WNCInterface - The WDCInterface is is a drop-in replacement for …

Avnet » Code » WNCInterface

The WDCInterface is is a drop-in replacement for an EthernetInterface class that allows the user to connect to the Internet with a Wistron NeWeb Corporation (WNC) M14A2A Series data module using the standard network Socket API's. This interface class is used in the AT&T Cellular IoT Starter Kit which is sold by Avnet (http://cloudconnectkits.org/product/att-cellular-iot-starter-kit).

Dependencies: WncControllerK64F

Dependents: WNCProximityMqtt Pubnub_ATT_IoT_SK_WNC_sync BluemixDemo BluemixQS ... more

See the WNCInterface README in the Wiki tab for detailed information on this library.

mbedtls/source/ssl_srv.c@29:b278b745fb4f, 2017-03-24 (annotated)

Committer:: JMF
Date:: Fri Mar 24 22:26:23 2017 +0000
Revision:: 29:b278b745fb4f
Parent:: 12:0071cb144c7a

updated Class name of TCPSocketConnection to WncTCPSocketConnection;

Who changed what in which revision?

User	Revision	Line number	New contents of line
JMF	12:0071cb144c7a	1	/*
JMF	12:0071cb144c7a	2	* SSLv3/TLSv1 server-side functions
JMF	12:0071cb144c7a	3	*
JMF	12:0071cb144c7a	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
JMF	12:0071cb144c7a	5	* SPDX-License-Identifier: Apache-2.0
JMF	12:0071cb144c7a	6	*
JMF	12:0071cb144c7a	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
JMF	12:0071cb144c7a	8	* not use this file except in compliance with the License.
JMF	12:0071cb144c7a	9	* You may obtain a copy of the License at
JMF	12:0071cb144c7a	10	*
JMF	12:0071cb144c7a	11	* http://www.apache.org/licenses/LICENSE-2.0
JMF	12:0071cb144c7a	12	*
JMF	12:0071cb144c7a	13	* Unless required by applicable law or agreed to in writing, software
JMF	12:0071cb144c7a	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
JMF	12:0071cb144c7a	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
JMF	12:0071cb144c7a	16	* See the License for the specific language governing permissions and
JMF	12:0071cb144c7a	17	* limitations under the License.
JMF	12:0071cb144c7a	18	*
JMF	12:0071cb144c7a	19	* This file is part of mbed TLS (https://tls.mbed.org)
JMF	12:0071cb144c7a	20	*/
JMF	12:0071cb144c7a	21
JMF	12:0071cb144c7a	22	#if !defined(MBEDTLS_CONFIG_FILE)
JMF	12:0071cb144c7a	23	#include "mbedtls/config.h"
JMF	12:0071cb144c7a	24	#else
JMF	12:0071cb144c7a	25	#include MBEDTLS_CONFIG_FILE
JMF	12:0071cb144c7a	26	#endif
JMF	12:0071cb144c7a	27
JMF	12:0071cb144c7a	28	#if defined(MBEDTLS_SSL_SRV_C)
JMF	12:0071cb144c7a	29
JMF	12:0071cb144c7a	30	#if defined(MBEDTLS_PLATFORM_C)
JMF	12:0071cb144c7a	31	#include "mbedtls/platform.h"
JMF	12:0071cb144c7a	32	#else
JMF	12:0071cb144c7a	33	#include <stdlib.h>
JMF	12:0071cb144c7a	34	#define mbedtls_calloc calloc
JMF	12:0071cb144c7a	35	#define mbedtls_free free
JMF	12:0071cb144c7a	36	#endif
JMF	12:0071cb144c7a	37
JMF	12:0071cb144c7a	38	#include "mbedtls/debug.h"
JMF	12:0071cb144c7a	39	#include "mbedtls/ssl.h"
JMF	12:0071cb144c7a	40	#include "mbedtls/ssl_internal.h"
JMF	12:0071cb144c7a	41
JMF	12:0071cb144c7a	42	#include <string.h>
JMF	12:0071cb144c7a	43
JMF	12:0071cb144c7a	44	#if defined(MBEDTLS_ECP_C)
JMF	12:0071cb144c7a	45	#include "mbedtls/ecp.h"
JMF	12:0071cb144c7a	46	#endif
JMF	12:0071cb144c7a	47
JMF	12:0071cb144c7a	48	#if defined(MBEDTLS_HAVE_TIME)
JMF	12:0071cb144c7a	49	#include "mbedtls/platform_time.h"
JMF	12:0071cb144c7a	50	#endif
JMF	12:0071cb144c7a	51
JMF	12:0071cb144c7a	52	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	53	/* Implementation that should never be optimized out by the compiler */
JMF	12:0071cb144c7a	54	static void mbedtls_zeroize( void *v, size_t n ) {
JMF	12:0071cb144c7a	55	volatile unsigned char p = v; while( n-- ) p++ = 0;
JMF	12:0071cb144c7a	56	}
JMF	12:0071cb144c7a	57	#endif
JMF	12:0071cb144c7a	58
JMF	12:0071cb144c7a	59	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
JMF	12:0071cb144c7a	60	int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	61	const unsigned char *info,
JMF	12:0071cb144c7a	62	size_t ilen )
JMF	12:0071cb144c7a	63	{
JMF	12:0071cb144c7a	64	if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
JMF	12:0071cb144c7a	65	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
JMF	12:0071cb144c7a	66
JMF	12:0071cb144c7a	67	mbedtls_free( ssl->cli_id );
JMF	12:0071cb144c7a	68
JMF	12:0071cb144c7a	69	if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
JMF	12:0071cb144c7a	70	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
JMF	12:0071cb144c7a	71
JMF	12:0071cb144c7a	72	memcpy( ssl->cli_id, info, ilen );
JMF	12:0071cb144c7a	73	ssl->cli_id_len = ilen;
JMF	12:0071cb144c7a	74
JMF	12:0071cb144c7a	75	return( 0 );
JMF	12:0071cb144c7a	76	}
JMF	12:0071cb144c7a	77
JMF	12:0071cb144c7a	78	void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
JMF	12:0071cb144c7a	79	mbedtls_ssl_cookie_write_t *f_cookie_write,
JMF	12:0071cb144c7a	80	mbedtls_ssl_cookie_check_t *f_cookie_check,
JMF	12:0071cb144c7a	81	void *p_cookie )
JMF	12:0071cb144c7a	82	{
JMF	12:0071cb144c7a	83	conf->f_cookie_write = f_cookie_write;
JMF	12:0071cb144c7a	84	conf->f_cookie_check = f_cookie_check;
JMF	12:0071cb144c7a	85	conf->p_cookie = p_cookie;
JMF	12:0071cb144c7a	86	}
JMF	12:0071cb144c7a	87	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
JMF	12:0071cb144c7a	88
JMF	12:0071cb144c7a	89	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
JMF	12:0071cb144c7a	90	static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	91	const unsigned char *buf,
JMF	12:0071cb144c7a	92	size_t len )
JMF	12:0071cb144c7a	93	{
JMF	12:0071cb144c7a	94	int ret;
JMF	12:0071cb144c7a	95	size_t servername_list_size, hostname_len;
JMF	12:0071cb144c7a	96	const unsigned char *p;
JMF	12:0071cb144c7a	97
JMF	12:0071cb144c7a	98	MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
JMF	12:0071cb144c7a	99
JMF	12:0071cb144c7a	100	servername_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
JMF	12:0071cb144c7a	101	if( servername_list_size + 2 != len )
JMF	12:0071cb144c7a	102	{
JMF	12:0071cb144c7a	103	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	104	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	105	}
JMF	12:0071cb144c7a	106
JMF	12:0071cb144c7a	107	p = buf + 2;
JMF	12:0071cb144c7a	108	while( servername_list_size > 0 )
JMF	12:0071cb144c7a	109	{
JMF	12:0071cb144c7a	110	hostname_len = ( ( p[1] << 8 ) \| p[2] );
JMF	12:0071cb144c7a	111	if( hostname_len + 3 > servername_list_size )
JMF	12:0071cb144c7a	112	{
JMF	12:0071cb144c7a	113	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	114	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	115	}
JMF	12:0071cb144c7a	116
JMF	12:0071cb144c7a	117	if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
JMF	12:0071cb144c7a	118	{
JMF	12:0071cb144c7a	119	ret = ssl->conf->f_sni( ssl->conf->p_sni,
JMF	12:0071cb144c7a	120	ssl, p + 3, hostname_len );
JMF	12:0071cb144c7a	121	if( ret != 0 )
JMF	12:0071cb144c7a	122	{
JMF	12:0071cb144c7a	123	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
JMF	12:0071cb144c7a	124	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
JMF	12:0071cb144c7a	125	MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
JMF	12:0071cb144c7a	126	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	127	}
JMF	12:0071cb144c7a	128	return( 0 );
JMF	12:0071cb144c7a	129	}
JMF	12:0071cb144c7a	130
JMF	12:0071cb144c7a	131	servername_list_size -= hostname_len + 3;
JMF	12:0071cb144c7a	132	p += hostname_len + 3;
JMF	12:0071cb144c7a	133	}
JMF	12:0071cb144c7a	134
JMF	12:0071cb144c7a	135	if( servername_list_size != 0 )
JMF	12:0071cb144c7a	136	{
JMF	12:0071cb144c7a	137	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	138	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	139	}
JMF	12:0071cb144c7a	140
JMF	12:0071cb144c7a	141	return( 0 );
JMF	12:0071cb144c7a	142	}
JMF	12:0071cb144c7a	143	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
JMF	12:0071cb144c7a	144
JMF	12:0071cb144c7a	145	static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	146	const unsigned char *buf,
JMF	12:0071cb144c7a	147	size_t len )
JMF	12:0071cb144c7a	148	{
JMF	12:0071cb144c7a	149	int ret;
JMF	12:0071cb144c7a	150
JMF	12:0071cb144c7a	151	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	152	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
JMF	12:0071cb144c7a	153	{
JMF	12:0071cb144c7a	154	/* Check verify-data in constant-time. The length OTOH is no secret */
JMF	12:0071cb144c7a	155	if( len != 1 + ssl->verify_data_len \|\|
JMF	12:0071cb144c7a	156	buf[0] != ssl->verify_data_len \|\|
JMF	12:0071cb144c7a	157	mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
JMF	12:0071cb144c7a	158	ssl->verify_data_len ) != 0 )
JMF	12:0071cb144c7a	159	{
JMF	12:0071cb144c7a	160	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
JMF	12:0071cb144c7a	161
JMF	12:0071cb144c7a	162	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
JMF	12:0071cb144c7a	163	return( ret );
JMF	12:0071cb144c7a	164
JMF	12:0071cb144c7a	165	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	166	}
JMF	12:0071cb144c7a	167	}
JMF	12:0071cb144c7a	168	else
JMF	12:0071cb144c7a	169	#endif /* MBEDTLS_SSL_RENEGOTIATION */
JMF	12:0071cb144c7a	170	{
JMF	12:0071cb144c7a	171	if( len != 1 \|\| buf[0] != 0x0 )
JMF	12:0071cb144c7a	172	{
JMF	12:0071cb144c7a	173	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
JMF	12:0071cb144c7a	174
JMF	12:0071cb144c7a	175	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
JMF	12:0071cb144c7a	176	return( ret );
JMF	12:0071cb144c7a	177
JMF	12:0071cb144c7a	178	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	179	}
JMF	12:0071cb144c7a	180
JMF	12:0071cb144c7a	181	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
JMF	12:0071cb144c7a	182	}
JMF	12:0071cb144c7a	183
JMF	12:0071cb144c7a	184	return( 0 );
JMF	12:0071cb144c7a	185	}
JMF	12:0071cb144c7a	186
JMF	12:0071cb144c7a	187	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
JMF	12:0071cb144c7a	188	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
JMF	12:0071cb144c7a	189	static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	190	const unsigned char *buf,
JMF	12:0071cb144c7a	191	size_t len )
JMF	12:0071cb144c7a	192	{
JMF	12:0071cb144c7a	193	size_t sig_alg_list_size;
JMF	12:0071cb144c7a	194	const unsigned char *p;
JMF	12:0071cb144c7a	195	const unsigned char *end = buf + len;
JMF	12:0071cb144c7a	196	const int *md_cur;
JMF	12:0071cb144c7a	197
JMF	12:0071cb144c7a	198
JMF	12:0071cb144c7a	199	sig_alg_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
JMF	12:0071cb144c7a	200	if( sig_alg_list_size + 2 != len \|\|
JMF	12:0071cb144c7a	201	sig_alg_list_size % 2 != 0 )
JMF	12:0071cb144c7a	202	{
JMF	12:0071cb144c7a	203	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	204	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	205	}
JMF	12:0071cb144c7a	206
JMF	12:0071cb144c7a	207	/*
JMF	12:0071cb144c7a	208	* For now, ignore the SignatureAlgorithm part and rely on offered
JMF	12:0071cb144c7a	209	* ciphersuites only for that part. To be fixed later.
JMF	12:0071cb144c7a	210	*
JMF	12:0071cb144c7a	211	* So, just look at the HashAlgorithm part.
JMF	12:0071cb144c7a	212	*/
JMF	12:0071cb144c7a	213	for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) {
JMF	12:0071cb144c7a	214	for( p = buf + 2; p < end; p += 2 ) {
JMF	12:0071cb144c7a	215	if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) {
JMF	12:0071cb144c7a	216	ssl->handshake->sig_alg = p[0];
JMF	12:0071cb144c7a	217	goto have_sig_alg;
JMF	12:0071cb144c7a	218	}
JMF	12:0071cb144c7a	219	}
JMF	12:0071cb144c7a	220	}
JMF	12:0071cb144c7a	221
JMF	12:0071cb144c7a	222	/* Some key echanges do not need signatures at all */
JMF	12:0071cb144c7a	223	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
JMF	12:0071cb144c7a	224	return( 0 );
JMF	12:0071cb144c7a	225
JMF	12:0071cb144c7a	226	have_sig_alg:
JMF	12:0071cb144c7a	227	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
JMF	12:0071cb144c7a	228	ssl->handshake->sig_alg ) );
JMF	12:0071cb144c7a	229
JMF	12:0071cb144c7a	230	return( 0 );
JMF	12:0071cb144c7a	231	}
JMF	12:0071cb144c7a	232	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
JMF	12:0071cb144c7a	233	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
JMF	12:0071cb144c7a	234
JMF	12:0071cb144c7a	235	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
JMF	12:0071cb144c7a	236	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	237	static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	238	const unsigned char *buf,
JMF	12:0071cb144c7a	239	size_t len )
JMF	12:0071cb144c7a	240	{
JMF	12:0071cb144c7a	241	size_t list_size, our_size;
JMF	12:0071cb144c7a	242	const unsigned char *p;
JMF	12:0071cb144c7a	243	const mbedtls_ecp_curve_info curve_info, *curves;
JMF	12:0071cb144c7a	244
JMF	12:0071cb144c7a	245	list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
JMF	12:0071cb144c7a	246	if( list_size + 2 != len \|\|
JMF	12:0071cb144c7a	247	list_size % 2 != 0 )
JMF	12:0071cb144c7a	248	{
JMF	12:0071cb144c7a	249	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	250	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	251	}
JMF	12:0071cb144c7a	252
JMF	12:0071cb144c7a	253	/* Should never happen unless client duplicates the extension */
JMF	12:0071cb144c7a	254	if( ssl->handshake->curves != NULL )
JMF	12:0071cb144c7a	255	{
JMF	12:0071cb144c7a	256	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	257	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	258	}
JMF	12:0071cb144c7a	259
JMF	12:0071cb144c7a	260	/* Don't allow our peer to make us allocate too much memory,
JMF	12:0071cb144c7a	261	* and leave room for a final 0 */
JMF	12:0071cb144c7a	262	our_size = list_size / 2 + 1;
JMF	12:0071cb144c7a	263	if( our_size > MBEDTLS_ECP_DP_MAX )
JMF	12:0071cb144c7a	264	our_size = MBEDTLS_ECP_DP_MAX;
JMF	12:0071cb144c7a	265
JMF	12:0071cb144c7a	266	if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
JMF	12:0071cb144c7a	267	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
JMF	12:0071cb144c7a	268
JMF	12:0071cb144c7a	269	ssl->handshake->curves = curves;
JMF	12:0071cb144c7a	270
JMF	12:0071cb144c7a	271	p = buf + 2;
JMF	12:0071cb144c7a	272	while( list_size > 0 && our_size > 1 )
JMF	12:0071cb144c7a	273	{
JMF	12:0071cb144c7a	274	curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) \| p[1] );
JMF	12:0071cb144c7a	275
JMF	12:0071cb144c7a	276	if( curve_info != NULL )
JMF	12:0071cb144c7a	277	{
JMF	12:0071cb144c7a	278	*curves++ = curve_info;
JMF	12:0071cb144c7a	279	our_size--;
JMF	12:0071cb144c7a	280	}
JMF	12:0071cb144c7a	281
JMF	12:0071cb144c7a	282	list_size -= 2;
JMF	12:0071cb144c7a	283	p += 2;
JMF	12:0071cb144c7a	284	}
JMF	12:0071cb144c7a	285
JMF	12:0071cb144c7a	286	return( 0 );
JMF	12:0071cb144c7a	287	}
JMF	12:0071cb144c7a	288
JMF	12:0071cb144c7a	289	static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	290	const unsigned char *buf,
JMF	12:0071cb144c7a	291	size_t len )
JMF	12:0071cb144c7a	292	{
JMF	12:0071cb144c7a	293	size_t list_size;
JMF	12:0071cb144c7a	294	const unsigned char *p;
JMF	12:0071cb144c7a	295
JMF	12:0071cb144c7a	296	list_size = buf[0];
JMF	12:0071cb144c7a	297	if( list_size + 1 != len )
JMF	12:0071cb144c7a	298	{
JMF	12:0071cb144c7a	299	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	300	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	301	}
JMF	12:0071cb144c7a	302
JMF	12:0071cb144c7a	303	p = buf + 1;
JMF	12:0071cb144c7a	304	while( list_size > 0 )
JMF	12:0071cb144c7a	305	{
JMF	12:0071cb144c7a	306	if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED \|\|
JMF	12:0071cb144c7a	307	p[0] == MBEDTLS_ECP_PF_COMPRESSED )
JMF	12:0071cb144c7a	308	{
JMF	12:0071cb144c7a	309	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
JMF	12:0071cb144c7a	310	ssl->handshake->ecdh_ctx.point_format = p[0];
JMF	12:0071cb144c7a	311	#endif
JMF	12:0071cb144c7a	312	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	313	ssl->handshake->ecjpake_ctx.point_format = p[0];
JMF	12:0071cb144c7a	314	#endif
JMF	12:0071cb144c7a	315	MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
JMF	12:0071cb144c7a	316	return( 0 );
JMF	12:0071cb144c7a	317	}
JMF	12:0071cb144c7a	318
JMF	12:0071cb144c7a	319	list_size--;
JMF	12:0071cb144c7a	320	p++;
JMF	12:0071cb144c7a	321	}
JMF	12:0071cb144c7a	322
JMF	12:0071cb144c7a	323	return( 0 );
JMF	12:0071cb144c7a	324	}
JMF	12:0071cb144c7a	325	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
JMF	12:0071cb144c7a	326	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	327
JMF	12:0071cb144c7a	328	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	329	static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	330	const unsigned char *buf,
JMF	12:0071cb144c7a	331	size_t len )
JMF	12:0071cb144c7a	332	{
JMF	12:0071cb144c7a	333	int ret;
JMF	12:0071cb144c7a	334
JMF	12:0071cb144c7a	335	if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
JMF	12:0071cb144c7a	336	{
JMF	12:0071cb144c7a	337	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
JMF	12:0071cb144c7a	338	return( 0 );
JMF	12:0071cb144c7a	339	}
JMF	12:0071cb144c7a	340
JMF	12:0071cb144c7a	341	if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
JMF	12:0071cb144c7a	342	buf, len ) ) != 0 )
JMF	12:0071cb144c7a	343	{
JMF	12:0071cb144c7a	344	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
JMF	12:0071cb144c7a	345	return( ret );
JMF	12:0071cb144c7a	346	}
JMF	12:0071cb144c7a	347
JMF	12:0071cb144c7a	348	/* Only mark the extension as OK when we're sure it is */
JMF	12:0071cb144c7a	349	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
JMF	12:0071cb144c7a	350
JMF	12:0071cb144c7a	351	return( 0 );
JMF	12:0071cb144c7a	352	}
JMF	12:0071cb144c7a	353	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	354
JMF	12:0071cb144c7a	355	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
JMF	12:0071cb144c7a	356	static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	357	const unsigned char *buf,
JMF	12:0071cb144c7a	358	size_t len )
JMF	12:0071cb144c7a	359	{
JMF	12:0071cb144c7a	360	if( len != 1 \|\| buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
JMF	12:0071cb144c7a	361	{
JMF	12:0071cb144c7a	362	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	363	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	364	}
JMF	12:0071cb144c7a	365
JMF	12:0071cb144c7a	366	ssl->session_negotiate->mfl_code = buf[0];
JMF	12:0071cb144c7a	367
JMF	12:0071cb144c7a	368	return( 0 );
JMF	12:0071cb144c7a	369	}
JMF	12:0071cb144c7a	370	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
JMF	12:0071cb144c7a	371
JMF	12:0071cb144c7a	372	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
JMF	12:0071cb144c7a	373	static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	374	const unsigned char *buf,
JMF	12:0071cb144c7a	375	size_t len )
JMF	12:0071cb144c7a	376	{
JMF	12:0071cb144c7a	377	if( len != 0 )
JMF	12:0071cb144c7a	378	{
JMF	12:0071cb144c7a	379	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	380	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	381	}
JMF	12:0071cb144c7a	382
JMF	12:0071cb144c7a	383	((void) buf);
JMF	12:0071cb144c7a	384
JMF	12:0071cb144c7a	385	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
JMF	12:0071cb144c7a	386	ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
JMF	12:0071cb144c7a	387
JMF	12:0071cb144c7a	388	return( 0 );
JMF	12:0071cb144c7a	389	}
JMF	12:0071cb144c7a	390	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
JMF	12:0071cb144c7a	391
JMF	12:0071cb144c7a	392	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
JMF	12:0071cb144c7a	393	static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	394	const unsigned char *buf,
JMF	12:0071cb144c7a	395	size_t len )
JMF	12:0071cb144c7a	396	{
JMF	12:0071cb144c7a	397	if( len != 0 )
JMF	12:0071cb144c7a	398	{
JMF	12:0071cb144c7a	399	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	400	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	401	}
JMF	12:0071cb144c7a	402
JMF	12:0071cb144c7a	403	((void) buf);
JMF	12:0071cb144c7a	404
JMF	12:0071cb144c7a	405	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
JMF	12:0071cb144c7a	406	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
JMF	12:0071cb144c7a	407	{
JMF	12:0071cb144c7a	408	ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
JMF	12:0071cb144c7a	409	}
JMF	12:0071cb144c7a	410
JMF	12:0071cb144c7a	411	return( 0 );
JMF	12:0071cb144c7a	412	}
JMF	12:0071cb144c7a	413	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
JMF	12:0071cb144c7a	414
JMF	12:0071cb144c7a	415	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
JMF	12:0071cb144c7a	416	static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	417	const unsigned char *buf,
JMF	12:0071cb144c7a	418	size_t len )
JMF	12:0071cb144c7a	419	{
JMF	12:0071cb144c7a	420	if( len != 0 )
JMF	12:0071cb144c7a	421	{
JMF	12:0071cb144c7a	422	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	423	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	424	}
JMF	12:0071cb144c7a	425
JMF	12:0071cb144c7a	426	((void) buf);
JMF	12:0071cb144c7a	427
JMF	12:0071cb144c7a	428	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
JMF	12:0071cb144c7a	429	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
JMF	12:0071cb144c7a	430	{
JMF	12:0071cb144c7a	431	ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
JMF	12:0071cb144c7a	432	}
JMF	12:0071cb144c7a	433
JMF	12:0071cb144c7a	434	return( 0 );
JMF	12:0071cb144c7a	435	}
JMF	12:0071cb144c7a	436	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
JMF	12:0071cb144c7a	437
JMF	12:0071cb144c7a	438	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	439	static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	440	unsigned char *buf,
JMF	12:0071cb144c7a	441	size_t len )
JMF	12:0071cb144c7a	442	{
JMF	12:0071cb144c7a	443	int ret;
JMF	12:0071cb144c7a	444	mbedtls_ssl_session session;
JMF	12:0071cb144c7a	445
JMF	12:0071cb144c7a	446	mbedtls_ssl_session_init( &session );
JMF	12:0071cb144c7a	447
JMF	12:0071cb144c7a	448	if( ssl->conf->f_ticket_parse == NULL \|\|
JMF	12:0071cb144c7a	449	ssl->conf->f_ticket_write == NULL )
JMF	12:0071cb144c7a	450	{
JMF	12:0071cb144c7a	451	return( 0 );
JMF	12:0071cb144c7a	452	}
JMF	12:0071cb144c7a	453
JMF	12:0071cb144c7a	454	/* Remember the client asked us to send a new ticket */
JMF	12:0071cb144c7a	455	ssl->handshake->new_session_ticket = 1;
JMF	12:0071cb144c7a	456
JMF	12:0071cb144c7a	457	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
JMF	12:0071cb144c7a	458
JMF	12:0071cb144c7a	459	if( len == 0 )
JMF	12:0071cb144c7a	460	return( 0 );
JMF	12:0071cb144c7a	461
JMF	12:0071cb144c7a	462	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	463	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
JMF	12:0071cb144c7a	464	{
JMF	12:0071cb144c7a	465	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
JMF	12:0071cb144c7a	466	return( 0 );
JMF	12:0071cb144c7a	467	}
JMF	12:0071cb144c7a	468	#endif /* MBEDTLS_SSL_RENEGOTIATION */
JMF	12:0071cb144c7a	469
JMF	12:0071cb144c7a	470	/*
JMF	12:0071cb144c7a	471	* Failures are ok: just ignore the ticket and proceed.
JMF	12:0071cb144c7a	472	*/
JMF	12:0071cb144c7a	473	if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
JMF	12:0071cb144c7a	474	buf, len ) ) != 0 )
JMF	12:0071cb144c7a	475	{
JMF	12:0071cb144c7a	476	mbedtls_ssl_session_free( &session );
JMF	12:0071cb144c7a	477
JMF	12:0071cb144c7a	478	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
JMF	12:0071cb144c7a	479	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
JMF	12:0071cb144c7a	480	else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
JMF	12:0071cb144c7a	481	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
JMF	12:0071cb144c7a	482	else
JMF	12:0071cb144c7a	483	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
JMF	12:0071cb144c7a	484
JMF	12:0071cb144c7a	485	return( 0 );
JMF	12:0071cb144c7a	486	}
JMF	12:0071cb144c7a	487
JMF	12:0071cb144c7a	488	/*
JMF	12:0071cb144c7a	489	* Keep the session ID sent by the client, since we MUST send it back to
JMF	12:0071cb144c7a	490	* inform them we're accepting the ticket (RFC 5077 section 3.4)
JMF	12:0071cb144c7a	491	*/
JMF	12:0071cb144c7a	492	session.id_len = ssl->session_negotiate->id_len;
JMF	12:0071cb144c7a	493	memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
JMF	12:0071cb144c7a	494
JMF	12:0071cb144c7a	495	mbedtls_ssl_session_free( ssl->session_negotiate );
