mbedtls - mbedtls ported to mbed-classic

sandbox » Code » mbedtls

mbedtls ported to mbed-classic

Fork of mbedtls by Christopher Haster

source/ssl_cli.c@4:bef26f687287, 2016-04-07 (annotated)

Committer:: Brian Daniels
Date:: Thu Apr 07 11:11:18 2016 +0100
Revision:: 4:bef26f687287
Parent:: 1:24750b9ad5ef

Adding ported selftest test case

Who changed what in which revision?

User	Revision	Line number	New contents of line
Christopher Haster	1:24750b9ad5ef	1	/*
Christopher Haster	1:24750b9ad5ef	2	* SSLv3/TLSv1 client-side functions
Christopher Haster	1:24750b9ad5ef	3	*
Christopher Haster	1:24750b9ad5ef	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Christopher Haster	1:24750b9ad5ef	5	* SPDX-License-Identifier: Apache-2.0
Christopher Haster	1:24750b9ad5ef	6	*
Christopher Haster	1:24750b9ad5ef	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
Christopher Haster	1:24750b9ad5ef	8	* not use this file except in compliance with the License.
Christopher Haster	1:24750b9ad5ef	9	* You may obtain a copy of the License at
Christopher Haster	1:24750b9ad5ef	10	*
Christopher Haster	1:24750b9ad5ef	11	* http://www.apache.org/licenses/LICENSE-2.0
Christopher Haster	1:24750b9ad5ef	12	*
Christopher Haster	1:24750b9ad5ef	13	* Unless required by applicable law or agreed to in writing, software
Christopher Haster	1:24750b9ad5ef	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
Christopher Haster	1:24750b9ad5ef	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Christopher Haster	1:24750b9ad5ef	16	* See the License for the specific language governing permissions and
Christopher Haster	1:24750b9ad5ef	17	* limitations under the License.
Christopher Haster	1:24750b9ad5ef	18	*
Christopher Haster	1:24750b9ad5ef	19	* This file is part of mbed TLS (https://tls.mbed.org)
Christopher Haster	1:24750b9ad5ef	20	*/
Christopher Haster	1:24750b9ad5ef	21
Christopher Haster	1:24750b9ad5ef	22	#if !defined(MBEDTLS_CONFIG_FILE)
Christopher Haster	1:24750b9ad5ef	23	#include "mbedtls/config.h"
Christopher Haster	1:24750b9ad5ef	24	#else
Christopher Haster	1:24750b9ad5ef	25	#include MBEDTLS_CONFIG_FILE
Christopher Haster	1:24750b9ad5ef	26	#endif
Christopher Haster	1:24750b9ad5ef	27
Christopher Haster	1:24750b9ad5ef	28	#if defined(MBEDTLS_SSL_CLI_C)
Christopher Haster	1:24750b9ad5ef	29
Christopher Haster	1:24750b9ad5ef	30	#include "mbedtls/debug.h"
Christopher Haster	1:24750b9ad5ef	31	#include "mbedtls/ssl.h"
Christopher Haster	1:24750b9ad5ef	32	#include "mbedtls/ssl_internal.h"
Christopher Haster	1:24750b9ad5ef	33
Christopher Haster	1:24750b9ad5ef	34	#include <string.h>
Christopher Haster	1:24750b9ad5ef	35
Christopher Haster	1:24750b9ad5ef	36	#if defined(MBEDTLS_PLATFORM_C)
Christopher Haster	1:24750b9ad5ef	37	#include "mbedtls/platform.h"
Christopher Haster	1:24750b9ad5ef	38	#else
Christopher Haster	1:24750b9ad5ef	39	#include <stdlib.h>
Christopher Haster	1:24750b9ad5ef	40	#define mbedtls_calloc calloc
Christopher Haster	1:24750b9ad5ef	41	#define mbedtls_free free
Christopher Haster	1:24750b9ad5ef	42	#endif
Christopher Haster	1:24750b9ad5ef	43
Christopher Haster	1:24750b9ad5ef	44	#include <stdint.h>
Christopher Haster	1:24750b9ad5ef	45
Christopher Haster	1:24750b9ad5ef	46	#if defined(MBEDTLS_HAVE_TIME)
Christopher Haster	1:24750b9ad5ef	47	#include <time.h>
Christopher Haster	1:24750b9ad5ef	48	#endif
Christopher Haster	1:24750b9ad5ef	49
Christopher Haster	1:24750b9ad5ef	50	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	51	/* Implementation that should never be optimized out by the compiler */
Christopher Haster	1:24750b9ad5ef	52	static void mbedtls_zeroize( void *v, size_t n ) {
Christopher Haster	1:24750b9ad5ef	53	volatile unsigned char p = v; while( n-- ) p++ = 0;
Christopher Haster	1:24750b9ad5ef	54	}
Christopher Haster	1:24750b9ad5ef	55	#endif
Christopher Haster	1:24750b9ad5ef	56
Christopher Haster	1:24750b9ad5ef	57	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Christopher Haster	1:24750b9ad5ef	58	static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	59	unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	60	size_t *olen )
Christopher Haster	1:24750b9ad5ef	61	{
Christopher Haster	1:24750b9ad5ef	62	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	63	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	64	size_t hostname_len;
Christopher Haster	1:24750b9ad5ef	65
Christopher Haster	1:24750b9ad5ef	66	*olen = 0;
Christopher Haster	1:24750b9ad5ef	67
Christopher Haster	1:24750b9ad5ef	68	if( ssl->hostname == NULL )
Christopher Haster	1:24750b9ad5ef	69	return;
Christopher Haster	1:24750b9ad5ef	70
Christopher Haster	1:24750b9ad5ef	71	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
Christopher Haster	1:24750b9ad5ef	72	ssl->hostname ) );
Christopher Haster	1:24750b9ad5ef	73
Christopher Haster	1:24750b9ad5ef	74	hostname_len = strlen( ssl->hostname );
Christopher Haster	1:24750b9ad5ef	75
Christopher Haster	1:24750b9ad5ef	76	if( end < p \|\| (size_t)( end - p ) < hostname_len + 9 )
Christopher Haster	1:24750b9ad5ef	77	{
Christopher Haster	1:24750b9ad5ef	78	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	79	return;
Christopher Haster	1:24750b9ad5ef	80	}
Christopher Haster	1:24750b9ad5ef	81
Christopher Haster	1:24750b9ad5ef	82	/*
Christopher Haster	1:24750b9ad5ef	83	* struct {
Christopher Haster	1:24750b9ad5ef	84	* NameType name_type;
Christopher Haster	1:24750b9ad5ef	85	* select (name_type) {
Christopher Haster	1:24750b9ad5ef	86	* case host_name: HostName;
Christopher Haster	1:24750b9ad5ef	87	* } name;
Christopher Haster	1:24750b9ad5ef	88	* } ServerName;
Christopher Haster	1:24750b9ad5ef	89	*
Christopher Haster	1:24750b9ad5ef	90	* enum {
Christopher Haster	1:24750b9ad5ef	91	* host_name(0), (255)
Christopher Haster	1:24750b9ad5ef	92	* } NameType;
Christopher Haster	1:24750b9ad5ef	93	*
Christopher Haster	1:24750b9ad5ef	94	* opaque HostName<1..2^16-1>;
Christopher Haster	1:24750b9ad5ef	95	*
Christopher Haster	1:24750b9ad5ef	96	* struct {
Christopher Haster	1:24750b9ad5ef	97	* ServerName server_name_list<1..2^16-1>
Christopher Haster	1:24750b9ad5ef	98	* } ServerNameList;
Christopher Haster	1:24750b9ad5ef	99	*/
Christopher Haster	1:24750b9ad5ef	100	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	101	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	102
Christopher Haster	1:24750b9ad5ef	103	*p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	104	*p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	105
Christopher Haster	1:24750b9ad5ef	106	*p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	107	*p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	108
Christopher Haster	1:24750b9ad5ef	109	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	110	*p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	111	*p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	112
Christopher Haster	1:24750b9ad5ef	113	memcpy( p, ssl->hostname, hostname_len );
Christopher Haster	1:24750b9ad5ef	114
Christopher Haster	1:24750b9ad5ef	115	*olen = hostname_len + 9;
Christopher Haster	1:24750b9ad5ef	116	}
Christopher Haster	1:24750b9ad5ef	117	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Christopher Haster	1:24750b9ad5ef	118
Christopher Haster	1:24750b9ad5ef	119	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	120	static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	121	unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	122	size_t *olen )
Christopher Haster	1:24750b9ad5ef	123	{
Christopher Haster	1:24750b9ad5ef	124	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	125	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	126
Christopher Haster	1:24750b9ad5ef	127	*olen = 0;
Christopher Haster	1:24750b9ad5ef	128
Christopher Haster	1:24750b9ad5ef	129	if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Christopher Haster	1:24750b9ad5ef	130	return;
Christopher Haster	1:24750b9ad5ef	131
Christopher Haster	1:24750b9ad5ef	132	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
Christopher Haster	1:24750b9ad5ef	133
Christopher Haster	1:24750b9ad5ef	134	if( end < p \|\| (size_t)( end - p ) < 5 + ssl->verify_data_len )
Christopher Haster	1:24750b9ad5ef	135	{
Christopher Haster	1:24750b9ad5ef	136	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	137	return;
Christopher Haster	1:24750b9ad5ef	138	}
Christopher Haster	1:24750b9ad5ef	139
Christopher Haster	1:24750b9ad5ef	140	/*
Christopher Haster	1:24750b9ad5ef	141	* Secure renegotiation
Christopher Haster	1:24750b9ad5ef	142	*/
Christopher Haster	1:24750b9ad5ef	143	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	144	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	145
Christopher Haster	1:24750b9ad5ef	146	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	147	*p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
Christopher Haster	1:24750b9ad5ef	148	*p++ = ssl->verify_data_len & 0xFF;
Christopher Haster	1:24750b9ad5ef	149
Christopher Haster	1:24750b9ad5ef	150	memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
Christopher Haster	1:24750b9ad5ef	151
Christopher Haster	1:24750b9ad5ef	152	*olen = 5 + ssl->verify_data_len;
Christopher Haster	1:24750b9ad5ef	153	}
Christopher Haster	1:24750b9ad5ef	154	#endif /* MBEDTLS_SSL_RENEGOTIATION */
Christopher Haster	1:24750b9ad5ef	155
Christopher Haster	1:24750b9ad5ef	156	/*
Christopher Haster	1:24750b9ad5ef	157	* Only if we handle at least one key exchange that needs signatures.
Christopher Haster	1:24750b9ad5ef	158	*/
Christopher Haster	1:24750b9ad5ef	159	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Christopher Haster	1:24750b9ad5ef	160	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Christopher Haster	1:24750b9ad5ef	161	static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	162	unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	163	size_t *olen )
Christopher Haster	1:24750b9ad5ef	164	{
Christopher Haster	1:24750b9ad5ef	165	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	166	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	167	size_t sig_alg_len = 0;
Christopher Haster	1:24750b9ad5ef	168	const int *md;
Christopher Haster	1:24750b9ad5ef	169	#if defined(MBEDTLS_RSA_C) \|\| defined(MBEDTLS_ECDSA_C)
Christopher Haster	1:24750b9ad5ef	170	unsigned char *sig_alg_list = buf + 6;
Christopher Haster	1:24750b9ad5ef	171	#endif
Christopher Haster	1:24750b9ad5ef	172
Christopher Haster	1:24750b9ad5ef	173	*olen = 0;
Christopher Haster	1:24750b9ad5ef	174
Christopher Haster	1:24750b9ad5ef	175	if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Christopher Haster	1:24750b9ad5ef	176	return;
Christopher Haster	1:24750b9ad5ef	177
Christopher Haster	1:24750b9ad5ef	178	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
Christopher Haster	1:24750b9ad5ef	179
Christopher Haster	1:24750b9ad5ef	180	for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
Christopher Haster	1:24750b9ad5ef	181	{
Christopher Haster	1:24750b9ad5ef	182	#if defined(MBEDTLS_ECDSA_C)
Christopher Haster	1:24750b9ad5ef	183	sig_alg_len += 2;
Christopher Haster	1:24750b9ad5ef	184	#endif
Christopher Haster	1:24750b9ad5ef	185	#if defined(MBEDTLS_RSA_C)
Christopher Haster	1:24750b9ad5ef	186	sig_alg_len += 2;
Christopher Haster	1:24750b9ad5ef	187	#endif
Christopher Haster	1:24750b9ad5ef	188	}
Christopher Haster	1:24750b9ad5ef	189
Christopher Haster	1:24750b9ad5ef	190	if( end < p \|\| (size_t)( end - p ) < sig_alg_len + 6 )
Christopher Haster	1:24750b9ad5ef	191	{
Christopher Haster	1:24750b9ad5ef	192	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	193	return;
Christopher Haster	1:24750b9ad5ef	194	}
Christopher Haster	1:24750b9ad5ef	195
Christopher Haster	1:24750b9ad5ef	196	/*
Christopher Haster	1:24750b9ad5ef	197	* Prepare signature_algorithms extension (TLS 1.2)
Christopher Haster	1:24750b9ad5ef	198	*/
Christopher Haster	1:24750b9ad5ef	199	sig_alg_len = 0;
Christopher Haster	1:24750b9ad5ef	200
Christopher Haster	1:24750b9ad5ef	201	for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
Christopher Haster	1:24750b9ad5ef	202	{
Christopher Haster	1:24750b9ad5ef	203	#if defined(MBEDTLS_ECDSA_C)
Christopher Haster	1:24750b9ad5ef	204	sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
Christopher Haster	1:24750b9ad5ef	205	sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Christopher Haster	1:24750b9ad5ef	206	#endif
Christopher Haster	1:24750b9ad5ef	207	#if defined(MBEDTLS_RSA_C)
Christopher Haster	1:24750b9ad5ef	208	sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
Christopher Haster	1:24750b9ad5ef	209	sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Christopher Haster	1:24750b9ad5ef	210	#endif
Christopher Haster	1:24750b9ad5ef	211	}
Christopher Haster	1:24750b9ad5ef	212
Christopher Haster	1:24750b9ad5ef	213	/*
Christopher Haster	1:24750b9ad5ef	214	* enum {
Christopher Haster	1:24750b9ad5ef	215	* none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
Christopher Haster	1:24750b9ad5ef	216	* sha512(6), (255)
Christopher Haster	1:24750b9ad5ef	217	* } HashAlgorithm;
Christopher Haster	1:24750b9ad5ef	218	*
Christopher Haster	1:24750b9ad5ef	219	* enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
Christopher Haster	1:24750b9ad5ef	220	* SignatureAlgorithm;
Christopher Haster	1:24750b9ad5ef	221	*
Christopher Haster	1:24750b9ad5ef	222	* struct {
Christopher Haster	1:24750b9ad5ef	223	* HashAlgorithm hash;
Christopher Haster	1:24750b9ad5ef	224	* SignatureAlgorithm signature;
Christopher Haster	1:24750b9ad5ef	225	* } SignatureAndHashAlgorithm;
Christopher Haster	1:24750b9ad5ef	226	*
Christopher Haster	1:24750b9ad5ef	227	* SignatureAndHashAlgorithm
Christopher Haster	1:24750b9ad5ef	228	* supported_signature_algorithms<2..2^16-2>;
Christopher Haster	1:24750b9ad5ef	229	*/
Christopher Haster	1:24750b9ad5ef	230	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	231	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	232
Christopher Haster	1:24750b9ad5ef	233	*p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	234	*p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	235
Christopher Haster	1:24750b9ad5ef	236	*p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	237	*p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	238
Christopher Haster	1:24750b9ad5ef	239	*olen = 6 + sig_alg_len;
Christopher Haster	1:24750b9ad5ef	240	}
Christopher Haster	1:24750b9ad5ef	241	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Christopher Haster	1:24750b9ad5ef	242	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Christopher Haster	1:24750b9ad5ef	243
Christopher Haster	1:24750b9ad5ef	244	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
Christopher Haster	1:24750b9ad5ef	245	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	246	static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	247	unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	248	size_t *olen )
Christopher Haster	1:24750b9ad5ef	249	{
Christopher Haster	1:24750b9ad5ef	250	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	251	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	252	unsigned char *elliptic_curve_list = p + 6;
Christopher Haster	1:24750b9ad5ef	253	size_t elliptic_curve_len = 0;
Christopher Haster	1:24750b9ad5ef	254	const mbedtls_ecp_curve_info *info;
Christopher Haster	1:24750b9ad5ef	255	#if defined(MBEDTLS_ECP_C)
Christopher Haster	1:24750b9ad5ef	256	const mbedtls_ecp_group_id *grp_id;
Christopher Haster	1:24750b9ad5ef	257	#else
Christopher Haster	1:24750b9ad5ef	258	((void) ssl);
Christopher Haster	1:24750b9ad5ef	259	#endif
Christopher Haster	1:24750b9ad5ef	260
Christopher Haster	1:24750b9ad5ef	261	*olen = 0;
Christopher Haster	1:24750b9ad5ef	262
Christopher Haster	1:24750b9ad5ef	263	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
Christopher Haster	1:24750b9ad5ef	264
Christopher Haster	1:24750b9ad5ef	265	#if defined(MBEDTLS_ECP_C)
Christopher Haster	1:24750b9ad5ef	266	for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Christopher Haster	1:24750b9ad5ef	267	{
Christopher Haster	1:24750b9ad5ef	268	info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Christopher Haster	1:24750b9ad5ef	269	#else
Christopher Haster	1:24750b9ad5ef	270	for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Christopher Haster	1:24750b9ad5ef	271	{
Christopher Haster	1:24750b9ad5ef	272	#endif
Christopher Haster	1:24750b9ad5ef	273	elliptic_curve_len += 2;
Christopher Haster	1:24750b9ad5ef	274	}
Christopher Haster	1:24750b9ad5ef	275
Christopher Haster	1:24750b9ad5ef	276	if( end < p \|\| (size_t)( end - p ) < 6 + elliptic_curve_len )
Christopher Haster	1:24750b9ad5ef	277	{
Christopher Haster	1:24750b9ad5ef	278	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	279	return;
Christopher Haster	1:24750b9ad5ef	280	}
Christopher Haster	1:24750b9ad5ef	281
Christopher Haster	1:24750b9ad5ef	282	elliptic_curve_len = 0;
Christopher Haster	1:24750b9ad5ef	283
Christopher Haster	1:24750b9ad5ef	284	#if defined(MBEDTLS_ECP_C)
Christopher Haster	1:24750b9ad5ef	285	for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Christopher Haster	1:24750b9ad5ef	286	{
Christopher Haster	1:24750b9ad5ef	287	info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Christopher Haster	1:24750b9ad5ef	288	#else
Christopher Haster	1:24750b9ad5ef	289	for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Christopher Haster	1:24750b9ad5ef	290	{
Christopher Haster	1:24750b9ad5ef	291	#endif
Christopher Haster	1:24750b9ad5ef	292
Christopher Haster	1:24750b9ad5ef	293	elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
Christopher Haster	1:24750b9ad5ef	294	elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Christopher Haster	1:24750b9ad5ef	295	}
Christopher Haster	1:24750b9ad5ef	296
Christopher Haster	1:24750b9ad5ef	297	if( elliptic_curve_len == 0 )
Christopher Haster	1:24750b9ad5ef	298	return;
Christopher Haster	1:24750b9ad5ef	299
Christopher Haster	1:24750b9ad5ef	300	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	301	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	302
Christopher Haster	1:24750b9ad5ef	303	*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	304	*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	305
Christopher Haster	1:24750b9ad5ef	306	*p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	307	*p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	308
Christopher Haster	1:24750b9ad5ef	309	*olen = 6 + elliptic_curve_len;
Christopher Haster	1:24750b9ad5ef	310	}
Christopher Haster	1:24750b9ad5ef	311
Christopher Haster	1:24750b9ad5ef	312	static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	313	unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	314	size_t *olen )
Christopher Haster	1:24750b9ad5ef	315	{
Christopher Haster	1:24750b9ad5ef	316	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	317	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	318
Christopher Haster	1:24750b9ad5ef	319	*olen = 0;
Christopher Haster	1:24750b9ad5ef	320
Christopher Haster	1:24750b9ad5ef	321	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
Christopher Haster	1:24750b9ad5ef	322
Christopher Haster	1:24750b9ad5ef	323	if( end < p \|\| (size_t)( end - p ) < 6 )
Christopher Haster	1:24750b9ad5ef	324	{
Christopher Haster	1:24750b9ad5ef	325	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	326	return;
Christopher Haster	1:24750b9ad5ef	327	}
Christopher Haster	1:24750b9ad5ef	328
Christopher Haster	1:24750b9ad5ef	329	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	330	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	331
Christopher Haster	1:24750b9ad5ef	332	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	333	*p++ = 2;
Christopher Haster	1:24750b9ad5ef	334
Christopher Haster	1:24750b9ad5ef	335	*p++ = 1;
Christopher Haster	1:24750b9ad5ef	336	*p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Christopher Haster	1:24750b9ad5ef	337
Christopher Haster	1:24750b9ad5ef	338	*olen = 6;
Christopher Haster	1:24750b9ad5ef	339	}
Christopher Haster	1:24750b9ad5ef	340	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
Christopher Haster	1:24750b9ad5ef	341	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster	1:24750b9ad5ef	342
Christopher Haster	1:24750b9ad5ef	343	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	344	static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	345	unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	346	size_t *olen )
Christopher Haster	1:24750b9ad5ef	347	{
Christopher Haster	1:24750b9ad5ef	348	int ret;
Christopher Haster	1:24750b9ad5ef	349	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	350	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	351	size_t kkpp_len;
Christopher Haster	1:24750b9ad5ef	352
Christopher Haster	1:24750b9ad5ef	353	*olen = 0;
Christopher Haster	1:24750b9ad5ef	354
Christopher Haster	1:24750b9ad5ef	355	/* Skip costly extension if we can't use EC J-PAKE anyway */
Christopher Haster	1:24750b9ad5ef	356	if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
Christopher Haster	1:24750b9ad5ef	357	return;
Christopher Haster	1:24750b9ad5ef	358
Christopher Haster	1:24750b9ad5ef	359	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
Christopher Haster	1:24750b9ad5ef	360
Christopher Haster	1:24750b9ad5ef	361	if( end - p < 4 )
Christopher Haster	1:24750b9ad5ef	362	{
Christopher Haster	1:24750b9ad5ef	363	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	364	return;
Christopher Haster	1:24750b9ad5ef	365	}
Christopher Haster	1:24750b9ad5ef	366
Christopher Haster	1:24750b9ad5ef	367	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	368	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	369
Christopher Haster	1:24750b9ad5ef	370	/*
Christopher Haster	1:24750b9ad5ef	371	* We may need to send ClientHello multiple times for Hello verification.
