active. Note that no CRL applies in callback mode.
 */
void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
                            mbedtls_x509_crt_ca_cb_t f_ca_cb,
                            void *p_ca_cb)
{
    /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
     * cannot be used together. */
    conf->ca_crl = NULL;
    conf->ca_chain = NULL;

    conf->p_ca_cb = p_ca_cb;
    conf->f_ca_cb = f_ca_cb;
}
1918#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1919#endif /* MBEDTLS_X509_CRT_PARSE_C */
1920
1921#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/*
 * Return the server name received in the ClientHello SNI extension.
 *
 * The result is a raw byte string of *name_len bytes owned by the
 * handshake; do not assume NUL termination and do not use it after the
 * handshake ends. Intended for use from within the SNI callback.
 */
const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
                                            size_t *name_len)
{
    const mbedtls_ssl_handshake_params *hs = ssl->handshake;

    *name_len = hs->sni_name_len;
    return hs->sni_name;
}
1928
/*
 * Per-handshake override of the server certificate/key, for SNI callbacks.
 *
 * Appends to the handshake's own list (separate from the config's);
 * own_cert == NULL clears that list. Referenced, not copied.
 */
int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
                                mbedtls_x509_crt *own_cert,
                                mbedtls_pk_context *pk_key)
{
    mbedtls_ssl_key_cert **list = &ssl->handshake->sni_key_cert;
    return ssl_append_key_cert(list, own_cert, pk_key);
}
1936
/*
 * Per-handshake override of the trusted CA chain and CRL, for SNI callbacks.
 * Referenced, not copied; must stay valid for the rest of the handshake.
 */
void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
                                 mbedtls_x509_crt *ca_chain,
                                 mbedtls_x509_crl *ca_crl)
{
    mbedtls_ssl_handshake_params *hs = ssl->handshake;

    hs->sni_ca_crl = ca_crl;
    hs->sni_ca_chain = ca_chain;
}
1944
1945#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
/*
 * Per-handshake list of acceptable CA distinguished names to advertise in
 * the CertificateRequest (taken from the given certificate chain).
 * Referenced, not copied.
 */
void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
                                 const mbedtls_x509_crt *crt)
{
    mbedtls_ssl_handshake_params *hs = ssl->handshake;
    hs->dn_hints = crt;
}
1951#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1952
/*
 * Per-handshake override of the client-authentication mode, for SNI
 * callbacks. The handshake starts at MBEDTLS_SSL_VERIFY_UNSET (see
 * ssl_handshake_params_init()); setting a mode here takes it out of that
 * state for this handshake only.
 */
void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
                                 int authmode)
{
    mbedtls_ssl_handshake_params *hs = ssl->handshake;
    hs->sni_authmode = authmode;
}
1958#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1959
1960#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
 * Install a per-connection certificate verification callback.
 *
 * Same signature and semantics as mbedtls_ssl_conf_verify(), but stored on
 * the context rather than the shared configuration; precedence between the
 * two is decided by the verification code outside this view.
 */
void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
                            int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                            void *p_vrfy)
{
    ssl->p_vrfy = p_vrfy;
    ssl->f_vrfy = f_vrfy;
}
1968#endif
1969
1970#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1971
1972#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Fixed J-PAKE participant identifiers. Deliberately plain byte arrays with
 * no NUL terminator: they are passed to PSA with sizeof() as the length, so
 * a string literal (7 bytes) would change the identity on the wire. */
static const uint8_t jpake_server_id[6] = { 's', 'e', 'r', 'v', 'e', 'r' };
static const uint8_t jpake_client_id[6] = { 'c', 'l', 'i', 'e', 'n', 't' };
1975
/*
 * Configure the handshake's PSA PAKE operation for EC J-PAKE over P-256
 * with SHA-256 and bind it to the password key pwd.
 *
 * The endpoint role fixes the user/peer identities: a server registers
 * "server" as itself and "client" as the peer, a client the reverse. Each
 * PSA step is attempted in order and the first failure status is returned
 * as is; on success psa_pake_ctx_is_ok is set so later handshake steps
 * know the operation is usable. The caller is responsible for aborting the
 * operation on failure.
 */
static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
    mbedtls_ssl_context *ssl,
    mbedtls_svc_key_id_t pwd)
{
    psa_pake_operation_t *op = &ssl->handshake->psa_pake_ctx;
    psa_pake_cipher_suite_t suite = psa_pake_cipher_suite_init();
    const int is_server = (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER);
    const uint8_t *user = is_server ? jpake_server_id : jpake_client_id;
    size_t user_len = is_server ? sizeof(jpake_server_id) : sizeof(jpake_client_id);
    const uint8_t *peer = is_server ? jpake_client_id : jpake_server_id;
    size_t peer_len = is_server ? sizeof(jpake_client_id) : sizeof(jpake_server_id);
    psa_status_t status;

    /* J-PAKE on secp256r1, hashed with SHA-256: the only suite offered here. */
    psa_pake_cs_set_algorithm(&suite, PSA_ALG_JPAKE);
    psa_pake_cs_set_primitive(&suite,
                              PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
                                                 PSA_ECC_FAMILY_SECP_R1,
                                                 256));
    psa_pake_cs_set_hash(&suite, PSA_ALG_SHA_256);

    if ((status = psa_pake_setup(op, &suite)) != PSA_SUCCESS ||
        (status = psa_pake_set_user(op, user, user_len)) != PSA_SUCCESS ||
        (status = psa_pake_set_peer(op, peer, peer_len)) != PSA_SUCCESS ||
        (status = psa_pake_set_password_key(op, pwd)) != PSA_SUCCESS) {
        return status;
    }

    ssl->handshake->psa_pake_ctx_is_ok = 1;

    return PSA_SUCCESS;
}
2029
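/*
 * Set the EC J-PAKE password for this handshake from a raw byte string.
 *
 * The password is imported into the PSA keystore as a PASSWORD key usable
 * only for J-PAKE derivation, and the handshake's PAKE operation is set up
 * with it. The imported key is owned by the handshake (its id is kept in
 * psa_pake_password for later cleanup).
 *
 * Returns MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the context has no handshake
 * or config, or the password is NULL/empty; MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
 * if any PSA step fails; 0 on success.
 *
 * Fix: on failure after import, the key is destroyed but the original left
 * its id in psa_pake_password. A stale id is a dangling handle — a later
 * cleanup pass (outside this view) would try to destroy an id that no
 * longer exists or may since have been reassigned. Reset it to the null id
 * right after destroying the key, matching the "not imported" state set by
 * ssl_handshake_params_init().
 *
 * NOTE(review): calling this twice on the same handshake is not handled —
 * the second import overwrites psa_pake_password without destroying the
 * first key, and psa_pake_setup() on the already-set-up operation is
 * presumably what makes the second call fail. Treat as call-once.
 */
int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
                                        const unsigned char *pw,
                                        size_t pw_len)
{
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
    psa_status_t status;

    if (ssl->handshake == NULL || ssl->conf == NULL) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* Empty password is not valid */
    if ((pw == NULL) || (pw_len == 0)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* Least-privilege key policy: DERIVE only, J-PAKE only. */
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
    psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
    psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);

    status = psa_import_key(&attributes, pw, pw_len,
                            &ssl->handshake->psa_pake_password);
    if (status != PSA_SUCCESS) {
        return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
    }

    status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
                                                        ssl->handshake->psa_pake_password);
    if (status != PSA_SUCCESS) {
        /* Undo the import and leave no stale key id or half-configured
         * PAKE operation behind. */
        psa_destroy_key(ssl->handshake->psa_pake_password);
        ssl->handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
        psa_pake_abort(&ssl->handshake->psa_pake_ctx);
        return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
    }

    return 0;
}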
2066
/**
 * Set the EC J-PAKE password for the current handshake from an existing
 * PSA key (PSA build).
 *
 * Unlike mbedtls_ssl_set_hs_ecjpake_password(), nothing is imported here:
 * \p pwd stays owned by the caller and is only referenced by the PAKE
 * operation.
 *
 * \param ssl  SSL context; must have a live handshake and a config.
 * \param pwd  Non-null PSA key identifier of the password.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on a missing
 *         handshake/config or a null key id, MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
 *         if the PAKE setup fails (the operation is aborted in that case).
 */
int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
                                               mbedtls_svc_key_id_t pwd)
{
    psa_status_t status;

    if (ssl->handshake == NULL ||
        ssl->conf == NULL ||
        mbedtls_svc_key_id_is_null(pwd)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
    if (status == PSA_SUCCESS) {
        return 0;
    }

    /* The caller's key is untouched; only our operation is torn down. */
    psa_pake_abort(&ssl->handshake->psa_pake_ctx);
    return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
}
2088#else /* MBEDTLS_USE_PSA_CRYPTO */
/**
 * Set the EC J-PAKE password for the current handshake (legacy, non-PSA
 * build).
 *
 * The role passed to the EC J-PAKE module follows the configured endpoint,
 * and the curve/hash are fixed to secp256r1 / SHA-256.
 *
 * \param ssl     SSL context; must have a live handshake and a config.
 * \param pw      Password bytes, must not be NULL.
 * \param pw_len  Password length, must not be 0.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on a missing
 *         handshake/config or an empty password, or the error returned by
 *         mbedtls_ecjpake_setup().
 */
int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
                                        const unsigned char *pw,
                                        size_t pw_len)
{
    mbedtls_ecjpake_role role;

    if (ssl->handshake == NULL || ssl->conf == NULL) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* An empty password is rejected up front. */
    if (pw == NULL || pw_len == 0) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    role = (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER)
           ? MBEDTLS_ECJPAKE_SERVER
           : MBEDTLS_ECJPAKE_CLIENT;

    return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx, role,
                                 MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
                                 pw, pw_len);
}
2116#endif /* MBEDTLS_USE_PSA_CRYPTO */
2117#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2118
2119#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
/**
 * Tell whether a static PSK is configured in \p conf.
 *
 * A PSK only counts if an identity is set as well. The key itself may be a
 * raw buffer (conf->psk) or, in PSA builds, an opaque key (conf->psk_opaque).
 *
 * \return 1 if both an identity and a key are present, 0 otherwise.
 */
int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
{
    const int has_identity = (conf->psk_identity != NULL &&
                              conf->psk_identity_len != 0);
    int has_key = (conf->psk != NULL && conf->psk_len != 0);

    /* A key without an identity is not usable, whatever form the key takes. */
    if (!has_identity) {
        return 0;
    }

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    /* An opaque key counts too. */
    if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
        has_key = 1;
    }
#endif /* MBEDTLS_USE_PSA_CRYPTO */

    return has_key;
}
2139
/* Drop every static PSK component held by \p conf: the identity, the raw key
 * (zeroized before release) and, in PSA builds, the reference to an opaque
 * key. Safe to call when nothing is set. */
static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
{
    /* Identity: plain free, it is not zeroized. */
    if (conf->psk_identity != NULL) {
        mbedtls_free(conf->psk_identity);
        conf->psk_identity = NULL;
        conf->psk_identity_len = 0;
    }

    /* Raw key material: wipe before releasing. */
    if (conf->psk != NULL) {
        mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
        conf->psk = NULL;
        conf->psk_len = 0;
    }

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    /* Opaque key: only the reference is dropped. The key slot belongs to the
     * application and is never destroyed here. */
    if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
        conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
    }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
2163
2164/* This function assumes that PSK identity in the SSL config is unset.
2165 * It checks that the provided identity is well-formed and attempts
2166 * to make a copy of it in the SSL config.
2167 * On failure, the PSK identity in the config remains unset. */
MBEDTLS_CHECK_RETURN_CRITICAL
/* Validate \p psk_identity and store a private copy of it in \p conf.
 *
 * Assumes conf->psk_identity is currently unset. On any failure the
 * identity in \p conf stays unset (the pointer is NULL).
 *
 * Returns 0, MBEDTLS_ERR_SSL_BAD_INPUT_DATA for a NULL/empty/over-long
 * identity, or MBEDTLS_ERR_SSL_ALLOC_FAILED. */
static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
                                     unsigned char const *psk_identity,
                                     size_t psk_identity_len)
{
    unsigned char *copy;

    if (psk_identity == NULL || psk_identity_len == 0) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* The identity is encoded with a two-byte length prefix, so it must fit
     * in 16 bits, and it must also fit in an outgoing record. */
    if (psk_identity_len > 0xFFFF ||
        psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    copy = mbedtls_calloc(1, psk_identity_len);
    conf->psk_identity = copy;
    if (copy == NULL) {
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
    }

    memcpy(copy, psk_identity, psk_identity_len);
    conf->psk_identity_len = psk_identity_len;

    return 0;
}
2191
/**
 * Configure a static raw PSK and its identity.
 *
 * \param conf              SSL configuration; must not already hold a PSK.
 * \param psk               Key bytes, non-NULL.
 * \param psk_len           Key length, 1..MBEDTLS_PSK_MAX_LEN.
 * \param psk_identity      Identity bytes, validated by
 *                          ssl_conf_set_psk_identity().
 * \param psk_identity_len  Identity length.
 *
 * \return 0 on success.
 * \return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if a PSK (raw or opaque) is
 *         already configured.
 * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the key or identity is invalid.
 * \return MBEDTLS_ERR_SSL_ALLOC_FAILED if a copy cannot be allocated.
 *         On any failure after the key was copied, the copy is zeroized
 *         and released again, so \p conf ends up with no PSK.
 */
int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
                         const unsigned char *psk, size_t psk_len,
                         const unsigned char *psk_identity, size_t psk_identity_len)
{
    int ret;

    /* Only one static PSK (raw or opaque) is supported at a time. */
    if (mbedtls_ssl_conf_has_static_psk(conf)) {
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }

    /* The raw key must be present, non-empty and within the size limit. */
    if (psk == NULL || psk_len == 0 || psk_len > MBEDTLS_PSK_MAX_LEN) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    conf->psk = mbedtls_calloc(1, psk_len);
    if (conf->psk == NULL) {
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
    }
    memcpy(conf->psk, psk, psk_len);
    conf->psk_len = psk_len;

    /* The identity is validated and copied last; if it is rejected the key
     * copy made above is removed again. */
    ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
    if (ret != 0) {
        ssl_conf_remove_psk(conf);
    }

    return ret;
}
2228
/* Forget the PSK attached to the current handshake, if any.
 *
 * PSA build: the key is destroyed only if this module imported it itself
 * (psk_opaque_is_internal set by mbedtls_ssl_set_hs_psk()); an externally
 * provided opaque key is left alone and only the reference is dropped.
 * Non-PSA build: the heap copy of the key bytes is zeroized and freed.
 *
 * Precondition: ssl->handshake is non-NULL (callers check this). */
static void ssl_remove_psk(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
        /* The maintenance of the external PSK key slot is the
         * user's responsibility. */
        if (ssl->handshake->psk_opaque_is_internal) {
            psa_destroy_key(ssl->handshake->psk_opaque);
            ssl->handshake->psk_opaque_is_internal = 0;
        }
        ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
    }
#else
    if (ssl->handshake->psk != NULL) {
        mbedtls_zeroize_and_free(ssl->handshake->psk,
                                 ssl->handshake->psk_len);
        ssl->handshake->psk_len = 0;
        ssl->handshake->psk = NULL;
    }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
2250
/**
 * Set the pre-shared key to use for the current handshake.
 *
 * Any PSK previously attached to the handshake is removed first (see
 * ssl_remove_psk()). \p psk_len must not exceed MBEDTLS_PSK_MAX_LEN.
 *
 * With MBEDTLS_USE_PSA_CRYPTO the raw key is imported into a PSA key whose
 * permitted algorithm depends on the negotiated protocol version: the
 * TLS 1.2 PSK-to-master-secret derivation (SHA-384 if the ciphersuite's MAC
 * is SHA-384, SHA-256 otherwise) or HKDF-Extract for TLS 1.3. The handshake
 * is then marked as owning the key, so ssl_remove_psk() destroys it later,
 * and the identifier is stored via mbedtls_ssl_set_hs_psk_opaque().
 *
 * Without PSA the key bytes are copied into a heap buffer owned by the
 * handshake.
 *
 * \return 0 on success.
 * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p psk is NULL, there is no
 *         handshake, or the key is too long.
 * \return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED if the PSA import fails.
 * \return MBEDTLS_ERR_SSL_ALLOC_FAILED if the copy cannot be allocated.
 */
int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
                           const unsigned char *psk, size_t psk_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_key_attributes_t key_attributes = psa_key_attributes_init();
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    psa_algorithm_t alg = PSA_ALG_NONE;
    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */

    if (psk == NULL || ssl->handshake == NULL) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    if (psk_len > MBEDTLS_PSK_MAX_LEN) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    ssl_remove_psk(ssl);

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
        /* NOTE(review): ciphersuite_info is dereferenced without a null
         * check; this relies on the ciphersuite already being selected when
         * the PSK is set — confirm against callers. */
        if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
            alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
        } else {
            alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
        }
        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
        alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
        psa_set_key_usage_flags(&key_attributes,
                                PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

    /* If tls_version matched neither branch above, alg is still PSA_ALG_NONE
     * and no usage flags are set; the import is attempted regardless. */
    psa_set_key_algorithm(&key_attributes, alg);
    psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);

    status = psa_import_key(&key_attributes, psk, psk_len, &key);
    if (status != PSA_SUCCESS) {
        return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
    }

    /* Allow calling psa_destroy_key() on psk remove */
    ssl->handshake->psk_opaque_is_internal = 1;
    /* mbedtls_ssl_set_hs_psk_opaque() calls ssl_remove_psk() once more; that
     * is a no-op here because psk_opaque was cleared above. */
    return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
#else
    if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
    }

    ssl->handshake->psk_len = psk_len;
    memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);

    return 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
2313
2314#if defined(MBEDTLS_USE_PSA_CRYPTO)
/**
 * Configure a static opaque (PSA) PSK and its identity.
 *
 * The key stays owned by the application: only its identifier is stored,
 * and ssl_conf_remove_psk() never destroys it.
 *
 * \param conf              SSL configuration; must not already hold a PSK.
 * \param psk               Non-null PSA key identifier.
 * \param psk_identity      Identity bytes, validated by
 *                          ssl_conf_set_psk_identity().
 * \param psk_identity_len  Identity length.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if a PSK is
 *         already configured, MBEDTLS_ERR_SSL_BAD_INPUT_DATA for a null key
 *         id or an invalid identity, MBEDTLS_ERR_SSL_ALLOC_FAILED if the
 *         identity copy fails. On failure \p conf ends up with no PSK.
 */
int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
                                mbedtls_svc_key_id_t psk,
                                const unsigned char *psk_identity,
                                size_t psk_identity_len)
{
    int ret;

    /* Only one static PSK (raw or opaque) is supported at a time. */
    if (mbedtls_ssl_conf_has_static_psk(conf)) {
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }

    if (mbedtls_svc_key_id_is_null(psk)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }
    conf->psk_opaque = psk;

    /* The identity is validated and copied last; on rejection the key
     * reference set above is dropped again. */
    ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
    if (ret == 0) {
        return 0;
    }

    ssl_conf_remove_psk(conf);
    return ret;
}
2342
/**
 * Attach an opaque (PSA) PSK to the current handshake.
 *
 * \param ssl  SSL context with a live handshake.
 * \param psk  Non-null PSA key identifier. Ownership stays with the caller
 *             unless psk_opaque_is_internal was set by
 *             mbedtls_ssl_set_hs_psk().
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the key id is
 *         null or there is no handshake.
 */
int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
                                  mbedtls_svc_key_id_t psk)
{
    if (ssl->handshake == NULL) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }
    if (mbedtls_svc_key_id_is_null(psk)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* Drop whatever PSK the handshake already holds (destroying it if it was
     * imported internally), then take the new key by reference. */
    ssl_remove_psk(ssl);
    ssl->handshake->psk_opaque = psk;
    return 0;
}
2355#endif /* MBEDTLS_USE_PSA_CRYPTO */
2356
2357#if defined(MBEDTLS_SSL_SRV_C)
/**
 * Register the server-side PSK lookup callback and its context pointer.
 *
 * \param conf   SSL configuration.
 * \param f_psk  Callback invoked with \p p_psk, the SSL context and the
 *               peer's identity (pointer and length); may be NULL.
 * \param p_psk  Opaque pointer handed back to \p f_psk.
 */
void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
                             int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
                                          size_t),
                             void *p_psk)
{
    conf->p_psk = p_psk;
    conf->f_psk = f_psk;
}
2366#endif /* MBEDTLS_SSL_SRV_C */
2367
2368#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2369
2370#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Map a PSA cipher algorithm to the record-protection mode it implies:
 * CBC for PSA_ALG_CBC_NO_PADDING (only when MAC suites are compiled in),
 * AEAD for any PSA AEAD algorithm, and STREAM for everything else
 * (including the null cipher). Encrypt-then-MAC is not considered here;
 * see mbedtls_ssl_get_actual_mode(). */
static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
    psa_algorithm_t alg)
{
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
    if (alg == PSA_ALG_CBC_NO_PADDING) {
        return MBEDTLS_SSL_MODE_CBC;
    }
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
    if (PSA_ALG_IS_AEAD(alg)) {
        return MBEDTLS_SSL_MODE_AEAD;
    }
    return MBEDTLS_SSL_MODE_STREAM;
}
2384
2385#else /* MBEDTLS_USE_PSA_CRYPTO */
2386
/* Map a legacy cipher mode to the record-protection mode it implies:
 * CBC for MBEDTLS_MODE_CBC (only when MAC suites are compiled in), AEAD for
 * GCM/CCM/ChaCha20-Poly1305 (only when at least one of those modules is
 * compiled in), and STREAM for everything else. Encrypt-then-MAC is not
 * considered here; see mbedtls_ssl_get_actual_mode(). */
static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
    mbedtls_cipher_mode_t mode)
{
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
    if (mode == MBEDTLS_MODE_CBC) {
        return MBEDTLS_SSL_MODE_CBC;
    }
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */

#if defined(MBEDTLS_GCM_C) || \
    defined(MBEDTLS_CCM_C) || \
    defined(MBEDTLS_CHACHAPOLY_C)
    if (mode == MBEDTLS_MODE_GCM ||
        mode == MBEDTLS_MODE_CCM ||
        mode == MBEDTLS_MODE_CHACHAPOLY) {
        return MBEDTLS_SSL_MODE_AEAD;
    }
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */

    return MBEDTLS_SSL_MODE_STREAM;
}
2408#endif /* MBEDTLS_USE_PSA_CRYPTO */
2409
/* Refine a base record-protection mode with the Encrypt-then-MAC setting.
 * CBC becomes CBC-ETM when encrypt_then_mac is MBEDTLS_SSL_ETM_ENABLED;
 * every other combination returns base_mode unchanged. When no CBC-ETM
 * suite is compiled in, the flag is ignored entirely. */
static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
    mbedtls_ssl_mode_t base_mode,
    int encrypt_then_mac)
{
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
    if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
        base_mode == MBEDTLS_SSL_MODE_CBC) {
        return MBEDTLS_SSL_MODE_CBC_ETM;
    }
#else
    (void) encrypt_then_mac;
#endif
    return base_mode;
}
2424
/**
 * Determine the record-protection mode (STREAM / CBC / CBC_ETM / AEAD) of an
 * established transform.
 *
 * The base mode is derived from the transform's cipher: its PSA algorithm in
 * PSA builds, otherwise the mode of its encryption cipher context. The
 * transform's Encrypt-then-MAC flag is only taken into account when
 * MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM is compiled in; otherwise EtM is
 * treated as disabled.
 */
mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
    const mbedtls_ssl_transform *transform)
{
    mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
#if defined(MBEDTLS_USE_PSA_CRYPTO)
        transform->psa_alg
#else
        mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
#endif
        );

    int encrypt_then_mac = 0;
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
    encrypt_then_mac = transform->encrypt_then_mac;
#endif
    return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
}
2442
/**
 * Determine the record-protection mode a ciphersuite would use.
 *
 * The suite's cipher is translated (to a PSA algorithm, or to a legacy
 * cipher mode) and mapped through mbedtls_ssl_get_base_mode(). If the
 * translation fails or the cipher is unknown, the mode falls back to
 * MBEDTLS_SSL_MODE_STREAM. The encrypt_then_mac parameter only exists when
 * MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM is compiled in; otherwise EtM is
 * treated as disabled.
 */
mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
    int encrypt_then_mac,
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
    const mbedtls_ssl_ciphersuite_t *suite)
{
    /* Default when the cipher cannot be resolved below. */
    mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_status_t status;
    psa_algorithm_t alg;
    psa_key_type_t type;
    size_t size;
    /* taglen 0: the default tag length is fine for mode detection. */
    status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
                                       0, &alg, &type, &size);
    if (status == PSA_SUCCESS) {
        base_mode = mbedtls_ssl_get_base_mode(alg);
    }
#else
    const mbedtls_cipher_info_t *cipher =
        mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
    if (cipher != NULL) {
        base_mode =
            mbedtls_ssl_get_base_mode(
                mbedtls_cipher_info_get_mode(cipher));
    }
#endif /* MBEDTLS_USE_PSA_CRYPTO */

#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
    int encrypt_then_mac = 0;
#endif
    return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
}
2476
2477#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2478
/**
 * Translate an Mbed TLS cipher type into its PSA equivalent.
 *
 * \param mbedtls_cipher_type  The MBEDTLS_CIPHER_xxx value to translate.
 * \param taglen               Only used for CCM ciphers: a non-zero value
 *                             selects
 *                             PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen),
 *                             zero selects plain PSA_ALG_CCM. Ignored for
 *                             every other cipher.
 * \param[out] alg             PSA algorithm (MBEDTLS_SSL_NULL_CIPHER for the
 *                             null cipher).
 * \param[out] key_type        PSA key type (0 for the null cipher).
 * \param[out] key_size        Key size in bits (0 for the null cipher).
 *
 * \return PSA_SUCCESS on success; the three outputs are written.
 * \return PSA_ERROR_NOT_SUPPORTED if the cipher is not handled, including
 *         ciphers whose MBEDTLS_SSL_HAVE_xxx support is compiled out. The
 *         outputs are left untouched in that case.
 */
psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
                                       size_t taglen,
                                       psa_algorithm_t *alg,
                                       psa_key_type_t *key_type,
                                       size_t *key_size)
{
#if !defined(MBEDTLS_SSL_HAVE_CCM)
    (void) taglen;
#endif
    switch (mbedtls_cipher_type) {
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
        case MBEDTLS_CIPHER_AES_128_CBC:
            *alg = PSA_ALG_CBC_NO_PADDING;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_AES_128_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_AES_128_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_AES_192_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 192;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_AES_192_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 192;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
        case MBEDTLS_CIPHER_AES_256_CBC:
            *alg = PSA_ALG_CBC_NO_PADDING;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_AES_256_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_AES_256_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_AES;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
        case MBEDTLS_CIPHER_ARIA_128_CBC:
            *alg = PSA_ALG_CBC_NO_PADDING;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_ARIA_128_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_ARIA_128_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_ARIA_192_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 192;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_ARIA_192_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 192;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
        case MBEDTLS_CIPHER_ARIA_256_CBC:
            *alg = PSA_ALG_CBC_NO_PADDING;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_ARIA_256_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_ARIA_256_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_ARIA;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
        case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
            *alg = PSA_ALG_CBC_NO_PADDING;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 128;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 192;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 192;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
        case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
            *alg = PSA_ALG_CBC_NO_PADDING;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
        case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
            *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
        case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
            *alg = PSA_ALG_GCM;
            *key_type = PSA_KEY_TYPE_CAMELLIA;
            *key_size = 256;
            break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
        case MBEDTLS_CIPHER_CHACHA20_POLY1305:
            *alg = PSA_ALG_CHACHA20_POLY1305;
            *key_type = PSA_KEY_TYPE_CHACHA20;
            *key_size = 256;
            break;
#endif
        /* The null cipher has no PSA algorithm; a module-local marker is
         * returned instead, with a zero key type and size. */
        case MBEDTLS_CIPHER_NULL:
            *alg = MBEDTLS_SSL_NULL_CIPHER;
            *key_type = 0;
            *key_size = 0;
            break;
        default:
            return PSA_ERROR_NOT_SUPPORTED;
    }

    return PSA_SUCCESS;
}
2675#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2676
2677#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
/**
 * Set the server's Diffie-Hellman parameters from big-endian binary values.
 *
 * Any previously configured parameters are released first. On failure both
 * conf->dhm_P and conf->dhm_G are freed again, so \p conf never holds a
 * half-initialised pair.
 *
 * \return 0 on success, or the error from mbedtls_mpi_read_binary().
 */
int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
                                  const unsigned char *dhm_P, size_t P_len,
                                  const unsigned char *dhm_G, size_t G_len)
{
    int ret;

    mbedtls_mpi_free(&conf->dhm_P);
    mbedtls_mpi_free(&conf->dhm_G);

    ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len);
    if (ret == 0) {
        ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len);
    }
    if (ret != 0) {
        mbedtls_mpi_free(&conf->dhm_P);
        mbedtls_mpi_free(&conf->dhm_G);
    }

    return ret;
}
2696
/**
 * Set the server's Diffie-Hellman parameters by copying P and G out of an
 * existing DHM context.
 *
 * Any previously configured parameters are released first. On failure both
 * conf->dhm_P and conf->dhm_G are freed again, so \p conf never holds a
 * half-initialised pair.
 *
 * \return 0 on success, or the error from mbedtls_dhm_get_value().
 */
int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
{
    int ret;

    mbedtls_mpi_free(&conf->dhm_P);
    mbedtls_mpi_free(&conf->dhm_G);

    ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P, &conf->dhm_P);
    if (ret == 0) {
        ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G, &conf->dhm_G);
    }
    if (ret != 0) {
        mbedtls_mpi_free(&conf->dhm_P);
        mbedtls_mpi_free(&conf->dhm_G);
    }

    return ret;
}
2715#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2716
2717#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
/*
 * Set the minimum length for Diffie-Hellman parameters
 *
 * Client side only: the value is stored in conf->dhm_min_bitlen as given,
 * with no validation here.
 */
void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
                                     unsigned int bitlen)
{
    conf->dhm_min_bitlen = bitlen;
}
2726#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2727
2728#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2729#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
/*
 * Set allowed/preferred hashes for handshake signatures
 *
 * Deprecated TLS 1.2 API: the list pointer is stored as-is (not copied), so
 * it must outlive the configuration. mbedtls_ssl_conf_sig_algs() clears it.
 */
void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
                                 const int *hashes)
{
    conf->sig_hashes = hashes;
}
2738#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2739
/* Configure allowed signature algorithms for handshake.
 *
 * The list pointer is stored as-is (not copied). Setting a signature
 * algorithm list supersedes any deprecated hash list set via
 * mbedtls_ssl_conf_sig_hashes(), which is cleared here when that API is
 * still compiled in. */
void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
                               const uint16_t *sig_algs)
{
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
    conf->sig_hashes = NULL;
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
    conf->sig_algs = sig_algs;
}
2749#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2750
2751#if defined(MBEDTLS_ECP_C)
2752#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/*
 * Set the allowed elliptic curves (deprecated API).
 *
 * The list is not translated here: mbedtls_ssl_setup() converts it into
 * IANA TLS group identifiers stored in ssl->handshake->group_list.
 * Setting a curve list clears any group list set via
 * mbedtls_ssl_conf_groups(); the two paths are mutually exclusive.
 */
void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
                             const mbedtls_ecp_group_id *curve_list)
{
    conf->group_list = NULL;
    conf->curve_list = curve_list;
}
2767#endif /* MBEDTLS_DEPRECATED_REMOVED */
2768#endif /* MBEDTLS_ECP_C */
2769
/*
 * Set the allowed groups.
 *
 * The list pointer is stored as-is (not copied). Setting a group list clears
 * any deprecated curve list set via mbedtls_ssl_conf_curves(), when that API
 * is compiled in; the two paths are mutually exclusive.
 */
void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
                             const uint16_t *group_list)
{
    conf->group_list = group_list;
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
    conf->curve_list = NULL;
#endif
}
2781
2782#if defined(MBEDTLS_X509_CRT_PARSE_C)
2783
/* A magic value for `ssl->hostname` indicating that
 * mbedtls_ssl_set_hostname() has been called with `NULL`.
 * If mbedtls_ssl_set_hostname() has never been called on `ssl`, then
 * `ssl->hostname == NULL`.
 *
 * The marker is recognised by address, never by content: the empty string
 * is only a placeholder. mbedtls_ssl_free_hostname() must not free it and
 * mbedtls_ssl_get_hostname_pointer() maps it back to NULL. */
static const char *const ssl_hostname_skip_cn_verification = "";
2789
2790#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
/** Whether mbedtls_ssl_set_hostname() has been called.
 *
 * Both a real hostname and the ssl_hostname_skip_cn_verification marker
 * count as "called"; only a null pointer means the function was never
 * used (or its last call failed to allocate).
 *
 * \param[in] ssl   SSL context
 *
 * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
 *         (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
 *         otherwise \c 0.
 */
static int mbedtls_ssl_has_set_hostname_been_called(
    const mbedtls_ssl_context *ssl)
{
    if (ssl->hostname == NULL) {
        return 0;
    }
    return 1;
}
2804#endif
2805
/* Micro-optimization: don't export this function if it isn't needed outside
 * of this source file. */
#if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
static
#endif
/* Return the configured hostname, or NULL when none is set or when
 * mbedtls_ssl_set_hostname() was called with NULL (the internal marker is
 * never exposed to callers). */
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
{
    const char *name = ssl->hostname;

    return (name == ssl_hostname_skip_cn_verification) ? NULL : name;
}
2818
/* Release ssl->hostname and reset it to NULL ("never set"). A heap-allocated
 * name is zeroized before being freed; the static
 * ssl_hostname_skip_cn_verification marker is only un-referenced. */
static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
{
    char *name = ssl->hostname;

    ssl->hostname = NULL;

    if (name == NULL || name == ssl_hostname_skip_cn_verification) {
        return;
    }
    mbedtls_zeroize_and_free(name, strlen(name));
}
2827
/**
 * Set (or clear) the expected server hostname.
 *
 * \param ssl       SSL context.
 * \param hostname  NUL-terminated name of at most MBEDTLS_SSL_MAX_HOST_NAME_LEN
 *                  bytes, or NULL. NULL clears the name but records that the
 *                  function was called (ssl_hostname_skip_cn_verification).
 *
 * \return 0 on success.
 * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the name is too long; the
 *         current hostname is left unchanged in that case.
 * \return MBEDTLS_ERR_SSL_ALLOC_FAILED if the copy cannot be allocated; the
 *         previous hostname has already been released and ssl->hostname is
 *         NULL, as if the function had never been called.
 */
int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
{
    size_t hostname_len = (hostname != NULL) ? strlen(hostname) : 0;
    char *copy;

    /* Validate the new name before touching the current one. */
    if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* From here on the old hostname is replaced in any case. */
    mbedtls_ssl_free_hostname(ssl);

    if (hostname == NULL) {
        /* Leave the "called with NULL" marker. It is never written through,
         * so dropping the const qualifier is harmless. */
        ssl->hostname = (char *) ssl_hostname_skip_cn_verification;
        return 0;
    }

    copy = mbedtls_calloc(1, hostname_len + 1);
    if (copy == NULL) {
        /* ssl->hostname is already NULL here, i.e. "never set". */
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
    }
    memcpy(copy, hostname, hostname_len);
    copy[hostname_len] = '\0';
    ssl->hostname = copy;

    return 0;
}
2870#endif /* MBEDTLS_X509_CRT_PARSE_C */
2871
2872#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/**
 * Register the server-side SNI callback and its context pointer.
 *
 * \param conf   SSL configuration.
 * \param f_sni  Callback invoked with \p p_sni, the SSL context and the
 *               server name from the ClientHello (pointer and length).
 * \param p_sni  Opaque pointer handed back to \p f_sni.
 */
void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
                          int (*f_sni)(void *, mbedtls_ssl_context *,
                                       const unsigned char *, size_t),
                          void *p_sni)
{
    conf->p_sni = p_sni;
    conf->f_sni = f_sni;
}
2881#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2882
2883#if defined(MBEDTLS_SSL_ALPN)
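/**
 * Set the list of ALPN protocol names to offer/accept.
 *
 * \param conf    SSL configuration.
 * \param protos  NULL-terminated array of NUL-terminated protocol names.
 *                The array is stored by pointer, not copied, so it must
 *                outlive \p conf.
 *
 * \return 0 on success.
 * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p protos is NULL, if any name
 *         is empty or longer than MBEDTLS_SSL_MAX_ALPN_NAME_LEN, or if the
 *         names together exceed MBEDTLS_SSL_MAX_ALPN_LIST_LEN. \p conf is
 *         not modified on failure.
 */
int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
{
    size_t cur_len, tot_len;
    const char **p;

    /* The array itself must exist: it is walked below until a NULL entry. */
    if (protos == NULL) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /*
     * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
     * MUST NOT be truncated."
     * We check lengths now rather than later.
     */
    tot_len = 0;
    for (p = protos; *p != NULL; p++) {
        cur_len = strlen(*p);
        tot_len += cur_len;

        if ((cur_len == 0) ||
            (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
            (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }
    }

    conf->alpn_list = protos;

    return 0;
}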
2910
/**
 * Return the ALPN protocol negotiated on \p ssl.
 *
 * \return The pointer stored in ssl->alpn_chosen; NULL if nothing was
 *         negotiated. The string is owned by the library, not the caller.
 */
const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
{
    return ssl->alpn_chosen;
}
2915#endif /* MBEDTLS_SSL_ALPN */
2916
2917#if defined(MBEDTLS_SSL_DTLS_SRTP)
/**
 * Declare whether DTLS-SRTP MKI values are supported.
 *
 * Stored as-is in conf->dtls_srtp_mki_support; mbedtls_ssl_dtls_srtp_set_mki_value()
 * refuses to set an MKI when this is MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED.
 */
void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
                                               int support_mki_value)
{
    conf->dtls_srtp_mki_support = support_mki_value;
}
2923
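/**
 * Set the DTLS-SRTP MKI value for this connection.
 *
 * \param ssl        SSL context.
 * \param mki_value  MKI bytes; may be NULL only when \p mki_len is 0.
 * \param mki_len    Length, at most MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH.
 *
 * \return 0 on success.
 * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the MKI is too long, or if a
 *         non-zero length comes with a NULL buffer.
 * \return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if MKI support was not
 *         enabled via mbedtls_ssl_conf_srtp_mki_value_supported().
 */
int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
                                        unsigned char *mki_value,
                                        uint16_t mki_len)
{
    if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* Reject a NULL source with a non-zero length before it reaches
     * memcpy(); the length bound above does not cover that case. */
    if (mki_value == NULL && mki_len != 0) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }

    memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
    ssl->dtls_srtp_info.mki_len = mki_len;
    return 0;
}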
2940
/**
 * Set the list of DTLS-SRTP protection profiles to offer/accept.
 *
 * \param conf      SSL configuration.
 * \param profiles  Array terminated by MBEDTLS_TLS_SRTP_UNSET, stored by
 *                  pointer (not copied). Every entry must be accepted by
 *                  mbedtls_ssl_check_srtp_profile_value() and there may be
 *                  at most MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH of them.
 *
 * \return 0 on success.
 * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an entry is unsupported or the
 *         list is too long; the configured list is then cleared.
 */
int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
                                                   const mbedtls_ssl_srtp_profile *profiles)
{
    const mbedtls_ssl_srtp_profile *p = profiles;
    size_t list_size = 0;

    /* Count valid entries; an unsupported value or an over-long list is
     * both recorded as "too long" so a single check below handles them. */
    while (*p != MBEDTLS_TLS_SRTP_UNSET) {
        if (mbedtls_ssl_check_srtp_profile_value(*p) == MBEDTLS_TLS_SRTP_UNSET) {
            list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
            break;
        }
        list_size++;
        if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
            break;
        }
        p++;
    }

    if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
        conf->dtls_srtp_profile_list = NULL;
        conf->dtls_srtp_profile_list_len = 0;
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    conf->dtls_srtp_profile_list = profiles;
    conf->dtls_srtp_profile_list_len = list_size;

    return 0;
}
2971
/**
 * Copy the outcome of the DTLS-SRTP negotiation out of \p ssl.
 *
 * The chosen profile is always copied. The MKI is copied only when a
 * profile was actually negotiated; otherwise mki_len is reported as 0 and
 * mki_value is left untouched.
 */
void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
                                                  mbedtls_dtls_srtp_info *dtls_srtp_info)
{
    const mbedtls_dtls_srtp_info *negotiated = &ssl->dtls_srtp_info;
    const int have_profile =
        (negotiated->chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET);

    dtls_srtp_info->chosen_dtls_srtp_profile = negotiated->chosen_dtls_srtp_profile;

    dtls_srtp_info->mki_len = have_profile ? negotiated->mki_len : 0;
    if (have_profile) {
        memcpy(dtls_srtp_info->mki_value, negotiated->mki_value,
               negotiated->mki_len);
    }
}
2985#endif /* MBEDTLS_SSL_DTLS_SRTP */
2986
2987#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/* Deprecated: set the maximum protocol version from a (major, minor) pair.
 * The pair is packed as (major << 8) | minor into conf->max_tls_version
 * without any range checking. */
void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
{
    conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
}
2992
/* Deprecated: set the minimum protocol version from a (major, minor) pair.
 * The pair is packed as (major << 8) | minor into conf->min_tls_version
 * without any range checking. */
void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
{
    conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
}
2997#endif /* MBEDTLS_DEPRECATED_REMOVED */
2998
2999#if defined(MBEDTLS_SSL_SRV_C)
/* Server only: choose whether the CertificateRequest message carries the
 * list of acceptable CAs. The value is stored as-is. */
void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
                                       char cert_req_ca_list)
{
    conf->cert_req_ca_list = cert_req_ca_list;
}
3005#endif
3006
3007#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
/* Enable or disable negotiation of the Encrypt-then-MAC extension.
 * The value is stored as-is in conf->encrypt_then_mac. */
void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
{
    conf->encrypt_then_mac = etm;
}
3012#endif
3013
3014#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
/* Enable or disable negotiation of the Extended Master Secret extension.
 * The value is stored as-is in conf->extended_ms. */
void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
{
    conf->extended_ms = ems;
}
3019#endif
3020
3021#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
 * Set the Maximum Fragment Length code to advertise.
 *
 * \param conf      SSL configuration.
 * \param mfl_code  One of the MBEDTLS_SSL_MAX_FRAG_LEN_xxx codes below
 *                  MBEDTLS_SSL_MAX_FRAG_LEN_INVALID.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the code is out
 *         of range or translates to a length above
 *         MBEDTLS_TLS_EXT_ADV_CONTENT_LEN. \p conf is unchanged on failure.
 */
int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
{
    /* Reject unknown codes first so the length lookup below only ever sees
     * a valid one. */
    if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }
    if (ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    conf->mfl_code = mfl_code;
    return 0;
}
3033#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3034
/* Choose how peers that lack the Renegotiation Indication extension are
 * treated. The value is stored as-is in conf->allow_legacy_renegotiation. */
void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
{
    conf->allow_legacy_renegotiation = allow_legacy;
}
3039
3040#if defined(MBEDTLS_SSL_RENEGOTIATION)
/* Enable or disable support for renegotiation. Note the field name: the
 * argument is stored unchanged into conf->disable_renegotiation, so the
 * MBEDTLS_SSL_RENEGOTIATION_xxx constants are expected to match that
 * field's meaning. */
void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
{
    conf->disable_renegotiation = renegotiation;
}
3045
/*
 * Store the number of records after which renegotiation is enforced.
 *
 * \param conf         Configuration to update.
 * \param max_records  Value stored verbatim in conf->renego_max_records.
 */
void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
{
    const int limit = max_records;

    conf->renego_max_records = limit;
}
3050
/*
 * Copy the 8-byte renegotiation period into the configuration.
 *
 * \param conf    Configuration to update.
 * \param period  Exactly 8 bytes; copied into conf->renego_period.
 */
void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
                                           const unsigned char period[8])
{
    unsigned char *dst = conf->renego_period;

    memcpy(dst, period, 8);
}
3056#endif /* MBEDTLS_SSL_RENEGOTIATION */
3057
3058#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3059#if defined(MBEDTLS_SSL_CLI_C)
3060
/*
 * Client-side: enable or disable TLS 1.2 session tickets.
 *
 * Only the TLS 1.2 bit of conf->session_tickets is touched: it is cleared
 * and then set again when use_tickets is non-zero.
 *
 * \param conf         Configuration to update.
 * \param use_tickets  Non-zero to enable, zero to disable.
 */
void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
{
    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
    if (use_tickets != 0) {
        conf->session_tickets |= 1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
    }
}
3067
3068#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
 * Client-side: enable or disable signalling support for TLS 1.3
 * NewSessionTicket messages.
 *
 * Only the TLS 1.3 bit of conf->session_tickets is touched: it is cleared
 * and then set again when signal_new_session_tickets is non-zero.
 *
 * \param conf                        Configuration to update.
 * \param signal_new_session_tickets  Non-zero to enable, zero to disable.
 */
void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
    mbedtls_ssl_config *conf, int signal_new_session_tickets)
{
    conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
    if (signal_new_session_tickets != 0) {
        conf->session_tickets |= 1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
    }
}
3076#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3077#endif /* MBEDTLS_SSL_CLI_C */
3078
3079#if defined(MBEDTLS_SSL_SRV_C)
3080
3081#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
 * Server-side, TLS 1.3: number of NewSessionTicket messages to send.
 *
 * \param conf         Configuration to update.
 * \param num_tickets  Value stored verbatim in conf->new_session_tickets_count.
 */
void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
                                          uint16_t num_tickets)
{
    const uint16_t count = num_tickets;

    conf->new_session_tickets_count = count;
}
3087#endif
3088
/*
 * Server-side: install the ticket write/parse callbacks and their context.
 *
 * \param conf            Configuration to update.
 * \param f_ticket_write  Stored in conf->f_ticket_write.
 * \param f_ticket_parse  Stored in conf->f_ticket_parse.
 * \param p_ticket        Opaque context stored in conf->p_ticket; passed
 *                        back to the callbacks, never dereferenced here.
 */
void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
                                         mbedtls_ssl_ticket_write_t *f_ticket_write,
                                         mbedtls_ssl_ticket_parse_t *f_ticket_parse,
                                         void *p_ticket)
{
    mbedtls_ssl_config *target = conf;

    target->p_ticket = p_ticket;
    target->f_ticket_parse = f_ticket_parse;
    target->f_ticket_write = f_ticket_write;
}
3098#endif
3099#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3100
/*
 * Install the key-export callback on a connection context.
 *
 * \param ssl            Context to update.
 * \param f_export_keys  Stored in ssl->f_export_keys.
 * \param p_export_keys  Opaque context stored in ssl->p_export_keys.
 */
void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
                                    mbedtls_ssl_export_keys_t *f_export_keys,
                                    void *p_export_keys)
{
    mbedtls_ssl_context *target = ssl;

    target->p_export_keys = p_export_keys;
    target->f_export_keys = f_export_keys;
}
3108
3109#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/*
 * Install the asynchronous private-key operation callbacks.
 *
 * \param conf               Configuration to update.
 * \param f_async_sign       Stored in conf->f_async_sign_start.
 * \param f_async_decrypt    Stored in conf->f_async_decrypt_start.
 * \param f_async_resume     Stored in conf->f_async_resume.
 * \param f_async_cancel     Stored in conf->f_async_cancel.
 * \param async_config_data  Opaque pointer stored in conf->p_async_config_data;
 *                           retrievable via mbedtls_ssl_conf_get_async_config_data().
 */
void mbedtls_ssl_conf_async_private_cb(
    mbedtls_ssl_config *conf,
    mbedtls_ssl_async_sign_t *f_async_sign,
    mbedtls_ssl_async_decrypt_t *f_async_decrypt,
    mbedtls_ssl_async_resume_t *f_async_resume,
    mbedtls_ssl_async_cancel_t *f_async_cancel,
    void *async_config_data)
{
    mbedtls_ssl_config *target = conf;

    target->p_async_config_data = async_config_data;
    target->f_async_cancel = f_async_cancel;
    target->f_async_resume = f_async_resume;
    target->f_async_decrypt_start = f_async_decrypt;
    target->f_async_sign_start = f_async_sign;
}
3124
/*
 * Return the opaque pointer registered with mbedtls_ssl_conf_async_private_cb().
 *
 * \param conf  Configuration to read.
 *
 * \return conf->p_async_config_data, unchanged.
 */
void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
{
    void *config_data = conf->p_async_config_data;

    return config_data;
}
3129
/*
 * Return the per-operation context stored in the current handshake.
 *
 * \param ssl  Connection to read.
 *
 * \return ssl->handshake->user_async_ctx, or NULL when no handshake is in
 *         progress.
 */
void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
{
    const int handshake_active = (ssl->handshake != NULL);

    return handshake_active ? ssl->handshake->user_async_ctx : NULL;
}
3138
/*
 * Store a per-operation context in the current handshake.
 *
 * \param ssl  Connection to update.
 * \param ctx  Opaque pointer stored in ssl->handshake->user_async_ctx.
 *             Silently ignored when no handshake is in progress.
 */
void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
                                          void *ctx)
{
    if (ssl->handshake == NULL) {
        return;
    }

    ssl->handshake->user_async_ctx = ctx;
}
3146#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3147
3148/*
3149 * SSL get accessors
3150 */
/*
 * Return the peer-certificate verification flags.
 *
 * The established session is consulted first, then the session under
 * negotiation.
 *
 * \param ssl  Connection to read.
 *
 * \return The session's verify_result, or 0xFFFFFFFF (all flags set) when
 *         neither session exists.
 */
uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
{
    const mbedtls_ssl_session *source = ssl->session;

    if (source == NULL) {
        source = ssl->session_negotiate;
    }

    if (source == NULL) {
        return 0xFFFFFFFF;
    }

    return source->verify_result;
}
3163
/*
 * Return the numeric ciphersuite ID of the established session.
 *
 * \param ssl  Connection to read; may be NULL.
 *
 * \return ssl->session->ciphersuite, or 0 when ssl or its session is NULL.
 */
int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
{
    const mbedtls_ssl_session *session = (ssl != NULL) ? ssl->session : NULL;

    return (session != NULL) ? session->ciphersuite : 0;
}
3172
/*
 * Return the name of the established session's ciphersuite.
 *
 * \param ssl  Connection to read; may be NULL.
 *
 * \return The name from mbedtls_ssl_get_ciphersuite_name(), or NULL when
 *         ssl or its session is NULL.
 */
const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
{
    const mbedtls_ssl_session *session = (ssl != NULL) ? ssl->session : NULL;

    if (session == NULL) {
        return NULL;
    }

    return mbedtls_ssl_get_ciphersuite_name(session->ciphersuite);
}
3181
/*
 * Return a human-readable name for the negotiated protocol version.
 *
 * \param ssl  Connection to read.
 *
 * \return "DTLSv1.2" / "unknown (DTLS)" on a datagram transport,
 *         "TLSv1.2" / "TLSv1.3" / "unknown" otherwise. The strings are
 *         static and must not be freed.
 */
const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)
    const int is_datagram =
        (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM);

    if (is_datagram) {
        if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
            return "DTLSv1.2";
        }
        return "unknown (DTLS)";
    }
#endif

    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
        return "TLSv1.2";
    }
    if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
        return "TLSv1.3";
    }
    return "unknown";
}
3204
3205#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3206
/*
 * Return the outgoing record size limit in effect.
 *
 * Starts from MBEDTLS_SSL_OUT_CONTENT_LEN. A session's record_size_limit
 * replaces it only when it is at least MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN and
 * strictly below the default. The established session is considered first
 * and the session being negotiated second, so the latter wins during a
 * handshake.
 *
 * \param ssl  Connection to read.
 *
 * \return The limit in bytes.
 */
size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
{
    const size_t default_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
    size_t limit = default_len;
    const mbedtls_ssl_session *candidates[2] = {
        ssl->session,           /* established session */
        ssl->session_negotiate  /* session under negotiation (TODO: untested) */
    };

    for (size_t i = 0; i < 2; i++) {
        const mbedtls_ssl_session *candidate = candidates[i];

        if (candidate == NULL) {
            continue;
        }
        if (candidate->record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
            continue;
        }
        if (candidate->record_size_limit >= default_len) {
            continue;
        }
        limit = candidate->record_size_limit;
    }

    return limit;
}
3228#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3229
3230#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/*
 * Return the maximum fragment length we accept on input.
 *
 * A TLS 1.2 client that has reached ServerHelloDone is bound by its own
 * configured MFL. Otherwise the default MBEDTLS_SSL_IN_CONTENT_LEN is
 * lowered to whatever smaller value the established session and then the
 * session under negotiation carry.
 *
 * \param ssl  Connection to read.
 *
 * \return The length in bytes.
 */
size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
{
    size_t limit = MBEDTLS_SSL_IN_CONTENT_LEN;

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    const int client_past_server_hello_done =
        ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
        ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE;

    if (client_past_server_hello_done) {
        return ssl_mfl_code_to_length(ssl->conf->mfl_code);
    }
#endif

    const mbedtls_ssl_session *candidates[2] = {
        ssl->session_out,       /* established session */
        ssl->session_negotiate  /* session under negotiation */
    };

    for (size_t i = 0; i < 2; i++) {
        if (candidates[i] == NULL) {
            continue;
        }
        const size_t negotiated = ssl_mfl_code_to_length(candidates[i]->mfl_code);
        if (negotiated < limit) {
            limit = negotiated;
        }
    }

    return limit;
}
3262
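/*
 * Return the maximum fragment length we may send.
 *
 * Starts from the configured MFL (validated when it was set by
 * mbedtls_ssl_conf_max_frag_len()), then lowers it to any smaller value
 * carried by the established session and by the session under negotiation.
 * Each MFL code is translated exactly once, mirroring
 * mbedtls_ssl_get_input_max_frag_len().
 *
 * \param ssl  Connection to read.
 *
 * \return The length in bytes.
 */
size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
{
    /* mfl_code was range-checked when it was stored in the configuration. */
    size_t max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);

    /* Check if a smaller max length was negotiated */
    if (ssl->session_out != NULL) {
        const size_t negotiated = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
        if (negotiated < max_len) {
            max_len = negotiated;
        }
    }

    /* During a handshake, use the value being negotiated */
    if (ssl->session_negotiate != NULL) {
        const size_t pending = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
        if (pending < max_len) {
            max_len = pending;
        }
    }

    return max_len;
}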
3286#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3287
3288#if defined(MBEDTLS_SSL_PROTO_DTLS)
/*
 * Return the MTU currently in effect for DTLS.
 *
 * The connection MTU (ssl->mtu) and the handshake MTU (ssl->handshake->mtu)
 * are combined: a zero value means "unset" and yields to the other one;
 * when both are set the smaller wins.
 *
 * \param ssl  Connection to read.
 *
 * \return The MTU in bytes, or 0 when neither value is set.
 */
size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
{
    const size_t conn_mtu = ssl->mtu;
    const size_t hs_mtu = (ssl->handshake != NULL) ? ssl->handshake->mtu : 0;

    if (hs_mtu == 0) {
        return conn_mtu;
    }
    if (conn_mtu == 0) {
        return hs_mtu;
    }

    return (conn_mtu < hs_mtu) ? conn_mtu : hs_mtu;
}
3302#endif /* MBEDTLS_SSL_PROTO_DTLS */
3303
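/*
 * Return the largest application payload that fits in one outgoing record.
 *
 * Starts from MBEDTLS_SSL_OUT_CONTENT_LEN and lowers it, in order, for the
 * negotiated maximum fragment length, the negotiated record size limit, the
 * TLS 1.3 inner-plaintext overhead and, on DTLS, the current MTU minus the
 * record expansion.
 *
 * \param ssl  Connection to read. It is always dereferenced (transform_out),
 *             so no build needs a "(void) ssl" silencer.
 *
 * \return The payload size in bytes, or a negative MBEDTLS_ERR_SSL_XXX code:
 *         whatever mbedtls_ssl_get_record_expansion() failed with, or
 *         MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE when the MTU cannot even hold
 *         the record expansion.
 */
int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
{
    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;

#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
    const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);

    if (max_len > mfl) {
        max_len = mfl;
    }
#endif

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
    const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);

    if (max_len > record_size_limit) {
        max_len = record_size_limit;
    }
#endif

    if (ssl->transform_out != NULL &&
        ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
        /*
         * In TLS 1.3 case, when records are protected, `max_len` as computed
         * above is the maximum length of the TLSInnerPlaintext structure that
         * along the plaintext payload contains the inner content type (one byte)
         * and some zero padding. Given the algorithm used for padding
         * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
         * the plaintext payload. Round down to a multiple of
         * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
         * subtract 1.
         *
         * NOTE(review): this assumes max_len is at least the padding
         * granularity; otherwise the subtraction would wrap around.
         * TODO confirm the configured minimum limits guarantee that.
         */
        max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
                   MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
    }

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);

    if (mtu != 0) {
        const int ret = mbedtls_ssl_get_record_expansion(ssl);

        /* Propagate the error before reinterpreting ret as a byte count. */
        if (ret < 0) {
            return ret;
        }
        const size_t overhead = (size_t) ret;

        if (mtu <= overhead) {
            MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
            return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
        }

        if (max_len > mtu - overhead) {
            max_len = mtu - overhead;
        }
    }
#endif /* MBEDTLS_SSL_PROTO_DTLS */

    return (int) max_len;
}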
3375
/*
 * Return the largest application payload accepted in one incoming record.
 *
 * Starts from MBEDTLS_SSL_IN_CONTENT_LEN and, when the MFL extension is
 * compiled in, lowers it to mbedtls_ssl_get_input_max_frag_len().
 *
 * \param ssl  Connection to read (unused without MFL support).
 *
 * \return The payload size in bytes.
 */
int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
{
    size_t limit = MBEDTLS_SSL_IN_CONTENT_LEN;

#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
    const size_t negotiated_mfl = mbedtls_ssl_get_input_max_frag_len(ssl);

    if (negotiated_mfl < limit) {
        limit = negotiated_mfl;
    }
#else
    (void) ssl;
#endif

    return (int) limit;
}
3394
3395#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
 * Return the peer's end-entity certificate from the established session.
 *
 * \param ssl  Connection to read; may be NULL.
 *
 * \return ssl->session->peer_cert, or NULL when ssl or its session is NULL,
 *         or always NULL when MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled.
 */
const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
{
    const mbedtls_ssl_session *session = (ssl != NULL) ? ssl->session : NULL;

#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    return (session != NULL) ? session->peer_cert : NULL;
#else
    (void) session;
    return NULL;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
}
3408#endif /* MBEDTLS_X509_CRT_PARSE_C */
3409
3410#if defined(MBEDTLS_SSL_CLI_C)
/*
 * Export the current session (client side only) into dst.
 *
 * Since Mbed TLS 3.0 this is not idempotent: a session can be exported once,
 * after which ssl->session->exported is set and further calls fail. (This
 * prepares for TLS 1.3, where several tickets are exported by calling this
 * repeatedly until it fails.)
 *
 * \param ssl  Connection whose session is exported.
 * \param dst  Destination session, filled by mbedtls_ssl_session_copy().
 *
 * \return 0 on success; MBEDTLS_ERR_SSL_BAD_INPUT_DATA when ssl, dst or the
 *         session is NULL or the endpoint is not a client;
 *         MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE when the session was already
 *         exported; otherwise the error from mbedtls_ssl_session_copy().
 */
int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
                            mbedtls_ssl_session *dst)
{
    if (ssl == NULL || dst == NULL) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    mbedtls_ssl_session *current = ssl->session;
    if (current == NULL || ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    /* Each session may only be exported once. */
    if (current->exported == 1) {
        return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    }

    const int ret = mbedtls_ssl_session_copy(dst, current);
    if (ret != 0) {
        return ret;
    }

    /* Mark the session as exported so a second call is refused. */
    current->exported = 1;
    return 0;
}
3447#endif /* MBEDTLS_SSL_CLI_C */
3448
3449#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3450
/* Serialization of TLS 1.2 sessions
 *
 * Appends the TLS 1.2 part of a session to buf in the order described by
 * ssl_session_save(): [start time] id_len/id/master/verify_result,
 * [peer cert or digest], [ticket + lifetime (client) / ticket creation
 * time (server)], [mfl_code], [encrypt_then_mac]; bracketed parts depend on
 * build options.
 *
 * The running total `used` is always advanced; bytes are only written while
 * `used` still fits in buf_len. A call with buf_len == 0 is therefore a pure
 * size query.
 *
 * \param session  Session to serialize (read only).
 * \param buf      Output buffer; may be smaller than required.
 * \param buf_len  Capacity of buf in bytes.
 *
 * \return Number of bytes the full serialization needs, which may exceed
 *         buf_len.
 */
static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
                                     unsigned char *buf,
                                     size_t buf_len)
{
    unsigned char *p = buf;
    size_t used = 0;

#if defined(MBEDTLS_HAVE_TIME)
    uint64_t start;
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    size_t cert_len;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */

    /*
     * Time: session start, 8 bytes big-endian
     */
#if defined(MBEDTLS_HAVE_TIME)
    used += 8;

    if (used <= buf_len) {
        start = (uint64_t) session->start;

        MBEDTLS_PUT_UINT64_BE(start, p, 0);
        p += 8;
    }
#endif /* MBEDTLS_HAVE_TIME */

    /*
     * Basic mandatory fields: the whole id and master buffers are written
     * regardless of id_len (1 + 32 + 48 + 4 bytes).
     */
    used += 1 /* id_len */
            + sizeof(session->id)
            + sizeof(session->master)
            + 4; /* verify_result */

    if (used <= buf_len) {
        *p++ = MBEDTLS_BYTE_0(session->id_len);
        memcpy(p, session->id, 32);
        p += 32;

        memcpy(p, session->master, 48);
        p += 48;

        MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
        p += 4;
    }

    /*
     * Peer's end-entity certificate: 3-byte big-endian length followed by
     * the raw DER (length 0 when there is none), or, without
     * MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, a (type, length, digest) triple.
     */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    if (session->peer_cert == NULL) {
        cert_len = 0;
    } else {
        cert_len = session->peer_cert->raw.len;
    }

    used += 3 + cert_len;

    if (used <= buf_len) {
        *p++ = MBEDTLS_BYTE_2(cert_len);
        *p++ = MBEDTLS_BYTE_1(cert_len);
        *p++ = MBEDTLS_BYTE_0(cert_len);

        if (session->peer_cert != NULL) {
            memcpy(p, session->peer_cert->raw.p, cert_len);
            p += cert_len;
        }
    }
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
    if (session->peer_cert_digest != NULL) {
        used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
        if (used <= buf_len) {
            *p++ = (unsigned char) session->peer_cert_digest_type;
            *p++ = (unsigned char) session->peer_cert_digest_len;
            memcpy(p, session->peer_cert_digest,
                   session->peer_cert_digest_len);
            p += session->peer_cert_digest_len;
        }
    } else {
        /* No digest: encode MD_NONE with a zero length. */
        used += 2;
        if (used <= buf_len) {
            *p++ = (unsigned char) MBEDTLS_MD_NONE;
            *p++ = 0;
        }
    }
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */

    /*
     * Session ticket if any, plus associated data. The layout depends on
     * session->endpoint, which the loader must therefore know beforehand.
     */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_CLI_C)
    if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
        used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */

        if (used <= buf_len) {
            *p++ = MBEDTLS_BYTE_2(session->ticket_len);
            *p++ = MBEDTLS_BYTE_1(session->ticket_len);
            *p++ = MBEDTLS_BYTE_0(session->ticket_len);

            if (session->ticket != NULL) {
                memcpy(p, session->ticket, session->ticket_len);
                p += session->ticket_len;
            }

            MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
            p += 4;
        }
    }
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
    if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
        used += 8;

        if (used <= buf_len) {
            MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
            p += 8;
        }
    }
#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_SESSION_TICKETS */

    /*
     * Misc extension-related info: one byte each
     */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
    used += 1;

    if (used <= buf_len) {
        *p++ = session->mfl_code;
    }
#endif

#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    used += 1;

    if (used <= buf_len) {
        *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
    }
#endif

    return used;
}
3604
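/*
 * Deserialization of TLS 1.2 sessions: the inverse of
 * ssl_tls12_session_save(), reading the same fields in the same
 * build-option dependent order.
 *
 * Every read is preceded by a remaining-length check, and the buffer must be
 * consumed exactly. Pointer fields that are filled later (peer_cert or
 * peer_cert_digest, ticket) are reset to NULL right after the fixed fields
 * so that an early error return never leaves stale pointer values in the
 * session.
 *
 * \param session  Session to fill. session->endpoint must already be set,
 *                 since the ticket section's layout depends on it.
 * \param buf      Serialized bytes.
 * \param len      Number of bytes in buf.
 *
 * \return 0 on success; MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the buffer is
 *         truncated, carries an out-of-range length, or has trailing bytes;
 *         MBEDTLS_ERR_SSL_ALLOC_FAILED on allocation failure; otherwise the
 *         error from mbedtls_x509_crt_parse_der() when the embedded
 *         certificate is rejected.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls12_session_load(mbedtls_ssl_session *session,
                                  const unsigned char *buf,
                                  size_t len)
{
#if defined(MBEDTLS_HAVE_TIME)
    uint64_t start;
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    size_t cert_len;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */

    const unsigned char *p = buf;
    const unsigned char * const end = buf + len;

    /*
     * Time
     */
#if defined(MBEDTLS_HAVE_TIME)
    if (8 > (size_t) (end - p)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    start = MBEDTLS_GET_UINT64_BE(p, 0);
    p += 8;

    session->start = (mbedtls_time_t) start;
#endif /* MBEDTLS_HAVE_TIME */

    /*
     * Basic mandatory fields
     */
    if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    session->id_len = *p++;
    /* The serialized id_len is a bare byte: bound it to the fixed-size id
     * buffer so a corrupted blob cannot hand out an id_len larger than
     * session->id. A valid blob always satisfies this (the saver copies the
     * in-memory id_len, which describes that same buffer). */
    if (session->id_len > sizeof(session->id)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }
    memcpy(session->id, p, 32);
    p += 32;

    memcpy(session->master, p, 48);
    p += 48;

    session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
    p += 4;

    /* Immediately clear invalid pointer values that have been read, in case
     * we exit early before we replaced them with valid ones. */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    session->peer_cert = NULL;
#else
    session->peer_cert_digest = NULL;
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
    session->ticket = NULL;
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */

    /*
     * Peer certificate
     */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    /* Deserialize CRT from the end of the ticket. */
    if (3 > (size_t) (end - p)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
    p += 3;

    if (cert_len != 0) {
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

        if (cert_len > (size_t) (end - p)) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }

        session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));

        if (session->peer_cert == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }

        mbedtls_x509_crt_init(session->peer_cert);

        /* On parse failure release the half-built certificate here, so the
         * session never holds a pointer to a freed or invalid object. */
        if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
                                              p, cert_len)) != 0) {
            mbedtls_x509_crt_free(session->peer_cert);
            mbedtls_free(session->peer_cert);
            session->peer_cert = NULL;
            return ret;
        }

        p += cert_len;
    }
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
    /* Deserialize CRT digest from the end of the ticket. */
    if (2 > (size_t) (end - p)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
    session->peer_cert_digest_len = (size_t) *p++;

    if (session->peer_cert_digest_len != 0) {
        /* The digest type must be known and its length must match exactly. */
        const mbedtls_md_info_t *md_info =
            mbedtls_md_info_from_type(session->peer_cert_digest_type);
        if (md_info == NULL) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }
        if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }

        if (session->peer_cert_digest_len > (size_t) (end - p)) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }

        session->peer_cert_digest =
            mbedtls_calloc(1, session->peer_cert_digest_len);
        if (session->peer_cert_digest == NULL) {
            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        }

        memcpy(session->peer_cert_digest, p,
               session->peer_cert_digest_len);
        p += session->peer_cert_digest_len;
    }
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */

    /*
     * Session ticket and associated data
     */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_CLI_C)
    if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
        if (3 > (size_t) (end - p)) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }

        session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
        p += 3;

        if (session->ticket_len != 0) {
            if (session->ticket_len > (size_t) (end - p)) {
                return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
            }

            session->ticket = mbedtls_calloc(1, session->ticket_len);
            if (session->ticket == NULL) {
                return MBEDTLS_ERR_SSL_ALLOC_FAILED;
            }

            memcpy(session->ticket, p, session->ticket_len);
            p += session->ticket_len;
        }

        if (4 > (size_t) (end - p)) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }

        session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
        p += 4;
    }
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
    if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
        if (8 > (size_t) (end - p)) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }
        session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
        p += 8;
    }
#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_SESSION_TICKETS */

    /*
     * Misc extension-related info
     */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
    if (1 > (size_t) (end - p)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    session->mfl_code = *p++;
#endif

#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    if (1 > (size_t) (end - p)) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    session->encrypt_then_mac = *p++;
#endif

    /* Done, should have consumed entire buffer */
    if (p != end) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }

    return 0;
}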
3812
3813#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3814
3815#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3816/* Serialization of TLS 1.3 sessions:
3817 *
3818 * For more detail, see the description of ssl_session_save().
3819 */
3820#if defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
 * Serialize the TLS 1.3 part of a session into buf.
 *
 * Unlike the TLS 1.2 saver this computes the full size up front, stores it
 * in *olen, and writes nothing unless the buffer is large enough. Layout:
 * ticket_age_add (4), ticket_flags (1), resumption_key length (1) + key,
 * [max_early_data_size (4)], [record_size_limit (2)], then endpoint
 * specific data: server = [ticket_creation_time (8)] [alpn_len (2) + alpn];
 * client = [hostname_len (2) + hostname] [ticket_reception_time (8)]
 * ticket_lifetime (4) ticket_len (2) + ticket. Bracketed parts depend on
 * build options. Strings are stored with their terminating NUL.
 *
 * \param session  Session to serialize (read only).
 * \param buf      Output buffer.
 * \param buf_len  Capacity of buf in bytes.
 * \param olen     Set to the number of bytes required (also on
 *                 MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL), or 0 on other errors.
 *
 * \return 0 on success; MBEDTLS_ERR_SSL_BAD_INPUT_DATA when
 *         resumption_key_len exceeds the key buffer or ticket_len would
 *         overflow size_t; MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL when buf_len is
 *         below the required size.
 */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
                                  unsigned char *buf,
                                  size_t buf_len,
                                  size_t *olen)
{
    unsigned char *p = buf;
#if defined(MBEDTLS_SSL_CLI_C) && \
    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    /* Length including the NUL terminator; 0 when no hostname is set. */
    size_t hostname_len = (session->hostname == NULL) ?
                          0 : strlen(session->hostname) + 1;
#endif

#if defined(MBEDTLS_SSL_SRV_C) && \
    defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
    /* Length including the NUL terminator; 0 when no ALPN was chosen. */
    const size_t alpn_len = (session->ticket_alpn == NULL) ?
                            0 : strlen(session->ticket_alpn) + 1;
#endif
    size_t needed = 4 /* ticket_age_add */
                    + 1 /* ticket_flags */
                    + 1; /* resumption_key length */

    *olen = 0;

    if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
    }
    needed += session->resumption_key_len; /* resumption_key */

#if defined(MBEDTLS_SSL_EARLY_DATA)
    needed += 4; /* max_early_data_size */
#endif
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
    needed += 2; /* record_size_limit */
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

#if defined(MBEDTLS_HAVE_TIME)
    needed += 8; /* ticket_creation_time or ticket_reception_time */
#endif

#if defined(MBEDTLS_SSL_SRV_C)
    if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
        needed += 2 /* alpn_len */
                  + alpn_len; /* alpn */
#endif
    }
#endif /* MBEDTLS_SSL_SRV_C */

#if defined(MBEDTLS_SSL_CLI_C)
    if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
        needed += 2 /* hostname_len */
                  + hostname_len; /* hostname */
#endif

        needed += 4 /* ticket_lifetime */
                  + 2; /* ticket_len */

        /* Check size_t overflow */
        if (session->ticket_len > SIZE_MAX - needed) {
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        }

        needed += session->ticket_len; /* ticket */
    }
#endif /* MBEDTLS_SSL_CLI_C */

    /* Report the size before the capacity check so a caller can resize. */
    *olen = needed;
    if (needed > buf_len) {
        return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
    }

    MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
    p[4] = session->ticket_flags;

    /* save resumption_key */
    p[5] = session->resumption_key_len;
    p += 6;
    memcpy(p, session->resumption_key, session->resumption_key_len);
    p += session->resumption_key_len;

#if defined(MBEDTLS_SSL_EARLY_DATA)
    MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
    p += 4;
#endif
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
    MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
    p += 2;
#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

#if defined(MBEDTLS_SSL_SRV_C)
    if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
#if defined(MBEDTLS_HAVE_TIME)
        MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
        p += 8;
#endif /* MBEDTLS_HAVE_TIME */

#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
        /* NOTE(review): alpn_len is written as 16 bits while `needed`
         * counted the full size_t; assumes the ALPN string is short enough
         * to fit — TODO confirm where ticket_alpn's length is bounded. */
        MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
        p += 2;

        if (alpn_len > 0) {
            /* save chosen alpn */
            memcpy(p, session->ticket_alpn, alpn_len);
            p += alpn_len;
        }
#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
    }
#endif /* MBEDTLS_SSL_SRV_C */

#if defined(MBEDTLS_SSL_CLI_C)
    if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
        /* NOTE(review): same 16-bit truncation consideration as for
         * alpn_len applies to hostname_len — TODO confirm the hostname
         * setter bounds its length. */
        MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
        p += 2;
        if (hostname_len > 0) {
            /* save host name */
            memcpy(p, session->hostname, hostname_len);
            p += hostname_len;
        }
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

#if defined(MBEDTLS_HAVE_TIME)
        MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
        p += 8;
#endif
        MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
        p += 4;

        /* NOTE(review): ticket_len is stored in 16 bits (the TLS 1.2 saver
         * uses 24); assumes TLS 1.3 tickets never exceed 0xFFFF bytes —
         * TODO confirm this is enforced when the ticket is received. */
        MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
        p += 2;

        if (session->ticket != NULL && session->ticket_len > 0) {
            memcpy(p, session->ticket, session->ticket_len);
            p += session->ticket_len;
        }
    }
#endif /* MBEDTLS_SSL_CLI_C */
    return 0;
}
3962
3963MBEDTLS_CHECK_RETURN_CRITICAL
3964static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3965 const unsigned char *buf,
3966 size_t len)
3967{
3968 const unsigned char *p = buf;
3969 const unsigned char *end = buf + len;
3970
3971 if (end - p < 6) {
3972 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3973 }
3974 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3975 session->ticket_flags = p[4];
3976
3977 /* load resumption_key */
3978 session->resumption_key_len = p[5];
3979 p += 6;
3980
3981 if (end - p < session->resumption_key_len) {
3982 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3983 }
3984
3985 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3986 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3987 }
3988 memcpy(session->resumption_key, p, session->resumption_key_len);
3989 p += session->resumption_key_len;
3990
3991#if defined(MBEDTLS_SSL_EARLY_DATA)
3992 if (end - p < 4) {
3993 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3994 }
3995 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3996 p += 4;
3997#endif
3998#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3999 if (end - p < 2) {
4000 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4001 }
4002 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
4003 p += 2;
4004#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4005
4006#if defined(MBEDTLS_SSL_SRV_C)
4007 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
4008#if defined(MBEDTLS_HAVE_TIME)
4009 if (end - p < 8) {
4010 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4011 }
4012 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
4013 p += 8;
4014#endif /* MBEDTLS_HAVE_TIME */
4015
4016#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4017 size_t alpn_len;
4018
4019 if (end - p < 2) {
4020 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4021 }
4022
4023 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
4024 p += 2;
4025
4026 if (end - p < (long int) alpn_len) {
4027 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4028 }
4029
4030 if (alpn_len > 0) {
4031 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
4032 if (ret != 0) {
4033 return ret;
4034 }
4035 p += alpn_len;
4036 }
4037#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
4038 }
4039#endif /* MBEDTLS_SSL_SRV_C */
4040
4041#if defined(MBEDTLS_SSL_CLI_C)
4042 if (