JMF	12:0071cb144c7a	496	memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
JMF	12:0071cb144c7a	497
JMF	12:0071cb144c7a	498	/* Zeroize instead of free as we copied the content */
JMF	12:0071cb144c7a	499	mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
JMF	12:0071cb144c7a	500
JMF	12:0071cb144c7a	501	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
JMF	12:0071cb144c7a	502
JMF	12:0071cb144c7a	503	ssl->handshake->resume = 1;
JMF	12:0071cb144c7a	504
JMF	12:0071cb144c7a	505	/* Don't send a new ticket after all, this one is OK */
JMF	12:0071cb144c7a	506	ssl->handshake->new_session_ticket = 0;
JMF	12:0071cb144c7a	507
JMF	12:0071cb144c7a	508	return( 0 );
JMF	12:0071cb144c7a	509	}
JMF	12:0071cb144c7a	510	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
JMF	12:0071cb144c7a	511
JMF	12:0071cb144c7a	512	#if defined(MBEDTLS_SSL_ALPN)
JMF	12:0071cb144c7a	513	static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	514	const unsigned char *buf, size_t len )
JMF	12:0071cb144c7a	515	{
JMF	12:0071cb144c7a	516	size_t list_len, cur_len, ours_len;
JMF	12:0071cb144c7a	517	const unsigned char theirs, start, *end;
JMF	12:0071cb144c7a	518	const char **ours;
JMF	12:0071cb144c7a	519
JMF	12:0071cb144c7a	520	/* If ALPN not configured, just ignore the extension */
JMF	12:0071cb144c7a	521	if( ssl->conf->alpn_list == NULL )
JMF	12:0071cb144c7a	522	return( 0 );
JMF	12:0071cb144c7a	523
JMF	12:0071cb144c7a	524	/*
JMF	12:0071cb144c7a	525	* opaque ProtocolName<1..2^8-1>;
JMF	12:0071cb144c7a	526	*
JMF	12:0071cb144c7a	527	* struct {
JMF	12:0071cb144c7a	528	* ProtocolName protocol_name_list<2..2^16-1>
JMF	12:0071cb144c7a	529	* } ProtocolNameList;
JMF	12:0071cb144c7a	530	*/
JMF	12:0071cb144c7a	531
JMF	12:0071cb144c7a	532	/* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
JMF	12:0071cb144c7a	533	if( len < 4 )
JMF	12:0071cb144c7a	534	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	535
JMF	12:0071cb144c7a	536	list_len = ( buf[0] << 8 ) \| buf[1];
JMF	12:0071cb144c7a	537	if( list_len != len - 2 )
JMF	12:0071cb144c7a	538	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	539
JMF	12:0071cb144c7a	540	/*
JMF	12:0071cb144c7a	541	* Use our order of preference
JMF	12:0071cb144c7a	542	*/
JMF	12:0071cb144c7a	543	start = buf + 2;
JMF	12:0071cb144c7a	544	end = buf + len;
JMF	12:0071cb144c7a	545	for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
JMF	12:0071cb144c7a	546	{
JMF	12:0071cb144c7a	547	ours_len = strlen( *ours );
JMF	12:0071cb144c7a	548	for( theirs = start; theirs != end; theirs += cur_len )
JMF	12:0071cb144c7a	549	{
JMF	12:0071cb144c7a	550	/* If the list is well formed, we should get equality first */
JMF	12:0071cb144c7a	551	if( theirs > end )
JMF	12:0071cb144c7a	552	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	553
JMF	12:0071cb144c7a	554	cur_len = *theirs++;
JMF	12:0071cb144c7a	555
JMF	12:0071cb144c7a	556	/* Empty strings MUST NOT be included */
JMF	12:0071cb144c7a	557	if( cur_len == 0 )
JMF	12:0071cb144c7a	558	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	559
JMF	12:0071cb144c7a	560	if( cur_len == ours_len &&
JMF	12:0071cb144c7a	561	memcmp( theirs, *ours, cur_len ) == 0 )
JMF	12:0071cb144c7a	562	{
JMF	12:0071cb144c7a	563	ssl->alpn_chosen = *ours;
JMF	12:0071cb144c7a	564	return( 0 );
JMF	12:0071cb144c7a	565	}
JMF	12:0071cb144c7a	566	}
JMF	12:0071cb144c7a	567	}
JMF	12:0071cb144c7a	568
JMF	12:0071cb144c7a	569	/* If we get there, no match was found */
JMF	12:0071cb144c7a	570	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
JMF	12:0071cb144c7a	571	MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
JMF	12:0071cb144c7a	572	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	573	}
JMF	12:0071cb144c7a	574	#endif /* MBEDTLS_SSL_ALPN */
JMF	12:0071cb144c7a	575
JMF	12:0071cb144c7a	576	/*
JMF	12:0071cb144c7a	577	* Auxiliary functions for ServerHello parsing and related actions
JMF	12:0071cb144c7a	578	*/
JMF	12:0071cb144c7a	579
JMF	12:0071cb144c7a	580	#if defined(MBEDTLS_X509_CRT_PARSE_C)
JMF	12:0071cb144c7a	581	/*
JMF	12:0071cb144c7a	582	* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
JMF	12:0071cb144c7a	583	*/
JMF	12:0071cb144c7a	584	#if defined(MBEDTLS_ECDSA_C)
JMF	12:0071cb144c7a	585	static int ssl_check_key_curve( mbedtls_pk_context *pk,
JMF	12:0071cb144c7a	586	const mbedtls_ecp_curve_info **curves )
JMF	12:0071cb144c7a	587	{
JMF	12:0071cb144c7a	588	const mbedtls_ecp_curve_info **crv = curves;
JMF	12:0071cb144c7a	589	mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
JMF	12:0071cb144c7a	590
JMF	12:0071cb144c7a	591	while( *crv != NULL )
JMF	12:0071cb144c7a	592	{
JMF	12:0071cb144c7a	593	if( (*crv)->grp_id == grp_id )
JMF	12:0071cb144c7a	594	return( 0 );
JMF	12:0071cb144c7a	595	crv++;
JMF	12:0071cb144c7a	596	}
JMF	12:0071cb144c7a	597
JMF	12:0071cb144c7a	598	return( -1 );
JMF	12:0071cb144c7a	599	}
JMF	12:0071cb144c7a	600	#endif /* MBEDTLS_ECDSA_C */
JMF	12:0071cb144c7a	601
JMF	12:0071cb144c7a	602	/*
JMF	12:0071cb144c7a	603	* Try picking a certificate for this ciphersuite,
JMF	12:0071cb144c7a	604	* return 0 on success and -1 on failure.
JMF	12:0071cb144c7a	605	*/
JMF	12:0071cb144c7a	606	static int ssl_pick_cert( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	607	const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
JMF	12:0071cb144c7a	608	{
JMF	12:0071cb144c7a	609	mbedtls_ssl_key_cert cur, list, *fallback = NULL;
JMF	12:0071cb144c7a	610	mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
JMF	12:0071cb144c7a	611	uint32_t flags;
JMF	12:0071cb144c7a	612
JMF	12:0071cb144c7a	613	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
JMF	12:0071cb144c7a	614	if( ssl->handshake->sni_key_cert != NULL )
JMF	12:0071cb144c7a	615	list = ssl->handshake->sni_key_cert;
JMF	12:0071cb144c7a	616	else
JMF	12:0071cb144c7a	617	#endif
JMF	12:0071cb144c7a	618	list = ssl->conf->key_cert;
JMF	12:0071cb144c7a	619
JMF	12:0071cb144c7a	620	if( pk_alg == MBEDTLS_PK_NONE )
JMF	12:0071cb144c7a	621	return( 0 );
JMF	12:0071cb144c7a	622
JMF	12:0071cb144c7a	623	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
JMF	12:0071cb144c7a	624
JMF	12:0071cb144c7a	625	if( list == NULL )
JMF	12:0071cb144c7a	626	{
JMF	12:0071cb144c7a	627	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
JMF	12:0071cb144c7a	628	return( -1 );
JMF	12:0071cb144c7a	629	}
JMF	12:0071cb144c7a	630
JMF	12:0071cb144c7a	631	for( cur = list; cur != NULL; cur = cur->next )
JMF	12:0071cb144c7a	632	{
JMF	12:0071cb144c7a	633	MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
JMF	12:0071cb144c7a	634	cur->cert );
JMF	12:0071cb144c7a	635
JMF	12:0071cb144c7a	636	if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
JMF	12:0071cb144c7a	637	{
JMF	12:0071cb144c7a	638	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
JMF	12:0071cb144c7a	639	continue;
JMF	12:0071cb144c7a	640	}
JMF	12:0071cb144c7a	641
JMF	12:0071cb144c7a	642	/*
JMF	12:0071cb144c7a	643	* This avoids sending the client a cert it'll reject based on
JMF	12:0071cb144c7a	644	* keyUsage or other extensions.
JMF	12:0071cb144c7a	645	*
JMF	12:0071cb144c7a	646	* It also allows the user to provision different certificates for
JMF	12:0071cb144c7a	647	* different uses based on keyUsage, eg if they want to avoid signing
JMF	12:0071cb144c7a	648	* and decrypting with the same RSA key.
JMF	12:0071cb144c7a	649	*/
JMF	12:0071cb144c7a	650	if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
JMF	12:0071cb144c7a	651	MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
JMF	12:0071cb144c7a	652	{
JMF	12:0071cb144c7a	653	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
JMF	12:0071cb144c7a	654	"(extended) key usage extension" ) );
JMF	12:0071cb144c7a	655	continue;
JMF	12:0071cb144c7a	656	}
JMF	12:0071cb144c7a	657
JMF	12:0071cb144c7a	658	#if defined(MBEDTLS_ECDSA_C)
JMF	12:0071cb144c7a	659	if( pk_alg == MBEDTLS_PK_ECDSA &&
JMF	12:0071cb144c7a	660	ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
JMF	12:0071cb144c7a	661	{
JMF	12:0071cb144c7a	662	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
JMF	12:0071cb144c7a	663	continue;
JMF	12:0071cb144c7a	664	}
JMF	12:0071cb144c7a	665	#endif
JMF	12:0071cb144c7a	666
JMF	12:0071cb144c7a	667	/*
JMF	12:0071cb144c7a	668	* Try to select a SHA-1 certificate for pre-1.2 clients, but still
JMF	12:0071cb144c7a	669	* present them a SHA-higher cert rather than failing if it's the only
JMF	12:0071cb144c7a	670	* one we got that satisfies the other conditions.
JMF	12:0071cb144c7a	671	*/
JMF	12:0071cb144c7a	672	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
JMF	12:0071cb144c7a	673	cur->cert->sig_md != MBEDTLS_MD_SHA1 )
JMF	12:0071cb144c7a	674	{
JMF	12:0071cb144c7a	675	if( fallback == NULL )
JMF	12:0071cb144c7a	676	fallback = cur;
JMF	12:0071cb144c7a	677	{
JMF	12:0071cb144c7a	678	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
JMF	12:0071cb144c7a	679	"sha-2 with pre-TLS 1.2 client" ) );
JMF	12:0071cb144c7a	680	continue;
JMF	12:0071cb144c7a	681	}
JMF	12:0071cb144c7a	682	}
JMF	12:0071cb144c7a	683
JMF	12:0071cb144c7a	684	/* If we get there, we got a winner */
JMF	12:0071cb144c7a	685	break;
JMF	12:0071cb144c7a	686	}
JMF	12:0071cb144c7a	687
JMF	12:0071cb144c7a	688	if( cur == NULL )
JMF	12:0071cb144c7a	689	cur = fallback;
JMF	12:0071cb144c7a	690
JMF	12:0071cb144c7a	691	/* Do not update ssl->handshake->key_cert unless there is a match */
JMF	12:0071cb144c7a	692	if( cur != NULL )
JMF	12:0071cb144c7a	693	{
JMF	12:0071cb144c7a	694	ssl->handshake->key_cert = cur;
JMF	12:0071cb144c7a	695	MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
JMF	12:0071cb144c7a	696	ssl->handshake->key_cert->cert );
JMF	12:0071cb144c7a	697	return( 0 );
JMF	12:0071cb144c7a	698	}
JMF	12:0071cb144c7a	699
JMF	12:0071cb144c7a	700	return( -1 );
JMF	12:0071cb144c7a	701	}
JMF	12:0071cb144c7a	702	#endif /* MBEDTLS_X509_CRT_PARSE_C */
JMF	12:0071cb144c7a	703
JMF	12:0071cb144c7a	704	/*
JMF	12:0071cb144c7a	705	* Check if a given ciphersuite is suitable for use with our config/keys/etc
JMF	12:0071cb144c7a	706	* Sets ciphersuite_info only if the suite matches.
JMF	12:0071cb144c7a	707	*/
JMF	12:0071cb144c7a	708	static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
JMF	12:0071cb144c7a	709	const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
JMF	12:0071cb144c7a	710	{
JMF	12:0071cb144c7a	711	const mbedtls_ssl_ciphersuite_t *suite_info;
JMF	12:0071cb144c7a	712
JMF	12:0071cb144c7a	713	suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
JMF	12:0071cb144c7a	714	if( suite_info == NULL )
JMF	12:0071cb144c7a	715	{
JMF	12:0071cb144c7a	716	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	717	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	718	}
JMF	12:0071cb144c7a	719
JMF	12:0071cb144c7a	720	MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
JMF	12:0071cb144c7a	721
JMF	12:0071cb144c7a	722	if( suite_info->min_minor_ver > ssl->minor_ver \|\|
JMF	12:0071cb144c7a	723	suite_info->max_minor_ver < ssl->minor_ver )
JMF	12:0071cb144c7a	724	{
JMF	12:0071cb144c7a	725	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
JMF	12:0071cb144c7a	726	return( 0 );
JMF	12:0071cb144c7a	727	}
JMF	12:0071cb144c7a	728
JMF	12:0071cb144c7a	729	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	730	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
JMF	12:0071cb144c7a	731	( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
JMF	12:0071cb144c7a	732	return( 0 );
JMF	12:0071cb144c7a	733	#endif
JMF	12:0071cb144c7a	734
JMF	12:0071cb144c7a	735	#if defined(MBEDTLS_ARC4_C)
JMF	12:0071cb144c7a	736	if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
JMF	12:0071cb144c7a	737	suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
JMF	12:0071cb144c7a	738	{
JMF	12:0071cb144c7a	739	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
JMF	12:0071cb144c7a	740	return( 0 );
JMF	12:0071cb144c7a	741	}
JMF	12:0071cb144c7a	742	#endif
JMF	12:0071cb144c7a	743
JMF	12:0071cb144c7a	744	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	745	if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
JMF	12:0071cb144c7a	746	( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
JMF	12:0071cb144c7a	747	{
JMF	12:0071cb144c7a	748	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
JMF	12:0071cb144c7a	749	"not configured or ext missing" ) );
JMF	12:0071cb144c7a	750	return( 0 );
JMF	12:0071cb144c7a	751	}
JMF	12:0071cb144c7a	752	#endif
JMF	12:0071cb144c7a	753
JMF	12:0071cb144c7a	754
JMF	12:0071cb144c7a	755	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
JMF	12:0071cb144c7a	756	if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
JMF	12:0071cb144c7a	757	( ssl->handshake->curves == NULL \|\|
JMF	12:0071cb144c7a	758	ssl->handshake->curves[0] == NULL ) )
JMF	12:0071cb144c7a	759	{
JMF	12:0071cb144c7a	760	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
JMF	12:0071cb144c7a	761	"no common elliptic curve" ) );
JMF	12:0071cb144c7a	762	return( 0 );
JMF	12:0071cb144c7a	763	}
JMF	12:0071cb144c7a	764	#endif
JMF	12:0071cb144c7a	765
JMF	12:0071cb144c7a	766	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
JMF	12:0071cb144c7a	767	/* If the ciphersuite requires a pre-shared key and we don't
JMF	12:0071cb144c7a	768	* have one, skip it now rather than failing later */
JMF	12:0071cb144c7a	769	if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
JMF	12:0071cb144c7a	770	ssl->conf->f_psk == NULL &&
JMF	12:0071cb144c7a	771	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
JMF	12:0071cb144c7a	772	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
JMF	12:0071cb144c7a	773	{
JMF	12:0071cb144c7a	774	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
JMF	12:0071cb144c7a	775	return( 0 );
JMF	12:0071cb144c7a	776	}
JMF	12:0071cb144c7a	777	#endif
JMF	12:0071cb144c7a	778
JMF	12:0071cb144c7a	779	#if defined(MBEDTLS_X509_CRT_PARSE_C)
JMF	12:0071cb144c7a	780	/*
JMF	12:0071cb144c7a	781	* Final check: if ciphersuite requires us to have a
JMF	12:0071cb144c7a	782	* certificate/key of a particular type:
JMF	12:0071cb144c7a	783	* - select the appropriate certificate if we have one, or
JMF	12:0071cb144c7a	784	* - try the next ciphersuite if we don't
JMF	12:0071cb144c7a	785	* This must be done last since we modify the key_cert list.
JMF	12:0071cb144c7a	786	*/
JMF	12:0071cb144c7a	787	if( ssl_pick_cert( ssl, suite_info ) != 0 )
JMF	12:0071cb144c7a	788	{
JMF	12:0071cb144c7a	789	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
JMF	12:0071cb144c7a	790	"no suitable certificate" ) );
JMF	12:0071cb144c7a	791	return( 0 );
JMF	12:0071cb144c7a	792	}
JMF	12:0071cb144c7a	793	#endif
JMF	12:0071cb144c7a	794
JMF	12:0071cb144c7a	795	*ciphersuite_info = suite_info;
JMF	12:0071cb144c7a	796	return( 0 );
JMF	12:0071cb144c7a	797	}
JMF	12:0071cb144c7a	798
JMF	12:0071cb144c7a	799	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
JMF	12:0071cb144c7a	800	static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	801	{
JMF	12:0071cb144c7a	802	int ret, got_common_suite;
JMF	12:0071cb144c7a	803	unsigned int i, j;
JMF	12:0071cb144c7a	804	size_t n;
JMF	12:0071cb144c7a	805	unsigned int ciph_len, sess_len, chal_len;
JMF	12:0071cb144c7a	806	unsigned char buf, p;
JMF	12:0071cb144c7a	807	const int *ciphersuites;
JMF	12:0071cb144c7a	808	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
JMF	12:0071cb144c7a	809
JMF	12:0071cb144c7a	810	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
JMF	12:0071cb144c7a	811
JMF	12:0071cb144c7a	812	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	813	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
JMF	12:0071cb144c7a	814	{
JMF	12:0071cb144c7a	815	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
JMF	12:0071cb144c7a	816
JMF	12:0071cb144c7a	817	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
JMF	12:0071cb144c7a	818	return( ret );
JMF	12:0071cb144c7a	819
JMF	12:0071cb144c7a	820	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	821	}
JMF	12:0071cb144c7a	822	#endif /* MBEDTLS_SSL_RENEGOTIATION */
JMF	12:0071cb144c7a	823
JMF	12:0071cb144c7a	824	buf = ssl->in_hdr;
JMF	12:0071cb144c7a	825
JMF	12:0071cb144c7a	826	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
JMF	12:0071cb144c7a	827
JMF	12:0071cb144c7a	828	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
JMF	12:0071cb144c7a	829	buf[2] ) );
JMF	12:0071cb144c7a	830	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
JMF	12:0071cb144c7a	831	( ( buf[0] & 0x7F ) << 8 ) \| buf[1] ) );
JMF	12:0071cb144c7a	832	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
JMF	12:0071cb144c7a	833	buf[3], buf[4] ) );
JMF	12:0071cb144c7a	834
JMF	12:0071cb144c7a	835	/*
JMF	12:0071cb144c7a	836	* SSLv2 Client Hello
JMF	12:0071cb144c7a	837	*
JMF	12:0071cb144c7a	838	* Record layer:
JMF	12:0071cb144c7a	839	* 0 . 1 message length
JMF	12:0071cb144c7a	840	*
JMF	12:0071cb144c7a	841	* SSL layer:
JMF	12:0071cb144c7a	842	* 2 . 2 message type
JMF	12:0071cb144c7a	843	* 3 . 4 protocol version
JMF	12:0071cb144c7a	844	*/
JMF	12:0071cb144c7a	845	if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO \|\|
JMF	12:0071cb144c7a	846	buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
JMF	12:0071cb144c7a	847	{
JMF	12:0071cb144c7a	848	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	849	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	850	}
JMF	12:0071cb144c7a	851
JMF	12:0071cb144c7a	852	n = ( ( buf[0] << 8 ) \| buf[1] ) & 0x7FFF;
JMF	12:0071cb144c7a	853
JMF	12:0071cb144c7a	854	if( n < 17 \|\| n > 512 )
JMF	12:0071cb144c7a	855	{
JMF	12:0071cb144c7a	856	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	857	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	858	}
JMF	12:0071cb144c7a	859
JMF	12:0071cb144c7a	860	ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
JMF	12:0071cb144c7a	861	ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
JMF	12:0071cb144c7a	862	? buf[4] : ssl->conf->max_minor_ver;
JMF	12:0071cb144c7a	863
JMF	12:0071cb144c7a	864	if( ssl->minor_ver < ssl->conf->min_minor_ver )
JMF	12:0071cb144c7a	865	{
JMF	12:0071cb144c7a	866	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
JMF	12:0071cb144c7a	867	" [%d:%d] < [%d:%d]",
JMF	12:0071cb144c7a	868	ssl->major_ver, ssl->minor_ver,
JMF	12:0071cb144c7a	869	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
JMF	12:0071cb144c7a	870
JMF	12:0071cb144c7a	871	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
JMF	12:0071cb144c7a	872	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
JMF	12:0071cb144c7a	873	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
JMF	12:0071cb144c7a	874	}
JMF	12:0071cb144c7a	875
JMF	12:0071cb144c7a	876	ssl->handshake->max_major_ver = buf[3];
JMF	12:0071cb144c7a	877	ssl->handshake->max_minor_ver = buf[4];
JMF	12:0071cb144c7a	878
JMF	12:0071cb144c7a	879	if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
JMF	12:0071cb144c7a	880	{
JMF	12:0071cb144c7a	881	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
JMF	12:0071cb144c7a	882	return( ret );
JMF	12:0071cb144c7a	883	}
JMF	12:0071cb144c7a	884
JMF	12:0071cb144c7a	885	ssl->handshake->update_checksum( ssl, buf + 2, n );
JMF	12:0071cb144c7a	886
JMF	12:0071cb144c7a	887	buf = ssl->in_msg;
JMF	12:0071cb144c7a	888	n = ssl->in_left - 5;
JMF	12:0071cb144c7a	889
JMF	12:0071cb144c7a	890	/*
JMF	12:0071cb144c7a	891	* 0 . 1 ciphersuitelist length
JMF	12:0071cb144c7a	892	* 2 . 3 session id length
JMF	12:0071cb144c7a	893	* 4 . 5 challenge length
JMF	12:0071cb144c7a	894	* 6 . .. ciphersuitelist
JMF	12:0071cb144c7a	895	* .. . .. session id
JMF	12:0071cb144c7a	896	* .. . .. challenge
JMF	12:0071cb144c7a	897	*/
JMF	12:0071cb144c7a	898	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
JMF	12:0071cb144c7a	899
JMF	12:0071cb144c7a	900	ciph_len = ( buf[0] << 8 ) \| buf[1];
JMF	12:0071cb144c7a	901	sess_len = ( buf[2] << 8 ) \| buf[3];
JMF	12:0071cb144c7a	902	chal_len = ( buf[4] << 8 ) \| buf[5];
JMF	12:0071cb144c7a	903
JMF	12:0071cb144c7a	904	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
JMF	12:0071cb144c7a	905	ciph_len, sess_len, chal_len ) );
JMF	12:0071cb144c7a	906
JMF	12:0071cb144c7a	907	/*
JMF	12:0071cb144c7a	908	* Make sure each parameter length is valid
JMF	12:0071cb144c7a	909	*/
JMF	12:0071cb144c7a	910	if( ciph_len < 3 \|\| ( ciph_len % 3 ) != 0 )
JMF	12:0071cb144c7a	911	{
JMF	12:0071cb144c7a	912	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	913	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	914	}
JMF	12:0071cb144c7a	915
JMF	12:0071cb144c7a	916	if( sess_len > 32 )
JMF	12:0071cb144c7a	917	{
JMF	12:0071cb144c7a	918	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	919	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	920	}
JMF	12:0071cb144c7a	921
JMF	12:0071cb144c7a	922	if( chal_len < 8 \|\| chal_len > 32 )
JMF	12:0071cb144c7a	923	{
JMF	12:0071cb144c7a	924	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	925	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	926	}
JMF	12:0071cb144c7a	927
JMF	12:0071cb144c7a	928	if( n != 6 + ciph_len + sess_len + chal_len )
JMF	12:0071cb144c7a	929	{
JMF	12:0071cb144c7a	930	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	931	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	932	}
JMF	12:0071cb144c7a	933
JMF	12:0071cb144c7a	934	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
JMF	12:0071cb144c7a	935	buf + 6, ciph_len );
JMF	12:0071cb144c7a	936	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
JMF	12:0071cb144c7a	937	buf + 6 + ciph_len, sess_len );
JMF	12:0071cb144c7a	938	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
JMF	12:0071cb144c7a	939	buf + 6 + ciph_len + sess_len, chal_len );
JMF	12:0071cb144c7a	940
JMF	12:0071cb144c7a	941	p = buf + 6 + ciph_len;
JMF	12:0071cb144c7a	942	ssl->session_negotiate->id_len = sess_len;
JMF	12:0071cb144c7a	943	memset( ssl->session_negotiate->id, 0,
JMF	12:0071cb144c7a	944	sizeof( ssl->session_negotiate->id ) );
JMF	12:0071cb144c7a	945	memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
JMF	12:0071cb144c7a	946
JMF	12:0071cb144c7a	947	p += sess_len;
JMF	12:0071cb144c7a	948	memset( ssl->handshake->randbytes, 0, 64 );
JMF	12:0071cb144c7a	949	memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
JMF	12:0071cb144c7a	950
JMF	12:0071cb144c7a	951	/*
JMF	12:0071cb144c7a	952	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
JMF	12:0071cb144c7a	953	*/
JMF	12:0071cb144c7a	954	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
JMF	12:0071cb144c7a	955	{
JMF	12:0071cb144c7a	956	if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
JMF	12:0071cb144c7a	957	{
JMF	12:0071cb144c7a	958	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
JMF	12:0071cb144c7a	959	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	960	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
JMF	12:0071cb144c7a	961	{
JMF	12:0071cb144c7a	962	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
JMF	12:0071cb144c7a	963	"during renegotiation" ) );
JMF	12:0071cb144c7a	964
JMF	12:0071cb144c7a	965	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
JMF	12:0071cb144c7a	966	return( ret );
JMF	12:0071cb144c7a	967
JMF	12:0071cb144c7a	968	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	969	}
JMF	12:0071cb144c7a	970	#endif /* MBEDTLS_SSL_RENEGOTIATION */
JMF	12:0071cb144c7a	971	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
JMF	12:0071cb144c7a	972	break;
JMF	12:0071cb144c7a	973	}
JMF	12:0071cb144c7a	974	}
JMF	12:0071cb144c7a	975
JMF	12:0071cb144c7a	976	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
JMF	12:0071cb144c7a	977	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
JMF	12:0071cb144c7a	978	{
JMF	12:0071cb144c7a	979	if( p[0] == 0 &&
JMF	12:0071cb144c7a	980	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
JMF	12:0071cb144c7a	981	p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
JMF	12:0071cb144c7a	982	{
JMF	12:0071cb144c7a	983	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
JMF	12:0071cb144c7a	984
JMF	12:0071cb144c7a	985	if( ssl->minor_ver < ssl->conf->max_minor_ver )
JMF	12:0071cb144c7a	986	{
JMF	12:0071cb144c7a	987	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
JMF	12:0071cb144c7a	988
JMF	12:0071cb144c7a	989	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
JMF	12:0071cb144c7a	990	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
JMF	12:0071cb144c7a	991
JMF	12:0071cb144c7a	992	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	993	}