Christopher Haster	1:24750b9ad5ef	372	* We don't want to compute fresh values every time (both for performance
Christopher Haster	1:24750b9ad5ef	373	* and consistency reasons), so cache the extension content.
Christopher Haster	1:24750b9ad5ef	374	*/
Christopher Haster	1:24750b9ad5ef	375	if( ssl->handshake->ecjpake_cache == NULL \|\|
Christopher Haster	1:24750b9ad5ef	376	ssl->handshake->ecjpake_cache_len == 0 )
Christopher Haster	1:24750b9ad5ef	377	{
Christopher Haster	1:24750b9ad5ef	378	MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
Christopher Haster	1:24750b9ad5ef	379
Christopher Haster	1:24750b9ad5ef	380	ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
Christopher Haster	1:24750b9ad5ef	381	p + 2, end - p - 2, &kkpp_len,
Christopher Haster	1:24750b9ad5ef	382	ssl->conf->f_rng, ssl->conf->p_rng );
Christopher Haster	1:24750b9ad5ef	383	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	384	{
Christopher Haster	1:24750b9ad5ef	385	MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
Christopher Haster	1:24750b9ad5ef	386	return;
Christopher Haster	1:24750b9ad5ef	387	}
Christopher Haster	1:24750b9ad5ef	388
Christopher Haster	1:24750b9ad5ef	389	ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
Christopher Haster	1:24750b9ad5ef	390	if( ssl->handshake->ecjpake_cache == NULL )
Christopher Haster	1:24750b9ad5ef	391	{
Christopher Haster	1:24750b9ad5ef	392	MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
Christopher Haster	1:24750b9ad5ef	393	return;
Christopher Haster	1:24750b9ad5ef	394	}
Christopher Haster	1:24750b9ad5ef	395
Christopher Haster	1:24750b9ad5ef	396	memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
Christopher Haster	1:24750b9ad5ef	397	ssl->handshake->ecjpake_cache_len = kkpp_len;
Christopher Haster	1:24750b9ad5ef	398	}
Christopher Haster	1:24750b9ad5ef	399	else
Christopher Haster	1:24750b9ad5ef	400	{
Christopher Haster	1:24750b9ad5ef	401	MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
Christopher Haster	1:24750b9ad5ef	402
Christopher Haster	1:24750b9ad5ef	403	kkpp_len = ssl->handshake->ecjpake_cache_len;
Christopher Haster	1:24750b9ad5ef	404
Christopher Haster	1:24750b9ad5ef	405	if( (size_t)( end - p - 2 ) < kkpp_len )
Christopher Haster	1:24750b9ad5ef	406	{
Christopher Haster	1:24750b9ad5ef	407	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	408	return;
Christopher Haster	1:24750b9ad5ef	409	}
Christopher Haster	1:24750b9ad5ef	410
Christopher Haster	1:24750b9ad5ef	411	memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Christopher Haster	1:24750b9ad5ef	412	}
Christopher Haster	1:24750b9ad5ef	413
Christopher Haster	1:24750b9ad5ef	414	*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	415	*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	416
Christopher Haster	1:24750b9ad5ef	417	*olen = kkpp_len + 4;
Christopher Haster	1:24750b9ad5ef	418	}
Christopher Haster	1:24750b9ad5ef	419	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster	1:24750b9ad5ef	420
Christopher Haster	1:24750b9ad5ef	421	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Christopher Haster	1:24750b9ad5ef	422	static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	423	unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	424	size_t *olen )
Christopher Haster	1:24750b9ad5ef	425	{
Christopher Haster	1:24750b9ad5ef	426	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	427	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	428
Christopher Haster	1:24750b9ad5ef	429	*olen = 0;
Christopher Haster	1:24750b9ad5ef	430
Christopher Haster	1:24750b9ad5ef	431	if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Christopher Haster	1:24750b9ad5ef	432	return;
Christopher Haster	1:24750b9ad5ef	433	}
Christopher Haster	1:24750b9ad5ef	434
Christopher Haster	1:24750b9ad5ef	435	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
Christopher Haster	1:24750b9ad5ef	436
Christopher Haster	1:24750b9ad5ef	437	if( end < p \|\| (size_t)( end - p ) < 5 )
Christopher Haster	1:24750b9ad5ef	438	{
Christopher Haster	1:24750b9ad5ef	439	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	440	return;
Christopher Haster	1:24750b9ad5ef	441	}
Christopher Haster	1:24750b9ad5ef	442
Christopher Haster	1:24750b9ad5ef	443	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	444	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	445
Christopher Haster	1:24750b9ad5ef	446	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	447	*p++ = 1;
Christopher Haster	1:24750b9ad5ef	448
Christopher Haster	1:24750b9ad5ef	449	*p++ = ssl->conf->mfl_code;
Christopher Haster	1:24750b9ad5ef	450
Christopher Haster	1:24750b9ad5ef	451	*olen = 5;
Christopher Haster	1:24750b9ad5ef	452	}
Christopher Haster	1:24750b9ad5ef	453	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Christopher Haster	1:24750b9ad5ef	454
Christopher Haster	1:24750b9ad5ef	455	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Christopher Haster	1:24750b9ad5ef	456	static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	457	unsigned char buf, size_t olen )
Christopher Haster	1:24750b9ad5ef	458	{
Christopher Haster	1:24750b9ad5ef	459	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	460	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	461
Christopher Haster	1:24750b9ad5ef	462	*olen = 0;
Christopher Haster	1:24750b9ad5ef	463
Christopher Haster	1:24750b9ad5ef	464	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Christopher Haster	1:24750b9ad5ef	465	{
Christopher Haster	1:24750b9ad5ef	466	return;
Christopher Haster	1:24750b9ad5ef	467	}
Christopher Haster	1:24750b9ad5ef	468
Christopher Haster	1:24750b9ad5ef	469	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
Christopher Haster	1:24750b9ad5ef	470
Christopher Haster	1:24750b9ad5ef	471	if( end < p \|\| (size_t)( end - p ) < 4 )
Christopher Haster	1:24750b9ad5ef	472	{
Christopher Haster	1:24750b9ad5ef	473	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	474	return;
Christopher Haster	1:24750b9ad5ef	475	}
Christopher Haster	1:24750b9ad5ef	476
Christopher Haster	1:24750b9ad5ef	477	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	478	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	479
Christopher Haster	1:24750b9ad5ef	480	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	481	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	482
Christopher Haster	1:24750b9ad5ef	483	*olen = 4;
Christopher Haster	1:24750b9ad5ef	484	}
Christopher Haster	1:24750b9ad5ef	485	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Christopher Haster	1:24750b9ad5ef	486
Christopher Haster	1:24750b9ad5ef	487	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Christopher Haster	1:24750b9ad5ef	488	static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	489	unsigned char buf, size_t olen )
Christopher Haster	1:24750b9ad5ef	490	{
Christopher Haster	1:24750b9ad5ef	491	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	492	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	493
Christopher Haster	1:24750b9ad5ef	494	*olen = 0;
Christopher Haster	1:24750b9ad5ef	495
Christopher Haster	1:24750b9ad5ef	496	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED \|\|
Christopher Haster	1:24750b9ad5ef	497	ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Christopher Haster	1:24750b9ad5ef	498	{
Christopher Haster	1:24750b9ad5ef	499	return;
Christopher Haster	1:24750b9ad5ef	500	}
Christopher Haster	1:24750b9ad5ef	501
Christopher Haster	1:24750b9ad5ef	502	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
Christopher Haster	1:24750b9ad5ef	503	"extension" ) );
Christopher Haster	1:24750b9ad5ef	504
Christopher Haster	1:24750b9ad5ef	505	if( end < p \|\| (size_t)( end - p ) < 4 )
Christopher Haster	1:24750b9ad5ef	506	{
Christopher Haster	1:24750b9ad5ef	507	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	508	return;
Christopher Haster	1:24750b9ad5ef	509	}
Christopher Haster	1:24750b9ad5ef	510
Christopher Haster	1:24750b9ad5ef	511	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	512	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	513
Christopher Haster	1:24750b9ad5ef	514	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	515	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	516
Christopher Haster	1:24750b9ad5ef	517	*olen = 4;
Christopher Haster	1:24750b9ad5ef	518	}
Christopher Haster	1:24750b9ad5ef	519	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Christopher Haster	1:24750b9ad5ef	520
Christopher Haster	1:24750b9ad5ef	521	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Christopher Haster	1:24750b9ad5ef	522	static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	523	unsigned char buf, size_t olen )
Christopher Haster	1:24750b9ad5ef	524	{
Christopher Haster	1:24750b9ad5ef	525	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	526	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	527
Christopher Haster	1:24750b9ad5ef	528	*olen = 0;
Christopher Haster	1:24750b9ad5ef	529
Christopher Haster	1:24750b9ad5ef	530	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
Christopher Haster	1:24750b9ad5ef	531	ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Christopher Haster	1:24750b9ad5ef	532	{
Christopher Haster	1:24750b9ad5ef	533	return;
Christopher Haster	1:24750b9ad5ef	534	}
Christopher Haster	1:24750b9ad5ef	535
Christopher Haster	1:24750b9ad5ef	536	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
Christopher Haster	1:24750b9ad5ef	537	"extension" ) );
Christopher Haster	1:24750b9ad5ef	538
Christopher Haster	1:24750b9ad5ef	539	if( end < p \|\| (size_t)( end - p ) < 4 )
Christopher Haster	1:24750b9ad5ef	540	{
Christopher Haster	1:24750b9ad5ef	541	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	542	return;
Christopher Haster	1:24750b9ad5ef	543	}
Christopher Haster	1:24750b9ad5ef	544
Christopher Haster	1:24750b9ad5ef	545	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	546	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	547
Christopher Haster	1:24750b9ad5ef	548	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	549	*p++ = 0x00;
Christopher Haster	1:24750b9ad5ef	550
Christopher Haster	1:24750b9ad5ef	551	*olen = 4;
Christopher Haster	1:24750b9ad5ef	552	}
Christopher Haster	1:24750b9ad5ef	553	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Christopher Haster	1:24750b9ad5ef	554
Christopher Haster	1:24750b9ad5ef	555	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	556	static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	557	unsigned char buf, size_t olen )
Christopher Haster	1:24750b9ad5ef	558	{
Christopher Haster	1:24750b9ad5ef	559	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	560	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	561	size_t tlen = ssl->session_negotiate->ticket_len;
Christopher Haster	1:24750b9ad5ef	562
Christopher Haster	1:24750b9ad5ef	563	*olen = 0;
Christopher Haster	1:24750b9ad5ef	564
Christopher Haster	1:24750b9ad5ef	565	if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Christopher Haster	1:24750b9ad5ef	566	{
Christopher Haster	1:24750b9ad5ef	567	return;
Christopher Haster	1:24750b9ad5ef	568	}
Christopher Haster	1:24750b9ad5ef	569
Christopher Haster	1:24750b9ad5ef	570	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
Christopher Haster	1:24750b9ad5ef	571
Christopher Haster	1:24750b9ad5ef	572	if( end < p \|\| (size_t)( end - p ) < 4 + tlen )
Christopher Haster	1:24750b9ad5ef	573	{
Christopher Haster	1:24750b9ad5ef	574	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	575	return;
Christopher Haster	1:24750b9ad5ef	576	}
Christopher Haster	1:24750b9ad5ef	577
Christopher Haster	1:24750b9ad5ef	578	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	579	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	580
Christopher Haster	1:24750b9ad5ef	581	*p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	582	*p++ = (unsigned char)( ( tlen ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	583
Christopher Haster	1:24750b9ad5ef	584	*olen = 4;
Christopher Haster	1:24750b9ad5ef	585
Christopher Haster	1:24750b9ad5ef	586	if( ssl->session_negotiate->ticket == NULL \|\| tlen == 0 )
Christopher Haster	1:24750b9ad5ef	587	{
Christopher Haster	1:24750b9ad5ef	588	return;
Christopher Haster	1:24750b9ad5ef	589	}
Christopher Haster	1:24750b9ad5ef	590
Christopher Haster	1:24750b9ad5ef	591	MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
Christopher Haster	1:24750b9ad5ef	592
Christopher Haster	1:24750b9ad5ef	593	memcpy( p, ssl->session_negotiate->ticket, tlen );
Christopher Haster	1:24750b9ad5ef	594
Christopher Haster	1:24750b9ad5ef	595	*olen += tlen;
Christopher Haster	1:24750b9ad5ef	596	}
Christopher Haster	1:24750b9ad5ef	597	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster	1:24750b9ad5ef	598
Christopher Haster	1:24750b9ad5ef	599	#if defined(MBEDTLS_SSL_ALPN)
Christopher Haster	1:24750b9ad5ef	600	static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	601	unsigned char buf, size_t olen )
Christopher Haster	1:24750b9ad5ef	602	{
Christopher Haster	1:24750b9ad5ef	603	unsigned char *p = buf;
Christopher Haster	1:24750b9ad5ef	604	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Christopher Haster	1:24750b9ad5ef	605	size_t alpnlen = 0;
Christopher Haster	1:24750b9ad5ef	606	const char **cur;
Christopher Haster	1:24750b9ad5ef	607
Christopher Haster	1:24750b9ad5ef	608	*olen = 0;
Christopher Haster	1:24750b9ad5ef	609
Christopher Haster	1:24750b9ad5ef	610	if( ssl->conf->alpn_list == NULL )
Christopher Haster	1:24750b9ad5ef	611	{
Christopher Haster	1:24750b9ad5ef	612	return;
Christopher Haster	1:24750b9ad5ef	613	}
Christopher Haster	1:24750b9ad5ef	614
Christopher Haster	1:24750b9ad5ef	615	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Christopher Haster	1:24750b9ad5ef	616
Christopher Haster	1:24750b9ad5ef	617	for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Christopher Haster	1:24750b9ad5ef	618	alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
Christopher Haster	1:24750b9ad5ef	619
Christopher Haster	1:24750b9ad5ef	620	if( end < p \|\| (size_t)( end - p ) < 6 + alpnlen )
Christopher Haster	1:24750b9ad5ef	621	{
Christopher Haster	1:24750b9ad5ef	622	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Christopher Haster	1:24750b9ad5ef	623	return;
Christopher Haster	1:24750b9ad5ef	624	}
Christopher Haster	1:24750b9ad5ef	625
Christopher Haster	1:24750b9ad5ef	626	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	627	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	628
Christopher Haster	1:24750b9ad5ef	629	/*
Christopher Haster	1:24750b9ad5ef	630	* opaque ProtocolName<1..2^8-1>;
Christopher Haster	1:24750b9ad5ef	631	*
Christopher Haster	1:24750b9ad5ef	632	* struct {
Christopher Haster	1:24750b9ad5ef	633	* ProtocolName protocol_name_list<2..2^16-1>
Christopher Haster	1:24750b9ad5ef	634	* } ProtocolNameList;
Christopher Haster	1:24750b9ad5ef	635	*/
Christopher Haster	1:24750b9ad5ef	636
Christopher Haster	1:24750b9ad5ef	637	/* Skip writing extension and list length for now */
Christopher Haster	1:24750b9ad5ef	638	p += 4;
Christopher Haster	1:24750b9ad5ef	639
Christopher Haster	1:24750b9ad5ef	640	for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Christopher Haster	1:24750b9ad5ef	641	{
Christopher Haster	1:24750b9ad5ef	642	p = (unsigned char)( strlen( cur ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	643	memcpy( p + 1, cur, p );
Christopher Haster	1:24750b9ad5ef	644	p += 1 + *p;
Christopher Haster	1:24750b9ad5ef	645	}
Christopher Haster	1:24750b9ad5ef	646
Christopher Haster	1:24750b9ad5ef	647	*olen = p - buf;
Christopher Haster	1:24750b9ad5ef	648
Christopher Haster	1:24750b9ad5ef	649	/* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
Christopher Haster	1:24750b9ad5ef	650	buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	651	buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	652
Christopher Haster	1:24750b9ad5ef	653	/* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
Christopher Haster	1:24750b9ad5ef	654	buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	655	buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	656	}
Christopher Haster	1:24750b9ad5ef	657	#endif /* MBEDTLS_SSL_ALPN */
Christopher Haster	1:24750b9ad5ef	658
Christopher Haster	1:24750b9ad5ef	659	/*
Christopher Haster	1:24750b9ad5ef	660	* Generate random bytes for ClientHello
Christopher Haster	1:24750b9ad5ef	661	*/
Christopher Haster	1:24750b9ad5ef	662	static int ssl_generate_random( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	663	{
Christopher Haster	1:24750b9ad5ef	664	int ret;
Christopher Haster	1:24750b9ad5ef	665	unsigned char *p = ssl->handshake->randbytes;
Christopher Haster	1:24750b9ad5ef	666	#if defined(MBEDTLS_HAVE_TIME)
Christopher Haster	1:24750b9ad5ef	667	time_t t;
Christopher Haster	1:24750b9ad5ef	668	#endif
Christopher Haster	1:24750b9ad5ef	669
Christopher Haster	1:24750b9ad5ef	670	/*
Christopher Haster	1:24750b9ad5ef	671	* When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
Christopher Haster	1:24750b9ad5ef	672	*/
Christopher Haster	1:24750b9ad5ef	673	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	674	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Christopher Haster	1:24750b9ad5ef	675	ssl->handshake->verify_cookie != NULL )
Christopher Haster	1:24750b9ad5ef	676	{
Christopher Haster	1:24750b9ad5ef	677	return( 0 );
Christopher Haster	1:24750b9ad5ef	678	}
Christopher Haster	1:24750b9ad5ef	679	#endif
Christopher Haster	1:24750b9ad5ef	680
Christopher Haster	1:24750b9ad5ef	681	#if defined(MBEDTLS_HAVE_TIME)
Christopher Haster	1:24750b9ad5ef	682	t = time( NULL );
Christopher Haster	1:24750b9ad5ef	683	*p++ = (unsigned char)( t >> 24 );
Christopher Haster	1:24750b9ad5ef	684	*p++ = (unsigned char)( t >> 16 );
Christopher Haster	1:24750b9ad5ef	685	*p++ = (unsigned char)( t >> 8 );
Christopher Haster	1:24750b9ad5ef	686	*p++ = (unsigned char)( t );
Christopher Haster	1:24750b9ad5ef	687
Christopher Haster	1:24750b9ad5ef	688	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Christopher Haster	1:24750b9ad5ef	689	#else
Christopher Haster	1:24750b9ad5ef	690	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	691	return( ret );
Christopher Haster	1:24750b9ad5ef	692
Christopher Haster	1:24750b9ad5ef	693	p += 4;
Christopher Haster	1:24750b9ad5ef	694	#endif /* MBEDTLS_HAVE_TIME */
Christopher Haster	1:24750b9ad5ef	695
Christopher Haster	1:24750b9ad5ef	696	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	697	return( ret );
Christopher Haster	1:24750b9ad5ef	698
Christopher Haster	1:24750b9ad5ef	699	return( 0 );
Christopher Haster	1:24750b9ad5ef	700	}
Christopher Haster	1:24750b9ad5ef	701
Christopher Haster	1:24750b9ad5ef	702	static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	703	{
Christopher Haster	1:24750b9ad5ef	704	int ret;
Christopher Haster	1:24750b9ad5ef	705	size_t i, n, olen, ext_len = 0;
Christopher Haster	1:24750b9ad5ef	706	unsigned char *buf;
Christopher Haster	1:24750b9ad5ef	707	unsigned char p, q;
Christopher Haster	1:24750b9ad5ef	708	unsigned char offer_compress;
Christopher Haster	1:24750b9ad5ef	709	const int *ciphersuites;
Christopher Haster	1:24750b9ad5ef	710	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Christopher Haster	1:24750b9ad5ef	711
Christopher Haster	1:24750b9ad5ef	712	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Christopher Haster	1:24750b9ad5ef	713
Christopher Haster	1:24750b9ad5ef	714	if( ssl->conf->f_rng == NULL )
Christopher Haster	1:24750b9ad5ef	715	{
Christopher Haster	1:24750b9ad5ef	716	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
Christopher Haster	1:24750b9ad5ef	717	return( MBEDTLS_ERR_SSL_NO_RNG );
Christopher Haster	1:24750b9ad5ef	718	}
Christopher Haster	1:24750b9ad5ef	719
Christopher Haster	1:24750b9ad5ef	720	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	721	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	722	#endif
Christopher Haster	1:24750b9ad5ef	723	{
Christopher Haster	1:24750b9ad5ef	724	ssl->major_ver = ssl->conf->min_major_ver;
Christopher Haster	1:24750b9ad5ef	725	ssl->minor_ver = ssl->conf->min_minor_ver;
Christopher Haster	1:24750b9ad5ef	726	}
Christopher Haster	1:24750b9ad5ef	727
Christopher Haster	1:24750b9ad5ef	728	if( ssl->conf->max_major_ver == 0 )
Christopher Haster	1:24750b9ad5ef	729	{
Christopher Haster	1:24750b9ad5ef	730	MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
Christopher Haster	1:24750b9ad5ef	731	"consider using mbedtls_ssl_config_defaults()" ) );
Christopher Haster	1:24750b9ad5ef	732	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Christopher Haster	1:24750b9ad5ef	733	}
Christopher Haster	1:24750b9ad5ef	734
Christopher Haster	1:24750b9ad5ef	735	/*
Christopher Haster	1:24750b9ad5ef	736	* 0 . 0 handshake type
Christopher Haster	1:24750b9ad5ef	737	* 1 . 3 handshake length
Christopher Haster	1:24750b9ad5ef	738	* 4 . 5 highest version supported
Christopher Haster	1:24750b9ad5ef	739	* 6 . 9 current UNIX time
Christopher Haster	1:24750b9ad5ef	740	* 10 . 37 random bytes
Christopher Haster	1:24750b9ad5ef	741	*/
Christopher Haster	1:24750b9ad5ef	742	buf = ssl->out_msg;
Christopher Haster	1:24750b9ad5ef	743	p = buf + 4;
Christopher Haster	1:24750b9ad5ef	744
Christopher Haster	1:24750b9ad5ef	745	mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
Christopher Haster	1:24750b9ad5ef	746	ssl->conf->transport, p );
Christopher Haster	1:24750b9ad5ef	747	p += 2;
Christopher Haster	1:24750b9ad5ef	748
Christopher Haster	1:24750b9ad5ef	749	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Christopher Haster	1:24750b9ad5ef	750	buf[4], buf[5] ) );
Christopher Haster	1:24750b9ad5ef	751
Christopher Haster	1:24750b9ad5ef	752	if( ( ret = ssl_generate_random( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	753	{
Christopher Haster	1:24750b9ad5ef	754	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Christopher Haster	1:24750b9ad5ef	755	return( ret );
Christopher Haster	1:24750b9ad5ef	756	}
Christopher Haster	1:24750b9ad5ef	757
Christopher Haster	1:24750b9ad5ef	758	memcpy( p, ssl->handshake->randbytes, 32 );
Christopher Haster	1:24750b9ad5ef	759	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Christopher Haster	1:24750b9ad5ef	760	p += 32;
Christopher Haster	1:24750b9ad5ef	761
Christopher Haster	1:24750b9ad5ef	762	/*
Christopher Haster	1:24750b9ad5ef	763	* 38 . 38 session id length
Christopher Haster	1:24750b9ad5ef	764	* 39 . 39+n session id
Christopher Haster	1:24750b9ad5ef	765	* 39+n . 39+n DTLS only: cookie length (1 byte)
Christopher Haster	1:24750b9ad5ef	766	* 40+n . .. DTSL only: cookie
Christopher Haster	1:24750b9ad5ef	767	* .. . .. ciphersuitelist length (2 bytes)
Christopher Haster	1:24750b9ad5ef	768	* .. . .. ciphersuitelist
Christopher Haster	1:24750b9ad5ef	769	* .. . .. compression methods length (1 byte)
Christopher Haster	1:24750b9ad5ef	770	* .. . .. compression methods
Christopher Haster	1:24750b9ad5ef	771	* .. . .. extensions length (2 bytes)
Christopher Haster	1:24750b9ad5ef	772	* .. . .. extensions
Christopher Haster	1:24750b9ad5ef	773	*/
Christopher Haster	1:24750b9ad5ef	774	n = ssl->session_negotiate->id_len;
Christopher Haster	1:24750b9ad5ef	775
Christopher Haster	1:24750b9ad5ef	776	if( n < 16 \|\| n > 32 \|\|
Christopher Haster	1:24750b9ad5ef	777	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	778	ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE \|\|
Christopher Haster	1:24750b9ad5ef	779	#endif
Christopher Haster	1:24750b9ad5ef	780	ssl->handshake->resume == 0 )
Christopher Haster	1:24750b9ad5ef	781	{
Christopher Haster	1:24750b9ad5ef	782	n = 0;
Christopher Haster	1:24750b9ad5ef	783	}
Christopher Haster	1:24750b9ad5ef	784
Christopher Haster	1:24750b9ad5ef	785	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	786	/*
Christopher Haster	1:24750b9ad5ef	787	* RFC 5077 section 3.4: "When presenting a ticket, the client MAY
Christopher Haster	1:24750b9ad5ef	788	* generate and include a Session ID in the TLS ClientHello."