JMF	12:0071cb144c7a	994
JMF	12:0071cb144c7a	995	break;
JMF	12:0071cb144c7a	996	}
JMF	12:0071cb144c7a	997	}
JMF	12:0071cb144c7a	998	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
JMF	12:0071cb144c7a	999
JMF	12:0071cb144c7a	1000	got_common_suite = 0;
JMF	12:0071cb144c7a	1001	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
JMF	12:0071cb144c7a	1002	ciphersuite_info = NULL;
JMF	12:0071cb144c7a	1003	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
JMF	12:0071cb144c7a	1004	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
JMF	12:0071cb144c7a	1005	{
JMF	12:0071cb144c7a	1006	for( i = 0; ciphersuites[i] != 0; i++ )
JMF	12:0071cb144c7a	1007	#else
JMF	12:0071cb144c7a	1008	for( i = 0; ciphersuites[i] != 0; i++ )
JMF	12:0071cb144c7a	1009	{
JMF	12:0071cb144c7a	1010	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
JMF	12:0071cb144c7a	1011	#endif
JMF	12:0071cb144c7a	1012	{
JMF	12:0071cb144c7a	1013	if( p[0] != 0 \|\|
JMF	12:0071cb144c7a	1014	p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
JMF	12:0071cb144c7a	1015	p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
JMF	12:0071cb144c7a	1016	continue;
JMF	12:0071cb144c7a	1017
JMF	12:0071cb144c7a	1018	got_common_suite = 1;
JMF	12:0071cb144c7a	1019
JMF	12:0071cb144c7a	1020	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
JMF	12:0071cb144c7a	1021	&ciphersuite_info ) ) != 0 )
JMF	12:0071cb144c7a	1022	return( ret );
JMF	12:0071cb144c7a	1023
JMF	12:0071cb144c7a	1024	if( ciphersuite_info != NULL )
JMF	12:0071cb144c7a	1025	goto have_ciphersuite_v2;
JMF	12:0071cb144c7a	1026	}
JMF	12:0071cb144c7a	1027	}
JMF	12:0071cb144c7a	1028
JMF	12:0071cb144c7a	1029	if( got_common_suite )
JMF	12:0071cb144c7a	1030	{
JMF	12:0071cb144c7a	1031	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
JMF	12:0071cb144c7a	1032	"but none of them usable" ) );
JMF	12:0071cb144c7a	1033	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
JMF	12:0071cb144c7a	1034	}
JMF	12:0071cb144c7a	1035	else
JMF	12:0071cb144c7a	1036	{
JMF	12:0071cb144c7a	1037	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
JMF	12:0071cb144c7a	1038	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
JMF	12:0071cb144c7a	1039	}
JMF	12:0071cb144c7a	1040
JMF	12:0071cb144c7a	1041	have_ciphersuite_v2:
JMF	12:0071cb144c7a	1042	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
JMF	12:0071cb144c7a	1043
JMF	12:0071cb144c7a	1044	ssl->session_negotiate->ciphersuite = ciphersuites[i];
JMF	12:0071cb144c7a	1045	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
JMF	12:0071cb144c7a	1046	mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
JMF	12:0071cb144c7a	1047
JMF	12:0071cb144c7a	1048	/*
JMF	12:0071cb144c7a	1049	* SSLv2 Client Hello relevant renegotiation security checks
JMF	12:0071cb144c7a	1050	*/
JMF	12:0071cb144c7a	1051	if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
JMF	12:0071cb144c7a	1052	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
JMF	12:0071cb144c7a	1053	{
JMF	12:0071cb144c7a	1054	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
JMF	12:0071cb144c7a	1055
JMF	12:0071cb144c7a	1056	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
JMF	12:0071cb144c7a	1057	return( ret );
JMF	12:0071cb144c7a	1058
JMF	12:0071cb144c7a	1059	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1060	}
JMF	12:0071cb144c7a	1061
JMF	12:0071cb144c7a	1062	ssl->in_left = 0;
JMF	12:0071cb144c7a	1063	ssl->state++;
JMF	12:0071cb144c7a	1064
JMF	12:0071cb144c7a	1065	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
JMF	12:0071cb144c7a	1066
JMF	12:0071cb144c7a	1067	return( 0 );
JMF	12:0071cb144c7a	1068	}
JMF	12:0071cb144c7a	1069	#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
JMF	12:0071cb144c7a	1070
JMF	12:0071cb144c7a	1071	static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	1072	{
JMF	12:0071cb144c7a	1073	int ret, got_common_suite;
JMF	12:0071cb144c7a	1074	size_t i, j;
JMF	12:0071cb144c7a	1075	size_t ciph_offset, comp_offset, ext_offset;
JMF	12:0071cb144c7a	1076	size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
JMF	12:0071cb144c7a	1077	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1078	size_t cookie_offset, cookie_len;
JMF	12:0071cb144c7a	1079	#endif
JMF	12:0071cb144c7a	1080	unsigned char buf, p, *ext;
JMF	12:0071cb144c7a	1081	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1082	int renegotiation_info_seen = 0;
JMF	12:0071cb144c7a	1083	#endif
JMF	12:0071cb144c7a	1084	int handshake_failure = 0;
JMF	12:0071cb144c7a	1085	const int *ciphersuites;
JMF	12:0071cb144c7a	1086	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
JMF	12:0071cb144c7a	1087	int major, minor;
JMF	12:0071cb144c7a	1088
JMF	12:0071cb144c7a	1089	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
JMF	12:0071cb144c7a	1090
JMF	12:0071cb144c7a	1091	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
JMF	12:0071cb144c7a	1092	read_record_header:
JMF	12:0071cb144c7a	1093	#endif
JMF	12:0071cb144c7a	1094	/*
JMF	12:0071cb144c7a	1095	* If renegotiating, then the input was read with mbedtls_ssl_read_record(),
JMF	12:0071cb144c7a	1096	* otherwise read it ourselves manually in order to support SSLv2
JMF	12:0071cb144c7a	1097	* ClientHello, which doesn't use the same record layer format.
JMF	12:0071cb144c7a	1098	*/
JMF	12:0071cb144c7a	1099	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1100	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
JMF	12:0071cb144c7a	1101	#endif
JMF	12:0071cb144c7a	1102	{
JMF	12:0071cb144c7a	1103	if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
JMF	12:0071cb144c7a	1104	{
JMF	12:0071cb144c7a	1105	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
JMF	12:0071cb144c7a	1106	return( ret );
JMF	12:0071cb144c7a	1107	}
JMF	12:0071cb144c7a	1108	}
JMF	12:0071cb144c7a	1109
JMF	12:0071cb144c7a	1110	buf = ssl->in_hdr;
JMF	12:0071cb144c7a	1111
JMF	12:0071cb144c7a	1112	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
JMF	12:0071cb144c7a	1113	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1114	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
JMF	12:0071cb144c7a	1115	#endif
JMF	12:0071cb144c7a	1116	if( ( buf[0] & 0x80 ) != 0 )
JMF	12:0071cb144c7a	1117	return ssl_parse_client_hello_v2( ssl );
JMF	12:0071cb144c7a	1118	#endif
JMF	12:0071cb144c7a	1119
JMF	12:0071cb144c7a	1120	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
JMF	12:0071cb144c7a	1121
JMF	12:0071cb144c7a	1122	/*
JMF	12:0071cb144c7a	1123	* SSLv3/TLS Client Hello
JMF	12:0071cb144c7a	1124	*
JMF	12:0071cb144c7a	1125	* Record layer:
JMF	12:0071cb144c7a	1126	* 0 . 0 message type
JMF	12:0071cb144c7a	1127	* 1 . 2 protocol version
JMF	12:0071cb144c7a	1128	* 3 . 11 DTLS: epoch + record sequence number
JMF	12:0071cb144c7a	1129	* 3 . 4 message length
JMF	12:0071cb144c7a	1130	*/
JMF	12:0071cb144c7a	1131	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
JMF	12:0071cb144c7a	1132	buf[0] ) );
JMF	12:0071cb144c7a	1133
JMF	12:0071cb144c7a	1134	if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
JMF	12:0071cb144c7a	1135	{
JMF	12:0071cb144c7a	1136	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1137	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1138	}
JMF	12:0071cb144c7a	1139
JMF	12:0071cb144c7a	1140	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
JMF	12:0071cb144c7a	1141	( ssl->in_len[0] << 8 ) \| ssl->in_len[1] ) );
JMF	12:0071cb144c7a	1142
JMF	12:0071cb144c7a	1143	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
JMF	12:0071cb144c7a	1144	buf[1], buf[2] ) );
JMF	12:0071cb144c7a	1145
JMF	12:0071cb144c7a	1146	mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
JMF	12:0071cb144c7a	1147
JMF	12:0071cb144c7a	1148	/* According to RFC 5246 Appendix E.1, the version here is typically
JMF	12:0071cb144c7a	1149	* "{03,00}, the lowest version number supported by the client, [or] the
JMF	12:0071cb144c7a	1150	* value of ClientHello.client_version", so the only meaningful check here
JMF	12:0071cb144c7a	1151	* is the major version shouldn't be less than 3 */
JMF	12:0071cb144c7a	1152	if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
JMF	12:0071cb144c7a	1153	{
JMF	12:0071cb144c7a	1154	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1155	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1156	}
JMF	12:0071cb144c7a	1157
JMF	12:0071cb144c7a	1158	/* For DTLS if this is the initial handshake, remember the client sequence
JMF	12:0071cb144c7a	1159	* number to use it in our next message (RFC 6347 4.2.1) */
JMF	12:0071cb144c7a	1160	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1161	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
JMF	12:0071cb144c7a	1162	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1163	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
JMF	12:0071cb144c7a	1164	#endif
JMF	12:0071cb144c7a	1165	)
JMF	12:0071cb144c7a	1166	{
JMF	12:0071cb144c7a	1167	/* Epoch should be 0 for initial handshakes */
JMF	12:0071cb144c7a	1168	if( ssl->in_ctr[0] != 0 \|\| ssl->in_ctr[1] != 0 )
JMF	12:0071cb144c7a	1169	{
JMF	12:0071cb144c7a	1170	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1171	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1172	}
JMF	12:0071cb144c7a	1173
JMF	12:0071cb144c7a	1174	memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
JMF	12:0071cb144c7a	1175
JMF	12:0071cb144c7a	1176	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
JMF	12:0071cb144c7a	1177	if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
JMF	12:0071cb144c7a	1178	{
JMF	12:0071cb144c7a	1179	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
JMF	12:0071cb144c7a	1180	ssl->next_record_offset = 0;
JMF	12:0071cb144c7a	1181	ssl->in_left = 0;
JMF	12:0071cb144c7a	1182	goto read_record_header;
JMF	12:0071cb144c7a	1183	}
JMF	12:0071cb144c7a	1184
JMF	12:0071cb144c7a	1185	/* No MAC to check yet, so we can update right now */
JMF	12:0071cb144c7a	1186	mbedtls_ssl_dtls_replay_update( ssl );
JMF	12:0071cb144c7a	1187	#endif
JMF	12:0071cb144c7a	1188	}
JMF	12:0071cb144c7a	1189	#endif /* MBEDTLS_SSL_PROTO_DTLS */
JMF	12:0071cb144c7a	1190
JMF	12:0071cb144c7a	1191	msg_len = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
JMF	12:0071cb144c7a	1192
JMF	12:0071cb144c7a	1193	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1194	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
JMF	12:0071cb144c7a	1195	{
JMF	12:0071cb144c7a	1196	/* Set by mbedtls_ssl_read_record() */
JMF	12:0071cb144c7a	1197	msg_len = ssl->in_hslen;
JMF	12:0071cb144c7a	1198	}
JMF	12:0071cb144c7a	1199	else
JMF	12:0071cb144c7a	1200	#endif
JMF	12:0071cb144c7a	1201	{
JMF	12:0071cb144c7a	1202	if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
JMF	12:0071cb144c7a	1203	{
JMF	12:0071cb144c7a	1204	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1205	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1206	}
JMF	12:0071cb144c7a	1207
JMF	12:0071cb144c7a	1208	if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
JMF	12:0071cb144c7a	1209	{
JMF	12:0071cb144c7a	1210	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
JMF	12:0071cb144c7a	1211	return( ret );
JMF	12:0071cb144c7a	1212	}
JMF	12:0071cb144c7a	1213
JMF	12:0071cb144c7a	1214	/* Done reading this record, get ready for the next one */
JMF	12:0071cb144c7a	1215	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1216	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
JMF	12:0071cb144c7a	1217	ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
JMF	12:0071cb144c7a	1218	else
JMF	12:0071cb144c7a	1219	#endif
JMF	12:0071cb144c7a	1220	ssl->in_left = 0;
JMF	12:0071cb144c7a	1221	}
JMF	12:0071cb144c7a	1222
JMF	12:0071cb144c7a	1223	buf = ssl->in_msg;
JMF	12:0071cb144c7a	1224
JMF	12:0071cb144c7a	1225	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
JMF	12:0071cb144c7a	1226
JMF	12:0071cb144c7a	1227	ssl->handshake->update_checksum( ssl, buf, msg_len );
JMF	12:0071cb144c7a	1228
JMF	12:0071cb144c7a	1229	/*
JMF	12:0071cb144c7a	1230	* Handshake layer:
JMF	12:0071cb144c7a	1231	* 0 . 0 handshake type
JMF	12:0071cb144c7a	1232	* 1 . 3 handshake length
JMF	12:0071cb144c7a	1233	* 4 . 5 DTLS only: message seqence number
JMF	12:0071cb144c7a	1234	* 6 . 8 DTLS only: fragment offset
JMF	12:0071cb144c7a	1235	* 9 . 11 DTLS only: fragment length
JMF	12:0071cb144c7a	1236	*/
JMF	12:0071cb144c7a	1237	if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
JMF	12:0071cb144c7a	1238	{
JMF	12:0071cb144c7a	1239	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1240	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1241	}
JMF	12:0071cb144c7a	1242
JMF	12:0071cb144c7a	1243	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
JMF	12:0071cb144c7a	1244
JMF	12:0071cb144c7a	1245	if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
JMF	12:0071cb144c7a	1246	{
JMF	12:0071cb144c7a	1247	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1248	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1249	}
JMF	12:0071cb144c7a	1250
JMF	12:0071cb144c7a	1251	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
JMF	12:0071cb144c7a	1252	( buf[1] << 16 ) \| ( buf[2] << 8 ) \| buf[3] ) );
JMF	12:0071cb144c7a	1253
JMF	12:0071cb144c7a	1254	/* We don't support fragmentation of ClientHello (yet?) */
JMF	12:0071cb144c7a	1255	if( buf[1] != 0 \|\|
JMF	12:0071cb144c7a	1256	msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) \| buf[3] ) )
JMF	12:0071cb144c7a	1257	{
JMF	12:0071cb144c7a	1258	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1259	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1260	}
JMF	12:0071cb144c7a	1261
JMF	12:0071cb144c7a	1262	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1263	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
JMF	12:0071cb144c7a	1264	{
JMF	12:0071cb144c7a	1265	/*
JMF	12:0071cb144c7a	1266	* Copy the client's handshake message_seq on initial handshakes,
JMF	12:0071cb144c7a	1267	* check sequence number on renego.
JMF	12:0071cb144c7a	1268	*/
JMF	12:0071cb144c7a	1269	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1270	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
JMF	12:0071cb144c7a	1271	{
JMF	12:0071cb144c7a	1272	/* This couldn't be done in ssl_prepare_handshake_record() */
JMF	12:0071cb144c7a	1273	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
JMF	12:0071cb144c7a	1274	ssl->in_msg[5];
JMF	12:0071cb144c7a	1275
JMF	12:0071cb144c7a	1276	if( cli_msg_seq != ssl->handshake->in_msg_seq )
JMF	12:0071cb144c7a	1277	{
JMF	12:0071cb144c7a	1278	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
JMF	12:0071cb144c7a	1279	"%d (expected %d)", cli_msg_seq,
JMF	12:0071cb144c7a	1280	ssl->handshake->in_msg_seq ) );
JMF	12:0071cb144c7a	1281	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1282	}
JMF	12:0071cb144c7a	1283
JMF	12:0071cb144c7a	1284	ssl->handshake->in_msg_seq++;
JMF	12:0071cb144c7a	1285	}
JMF	12:0071cb144c7a	1286	else
JMF	12:0071cb144c7a	1287	#endif
JMF	12:0071cb144c7a	1288	{
JMF	12:0071cb144c7a	1289	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
JMF	12:0071cb144c7a	1290	ssl->in_msg[5];
JMF	12:0071cb144c7a	1291	ssl->handshake->out_msg_seq = cli_msg_seq;
JMF	12:0071cb144c7a	1292	ssl->handshake->in_msg_seq = cli_msg_seq + 1;
JMF	12:0071cb144c7a	1293	}
JMF	12:0071cb144c7a	1294
JMF	12:0071cb144c7a	1295	/*
JMF	12:0071cb144c7a	1296	* For now we don't support fragmentation, so make sure
JMF	12:0071cb144c7a	1297	* fragment_offset == 0 and fragment_length == length
JMF	12:0071cb144c7a	1298	*/
JMF	12:0071cb144c7a	1299	if( ssl->in_msg[6] != 0 \|\| ssl->in_msg[7] != 0 \|\| ssl->in_msg[8] != 0 \|\|
JMF	12:0071cb144c7a	1300	memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
JMF	12:0071cb144c7a	1301	{
JMF	12:0071cb144c7a	1302	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
JMF	12:0071cb144c7a	1303	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
JMF	12:0071cb144c7a	1304	}
JMF	12:0071cb144c7a	1305	}
JMF	12:0071cb144c7a	1306	#endif /* MBEDTLS_SSL_PROTO_DTLS */
JMF	12:0071cb144c7a	1307
JMF	12:0071cb144c7a	1308	buf += mbedtls_ssl_hs_hdr_len( ssl );
JMF	12:0071cb144c7a	1309	msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
JMF	12:0071cb144c7a	1310
JMF	12:0071cb144c7a	1311	/*
JMF	12:0071cb144c7a	1312	* ClientHello layer:
JMF	12:0071cb144c7a	1313	* 0 . 1 protocol version
JMF	12:0071cb144c7a	1314	* 2 . 33 random bytes (starting with 4 bytes of Unix time)
JMF	12:0071cb144c7a	1315	* 34 . 35 session id length (1 byte)
JMF	12:0071cb144c7a	1316	* 35 . 34+x session id
JMF	12:0071cb144c7a	1317	* 35+x . 35+x DTLS only: cookie length (1 byte)
JMF	12:0071cb144c7a	1318	* 36+x . .. DTLS only: cookie
JMF	12:0071cb144c7a	1319	* .. . .. ciphersuite list length (2 bytes)
JMF	12:0071cb144c7a	1320	* .. . .. ciphersuite list
JMF	12:0071cb144c7a	1321	* .. . .. compression alg. list length (1 byte)
JMF	12:0071cb144c7a	1322	* .. . .. compression alg. list
JMF	12:0071cb144c7a	1323	* .. . .. extensions length (2 bytes, optional)
JMF	12:0071cb144c7a	1324	* .. . .. extensions (optional)
JMF	12:0071cb144c7a	1325	*/
JMF	12:0071cb144c7a	1326
JMF	12:0071cb144c7a	1327	/*
JMF	12:0071cb144c7a	1328	* Minimal length (with everything empty and extensions ommitted) is
JMF	12:0071cb144c7a	1329	* 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
JMF	12:0071cb144c7a	1330	* read at least up to session id length without worrying.
JMF	12:0071cb144c7a	1331	*/
JMF	12:0071cb144c7a	1332	if( msg_len < 38 )
JMF	12:0071cb144c7a	1333	{
JMF	12:0071cb144c7a	1334	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1335	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1336	}
JMF	12:0071cb144c7a	1337
JMF	12:0071cb144c7a	1338	/*
JMF	12:0071cb144c7a	1339	* Check and save the protocol version
JMF	12:0071cb144c7a	1340	*/
JMF	12:0071cb144c7a	1341	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
JMF	12:0071cb144c7a	1342
JMF	12:0071cb144c7a	1343	mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
JMF	12:0071cb144c7a	1344	ssl->conf->transport, buf );
JMF	12:0071cb144c7a	1345
JMF	12:0071cb144c7a	1346	ssl->handshake->max_major_ver = ssl->major_ver;
JMF	12:0071cb144c7a	1347	ssl->handshake->max_minor_ver = ssl->minor_ver;
JMF	12:0071cb144c7a	1348
JMF	12:0071cb144c7a	1349	if( ssl->major_ver < ssl->conf->min_major_ver \|\|
JMF	12:0071cb144c7a	1350	ssl->minor_ver < ssl->conf->min_minor_ver )
JMF	12:0071cb144c7a	1351	{
JMF	12:0071cb144c7a	1352	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
JMF	12:0071cb144c7a	1353	" [%d:%d] < [%d:%d]",
JMF	12:0071cb144c7a	1354	ssl->major_ver, ssl->minor_ver,
JMF	12:0071cb144c7a	1355	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
JMF	12:0071cb144c7a	1356
JMF	12:0071cb144c7a	1357	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
JMF	12:0071cb144c7a	1358	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
JMF	12:0071cb144c7a	1359
JMF	12:0071cb144c7a	1360	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
JMF	12:0071cb144c7a	1361	}
JMF	12:0071cb144c7a	1362
JMF	12:0071cb144c7a	1363	if( ssl->major_ver > ssl->conf->max_major_ver )
JMF	12:0071cb144c7a	1364	{
JMF	12:0071cb144c7a	1365	ssl->major_ver = ssl->conf->max_major_ver;
JMF	12:0071cb144c7a	1366	ssl->minor_ver = ssl->conf->max_minor_ver;
JMF	12:0071cb144c7a	1367	}
JMF	12:0071cb144c7a	1368	else if( ssl->minor_ver > ssl->conf->max_minor_ver )
JMF	12:0071cb144c7a	1369	ssl->minor_ver = ssl->conf->max_minor_ver;
JMF	12:0071cb144c7a	1370
JMF	12:0071cb144c7a	1371	/*
JMF	12:0071cb144c7a	1372	* Save client random (inc. Unix time)
JMF	12:0071cb144c7a	1373	*/
JMF	12:0071cb144c7a	1374	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
JMF	12:0071cb144c7a	1375
JMF	12:0071cb144c7a	1376	memcpy( ssl->handshake->randbytes, buf + 2, 32 );
JMF	12:0071cb144c7a	1377
JMF	12:0071cb144c7a	1378	/*
JMF	12:0071cb144c7a	1379	* Check the session ID length and save session ID
JMF	12:0071cb144c7a	1380	*/
JMF	12:0071cb144c7a	1381	sess_len = buf[34];
JMF	12:0071cb144c7a	1382
JMF	12:0071cb144c7a	1383	if( sess_len > sizeof( ssl->session_negotiate->id ) \|\|
JMF	12:0071cb144c7a	1384	sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
JMF	12:0071cb144c7a	1385	{
JMF	12:0071cb144c7a	1386	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1387	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1388	}
JMF	12:0071cb144c7a	1389
JMF	12:0071cb144c7a	1390	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
JMF	12:0071cb144c7a	1391
JMF	12:0071cb144c7a	1392	ssl->session_negotiate->id_len = sess_len;
JMF	12:0071cb144c7a	1393	memset( ssl->session_negotiate->id, 0,
JMF	12:0071cb144c7a	1394	sizeof( ssl->session_negotiate->id ) );
JMF	12:0071cb144c7a	1395	memcpy( ssl->session_negotiate->id, buf + 35,
JMF	12:0071cb144c7a	1396	ssl->session_negotiate->id_len );
JMF	12:0071cb144c7a	1397
JMF	12:0071cb144c7a	1398	/*
JMF	12:0071cb144c7a	1399	* Check the cookie length and content
JMF	12:0071cb144c7a	1400	*/
JMF	12:0071cb144c7a	1401	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1402	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
JMF	12:0071cb144c7a	1403	{
JMF	12:0071cb144c7a	1404	cookie_offset = 35 + sess_len;
JMF	12:0071cb144c7a	1405	cookie_len = buf[cookie_offset];
JMF	12:0071cb144c7a	1406
JMF	12:0071cb144c7a	1407	if( cookie_offset + 1 + cookie_len + 2 > msg_len )
JMF	12:0071cb144c7a	1408	{
JMF	12:0071cb144c7a	1409	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1410	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1411	}
JMF	12:0071cb144c7a	1412
JMF	12:0071cb144c7a	1413	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
JMF	12:0071cb144c7a	1414	buf + cookie_offset + 1, cookie_len );
JMF	12:0071cb144c7a	1415
JMF	12:0071cb144c7a	1416	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
JMF	12:0071cb144c7a	1417	if( ssl->conf->f_cookie_check != NULL
JMF	12:0071cb144c7a	1418	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1419	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
JMF	12:0071cb144c7a	1420	#endif
JMF	12:0071cb144c7a	1421	)
JMF	12:0071cb144c7a	1422	{
JMF	12:0071cb144c7a	1423	if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
JMF	12:0071cb144c7a	1424	buf + cookie_offset + 1, cookie_len,
JMF	12:0071cb144c7a	1425	ssl->cli_id, ssl->cli_id_len ) != 0 )
JMF	12:0071cb144c7a	1426	{
JMF	12:0071cb144c7a	1427	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
JMF	12:0071cb144c7a	1428	ssl->handshake->verify_cookie_len = 1;
JMF	12:0071cb144c7a	1429	}
JMF	12:0071cb144c7a	1430	else
JMF	12:0071cb144c7a	1431	{
JMF	12:0071cb144c7a	1432	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
JMF	12:0071cb144c7a	1433	ssl->handshake->verify_cookie_len = 0;
JMF	12:0071cb144c7a	1434	}
JMF	12:0071cb144c7a	1435	}
JMF	12:0071cb144c7a	1436	else
JMF	12:0071cb144c7a	1437	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
JMF	12:0071cb144c7a	1438	{
JMF	12:0071cb144c7a	1439	/* We know we didn't send a cookie, so it should be empty */
JMF	12:0071cb144c7a	1440	if( cookie_len != 0 )
JMF	12:0071cb144c7a	1441	{
JMF	12:0071cb144c7a	1442	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1443	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1444	}
JMF	12:0071cb144c7a	1445
JMF	12:0071cb144c7a	1446	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
JMF	12:0071cb144c7a	1447	}
JMF	12:0071cb144c7a	1448
JMF	12:0071cb144c7a	1449	/*
JMF	12:0071cb144c7a	1450	* Check the ciphersuitelist length (will be parsed later)
JMF	12:0071cb144c7a	1451	*/
JMF	12:0071cb144c7a	1452	ciph_offset = cookie_offset + 1 + cookie_len;
JMF	12:0071cb144c7a	1453	}
JMF	12:0071cb144c7a	1454	else
JMF	12:0071cb144c7a	1455	#endif /* MBEDTLS_SSL_PROTO_DTLS */
JMF	12:0071cb144c7a	1456	ciph_offset = 35 + sess_len;
JMF	12:0071cb144c7a	1457
JMF	12:0071cb144c7a	1458	ciph_len = ( buf[ciph_offset + 0] << 8 )
JMF	12:0071cb144c7a	1459	\| ( buf[ciph_offset + 1] );
JMF	12:0071cb144c7a	1460
JMF	12:0071cb144c7a	1461	if( ciph_len < 2 \|\|
JMF	12:0071cb144c7a	1462	ciph_len + 2 + ciph_offset + 1 > msg_len \|\| /* 1 for comp. alg. len */
JMF	12:0071cb144c7a	1463	( ciph_len % 2 ) != 0 )
JMF	12:0071cb144c7a	1464	{
JMF	12:0071cb144c7a	1465	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1466	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1467	}
JMF	12:0071cb144c7a	1468
JMF	12:0071cb144c7a	1469	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
JMF	12:0071cb144c7a	1470	buf + ciph_offset + 2, ciph_len );
JMF	12:0071cb144c7a	1471
JMF	12:0071cb144c7a	1472	/*
JMF	12:0071cb144c7a	1473	* Check the compression algorithms length and pick one
JMF	12:0071cb144c7a	1474	*/
JMF	12:0071cb144c7a	1475	comp_offset = ciph_offset + 2 + ciph_len;
JMF	12:0071cb144c7a	1476
JMF	12:0071cb144c7a	1477	comp_len = buf[comp_offset];
JMF	12:0071cb144c7a	1478
JMF	12:0071cb144c7a	1479	if( comp_len < 1 \|\|
JMF	12:0071cb144c7a	1480	comp_len > 16 \|\|
JMF	12:0071cb144c7a	1481	comp_len + comp_offset + 1 > msg_len )
JMF	12:0071cb144c7a	1482	{
JMF	12:0071cb144c7a	1483	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1484	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1485	}
JMF	12:0071cb144c7a	1486
JMF	12:0071cb144c7a	1487	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
JMF	12:0071cb144c7a	1488	buf + comp_offset + 1, comp_len );
JMF	12:0071cb144c7a	1489
JMF	12:0071cb144c7a	1490	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
JMF	12:0071cb144c7a	1491	#if defined(MBEDTLS_ZLIB_SUPPORT)
JMF	12:0071cb144c7a	1492	for( i = 0; i < comp_len; ++i )
JMF	12:0071cb144c7a	1493	{
JMF	12:0071cb144c7a	1494	if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
JMF	12:0071cb144c7a	1495	{
JMF	12:0071cb144c7a	1496	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
JMF	12:0071cb144c7a	1497	break;
JMF	12:0071cb144c7a	1498	}
JMF	12:0071cb144c7a	1499	}
JMF	12:0071cb144c7a	1500	#endif
JMF	12:0071cb144c7a	1501
JMF	12:0071cb144c7a	1502	/* See comments in ssl_write_client_hello() */
JMF	12:0071cb144c7a	1503	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1504	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
JMF	12:0071cb144c7a	1505	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
JMF	12:0071cb144c7a	1506	#endif
JMF	12:0071cb144c7a	1507
JMF	12:0071cb144c7a	1508	/* Do not parse the extensions if the protocol is SSLv3 */
JMF	12:0071cb144c7a	1509	#if defined(MBEDTLS_SSL_PROTO_SSL3)
JMF	12:0071cb144c7a	1510	if( ( ssl->major_ver != 3 ) \|\| ( ssl->minor_ver != 0 ) )
JMF	12:0071cb144c7a	1511	{
JMF	12:0071cb144c7a	1512	#endif
JMF	12:0071cb144c7a	1513	/*
JMF	12:0071cb144c7a	1514	* Check the extension length
JMF	12:0071cb144c7a	1515	*/
JMF	12:0071cb144c7a	1516	ext_offset = comp_offset + 1 + comp_len;
JMF	12:0071cb144c7a	1517	if( msg_len > ext_offset )
JMF	12:0071cb144c7a	1518	{
JMF	12:0071cb144c7a	1519	if( msg_len < ext_offset + 2 )
JMF	12:0071cb144c7a	1520	{
JMF	12:0071cb144c7a	1521	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1522	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1523	}
JMF	12:0071cb144c7a	1524
JMF	12:0071cb144c7a	1525	ext_len = ( buf[ext_offset + 0] << 8 )
JMF	12:0071cb144c7a	1526	\| ( buf[ext_offset + 1] );
JMF	12:0071cb144c7a	1527
JMF	12:0071cb144c7a	1528	if( ( ext_len > 0 && ext_len < 4 ) \|\|
JMF	12:0071cb144c7a	1529	msg_len != ext_offset + 2 + ext_len )
JMF	12:0071cb144c7a	1530	{
JMF	12:0071cb144c7a	1531	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1532	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1533	}
JMF	12:0071cb144c7a	1534	}
JMF	12:0071cb144c7a	1535	else
JMF	12:0071cb144c7a	1536	ext_len = 0;
JMF	12:0071cb144c7a	1537
JMF	12:0071cb144c7a	1538	ext = buf + ext_offset + 2;
JMF	12:0071cb144c7a	1539	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
JMF	12:0071cb144c7a	1540
JMF	12:0071cb144c7a	1541	while( ext_len != 0 )
JMF	12:0071cb144c7a	1542	{
JMF	12:0071cb144c7a	1543	unsigned int ext_id = ( ( ext[0] << 8 )
JMF	12:0071cb144c7a	1544	\| ( ext[1] ) );
JMF	12:0071cb144c7a	1545	unsigned int ext_size = ( ( ext[2] << 8 )
JMF	12:0071cb144c7a	1546	\| ( ext[3] ) );
JMF	12:0071cb144c7a	1547
JMF	12:0071cb144c7a	1548	if( ext_size + 4 > ext_len )
JMF	12:0071cb144c7a	1549	{
JMF	12:0071cb144c7a	1550	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1551	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1552	}
JMF	12:0071cb144c7a	1553	switch( ext_id )
JMF	12:0071cb144c7a	1554	{
JMF	12:0071cb144c7a	1555	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
JMF	12:0071cb144c7a	1556	case MBEDTLS_TLS_EXT_SERVERNAME:
JMF	12:0071cb144c7a	1557	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
JMF	12:0071cb144c7a	1558	if( ssl->conf->f_sni == NULL )
JMF	12:0071cb144c7a	1559	break;
JMF	12:0071cb144c7a	1560
JMF	12:0071cb144c7a	1561	ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1562	if( ret != 0 )
JMF	12:0071cb144c7a	1563	return( ret );
JMF	12:0071cb144c7a	1564	break;
JMF	12:0071cb144c7a	1565	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
JMF	12:0071cb144c7a	1566
JMF	12:0071cb144c7a	1567	case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
JMF	12:0071cb144c7a	1568	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
JMF	12:0071cb144c7a	1569	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1570	renegotiation_info_seen = 1;
JMF	12:0071cb144c7a	1571	#endif
JMF	12:0071cb144c7a	1572
JMF	12:0071cb144c7a	1573	ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1574	if( ret != 0 )
JMF	12:0071cb144c7a	1575	return( ret );
JMF	12:0071cb144c7a	1576	break;
JMF	12:0071cb144c7a	1577
JMF	12:0071cb144c7a	1578	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
JMF	12:0071cb144c7a	1579	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
JMF	12:0071cb144c7a	1580	case MBEDTLS_TLS_EXT_SIG_ALG:
JMF	12:0071cb144c7a	1581	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
JMF	12:0071cb144c7a	1582	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1583	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
JMF	12:0071cb144c7a	1584	break;
JMF	12:0071cb144c7a	1585	#endif
JMF	12:0071cb144c7a	1586
JMF	12:0071cb144c7a	1587	ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1588	if( ret != 0 )
JMF	12:0071cb144c7a	1589	return( ret );
JMF	12:0071cb144c7a	1590	break;
JMF	12:0071cb144c7a	1591	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
JMF	12:0071cb144c7a	1592	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
JMF	12:0071cb144c7a	1593
JMF	12:0071cb144c7a	1594	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
JMF	12:0071cb144c7a	1595	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	1596	case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
JMF	12:0071cb144c7a	1597	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
JMF	12:0071cb144c7a	1598
JMF	12:0071cb144c7a	1599	ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1600	if( ret != 0 )
JMF	12:0071cb144c7a	1601	return( ret );
JMF	12:0071cb144c7a	1602	break;
JMF	12:0071cb144c7a	1603
JMF	12:0071cb144c7a	1604	case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
JMF	12:0071cb144c7a	1605	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
JMF	12:0071cb144c7a	1606	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
JMF	12:0071cb144c7a	1607
JMF	12:0071cb144c7a	1608	ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1609	if( ret != 0 )
JMF	12:0071cb144c7a	1610	return( ret );
JMF	12:0071cb144c7a	1611	break;
JMF	12:0071cb144c7a	1612	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
JMF	12:0071cb144c7a	1613	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	1614
JMF	12:0071cb144c7a	1615	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	1616	case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
JMF	12:0071cb144c7a	1617	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
JMF	12:0071cb144c7a	1618
JMF	12:0071cb144c7a	1619	ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1620	if( ret != 0 )
JMF	12:0071cb144c7a	1621	return( ret );
JMF	12:0071cb144c7a	1622	break;
JMF	12:0071cb144c7a	1623	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	1624
JMF	12:0071cb144c7a	1625	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
JMF	12:0071cb144c7a	1626	case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
JMF	12:0071cb144c7a	1627	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
JMF	12:0071cb144c7a	1628
JMF	12:0071cb144c7a	1629	ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1630	if( ret != 0 )
JMF	12:0071cb144c7a	1631	return( ret );
JMF	12:0071cb144c7a	1632	break;
JMF	12:0071cb144c7a	1633	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
JMF	12:0071cb144c7a	1634
JMF	12:0071cb144c7a	1635	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
JMF	12:0071cb144c7a	1636	case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
JMF	12:0071cb144c7a	1637	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
JMF	12:0071cb144c7a	1638
JMF	12:0071cb144c7a	1639	ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1640	if( ret != 0 )
JMF	12:0071cb144c7a	1641	return( ret );
JMF	12:0071cb144c7a	1642	break;
JMF	12:0071cb144c7a	1643	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
JMF	12:0071cb144c7a	1644
JMF	12:0071cb144c7a	1645	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
JMF	12:0071cb144c7a	1646	case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
JMF	12:0071cb144c7a	1647	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
JMF	12:0071cb144c7a	1648
JMF	12:0071cb144c7a	1649	ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1650	if( ret != 0 )
JMF	12:0071cb144c7a	1651	return( ret );
JMF	12:0071cb144c7a	1652	break;
JMF	12:0071cb144c7a	1653	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
JMF	12:0071cb144c7a	1654
JMF	12:0071cb144c7a	1655	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
JMF	12:0071cb144c7a	1656	case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
JMF	12:0071cb144c7a	1657	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
JMF	12:0071cb144c7a	1658
JMF	12:0071cb144c7a	1659	ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1660	if( ret != 0 )
JMF	12:0071cb144c7a	1661	return( ret );
JMF	12:0071cb144c7a	1662	break;
JMF	12:0071cb144c7a	1663	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
JMF	12:0071cb144c7a	1664
JMF	12:0071cb144c7a	1665	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	1666	case MBEDTLS_TLS_EXT_SESSION_TICKET:
JMF	12:0071cb144c7a	1667	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
JMF	12:0071cb144c7a	1668
JMF	12:0071cb144c7a	1669	ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1670	if( ret != 0 )
JMF	12:0071cb144c7a	1671	return( ret );
JMF	12:0071cb144c7a	1672	break;
JMF	12:0071cb144c7a	1673	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
JMF	12:0071cb144c7a	1674
JMF	12:0071cb144c7a	1675	#if defined(MBEDTLS_SSL_ALPN)
JMF	12:0071cb144c7a	1676	case MBEDTLS_TLS_EXT_ALPN:
JMF	12:0071cb144c7a	1677	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
JMF	12:0071cb144c7a	1678
JMF	12:0071cb144c7a	1679	ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
JMF	12:0071cb144c7a	1680	if( ret != 0 )
JMF	12:0071cb144c7a	1681	return( ret );
JMF	12:0071cb144c7a	1682	break;
JMF	12:0071cb144c7a	1683	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
JMF	12:0071cb144c7a	1684
JMF	12:0071cb144c7a	1685	default:
JMF	12:0071cb144c7a	1686	MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
JMF	12:0071cb144c7a	1687	ext_id ) );
JMF	12:0071cb144c7a	1688	}
JMF	12:0071cb144c7a	1689
JMF	12:0071cb144c7a	1690	ext_len -= 4 + ext_size;
JMF	12:0071cb144c7a	1691	ext += 4 + ext_size;
JMF	12:0071cb144c7a	1692
JMF	12:0071cb144c7a	1693	if( ext_len > 0 && ext_len < 4 )
JMF	12:0071cb144c7a	1694	{
JMF	12:0071cb144c7a	1695	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
JMF	12:0071cb144c7a	1696	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1697	}
JMF	12:0071cb144c7a	1698	}
JMF	12:0071cb144c7a	1699	#if defined(MBEDTLS_SSL_PROTO_SSL3)
JMF	12:0071cb144c7a	1700	}
JMF	12:0071cb144c7a	1701	#endif
JMF	12:0071cb144c7a	1702
JMF	12:0071cb144c7a	1703	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
JMF	12:0071cb144c7a	1704	for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
JMF	12:0071cb144c7a	1705	{
JMF	12:0071cb144c7a	1706	if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
JMF	12:0071cb144c7a	1707	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
JMF	12:0071cb144c7a	1708	{
JMF	12:0071cb144c7a	1709	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
JMF	12:0071cb144c7a	1710
JMF	12:0071cb144c7a	1711	if( ssl->minor_ver < ssl->conf->max_minor_ver )
JMF	12:0071cb144c7a	1712	{
JMF	12:0071cb144c7a	1713	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
JMF	12:0071cb144c7a	1714
JMF	12:0071cb144c7a	1715	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
JMF	12:0071cb144c7a	1716	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
JMF	12:0071cb144c7a	1717
JMF	12:0071cb144c7a	1718	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1719	}
JMF	12:0071cb144c7a	1720
JMF	12:0071cb144c7a	1721	break;
JMF	12:0071cb144c7a	1722	}
JMF	12:0071cb144c7a	1723	}
JMF	12:0071cb144c7a	1724	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
JMF	12:0071cb144c7a	1725
JMF	12:0071cb144c7a	1726	/*
JMF	12:0071cb144c7a	1727	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
JMF	12:0071cb144c7a	1728	*/
JMF	12:0071cb144c7a	1729	for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
JMF	12:0071cb144c7a	1730	{
JMF	12:0071cb144c7a	1731	if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
JMF	12:0071cb144c7a	1732	{
JMF	12:0071cb144c7a	1733	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
JMF	12:0071cb144c7a	1734	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1735	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
JMF	12:0071cb144c7a	1736	{
JMF	12:0071cb144c7a	1737	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
JMF	12:0071cb144c7a	1738
JMF	12:0071cb144c7a	1739	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
JMF	12:0071cb144c7a	1740	return( ret );
JMF	12:0071cb144c7a	1741
JMF	12:0071cb144c7a	1742	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1743	}
JMF	12:0071cb144c7a	1744	#endif
JMF	12:0071cb144c7a	1745	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
JMF	12:0071cb144c7a	1746	break;
JMF	12:0071cb144c7a	1747	}
JMF	12:0071cb144c7a	1748	}
JMF	12:0071cb144c7a	1749
JMF	12:0071cb144c7a	1750	/*
JMF	12:0071cb144c7a	1751	* Renegotiation security checks
JMF	12:0071cb144c7a	1752	*/
JMF	12:0071cb144c7a	1753	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
JMF	12:0071cb144c7a	1754	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
JMF	12:0071cb144c7a	1755	{
JMF	12:0071cb144c7a	1756	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
JMF	12:0071cb144c7a	1757	handshake_failure = 1;
JMF	12:0071cb144c7a	1758	}
JMF	12:0071cb144c7a	1759	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1760	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
JMF	12:0071cb144c7a	1761	ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
JMF	12:0071cb144c7a	1762	renegotiation_info_seen == 0 )
JMF	12:0071cb144c7a	1763	{
JMF	12:0071cb144c7a	1764	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
JMF	12:0071cb144c7a	1765	handshake_failure = 1;
JMF	12:0071cb144c7a	1766	}
JMF	12:0071cb144c7a	1767	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
JMF	12:0071cb144c7a	1768	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
JMF	12:0071cb144c7a	1769	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
JMF	12:0071cb144c7a	1770	{
JMF	12:0071cb144c7a	1771	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
JMF	12:0071cb144c7a	1772	handshake_failure = 1;
JMF	12:0071cb144c7a	1773	}
JMF	12:0071cb144c7a	1774	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
JMF	12:0071cb144c7a	1775	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
JMF	12:0071cb144c7a	1776	renegotiation_info_seen == 1 )
JMF	12:0071cb144c7a	1777	{
JMF	12:0071cb144c7a	1778	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
JMF	12:0071cb144c7a	1779	handshake_failure = 1;
JMF	12:0071cb144c7a	1780	}
JMF	12:0071cb144c7a	1781	#endif /* MBEDTLS_SSL_RENEGOTIATION */
JMF	12:0071cb144c7a	1782
JMF	12:0071cb144c7a	1783	if( handshake_failure == 1 )
JMF	12:0071cb144c7a	1784	{
JMF	12:0071cb144c7a	1785	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
JMF	12:0071cb144c7a	1786	return( ret );
JMF	12:0071cb144c7a	1787
JMF	12:0071cb144c7a	1788	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
JMF	12:0071cb144c7a	1789	}
JMF	12:0071cb144c7a	1790
JMF	12:0071cb144c7a	1791	/*
JMF	12:0071cb144c7a	1792	* Search for a matching ciphersuite
JMF	12:0071cb144c7a	1793	* (At the end because we need information from the EC-based extensions
JMF	12:0071cb144c7a	1794	* and certificate from the SNI callback triggered by the SNI extension.)
JMF	12:0071cb144c7a	1795	*/
JMF	12:0071cb144c7a	1796	got_common_suite = 0;
JMF	12:0071cb144c7a	1797	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
JMF	12:0071cb144c7a	1798	ciphersuite_info = NULL;
JMF	12:0071cb144c7a	1799	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
JMF	12:0071cb144c7a	1800	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
JMF	12:0071cb144c7a	1801	{
JMF	12:0071cb144c7a	1802	for( i = 0; ciphersuites[i] != 0; i++ )
JMF	12:0071cb144c7a	1803	#else
JMF	12:0071cb144c7a	1804	for( i = 0; ciphersuites[i] != 0; i++ )
JMF	12:0071cb144c7a	1805	{
JMF	12:0071cb144c7a	1806	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
JMF	12:0071cb144c7a	1807	#endif
JMF	12:0071cb144c7a	1808	{
JMF	12:0071cb144c7a	1809	if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
JMF	12:0071cb144c7a	1810	p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
JMF	12:0071cb144c7a	1811	continue;
JMF	12:0071cb144c7a	1812
JMF	12:0071cb144c7a	1813	got_common_suite = 1;
JMF	12:0071cb144c7a	1814
JMF	12:0071cb144c7a	1815	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
JMF	12:0071cb144c7a	1816	&ciphersuite_info ) ) != 0 )
JMF	12:0071cb144c7a	1817	return( ret );
JMF	12:0071cb144c7a	1818
JMF	12:0071cb144c7a	1819	if( ciphersuite_info != NULL )
JMF	12:0071cb144c7a	1820	goto have_ciphersuite;
JMF	12:0071cb144c7a	1821	}
JMF	12:0071cb144c7a	1822	}
JMF	12:0071cb144c7a	1823
JMF	12:0071cb144c7a	1824	if( got_common_suite )
JMF	12:0071cb144c7a	1825	{
JMF	12:0071cb144c7a	1826	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
JMF	12:0071cb144c7a	1827	"but none of them usable" ) );
JMF	12:0071cb144c7a	1828	mbedtls_ssl_send_fatal_handshake_failure( ssl );
JMF	12:0071cb144c7a	1829	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
JMF	12:0071cb144c7a	1830	}
JMF	12:0071cb144c7a	1831	else
JMF	12:0071cb144c7a	1832	{
JMF	12:0071cb144c7a	1833	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
JMF	12:0071cb144c7a	1834	mbedtls_ssl_send_fatal_handshake_failure( ssl );
JMF	12:0071cb144c7a	1835	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
JMF	12:0071cb144c7a	1836	}
JMF	12:0071cb144c7a	1837
JMF	12:0071cb144c7a	1838	have_ciphersuite:
JMF	12:0071cb144c7a	1839	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
JMF	12:0071cb144c7a	1840
JMF	12:0071cb144c7a	1841	ssl->session_negotiate->ciphersuite = ciphersuites[i];
JMF	12:0071cb144c7a	1842	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
JMF	12:0071cb144c7a	1843	mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
JMF	12:0071cb144c7a	1844
JMF	12:0071cb144c7a	1845	ssl->state++;
JMF	12:0071cb144c7a	1846
JMF	12:0071cb144c7a	1847	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	1848	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
JMF	12:0071cb144c7a	1849	mbedtls_ssl_recv_flight_completed( ssl );
JMF	12:0071cb144c7a	1850	#endif
JMF	12:0071cb144c7a	1851
JMF	12:0071cb144c7a	1852	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
JMF	12:0071cb144c7a	1853
JMF	12:0071cb144c7a	1854	return( 0 );
JMF	12:0071cb144c7a	1855	}
JMF	12:0071cb144c7a	1856
JMF	12:0071cb144c7a	1857	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
JMF	12:0071cb144c7a	1858	static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	1859	unsigned char *buf,
JMF	12:0071cb144c7a	1860	size_t *olen )
JMF	12:0071cb144c7a	1861	{
JMF	12:0071cb144c7a	1862	unsigned char *p = buf;
JMF	12:0071cb144c7a	1863
JMF	12:0071cb144c7a	1864	if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
JMF	12:0071cb144c7a	1865	{
JMF	12:0071cb144c7a	1866	*olen = 0;
JMF	12:0071cb144c7a	1867	return;
JMF	12:0071cb144c7a	1868	}
JMF	12:0071cb144c7a	1869
JMF	12:0071cb144c7a	1870	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
JMF	12:0071cb144c7a	1871
JMF	12:0071cb144c7a	1872	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	1873	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
JMF	12:0071cb144c7a	1874
JMF	12:0071cb144c7a	1875	*p++ = 0x00;
JMF	12:0071cb144c7a	1876	*p++ = 0x00;
JMF	12:0071cb144c7a	1877
JMF	12:0071cb144c7a	1878	*olen = 4;
JMF	12:0071cb144c7a	1879	}
JMF	12:0071cb144c7a	1880	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
JMF	12:0071cb144c7a	1881
JMF	12:0071cb144c7a	1882	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
JMF	12:0071cb144c7a	1883	static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	1884	unsigned char *buf,
JMF	12:0071cb144c7a	1885	size_t *olen )
JMF	12:0071cb144c7a	1886	{
JMF	12:0071cb144c7a	1887	unsigned char *p = buf;
JMF	12:0071cb144c7a	1888	const mbedtls_ssl_ciphersuite_t *suite = NULL;
JMF	12:0071cb144c7a	1889	const mbedtls_cipher_info_t *cipher = NULL;
JMF	12:0071cb144c7a	1890
JMF	12:0071cb144c7a	1891	if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
JMF	12:0071cb144c7a	1892	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
JMF	12:0071cb144c7a	1893	{
JMF	12:0071cb144c7a	1894	*olen = 0;
JMF	12:0071cb144c7a	1895	return;
JMF	12:0071cb144c7a	1896	}
JMF	12:0071cb144c7a	1897
JMF	12:0071cb144c7a	1898	/*
JMF	12:0071cb144c7a	1899	* RFC 7366: "If a server receives an encrypt-then-MAC request extension
JMF	12:0071cb144c7a	1900	* from a client and then selects a stream or Authenticated Encryption
JMF	12:0071cb144c7a	1901	* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
JMF	12:0071cb144c7a	1902	* encrypt-then-MAC response extension back to the client."
JMF	12:0071cb144c7a	1903	*/
JMF	12:0071cb144c7a	1904	if( ( suite = mbedtls_ssl_ciphersuite_from_id(
JMF	12:0071cb144c7a	1905	ssl->session_negotiate->ciphersuite ) ) == NULL \|\|
JMF	12:0071cb144c7a	1906	( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL \|\|
JMF	12:0071cb144c7a	1907	cipher->mode != MBEDTLS_MODE_CBC )
JMF	12:0071cb144c7a	1908	{
JMF	12:0071cb144c7a	1909	*olen = 0;
JMF	12:0071cb144c7a	1910	return;
JMF	12:0071cb144c7a	1911	}
JMF	12:0071cb144c7a	1912
JMF	12:0071cb144c7a	1913	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
JMF	12:0071cb144c7a	1914
JMF	12:0071cb144c7a	1915	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	1916	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
JMF	12:0071cb144c7a	1917
JMF	12:0071cb144c7a	1918	*p++ = 0x00;
JMF	12:0071cb144c7a	1919	*p++ = 0x00;
JMF	12:0071cb144c7a	1920
JMF	12:0071cb144c7a	1921	*olen = 4;
JMF	12:0071cb144c7a	1922	}
JMF	12:0071cb144c7a	1923	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
JMF	12:0071cb144c7a	1924
JMF	12:0071cb144c7a	1925	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
JMF	12:0071cb144c7a	1926	static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	1927	unsigned char *buf,
JMF	12:0071cb144c7a	1928	size_t *olen )
JMF	12:0071cb144c7a	1929	{
JMF	12:0071cb144c7a	1930	unsigned char *p = buf;
JMF	12:0071cb144c7a	1931
JMF	12:0071cb144c7a	1932	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
JMF	12:0071cb144c7a	1933	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
JMF	12:0071cb144c7a	1934	{
JMF	12:0071cb144c7a	1935	*olen = 0;
JMF	12:0071cb144c7a	1936	return;
JMF	12:0071cb144c7a	1937	}
JMF	12:0071cb144c7a	1938
JMF	12:0071cb144c7a	1939	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
JMF	12:0071cb144c7a	1940	"extension" ) );
JMF	12:0071cb144c7a	1941
JMF	12:0071cb144c7a	1942	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	1943	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
JMF	12:0071cb144c7a	1944
JMF	12:0071cb144c7a	1945	*p++ = 0x00;
JMF	12:0071cb144c7a	1946	*p++ = 0x00;
JMF	12:0071cb144c7a	1947
JMF	12:0071cb144c7a	1948	*olen = 4;
JMF	12:0071cb144c7a	1949	}
JMF	12:0071cb144c7a	1950	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
JMF	12:0071cb144c7a	1951
JMF	12:0071cb144c7a	1952	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	1953	static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	1954	unsigned char *buf,
JMF	12:0071cb144c7a	1955	size_t *olen )
JMF	12:0071cb144c7a	1956	{
JMF	12:0071cb144c7a	1957	unsigned char *p = buf;
JMF	12:0071cb144c7a	1958
JMF	12:0071cb144c7a	1959	if( ssl->handshake->new_session_ticket == 0 )
JMF	12:0071cb144c7a	1960	{
JMF	12:0071cb144c7a	1961	*olen = 0;