Christopher Haster	1:24750b9ad5ef	789	*/
Christopher Haster	1:24750b9ad5ef	790	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	791	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	792	#endif
Christopher Haster	1:24750b9ad5ef	793	{
Christopher Haster	1:24750b9ad5ef	794	if( ssl->session_negotiate->ticket != NULL &&
Christopher Haster	1:24750b9ad5ef	795	ssl->session_negotiate->ticket_len != 0 )
Christopher Haster	1:24750b9ad5ef	796	{
Christopher Haster	1:24750b9ad5ef	797	ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Christopher Haster	1:24750b9ad5ef	798
Christopher Haster	1:24750b9ad5ef	799	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	800	return( ret );
Christopher Haster	1:24750b9ad5ef	801
Christopher Haster	1:24750b9ad5ef	802	ssl->session_negotiate->id_len = n = 32;
Christopher Haster	1:24750b9ad5ef	803	}
Christopher Haster	1:24750b9ad5ef	804	}
Christopher Haster	1:24750b9ad5ef	805	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster	1:24750b9ad5ef	806
Christopher Haster	1:24750b9ad5ef	807	*p++ = (unsigned char) n;
Christopher Haster	1:24750b9ad5ef	808
Christopher Haster	1:24750b9ad5ef	809	for( i = 0; i < n; i++ )
Christopher Haster	1:24750b9ad5ef	810	*p++ = ssl->session_negotiate->id[i];
Christopher Haster	1:24750b9ad5ef	811
Christopher Haster	1:24750b9ad5ef	812	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
Christopher Haster	1:24750b9ad5ef	813	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Christopher Haster	1:24750b9ad5ef	814
Christopher Haster	1:24750b9ad5ef	815	/*
Christopher Haster	1:24750b9ad5ef	816	* DTLS cookie
Christopher Haster	1:24750b9ad5ef	817	*/
Christopher Haster	1:24750b9ad5ef	818	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	819	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster	1:24750b9ad5ef	820	{
Christopher Haster	1:24750b9ad5ef	821	if( ssl->handshake->verify_cookie == NULL )
Christopher Haster	1:24750b9ad5ef	822	{
Christopher Haster	1:24750b9ad5ef	823	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Christopher Haster	1:24750b9ad5ef	824	*p++ = 0;
Christopher Haster	1:24750b9ad5ef	825	}
Christopher Haster	1:24750b9ad5ef	826	else
Christopher Haster	1:24750b9ad5ef	827	{
Christopher Haster	1:24750b9ad5ef	828	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Christopher Haster	1:24750b9ad5ef	829	ssl->handshake->verify_cookie,
Christopher Haster	1:24750b9ad5ef	830	ssl->handshake->verify_cookie_len );
Christopher Haster	1:24750b9ad5ef	831
Christopher Haster	1:24750b9ad5ef	832	*p++ = ssl->handshake->verify_cookie_len;
Christopher Haster	1:24750b9ad5ef	833	memcpy( p, ssl->handshake->verify_cookie,
Christopher Haster	1:24750b9ad5ef	834	ssl->handshake->verify_cookie_len );
Christopher Haster	1:24750b9ad5ef	835	p += ssl->handshake->verify_cookie_len;
Christopher Haster	1:24750b9ad5ef	836	}
Christopher Haster	1:24750b9ad5ef	837	}
Christopher Haster	1:24750b9ad5ef	838	#endif
Christopher Haster	1:24750b9ad5ef	839
Christopher Haster	1:24750b9ad5ef	840	/*
Christopher Haster	1:24750b9ad5ef	841	* Ciphersuite list
Christopher Haster	1:24750b9ad5ef	842	*/
Christopher Haster	1:24750b9ad5ef	843	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
Christopher Haster	1:24750b9ad5ef	844
Christopher Haster	1:24750b9ad5ef	845	/* Skip writing ciphersuite length for now */
Christopher Haster	1:24750b9ad5ef	846	n = 0;
Christopher Haster	1:24750b9ad5ef	847	q = p;
Christopher Haster	1:24750b9ad5ef	848	p += 2;
Christopher Haster	1:24750b9ad5ef	849
Christopher Haster	1:24750b9ad5ef	850	for( i = 0; ciphersuites[i] != 0; i++ )
Christopher Haster	1:24750b9ad5ef	851	{
Christopher Haster	1:24750b9ad5ef	852	ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
Christopher Haster	1:24750b9ad5ef	853
Christopher Haster	1:24750b9ad5ef	854	if( ciphersuite_info == NULL )
Christopher Haster	1:24750b9ad5ef	855	continue;
Christopher Haster	1:24750b9ad5ef	856
Christopher Haster	1:24750b9ad5ef	857	if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver \|\|
Christopher Haster	1:24750b9ad5ef	858	ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
Christopher Haster	1:24750b9ad5ef	859	continue;
Christopher Haster	1:24750b9ad5ef	860
Christopher Haster	1:24750b9ad5ef	861	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	862	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Christopher Haster	1:24750b9ad5ef	863	( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
Christopher Haster	1:24750b9ad5ef	864	continue;
Christopher Haster	1:24750b9ad5ef	865	#endif
Christopher Haster	1:24750b9ad5ef	866
Christopher Haster	1:24750b9ad5ef	867	#if defined(MBEDTLS_ARC4_C)
Christopher Haster	1:24750b9ad5ef	868	if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Christopher Haster	1:24750b9ad5ef	869	ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
Christopher Haster	1:24750b9ad5ef	870	continue;
Christopher Haster	1:24750b9ad5ef	871	#endif
Christopher Haster	1:24750b9ad5ef	872
Christopher Haster	1:24750b9ad5ef	873	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	874	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
Christopher Haster	1:24750b9ad5ef	875	mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
Christopher Haster	1:24750b9ad5ef	876	continue;
Christopher Haster	1:24750b9ad5ef	877	#endif
Christopher Haster	1:24750b9ad5ef	878
Christopher Haster	1:24750b9ad5ef	879	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
Christopher Haster	1:24750b9ad5ef	880	ciphersuites[i] ) );
Christopher Haster	1:24750b9ad5ef	881
Christopher Haster	1:24750b9ad5ef	882	n++;
Christopher Haster	1:24750b9ad5ef	883	*p++ = (unsigned char)( ciphersuites[i] >> 8 );
Christopher Haster	1:24750b9ad5ef	884	*p++ = (unsigned char)( ciphersuites[i] );
Christopher Haster	1:24750b9ad5ef	885	}
Christopher Haster	1:24750b9ad5ef	886
Christopher Haster	1:24750b9ad5ef	887	/*
Christopher Haster	1:24750b9ad5ef	888	* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Christopher Haster	1:24750b9ad5ef	889	*/
Christopher Haster	1:24750b9ad5ef	890	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	891	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	892	#endif
Christopher Haster	1:24750b9ad5ef	893	{
Christopher Haster	1:24750b9ad5ef	894	*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
Christopher Haster	1:24750b9ad5ef	895	*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Christopher Haster	1:24750b9ad5ef	896	n++;
Christopher Haster	1:24750b9ad5ef	897	}
Christopher Haster	1:24750b9ad5ef	898
Christopher Haster	1:24750b9ad5ef	899	/* Some versions of OpenSSL don't handle it correctly if not at end */
Christopher Haster	1:24750b9ad5ef	900	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Christopher Haster	1:24750b9ad5ef	901	if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Christopher Haster	1:24750b9ad5ef	902	{
Christopher Haster	1:24750b9ad5ef	903	MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
Christopher Haster	1:24750b9ad5ef	904	*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
Christopher Haster	1:24750b9ad5ef	905	*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Christopher Haster	1:24750b9ad5ef	906	n++;
Christopher Haster	1:24750b9ad5ef	907	}
Christopher Haster	1:24750b9ad5ef	908	#endif
Christopher Haster	1:24750b9ad5ef	909
Christopher Haster	1:24750b9ad5ef	910	*q++ = (unsigned char)( n >> 7 );
Christopher Haster	1:24750b9ad5ef	911	*q++ = (unsigned char)( n << 1 );
Christopher Haster	1:24750b9ad5ef	912
Christopher Haster	1:24750b9ad5ef	913	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
Christopher Haster	1:24750b9ad5ef	914
Christopher Haster	1:24750b9ad5ef	915	#if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster	1:24750b9ad5ef	916	offer_compress = 1;
Christopher Haster	1:24750b9ad5ef	917	#else
Christopher Haster	1:24750b9ad5ef	918	offer_compress = 0;
Christopher Haster	1:24750b9ad5ef	919	#endif
Christopher Haster	1:24750b9ad5ef	920
Christopher Haster	1:24750b9ad5ef	921	/*
Christopher Haster	1:24750b9ad5ef	922	* We don't support compression with DTLS right now: is many records come
Christopher Haster	1:24750b9ad5ef	923	* in the same datagram, uncompressing one could overwrite the next one.
Christopher Haster	1:24750b9ad5ef	924	* We don't want to add complexity for handling that case unless there is
Christopher Haster	1:24750b9ad5ef	925	* an actual need for it.
Christopher Haster	1:24750b9ad5ef	926	*/
Christopher Haster	1:24750b9ad5ef	927	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	928	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster	1:24750b9ad5ef	929	offer_compress = 0;
Christopher Haster	1:24750b9ad5ef	930	#endif
Christopher Haster	1:24750b9ad5ef	931
Christopher Haster	1:24750b9ad5ef	932	if( offer_compress )
Christopher Haster	1:24750b9ad5ef	933	{
Christopher Haster	1:24750b9ad5ef	934	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
Christopher Haster	1:24750b9ad5ef	935	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
Christopher Haster	1:24750b9ad5ef	936	MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Christopher Haster	1:24750b9ad5ef	937
Christopher Haster	1:24750b9ad5ef	938	*p++ = 2;
Christopher Haster	1:24750b9ad5ef	939	*p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
Christopher Haster	1:24750b9ad5ef	940	*p++ = MBEDTLS_SSL_COMPRESS_NULL;
Christopher Haster	1:24750b9ad5ef	941	}
Christopher Haster	1:24750b9ad5ef	942	else
Christopher Haster	1:24750b9ad5ef	943	{
Christopher Haster	1:24750b9ad5ef	944	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
Christopher Haster	1:24750b9ad5ef	945	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
Christopher Haster	1:24750b9ad5ef	946	MBEDTLS_SSL_COMPRESS_NULL ) );
Christopher Haster	1:24750b9ad5ef	947
Christopher Haster	1:24750b9ad5ef	948	*p++ = 1;
Christopher Haster	1:24750b9ad5ef	949	*p++ = MBEDTLS_SSL_COMPRESS_NULL;
Christopher Haster	1:24750b9ad5ef	950	}
Christopher Haster	1:24750b9ad5ef	951
Christopher Haster	1:24750b9ad5ef	952	// First write extensions, then the total length
Christopher Haster	1:24750b9ad5ef	953	//
Christopher Haster	1:24750b9ad5ef	954	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Christopher Haster	1:24750b9ad5ef	955	ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	956	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	957	#endif
Christopher Haster	1:24750b9ad5ef	958
Christopher Haster	1:24750b9ad5ef	959	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	960	ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	961	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	962	#endif
Christopher Haster	1:24750b9ad5ef	963
Christopher Haster	1:24750b9ad5ef	964	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Christopher Haster	1:24750b9ad5ef	965	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Christopher Haster	1:24750b9ad5ef	966	ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	967	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	968	#endif
Christopher Haster	1:24750b9ad5ef	969
Christopher Haster	1:24750b9ad5ef	970	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
Christopher Haster	1:24750b9ad5ef	971	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	972	ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	973	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	974
Christopher Haster	1:24750b9ad5ef	975	ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	976	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	977	#endif
Christopher Haster	1:24750b9ad5ef	978
Christopher Haster	1:24750b9ad5ef	979	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	980	ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	981	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	982	#endif
Christopher Haster	1:24750b9ad5ef	983
Christopher Haster	1:24750b9ad5ef	984	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Christopher Haster	1:24750b9ad5ef	985	ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	986	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	987	#endif
Christopher Haster	1:24750b9ad5ef	988
Christopher Haster	1:24750b9ad5ef	989	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Christopher Haster	1:24750b9ad5ef	990	ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	991	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	992	#endif
Christopher Haster	1:24750b9ad5ef	993
Christopher Haster	1:24750b9ad5ef	994	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Christopher Haster	1:24750b9ad5ef	995	ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	996	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	997	#endif
Christopher Haster	1:24750b9ad5ef	998
Christopher Haster	1:24750b9ad5ef	999	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Christopher Haster	1:24750b9ad5ef	1000	ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	1001	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	1002	#endif
Christopher Haster	1:24750b9ad5ef	1003
Christopher Haster	1:24750b9ad5ef	1004	#if defined(MBEDTLS_SSL_ALPN)
Christopher Haster	1:24750b9ad5ef	1005	ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	1006	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	1007	#endif
Christopher Haster	1:24750b9ad5ef	1008
Christopher Haster	1:24750b9ad5ef	1009	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	1010	ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster	1:24750b9ad5ef	1011	ext_len += olen;
Christopher Haster	1:24750b9ad5ef	1012	#endif
Christopher Haster	1:24750b9ad5ef	1013
Christopher Haster	1:24750b9ad5ef	1014	/* olen unused if all extensions are disabled */
Christopher Haster	1:24750b9ad5ef	1015	((void) olen);
Christopher Haster	1:24750b9ad5ef	1016
Christopher Haster	1:24750b9ad5ef	1017	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Christopher Haster	1:24750b9ad5ef	1018	ext_len ) );
Christopher Haster	1:24750b9ad5ef	1019
Christopher Haster	1:24750b9ad5ef	1020	if( ext_len > 0 )
Christopher Haster	1:24750b9ad5ef	1021	{
Christopher Haster	1:24750b9ad5ef	1022	*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	1023	*p++ = (unsigned char)( ( ext_len ) & 0xFF );
Christopher Haster	1:24750b9ad5ef	1024	p += ext_len;
Christopher Haster	1:24750b9ad5ef	1025	}
Christopher Haster	1:24750b9ad5ef	1026
Christopher Haster	1:24750b9ad5ef	1027	ssl->out_msglen = p - buf;
Christopher Haster	1:24750b9ad5ef	1028	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
Christopher Haster	1:24750b9ad5ef	1029	ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Christopher Haster	1:24750b9ad5ef	1030
Christopher Haster	1:24750b9ad5ef	1031	ssl->state++;
Christopher Haster	1:24750b9ad5ef	1032
Christopher Haster	1:24750b9ad5ef	1033	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	1034	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster	1:24750b9ad5ef	1035	mbedtls_ssl_send_flight_completed( ssl );
Christopher Haster	1:24750b9ad5ef	1036	#endif
Christopher Haster	1:24750b9ad5ef	1037
Christopher Haster	1:24750b9ad5ef	1038	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1039	{
Christopher Haster	1:24750b9ad5ef	1040	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Christopher Haster	1:24750b9ad5ef	1041	return( ret );
Christopher Haster	1:24750b9ad5ef	1042	}
Christopher Haster	1:24750b9ad5ef	1043
Christopher Haster	1:24750b9ad5ef	1044	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Christopher Haster	1:24750b9ad5ef	1045
Christopher Haster	1:24750b9ad5ef	1046	return( 0 );
Christopher Haster	1:24750b9ad5ef	1047	}
Christopher Haster	1:24750b9ad5ef	1048
Christopher Haster	1:24750b9ad5ef	1049	static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1050	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1051	size_t len )
Christopher Haster	1:24750b9ad5ef	1052	{
Christopher Haster	1:24750b9ad5ef	1053	int ret;
Christopher Haster	1:24750b9ad5ef	1054
Christopher Haster	1:24750b9ad5ef	1055	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	1056	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	1057	{
Christopher Haster	1:24750b9ad5ef	1058	/* Check verify-data in constant-time. The length OTOH is no secret */
Christopher Haster	1:24750b9ad5ef	1059	if( len != 1 + ssl->verify_data_len * 2 \|\|
Christopher Haster	1:24750b9ad5ef	1060	buf[0] != ssl->verify_data_len * 2 \|\|
Christopher Haster	1:24750b9ad5ef	1061	mbedtls_ssl_safer_memcmp( buf + 1,