JMF	12:0071cb144c7a	1962	return;
JMF	12:0071cb144c7a	1963	}
JMF	12:0071cb144c7a	1964
JMF	12:0071cb144c7a	1965	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
JMF	12:0071cb144c7a	1966
JMF	12:0071cb144c7a	1967	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	1968	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
JMF	12:0071cb144c7a	1969
JMF	12:0071cb144c7a	1970	*p++ = 0x00;
JMF	12:0071cb144c7a	1971	*p++ = 0x00;
JMF	12:0071cb144c7a	1972
JMF	12:0071cb144c7a	1973	*olen = 4;
JMF	12:0071cb144c7a	1974	}
JMF	12:0071cb144c7a	1975	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
JMF	12:0071cb144c7a	1976
JMF	12:0071cb144c7a	1977	static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	1978	unsigned char *buf,
JMF	12:0071cb144c7a	1979	size_t *olen )
JMF	12:0071cb144c7a	1980	{
JMF	12:0071cb144c7a	1981	unsigned char *p = buf;
JMF	12:0071cb144c7a	1982
JMF	12:0071cb144c7a	1983	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
JMF	12:0071cb144c7a	1984	{
JMF	12:0071cb144c7a	1985	*olen = 0;
JMF	12:0071cb144c7a	1986	return;
JMF	12:0071cb144c7a	1987	}
JMF	12:0071cb144c7a	1988
JMF	12:0071cb144c7a	1989	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
JMF	12:0071cb144c7a	1990
JMF	12:0071cb144c7a	1991	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	1992	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
JMF	12:0071cb144c7a	1993
JMF	12:0071cb144c7a	1994	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	1995	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
JMF	12:0071cb144c7a	1996	{
JMF	12:0071cb144c7a	1997	*p++ = 0x00;
JMF	12:0071cb144c7a	1998	p++ = ( ssl->verify_data_len 2 + 1 ) & 0xFF;
JMF	12:0071cb144c7a	1999	p++ = ssl->verify_data_len 2 & 0xFF;
JMF	12:0071cb144c7a	2000
JMF	12:0071cb144c7a	2001	memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
JMF	12:0071cb144c7a	2002	p += ssl->verify_data_len;
JMF	12:0071cb144c7a	2003	memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
JMF	12:0071cb144c7a	2004	p += ssl->verify_data_len;
JMF	12:0071cb144c7a	2005	}
JMF	12:0071cb144c7a	2006	else
JMF	12:0071cb144c7a	2007	#endif /* MBEDTLS_SSL_RENEGOTIATION */
JMF	12:0071cb144c7a	2008	{
JMF	12:0071cb144c7a	2009	*p++ = 0x00;
JMF	12:0071cb144c7a	2010	*p++ = 0x01;
JMF	12:0071cb144c7a	2011	*p++ = 0x00;
JMF	12:0071cb144c7a	2012	}
JMF	12:0071cb144c7a	2013
JMF	12:0071cb144c7a	2014	*olen = p - buf;
JMF	12:0071cb144c7a	2015	}
JMF	12:0071cb144c7a	2016
JMF	12:0071cb144c7a	2017	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
JMF	12:0071cb144c7a	2018	static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	2019	unsigned char *buf,
JMF	12:0071cb144c7a	2020	size_t *olen )
JMF	12:0071cb144c7a	2021	{
JMF	12:0071cb144c7a	2022	unsigned char *p = buf;
JMF	12:0071cb144c7a	2023
JMF	12:0071cb144c7a	2024	if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
JMF	12:0071cb144c7a	2025	{
JMF	12:0071cb144c7a	2026	*olen = 0;
JMF	12:0071cb144c7a	2027	return;
JMF	12:0071cb144c7a	2028	}
JMF	12:0071cb144c7a	2029
JMF	12:0071cb144c7a	2030	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
JMF	12:0071cb144c7a	2031
JMF	12:0071cb144c7a	2032	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2033	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
JMF	12:0071cb144c7a	2034
JMF	12:0071cb144c7a	2035	*p++ = 0x00;
JMF	12:0071cb144c7a	2036	*p++ = 1;
JMF	12:0071cb144c7a	2037
JMF	12:0071cb144c7a	2038	*p++ = ssl->session_negotiate->mfl_code;
JMF	12:0071cb144c7a	2039
JMF	12:0071cb144c7a	2040	*olen = 5;
JMF	12:0071cb144c7a	2041	}
JMF	12:0071cb144c7a	2042	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
JMF	12:0071cb144c7a	2043
JMF	12:0071cb144c7a	2044	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
JMF	12:0071cb144c7a	2045	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	2046	static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	2047	unsigned char *buf,
JMF	12:0071cb144c7a	2048	size_t *olen )
JMF	12:0071cb144c7a	2049	{
JMF	12:0071cb144c7a	2050	unsigned char *p = buf;
JMF	12:0071cb144c7a	2051	((void) ssl);
JMF	12:0071cb144c7a	2052
JMF	12:0071cb144c7a	2053	if( ( ssl->handshake->cli_exts &
JMF	12:0071cb144c7a	2054	MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
JMF	12:0071cb144c7a	2055	{
JMF	12:0071cb144c7a	2056	*olen = 0;
JMF	12:0071cb144c7a	2057	return;
JMF	12:0071cb144c7a	2058	}
JMF	12:0071cb144c7a	2059
JMF	12:0071cb144c7a	2060	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
JMF	12:0071cb144c7a	2061
JMF	12:0071cb144c7a	2062	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2063	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
JMF	12:0071cb144c7a	2064
JMF	12:0071cb144c7a	2065	*p++ = 0x00;
JMF	12:0071cb144c7a	2066	*p++ = 2;
JMF	12:0071cb144c7a	2067
JMF	12:0071cb144c7a	2068	*p++ = 1;
JMF	12:0071cb144c7a	2069	*p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
JMF	12:0071cb144c7a	2070
JMF	12:0071cb144c7a	2071	*olen = 6;
JMF	12:0071cb144c7a	2072	}
JMF	12:0071cb144c7a	2073	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\| MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	2074
JMF	12:0071cb144c7a	2075	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	2076	static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	2077	unsigned char *buf,
JMF	12:0071cb144c7a	2078	size_t *olen )
JMF	12:0071cb144c7a	2079	{
JMF	12:0071cb144c7a	2080	int ret;
JMF	12:0071cb144c7a	2081	unsigned char *p = buf;
JMF	12:0071cb144c7a	2082	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
JMF	12:0071cb144c7a	2083	size_t kkpp_len;
JMF	12:0071cb144c7a	2084
JMF	12:0071cb144c7a	2085	*olen = 0;
JMF	12:0071cb144c7a	2086
JMF	12:0071cb144c7a	2087	/* Skip costly computation if not needed */
JMF	12:0071cb144c7a	2088	if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
JMF	12:0071cb144c7a	2089	MBEDTLS_KEY_EXCHANGE_ECJPAKE )
JMF	12:0071cb144c7a	2090	return;
JMF	12:0071cb144c7a	2091
JMF	12:0071cb144c7a	2092	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
JMF	12:0071cb144c7a	2093
JMF	12:0071cb144c7a	2094	if( end - p < 4 )
JMF	12:0071cb144c7a	2095	{
JMF	12:0071cb144c7a	2096	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
JMF	12:0071cb144c7a	2097	return;
JMF	12:0071cb144c7a	2098	}
JMF	12:0071cb144c7a	2099
JMF	12:0071cb144c7a	2100	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2101	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
JMF	12:0071cb144c7a	2102
JMF	12:0071cb144c7a	2103	ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
JMF	12:0071cb144c7a	2104	p + 2, end - p - 2, &kkpp_len,
JMF	12:0071cb144c7a	2105	ssl->conf->f_rng, ssl->conf->p_rng );
JMF	12:0071cb144c7a	2106	if( ret != 0 )
JMF	12:0071cb144c7a	2107	{
JMF	12:0071cb144c7a	2108	MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
JMF	12:0071cb144c7a	2109	return;
JMF	12:0071cb144c7a	2110	}
JMF	12:0071cb144c7a	2111
JMF	12:0071cb144c7a	2112	*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2113	*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
JMF	12:0071cb144c7a	2114
JMF	12:0071cb144c7a	2115	*olen = kkpp_len + 4;
JMF	12:0071cb144c7a	2116	}
JMF	12:0071cb144c7a	2117	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	2118
JMF	12:0071cb144c7a	2119	#if defined(MBEDTLS_SSL_ALPN )
JMF	12:0071cb144c7a	2120	static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	2121	unsigned char buf, size_t olen )
JMF	12:0071cb144c7a	2122	{
JMF	12:0071cb144c7a	2123	if( ssl->alpn_chosen == NULL )
JMF	12:0071cb144c7a	2124	{
JMF	12:0071cb144c7a	2125	*olen = 0;
JMF	12:0071cb144c7a	2126	return;
JMF	12:0071cb144c7a	2127	}
JMF	12:0071cb144c7a	2128
JMF	12:0071cb144c7a	2129	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
JMF	12:0071cb144c7a	2130
JMF	12:0071cb144c7a	2131	/*
JMF	12:0071cb144c7a	2132	* 0 . 1 ext identifier
JMF	12:0071cb144c7a	2133	* 2 . 3 ext length
JMF	12:0071cb144c7a	2134	* 4 . 5 protocol list length
JMF	12:0071cb144c7a	2135	* 6 . 6 protocol name length
JMF	12:0071cb144c7a	2136	* 7 . 7+n protocol name
JMF	12:0071cb144c7a	2137	*/
JMF	12:0071cb144c7a	2138	buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2139	buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
JMF	12:0071cb144c7a	2140
JMF	12:0071cb144c7a	2141	*olen = 7 + strlen( ssl->alpn_chosen );
JMF	12:0071cb144c7a	2142
JMF	12:0071cb144c7a	2143	buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2144	buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
JMF	12:0071cb144c7a	2145
JMF	12:0071cb144c7a	2146	buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2147	buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
JMF	12:0071cb144c7a	2148
JMF	12:0071cb144c7a	2149	buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
JMF	12:0071cb144c7a	2150
JMF	12:0071cb144c7a	2151	memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
JMF	12:0071cb144c7a	2152	}
JMF	12:0071cb144c7a	2153	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C */
JMF	12:0071cb144c7a	2154
JMF	12:0071cb144c7a	2155	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
JMF	12:0071cb144c7a	2156	static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	2157	{
JMF	12:0071cb144c7a	2158	int ret;
JMF	12:0071cb144c7a	2159	unsigned char *p = ssl->out_msg + 4;
JMF	12:0071cb144c7a	2160	unsigned char *cookie_len_byte;
JMF	12:0071cb144c7a	2161
JMF	12:0071cb144c7a	2162	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
JMF	12:0071cb144c7a	2163
JMF	12:0071cb144c7a	2164	/*
JMF	12:0071cb144c7a	2165	* struct {
JMF	12:0071cb144c7a	2166	* ProtocolVersion server_version;
JMF	12:0071cb144c7a	2167	* opaque cookie<0..2^8-1>;
JMF	12:0071cb144c7a	2168	* } HelloVerifyRequest;
JMF	12:0071cb144c7a	2169	*/
JMF	12:0071cb144c7a	2170
JMF	12:0071cb144c7a	2171	/* The RFC is not clear on this point, but sending the actual negotiated
JMF	12:0071cb144c7a	2172	* version looks like the most interoperable thing to do. */
JMF	12:0071cb144c7a	2173	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
JMF	12:0071cb144c7a	2174	ssl->conf->transport, p );
JMF	12:0071cb144c7a	2175	MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
JMF	12:0071cb144c7a	2176	p += 2;
JMF	12:0071cb144c7a	2177
JMF	12:0071cb144c7a	2178	/* If we get here, f_cookie_check is not null */
JMF	12:0071cb144c7a	2179	if( ssl->conf->f_cookie_write == NULL )
JMF	12:0071cb144c7a	2180	{
JMF	12:0071cb144c7a	2181	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
JMF	12:0071cb144c7a	2182	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	2183	}
JMF	12:0071cb144c7a	2184
JMF	12:0071cb144c7a	2185	/* Skip length byte until we know the length */
JMF	12:0071cb144c7a	2186	cookie_len_byte = p++;
JMF	12:0071cb144c7a	2187
JMF	12:0071cb144c7a	2188	if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
JMF	12:0071cb144c7a	2189	&p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
JMF	12:0071cb144c7a	2190	ssl->cli_id, ssl->cli_id_len ) ) != 0 )
JMF	12:0071cb144c7a	2191	{
JMF	12:0071cb144c7a	2192	MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
JMF	12:0071cb144c7a	2193	return( ret );
JMF	12:0071cb144c7a	2194	}
JMF	12:0071cb144c7a	2195
JMF	12:0071cb144c7a	2196	*cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
JMF	12:0071cb144c7a	2197
JMF	12:0071cb144c7a	2198	MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
JMF	12:0071cb144c7a	2199
JMF	12:0071cb144c7a	2200	ssl->out_msglen = p - ssl->out_msg;
JMF	12:0071cb144c7a	2201	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
JMF	12:0071cb144c7a	2202	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
JMF	12:0071cb144c7a	2203
JMF	12:0071cb144c7a	2204	ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
JMF	12:0071cb144c7a	2205
JMF	12:0071cb144c7a	2206	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
JMF	12:0071cb144c7a	2207	{
JMF	12:0071cb144c7a	2208	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
JMF	12:0071cb144c7a	2209	return( ret );
JMF	12:0071cb144c7a	2210	}
JMF	12:0071cb144c7a	2211
JMF	12:0071cb144c7a	2212	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
JMF	12:0071cb144c7a	2213
JMF	12:0071cb144c7a	2214	return( 0 );
JMF	12:0071cb144c7a	2215	}
JMF	12:0071cb144c7a	2216	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
JMF	12:0071cb144c7a	2217
JMF	12:0071cb144c7a	2218	static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	2219	{
JMF	12:0071cb144c7a	2220	#if defined(MBEDTLS_HAVE_TIME)
JMF	12:0071cb144c7a	2221	mbedtls_time_t t;
JMF	12:0071cb144c7a	2222	#endif
JMF	12:0071cb144c7a	2223	int ret;
JMF	12:0071cb144c7a	2224	size_t olen, ext_len = 0, n;
JMF	12:0071cb144c7a	2225	unsigned char buf, p;
JMF	12:0071cb144c7a	2226
JMF	12:0071cb144c7a	2227	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
JMF	12:0071cb144c7a	2228
JMF	12:0071cb144c7a	2229	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
JMF	12:0071cb144c7a	2230	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
JMF	12:0071cb144c7a	2231	ssl->handshake->verify_cookie_len != 0 )
JMF	12:0071cb144c7a	2232	{
JMF	12:0071cb144c7a	2233	MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
JMF	12:0071cb144c7a	2234	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
JMF	12:0071cb144c7a	2235
JMF	12:0071cb144c7a	2236	return( ssl_write_hello_verify_request( ssl ) );
JMF	12:0071cb144c7a	2237	}
JMF	12:0071cb144c7a	2238	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
JMF	12:0071cb144c7a	2239
JMF	12:0071cb144c7a	2240	if( ssl->conf->f_rng == NULL )
JMF	12:0071cb144c7a	2241	{
JMF	12:0071cb144c7a	2242	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
JMF	12:0071cb144c7a	2243	return( MBEDTLS_ERR_SSL_NO_RNG );
JMF	12:0071cb144c7a	2244	}
JMF	12:0071cb144c7a	2245
JMF	12:0071cb144c7a	2246	/*
JMF	12:0071cb144c7a	2247	* 0 . 0 handshake type
JMF	12:0071cb144c7a	2248	* 1 . 3 handshake length
JMF	12:0071cb144c7a	2249	* 4 . 5 protocol version
JMF	12:0071cb144c7a	2250	* 6 . 9 UNIX time()
JMF	12:0071cb144c7a	2251	* 10 . 37 random bytes
JMF	12:0071cb144c7a	2252	*/
JMF	12:0071cb144c7a	2253	buf = ssl->out_msg;
JMF	12:0071cb144c7a	2254	p = buf + 4;
JMF	12:0071cb144c7a	2255
JMF	12:0071cb144c7a	2256	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
JMF	12:0071cb144c7a	2257	ssl->conf->transport, p );
JMF	12:0071cb144c7a	2258	p += 2;
JMF	12:0071cb144c7a	2259
JMF	12:0071cb144c7a	2260	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
JMF	12:0071cb144c7a	2261	buf[4], buf[5] ) );
JMF	12:0071cb144c7a	2262
JMF	12:0071cb144c7a	2263	#if defined(MBEDTLS_HAVE_TIME)
JMF	12:0071cb144c7a	2264	t = mbedtls_time( NULL );
JMF	12:0071cb144c7a	2265	*p++ = (unsigned char)( t >> 24 );
JMF	12:0071cb144c7a	2266	*p++ = (unsigned char)( t >> 16 );
JMF	12:0071cb144c7a	2267	*p++ = (unsigned char)( t >> 8 );
JMF	12:0071cb144c7a	2268	*p++ = (unsigned char)( t );
JMF	12:0071cb144c7a	2269
JMF	12:0071cb144c7a	2270	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
JMF	12:0071cb144c7a	2271	#else
JMF	12:0071cb144c7a	2272	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
JMF	12:0071cb144c7a	2273	return( ret );
JMF	12:0071cb144c7a	2274
JMF	12:0071cb144c7a	2275	p += 4;
JMF	12:0071cb144c7a	2276	#endif /* MBEDTLS_HAVE_TIME */
JMF	12:0071cb144c7a	2277
JMF	12:0071cb144c7a	2278	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
JMF	12:0071cb144c7a	2279	return( ret );
JMF	12:0071cb144c7a	2280
JMF	12:0071cb144c7a	2281	p += 28;
JMF	12:0071cb144c7a	2282
JMF	12:0071cb144c7a	2283	memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
JMF	12:0071cb144c7a	2284
JMF	12:0071cb144c7a	2285	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
JMF	12:0071cb144c7a	2286
JMF	12:0071cb144c7a	2287	/*
JMF	12:0071cb144c7a	2288	* Resume is 0 by default, see ssl_handshake_init().
JMF	12:0071cb144c7a	2289	* It may be already set to 1 by ssl_parse_session_ticket_ext().
JMF	12:0071cb144c7a	2290	* If not, try looking up session ID in our cache.
JMF	12:0071cb144c7a	2291	*/
JMF	12:0071cb144c7a	2292	if( ssl->handshake->resume == 0 &&
JMF	12:0071cb144c7a	2293	#if defined(MBEDTLS_SSL_RENEGOTIATION)
JMF	12:0071cb144c7a	2294	ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
JMF	12:0071cb144c7a	2295	#endif
JMF	12:0071cb144c7a	2296	ssl->session_negotiate->id_len != 0 &&
JMF	12:0071cb144c7a	2297	ssl->conf->f_get_cache != NULL &&
JMF	12:0071cb144c7a	2298	ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
JMF	12:0071cb144c7a	2299	{
JMF	12:0071cb144c7a	2300	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
JMF	12:0071cb144c7a	2301	ssl->handshake->resume = 1;
JMF	12:0071cb144c7a	2302	}
JMF	12:0071cb144c7a	2303
JMF	12:0071cb144c7a	2304	if( ssl->handshake->resume == 0 )
JMF	12:0071cb144c7a	2305	{
JMF	12:0071cb144c7a	2306	/*
JMF	12:0071cb144c7a	2307	* New session, create a new session id,
JMF	12:0071cb144c7a	2308	* unless we're about to issue a session ticket
JMF	12:0071cb144c7a	2309	*/
JMF	12:0071cb144c7a	2310	ssl->state++;
JMF	12:0071cb144c7a	2311
JMF	12:0071cb144c7a	2312	#if defined(MBEDTLS_HAVE_TIME)
JMF	12:0071cb144c7a	2313	ssl->session_negotiate->start = mbedtls_time( NULL );
JMF	12:0071cb144c7a	2314	#endif
JMF	12:0071cb144c7a	2315
JMF	12:0071cb144c7a	2316	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	2317	if( ssl->handshake->new_session_ticket != 0 )
JMF	12:0071cb144c7a	2318	{
JMF	12:0071cb144c7a	2319	ssl->session_negotiate->id_len = n = 0;
JMF	12:0071cb144c7a	2320	memset( ssl->session_negotiate->id, 0, 32 );
JMF	12:0071cb144c7a	2321	}
JMF	12:0071cb144c7a	2322	else
JMF	12:0071cb144c7a	2323	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
JMF	12:0071cb144c7a	2324	{
JMF	12:0071cb144c7a	2325	ssl->session_negotiate->id_len = n = 32;
JMF	12:0071cb144c7a	2326	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
JMF	12:0071cb144c7a	2327	n ) ) != 0 )
JMF	12:0071cb144c7a	2328	return( ret );
JMF	12:0071cb144c7a	2329	}
JMF	12:0071cb144c7a	2330	}
JMF	12:0071cb144c7a	2331	else
JMF	12:0071cb144c7a	2332	{
JMF	12:0071cb144c7a	2333	/*
JMF	12:0071cb144c7a	2334	* Resuming a session
JMF	12:0071cb144c7a	2335	*/
JMF	12:0071cb144c7a	2336	n = ssl->session_negotiate->id_len;
JMF	12:0071cb144c7a	2337	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
JMF	12:0071cb144c7a	2338
JMF	12:0071cb144c7a	2339	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
JMF	12:0071cb144c7a	2340	{
JMF	12:0071cb144c7a	2341	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
JMF	12:0071cb144c7a	2342	return( ret );
JMF	12:0071cb144c7a	2343	}
JMF	12:0071cb144c7a	2344	}
JMF	12:0071cb144c7a	2345
JMF	12:0071cb144c7a	2346	/*
JMF	12:0071cb144c7a	2347	* 38 . 38 session id length
JMF	12:0071cb144c7a	2348	* 39 . 38+n session id
JMF	12:0071cb144c7a	2349	* 39+n . 40+n chosen ciphersuite
JMF	12:0071cb144c7a	2350	* 41+n . 41+n chosen compression alg.
JMF	12:0071cb144c7a	2351	* 42+n . 43+n extensions length
JMF	12:0071cb144c7a	2352	* 44+n . 43+n+m extensions
JMF	12:0071cb144c7a	2353	*/
JMF	12:0071cb144c7a	2354	*p++ = (unsigned char) ssl->session_negotiate->id_len;
JMF	12:0071cb144c7a	2355	memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
JMF	12:0071cb144c7a	2356	p += ssl->session_negotiate->id_len;
JMF	12:0071cb144c7a	2357
JMF	12:0071cb144c7a	2358	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
JMF	12:0071cb144c7a	2359	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
JMF	12:0071cb144c7a	2360	MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
JMF	12:0071cb144c7a	2361	ssl->handshake->resume ? "a" : "no" ) );
JMF	12:0071cb144c7a	2362
JMF	12:0071cb144c7a	2363	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
JMF	12:0071cb144c7a	2364	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
JMF	12:0071cb144c7a	2365	*p++ = (unsigned char)( ssl->session_negotiate->compression );
JMF	12:0071cb144c7a	2366
JMF	12:0071cb144c7a	2367	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
JMF	12:0071cb144c7a	2368	mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
JMF	12:0071cb144c7a	2369	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
JMF	12:0071cb144c7a	2370	ssl->session_negotiate->compression ) );
JMF	12:0071cb144c7a	2371
JMF	12:0071cb144c7a	2372	/* Do not write the extensions if the protocol is SSLv3 */
JMF	12:0071cb144c7a	2373	#if defined(MBEDTLS_SSL_PROTO_SSL3)
JMF	12:0071cb144c7a	2374	if( ( ssl->major_ver != 3 ) \|\| ( ssl->minor_ver != 0 ) )
JMF	12:0071cb144c7a	2375	{
JMF	12:0071cb144c7a	2376	#endif
JMF	12:0071cb144c7a	2377
JMF	12:0071cb144c7a	2378	/*
JMF	12:0071cb144c7a	2379	* First write extensions, then the total length
JMF	12:0071cb144c7a	2380	*/
JMF	12:0071cb144c7a	2381	ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2382	ext_len += olen;
JMF	12:0071cb144c7a	2383
JMF	12:0071cb144c7a	2384	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
JMF	12:0071cb144c7a	2385	ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2386	ext_len += olen;
JMF	12:0071cb144c7a	2387	#endif
JMF	12:0071cb144c7a	2388
JMF	12:0071cb144c7a	2389	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
JMF	12:0071cb144c7a	2390	ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2391	ext_len += olen;
JMF	12:0071cb144c7a	2392	#endif
JMF	12:0071cb144c7a	2393
JMF	12:0071cb144c7a	2394	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
JMF	12:0071cb144c7a	2395	ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2396	ext_len += olen;
JMF	12:0071cb144c7a	2397	#endif
JMF	12:0071cb144c7a	2398
JMF	12:0071cb144c7a	2399	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
JMF	12:0071cb144c7a	2400	ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2401	ext_len += olen;
JMF	12:0071cb144c7a	2402	#endif
JMF	12:0071cb144c7a	2403
JMF	12:0071cb144c7a	2404	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	2405	ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2406	ext_len += olen;
JMF	12:0071cb144c7a	2407	#endif
JMF	12:0071cb144c7a	2408
JMF	12:0071cb144c7a	2409	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
JMF	12:0071cb144c7a	2410	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	2411	ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2412	ext_len += olen;
JMF	12:0071cb144c7a	2413	#endif
JMF	12:0071cb144c7a	2414
JMF	12:0071cb144c7a	2415	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	2416	ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2417	ext_len += olen;
JMF	12:0071cb144c7a	2418	#endif
JMF	12:0071cb144c7a	2419
JMF	12:0071cb144c7a	2420	#if defined(MBEDTLS_SSL_ALPN)
JMF	12:0071cb144c7a	2421	ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
JMF	12:0071cb144c7a	2422	ext_len += olen;
JMF	12:0071cb144c7a	2423	#endif
JMF	12:0071cb144c7a	2424
JMF	12:0071cb144c7a	2425	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
JMF	12:0071cb144c7a	2426
JMF	12:0071cb144c7a	2427	if( ext_len > 0 )
JMF	12:0071cb144c7a	2428	{
JMF	12:0071cb144c7a	2429	*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	2430	*p++ = (unsigned char)( ( ext_len ) & 0xFF );
JMF	12:0071cb144c7a	2431	p += ext_len;
JMF	12:0071cb144c7a	2432	}
JMF	12:0071cb144c7a	2433
JMF	12:0071cb144c7a	2434	#if defined(MBEDTLS_SSL_PROTO_SSL3)
JMF	12:0071cb144c7a	2435	}
JMF	12:0071cb144c7a	2436	#endif
JMF	12:0071cb144c7a	2437
JMF	12:0071cb144c7a	2438	ssl->out_msglen = p - buf;
JMF	12:0071cb144c7a	2439	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
JMF	12:0071cb144c7a	2440	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
JMF	12:0071cb144c7a	2441
JMF	12:0071cb144c7a	2442	ret = mbedtls_ssl_write_record( ssl );
JMF	12:0071cb144c7a	2443
JMF	12:0071cb144c7a	2444	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
JMF	12:0071cb144c7a	2445
JMF	12:0071cb144c7a	2446	return( ret );
JMF	12:0071cb144c7a	2447	}
JMF	12:0071cb144c7a	2448
JMF	12:0071cb144c7a	2449	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
JMF	12:0071cb144c7a	2450	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
JMF	12:0071cb144c7a	2451	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
JMF	12:0071cb144c7a	2452	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
JMF	12:0071cb144c7a	2453	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	2454	{
JMF	12:0071cb144c7a	2455	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
JMF	12:0071cb144c7a	2456
JMF	12:0071cb144c7a	2457	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
JMF	12:0071cb144c7a	2458
JMF	12:0071cb144c7a	2459	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
JMF	12:0071cb144c7a	2460	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
JMF	12:0071cb144c7a	2461	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
JMF	12:0071cb144c7a	2462	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
JMF	12:0071cb144c7a	2463	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
JMF	12:0071cb144c7a	2464	{
JMF	12:0071cb144c7a	2465	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
JMF	12:0071cb144c7a	2466	ssl->state++;
JMF	12:0071cb144c7a	2467	return( 0 );
JMF	12:0071cb144c7a	2468	}
JMF	12:0071cb144c7a	2469
JMF	12:0071cb144c7a	2470	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	2471	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	2472	}
JMF	12:0071cb144c7a	2473	#else
JMF	12:0071cb144c7a	2474	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	2475	{
JMF	12:0071cb144c7a	2476	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
JMF	12:0071cb144c7a	2477	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
JMF	12:0071cb144c7a	2478	size_t dn_size, total_dn_size; /* excluding length bytes */
JMF	12:0071cb144c7a	2479	size_t ct_len, sa_len; /* including length bytes */
JMF	12:0071cb144c7a	2480	unsigned char buf, p;
JMF	12:0071cb144c7a	2481	const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
JMF	12:0071cb144c7a	2482	const mbedtls_x509_crt *crt;
JMF	12:0071cb144c7a	2483	int authmode;
JMF	12:0071cb144c7a	2484
JMF	12:0071cb144c7a	2485	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
JMF	12:0071cb144c7a	2486
JMF	12:0071cb144c7a	2487	ssl->state++;
JMF	12:0071cb144c7a	2488
JMF	12:0071cb144c7a	2489	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
JMF	12:0071cb144c7a	2490	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
JMF	12:0071cb144c7a	2491	authmode = ssl->handshake->sni_authmode;
JMF	12:0071cb144c7a	2492	else
JMF	12:0071cb144c7a	2493	#endif
JMF	12:0071cb144c7a	2494	authmode = ssl->conf->authmode;
JMF	12:0071cb144c7a	2495
JMF	12:0071cb144c7a	2496	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
JMF	12:0071cb144c7a	2497	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
JMF	12:0071cb144c7a	2498	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
JMF	12:0071cb144c7a	2499	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
JMF	12:0071cb144c7a	2500	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
JMF	12:0071cb144c7a	2501	authmode == MBEDTLS_SSL_VERIFY_NONE )
JMF	12:0071cb144c7a	2502	{
JMF	12:0071cb144c7a	2503	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
JMF	12:0071cb144c7a	2504	return( 0 );
JMF	12:0071cb144c7a	2505	}
JMF	12:0071cb144c7a	2506
JMF	12:0071cb144c7a	2507	/*
JMF	12:0071cb144c7a	2508	* 0 . 0 handshake type
JMF	12:0071cb144c7a	2509	* 1 . 3 handshake length
JMF	12:0071cb144c7a	2510	* 4 . 4 cert type count
JMF	12:0071cb144c7a	2511	* 5 .. m-1 cert types
JMF	12:0071cb144c7a	2512	* m .. m+1 sig alg length (TLS 1.2 only)
JMF	12:0071cb144c7a	2513	* m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
JMF	12:0071cb144c7a	2514	* n .. n+1 length of all DNs
JMF	12:0071cb144c7a	2515	* n+2 .. n+3 length of DN 1
JMF	12:0071cb144c7a	2516	* n+4 .. ... Distinguished Name #1
JMF	12:0071cb144c7a	2517	* ... .. ... length of DN 2, etc.
JMF	12:0071cb144c7a	2518	*/
JMF	12:0071cb144c7a	2519	buf = ssl->out_msg;
JMF	12:0071cb144c7a	2520	p = buf + 4;
JMF	12:0071cb144c7a	2521
JMF	12:0071cb144c7a	2522	/*
JMF	12:0071cb144c7a	2523	* Supported certificate types
JMF	12:0071cb144c7a	2524	*
JMF	12:0071cb144c7a	2525	* ClientCertificateType certificate_types<1..2^8-1>;
JMF	12:0071cb144c7a	2526	* enum { (255) } ClientCertificateType;
JMF	12:0071cb144c7a	2527	*/
JMF	12:0071cb144c7a	2528	ct_len = 0;
JMF	12:0071cb144c7a	2529
JMF	12:0071cb144c7a	2530	#if defined(MBEDTLS_RSA_C)
JMF	12:0071cb144c7a	2531	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
JMF	12:0071cb144c7a	2532	#endif
JMF	12:0071cb144c7a	2533	#if defined(MBEDTLS_ECDSA_C)
JMF	12:0071cb144c7a	2534	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
JMF	12:0071cb144c7a	2535	#endif
JMF	12:0071cb144c7a	2536
JMF	12:0071cb144c7a	2537	p[0] = (unsigned char) ct_len++;
JMF	12:0071cb144c7a	2538	p += ct_len;
JMF	12:0071cb144c7a	2539
JMF	12:0071cb144c7a	2540	sa_len = 0;
JMF	12:0071cb144c7a	2541	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
JMF	12:0071cb144c7a	2542	/*
JMF	12:0071cb144c7a	2543	* Add signature_algorithms for verify (TLS 1.2)
JMF	12:0071cb144c7a	2544	*
JMF	12:0071cb144c7a	2545	* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
JMF	12:0071cb144c7a	2546	*
JMF	12:0071cb144c7a	2547	* struct {
JMF	12:0071cb144c7a	2548	* HashAlgorithm hash;
JMF	12:0071cb144c7a	2549	* SignatureAlgorithm signature;
JMF	12:0071cb144c7a	2550	* } SignatureAndHashAlgorithm;
JMF	12:0071cb144c7a	2551	*
JMF	12:0071cb144c7a	2552	* enum { (255) } HashAlgorithm;
JMF	12:0071cb144c7a	2553	* enum { (255) } SignatureAlgorithm;
JMF	12:0071cb144c7a	2554	*/
JMF	12:0071cb144c7a	2555	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
JMF	12:0071cb144c7a	2556	{
JMF	12:0071cb144c7a	2557	/*
JMF	12:0071cb144c7a	2558	* Only use current running hash algorithm that is already required
JMF	12:0071cb144c7a	2559	* for requested ciphersuite.
JMF	12:0071cb144c7a	2560	*/
JMF	12:0071cb144c7a	2561	ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA256;
JMF	12:0071cb144c7a	2562
JMF	12:0071cb144c7a	2563	if( ssl->transform_negotiate->ciphersuite_info->mac ==
JMF	12:0071cb144c7a	2564	MBEDTLS_MD_SHA384 )
JMF	12:0071cb144c7a	2565	{
JMF	12:0071cb144c7a	2566	ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA384;
JMF	12:0071cb144c7a	2567	}
JMF	12:0071cb144c7a	2568
JMF	12:0071cb144c7a	2569	/*
JMF	12:0071cb144c7a	2570	* Supported signature algorithms
JMF	12:0071cb144c7a	2571	*/
JMF	12:0071cb144c7a	2572	#if defined(MBEDTLS_RSA_C)
JMF	12:0071cb144c7a	2573	p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
JMF	12:0071cb144c7a	2574	p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
JMF	12:0071cb144c7a	2575	#endif
JMF	12:0071cb144c7a	2576	#if defined(MBEDTLS_ECDSA_C)
JMF	12:0071cb144c7a	2577	p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
JMF	12:0071cb144c7a	2578	p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
JMF	12:0071cb144c7a	2579	#endif
JMF	12:0071cb144c7a	2580
JMF	12:0071cb144c7a	2581	p[0] = (unsigned char)( sa_len >> 8 );
JMF	12:0071cb144c7a	2582	p[1] = (unsigned char)( sa_len );
JMF	12:0071cb144c7a	2583	sa_len += 2;
JMF	12:0071cb144c7a	2584	p += sa_len;
JMF	12:0071cb144c7a	2585	}
JMF	12:0071cb144c7a	2586	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
JMF	12:0071cb144c7a	2587
JMF	12:0071cb144c7a	2588	/*
JMF	12:0071cb144c7a	2589	* DistinguishedName certificate_authorities<0..2^16-1>;
JMF	12:0071cb144c7a	2590	* opaque DistinguishedName<1..2^16-1>;
JMF	12:0071cb144c7a	2591	*/
JMF	12:0071cb144c7a	2592	p += 2;
JMF	12:0071cb144c7a	2593	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
JMF	12:0071cb144c7a	2594	if( ssl->handshake->sni_ca_chain != NULL )
JMF	12:0071cb144c7a	2595	crt = ssl->handshake->sni_ca_chain;
JMF	12:0071cb144c7a	2596	else
JMF	12:0071cb144c7a	2597	#endif
JMF	12:0071cb144c7a	2598	crt = ssl->conf->ca_chain;
JMF	12:0071cb144c7a	2599
JMF	12:0071cb144c7a	2600	total_dn_size = 0;
JMF	12:0071cb144c7a	2601	while( crt != NULL && crt->version != 0 )
JMF	12:0071cb144c7a	2602	{
JMF	12:0071cb144c7a	2603	dn_size = crt->subject_raw.len;
JMF	12:0071cb144c7a	2604
JMF	12:0071cb144c7a	2605	if( end < p \|\|
JMF	12:0071cb144c7a	2606	(size_t)( end - p ) < dn_size \|\|
JMF	12:0071cb144c7a	2607	(size_t)( end - p ) < 2 + dn_size )
JMF	12:0071cb144c7a	2608	{
JMF	12:0071cb144c7a	2609	MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
JMF	12:0071cb144c7a	2610	break;
JMF	12:0071cb144c7a	2611	}
JMF	12:0071cb144c7a	2612
JMF	12:0071cb144c7a	2613	*p++ = (unsigned char)( dn_size >> 8 );
JMF	12:0071cb144c7a	2614	*p++ = (unsigned char)( dn_size );
JMF	12:0071cb144c7a	2615	memcpy( p, crt->subject_raw.p, dn_size );
JMF	12:0071cb144c7a	2616	p += dn_size;
JMF	12:0071cb144c7a	2617
JMF	12:0071cb144c7a	2618	MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
JMF	12:0071cb144c7a	2619
JMF	12:0071cb144c7a	2620	total_dn_size += 2 + dn_size;
JMF	12:0071cb144c7a	2621	crt = crt->next;
JMF	12:0071cb144c7a	2622	}
JMF	12:0071cb144c7a	2623
JMF	12:0071cb144c7a	2624	ssl->out_msglen = p - buf;
JMF	12:0071cb144c7a	2625	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
JMF	12:0071cb144c7a	2626	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
JMF	12:0071cb144c7a	2627	ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
JMF	12:0071cb144c7a	2628	ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
JMF	12:0071cb144c7a	2629
JMF	12:0071cb144c7a	2630	ret = mbedtls_ssl_write_record( ssl );
JMF	12:0071cb144c7a	2631
JMF	12:0071cb144c7a	2632	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
JMF	12:0071cb144c7a	2633
JMF	12:0071cb144c7a	2634	return( ret );
JMF	12:0071cb144c7a	2635	}
JMF	12:0071cb144c7a	2636	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
JMF	12:0071cb144c7a	2637	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
JMF	12:0071cb144c7a	2638	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
JMF	12:0071cb144c7a	2639	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
JMF	12:0071cb144c7a	2640
JMF	12:0071cb144c7a	2641	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2642	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
JMF	12:0071cb144c7a	2643	static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	2644	{
JMF	12:0071cb144c7a	2645	int ret;
JMF	12:0071cb144c7a	2646
JMF	12:0071cb144c7a	2647	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
JMF	12:0071cb144c7a	2648	{
JMF	12:0071cb144c7a	2649	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
JMF	12:0071cb144c7a	2650	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
JMF	12:0071cb144c7a	2651	}
JMF	12:0071cb144c7a	2652
JMF	12:0071cb144c7a	2653	if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
JMF	12:0071cb144c7a	2654	mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
JMF	12:0071cb144c7a	2655	MBEDTLS_ECDH_OURS ) ) != 0 )
JMF	12:0071cb144c7a	2656	{
JMF	12:0071cb144c7a	2657	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
JMF	12:0071cb144c7a	2658	return( ret );
JMF	12:0071cb144c7a	2659	}
JMF	12:0071cb144c7a	2660
JMF	12:0071cb144c7a	2661	return( 0 );
JMF	12:0071cb144c7a	2662	}
JMF	12:0071cb144c7a	2663	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\|
JMF	12:0071cb144c7a	2664	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
JMF	12:0071cb144c7a	2665
JMF	12:0071cb144c7a	2666	static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	2667	{
JMF	12:0071cb144c7a	2668	int ret;
JMF	12:0071cb144c7a	2669	size_t n = 0;
JMF	12:0071cb144c7a	2670	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
JMF	12:0071cb144c7a	2671	ssl->transform_negotiate->ciphersuite_info;
JMF	12:0071cb144c7a	2672
JMF	12:0071cb144c7a	2673	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2674	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) \|\| \
JMF	12:0071cb144c7a	2675	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2676	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
JMF	12:0071cb144c7a	2677	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2678	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	2679	unsigned char *p = ssl->out_msg + 4;
JMF	12:0071cb144c7a	2680	unsigned char *dig_signed = p;
JMF	12:0071cb144c7a	2681	size_t dig_signed_len = 0, len;
JMF	12:0071cb144c7a	2682	((void) dig_signed);
JMF	12:0071cb144c7a	2683	((void) dig_signed_len);
JMF	12:0071cb144c7a	2684	((void) len);
JMF	12:0071cb144c7a	2685	#endif
JMF	12:0071cb144c7a	2686
JMF	12:0071cb144c7a	2687	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
JMF	12:0071cb144c7a	2688
JMF	12:0071cb144c7a	2689	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2690	defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) \|\| \
JMF	12:0071cb144c7a	2691	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
JMF	12:0071cb144c7a	2692	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA \|\|
JMF	12:0071cb144c7a	2693	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
JMF	12:0071cb144c7a	2694	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
JMF	12:0071cb144c7a	2695	{
JMF	12:0071cb144c7a	2696	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
JMF	12:0071cb144c7a	2697	ssl->state++;
JMF	12:0071cb144c7a	2698	return( 0 );
JMF	12:0071cb144c7a	2699	}
JMF	12:0071cb144c7a	2700	#endif
JMF	12:0071cb144c7a	2701
JMF	12:0071cb144c7a	2702	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2703	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
JMF	12:0071cb144c7a	2704	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
JMF	12:0071cb144c7a	2705	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
JMF	12:0071cb144c7a	2706	{
JMF	12:0071cb144c7a	2707	ssl_get_ecdh_params_from_cert( ssl );
JMF	12:0071cb144c7a	2708
JMF	12:0071cb144c7a	2709	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
JMF	12:0071cb144c7a	2710	ssl->state++;
JMF	12:0071cb144c7a	2711	return( 0 );
JMF	12:0071cb144c7a	2712	}
JMF	12:0071cb144c7a	2713	#endif
JMF	12:0071cb144c7a	2714
JMF	12:0071cb144c7a	2715	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	2716	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
JMF	12:0071cb144c7a	2717	{
JMF	12:0071cb144c7a	2718	size_t jlen;
JMF	12:0071cb144c7a	2719	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
JMF	12:0071cb144c7a	2720
JMF	12:0071cb144c7a	2721	ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
JMF	12:0071cb144c7a	2722	p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng );
JMF	12:0071cb144c7a	2723	if( ret != 0 )
JMF	12:0071cb144c7a	2724	{
JMF	12:0071cb144c7a	2725	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
JMF	12:0071cb144c7a	2726	return( ret );
JMF	12:0071cb144c7a	2727	}
JMF	12:0071cb144c7a	2728
JMF	12:0071cb144c7a	2729	p += jlen;
JMF	12:0071cb144c7a	2730	n += jlen;
JMF	12:0071cb144c7a	2731	}
JMF	12:0071cb144c7a	2732	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	2733
JMF	12:0071cb144c7a	2734	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) \|\| \
JMF	12:0071cb144c7a	2735	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
JMF	12:0071cb144c7a	2736	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
JMF	12:0071cb144c7a	2737	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
JMF	12:0071cb144c7a	2738	{
JMF	12:0071cb144c7a	2739	/* Note: we don't support identity hints, until someone asks
JMF	12:0071cb144c7a	2740	* for them. */
JMF	12:0071cb144c7a	2741	*(p++) = 0x00;
JMF	12:0071cb144c7a	2742	*(p++) = 0x00;
JMF	12:0071cb144c7a	2743
JMF	12:0071cb144c7a	2744	n += 2;
JMF	12:0071cb144c7a	2745	}
JMF	12:0071cb144c7a	2746	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \|\|
JMF	12:0071cb144c7a	2747	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
JMF	12:0071cb144c7a	2748
JMF	12:0071cb144c7a	2749	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2750	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
JMF	12:0071cb144c7a	2751	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
JMF	12:0071cb144c7a	2752	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
JMF	12:0071cb144c7a	2753	{
JMF	12:0071cb144c7a	2754	if( ssl->conf->dhm_P.p == NULL \|\| ssl->conf->dhm_G.p == NULL )
JMF	12:0071cb144c7a	2755	{
JMF	12:0071cb144c7a	2756	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
JMF	12:0071cb144c7a	2757	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
JMF	12:0071cb144c7a	2758	}
JMF	12:0071cb144c7a	2759
JMF	12:0071cb144c7a	2760	/*
JMF	12:0071cb144c7a	2761	* Ephemeral DH parameters:
JMF	12:0071cb144c7a	2762	*
JMF	12:0071cb144c7a	2763	* struct {
JMF	12:0071cb144c7a	2764	* opaque dh_p<1..2^16-1>;
JMF	12:0071cb144c7a	2765	* opaque dh_g<1..2^16-1>;
JMF	12:0071cb144c7a	2766	* opaque dh_Ys<1..2^16-1>;
JMF	12:0071cb144c7a	2767	* } ServerDHParams;
JMF	12:0071cb144c7a	2768	*/
JMF	12:0071cb144c7a	2769	if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 \|\|
JMF	12:0071cb144c7a	2770	( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
JMF	12:0071cb144c7a	2771	{
JMF	12:0071cb144c7a	2772	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
JMF	12:0071cb144c7a	2773	return( ret );
JMF	12:0071cb144c7a	2774	}
JMF	12:0071cb144c7a	2775
JMF	12:0071cb144c7a	2776	if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
JMF	12:0071cb144c7a	2777	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
JMF	12:0071cb144c7a	2778	p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
JMF	12:0071cb144c7a	2779	{
JMF	12:0071cb144c7a	2780	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
JMF	12:0071cb144c7a	2781	return( ret );
JMF	12:0071cb144c7a	2782	}
JMF	12:0071cb144c7a	2783
JMF	12:0071cb144c7a	2784	dig_signed = p;
JMF	12:0071cb144c7a	2785	dig_signed_len = len;
JMF	12:0071cb144c7a	2786
JMF	12:0071cb144c7a	2787	p += len;
JMF	12:0071cb144c7a	2788	n += len;
JMF	12:0071cb144c7a	2789
JMF	12:0071cb144c7a	2790	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
JMF	12:0071cb144c7a	2791	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
JMF	12:0071cb144c7a	2792	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
JMF	12:0071cb144c7a	2793	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
JMF	12:0071cb144c7a	2794	}
JMF	12:0071cb144c7a	2795	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
JMF	12:0071cb144c7a	2796	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
JMF	12:0071cb144c7a	2797
JMF	12:0071cb144c7a	2798	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
JMF	12:0071cb144c7a	2799	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
JMF	12:0071cb144c7a	2800	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
JMF	12:0071cb144c7a	2801	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
JMF	12:0071cb144c7a	2802	{
JMF	12:0071cb144c7a	2803	/*
JMF	12:0071cb144c7a	2804	* Ephemeral ECDH parameters:
JMF	12:0071cb144c7a	2805	*
JMF	12:0071cb144c7a	2806	* struct {
JMF	12:0071cb144c7a	2807	* ECParameters curve_params;
JMF	12:0071cb144c7a	2808	* ECPoint public;
JMF	12:0071cb144c7a	2809	* } ServerECDHParams;
JMF	12:0071cb144c7a	2810	*/
JMF	12:0071cb144c7a	2811	const mbedtls_ecp_curve_info **curve = NULL;
JMF	12:0071cb144c7a	2812	const mbedtls_ecp_group_id *gid;
JMF	12:0071cb144c7a	2813
JMF	12:0071cb144c7a	2814	/* Match our preference list against the offered curves */
JMF	12:0071cb144c7a	2815	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
JMF	12:0071cb144c7a	2816	for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
JMF	12:0071cb144c7a	2817	if( (curve)->grp_id == gid )
JMF	12:0071cb144c7a	2818	goto curve_matching_done;
JMF	12:0071cb144c7a	2819
JMF	12:0071cb144c7a	2820	curve_matching_done:
JMF	12:0071cb144c7a	2821	if( curve == NULL \|\| *curve == NULL )
JMF	12:0071cb144c7a	2822	{
JMF	12:0071cb144c7a	2823	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
JMF	12:0071cb144c7a	2824	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
JMF	12:0071cb144c7a	2825	}
JMF	12:0071cb144c7a	2826
JMF	12:0071cb144c7a	2827	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
JMF	12:0071cb144c7a	2828
JMF	12:0071cb144c7a	2829	if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
JMF	12:0071cb144c7a	2830	(*curve)->grp_id ) ) != 0 )
JMF	12:0071cb144c7a	2831	{
JMF	12:0071cb144c7a	2832	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
JMF	12:0071cb144c7a	2833	return( ret );
JMF	12:0071cb144c7a	2834	}
JMF	12:0071cb144c7a	2835
JMF	12:0071cb144c7a	2836	if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
JMF	12:0071cb144c7a	2837	p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
JMF	12:0071cb144c7a	2838	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
JMF	12:0071cb144c7a	2839	{
JMF	12:0071cb144c7a	2840	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
JMF	12:0071cb144c7a	2841	return( ret );
JMF	12:0071cb144c7a	2842	}
JMF	12:0071cb144c7a	2843
JMF	12:0071cb144c7a	2844	dig_signed = p;
JMF	12:0071cb144c7a	2845	dig_signed_len = len;
JMF	12:0071cb144c7a	2846
JMF	12:0071cb144c7a	2847	p += len;
JMF	12:0071cb144c7a	2848	n += len;
JMF	12:0071cb144c7a	2849
JMF	12:0071cb144c7a	2850	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
JMF	12:0071cb144c7a	2851	}
JMF	12:0071cb144c7a	2852	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
JMF	12:0071cb144c7a	2853
JMF	12:0071cb144c7a	2854	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2855	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	2856	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
JMF	12:0071cb144c7a	2857	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
JMF	12:0071cb144c7a	2858	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
JMF	12:0071cb144c7a	2859	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
JMF	12:0071cb144c7a	2860	{
JMF	12:0071cb144c7a	2861	size_t signature_len = 0;
JMF	12:0071cb144c7a	2862	unsigned int hashlen = 0;
JMF	12:0071cb144c7a	2863	unsigned char hash[64];
JMF	12:0071cb144c7a	2864	mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
JMF	12:0071cb144c7a	2865
JMF	12:0071cb144c7a	2866	/*
JMF	12:0071cb144c7a	2867	* Choose hash algorithm. NONE means MD5 + SHA1 here.
JMF	12:0071cb144c7a	2868	*/
JMF	12:0071cb144c7a	2869	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
JMF	12:0071cb144c7a	2870	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
JMF	12:0071cb144c7a	2871	{
JMF	12:0071cb144c7a	2872	md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
JMF	12:0071cb144c7a	2873
JMF	12:0071cb144c7a	2874	if( md_alg == MBEDTLS_MD_NONE )
JMF	12:0071cb144c7a	2875	{
JMF	12:0071cb144c7a	2876	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	2877	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	2878	}
JMF	12:0071cb144c7a	2879	}
JMF	12:0071cb144c7a	2880	else
JMF	12:0071cb144c7a	2881	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
JMF	12:0071cb144c7a	2882	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
JMF	12:0071cb144c7a	2883	defined(MBEDTLS_SSL_PROTO_TLS1_1)
JMF	12:0071cb144c7a	2884	if( ciphersuite_info->key_exchange ==
JMF	12:0071cb144c7a	2885	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
JMF	12:0071cb144c7a	2886	{
JMF	12:0071cb144c7a	2887	md_alg = MBEDTLS_MD_SHA1;
JMF	12:0071cb144c7a	2888	}
JMF	12:0071cb144c7a	2889	else
JMF	12:0071cb144c7a	2890	#endif
JMF	12:0071cb144c7a	2891	{
JMF	12:0071cb144c7a	2892	md_alg = MBEDTLS_MD_NONE;
JMF	12:0071cb144c7a	2893	}
JMF	12:0071cb144c7a	2894
JMF	12:0071cb144c7a	2895	/*
JMF	12:0071cb144c7a	2896	* Compute the hash to be signed
JMF	12:0071cb144c7a	2897	*/
JMF	12:0071cb144c7a	2898	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
JMF	12:0071cb144c7a	2899	defined(MBEDTLS_SSL_PROTO_TLS1_1)
JMF	12:0071cb144c7a	2900	if( md_alg == MBEDTLS_MD_NONE )
JMF	12:0071cb144c7a	2901	{
JMF	12:0071cb144c7a	2902	mbedtls_md5_context mbedtls_md5;
JMF	12:0071cb144c7a	2903	mbedtls_sha1_context mbedtls_sha1;
JMF	12:0071cb144c7a	2904
JMF	12:0071cb144c7a	2905	mbedtls_md5_init( &mbedtls_md5 );
JMF	12:0071cb144c7a	2906	mbedtls_sha1_init( &mbedtls_sha1 );
JMF	12:0071cb144c7a	2907
JMF	12:0071cb144c7a	2908	/*
JMF	12:0071cb144c7a	2909	* digitally-signed struct {
JMF	12:0071cb144c7a	2910	* opaque md5_hash[16];
JMF	12:0071cb144c7a	2911	* opaque sha_hash[20];
JMF	12:0071cb144c7a	2912	* };
JMF	12:0071cb144c7a	2913	*
JMF	12:0071cb144c7a	2914	* md5_hash
JMF	12:0071cb144c7a	2915	* MD5(ClientHello.random + ServerHello.random
JMF	12:0071cb144c7a	2916	* + ServerParams);
JMF	12:0071cb144c7a	2917	* sha_hash
JMF	12:0071cb144c7a	2918	* SHA(ClientHello.random + ServerHello.random
JMF	12:0071cb144c7a	2919	* + ServerParams);
JMF	12:0071cb144c7a	2920	*/
JMF	12:0071cb144c7a	2921	mbedtls_md5_starts( &mbedtls_md5 );
JMF	12:0071cb144c7a	2922	mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
JMF	12:0071cb144c7a	2923	mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
JMF	12:0071cb144c7a	2924	mbedtls_md5_finish( &mbedtls_md5, hash );
JMF	12:0071cb144c7a	2925
JMF	12:0071cb144c7a	2926	mbedtls_sha1_starts( &mbedtls_sha1 );
JMF	12:0071cb144c7a	2927	mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
JMF	12:0071cb144c7a	2928	mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
JMF	12:0071cb144c7a	2929	mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
JMF	12:0071cb144c7a	2930
JMF	12:0071cb144c7a	2931	hashlen = 36;
JMF	12:0071cb144c7a	2932
JMF	12:0071cb144c7a	2933	mbedtls_md5_free( &mbedtls_md5 );
JMF	12:0071cb144c7a	2934	mbedtls_sha1_free( &mbedtls_sha1 );