Christopher Haster	1:24750b9ad5ef	1062	ssl->own_verify_data, ssl->verify_data_len ) != 0 \|\|
Christopher Haster	1:24750b9ad5ef	1063	mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Christopher Haster	1:24750b9ad5ef	1064	ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Christopher Haster	1:24750b9ad5ef	1065	{
Christopher Haster	1:24750b9ad5ef	1066	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Christopher Haster	1:24750b9ad5ef	1067
Christopher Haster	1:24750b9ad5ef	1068	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1069	return( ret );
Christopher Haster	1:24750b9ad5ef	1070
Christopher Haster	1:24750b9ad5ef	1071	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1072	}
Christopher Haster	1:24750b9ad5ef	1073	}
Christopher Haster	1:24750b9ad5ef	1074	else
Christopher Haster	1:24750b9ad5ef	1075	#endif /* MBEDTLS_SSL_RENEGOTIATION */
Christopher Haster	1:24750b9ad5ef	1076	{
Christopher Haster	1:24750b9ad5ef	1077	if( len != 1 \|\| buf[0] != 0x00 )
Christopher Haster	1:24750b9ad5ef	1078	{
Christopher Haster	1:24750b9ad5ef	1079	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Christopher Haster	1:24750b9ad5ef	1080
Christopher Haster	1:24750b9ad5ef	1081	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1082	return( ret );
Christopher Haster	1:24750b9ad5ef	1083
Christopher Haster	1:24750b9ad5ef	1084	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1085	}
Christopher Haster	1:24750b9ad5ef	1086
Christopher Haster	1:24750b9ad5ef	1087	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Christopher Haster	1:24750b9ad5ef	1088	}
Christopher Haster	1:24750b9ad5ef	1089
Christopher Haster	1:24750b9ad5ef	1090	return( 0 );
Christopher Haster	1:24750b9ad5ef	1091	}
Christopher Haster	1:24750b9ad5ef	1092
Christopher Haster	1:24750b9ad5ef	1093	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Christopher Haster	1:24750b9ad5ef	1094	static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1095	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1096	size_t len )
Christopher Haster	1:24750b9ad5ef	1097	{
Christopher Haster	1:24750b9ad5ef	1098	/*
Christopher Haster	1:24750b9ad5ef	1099	* server should use the extension only if we did,
Christopher Haster	1:24750b9ad5ef	1100	* and if so the server's value should match ours (and len is always 1)
Christopher Haster	1:24750b9ad5ef	1101	*/
Christopher Haster	1:24750b9ad5ef	1102	if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE \|\|
Christopher Haster	1:24750b9ad5ef	1103	len != 1 \|\|
Christopher Haster	1:24750b9ad5ef	1104	buf[0] != ssl->conf->mfl_code )
Christopher Haster	1:24750b9ad5ef	1105	{
Christopher Haster	1:24750b9ad5ef	1106	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1107	}
Christopher Haster	1:24750b9ad5ef	1108
Christopher Haster	1:24750b9ad5ef	1109	return( 0 );
Christopher Haster	1:24750b9ad5ef	1110	}
Christopher Haster	1:24750b9ad5ef	1111	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Christopher Haster	1:24750b9ad5ef	1112
Christopher Haster	1:24750b9ad5ef	1113	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Christopher Haster	1:24750b9ad5ef	1114	static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1115	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1116	size_t len )
Christopher Haster	1:24750b9ad5ef	1117	{
Christopher Haster	1:24750b9ad5ef	1118	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED \|\|
Christopher Haster	1:24750b9ad5ef	1119	len != 0 )
Christopher Haster	1:24750b9ad5ef	1120	{
Christopher Haster	1:24750b9ad5ef	1121	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1122	}
Christopher Haster	1:24750b9ad5ef	1123
Christopher Haster	1:24750b9ad5ef	1124	((void) buf);
Christopher Haster	1:24750b9ad5ef	1125
Christopher Haster	1:24750b9ad5ef	1126	ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Christopher Haster	1:24750b9ad5ef	1127
Christopher Haster	1:24750b9ad5ef	1128	return( 0 );
Christopher Haster	1:24750b9ad5ef	1129	}
Christopher Haster	1:24750b9ad5ef	1130	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Christopher Haster	1:24750b9ad5ef	1131
Christopher Haster	1:24750b9ad5ef	1132	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Christopher Haster	1:24750b9ad5ef	1133	static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1134	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1135	size_t len )
Christopher Haster	1:24750b9ad5ef	1136	{
Christopher Haster	1:24750b9ad5ef	1137	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED \|\|
Christopher Haster	1:24750b9ad5ef	1138	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
Christopher Haster	1:24750b9ad5ef	1139	len != 0 )
Christopher Haster	1:24750b9ad5ef	1140	{
Christopher Haster	1:24750b9ad5ef	1141	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1142	}
Christopher Haster	1:24750b9ad5ef	1143
Christopher Haster	1:24750b9ad5ef	1144	((void) buf);
Christopher Haster	1:24750b9ad5ef	1145
Christopher Haster	1:24750b9ad5ef	1146	ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Christopher Haster	1:24750b9ad5ef	1147
Christopher Haster	1:24750b9ad5ef	1148	return( 0 );
Christopher Haster	1:24750b9ad5ef	1149	}
Christopher Haster	1:24750b9ad5ef	1150	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Christopher Haster	1:24750b9ad5ef	1151
Christopher Haster	1:24750b9ad5ef	1152	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Christopher Haster	1:24750b9ad5ef	1153	static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1154	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1155	size_t len )
Christopher Haster	1:24750b9ad5ef	1156	{
Christopher Haster	1:24750b9ad5ef	1157	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
Christopher Haster	1:24750b9ad5ef	1158	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
Christopher Haster	1:24750b9ad5ef	1159	len != 0 )
Christopher Haster	1:24750b9ad5ef	1160	{
Christopher Haster	1:24750b9ad5ef	1161	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1162	}
Christopher Haster	1:24750b9ad5ef	1163
Christopher Haster	1:24750b9ad5ef	1164	((void) buf);
Christopher Haster	1:24750b9ad5ef	1165
Christopher Haster	1:24750b9ad5ef	1166	ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Christopher Haster	1:24750b9ad5ef	1167
Christopher Haster	1:24750b9ad5ef	1168	return( 0 );
Christopher Haster	1:24750b9ad5ef	1169	}
Christopher Haster	1:24750b9ad5ef	1170	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Christopher Haster	1:24750b9ad5ef	1171
Christopher Haster	1:24750b9ad5ef	1172	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	1173	static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1174	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1175	size_t len )
Christopher Haster	1:24750b9ad5ef	1176	{
Christopher Haster	1:24750b9ad5ef	1177	if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED \|\|
Christopher Haster	1:24750b9ad5ef	1178	len != 0 )
Christopher Haster	1:24750b9ad5ef	1179	{
Christopher Haster	1:24750b9ad5ef	1180	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1181	}
Christopher Haster	1:24750b9ad5ef	1182
Christopher Haster	1:24750b9ad5ef	1183	((void) buf);
Christopher Haster	1:24750b9ad5ef	1184
Christopher Haster	1:24750b9ad5ef	1185	ssl->handshake->new_session_ticket = 1;
Christopher Haster	1:24750b9ad5ef	1186
Christopher Haster	1:24750b9ad5ef	1187	return( 0 );
Christopher Haster	1:24750b9ad5ef	1188	}
Christopher Haster	1:24750b9ad5ef	1189	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster	1:24750b9ad5ef	1190
Christopher Haster	1:24750b9ad5ef	1191	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
Christopher Haster	1:24750b9ad5ef	1192	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	1193	static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1194	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1195	size_t len )
Christopher Haster	1:24750b9ad5ef	1196	{
Christopher Haster	1:24750b9ad5ef	1197	size_t list_size;
Christopher Haster	1:24750b9ad5ef	1198	const unsigned char *p;
Christopher Haster	1:24750b9ad5ef	1199
Christopher Haster	1:24750b9ad5ef	1200	list_size = buf[0];
Christopher Haster	1:24750b9ad5ef	1201	if( list_size + 1 != len )
Christopher Haster	1:24750b9ad5ef	1202	{
Christopher Haster	1:24750b9ad5ef	1203	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1204	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1205	}
Christopher Haster	1:24750b9ad5ef	1206
Christopher Haster	1:24750b9ad5ef	1207	p = buf + 1;
Christopher Haster	1:24750b9ad5ef	1208	while( list_size > 0 )
Christopher Haster	1:24750b9ad5ef	1209	{
Christopher Haster	1:24750b9ad5ef	1210	if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED \|\|
Christopher Haster	1:24750b9ad5ef	1211	p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Christopher Haster	1:24750b9ad5ef	1212	{
Christopher Haster	1:24750b9ad5ef	1213	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
Christopher Haster	1:24750b9ad5ef	1214	ssl->handshake->ecdh_ctx.point_format = p[0];
Christopher Haster	1:24750b9ad5ef	1215	#endif
Christopher Haster	1:24750b9ad5ef	1216	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	1217	ssl->handshake->ecjpake_ctx.point_format = p[0];
Christopher Haster	1:24750b9ad5ef	1218	#endif
Christopher Haster	1:24750b9ad5ef	1219	MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Christopher Haster	1:24750b9ad5ef	1220	return( 0 );
Christopher Haster	1:24750b9ad5ef	1221	}
Christopher Haster	1:24750b9ad5ef	1222
Christopher Haster	1:24750b9ad5ef	1223	list_size--;
Christopher Haster	1:24750b9ad5ef	1224	p++;
Christopher Haster	1:24750b9ad5ef	1225	}
Christopher Haster	1:24750b9ad5ef	1226
Christopher Haster	1:24750b9ad5ef	1227	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Christopher Haster	1:24750b9ad5ef	1228	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1229	}
Christopher Haster	1:24750b9ad5ef	1230	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
Christopher Haster	1:24750b9ad5ef	1231	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster	1:24750b9ad5ef	1232
Christopher Haster	1:24750b9ad5ef	1233	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	1234	static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1235	const unsigned char *buf,
Christopher Haster	1:24750b9ad5ef	1236	size_t len )
Christopher Haster	1:24750b9ad5ef	1237	{
Christopher Haster	1:24750b9ad5ef	1238	int ret;
Christopher Haster	1:24750b9ad5ef	1239
Christopher Haster	1:24750b9ad5ef	1240	if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
Christopher Haster	1:24750b9ad5ef	1241	MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Christopher Haster	1:24750b9ad5ef	1242	{
Christopher Haster	1:24750b9ad5ef	1243	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
Christopher Haster	1:24750b9ad5ef	1244	return( 0 );
Christopher Haster	1:24750b9ad5ef	1245	}
Christopher Haster	1:24750b9ad5ef	1246
Christopher Haster	1:24750b9ad5ef	1247	/* If we got here, we no longer need our cached extension */
Christopher Haster	1:24750b9ad5ef	1248	mbedtls_free( ssl->handshake->ecjpake_cache );
Christopher Haster	1:24750b9ad5ef	1249	ssl->handshake->ecjpake_cache = NULL;
Christopher Haster	1:24750b9ad5ef	1250	ssl->handshake->ecjpake_cache_len = 0;
Christopher Haster	1:24750b9ad5ef	1251
Christopher Haster	1:24750b9ad5ef	1252	if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
Christopher Haster	1:24750b9ad5ef	1253	buf, len ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1254	{
Christopher Haster	1:24750b9ad5ef	1255	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Christopher Haster	1:24750b9ad5ef	1256	return( ret );
Christopher Haster	1:24750b9ad5ef	1257	}
Christopher Haster	1:24750b9ad5ef	1258
Christopher Haster	1:24750b9ad5ef	1259	return( 0 );
Christopher Haster	1:24750b9ad5ef	1260	}
Christopher Haster	1:24750b9ad5ef	1261	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster	1:24750b9ad5ef	1262
Christopher Haster	1:24750b9ad5ef	1263	#if defined(MBEDTLS_SSL_ALPN)
Christopher Haster	1:24750b9ad5ef	1264	static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1265	const unsigned char *buf, size_t len )
Christopher Haster	1:24750b9ad5ef	1266	{
Christopher Haster	1:24750b9ad5ef	1267	size_t list_len, name_len;
Christopher Haster	1:24750b9ad5ef	1268	const char **p;
Christopher Haster	1:24750b9ad5ef	1269
Christopher Haster	1:24750b9ad5ef	1270	/* If we didn't send it, the server shouldn't send it */
Christopher Haster	1:24750b9ad5ef	1271	if( ssl->conf->alpn_list == NULL )
Christopher Haster	1:24750b9ad5ef	1272	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1273
Christopher Haster	1:24750b9ad5ef	1274	/*
Christopher Haster	1:24750b9ad5ef	1275	* opaque ProtocolName<1..2^8-1>;
Christopher Haster	1:24750b9ad5ef	1276	*
Christopher Haster	1:24750b9ad5ef	1277	* struct {
Christopher Haster	1:24750b9ad5ef	1278	* ProtocolName protocol_name_list<2..2^16-1>
Christopher Haster	1:24750b9ad5ef	1279	* } ProtocolNameList;
Christopher Haster	1:24750b9ad5ef	1280	*
Christopher Haster	1:24750b9ad5ef	1281	* the "ProtocolNameList" MUST contain exactly one "ProtocolName"
Christopher Haster	1:24750b9ad5ef	1282	*/
Christopher Haster	1:24750b9ad5ef	1283
Christopher Haster	1:24750b9ad5ef	1284	/* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
Christopher Haster	1:24750b9ad5ef	1285	if( len < 4 )
Christopher Haster	1:24750b9ad5ef	1286	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1287
Christopher Haster	1:24750b9ad5ef	1288	list_len = ( buf[0] << 8 ) \| buf[1];
Christopher Haster	1:24750b9ad5ef	1289	if( list_len != len - 2 )
Christopher Haster	1:24750b9ad5ef	1290	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1291
Christopher Haster	1:24750b9ad5ef	1292	name_len = buf[2];
Christopher Haster	1:24750b9ad5ef	1293	if( name_len != list_len - 1 )
Christopher Haster	1:24750b9ad5ef	1294	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1295
Christopher Haster	1:24750b9ad5ef	1296	/* Check that the server chosen protocol was in our list and save it */
Christopher Haster	1:24750b9ad5ef	1297	for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Christopher Haster	1:24750b9ad5ef	1298	{
Christopher Haster	1:24750b9ad5ef	1299	if( name_len == strlen( *p ) &&
Christopher Haster	1:24750b9ad5ef	1300	memcmp( buf + 3, *p, name_len ) == 0 )
Christopher Haster	1:24750b9ad5ef	1301	{
Christopher Haster	1:24750b9ad5ef	1302	ssl->alpn_chosen = *p;
Christopher Haster	1:24750b9ad5ef	1303	return( 0 );
Christopher Haster	1:24750b9ad5ef	1304	}
Christopher Haster	1:24750b9ad5ef	1305	}
Christopher Haster	1:24750b9ad5ef	1306
Christopher Haster	1:24750b9ad5ef	1307	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1308	}
Christopher Haster	1:24750b9ad5ef	1309	#endif /* MBEDTLS_SSL_ALPN */
Christopher Haster	1:24750b9ad5ef	1310
Christopher Haster	1:24750b9ad5ef	1311	/*
Christopher Haster	1:24750b9ad5ef	1312	* Parse HelloVerifyRequest. Only called after verifying the HS type.
Christopher Haster	1:24750b9ad5ef	1313	*/
Christopher Haster	1:24750b9ad5ef	1314	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	1315	static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	1316	{
Christopher Haster	1:24750b9ad5ef	1317	const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Christopher Haster	1:24750b9ad5ef	1318	int major_ver, minor_ver;
Christopher Haster	1:24750b9ad5ef	1319	unsigned char cookie_len;
Christopher Haster	1:24750b9ad5ef	1320
Christopher Haster	1:24750b9ad5ef	1321	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Christopher Haster	1:24750b9ad5ef	1322
Christopher Haster	1:24750b9ad5ef	1323	/*
Christopher Haster	1:24750b9ad5ef	1324	* struct {
Christopher Haster	1:24750b9ad5ef	1325	* ProtocolVersion server_version;
Christopher Haster	1:24750b9ad5ef	1326	* opaque cookie<0..2^8-1>;
Christopher Haster	1:24750b9ad5ef	1327	* } HelloVerifyRequest;
Christopher Haster	1:24750b9ad5ef	1328	*/
Christopher Haster	1:24750b9ad5ef	1329	MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Christopher Haster	1:24750b9ad5ef	1330	mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Christopher Haster	1:24750b9ad5ef	1331	p += 2;
Christopher Haster	1:24750b9ad5ef	1332
Christopher Haster	1:24750b9ad5ef	1333	/*
Christopher Haster	1:24750b9ad5ef	1334	* Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
Christopher Haster	1:24750b9ad5ef	1335	* even is lower than our min version.