JMF	12:0071cb144c7a	2935	}
JMF	12:0071cb144c7a	2936	else
JMF	12:0071cb144c7a	2937	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
JMF	12:0071cb144c7a	2938	MBEDTLS_SSL_PROTO_TLS1_1 */
JMF	12:0071cb144c7a	2939	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
JMF	12:0071cb144c7a	2940	defined(MBEDTLS_SSL_PROTO_TLS1_2)
JMF	12:0071cb144c7a	2941	if( md_alg != MBEDTLS_MD_NONE )
JMF	12:0071cb144c7a	2942	{
JMF	12:0071cb144c7a	2943	mbedtls_md_context_t ctx;
JMF	12:0071cb144c7a	2944	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
JMF	12:0071cb144c7a	2945
JMF	12:0071cb144c7a	2946	mbedtls_md_init( &ctx );
JMF	12:0071cb144c7a	2947
JMF	12:0071cb144c7a	2948	/* Info from md_alg will be used instead */
JMF	12:0071cb144c7a	2949	hashlen = 0;
JMF	12:0071cb144c7a	2950
JMF	12:0071cb144c7a	2951	/*
JMF	12:0071cb144c7a	2952	* digitally-signed struct {
JMF	12:0071cb144c7a	2953	* opaque client_random[32];
JMF	12:0071cb144c7a	2954	* opaque server_random[32];
JMF	12:0071cb144c7a	2955	* ServerDHParams params;
JMF	12:0071cb144c7a	2956	* };
JMF	12:0071cb144c7a	2957	*/
JMF	12:0071cb144c7a	2958	if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
JMF	12:0071cb144c7a	2959	{
JMF	12:0071cb144c7a	2960	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
JMF	12:0071cb144c7a	2961	return( ret );
JMF	12:0071cb144c7a	2962	}
JMF	12:0071cb144c7a	2963
JMF	12:0071cb144c7a	2964	mbedtls_md_starts( &ctx );
JMF	12:0071cb144c7a	2965	mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
JMF	12:0071cb144c7a	2966	mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
JMF	12:0071cb144c7a	2967	mbedtls_md_finish( &ctx, hash );
JMF	12:0071cb144c7a	2968	mbedtls_md_free( &ctx );
JMF	12:0071cb144c7a	2969	}
JMF	12:0071cb144c7a	2970	else
JMF	12:0071cb144c7a	2971	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
JMF	12:0071cb144c7a	2972	MBEDTLS_SSL_PROTO_TLS1_2 */
JMF	12:0071cb144c7a	2973	{
JMF	12:0071cb144c7a	2974	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	2975	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	2976	}
JMF	12:0071cb144c7a	2977
JMF	12:0071cb144c7a	2978	MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
JMF	12:0071cb144c7a	2979	(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
JMF	12:0071cb144c7a	2980
JMF	12:0071cb144c7a	2981	/*
JMF	12:0071cb144c7a	2982	* Make the signature
JMF	12:0071cb144c7a	2983	*/
JMF	12:0071cb144c7a	2984	if( mbedtls_ssl_own_key( ssl ) == NULL )
JMF	12:0071cb144c7a	2985	{
JMF	12:0071cb144c7a	2986	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
JMF	12:0071cb144c7a	2987	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
JMF	12:0071cb144c7a	2988	}
JMF	12:0071cb144c7a	2989
JMF	12:0071cb144c7a	2990	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
JMF	12:0071cb144c7a	2991	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
JMF	12:0071cb144c7a	2992	{
JMF	12:0071cb144c7a	2993	*(p++) = ssl->handshake->sig_alg;
JMF	12:0071cb144c7a	2994	*(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
JMF	12:0071cb144c7a	2995
JMF	12:0071cb144c7a	2996	n += 2;
JMF	12:0071cb144c7a	2997	}
JMF	12:0071cb144c7a	2998	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
JMF	12:0071cb144c7a	2999
JMF	12:0071cb144c7a	3000	if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
JMF	12:0071cb144c7a	3001	p + 2 , &signature_len,
JMF	12:0071cb144c7a	3002	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
JMF	12:0071cb144c7a	3003	{
JMF	12:0071cb144c7a	3004	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
JMF	12:0071cb144c7a	3005	return( ret );
JMF	12:0071cb144c7a	3006	}
JMF	12:0071cb144c7a	3007
JMF	12:0071cb144c7a	3008	*(p++) = (unsigned char)( signature_len >> 8 );
JMF	12:0071cb144c7a	3009	*(p++) = (unsigned char)( signature_len );
JMF	12:0071cb144c7a	3010	n += 2;
JMF	12:0071cb144c7a	3011
JMF	12:0071cb144c7a	3012	MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
JMF	12:0071cb144c7a	3013
JMF	12:0071cb144c7a	3014	n += signature_len;
JMF	12:0071cb144c7a	3015	}
JMF	12:0071cb144c7a	3016	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\|
JMF	12:0071cb144c7a	3017	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
JMF	12:0071cb144c7a	3018	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
JMF	12:0071cb144c7a	3019
JMF	12:0071cb144c7a	3020	ssl->out_msglen = 4 + n;
JMF	12:0071cb144c7a	3021	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
JMF	12:0071cb144c7a	3022	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
JMF	12:0071cb144c7a	3023
JMF	12:0071cb144c7a	3024	ssl->state++;
JMF	12:0071cb144c7a	3025
JMF	12:0071cb144c7a	3026	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3027	{
JMF	12:0071cb144c7a	3028	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
JMF	12:0071cb144c7a	3029	return( ret );
JMF	12:0071cb144c7a	3030	}
JMF	12:0071cb144c7a	3031
JMF	12:0071cb144c7a	3032	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
JMF	12:0071cb144c7a	3033
JMF	12:0071cb144c7a	3034	return( 0 );
JMF	12:0071cb144c7a	3035	}
JMF	12:0071cb144c7a	3036
JMF	12:0071cb144c7a	3037	static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	3038	{
JMF	12:0071cb144c7a	3039	int ret;
JMF	12:0071cb144c7a	3040
JMF	12:0071cb144c7a	3041	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
JMF	12:0071cb144c7a	3042
JMF	12:0071cb144c7a	3043	ssl->out_msglen = 4;
JMF	12:0071cb144c7a	3044	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
JMF	12:0071cb144c7a	3045	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
JMF	12:0071cb144c7a	3046
JMF	12:0071cb144c7a	3047	ssl->state++;
JMF	12:0071cb144c7a	3048
JMF	12:0071cb144c7a	3049	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	3050	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
JMF	12:0071cb144c7a	3051	mbedtls_ssl_send_flight_completed( ssl );
JMF	12:0071cb144c7a	3052	#endif
JMF	12:0071cb144c7a	3053
JMF	12:0071cb144c7a	3054	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3055	{
JMF	12:0071cb144c7a	3056	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
JMF	12:0071cb144c7a	3057	return( ret );
JMF	12:0071cb144c7a	3058	}
JMF	12:0071cb144c7a	3059
JMF	12:0071cb144c7a	3060	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
JMF	12:0071cb144c7a	3061
JMF	12:0071cb144c7a	3062	return( 0 );
JMF	12:0071cb144c7a	3063	}
JMF	12:0071cb144c7a	3064
JMF	12:0071cb144c7a	3065	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	3066	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
JMF	12:0071cb144c7a	3067	static int ssl_parse_client_dh_public( mbedtls_ssl_context ssl, unsigned char *p,
JMF	12:0071cb144c7a	3068	const unsigned char *end )
JMF	12:0071cb144c7a	3069	{
JMF	12:0071cb144c7a	3070	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
JMF	12:0071cb144c7a	3071	size_t n;
JMF	12:0071cb144c7a	3072
JMF	12:0071cb144c7a	3073	/*
JMF	12:0071cb144c7a	3074	* Receive G^Y mod P, premaster = (G^Y)^X mod P
JMF	12:0071cb144c7a	3075	*/
JMF	12:0071cb144c7a	3076	if( *p + 2 > end )
JMF	12:0071cb144c7a	3077	{
JMF	12:0071cb144c7a	3078	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3079	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3080	}
JMF	12:0071cb144c7a	3081
JMF	12:0071cb144c7a	3082	n = ( (p)[0] << 8 ) \| (p)[1];
JMF	12:0071cb144c7a	3083	*p += 2;
JMF	12:0071cb144c7a	3084
JMF	12:0071cb144c7a	3085	if( *p + n > end )
JMF	12:0071cb144c7a	3086	{
JMF	12:0071cb144c7a	3087	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3088	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3089	}
JMF	12:0071cb144c7a	3090
JMF	12:0071cb144c7a	3091	if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
JMF	12:0071cb144c7a	3092	{
JMF	12:0071cb144c7a	3093	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
JMF	12:0071cb144c7a	3094	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
JMF	12:0071cb144c7a	3095	}
JMF	12:0071cb144c7a	3096
JMF	12:0071cb144c7a	3097	*p += n;
JMF	12:0071cb144c7a	3098
JMF	12:0071cb144c7a	3099	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
JMF	12:0071cb144c7a	3100
JMF	12:0071cb144c7a	3101	return( ret );
JMF	12:0071cb144c7a	3102	}
JMF	12:0071cb144c7a	3103	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
JMF	12:0071cb144c7a	3104	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
JMF	12:0071cb144c7a	3105
JMF	12:0071cb144c7a	3106	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	3107	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
JMF	12:0071cb144c7a	3108	static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
JMF	12:0071cb144c7a	3109	const unsigned char *p,
JMF	12:0071cb144c7a	3110	const unsigned char *end,
JMF	12:0071cb144c7a	3111	size_t pms_offset )
JMF	12:0071cb144c7a	3112	{
JMF	12:0071cb144c7a	3113	int ret;
JMF	12:0071cb144c7a	3114	size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
JMF	12:0071cb144c7a	3115	unsigned char *pms = ssl->handshake->premaster + pms_offset;
JMF	12:0071cb144c7a	3116	unsigned char ver[2];
JMF	12:0071cb144c7a	3117	unsigned char fake_pms[48], peer_pms[48];
JMF	12:0071cb144c7a	3118	unsigned char mask;
JMF	12:0071cb144c7a	3119	size_t i, peer_pmslen;
JMF	12:0071cb144c7a	3120	unsigned int diff;
JMF	12:0071cb144c7a	3121
JMF	12:0071cb144c7a	3122	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
JMF	12:0071cb144c7a	3123	{
JMF	12:0071cb144c7a	3124	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
JMF	12:0071cb144c7a	3125	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
JMF	12:0071cb144c7a	3126	}
JMF	12:0071cb144c7a	3127
JMF	12:0071cb144c7a	3128	/*
JMF	12:0071cb144c7a	3129	* Decrypt the premaster using own private RSA key
JMF	12:0071cb144c7a	3130	*/
JMF	12:0071cb144c7a	3131	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
JMF	12:0071cb144c7a	3132	defined(MBEDTLS_SSL_PROTO_TLS1_2)
JMF	12:0071cb144c7a	3133	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
JMF	12:0071cb144c7a	3134	{
JMF	12:0071cb144c7a	3135	if( *p++ != ( ( len >> 8 ) & 0xFF ) \|\|
JMF	12:0071cb144c7a	3136	*p++ != ( ( len ) & 0xFF ) )
JMF	12:0071cb144c7a	3137	{
JMF	12:0071cb144c7a	3138	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3139	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3140	}
JMF	12:0071cb144c7a	3141	}
JMF	12:0071cb144c7a	3142	#endif
JMF	12:0071cb144c7a	3143
JMF	12:0071cb144c7a	3144	if( p + len != end )
JMF	12:0071cb144c7a	3145	{
JMF	12:0071cb144c7a	3146	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3147	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3148	}
JMF	12:0071cb144c7a	3149
JMF	12:0071cb144c7a	3150	mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
JMF	12:0071cb144c7a	3151	ssl->handshake->max_minor_ver,
JMF	12:0071cb144c7a	3152	ssl->conf->transport, ver );
JMF	12:0071cb144c7a	3153
JMF	12:0071cb144c7a	3154	/*
JMF	12:0071cb144c7a	3155	* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
JMF	12:0071cb144c7a	3156	* must not cause the connection to end immediately; instead, send a
JMF	12:0071cb144c7a	3157	* bad_record_mac later in the handshake.
JMF	12:0071cb144c7a	3158	* Also, avoid data-dependant branches here to protect against
JMF	12:0071cb144c7a	3159	* timing-based variants.
JMF	12:0071cb144c7a	3160	*/
JMF	12:0071cb144c7a	3161	ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
JMF	12:0071cb144c7a	3162	if( ret != 0 )
JMF	12:0071cb144c7a	3163	return( ret );
JMF	12:0071cb144c7a	3164
JMF	12:0071cb144c7a	3165	ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
JMF	12:0071cb144c7a	3166	peer_pms, &peer_pmslen,
JMF	12:0071cb144c7a	3167	sizeof( peer_pms ),
JMF	12:0071cb144c7a	3168	ssl->conf->f_rng, ssl->conf->p_rng );
JMF	12:0071cb144c7a	3169
JMF	12:0071cb144c7a	3170	diff = (unsigned int) ret;
JMF	12:0071cb144c7a	3171	diff \|= peer_pmslen ^ 48;
JMF	12:0071cb144c7a	3172	diff \|= peer_pms[0] ^ ver[0];
JMF	12:0071cb144c7a	3173	diff \|= peer_pms[1] ^ ver[1];
JMF	12:0071cb144c7a	3174
JMF	12:0071cb144c7a	3175	#if defined(MBEDTLS_SSL_DEBUG_ALL)
JMF	12:0071cb144c7a	3176	if( diff != 0 )
JMF	12:0071cb144c7a	3177	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3178	#endif
JMF	12:0071cb144c7a	3179
JMF	12:0071cb144c7a	3180	if( sizeof( ssl->handshake->premaster ) < pms_offset \|\|
JMF	12:0071cb144c7a	3181	sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
JMF	12:0071cb144c7a	3182	{
JMF	12:0071cb144c7a	3183	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	3184	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	3185	}
JMF	12:0071cb144c7a	3186	ssl->handshake->pmslen = 48;
JMF	12:0071cb144c7a	3187
JMF	12:0071cb144c7a	3188	/* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
JMF	12:0071cb144c7a	3189	/* MSVC has a warning about unary minus on unsigned, but this is
JMF	12:0071cb144c7a	3190	* well-defined and precisely what we want to do here */
JMF	12:0071cb144c7a	3191	#if defined(_MSC_VER)
JMF	12:0071cb144c7a	3192	#pragma warning( push )
JMF	12:0071cb144c7a	3193	#pragma warning( disable : 4146 )
JMF	12:0071cb144c7a	3194	#endif
JMF	12:0071cb144c7a	3195	mask = - ( ( diff \| - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
JMF	12:0071cb144c7a	3196	#if defined(_MSC_VER)
JMF	12:0071cb144c7a	3197	#pragma warning( pop )
JMF	12:0071cb144c7a	3198	#endif
JMF	12:0071cb144c7a	3199
JMF	12:0071cb144c7a	3200	for( i = 0; i < ssl->handshake->pmslen; i++ )
JMF	12:0071cb144c7a	3201	pms[i] = ( mask & fake_pms[i] ) \| ( (~mask) & peer_pms[i] );
JMF	12:0071cb144c7a	3202
JMF	12:0071cb144c7a	3203	return( 0 );
JMF	12:0071cb144c7a	3204	}
JMF	12:0071cb144c7a	3205	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \|\|
JMF	12:0071cb144c7a	3206	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
JMF	12:0071cb144c7a	3207
JMF	12:0071cb144c7a	3208	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
JMF	12:0071cb144c7a	3209	static int ssl_parse_client_psk_identity( mbedtls_ssl_context ssl, unsigned char *p,
JMF	12:0071cb144c7a	3210	const unsigned char *end )
JMF	12:0071cb144c7a	3211	{
JMF	12:0071cb144c7a	3212	int ret = 0;
JMF	12:0071cb144c7a	3213	size_t n;
JMF	12:0071cb144c7a	3214
JMF	12:0071cb144c7a	3215	if( ssl->conf->f_psk == NULL &&
JMF	12:0071cb144c7a	3216	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
JMF	12:0071cb144c7a	3217	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
JMF	12:0071cb144c7a	3218	{
JMF	12:0071cb144c7a	3219	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
JMF	12:0071cb144c7a	3220	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
JMF	12:0071cb144c7a	3221	}
JMF	12:0071cb144c7a	3222
JMF	12:0071cb144c7a	3223	/*
JMF	12:0071cb144c7a	3224	* Receive client pre-shared key identity name
JMF	12:0071cb144c7a	3225	*/
JMF	12:0071cb144c7a	3226	if( *p + 2 > end )
JMF	12:0071cb144c7a	3227	{
JMF	12:0071cb144c7a	3228	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3229	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3230	}
JMF	12:0071cb144c7a	3231
JMF	12:0071cb144c7a	3232	n = ( (p)[0] << 8 ) \| (p)[1];
JMF	12:0071cb144c7a	3233	*p += 2;
JMF	12:0071cb144c7a	3234
JMF	12:0071cb144c7a	3235	if( n < 1 \|\| n > 65535 \|\| *p + n > end )
JMF	12:0071cb144c7a	3236	{
JMF	12:0071cb144c7a	3237	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3238	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3239	}
JMF	12:0071cb144c7a	3240
JMF	12:0071cb144c7a	3241	if( ssl->conf->f_psk != NULL )
JMF	12:0071cb144c7a	3242	{
JMF	12:0071cb144c7a	3243	if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
JMF	12:0071cb144c7a	3244	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
JMF	12:0071cb144c7a	3245	}
JMF	12:0071cb144c7a	3246	else
JMF	12:0071cb144c7a	3247	{
JMF	12:0071cb144c7a	3248	/* Identity is not a big secret since clients send it in the clear,
JMF	12:0071cb144c7a	3249	* but treat it carefully anyway, just in case */
JMF	12:0071cb144c7a	3250	if( n != ssl->conf->psk_identity_len \|\|
JMF	12:0071cb144c7a	3251	mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
JMF	12:0071cb144c7a	3252	{
JMF	12:0071cb144c7a	3253	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
JMF	12:0071cb144c7a	3254	}
JMF	12:0071cb144c7a	3255	}
JMF	12:0071cb144c7a	3256
JMF	12:0071cb144c7a	3257	if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
JMF	12:0071cb144c7a	3258	{
JMF	12:0071cb144c7a	3259	MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
JMF	12:0071cb144c7a	3260	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
JMF	12:0071cb144c7a	3261	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
JMF	12:0071cb144c7a	3262	MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
JMF	12:0071cb144c7a	3263	{
JMF	12:0071cb144c7a	3264	return( ret );
JMF	12:0071cb144c7a	3265	}
JMF	12:0071cb144c7a	3266
JMF	12:0071cb144c7a	3267	return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
JMF	12:0071cb144c7a	3268	}
JMF	12:0071cb144c7a	3269
JMF	12:0071cb144c7a	3270	*p += n;
JMF	12:0071cb144c7a	3271
JMF	12:0071cb144c7a	3272	return( 0 );
JMF	12:0071cb144c7a	3273	}
JMF	12:0071cb144c7a	3274	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
JMF	12:0071cb144c7a	3275
JMF	12:0071cb144c7a	3276	static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	3277	{
JMF	12:0071cb144c7a	3278	int ret;
JMF	12:0071cb144c7a	3279	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
JMF	12:0071cb144c7a	3280	unsigned char p, end;
JMF	12:0071cb144c7a	3281
JMF	12:0071cb144c7a	3282	ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
JMF	12:0071cb144c7a	3283
JMF	12:0071cb144c7a	3284	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
JMF	12:0071cb144c7a	3285
JMF	12:0071cb144c7a	3286	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3287	{
JMF	12:0071cb144c7a	3288	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
JMF	12:0071cb144c7a	3289	return( ret );
JMF	12:0071cb144c7a	3290	}
JMF	12:0071cb144c7a	3291
JMF	12:0071cb144c7a	3292	p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
JMF	12:0071cb144c7a	3293	end = ssl->in_msg + ssl->in_hslen;
JMF	12:0071cb144c7a	3294
JMF	12:0071cb144c7a	3295	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
JMF	12:0071cb144c7a	3296	{
JMF	12:0071cb144c7a	3297	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3298	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3299	}
JMF	12:0071cb144c7a	3300
JMF	12:0071cb144c7a	3301	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
JMF	12:0071cb144c7a	3302	{
JMF	12:0071cb144c7a	3303	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
JMF	12:0071cb144c7a	3304	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3305	}
JMF	12:0071cb144c7a	3306
JMF	12:0071cb144c7a	3307	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
JMF	12:0071cb144c7a	3308	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
JMF	12:0071cb144c7a	3309	{
JMF	12:0071cb144c7a	3310	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
JMF	12:0071cb144c7a	3311	{
JMF	12:0071cb144c7a	3312	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
JMF	12:0071cb144c7a	3313	return( ret );
JMF	12:0071cb144c7a	3314	}
JMF	12:0071cb144c7a	3315
JMF	12:0071cb144c7a	3316	if( p != end )
JMF	12:0071cb144c7a	3317	{
JMF	12:0071cb144c7a	3318	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
JMF	12:0071cb144c7a	3319	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3320	}
JMF	12:0071cb144c7a	3321
JMF	12:0071cb144c7a	3322	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
JMF	12:0071cb144c7a	3323	ssl->handshake->premaster,
JMF	12:0071cb144c7a	3324	MBEDTLS_PREMASTER_SIZE,
JMF	12:0071cb144c7a	3325	&ssl->handshake->pmslen,
JMF	12:0071cb144c7a	3326	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
JMF	12:0071cb144c7a	3327	{
JMF	12:0071cb144c7a	3328	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
JMF	12:0071cb144c7a	3329	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
JMF	12:0071cb144c7a	3330	}
JMF	12:0071cb144c7a	3331
JMF	12:0071cb144c7a	3332	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
JMF	12:0071cb144c7a	3333	}
JMF	12:0071cb144c7a	3334	else
JMF	12:0071cb144c7a	3335	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
JMF	12:0071cb144c7a	3336	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	3337	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	3338	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
JMF	12:0071cb144c7a	3339	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
JMF	12:0071cb144c7a	3340	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
JMF	12:0071cb144c7a	3341	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
JMF	12:0071cb144c7a	3342	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
JMF	12:0071cb144c7a	3343	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
JMF	12:0071cb144c7a	3344	{
JMF	12:0071cb144c7a	3345	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
JMF	12:0071cb144c7a	3346	p, end - p) ) != 0 )
JMF	12:0071cb144c7a	3347	{
JMF	12:0071cb144c7a	3348	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
JMF	12:0071cb144c7a	3349	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
JMF	12:0071cb144c7a	3350	}
JMF	12:0071cb144c7a	3351
JMF	12:0071cb144c7a	3352	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
JMF	12:0071cb144c7a	3353
JMF	12:0071cb144c7a	3354	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
JMF	12:0071cb144c7a	3355	&ssl->handshake->pmslen,
JMF	12:0071cb144c7a	3356	ssl->handshake->premaster,
JMF	12:0071cb144c7a	3357	MBEDTLS_MPI_MAX_SIZE,
JMF	12:0071cb144c7a	3358	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
JMF	12:0071cb144c7a	3359	{
JMF	12:0071cb144c7a	3360	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
JMF	12:0071cb144c7a	3361	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
JMF	12:0071cb144c7a	3362	}
JMF	12:0071cb144c7a	3363
JMF	12:0071cb144c7a	3364	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
JMF	12:0071cb144c7a	3365	}
JMF	12:0071cb144c7a	3366	else
JMF	12:0071cb144c7a	3367	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
JMF	12:0071cb144c7a	3368	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
JMF	12:0071cb144c7a	3369	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
JMF	12:0071cb144c7a	3370	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
JMF	12:0071cb144c7a	3371	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
JMF	12:0071cb144c7a	3372	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
JMF	12:0071cb144c7a	3373	{
JMF	12:0071cb144c7a	3374	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
JMF	12:0071cb144c7a	3375	{
JMF	12:0071cb144c7a	3376	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
JMF	12:0071cb144c7a	3377	return( ret );
JMF	12:0071cb144c7a	3378	}
JMF	12:0071cb144c7a	3379
JMF	12:0071cb144c7a	3380	if( p != end )
JMF	12:0071cb144c7a	3381	{
JMF	12:0071cb144c7a	3382	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
JMF	12:0071cb144c7a	3383	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3384	}
JMF	12:0071cb144c7a	3385
JMF	12:0071cb144c7a	3386	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
JMF	12:0071cb144c7a	3387	ciphersuite_info->key_exchange ) ) != 0 )
JMF	12:0071cb144c7a	3388	{
JMF	12:0071cb144c7a	3389	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
JMF	12:0071cb144c7a	3390	return( ret );
JMF	12:0071cb144c7a	3391	}
JMF	12:0071cb144c7a	3392	}
JMF	12:0071cb144c7a	3393	else
JMF	12:0071cb144c7a	3394	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
JMF	12:0071cb144c7a	3395	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
JMF	12:0071cb144c7a	3396	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
JMF	12:0071cb144c7a	3397	{
JMF	12:0071cb144c7a	3398	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
JMF	12:0071cb144c7a	3399	{
JMF	12:0071cb144c7a	3400	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
JMF	12:0071cb144c7a	3401	return( ret );
JMF	12:0071cb144c7a	3402	}
JMF	12:0071cb144c7a	3403
JMF	12:0071cb144c7a	3404	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
JMF	12:0071cb144c7a	3405	{
JMF	12:0071cb144c7a	3406	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
JMF	12:0071cb144c7a	3407	return( ret );
JMF	12:0071cb144c7a	3408	}
JMF	12:0071cb144c7a	3409
JMF	12:0071cb144c7a	3410	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
JMF	12:0071cb144c7a	3411	ciphersuite_info->key_exchange ) ) != 0 )
JMF	12:0071cb144c7a	3412	{
JMF	12:0071cb144c7a	3413	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
JMF	12:0071cb144c7a	3414	return( ret );
JMF	12:0071cb144c7a	3415	}
JMF	12:0071cb144c7a	3416	}
JMF	12:0071cb144c7a	3417	else