Christopher Haster	1:24750b9ad5ef	1336	*/
Christopher Haster	1:24750b9ad5ef	1337	if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 \|\|
Christopher Haster	1:24750b9ad5ef	1338	minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 \|\|
Christopher Haster	1:24750b9ad5ef	1339	major_ver > ssl->conf->max_major_ver \|\|
Christopher Haster	1:24750b9ad5ef	1340	minor_ver > ssl->conf->max_minor_ver )
Christopher Haster	1:24750b9ad5ef	1341	{
Christopher Haster	1:24750b9ad5ef	1342	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Christopher Haster	1:24750b9ad5ef	1343
Christopher Haster	1:24750b9ad5ef	1344	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Christopher Haster	1:24750b9ad5ef	1345	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Christopher Haster	1:24750b9ad5ef	1346
Christopher Haster	1:24750b9ad5ef	1347	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Christopher Haster	1:24750b9ad5ef	1348	}
Christopher Haster	1:24750b9ad5ef	1349
Christopher Haster	1:24750b9ad5ef	1350	cookie_len = *p++;
Christopher Haster	1:24750b9ad5ef	1351	MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Christopher Haster	1:24750b9ad5ef	1352
Christopher Haster	1:24750b9ad5ef	1353	mbedtls_free( ssl->handshake->verify_cookie );
Christopher Haster	1:24750b9ad5ef	1354
Christopher Haster	1:24750b9ad5ef	1355	ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Christopher Haster	1:24750b9ad5ef	1356	if( ssl->handshake->verify_cookie == NULL )
Christopher Haster	1:24750b9ad5ef	1357	{
Christopher Haster	1:24750b9ad5ef	1358	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Christopher Haster	1:24750b9ad5ef	1359	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Christopher Haster	1:24750b9ad5ef	1360	}
Christopher Haster	1:24750b9ad5ef	1361
Christopher Haster	1:24750b9ad5ef	1362	memcpy( ssl->handshake->verify_cookie, p, cookie_len );
Christopher Haster	1:24750b9ad5ef	1363	ssl->handshake->verify_cookie_len = cookie_len;
Christopher Haster	1:24750b9ad5ef	1364
Christopher Haster	1:24750b9ad5ef	1365	/* Start over at ClientHello */
Christopher Haster	1:24750b9ad5ef	1366	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Christopher Haster	1:24750b9ad5ef	1367	mbedtls_ssl_reset_checksum( ssl );
Christopher Haster	1:24750b9ad5ef	1368
Christopher Haster	1:24750b9ad5ef	1369	mbedtls_ssl_recv_flight_completed( ssl );
Christopher Haster	1:24750b9ad5ef	1370
Christopher Haster	1:24750b9ad5ef	1371	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Christopher Haster	1:24750b9ad5ef	1372
Christopher Haster	1:24750b9ad5ef	1373	return( 0 );
Christopher Haster	1:24750b9ad5ef	1374	}
Christopher Haster	1:24750b9ad5ef	1375	#endif /* MBEDTLS_SSL_PROTO_DTLS */
Christopher Haster	1:24750b9ad5ef	1376
Christopher Haster	1:24750b9ad5ef	1377	static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	1378	{
Christopher Haster	1:24750b9ad5ef	1379	int ret, i;
Christopher Haster	1:24750b9ad5ef	1380	size_t n;
Christopher Haster	1:24750b9ad5ef	1381	size_t ext_len;
Christopher Haster	1:24750b9ad5ef	1382	unsigned char buf, ext;
Christopher Haster	1:24750b9ad5ef	1383	unsigned char comp;
Christopher Haster	1:24750b9ad5ef	1384	#if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster	1:24750b9ad5ef	1385	int accept_comp;
Christopher Haster	1:24750b9ad5ef	1386	#endif
Christopher Haster	1:24750b9ad5ef	1387	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	1388	int renegotiation_info_seen = 0;
Christopher Haster	1:24750b9ad5ef	1389	#endif
Christopher Haster	1:24750b9ad5ef	1390	int handshake_failure = 0;
Christopher Haster	1:24750b9ad5ef	1391	const mbedtls_ssl_ciphersuite_t *suite_info;
Christopher Haster	1:24750b9ad5ef	1392	#if defined(MBEDTLS_DEBUG_C)
Christopher Haster	1:24750b9ad5ef	1393	uint32_t t;
Christopher Haster	1:24750b9ad5ef	1394	#endif
Christopher Haster	1:24750b9ad5ef	1395
Christopher Haster	1:24750b9ad5ef	1396	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Christopher Haster	1:24750b9ad5ef	1397
Christopher Haster	1:24750b9ad5ef	1398	buf = ssl->in_msg;
Christopher Haster	1:24750b9ad5ef	1399
Christopher Haster	1:24750b9ad5ef	1400	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1401	{
Christopher Haster	1:24750b9ad5ef	1402	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Christopher Haster	1:24750b9ad5ef	1403	return( ret );
Christopher Haster	1:24750b9ad5ef	1404	}
Christopher Haster	1:24750b9ad5ef	1405
Christopher Haster	1:24750b9ad5ef	1406	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	1407	{
Christopher Haster	1:24750b9ad5ef	1408	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	1409	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Christopher Haster	1:24750b9ad5ef	1410	{
Christopher Haster	1:24750b9ad5ef	1411	ssl->renego_records_seen++;
Christopher Haster	1:24750b9ad5ef	1412
Christopher Haster	1:24750b9ad5ef	1413	if( ssl->conf->renego_max_records >= 0 &&
Christopher Haster	1:24750b9ad5ef	1414	ssl->renego_records_seen > ssl->conf->renego_max_records )
Christopher Haster	1:24750b9ad5ef	1415	{
Christopher Haster	1:24750b9ad5ef	1416	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Christopher Haster	1:24750b9ad5ef	1417	"but not honored by server" ) );
Christopher Haster	1:24750b9ad5ef	1418	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	1419	}
Christopher Haster	1:24750b9ad5ef	1420
Christopher Haster	1:24750b9ad5ef	1421	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
Christopher Haster	1:24750b9ad5ef	1422	return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Christopher Haster	1:24750b9ad5ef	1423	}
Christopher Haster	1:24750b9ad5ef	1424	#endif /* MBEDTLS_SSL_RENEGOTIATION */
Christopher Haster	1:24750b9ad5ef	1425
Christopher Haster	1:24750b9ad5ef	1426	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1427	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	1428	}
Christopher Haster	1:24750b9ad5ef	1429
Christopher Haster	1:24750b9ad5ef	1430	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	1431	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster	1:24750b9ad5ef	1432	{
Christopher Haster	1:24750b9ad5ef	1433	if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Christopher Haster	1:24750b9ad5ef	1434	{
Christopher Haster	1:24750b9ad5ef	1435	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
Christopher Haster	1:24750b9ad5ef	1436	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Christopher Haster	1:24750b9ad5ef	1437	return( ssl_parse_hello_verify_request( ssl ) );
Christopher Haster	1:24750b9ad5ef	1438	}
Christopher Haster	1:24750b9ad5ef	1439	else
Christopher Haster	1:24750b9ad5ef	1440	{
Christopher Haster	1:24750b9ad5ef	1441	/* We made it through the verification process */
Christopher Haster	1:24750b9ad5ef	1442	mbedtls_free( ssl->handshake->verify_cookie );
Christopher Haster	1:24750b9ad5ef	1443	ssl->handshake->verify_cookie = NULL;
Christopher Haster	1:24750b9ad5ef	1444	ssl->handshake->verify_cookie_len = 0;
Christopher Haster	1:24750b9ad5ef	1445	}
Christopher Haster	1:24750b9ad5ef	1446	}
Christopher Haster	1:24750b9ad5ef	1447	#endif /* MBEDTLS_SSL_PROTO_DTLS */
Christopher Haster	1:24750b9ad5ef	1448
Christopher Haster	1:24750b9ad5ef	1449	if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) \|\|
Christopher Haster	1:24750b9ad5ef	1450	buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Christopher Haster	1:24750b9ad5ef	1451	{
Christopher Haster	1:24750b9ad5ef	1452	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1453	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1454	}
Christopher Haster	1:24750b9ad5ef	1455
Christopher Haster	1:24750b9ad5ef	1456	/*
Christopher Haster	1:24750b9ad5ef	1457	* 0 . 1 server_version
Christopher Haster	1:24750b9ad5ef	1458	* 2 . 33 random (maybe including 4 bytes of Unix time)
Christopher Haster	1:24750b9ad5ef	1459	* 34 . 34 session_id length = n
Christopher Haster	1:24750b9ad5ef	1460	* 35 . 34+n session_id
Christopher Haster	1:24750b9ad5ef	1461	* 35+n . 36+n cipher_suite
Christopher Haster	1:24750b9ad5ef	1462	* 37+n . 37+n compression_method
Christopher Haster	1:24750b9ad5ef	1463	*
Christopher Haster	1:24750b9ad5ef	1464	* 38+n . 39+n extensions length (optional)
Christopher Haster	1:24750b9ad5ef	1465	* 40+n . .. extensions
Christopher Haster	1:24750b9ad5ef	1466	*/
Christopher Haster	1:24750b9ad5ef	1467	buf += mbedtls_ssl_hs_hdr_len( ssl );
Christopher Haster	1:24750b9ad5ef	1468
Christopher Haster	1:24750b9ad5ef	1469	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
Christopher Haster	1:24750b9ad5ef	1470	mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Christopher Haster	1:24750b9ad5ef	1471	ssl->conf->transport, buf + 0 );
Christopher Haster	1:24750b9ad5ef	1472
Christopher Haster	1:24750b9ad5ef	1473	if( ssl->major_ver < ssl->conf->min_major_ver \|\|
Christopher Haster	1:24750b9ad5ef	1474	ssl->minor_ver < ssl->conf->min_minor_ver \|\|
Christopher Haster	1:24750b9ad5ef	1475	ssl->major_ver > ssl->conf->max_major_ver \|\|
Christopher Haster	1:24750b9ad5ef	1476	ssl->minor_ver > ssl->conf->max_minor_ver )
Christopher Haster	1:24750b9ad5ef	1477	{
Christopher Haster	1:24750b9ad5ef	1478	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Christopher Haster	1:24750b9ad5ef	1479	" min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Christopher Haster	1:24750b9ad5ef	1480	ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Christopher Haster	1:24750b9ad5ef	1481	ssl->major_ver, ssl->minor_ver,
Christopher Haster	1:24750b9ad5ef	1482	ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Christopher Haster	1:24750b9ad5ef	1483
Christopher Haster	1:24750b9ad5ef	1484	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Christopher Haster	1:24750b9ad5ef	1485	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Christopher Haster	1:24750b9ad5ef	1486
Christopher Haster	1:24750b9ad5ef	1487	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Christopher Haster	1:24750b9ad5ef	1488	}
Christopher Haster	1:24750b9ad5ef	1489
Christopher Haster	1:24750b9ad5ef	1490	#if defined(MBEDTLS_DEBUG_C)
Christopher Haster	1:24750b9ad5ef	1491	t = ( (uint32_t) buf[2] << 24 )
Christopher Haster	1:24750b9ad5ef	1492	\| ( (uint32_t) buf[3] << 16 )
Christopher Haster	1:24750b9ad5ef	1493	\| ( (uint32_t) buf[4] << 8 )
Christopher Haster	1:24750b9ad5ef	1494	\| ( (uint32_t) buf[5] );
Christopher Haster	1:24750b9ad5ef	1495	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Christopher Haster	1:24750b9ad5ef	1496	#endif
Christopher Haster	1:24750b9ad5ef	1497
Christopher Haster	1:24750b9ad5ef	1498	memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Christopher Haster	1:24750b9ad5ef	1499
Christopher Haster	1:24750b9ad5ef	1500	n = buf[34];
Christopher Haster	1:24750b9ad5ef	1501
Christopher Haster	1:24750b9ad5ef	1502	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Christopher Haster	1:24750b9ad5ef	1503
Christopher Haster	1:24750b9ad5ef	1504	if( n > 32 )
Christopher Haster	1:24750b9ad5ef	1505	{
Christopher Haster	1:24750b9ad5ef	1506	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1507	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1508	}
Christopher Haster	1:24750b9ad5ef	1509
Christopher Haster	1:24750b9ad5ef	1510	if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Christopher Haster	1:24750b9ad5ef	1511	{
Christopher Haster	1:24750b9ad5ef	1512	ext_len = ( ( buf[38 + n] << 8 )
Christopher Haster	1:24750b9ad5ef	1513	\| ( buf[39 + n] ) );
Christopher Haster	1:24750b9ad5ef	1514
Christopher Haster	1:24750b9ad5ef	1515	if( ( ext_len > 0 && ext_len < 4 ) \|\|
Christopher Haster	1:24750b9ad5ef	1516	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Christopher Haster	1:24750b9ad5ef	1517	{
Christopher Haster	1:24750b9ad5ef	1518	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1519	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1520	}
Christopher Haster	1:24750b9ad5ef	1521	}
Christopher Haster	1:24750b9ad5ef	1522	else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Christopher Haster	1:24750b9ad5ef	1523	{
Christopher Haster	1:24750b9ad5ef	1524	ext_len = 0;
Christopher Haster	1:24750b9ad5ef	1525	}
Christopher Haster	1:24750b9ad5ef	1526	else
Christopher Haster	1:24750b9ad5ef	1527	{
Christopher Haster	1:24750b9ad5ef	1528	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1529	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1530	}
Christopher Haster	1:24750b9ad5ef	1531
Christopher Haster	1:24750b9ad5ef	1532	/* ciphersuite (used later) */
Christopher Haster	1:24750b9ad5ef	1533	i = ( buf[35 + n] << 8 ) \| buf[36 + n];
Christopher Haster	1:24750b9ad5ef	1534
Christopher Haster	1:24750b9ad5ef	1535	/*
Christopher Haster	1:24750b9ad5ef	1536	* Read and check compression
Christopher Haster	1:24750b9ad5ef	1537	*/
Christopher Haster	1:24750b9ad5ef	1538	comp = buf[37 + n];
Christopher Haster	1:24750b9ad5ef	1539
Christopher Haster	1:24750b9ad5ef	1540	#if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster	1:24750b9ad5ef	1541	/* See comments in ssl_write_client_hello() */
Christopher Haster	1:24750b9ad5ef	1542	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	1543	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster	1:24750b9ad5ef	1544	accept_comp = 0;
Christopher Haster	1:24750b9ad5ef	1545	else
Christopher Haster	1:24750b9ad5ef	1546	#endif
Christopher Haster	1:24750b9ad5ef	1547	accept_comp = 1;
Christopher Haster	1:24750b9ad5ef	1548
Christopher Haster	1:24750b9ad5ef	1549	if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
Christopher Haster	1:24750b9ad5ef	1550	( comp != MBEDTLS_SSL_COMPRESS_DEFLATE \|\| accept_comp == 0 ) )
Christopher Haster	1:24750b9ad5ef	1551	#else /* MBEDTLS_ZLIB_SUPPORT */
Christopher Haster	1:24750b9ad5ef	1552	if( comp != MBEDTLS_SSL_COMPRESS_NULL )
Christopher Haster	1:24750b9ad5ef	1553	#endif/* MBEDTLS_ZLIB_SUPPORT */
Christopher Haster	1:24750b9ad5ef	1554	{
Christopher Haster	1:24750b9ad5ef	1555	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
Christopher Haster	1:24750b9ad5ef	1556	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Christopher Haster	1:24750b9ad5ef	1557	}
Christopher Haster	1:24750b9ad5ef	1558
Christopher Haster	1:24750b9ad5ef	1559	/*
Christopher Haster	1:24750b9ad5ef	1560	* Initialize update checksum functions
Christopher Haster	1:24750b9ad5ef	1561	*/
Christopher Haster	1:24750b9ad5ef	1562	ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
Christopher Haster	1:24750b9ad5ef	1563
Christopher Haster	1:24750b9ad5ef	1564	if( ssl->transform_negotiate->ciphersuite_info == NULL )
Christopher Haster	1:24750b9ad5ef	1565	{
Christopher Haster	1:24750b9ad5ef	1566	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
Christopher Haster	1:24750b9ad5ef	1567	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Christopher Haster	1:24750b9ad5ef	1568	}
Christopher Haster	1:24750b9ad5ef	1569
Christopher Haster	1:24750b9ad5ef	1570	mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Christopher Haster	1:24750b9ad5ef	1571
Christopher Haster	1:24750b9ad5ef	1572	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
Christopher Haster	1:24750b9ad5ef	1573	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Christopher Haster	1:24750b9ad5ef	1574
Christopher Haster	1:24750b9ad5ef	1575	/*
Christopher Haster	1:24750b9ad5ef	1576	* Check if the session can be resumed
Christopher Haster	1:24750b9ad5ef	1577	*/
Christopher Haster	1:24750b9ad5ef	1578	if( ssl->handshake->resume == 0 \|\| n == 0 \|\|
Christopher Haster	1:24750b9ad5ef	1579	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	1580	ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE \|\|
Christopher Haster	1:24750b9ad5ef	1581	#endif
Christopher Haster	1:24750b9ad5ef	1582	ssl->session_negotiate->ciphersuite != i \|\|
Christopher Haster	1:24750b9ad5ef	1583	ssl->session_negotiate->compression != comp \|\|
Christopher Haster	1:24750b9ad5ef	1584	ssl->session_negotiate->id_len != n \|\|
Christopher Haster	1:24750b9ad5ef	1585	memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Christopher Haster	1:24750b9ad5ef	1586	{
Christopher Haster	1:24750b9ad5ef	1587	ssl->state++;
Christopher Haster	1:24750b9ad5ef	1588	ssl->handshake->resume = 0;
Christopher Haster	1:24750b9ad5ef	1589	#if defined(MBEDTLS_HAVE_TIME)
Christopher Haster	1:24750b9ad5ef	1590	ssl->session_negotiate->start = time( NULL );
Christopher Haster	1:24750b9ad5ef	1591	#endif
Christopher Haster	1:24750b9ad5ef	1592	ssl->session_negotiate->ciphersuite = i;
Christopher Haster	1:24750b9ad5ef	1593	ssl->session_negotiate->compression = comp;
Christopher Haster	1:24750b9ad5ef	1594	ssl->session_negotiate->id_len = n;
Christopher Haster	1:24750b9ad5ef	1595	memcpy( ssl->session_negotiate->id, buf + 35, n );
Christopher Haster	1:24750b9ad5ef	1596	}
Christopher Haster	1:24750b9ad5ef	1597	else
Christopher Haster	1:24750b9ad5ef	1598	{
Christopher Haster	1:24750b9ad5ef	1599	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Christopher Haster	1:24750b9ad5ef	1600
Christopher Haster	1:24750b9ad5ef	1601	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1602	{
Christopher Haster	1:24750b9ad5ef	1603	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Christopher Haster	1:24750b9ad5ef	1604	return( ret );
Christopher Haster	1:24750b9ad5ef	1605	}
Christopher Haster	1:24750b9ad5ef	1606	}
Christopher Haster	1:24750b9ad5ef	1607
Christopher Haster	1:24750b9ad5ef	1608	MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Christopher Haster	1:24750b9ad5ef	1609	ssl->handshake->resume ? "a" : "no" ) );
Christopher Haster	1:24750b9ad5ef	1610
Christopher Haster	1:24750b9ad5ef	1611	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Christopher Haster	1:24750b9ad5ef	1612	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Christopher Haster	1:24750b9ad5ef	1613
Christopher Haster	1:24750b9ad5ef	1614	suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
Christopher Haster	1:24750b9ad5ef	1615	if( suite_info == NULL
Christopher Haster	1:24750b9ad5ef	1616	#if defined(MBEDTLS_ARC4_C)
Christopher Haster	1:24750b9ad5ef	1617	\|\| ( ssl->conf->arc4_disabled &&
Christopher Haster	1:24750b9ad5ef	1618	suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
Christopher Haster	1:24750b9ad5ef	1619	#endif
Christopher Haster	1:24750b9ad5ef	1620	)
Christopher Haster	1:24750b9ad5ef	1621	{
Christopher Haster	1:24750b9ad5ef	1622	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1623	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1624	}
Christopher Haster	1:24750b9ad5ef	1625
Christopher Haster	1:24750b9ad5ef	1626	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
Christopher Haster	1:24750b9ad5ef	1627
Christopher Haster	1:24750b9ad5ef	1628	i = 0;
Christopher Haster	1:24750b9ad5ef	1629	while( 1 )
Christopher Haster	1:24750b9ad5ef	1630	{
Christopher Haster	1:24750b9ad5ef	1631	if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
Christopher Haster	1:24750b9ad5ef	1632	{
Christopher Haster	1:24750b9ad5ef	1633	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1634	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1635	}
Christopher Haster	1:24750b9ad5ef	1636
Christopher Haster	1:24750b9ad5ef	1637	if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
Christopher Haster	1:24750b9ad5ef	1638	ssl->session_negotiate->ciphersuite )
Christopher Haster	1:24750b9ad5ef	1639	{
Christopher Haster	1:24750b9ad5ef	1640	break;
Christopher Haster	1:24750b9ad5ef	1641	}
Christopher Haster	1:24750b9ad5ef	1642	}
Christopher Haster	1:24750b9ad5ef	1643
Christopher Haster	1:24750b9ad5ef	1644	if( comp != MBEDTLS_SSL_COMPRESS_NULL
Christopher Haster	1:24750b9ad5ef	1645	#if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster	1:24750b9ad5ef	1646	&& comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Christopher Haster	1:24750b9ad5ef	1647	#endif
Christopher Haster	1:24750b9ad5ef	1648	)
Christopher Haster	1:24750b9ad5ef	1649	{
Christopher Haster	1:24750b9ad5ef	1650	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1651	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1652	}
Christopher Haster	1:24750b9ad5ef	1653	ssl->session_negotiate->compression = comp;
Christopher Haster	1:24750b9ad5ef	1654
Christopher Haster	1:24750b9ad5ef	1655	ext = buf + 40 + n;
Christopher Haster	1:24750b9ad5ef	1656
Christopher Haster	1:24750b9ad5ef	1657	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Christopher Haster	1:24750b9ad5ef	1658
Christopher Haster	1:24750b9ad5ef	1659	while( ext_len )
Christopher Haster	1:24750b9ad5ef	1660	{
Christopher Haster	1:24750b9ad5ef	1661	unsigned int ext_id = ( ( ext[0] << 8 )
Christopher Haster	1:24750b9ad5ef	1662	\| ( ext[1] ) );
Christopher Haster	1:24750b9ad5ef	1663	unsigned int ext_size = ( ( ext[2] << 8 )
Christopher Haster	1:24750b9ad5ef	1664	\| ( ext[3] ) );
Christopher Haster	1:24750b9ad5ef	1665
Christopher Haster	1:24750b9ad5ef	1666	if( ext_size + 4 > ext_len )
Christopher Haster	1:24750b9ad5ef	1667	{
Christopher Haster	1:24750b9ad5ef	1668	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1669	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1670	}
Christopher Haster	1:24750b9ad5ef	1671
Christopher Haster	1:24750b9ad5ef	1672	switch( ext_id )
Christopher Haster	1:24750b9ad5ef	1673	{
Christopher Haster	1:24750b9ad5ef	1674	case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Christopher Haster	1:24750b9ad5ef	1675	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
Christopher Haster	1:24750b9ad5ef	1676	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	1677	renegotiation_info_seen = 1;
Christopher Haster	1:24750b9ad5ef	1678	#endif
Christopher Haster	1:24750b9ad5ef	1679
Christopher Haster	1:24750b9ad5ef	1680	if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
Christopher Haster	1:24750b9ad5ef	1681	ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1682	return( ret );
Christopher Haster	1:24750b9ad5ef	1683
Christopher Haster	1:24750b9ad5ef	1684	break;
Christopher Haster	1:24750b9ad5ef	1685
Christopher Haster	1:24750b9ad5ef	1686	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Christopher Haster	1:24750b9ad5ef	1687	case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Christopher Haster	1:24750b9ad5ef	1688	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Christopher Haster	1:24750b9ad5ef	1689
Christopher Haster	1:24750b9ad5ef	1690	if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
Christopher Haster	1:24750b9ad5ef	1691	ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1692	{
Christopher Haster	1:24750b9ad5ef	1693	return( ret );
Christopher Haster	1:24750b9ad5ef	1694	}
Christopher Haster	1:24750b9ad5ef	1695
Christopher Haster	1:24750b9ad5ef	1696	break;
Christopher Haster	1:24750b9ad5ef	1697	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Christopher Haster	1:24750b9ad5ef	1698
Christopher Haster	1:24750b9ad5ef	1699	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Christopher Haster	1:24750b9ad5ef	1700	case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
Christopher Haster	1:24750b9ad5ef	1701	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Christopher Haster	1:24750b9ad5ef	1702
Christopher Haster	1:24750b9ad5ef	1703	if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
Christopher Haster	1:24750b9ad5ef	1704	ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1705	{
Christopher Haster	1:24750b9ad5ef	1706	return( ret );
Christopher Haster	1:24750b9ad5ef	1707	}
Christopher Haster	1:24750b9ad5ef	1708
Christopher Haster	1:24750b9ad5ef	1709	break;
Christopher Haster	1:24750b9ad5ef	1710	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Christopher Haster	1:24750b9ad5ef	1711
Christopher Haster	1:24750b9ad5ef	1712	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Christopher Haster	1:24750b9ad5ef	1713	case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Christopher Haster	1:24750b9ad5ef	1714	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Christopher Haster	1:24750b9ad5ef	1715
Christopher Haster	1:24750b9ad5ef	1716	if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
Christopher Haster	1:24750b9ad5ef	1717	ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1718	{
Christopher Haster	1:24750b9ad5ef	1719	return( ret );
Christopher Haster	1:24750b9ad5ef	1720	}
Christopher Haster	1:24750b9ad5ef	1721
Christopher Haster	1:24750b9ad5ef	1722	break;
Christopher Haster	1:24750b9ad5ef	1723	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Christopher Haster	1:24750b9ad5ef	1724
Christopher Haster	1:24750b9ad5ef	1725	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Christopher Haster	1:24750b9ad5ef	1726	case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Christopher Haster	1:24750b9ad5ef	1727	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Christopher Haster	1:24750b9ad5ef	1728
Christopher Haster	1:24750b9ad5ef	1729	if( ( ret = ssl_parse_extended_ms_ext( ssl,
Christopher Haster	1:24750b9ad5ef	1730	ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1731	{
Christopher Haster	1:24750b9ad5ef	1732	return( ret );
Christopher Haster	1:24750b9ad5ef	1733	}
Christopher Haster	1:24750b9ad5ef	1734
Christopher Haster	1:24750b9ad5ef	1735	break;
Christopher Haster	1:24750b9ad5ef	1736	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Christopher Haster	1:24750b9ad5ef	1737
Christopher Haster	1:24750b9ad5ef	1738	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	1739	case MBEDTLS_TLS_EXT_SESSION_TICKET:
Christopher Haster	1:24750b9ad5ef	1740	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Christopher Haster	1:24750b9ad5ef	1741
Christopher Haster	1:24750b9ad5ef	1742	if( ( ret = ssl_parse_session_ticket_ext( ssl,
Christopher Haster	1:24750b9ad5ef	1743	ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1744	{
Christopher Haster	1:24750b9ad5ef	1745	return( ret );
Christopher Haster	1:24750b9ad5ef	1746	}
Christopher Haster	1:24750b9ad5ef	1747
Christopher Haster	1:24750b9ad5ef	1748	break;
Christopher Haster	1:24750b9ad5ef	1749	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster	1:24750b9ad5ef	1750
Christopher Haster	1:24750b9ad5ef	1751	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
Christopher Haster	1:24750b9ad5ef	1752	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	1753	case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Christopher Haster	1:24750b9ad5ef	1754	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Christopher Haster	1:24750b9ad5ef	1755
Christopher Haster	1:24750b9ad5ef	1756	if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
Christopher Haster	1:24750b9ad5ef	1757	ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1758	{
Christopher Haster	1:24750b9ad5ef	1759	return( ret );
Christopher Haster	1:24750b9ad5ef	1760	}
Christopher Haster	1:24750b9ad5ef	1761
Christopher Haster	1:24750b9ad5ef	1762	break;
Christopher Haster	1:24750b9ad5ef	1763	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
Christopher Haster	1:24750b9ad5ef	1764	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster	1:24750b9ad5ef	1765
Christopher Haster	1:24750b9ad5ef	1766	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	1767	case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Christopher Haster	1:24750b9ad5ef	1768	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
Christopher Haster	1:24750b9ad5ef	1769
Christopher Haster	1:24750b9ad5ef	1770	if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
Christopher Haster	1:24750b9ad5ef	1771	ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1772	{
Christopher Haster	1:24750b9ad5ef	1773	return( ret );
Christopher Haster	1:24750b9ad5ef	1774	}
Christopher Haster	1:24750b9ad5ef	1775
Christopher Haster	1:24750b9ad5ef	1776	break;
Christopher Haster	1:24750b9ad5ef	1777	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster	1:24750b9ad5ef	1778
Christopher Haster	1:24750b9ad5ef	1779	#if defined(MBEDTLS_SSL_ALPN)
Christopher Haster	1:24750b9ad5ef	1780	case MBEDTLS_TLS_EXT_ALPN:
Christopher Haster	1:24750b9ad5ef	1781	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Christopher Haster	1:24750b9ad5ef	1782
Christopher Haster	1:24750b9ad5ef	1783	if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1784	return( ret );
Christopher Haster	1:24750b9ad5ef	1785
Christopher Haster	1:24750b9ad5ef	1786	break;
Christopher Haster	1:24750b9ad5ef	1787	#endif /* MBEDTLS_SSL_ALPN */
Christopher Haster	1:24750b9ad5ef	1788
Christopher Haster	1:24750b9ad5ef	1789	default:
Christopher Haster	1:24750b9ad5ef	1790	MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Christopher Haster	1:24750b9ad5ef	1791	ext_id ) );
Christopher Haster	1:24750b9ad5ef	1792	}
Christopher Haster	1:24750b9ad5ef	1793
Christopher Haster	1:24750b9ad5ef	1794	ext_len -= 4 + ext_size;
Christopher Haster	1:24750b9ad5ef	1795	ext += 4 + ext_size;
Christopher Haster	1:24750b9ad5ef	1796
Christopher Haster	1:24750b9ad5ef	1797	if( ext_len > 0 && ext_len < 4 )
Christopher Haster	1:24750b9ad5ef	1798	{
Christopher Haster	1:24750b9ad5ef	1799	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster	1:24750b9ad5ef	1800	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1801	}
Christopher Haster	1:24750b9ad5ef	1802	}
Christopher Haster	1:24750b9ad5ef	1803
Christopher Haster	1:24750b9ad5ef	1804	/*
Christopher Haster	1:24750b9ad5ef	1805	* Renegotiation security checks
Christopher Haster	1:24750b9ad5ef	1806	*/
Christopher Haster	1:24750b9ad5ef	1807	if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Christopher Haster	1:24750b9ad5ef	1808	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	1809	{
Christopher Haster	1:24750b9ad5ef	1810	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Christopher Haster	1:24750b9ad5ef	1811	handshake_failure = 1;
Christopher Haster	1:24750b9ad5ef	1812	}
Christopher Haster	1:24750b9ad5ef	1813	#if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster	1:24750b9ad5ef	1814	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Christopher Haster	1:24750b9ad5ef	1815	ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Christopher Haster	1:24750b9ad5ef	1816	renegotiation_info_seen == 0 )
Christopher Haster	1:24750b9ad5ef	1817	{
Christopher Haster	1:24750b9ad5ef	1818	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Christopher Haster	1:24750b9ad5ef	1819	handshake_failure = 1;
Christopher Haster	1:24750b9ad5ef	1820	}
Christopher Haster	1:24750b9ad5ef	1821	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Christopher Haster	1:24750b9ad5ef	1822	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Christopher Haster	1:24750b9ad5ef	1823	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Christopher Haster	1:24750b9ad5ef	1824	{
Christopher Haster	1:24750b9ad5ef	1825	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Christopher Haster	1:24750b9ad5ef	1826	handshake_failure = 1;
Christopher Haster	1:24750b9ad5ef	1827	}
Christopher Haster	1:24750b9ad5ef	1828	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Christopher Haster	1:24750b9ad5ef	1829	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Christopher Haster	1:24750b9ad5ef	1830	renegotiation_info_seen == 1 )
Christopher Haster	1:24750b9ad5ef	1831	{
Christopher Haster	1:24750b9ad5ef	1832	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Christopher Haster	1:24750b9ad5ef	1833	handshake_failure = 1;
Christopher Haster	1:24750b9ad5ef	1834	}
Christopher Haster	1:24750b9ad5ef	1835	#endif /* MBEDTLS_SSL_RENEGOTIATION */
Christopher Haster	1:24750b9ad5ef	1836
Christopher Haster	1:24750b9ad5ef	1837	if( handshake_failure == 1 )
Christopher Haster	1:24750b9ad5ef	1838	{
Christopher Haster	1:24750b9ad5ef	1839	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1840	return( ret );
Christopher Haster	1:24750b9ad5ef	1841
Christopher Haster	1:24750b9ad5ef	1842	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster	1:24750b9ad5ef	1843	}
Christopher Haster	1:24750b9ad5ef	1844
Christopher Haster	1:24750b9ad5ef	1845	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Christopher Haster	1:24750b9ad5ef	1846
Christopher Haster	1:24750b9ad5ef	1847	return( 0 );
Christopher Haster	1:24750b9ad5ef	1848	}
Christopher Haster	1:24750b9ad5ef	1849
Christopher Haster	1:24750b9ad5ef	1850	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1851	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	1852	static int ssl_parse_server_dh_params( mbedtls_ssl_context ssl, unsigned char *p,
Christopher Haster	1:24750b9ad5ef	1853	unsigned char *end )
Christopher Haster	1:24750b9ad5ef	1854	{
Christopher Haster	1:24750b9ad5ef	1855	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Christopher Haster	1:24750b9ad5ef	1856
Christopher Haster	1:24750b9ad5ef	1857	/*
Christopher Haster	1:24750b9ad5ef	1858	* Ephemeral DH parameters:
Christopher Haster	1:24750b9ad5ef	1859	*
Christopher Haster	1:24750b9ad5ef	1860	* struct {
Christopher Haster	1:24750b9ad5ef	1861	* opaque dh_p<1..2^16-1>;
Christopher Haster	1:24750b9ad5ef	1862	* opaque dh_g<1..2^16-1>;
Christopher Haster	1:24750b9ad5ef	1863	* opaque dh_Ys<1..2^16-1>;
Christopher Haster	1:24750b9ad5ef	1864	* } ServerDHParams;
Christopher Haster	1:24750b9ad5ef	1865	*/
Christopher Haster	1:24750b9ad5ef	1866	if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1867	{
Christopher Haster	1:24750b9ad5ef	1868	MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Christopher Haster	1:24750b9ad5ef	1869	return( ret );
Christopher Haster	1:24750b9ad5ef	1870	}
Christopher Haster	1:24750b9ad5ef	1871
Christopher Haster	1:24750b9ad5ef	1872	if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Christopher Haster	1:24750b9ad5ef	1873	{
Christopher Haster	1:24750b9ad5ef	1874	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
Christopher Haster	1:24750b9ad5ef	1875	ssl->handshake->dhm_ctx.len * 8,
Christopher Haster	1:24750b9ad5ef	1876	ssl->conf->dhm_min_bitlen ) );
Christopher Haster	1:24750b9ad5ef	1877	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	1878	}
Christopher Haster	1:24750b9ad5ef	1879
Christopher Haster	1:24750b9ad5ef	1880	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
Christopher Haster	1:24750b9ad5ef	1881	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
Christopher Haster	1:24750b9ad5ef	1882	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Christopher Haster	1:24750b9ad5ef	1883
Christopher Haster	1:24750b9ad5ef	1884	return( ret );
Christopher Haster	1:24750b9ad5ef	1885	}
Christopher Haster	1:24750b9ad5ef	1886	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	1887	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	1888
Christopher Haster	1:24750b9ad5ef	1889	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1890	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1891	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1892	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1893	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	1894	static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	1895	{
Christopher Haster	1:24750b9ad5ef	1896	const mbedtls_ecp_curve_info *curve_info;
Christopher Haster	1:24750b9ad5ef	1897
Christopher Haster	1:24750b9ad5ef	1898	curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
Christopher Haster	1:24750b9ad5ef	1899	if( curve_info == NULL )
Christopher Haster	1:24750b9ad5ef	1900	{
Christopher Haster	1:24750b9ad5ef	1901	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	1902	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	1903	}
Christopher Haster	1:24750b9ad5ef	1904
Christopher Haster	1:24750b9ad5ef	1905	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Christopher Haster	1:24750b9ad5ef	1906
Christopher Haster	1:24750b9ad5ef	1907	#if defined(MBEDTLS_ECP_C)
Christopher Haster	1:24750b9ad5ef	1908	if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
Christopher Haster	1:24750b9ad5ef	1909	#else
Christopher Haster	1:24750b9ad5ef	1910	if( ssl->handshake->ecdh_ctx.grp.nbits < 163 \|\|
Christopher Haster	1:24750b9ad5ef	1911	ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Christopher Haster	1:24750b9ad5ef	1912	#endif
Christopher Haster	1:24750b9ad5ef	1913	return( -1 );
Christopher Haster	1:24750b9ad5ef	1914
Christopher Haster	1:24750b9ad5ef	1915	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
Christopher Haster	1:24750b9ad5ef	1916
Christopher Haster	1:24750b9ad5ef	1917	return( 0 );
Christopher Haster	1:24750b9ad5ef	1918	}
Christopher Haster	1:24750b9ad5ef	1919	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	1920	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	1921	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	1922	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	1923	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	1924
Christopher Haster	1:24750b9ad5ef	1925	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1926	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1927	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	1928	static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1929	unsigned char **p,
Christopher Haster	1:24750b9ad5ef	1930	unsigned char *end )
Christopher Haster	1:24750b9ad5ef	1931	{
Christopher Haster	1:24750b9ad5ef	1932	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Christopher Haster	1:24750b9ad5ef	1933
Christopher Haster	1:24750b9ad5ef	1934	/*
Christopher Haster	1:24750b9ad5ef	1935	* Ephemeral ECDH parameters:
Christopher Haster	1:24750b9ad5ef	1936	*
Christopher Haster	1:24750b9ad5ef	1937	* struct {
Christopher Haster	1:24750b9ad5ef	1938	* ECParameters curve_params;
Christopher Haster	1:24750b9ad5ef	1939	* ECPoint public;
Christopher Haster	1:24750b9ad5ef	1940	* } ServerECDHParams;
Christopher Haster	1:24750b9ad5ef	1941	*/
Christopher Haster	1:24750b9ad5ef	1942	if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Christopher Haster	1:24750b9ad5ef	1943	(const unsigned char **) p, end ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	1944	{
Christopher Haster	1:24750b9ad5ef	1945	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Christopher Haster	1:24750b9ad5ef	1946	return( ret );
Christopher Haster	1:24750b9ad5ef	1947	}
Christopher Haster	1:24750b9ad5ef	1948
Christopher Haster	1:24750b9ad5ef	1949	if( ssl_check_server_ecdh_params( ssl ) != 0 )
Christopher Haster	1:24750b9ad5ef	1950	{
Christopher Haster	1:24750b9ad5ef	1951	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
Christopher Haster	1:24750b9ad5ef	1952	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	1953	}
Christopher Haster	1:24750b9ad5ef	1954
Christopher Haster	1:24750b9ad5ef	1955	return( ret );
Christopher Haster	1:24750b9ad5ef	1956	}
Christopher Haster	1:24750b9ad5ef	1957	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	1958	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	1959	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	1960
Christopher Haster	1:24750b9ad5ef	1961	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	1962	static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1963	unsigned char **p,
Christopher Haster	1:24750b9ad5ef	1964	unsigned char *end )
Christopher Haster	1:24750b9ad5ef	1965	{
Christopher Haster	1:24750b9ad5ef	1966	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Christopher Haster	1:24750b9ad5ef	1967	size_t len;
Christopher Haster	1:24750b9ad5ef	1968	((void) ssl);
Christopher Haster	1:24750b9ad5ef	1969
Christopher Haster	1:24750b9ad5ef	1970	/*
Christopher Haster	1:24750b9ad5ef	1971	* PSK parameters:
Christopher Haster	1:24750b9ad5ef	1972	*
Christopher Haster	1:24750b9ad5ef	1973	* opaque psk_identity_hint<0..2^16-1>;
Christopher Haster	1:24750b9ad5ef	1974	*/
Christopher Haster	1:24750b9ad5ef	1975	len = (p)[0] << 8 \| (p)[1];
Christopher Haster	1:24750b9ad5ef	1976	*p += 2;
Christopher Haster	1:24750b9ad5ef	1977
Christopher Haster	1:24750b9ad5ef	1978	if( (*p) + len > end )
Christopher Haster	1:24750b9ad5ef	1979	{
Christopher Haster	1:24750b9ad5ef	1980	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
Christopher Haster	1:24750b9ad5ef	1981	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	1982	}
Christopher Haster	1:24750b9ad5ef	1983
Christopher Haster	1:24750b9ad5ef	1984	// TODO: Retrieve PSK identity hint and callback to app
Christopher Haster	1:24750b9ad5ef	1985	//
Christopher Haster	1:24750b9ad5ef	1986	*p += len;
Christopher Haster	1:24750b9ad5ef	1987	ret = 0;
Christopher Haster	1:24750b9ad5ef	1988
Christopher Haster	1:24750b9ad5ef	1989	return( ret );
Christopher Haster	1:24750b9ad5ef	1990	}
Christopher Haster	1:24750b9ad5ef	1991	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	1992
Christopher Haster	1:24750b9ad5ef	1993	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	1994	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	1995	/*
Christopher Haster	1:24750b9ad5ef	1996	* Generate a pre-master secret and encrypt it with the server's RSA key
Christopher Haster	1:24750b9ad5ef	1997	*/
Christopher Haster	1:24750b9ad5ef	1998	static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	1999	size_t offset, size_t *olen,
Christopher Haster	1:24750b9ad5ef	2000	size_t pms_offset )
Christopher Haster	1:24750b9ad5ef	2001	{
Christopher Haster	1:24750b9ad5ef	2002	int ret;
Christopher Haster	1:24750b9ad5ef	2003	size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Christopher Haster	1:24750b9ad5ef	2004	unsigned char *p = ssl->handshake->premaster + pms_offset;
Christopher Haster	1:24750b9ad5ef	2005
Christopher Haster	1:24750b9ad5ef	2006	if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
Christopher Haster	1:24750b9ad5ef	2007	{
Christopher Haster	1:24750b9ad5ef	2008	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
Christopher Haster	1:24750b9ad5ef	2009	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Christopher Haster	1:24750b9ad5ef	2010	}
Christopher Haster	1:24750b9ad5ef	2011
Christopher Haster	1:24750b9ad5ef	2012	/*
Christopher Haster	1:24750b9ad5ef	2013	* Generate (part of) the pre-master as
Christopher Haster	1:24750b9ad5ef	2014	* struct {
Christopher Haster	1:24750b9ad5ef	2015	* ProtocolVersion client_version;
Christopher Haster	1:24750b9ad5ef	2016	* opaque random[46];
Christopher Haster	1:24750b9ad5ef	2017	* } PreMasterSecret;
Christopher Haster	1:24750b9ad5ef	2018	*/
Christopher Haster	1:24750b9ad5ef	2019	mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
Christopher Haster	1:24750b9ad5ef	2020	ssl->conf->transport, p );
Christopher Haster	1:24750b9ad5ef	2021
Christopher Haster	1:24750b9ad5ef	2022	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2023	{
Christopher Haster	1:24750b9ad5ef	2024	MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Christopher Haster	1:24750b9ad5ef	2025	return( ret );
Christopher Haster	1:24750b9ad5ef	2026	}
Christopher Haster	1:24750b9ad5ef	2027
Christopher Haster	1:24750b9ad5ef	2028	ssl->handshake->pmslen = 48;
Christopher Haster	1:24750b9ad5ef	2029
Christopher Haster	1:24750b9ad5ef	2030	if( ssl->session_negotiate->peer_cert == NULL )
Christopher Haster	1:24750b9ad5ef	2031	{
Christopher Haster	1:24750b9ad5ef	2032	MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
Christopher Haster	1:24750b9ad5ef	2033	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	2034	}
Christopher Haster	1:24750b9ad5ef	2035
Christopher Haster	1:24750b9ad5ef	2036	/*
Christopher Haster	1:24750b9ad5ef	2037	* Now write it out, encrypted
Christopher Haster	1:24750b9ad5ef	2038	*/
Christopher Haster	1:24750b9ad5ef	2039	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
Christopher Haster	1:24750b9ad5ef	2040	MBEDTLS_PK_RSA ) )
Christopher Haster	1:24750b9ad5ef	2041	{
Christopher Haster	1:24750b9ad5ef	2042	MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
Christopher Haster	1:24750b9ad5ef	2043	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Christopher Haster	1:24750b9ad5ef	2044	}
Christopher Haster	1:24750b9ad5ef	2045
Christopher Haster	1:24750b9ad5ef	2046	if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
Christopher Haster	1:24750b9ad5ef	2047	p, ssl->handshake->pmslen,
Christopher Haster	1:24750b9ad5ef	2048	ssl->out_msg + offset + len_bytes, olen,
Christopher Haster	1:24750b9ad5ef	2049	MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
Christopher Haster	1:24750b9ad5ef	2050	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2051	{
Christopher Haster	1:24750b9ad5ef	2052	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Christopher Haster	1:24750b9ad5ef	2053	return( ret );
Christopher Haster	1:24750b9ad5ef	2054	}
Christopher Haster	1:24750b9ad5ef	2055
Christopher Haster	1:24750b9ad5ef	2056	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
Christopher Haster	1:24750b9ad5ef	2057	defined(MBEDTLS_SSL_PROTO_TLS1_2)
Christopher Haster	1:24750b9ad5ef	2058	if( len_bytes == 2 )
Christopher Haster	1:24750b9ad5ef	2059	{