JMF	12:0071cb144c7a	3418	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
JMF	12:0071cb144c7a	3419	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
JMF	12:0071cb144c7a	3420	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
JMF	12:0071cb144c7a	3421	{
JMF	12:0071cb144c7a	3422	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
JMF	12:0071cb144c7a	3423	{
JMF	12:0071cb144c7a	3424	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
JMF	12:0071cb144c7a	3425	return( ret );
JMF	12:0071cb144c7a	3426	}
JMF	12:0071cb144c7a	3427	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
JMF	12:0071cb144c7a	3428	{
JMF	12:0071cb144c7a	3429	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
JMF	12:0071cb144c7a	3430	return( ret );
JMF	12:0071cb144c7a	3431	}
JMF	12:0071cb144c7a	3432
JMF	12:0071cb144c7a	3433	if( p != end )
JMF	12:0071cb144c7a	3434	{
JMF	12:0071cb144c7a	3435	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
JMF	12:0071cb144c7a	3436	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3437	}
JMF	12:0071cb144c7a	3438
JMF	12:0071cb144c7a	3439	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
JMF	12:0071cb144c7a	3440	ciphersuite_info->key_exchange ) ) != 0 )
JMF	12:0071cb144c7a	3441	{
JMF	12:0071cb144c7a	3442	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
JMF	12:0071cb144c7a	3443	return( ret );
JMF	12:0071cb144c7a	3444	}
JMF	12:0071cb144c7a	3445	}
JMF	12:0071cb144c7a	3446	else
JMF	12:0071cb144c7a	3447	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
JMF	12:0071cb144c7a	3448	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
JMF	12:0071cb144c7a	3449	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
JMF	12:0071cb144c7a	3450	{
JMF	12:0071cb144c7a	3451	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
JMF	12:0071cb144c7a	3452	{
JMF	12:0071cb144c7a	3453	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
JMF	12:0071cb144c7a	3454	return( ret );
JMF	12:0071cb144c7a	3455	}
JMF	12:0071cb144c7a	3456
JMF	12:0071cb144c7a	3457	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
JMF	12:0071cb144c7a	3458	p, end - p ) ) != 0 )
JMF	12:0071cb144c7a	3459	{
JMF	12:0071cb144c7a	3460	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
JMF	12:0071cb144c7a	3461	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
JMF	12:0071cb144c7a	3462	}
JMF	12:0071cb144c7a	3463
JMF	12:0071cb144c7a	3464	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
JMF	12:0071cb144c7a	3465
JMF	12:0071cb144c7a	3466	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
JMF	12:0071cb144c7a	3467	ciphersuite_info->key_exchange ) ) != 0 )
JMF	12:0071cb144c7a	3468	{
JMF	12:0071cb144c7a	3469	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
JMF	12:0071cb144c7a	3470	return( ret );
JMF	12:0071cb144c7a	3471	}
JMF	12:0071cb144c7a	3472	}
JMF	12:0071cb144c7a	3473	else
JMF	12:0071cb144c7a	3474	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
JMF	12:0071cb144c7a	3475	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
JMF	12:0071cb144c7a	3476	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
JMF	12:0071cb144c7a	3477	{
JMF	12:0071cb144c7a	3478	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
JMF	12:0071cb144c7a	3479	{
JMF	12:0071cb144c7a	3480	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
JMF	12:0071cb144c7a	3481	return( ret );
JMF	12:0071cb144c7a	3482	}
JMF	12:0071cb144c7a	3483	}
JMF	12:0071cb144c7a	3484	else
JMF	12:0071cb144c7a	3485	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
JMF	12:0071cb144c7a	3486	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
JMF	12:0071cb144c7a	3487	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
JMF	12:0071cb144c7a	3488	{
JMF	12:0071cb144c7a	3489	ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
JMF	12:0071cb144c7a	3490	p, end - p );
JMF	12:0071cb144c7a	3491	if( ret != 0 )
JMF	12:0071cb144c7a	3492	{
JMF	12:0071cb144c7a	3493	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
JMF	12:0071cb144c7a	3494	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
JMF	12:0071cb144c7a	3495	}
JMF	12:0071cb144c7a	3496
JMF	12:0071cb144c7a	3497	ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
JMF	12:0071cb144c7a	3498	ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
JMF	12:0071cb144c7a	3499	ssl->conf->f_rng, ssl->conf->p_rng );
JMF	12:0071cb144c7a	3500	if( ret != 0 )
JMF	12:0071cb144c7a	3501	{
JMF	12:0071cb144c7a	3502	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
JMF	12:0071cb144c7a	3503	return( ret );
JMF	12:0071cb144c7a	3504	}
JMF	12:0071cb144c7a	3505	}
JMF	12:0071cb144c7a	3506	else
JMF	12:0071cb144c7a	3507	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
JMF	12:0071cb144c7a	3508	{
JMF	12:0071cb144c7a	3509	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	3510	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	3511	}
JMF	12:0071cb144c7a	3512
JMF	12:0071cb144c7a	3513	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3514	{
JMF	12:0071cb144c7a	3515	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
JMF	12:0071cb144c7a	3516	return( ret );
JMF	12:0071cb144c7a	3517	}
JMF	12:0071cb144c7a	3518
JMF	12:0071cb144c7a	3519	ssl->state++;
JMF	12:0071cb144c7a	3520
JMF	12:0071cb144c7a	3521	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
JMF	12:0071cb144c7a	3522
JMF	12:0071cb144c7a	3523	return( 0 );
JMF	12:0071cb144c7a	3524	}
JMF	12:0071cb144c7a	3525
JMF	12:0071cb144c7a	3526	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
JMF	12:0071cb144c7a	3527	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
JMF	12:0071cb144c7a	3528	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
JMF	12:0071cb144c7a	3529	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
JMF	12:0071cb144c7a	3530	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	3531	{
JMF	12:0071cb144c7a	3532	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
JMF	12:0071cb144c7a	3533
JMF	12:0071cb144c7a	3534	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
JMF	12:0071cb144c7a	3535
JMF	12:0071cb144c7a	3536	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
JMF	12:0071cb144c7a	3537	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
JMF	12:0071cb144c7a	3538	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
JMF	12:0071cb144c7a	3539	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
JMF	12:0071cb144c7a	3540	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
JMF	12:0071cb144c7a	3541	{
JMF	12:0071cb144c7a	3542	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
JMF	12:0071cb144c7a	3543	ssl->state++;
JMF	12:0071cb144c7a	3544	return( 0 );
JMF	12:0071cb144c7a	3545	}
JMF	12:0071cb144c7a	3546
JMF	12:0071cb144c7a	3547	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	3548	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	3549	}
JMF	12:0071cb144c7a	3550	#else
JMF	12:0071cb144c7a	3551	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	3552	{
JMF	12:0071cb144c7a	3553	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
JMF	12:0071cb144c7a	3554	size_t i, sig_len;
JMF	12:0071cb144c7a	3555	unsigned char hash[48];
JMF	12:0071cb144c7a	3556	unsigned char *hash_start = hash;
JMF	12:0071cb144c7a	3557	size_t hashlen;
JMF	12:0071cb144c7a	3558	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
JMF	12:0071cb144c7a	3559	mbedtls_pk_type_t pk_alg;
JMF	12:0071cb144c7a	3560	#endif
JMF	12:0071cb144c7a	3561	mbedtls_md_type_t md_alg;
JMF	12:0071cb144c7a	3562	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
JMF	12:0071cb144c7a	3563
JMF	12:0071cb144c7a	3564	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
JMF	12:0071cb144c7a	3565
JMF	12:0071cb144c7a	3566	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
JMF	12:0071cb144c7a	3567	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
JMF	12:0071cb144c7a	3568	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
JMF	12:0071cb144c7a	3569	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
JMF	12:0071cb144c7a	3570	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
JMF	12:0071cb144c7a	3571	ssl->session_negotiate->peer_cert == NULL )
JMF	12:0071cb144c7a	3572	{
JMF	12:0071cb144c7a	3573	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
JMF	12:0071cb144c7a	3574	ssl->state++;
JMF	12:0071cb144c7a	3575	return( 0 );
JMF	12:0071cb144c7a	3576	}
JMF	12:0071cb144c7a	3577
JMF	12:0071cb144c7a	3578	/* Needs to be done before read_record() to exclude current message */
JMF	12:0071cb144c7a	3579	ssl->handshake->calc_verify( ssl, hash );
JMF	12:0071cb144c7a	3580
JMF	12:0071cb144c7a	3581	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3582	{
JMF	12:0071cb144c7a	3583	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
JMF	12:0071cb144c7a	3584	return( ret );
JMF	12:0071cb144c7a	3585	}
JMF	12:0071cb144c7a	3586
JMF	12:0071cb144c7a	3587	ssl->state++;
JMF	12:0071cb144c7a	3588
JMF	12:0071cb144c7a	3589	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
JMF	12:0071cb144c7a	3590	ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
JMF	12:0071cb144c7a	3591	{
JMF	12:0071cb144c7a	3592	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
JMF	12:0071cb144c7a	3593	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
JMF	12:0071cb144c7a	3594	}
JMF	12:0071cb144c7a	3595
JMF	12:0071cb144c7a	3596	i = mbedtls_ssl_hs_hdr_len( ssl );
JMF	12:0071cb144c7a	3597
JMF	12:0071cb144c7a	3598	/*
JMF	12:0071cb144c7a	3599	* struct {
JMF	12:0071cb144c7a	3600	* SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
JMF	12:0071cb144c7a	3601	* opaque signature<0..2^16-1>;
JMF	12:0071cb144c7a	3602	* } DigitallySigned;
JMF	12:0071cb144c7a	3603	*/
JMF	12:0071cb144c7a	3604	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
JMF	12:0071cb144c7a	3605	defined(MBEDTLS_SSL_PROTO_TLS1_1)
JMF	12:0071cb144c7a	3606	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
JMF	12:0071cb144c7a	3607	{
JMF	12:0071cb144c7a	3608	md_alg = MBEDTLS_MD_NONE;
JMF	12:0071cb144c7a	3609	hashlen = 36;
JMF	12:0071cb144c7a	3610
JMF	12:0071cb144c7a	3611	/* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
JMF	12:0071cb144c7a	3612	if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
JMF	12:0071cb144c7a	3613	MBEDTLS_PK_ECDSA ) )
JMF	12:0071cb144c7a	3614	{
JMF	12:0071cb144c7a	3615	hash_start += 16;
JMF	12:0071cb144c7a	3616	hashlen -= 16;
JMF	12:0071cb144c7a	3617	md_alg = MBEDTLS_MD_SHA1;
JMF	12:0071cb144c7a	3618	}
JMF	12:0071cb144c7a	3619	}
JMF	12:0071cb144c7a	3620	else
JMF	12:0071cb144c7a	3621	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\|
JMF	12:0071cb144c7a	3622	MBEDTLS_SSL_PROTO_TLS1_1 */
JMF	12:0071cb144c7a	3623	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
JMF	12:0071cb144c7a	3624	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
JMF	12:0071cb144c7a	3625	{
JMF	12:0071cb144c7a	3626	if( i + 2 > ssl->in_hslen )
JMF	12:0071cb144c7a	3627	{
JMF	12:0071cb144c7a	3628	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
JMF	12:0071cb144c7a	3629	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
JMF	12:0071cb144c7a	3630	}
JMF	12:0071cb144c7a	3631
JMF	12:0071cb144c7a	3632	/*
JMF	12:0071cb144c7a	3633	* Hash
JMF	12:0071cb144c7a	3634	*/
JMF	12:0071cb144c7a	3635	if( ssl->in_msg[i] != ssl->handshake->verify_sig_alg )
JMF	12:0071cb144c7a	3636	{
JMF	12:0071cb144c7a	3637	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
JMF	12:0071cb144c7a	3638	" for verify message" ) );
JMF	12:0071cb144c7a	3639	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
JMF	12:0071cb144c7a	3640	}
JMF	12:0071cb144c7a	3641
JMF	12:0071cb144c7a	3642	md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
JMF	12:0071cb144c7a	3643
JMF	12:0071cb144c7a	3644	/* Info from md_alg will be used instead */
JMF	12:0071cb144c7a	3645	hashlen = 0;
JMF	12:0071cb144c7a	3646
JMF	12:0071cb144c7a	3647	i++;
JMF	12:0071cb144c7a	3648
JMF	12:0071cb144c7a	3649	/*
JMF	12:0071cb144c7a	3650	* Signature
JMF	12:0071cb144c7a	3651	*/
JMF	12:0071cb144c7a	3652	if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
JMF	12:0071cb144c7a	3653	== MBEDTLS_PK_NONE )
JMF	12:0071cb144c7a	3654	{
JMF	12:0071cb144c7a	3655	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
JMF	12:0071cb144c7a	3656	" for verify message" ) );
JMF	12:0071cb144c7a	3657	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
JMF	12:0071cb144c7a	3658	}
JMF	12:0071cb144c7a	3659
JMF	12:0071cb144c7a	3660	/*
JMF	12:0071cb144c7a	3661	* Check the certificate's key type matches the signature alg
JMF	12:0071cb144c7a	3662	*/
JMF	12:0071cb144c7a	3663	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
JMF	12:0071cb144c7a	3664	{
JMF	12:0071cb144c7a	3665	MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
JMF	12:0071cb144c7a	3666	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
JMF	12:0071cb144c7a	3667	}
JMF	12:0071cb144c7a	3668
JMF	12:0071cb144c7a	3669	i++;
JMF	12:0071cb144c7a	3670	}
JMF	12:0071cb144c7a	3671	else
JMF	12:0071cb144c7a	3672	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
JMF	12:0071cb144c7a	3673	{
JMF	12:0071cb144c7a	3674	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
JMF	12:0071cb144c7a	3675	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
JMF	12:0071cb144c7a	3676	}
JMF	12:0071cb144c7a	3677
JMF	12:0071cb144c7a	3678	if( i + 2 > ssl->in_hslen )
JMF	12:0071cb144c7a	3679	{
JMF	12:0071cb144c7a	3680	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
JMF	12:0071cb144c7a	3681	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
JMF	12:0071cb144c7a	3682	}
JMF	12:0071cb144c7a	3683
JMF	12:0071cb144c7a	3684	sig_len = ( ssl->in_msg[i] << 8 ) \| ssl->in_msg[i+1];
JMF	12:0071cb144c7a	3685	i += 2;
JMF	12:0071cb144c7a	3686
JMF	12:0071cb144c7a	3687	if( i + sig_len != ssl->in_hslen )
JMF	12:0071cb144c7a	3688	{
JMF	12:0071cb144c7a	3689	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
JMF	12:0071cb144c7a	3690	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
JMF	12:0071cb144c7a	3691	}
JMF	12:0071cb144c7a	3692
JMF	12:0071cb144c7a	3693	if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
JMF	12:0071cb144c7a	3694	md_alg, hash_start, hashlen,
JMF	12:0071cb144c7a	3695	ssl->in_msg + i, sig_len ) ) != 0 )
JMF	12:0071cb144c7a	3696	{
JMF	12:0071cb144c7a	3697	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
JMF	12:0071cb144c7a	3698	return( ret );
JMF	12:0071cb144c7a	3699	}
JMF	12:0071cb144c7a	3700
JMF	12:0071cb144c7a	3701	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
JMF	12:0071cb144c7a	3702
JMF	12:0071cb144c7a	3703	return( ret );
JMF	12:0071cb144c7a	3704	}
JMF	12:0071cb144c7a	3705	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
JMF	12:0071cb144c7a	3706	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
JMF	12:0071cb144c7a	3707	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
JMF	12:0071cb144c7a	3708
JMF	12:0071cb144c7a	3709	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	3710	static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	3711	{
JMF	12:0071cb144c7a	3712	int ret;
JMF	12:0071cb144c7a	3713	size_t tlen;
JMF	12:0071cb144c7a	3714	uint32_t lifetime;
JMF	12:0071cb144c7a	3715
JMF	12:0071cb144c7a	3716	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
JMF	12:0071cb144c7a	3717
JMF	12:0071cb144c7a	3718	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
JMF	12:0071cb144c7a	3719	ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
JMF	12:0071cb144c7a	3720
JMF	12:0071cb144c7a	3721	/*
JMF	12:0071cb144c7a	3722	* struct {
JMF	12:0071cb144c7a	3723	* uint32 ticket_lifetime_hint;
JMF	12:0071cb144c7a	3724	* opaque ticket<0..2^16-1>;
JMF	12:0071cb144c7a	3725	* } NewSessionTicket;
JMF	12:0071cb144c7a	3726	*
JMF	12:0071cb144c7a	3727	* 4 . 7 ticket_lifetime_hint (0 = unspecified)
JMF	12:0071cb144c7a	3728	* 8 . 9 ticket_len (n)
JMF	12:0071cb144c7a	3729	* 10 . 9+n ticket content
JMF	12:0071cb144c7a	3730	*/
JMF	12:0071cb144c7a	3731
JMF	12:0071cb144c7a	3732	if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
JMF	12:0071cb144c7a	3733	ssl->session_negotiate,
JMF	12:0071cb144c7a	3734	ssl->out_msg + 10,
JMF	12:0071cb144c7a	3735	ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
JMF	12:0071cb144c7a	3736	&tlen, &lifetime ) ) != 0 )
JMF	12:0071cb144c7a	3737	{
JMF	12:0071cb144c7a	3738	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
JMF	12:0071cb144c7a	3739	tlen = 0;
JMF	12:0071cb144c7a	3740	}
JMF	12:0071cb144c7a	3741
JMF	12:0071cb144c7a	3742	ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
JMF	12:0071cb144c7a	3743	ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
JMF	12:0071cb144c7a	3744	ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
JMF	12:0071cb144c7a	3745	ssl->out_msg[7] = ( lifetime ) & 0xFF;
JMF	12:0071cb144c7a	3746
JMF	12:0071cb144c7a	3747	ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
JMF	12:0071cb144c7a	3748	ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
JMF	12:0071cb144c7a	3749
JMF	12:0071cb144c7a	3750	ssl->out_msglen = 10 + tlen;
JMF	12:0071cb144c7a	3751
JMF	12:0071cb144c7a	3752	/*
JMF	12:0071cb144c7a	3753	* Morally equivalent to updating ssl->state, but NewSessionTicket and
JMF	12:0071cb144c7a	3754	* ChangeCipherSpec share the same state.
JMF	12:0071cb144c7a	3755	*/
JMF	12:0071cb144c7a	3756	ssl->handshake->new_session_ticket = 0;
JMF	12:0071cb144c7a	3757
JMF	12:0071cb144c7a	3758	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3759	{
JMF	12:0071cb144c7a	3760	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
JMF	12:0071cb144c7a	3761	return( ret );
JMF	12:0071cb144c7a	3762	}
JMF	12:0071cb144c7a	3763
JMF	12:0071cb144c7a	3764	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
JMF	12:0071cb144c7a	3765
JMF	12:0071cb144c7a	3766	return( 0 );
JMF	12:0071cb144c7a	3767	}
JMF	12:0071cb144c7a	3768	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
JMF	12:0071cb144c7a	3769
JMF	12:0071cb144c7a	3770	/*
JMF	12:0071cb144c7a	3771	* SSL handshake -- server side -- single step
JMF	12:0071cb144c7a	3772	*/
JMF	12:0071cb144c7a	3773	int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
JMF	12:0071cb144c7a	3774	{
JMF	12:0071cb144c7a	3775	int ret = 0;
JMF	12:0071cb144c7a	3776
JMF	12:0071cb144c7a	3777	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER \|\| ssl->handshake == NULL )
JMF	12:0071cb144c7a	3778	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
JMF	12:0071cb144c7a	3779
JMF	12:0071cb144c7a	3780	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
JMF	12:0071cb144c7a	3781
JMF	12:0071cb144c7a	3782	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3783	return( ret );
JMF	12:0071cb144c7a	3784
JMF	12:0071cb144c7a	3785	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	3786	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
JMF	12:0071cb144c7a	3787	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
JMF	12:0071cb144c7a	3788	{
JMF	12:0071cb144c7a	3789	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
JMF	12:0071cb144c7a	3790	return( ret );
JMF	12:0071cb144c7a	3791	}
JMF	12:0071cb144c7a	3792	#endif
JMF	12:0071cb144c7a	3793
JMF	12:0071cb144c7a	3794	switch( ssl->state )
JMF	12:0071cb144c7a	3795	{
JMF	12:0071cb144c7a	3796	case MBEDTLS_SSL_HELLO_REQUEST:
JMF	12:0071cb144c7a	3797	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
JMF	12:0071cb144c7a	3798	break;
JMF	12:0071cb144c7a	3799
JMF	12:0071cb144c7a	3800	/*
JMF	12:0071cb144c7a	3801	* <== ClientHello
JMF	12:0071cb144c7a	3802	*/
JMF	12:0071cb144c7a	3803	case MBEDTLS_SSL_CLIENT_HELLO:
JMF	12:0071cb144c7a	3804	ret = ssl_parse_client_hello( ssl );
JMF	12:0071cb144c7a	3805	break;
JMF	12:0071cb144c7a	3806
JMF	12:0071cb144c7a	3807	#if defined(MBEDTLS_SSL_PROTO_DTLS)
JMF	12:0071cb144c7a	3808	case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
JMF	12:0071cb144c7a	3809	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
JMF	12:0071cb144c7a	3810	#endif
JMF	12:0071cb144c7a	3811
JMF	12:0071cb144c7a	3812	/*
JMF	12:0071cb144c7a	3813	* ==> ServerHello
JMF	12:0071cb144c7a	3814	* Certificate
JMF	12:0071cb144c7a	3815	* ( ServerKeyExchange )
JMF	12:0071cb144c7a	3816	* ( CertificateRequest )
JMF	12:0071cb144c7a	3817	* ServerHelloDone
JMF	12:0071cb144c7a	3818	*/
JMF	12:0071cb144c7a	3819	case MBEDTLS_SSL_SERVER_HELLO:
JMF	12:0071cb144c7a	3820	ret = ssl_write_server_hello( ssl );
JMF	12:0071cb144c7a	3821	break;
JMF	12:0071cb144c7a	3822
JMF	12:0071cb144c7a	3823	case MBEDTLS_SSL_SERVER_CERTIFICATE:
JMF	12:0071cb144c7a	3824	ret = mbedtls_ssl_write_certificate( ssl );
JMF	12:0071cb144c7a	3825	break;
JMF	12:0071cb144c7a	3826
JMF	12:0071cb144c7a	3827	case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
JMF	12:0071cb144c7a	3828	ret = ssl_write_server_key_exchange( ssl );
JMF	12:0071cb144c7a	3829	break;
JMF	12:0071cb144c7a	3830
JMF	12:0071cb144c7a	3831	case MBEDTLS_SSL_CERTIFICATE_REQUEST:
JMF	12:0071cb144c7a	3832	ret = ssl_write_certificate_request( ssl );
JMF	12:0071cb144c7a	3833	break;
JMF	12:0071cb144c7a	3834
JMF	12:0071cb144c7a	3835	case MBEDTLS_SSL_SERVER_HELLO_DONE:
JMF	12:0071cb144c7a	3836	ret = ssl_write_server_hello_done( ssl );
JMF	12:0071cb144c7a	3837	break;
JMF	12:0071cb144c7a	3838
JMF	12:0071cb144c7a	3839	/*
JMF	12:0071cb144c7a	3840	* <== ( Certificate/Alert )
JMF	12:0071cb144c7a	3841	* ClientKeyExchange
JMF	12:0071cb144c7a	3842	* ( CertificateVerify )
JMF	12:0071cb144c7a	3843	* ChangeCipherSpec
JMF	12:0071cb144c7a	3844	* Finished
JMF	12:0071cb144c7a	3845	*/
JMF	12:0071cb144c7a	3846	case MBEDTLS_SSL_CLIENT_CERTIFICATE:
JMF	12:0071cb144c7a	3847	ret = mbedtls_ssl_parse_certificate( ssl );
JMF	12:0071cb144c7a	3848	break;
JMF	12:0071cb144c7a	3849
JMF	12:0071cb144c7a	3850	case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
JMF	12:0071cb144c7a	3851	ret = ssl_parse_client_key_exchange( ssl );
JMF	12:0071cb144c7a	3852	break;
JMF	12:0071cb144c7a	3853
JMF	12:0071cb144c7a	3854	case MBEDTLS_SSL_CERTIFICATE_VERIFY:
JMF	12:0071cb144c7a	3855	ret = ssl_parse_certificate_verify( ssl );
JMF	12:0071cb144c7a	3856	break;
JMF	12:0071cb144c7a	3857
JMF	12:0071cb144c7a	3858	case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
JMF	12:0071cb144c7a	3859	ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
JMF	12:0071cb144c7a	3860	break;
JMF	12:0071cb144c7a	3861
JMF	12:0071cb144c7a	3862	case MBEDTLS_SSL_CLIENT_FINISHED:
JMF	12:0071cb144c7a	3863	ret = mbedtls_ssl_parse_finished( ssl );
JMF	12:0071cb144c7a	3864	break;
JMF	12:0071cb144c7a	3865
JMF	12:0071cb144c7a	3866	/*
JMF	12:0071cb144c7a	3867	* ==> ( NewSessionTicket )
JMF	12:0071cb144c7a	3868	* ChangeCipherSpec
JMF	12:0071cb144c7a	3869	* Finished
JMF	12:0071cb144c7a	3870	*/
JMF	12:0071cb144c7a	3871	case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
JMF	12:0071cb144c7a	3872	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
JMF	12:0071cb144c7a	3873	if( ssl->handshake->new_session_ticket != 0 )
JMF	12:0071cb144c7a	3874	ret = ssl_write_new_session_ticket( ssl );
JMF	12:0071cb144c7a	3875	else
JMF	12:0071cb144c7a	3876	#endif
JMF	12:0071cb144c7a	3877	ret = mbedtls_ssl_write_change_cipher_spec( ssl );
JMF	12:0071cb144c7a	3878	break;
JMF	12:0071cb144c7a	3879
JMF	12:0071cb144c7a	3880	case MBEDTLS_SSL_SERVER_FINISHED:
JMF	12:0071cb144c7a	3881	ret = mbedtls_ssl_write_finished( ssl );
JMF	12:0071cb144c7a	3882	break;
JMF	12:0071cb144c7a	3883
JMF	12:0071cb144c7a	3884	case MBEDTLS_SSL_FLUSH_BUFFERS:
JMF	12:0071cb144c7a	3885	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
JMF	12:0071cb144c7a	3886	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
JMF	12:0071cb144c7a	3887	break;
JMF	12:0071cb144c7a	3888
JMF	12:0071cb144c7a	3889	case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
JMF	12:0071cb144c7a	3890	mbedtls_ssl_handshake_wrapup( ssl );
JMF	12:0071cb144c7a	3891	break;
JMF	12:0071cb144c7a	3892
JMF	12:0071cb144c7a	3893	default:
JMF	12:0071cb144c7a	3894	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
JMF	12:0071cb144c7a	3895	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
JMF	12:0071cb144c7a	3896	}
JMF	12:0071cb144c7a	3897
JMF	12:0071cb144c7a	3898	return( ret );
JMF	12:0071cb144c7a	3899	}
JMF	12:0071cb144c7a	3900	#endif /* MBEDTLS_SSL_SRV_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	21 Sep 2016
Imports:	89
Forks:	1
Commits:	30
Dependents:	17
Dependencies:	1
Followers:	17

Developers

Avnet

Fred Kellerman

mbedtls/source/ssl_srv.c@29:b278b745fb4f, 2017-03-24 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Developers

Important Information for this Arm website

Access Warning