Christopher Haster	1:24750b9ad5ef	2060	ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
Christopher Haster	1:24750b9ad5ef	2061	ssl->out_msg[offset+1] = (unsigned char)( *olen );
Christopher Haster	1:24750b9ad5ef	2062	*olen += 2;
Christopher Haster	1:24750b9ad5ef	2063	}
Christopher Haster	1:24750b9ad5ef	2064	#endif
Christopher Haster	1:24750b9ad5ef	2065
Christopher Haster	1:24750b9ad5ef	2066	return( 0 );
Christopher Haster	1:24750b9ad5ef	2067	}
Christopher Haster	1:24750b9ad5ef	2068	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2069	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	2070
Christopher Haster	1:24750b9ad5ef	2071	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Christopher Haster	1:24750b9ad5ef	2072	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2073	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2074	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2075	static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Christopher Haster	1:24750b9ad5ef	2076	unsigned char **p,
Christopher Haster	1:24750b9ad5ef	2077	unsigned char *end,
Christopher Haster	1:24750b9ad5ef	2078	mbedtls_md_type_t *md_alg,
Christopher Haster	1:24750b9ad5ef	2079	mbedtls_pk_type_t *pk_alg )
Christopher Haster	1:24750b9ad5ef	2080	{
Christopher Haster	1:24750b9ad5ef	2081	((void) ssl);
Christopher Haster	1:24750b9ad5ef	2082	*md_alg = MBEDTLS_MD_NONE;
Christopher Haster	1:24750b9ad5ef	2083	*pk_alg = MBEDTLS_PK_NONE;
Christopher Haster	1:24750b9ad5ef	2084
Christopher Haster	1:24750b9ad5ef	2085	/* Only in TLS 1.2 */
Christopher Haster	1:24750b9ad5ef	2086	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Christopher Haster	1:24750b9ad5ef	2087	{
Christopher Haster	1:24750b9ad5ef	2088	return( 0 );
Christopher Haster	1:24750b9ad5ef	2089	}
Christopher Haster	1:24750b9ad5ef	2090
Christopher Haster	1:24750b9ad5ef	2091	if( (*p) + 2 > end )
Christopher Haster	1:24750b9ad5ef	2092	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2093
Christopher Haster	1:24750b9ad5ef	2094	/*
Christopher Haster	1:24750b9ad5ef	2095	* Get hash algorithm
Christopher Haster	1:24750b9ad5ef	2096	*/
Christopher Haster	1:24750b9ad5ef	2097	if( ( md_alg = mbedtls_ssl_md_alg_from_hash( (p)[0] ) ) == MBEDTLS_MD_NONE )
Christopher Haster	1:24750b9ad5ef	2098	{
Christopher Haster	1:24750b9ad5ef	2099	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported "
Christopher Haster	1:24750b9ad5ef	2100	"HashAlgorithm %d", *(p)[0] ) );
Christopher Haster	1:24750b9ad5ef	2101	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2102	}
Christopher Haster	1:24750b9ad5ef	2103
Christopher Haster	1:24750b9ad5ef	2104	/*
Christopher Haster	1:24750b9ad5ef	2105	* Get signature algorithm
Christopher Haster	1:24750b9ad5ef	2106	*/
Christopher Haster	1:24750b9ad5ef	2107	if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( (p)[1] ) ) == MBEDTLS_PK_NONE )
Christopher Haster	1:24750b9ad5ef	2108	{
Christopher Haster	1:24750b9ad5ef	2109	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported "
Christopher Haster	1:24750b9ad5ef	2110	"SignatureAlgorithm %d", (*p)[1] ) );
Christopher Haster	1:24750b9ad5ef	2111	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2112	}
Christopher Haster	1:24750b9ad5ef	2113
Christopher Haster	1:24750b9ad5ef	2114	/*
Christopher Haster	1:24750b9ad5ef	2115	* Check if the hash is acceptable
Christopher Haster	1:24750b9ad5ef	2116	*/
Christopher Haster	1:24750b9ad5ef	2117	if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
Christopher Haster	1:24750b9ad5ef	2118	{
Christopher Haster	1:24750b9ad5ef	2119	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm "
Christopher Haster	1:24750b9ad5ef	2120	"that was not offered" ) );
Christopher Haster	1:24750b9ad5ef	2121	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2122	}
Christopher Haster	1:24750b9ad5ef	2123
Christopher Haster	1:24750b9ad5ef	2124	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
Christopher Haster	1:24750b9ad5ef	2125	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
Christopher Haster	1:24750b9ad5ef	2126	*p += 2;
Christopher Haster	1:24750b9ad5ef	2127
Christopher Haster	1:24750b9ad5ef	2128	return( 0 );
Christopher Haster	1:24750b9ad5ef	2129	}
Christopher Haster	1:24750b9ad5ef	2130	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2131	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2132	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2133	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Christopher Haster	1:24750b9ad5ef	2134
Christopher Haster	1:24750b9ad5ef	2135	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2136	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2137	static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	2138	{
Christopher Haster	1:24750b9ad5ef	2139	int ret;
Christopher Haster	1:24750b9ad5ef	2140	const mbedtls_ecp_keypair *peer_key;
Christopher Haster	1:24750b9ad5ef	2141
Christopher Haster	1:24750b9ad5ef	2142	if( ssl->session_negotiate->peer_cert == NULL )
Christopher Haster	1:24750b9ad5ef	2143	{
Christopher Haster	1:24750b9ad5ef	2144	MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
Christopher Haster	1:24750b9ad5ef	2145	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	2146	}
Christopher Haster	1:24750b9ad5ef	2147
Christopher Haster	1:24750b9ad5ef	2148	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
Christopher Haster	1:24750b9ad5ef	2149	MBEDTLS_PK_ECKEY ) )
Christopher Haster	1:24750b9ad5ef	2150	{
Christopher Haster	1:24750b9ad5ef	2151	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
Christopher Haster	1:24750b9ad5ef	2152	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Christopher Haster	1:24750b9ad5ef	2153	}
Christopher Haster	1:24750b9ad5ef	2154
Christopher Haster	1:24750b9ad5ef	2155	peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
Christopher Haster	1:24750b9ad5ef	2156
Christopher Haster	1:24750b9ad5ef	2157	if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
Christopher Haster	1:24750b9ad5ef	2158	MBEDTLS_ECDH_THEIRS ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2159	{
Christopher Haster	1:24750b9ad5ef	2160	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Christopher Haster	1:24750b9ad5ef	2161	return( ret );
Christopher Haster	1:24750b9ad5ef	2162	}
Christopher Haster	1:24750b9ad5ef	2163
Christopher Haster	1:24750b9ad5ef	2164	if( ssl_check_server_ecdh_params( ssl ) != 0 )
Christopher Haster	1:24750b9ad5ef	2165	{
Christopher Haster	1:24750b9ad5ef	2166	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
Christopher Haster	1:24750b9ad5ef	2167	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Christopher Haster	1:24750b9ad5ef	2168	}
Christopher Haster	1:24750b9ad5ef	2169
Christopher Haster	1:24750b9ad5ef	2170	return( ret );
Christopher Haster	1:24750b9ad5ef	2171	}
Christopher Haster	1:24750b9ad5ef	2172	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\|
Christopher Haster	1:24750b9ad5ef	2173	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2174
Christopher Haster	1:24750b9ad5ef	2175	static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	2176	{
Christopher Haster	1:24750b9ad5ef	2177	int ret;
Christopher Haster	1:24750b9ad5ef	2178	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Christopher Haster	1:24750b9ad5ef	2179	unsigned char p, end;
Christopher Haster	1:24750b9ad5ef	2180
Christopher Haster	1:24750b9ad5ef	2181	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Christopher Haster	1:24750b9ad5ef	2182
Christopher Haster	1:24750b9ad5ef	2183	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2184	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Christopher Haster	1:24750b9ad5ef	2185	{
Christopher Haster	1:24750b9ad5ef	2186	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Christopher Haster	1:24750b9ad5ef	2187	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2188	return( 0 );
Christopher Haster	1:24750b9ad5ef	2189	}
Christopher Haster	1:24750b9ad5ef	2190	((void) p);
Christopher Haster	1:24750b9ad5ef	2191	((void) end);
Christopher Haster	1:24750b9ad5ef	2192	#endif
Christopher Haster	1:24750b9ad5ef	2193
Christopher Haster	1:24750b9ad5ef	2194	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2195	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2196	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
Christopher Haster	1:24750b9ad5ef	2197	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Christopher Haster	1:24750b9ad5ef	2198	{
Christopher Haster	1:24750b9ad5ef	2199	if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2200	{
Christopher Haster	1:24750b9ad5ef	2201	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Christopher Haster	1:24750b9ad5ef	2202	return( ret );
Christopher Haster	1:24750b9ad5ef	2203	}
Christopher Haster	1:24750b9ad5ef	2204
Christopher Haster	1:24750b9ad5ef	2205	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Christopher Haster	1:24750b9ad5ef	2206	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2207	return( 0 );
Christopher Haster	1:24750b9ad5ef	2208	}
Christopher Haster	1:24750b9ad5ef	2209	((void) p);
Christopher Haster	1:24750b9ad5ef	2210	((void) end);
Christopher Haster	1:24750b9ad5ef	2211	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2212	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2213
Christopher Haster	1:24750b9ad5ef	2214	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2215	{
Christopher Haster	1:24750b9ad5ef	2216	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Christopher Haster	1:24750b9ad5ef	2217	return( ret );
Christopher Haster	1:24750b9ad5ef	2218	}
Christopher Haster	1:24750b9ad5ef	2219
Christopher Haster	1:24750b9ad5ef	2220	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	2221	{
Christopher Haster	1:24750b9ad5ef	2222	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2223	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	2224	}
Christopher Haster	1:24750b9ad5ef	2225
Christopher Haster	1:24750b9ad5ef	2226	/*
Christopher Haster	1:24750b9ad5ef	2227	* ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
Christopher Haster	1:24750b9ad5ef	2228	* doesn't use a psk_identity_hint
Christopher Haster	1:24750b9ad5ef	2229	*/
Christopher Haster	1:24750b9ad5ef	2230	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Christopher Haster	1:24750b9ad5ef	2231	{
Christopher Haster	1:24750b9ad5ef	2232	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2233	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Christopher Haster	1:24750b9ad5ef	2234	{
Christopher Haster	1:24750b9ad5ef	2235	ssl->record_read = 1;
Christopher Haster	1:24750b9ad5ef	2236	goto exit;
Christopher Haster	1:24750b9ad5ef	2237	}
Christopher Haster	1:24750b9ad5ef	2238
Christopher Haster	1:24750b9ad5ef	2239	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2240	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	2241	}
Christopher Haster	1:24750b9ad5ef	2242
Christopher Haster	1:24750b9ad5ef	2243	p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Christopher Haster	1:24750b9ad5ef	2244	end = ssl->in_msg + ssl->in_hslen;
Christopher Haster	1:24750b9ad5ef	2245	MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Christopher Haster	1:24750b9ad5ef	2246
Christopher Haster	1:24750b9ad5ef	2247	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2248	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2249	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2250	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2251	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Christopher Haster	1:24750b9ad5ef	2252	{
Christopher Haster	1:24750b9ad5ef	2253	if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
Christopher Haster	1:24750b9ad5ef	2254	{
Christopher Haster	1:24750b9ad5ef	2255	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2256	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2257	}
Christopher Haster	1:24750b9ad5ef	2258	} /* FALLTROUGH */
Christopher Haster	1:24750b9ad5ef	2259	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	2260
Christopher Haster	1:24750b9ad5ef	2261	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2262	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2263	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2264	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Christopher Haster	1:24750b9ad5ef	2265	; /* nothing more to do */
Christopher Haster	1:24750b9ad5ef	2266	else
Christopher Haster	1:24750b9ad5ef	2267	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2268	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	2269	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2270	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2271	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
Christopher Haster	1:24750b9ad5ef	2272	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Christopher Haster	1:24750b9ad5ef	2273	{
Christopher Haster	1:24750b9ad5ef	2274	if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Christopher Haster	1:24750b9ad5ef	2275	{
Christopher Haster	1:24750b9ad5ef	2276	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2277	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2278	}
Christopher Haster	1:24750b9ad5ef	2279	}
Christopher Haster	1:24750b9ad5ef	2280	else
Christopher Haster	1:24750b9ad5ef	2281	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2282	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	2283	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2284	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2285	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2286	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
Christopher Haster	1:24750b9ad5ef	2287	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2288	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Christopher Haster	1:24750b9ad5ef	2289	{
Christopher Haster	1:24750b9ad5ef	2290	if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
Christopher Haster	1:24750b9ad5ef	2291	{
Christopher Haster	1:24750b9ad5ef	2292	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2293	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2294	}
Christopher Haster	1:24750b9ad5ef	2295	}
Christopher Haster	1:24750b9ad5ef	2296	else
Christopher Haster	1:24750b9ad5ef	2297	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2298	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2299	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2300	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	2301	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Christopher Haster	1:24750b9ad5ef	2302	{
Christopher Haster	1:24750b9ad5ef	2303	ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
Christopher Haster	1:24750b9ad5ef	2304	p, end - p );
Christopher Haster	1:24750b9ad5ef	2305	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	2306	{
Christopher Haster	1:24750b9ad5ef	2307	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Christopher Haster	1:24750b9ad5ef	2308	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2309	}
Christopher Haster	1:24750b9ad5ef	2310	}
Christopher Haster	1:24750b9ad5ef	2311	else
Christopher Haster	1:24750b9ad5ef	2312	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster	1:24750b9ad5ef	2313	{
Christopher Haster	1:24750b9ad5ef	2314	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	2315	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	2316	}
Christopher Haster	1:24750b9ad5ef	2317
Christopher Haster	1:24750b9ad5ef	2318	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2319	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2320	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2321	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
Christopher Haster	1:24750b9ad5ef	2322	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
Christopher Haster	1:24750b9ad5ef	2323	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Christopher Haster	1:24750b9ad5ef	2324	{
Christopher Haster	1:24750b9ad5ef	2325	size_t sig_len, hashlen;
Christopher Haster	1:24750b9ad5ef	2326	unsigned char hash[64];
Christopher Haster	1:24750b9ad5ef	2327	mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Christopher Haster	1:24750b9ad5ef	2328	mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
Christopher Haster	1:24750b9ad5ef	2329	unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Christopher Haster	1:24750b9ad5ef	2330	size_t params_len = p - params;
Christopher Haster	1:24750b9ad5ef	2331
Christopher Haster	1:24750b9ad5ef	2332	/*
Christopher Haster	1:24750b9ad5ef	2333	* Handle the digitally-signed structure
Christopher Haster	1:24750b9ad5ef	2334	*/
Christopher Haster	1:24750b9ad5ef	2335	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Christopher Haster	1:24750b9ad5ef	2336	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Christopher Haster	1:24750b9ad5ef	2337	{
Christopher Haster	1:24750b9ad5ef	2338	if( ssl_parse_signature_algorithm( ssl, &p, end,
Christopher Haster	1:24750b9ad5ef	2339	&md_alg, &pk_alg ) != 0 )
Christopher Haster	1:24750b9ad5ef	2340	{
Christopher Haster	1:24750b9ad5ef	2341	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2342	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2343	}
Christopher Haster	1:24750b9ad5ef	2344
Christopher Haster	1:24750b9ad5ef	2345	if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Christopher Haster	1:24750b9ad5ef	2346	{
Christopher Haster	1:24750b9ad5ef	2347	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2348	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2349	}
Christopher Haster	1:24750b9ad5ef	2350	}
Christopher Haster	1:24750b9ad5ef	2351	else
Christopher Haster	1:24750b9ad5ef	2352	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Christopher Haster	1:24750b9ad5ef	2353	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
Christopher Haster	1:24750b9ad5ef	2354	defined(MBEDTLS_SSL_PROTO_TLS1_1)
Christopher Haster	1:24750b9ad5ef	2355	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Christopher Haster	1:24750b9ad5ef	2356	{
Christopher Haster	1:24750b9ad5ef	2357	pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Christopher Haster	1:24750b9ad5ef	2358
Christopher Haster	1:24750b9ad5ef	2359	/* Default hash for ECDSA is SHA-1 */
Christopher Haster	1:24750b9ad5ef	2360	if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
Christopher Haster	1:24750b9ad5ef	2361	md_alg = MBEDTLS_MD_SHA1;
Christopher Haster	1:24750b9ad5ef	2362	}
Christopher Haster	1:24750b9ad5ef	2363	else
Christopher Haster	1:24750b9ad5ef	2364	#endif
Christopher Haster	1:24750b9ad5ef	2365	{
Christopher Haster	1:24750b9ad5ef	2366	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	2367	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	2368	}
Christopher Haster	1:24750b9ad5ef	2369
Christopher Haster	1:24750b9ad5ef	2370	/*
Christopher Haster	1:24750b9ad5ef	2371	* Read signature
Christopher Haster	1:24750b9ad5ef	2372	*/
Christopher Haster	1:24750b9ad5ef	2373	sig_len = ( p[0] << 8 ) \| p[1];
Christopher Haster	1:24750b9ad5ef	2374	p += 2;
Christopher Haster	1:24750b9ad5ef	2375
Christopher Haster	1:24750b9ad5ef	2376	if( end != p + sig_len )
Christopher Haster	1:24750b9ad5ef	2377	{
Christopher Haster	1:24750b9ad5ef	2378	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2379	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Christopher Haster	1:24750b9ad5ef	2380	}
Christopher Haster	1:24750b9ad5ef	2381
Christopher Haster	1:24750b9ad5ef	2382	MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Christopher Haster	1:24750b9ad5ef	2383
Christopher Haster	1:24750b9ad5ef	2384	/*
Christopher Haster	1:24750b9ad5ef	2385	* Compute the hash that has been signed
Christopher Haster	1:24750b9ad5ef	2386	*/
Christopher Haster	1:24750b9ad5ef	2387	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
Christopher Haster	1:24750b9ad5ef	2388	defined(MBEDTLS_SSL_PROTO_TLS1_1)
Christopher Haster	1:24750b9ad5ef	2389	if( md_alg == MBEDTLS_MD_NONE )
Christopher Haster	1:24750b9ad5ef	2390	{
Christopher Haster	1:24750b9ad5ef	2391	mbedtls_md5_context mbedtls_md5;
Christopher Haster	1:24750b9ad5ef	2392	mbedtls_sha1_context mbedtls_sha1;
Christopher Haster	1:24750b9ad5ef	2393
Christopher Haster	1:24750b9ad5ef	2394	mbedtls_md5_init( &mbedtls_md5 );
Christopher Haster	1:24750b9ad5ef	2395	mbedtls_sha1_init( &mbedtls_sha1 );
Christopher Haster	1:24750b9ad5ef	2396
Christopher Haster	1:24750b9ad5ef	2397	hashlen = 36;
Christopher Haster	1:24750b9ad5ef	2398
Christopher Haster	1:24750b9ad5ef	2399	/*
Christopher Haster	1:24750b9ad5ef	2400	* digitally-signed struct {
Christopher Haster	1:24750b9ad5ef	2401	* opaque md5_hash[16];
Christopher Haster	1:24750b9ad5ef	2402	* opaque sha_hash[20];
Christopher Haster	1:24750b9ad5ef	2403	* };
Christopher Haster	1:24750b9ad5ef	2404	*
Christopher Haster	1:24750b9ad5ef	2405	* md5_hash
Christopher Haster	1:24750b9ad5ef	2406	* MD5(ClientHello.random + ServerHello.random
Christopher Haster	1:24750b9ad5ef	2407	* + ServerParams);
Christopher Haster	1:24750b9ad5ef	2408	* sha_hash
Christopher Haster	1:24750b9ad5ef	2409	* SHA(ClientHello.random + ServerHello.random
Christopher Haster	1:24750b9ad5ef	2410	* + ServerParams);
Christopher Haster	1:24750b9ad5ef	2411	*/
Christopher Haster	1:24750b9ad5ef	2412	mbedtls_md5_starts( &mbedtls_md5 );
Christopher Haster	1:24750b9ad5ef	2413	mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
Christopher Haster	1:24750b9ad5ef	2414	mbedtls_md5_update( &mbedtls_md5, params, params_len );
Christopher Haster	1:24750b9ad5ef	2415	mbedtls_md5_finish( &mbedtls_md5, hash );
Christopher Haster	1:24750b9ad5ef	2416
Christopher Haster	1:24750b9ad5ef	2417	mbedtls_sha1_starts( &mbedtls_sha1 );
Christopher Haster	1:24750b9ad5ef	2418	mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
Christopher Haster	1:24750b9ad5ef	2419	mbedtls_sha1_update( &mbedtls_sha1, params, params_len );
Christopher Haster	1:24750b9ad5ef	2420	mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
Christopher Haster	1:24750b9ad5ef	2421
Christopher Haster	1:24750b9ad5ef	2422	mbedtls_md5_free( &mbedtls_md5 );
Christopher Haster	1:24750b9ad5ef	2423	mbedtls_sha1_free( &mbedtls_sha1 );
Christopher Haster	1:24750b9ad5ef	2424	}
Christopher Haster	1:24750b9ad5ef	2425	else
Christopher Haster	1:24750b9ad5ef	2426	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
Christopher Haster	1:24750b9ad5ef	2427	MBEDTLS_SSL_PROTO_TLS1_1 */
Christopher Haster	1:24750b9ad5ef	2428	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
Christopher Haster	1:24750b9ad5ef	2429	defined(MBEDTLS_SSL_PROTO_TLS1_2)
Christopher Haster	1:24750b9ad5ef	2430	if( md_alg != MBEDTLS_MD_NONE )
Christopher Haster	1:24750b9ad5ef	2431	{
Christopher Haster	1:24750b9ad5ef	2432	mbedtls_md_context_t ctx;
Christopher Haster	1:24750b9ad5ef	2433
Christopher Haster	1:24750b9ad5ef	2434	mbedtls_md_init( &ctx );
Christopher Haster	1:24750b9ad5ef	2435
Christopher Haster	1:24750b9ad5ef	2436	/* Info from md_alg will be used instead */
Christopher Haster	1:24750b9ad5ef	2437	hashlen = 0;
Christopher Haster	1:24750b9ad5ef	2438
Christopher Haster	1:24750b9ad5ef	2439	/*
Christopher Haster	1:24750b9ad5ef	2440	* digitally-signed struct {
Christopher Haster	1:24750b9ad5ef	2441	* opaque client_random[32];
Christopher Haster	1:24750b9ad5ef	2442	* opaque server_random[32];
Christopher Haster	1:24750b9ad5ef	2443	* ServerDHParams params;
Christopher Haster	1:24750b9ad5ef	2444	* };
Christopher Haster	1:24750b9ad5ef	2445	*/
Christopher Haster	1:24750b9ad5ef	2446	if( ( ret = mbedtls_md_setup( &ctx,
Christopher Haster	1:24750b9ad5ef	2447	mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2448	{
Christopher Haster	1:24750b9ad5ef	2449	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Christopher Haster	1:24750b9ad5ef	2450	return( ret );
Christopher Haster	1:24750b9ad5ef	2451	}
Christopher Haster	1:24750b9ad5ef	2452
Christopher Haster	1:24750b9ad5ef	2453	mbedtls_md_starts( &ctx );
Christopher Haster	1:24750b9ad5ef	2454	mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
Christopher Haster	1:24750b9ad5ef	2455	mbedtls_md_update( &ctx, params, params_len );
Christopher Haster	1:24750b9ad5ef	2456	mbedtls_md_finish( &ctx, hash );
Christopher Haster	1:24750b9ad5ef	2457	mbedtls_md_free( &ctx );
Christopher Haster	1:24750b9ad5ef	2458	}
Christopher Haster	1:24750b9ad5ef	2459	else
Christopher Haster	1:24750b9ad5ef	2460	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
Christopher Haster	1:24750b9ad5ef	2461	MBEDTLS_SSL_PROTO_TLS1_2 */
Christopher Haster	1:24750b9ad5ef	2462	{
Christopher Haster	1:24750b9ad5ef	2463	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	2464	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	2465	}
Christopher Haster	1:24750b9ad5ef	2466
Christopher Haster	1:24750b9ad5ef	2467	MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
Christopher Haster	1:24750b9ad5ef	2468	(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
Christopher Haster	1:24750b9ad5ef	2469
Christopher Haster	1:24750b9ad5ef	2470	if( ssl->session_negotiate->peer_cert == NULL )
Christopher Haster	1:24750b9ad5ef	2471	{
Christopher Haster	1:24750b9ad5ef	2472	MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
Christopher Haster	1:24750b9ad5ef	2473	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	2474	}
Christopher Haster	1:24750b9ad5ef	2475
Christopher Haster	1:24750b9ad5ef	2476	/*
Christopher Haster	1:24750b9ad5ef	2477	* Verify signature
Christopher Haster	1:24750b9ad5ef	2478	*/
Christopher Haster	1:24750b9ad5ef	2479	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
Christopher Haster	1:24750b9ad5ef	2480	{
Christopher Haster	1:24750b9ad5ef	2481	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Christopher Haster	1:24750b9ad5ef	2482	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Christopher Haster	1:24750b9ad5ef	2483	}
Christopher Haster	1:24750b9ad5ef	2484
Christopher Haster	1:24750b9ad5ef	2485	if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
Christopher Haster	1:24750b9ad5ef	2486	md_alg, hash, hashlen, p, sig_len ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2487	{
Christopher Haster	1:24750b9ad5ef	2488	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Christopher Haster	1:24750b9ad5ef	2489	return( ret );
Christopher Haster	1:24750b9ad5ef	2490	}
Christopher Haster	1:24750b9ad5ef	2491	}
Christopher Haster	1:24750b9ad5ef	2492	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2493	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2494	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2495
Christopher Haster	1:24750b9ad5ef	2496	exit:
Christopher Haster	1:24750b9ad5ef	2497	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2498
Christopher Haster	1:24750b9ad5ef	2499	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Christopher Haster	1:24750b9ad5ef	2500
Christopher Haster	1:24750b9ad5ef	2501	return( 0 );
Christopher Haster	1:24750b9ad5ef	2502	}
Christopher Haster	1:24750b9ad5ef	2503
Christopher Haster	1:24750b9ad5ef	2504	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
Christopher Haster	1:24750b9ad5ef	2505	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Christopher Haster	1:24750b9ad5ef	2506	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
Christopher Haster	1:24750b9ad5ef	2507	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2508	static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	2509	{
Christopher Haster	1:24750b9ad5ef	2510	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Christopher Haster	1:24750b9ad5ef	2511
Christopher Haster	1:24750b9ad5ef	2512	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Christopher Haster	1:24750b9ad5ef	2513
Christopher Haster	1:24750b9ad5ef	2514	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2515	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2516	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2517	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2518	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Christopher Haster	1:24750b9ad5ef	2519	{
Christopher Haster	1:24750b9ad5ef	2520	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Christopher Haster	1:24750b9ad5ef	2521	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2522	return( 0 );
Christopher Haster	1:24750b9ad5ef	2523	}
Christopher Haster	1:24750b9ad5ef	2524
Christopher Haster	1:24750b9ad5ef	2525	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	2526	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	2527	}
Christopher Haster	1:24750b9ad5ef	2528	#else
Christopher Haster	1:24750b9ad5ef	2529	static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	2530	{
Christopher Haster	1:24750b9ad5ef	2531	int ret;
Christopher Haster	1:24750b9ad5ef	2532	unsigned char buf, p;
Christopher Haster	1:24750b9ad5ef	2533	size_t n = 0, m = 0;
Christopher Haster	1:24750b9ad5ef	2534	size_t cert_type_len = 0, dn_len = 0;
Christopher Haster	1:24750b9ad5ef	2535	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Christopher Haster	1:24750b9ad5ef	2536
Christopher Haster	1:24750b9ad5ef	2537	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Christopher Haster	1:24750b9ad5ef	2538
Christopher Haster	1:24750b9ad5ef	2539	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2540	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2541	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2542	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2543	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Christopher Haster	1:24750b9ad5ef	2544	{
Christopher Haster	1:24750b9ad5ef	2545	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Christopher Haster	1:24750b9ad5ef	2546	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2547	return( 0 );
Christopher Haster	1:24750b9ad5ef	2548	}
Christopher Haster	1:24750b9ad5ef	2549
Christopher Haster	1:24750b9ad5ef	2550	if( ssl->record_read == 0 )
Christopher Haster	1:24750b9ad5ef	2551	{
Christopher Haster	1:24750b9ad5ef	2552	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2553	{
Christopher Haster	1:24750b9ad5ef	2554	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Christopher Haster	1:24750b9ad5ef	2555	return( ret );
Christopher Haster	1:24750b9ad5ef	2556	}
Christopher Haster	1:24750b9ad5ef	2557
Christopher Haster	1:24750b9ad5ef	2558	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	2559	{
Christopher Haster	1:24750b9ad5ef	2560	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Christopher Haster	1:24750b9ad5ef	2561	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	2562	}
Christopher Haster	1:24750b9ad5ef	2563
Christopher Haster	1:24750b9ad5ef	2564	ssl->record_read = 1;
Christopher Haster	1:24750b9ad5ef	2565	}
Christopher Haster	1:24750b9ad5ef	2566
Christopher Haster	1:24750b9ad5ef	2567	ssl->client_auth = 0;
Christopher Haster	1:24750b9ad5ef	2568	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2569
Christopher Haster	1:24750b9ad5ef	2570	if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST )
Christopher Haster	1:24750b9ad5ef	2571	ssl->client_auth++;
Christopher Haster	1:24750b9ad5ef	2572
Christopher Haster	1:24750b9ad5ef	2573	MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Christopher Haster	1:24750b9ad5ef	2574	ssl->client_auth ? "a" : "no" ) );
Christopher Haster	1:24750b9ad5ef	2575
Christopher Haster	1:24750b9ad5ef	2576	if( ssl->client_auth == 0 )
Christopher Haster	1:24750b9ad5ef	2577	goto exit;
Christopher Haster	1:24750b9ad5ef	2578
Christopher Haster	1:24750b9ad5ef	2579	ssl->record_read = 0;
Christopher Haster	1:24750b9ad5ef	2580
Christopher Haster	1:24750b9ad5ef	2581	// TODO: handshake_failure alert for an anonymous server to request
Christopher Haster	1:24750b9ad5ef	2582	// client authentication
Christopher Haster	1:24750b9ad5ef	2583
Christopher Haster	1:24750b9ad5ef	2584	/*
Christopher Haster	1:24750b9ad5ef	2585	* struct {
Christopher Haster	1:24750b9ad5ef	2586	* ClientCertificateType certificate_types<1..2^8-1>;
Christopher Haster	1:24750b9ad5ef	2587	* SignatureAndHashAlgorithm
Christopher Haster	1:24750b9ad5ef	2588	* supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
Christopher Haster	1:24750b9ad5ef	2589	* DistinguishedName certificate_authorities<0..2^16-1>;
Christopher Haster	1:24750b9ad5ef	2590	* } CertificateRequest;
Christopher Haster	1:24750b9ad5ef	2591	*/
Christopher Haster	1:24750b9ad5ef	2592	buf = ssl->in_msg;
Christopher Haster	1:24750b9ad5ef	2593
Christopher Haster	1:24750b9ad5ef	2594	// Retrieve cert types
Christopher Haster	1:24750b9ad5ef	2595	//
Christopher Haster	1:24750b9ad5ef	2596	cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Christopher Haster	1:24750b9ad5ef	2597	n = cert_type_len;
Christopher Haster	1:24750b9ad5ef	2598
Christopher Haster	1:24750b9ad5ef	2599	if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Christopher Haster	1:24750b9ad5ef	2600	{
Christopher Haster	1:24750b9ad5ef	2601	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Christopher Haster	1:24750b9ad5ef	2602	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Christopher Haster	1:24750b9ad5ef	2603	}
Christopher Haster	1:24750b9ad5ef	2604
Christopher Haster	1:24750b9ad5ef	2605	p = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 1;
Christopher Haster	1:24750b9ad5ef	2606	while( cert_type_len > 0 )
Christopher Haster	1:24750b9ad5ef	2607	{
Christopher Haster	1:24750b9ad5ef	2608	#if defined(MBEDTLS_RSA_C)
Christopher Haster	1:24750b9ad5ef	2609	if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN &&
Christopher Haster	1:24750b9ad5ef	2610	mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
Christopher Haster	1:24750b9ad5ef	2611	{
Christopher Haster	1:24750b9ad5ef	2612	ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Christopher Haster	1:24750b9ad5ef	2613	break;
Christopher Haster	1:24750b9ad5ef	2614	}
Christopher Haster	1:24750b9ad5ef	2615	else
Christopher Haster	1:24750b9ad5ef	2616	#endif
Christopher Haster	1:24750b9ad5ef	2617	#if defined(MBEDTLS_ECDSA_C)
Christopher Haster	1:24750b9ad5ef	2618	if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN &&
Christopher Haster	1:24750b9ad5ef	2619	mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Christopher Haster	1:24750b9ad5ef	2620	{
Christopher Haster	1:24750b9ad5ef	2621	ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Christopher Haster	1:24750b9ad5ef	2622	break;
Christopher Haster	1:24750b9ad5ef	2623	}
Christopher Haster	1:24750b9ad5ef	2624	else
Christopher Haster	1:24750b9ad5ef	2625	#endif
Christopher Haster	1:24750b9ad5ef	2626	{
Christopher Haster	1:24750b9ad5ef	2627	; /* Unsupported cert type, ignore */
Christopher Haster	1:24750b9ad5ef	2628	}
Christopher Haster	1:24750b9ad5ef	2629
Christopher Haster	1:24750b9ad5ef	2630	cert_type_len--;
Christopher Haster	1:24750b9ad5ef	2631	p++;
Christopher Haster	1:24750b9ad5ef	2632	}
Christopher Haster	1:24750b9ad5ef	2633
Christopher Haster	1:24750b9ad5ef	2634	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Christopher Haster	1:24750b9ad5ef	2635	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Christopher Haster	1:24750b9ad5ef	2636	{
Christopher Haster	1:24750b9ad5ef	2637	/* Ignored, see comments about hash in write_certificate_verify */
Christopher Haster	1:24750b9ad5ef	2638	// TODO: should check the signature part against our pk_key though
Christopher Haster	1:24750b9ad5ef	2639	size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
Christopher Haster	1:24750b9ad5ef	2640	\| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Christopher Haster	1:24750b9ad5ef	2641
Christopher Haster	1:24750b9ad5ef	2642	m += 2;
Christopher Haster	1:24750b9ad5ef	2643	n += sig_alg_len;
Christopher Haster	1:24750b9ad5ef	2644
Christopher Haster	1:24750b9ad5ef	2645	if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Christopher Haster	1:24750b9ad5ef	2646	{
Christopher Haster	1:24750b9ad5ef	2647	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Christopher Haster	1:24750b9ad5ef	2648	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Christopher Haster	1:24750b9ad5ef	2649	}
Christopher Haster	1:24750b9ad5ef	2650	}
Christopher Haster	1:24750b9ad5ef	2651	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Christopher Haster	1:24750b9ad5ef	2652
Christopher Haster	1:24750b9ad5ef	2653	/* Ignore certificate_authorities, we only have one cert anyway */
Christopher Haster	1:24750b9ad5ef	2654	// TODO: should not send cert if no CA matches
Christopher Haster	1:24750b9ad5ef	2655	dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + m + n] << 8 )
Christopher Haster	1:24750b9ad5ef	2656	\| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + m + n] ) );
Christopher Haster	1:24750b9ad5ef	2657
Christopher Haster	1:24750b9ad5ef	2658	n += dn_len;
Christopher Haster	1:24750b9ad5ef	2659	if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + m + n )
Christopher Haster	1:24750b9ad5ef	2660	{
Christopher Haster	1:24750b9ad5ef	2661	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Christopher Haster	1:24750b9ad5ef	2662	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Christopher Haster	1:24750b9ad5ef	2663	}
Christopher Haster	1:24750b9ad5ef	2664
Christopher Haster	1:24750b9ad5ef	2665	exit:
Christopher Haster	1:24750b9ad5ef	2666	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Christopher Haster	1:24750b9ad5ef	2667
Christopher Haster	1:24750b9ad5ef	2668	return( 0 );
Christopher Haster	1:24750b9ad5ef	2669	}
Christopher Haster	1:24750b9ad5ef	2670	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
Christopher Haster	1:24750b9ad5ef	2671	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Christopher Haster	1:24750b9ad5ef	2672	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
Christopher Haster	1:24750b9ad5ef	2673	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2674
Christopher Haster	1:24750b9ad5ef	2675	static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	2676	{
Christopher Haster	1:24750b9ad5ef	2677	int ret;
Christopher Haster	1:24750b9ad5ef	2678
Christopher Haster	1:24750b9ad5ef	2679	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Christopher Haster	1:24750b9ad5ef	2680
Christopher Haster	1:24750b9ad5ef	2681	if( ssl->record_read == 0 )
Christopher Haster	1:24750b9ad5ef	2682	{
Christopher Haster	1:24750b9ad5ef	2683	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2684	{
Christopher Haster	1:24750b9ad5ef	2685	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Christopher Haster	1:24750b9ad5ef	2686	return( ret );
Christopher Haster	1:24750b9ad5ef	2687	}
Christopher Haster	1:24750b9ad5ef	2688
Christopher Haster	1:24750b9ad5ef	2689	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	2690	{
Christopher Haster	1:24750b9ad5ef	2691	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Christopher Haster	1:24750b9ad5ef	2692	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	2693	}
Christopher Haster	1:24750b9ad5ef	2694	}
Christopher Haster	1:24750b9ad5ef	2695	ssl->record_read = 0;
Christopher Haster	1:24750b9ad5ef	2696
Christopher Haster	1:24750b9ad5ef	2697	if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) \|\|
Christopher Haster	1:24750b9ad5ef	2698	ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Christopher Haster	1:24750b9ad5ef	2699	{
Christopher Haster	1:24750b9ad5ef	2700	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Christopher Haster	1:24750b9ad5ef	2701	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Christopher Haster	1:24750b9ad5ef	2702	}
Christopher Haster	1:24750b9ad5ef	2703
Christopher Haster	1:24750b9ad5ef	2704	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2705
Christopher Haster	1:24750b9ad5ef	2706	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	2707	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster	1:24750b9ad5ef	2708	mbedtls_ssl_recv_flight_completed( ssl );
Christopher Haster	1:24750b9ad5ef	2709	#endif
Christopher Haster	1:24750b9ad5ef	2710
Christopher Haster	1:24750b9ad5ef	2711	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Christopher Haster	1:24750b9ad5ef	2712
Christopher Haster	1:24750b9ad5ef	2713	return( 0 );
Christopher Haster	1:24750b9ad5ef	2714	}
Christopher Haster	1:24750b9ad5ef	2715
Christopher Haster	1:24750b9ad5ef	2716	static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	2717	{
Christopher Haster	1:24750b9ad5ef	2718	int ret;
Christopher Haster	1:24750b9ad5ef	2719	size_t i, n;
Christopher Haster	1:24750b9ad5ef	2720	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Christopher Haster	1:24750b9ad5ef	2721
Christopher Haster	1:24750b9ad5ef	2722	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Christopher Haster	1:24750b9ad5ef	2723
Christopher Haster	1:24750b9ad5ef	2724	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2725	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Christopher Haster	1:24750b9ad5ef	2726	{
Christopher Haster	1:24750b9ad5ef	2727	/*
Christopher Haster	1:24750b9ad5ef	2728	* DHM key exchange -- send G^X mod P
Christopher Haster	1:24750b9ad5ef	2729	*/
Christopher Haster	1:24750b9ad5ef	2730	n = ssl->handshake->dhm_ctx.len;
Christopher Haster	1:24750b9ad5ef	2731
Christopher Haster	1:24750b9ad5ef	2732	ssl->out_msg[4] = (unsigned char)( n >> 8 );
Christopher Haster	1:24750b9ad5ef	2733	ssl->out_msg[5] = (unsigned char)( n );
Christopher Haster	1:24750b9ad5ef	2734	i = 6;
Christopher Haster	1:24750b9ad5ef	2735
Christopher Haster	1:24750b9ad5ef	2736	ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
Christopher Haster	1:24750b9ad5ef	2737	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Christopher Haster	1:24750b9ad5ef	2738	&ssl->out_msg[i], n,
Christopher Haster	1:24750b9ad5ef	2739	ssl->conf->f_rng, ssl->conf->p_rng );
Christopher Haster	1:24750b9ad5ef	2740	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	2741	{
Christopher Haster	1:24750b9ad5ef	2742	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Christopher Haster	1:24750b9ad5ef	2743	return( ret );
Christopher Haster	1:24750b9ad5ef	2744	}
Christopher Haster	1:24750b9ad5ef	2745
Christopher Haster	1:24750b9ad5ef	2746	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
Christopher Haster	1:24750b9ad5ef	2747	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Christopher Haster	1:24750b9ad5ef	2748
Christopher Haster	1:24750b9ad5ef	2749	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Christopher Haster	1:24750b9ad5ef	2750	ssl->handshake->premaster,
Christopher Haster	1:24750b9ad5ef	2751	MBEDTLS_PREMASTER_SIZE,
Christopher Haster	1:24750b9ad5ef	2752	&ssl->handshake->pmslen,
Christopher Haster	1:24750b9ad5ef	2753	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2754	{
Christopher Haster	1:24750b9ad5ef	2755	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Christopher Haster	1:24750b9ad5ef	2756	return( ret );
Christopher Haster	1:24750b9ad5ef	2757	}
Christopher Haster	1:24750b9ad5ef	2758
Christopher Haster	1:24750b9ad5ef	2759	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Christopher Haster	1:24750b9ad5ef	2760	}
Christopher Haster	1:24750b9ad5ef	2761	else
Christopher Haster	1:24750b9ad5ef	2762	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2763	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2764	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2765	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
Christopher Haster	1:24750b9ad5ef	2766	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2767	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
Christopher Haster	1:24750b9ad5ef	2768	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
Christopher Haster	1:24750b9ad5ef	2769	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
Christopher Haster	1:24750b9ad5ef	2770	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Christopher Haster	1:24750b9ad5ef	2771	{
Christopher Haster	1:24750b9ad5ef	2772	/*
Christopher Haster	1:24750b9ad5ef	2773	* ECDH key exchange -- send client public value
Christopher Haster	1:24750b9ad5ef	2774	*/
Christopher Haster	1:24750b9ad5ef	2775	i = 4;
Christopher Haster	1:24750b9ad5ef	2776
Christopher Haster	1:24750b9ad5ef	2777	ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Christopher Haster	1:24750b9ad5ef	2778	&n,
Christopher Haster	1:24750b9ad5ef	2779	&ssl->out_msg[i], 1000,
Christopher Haster	1:24750b9ad5ef	2780	ssl->conf->f_rng, ssl->conf->p_rng );
Christopher Haster	1:24750b9ad5ef	2781	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	2782	{
Christopher Haster	1:24750b9ad5ef	2783	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Christopher Haster	1:24750b9ad5ef	2784	return( ret );
Christopher Haster	1:24750b9ad5ef	2785	}
Christopher Haster	1:24750b9ad5ef	2786
Christopher Haster	1:24750b9ad5ef	2787	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
Christopher Haster	1:24750b9ad5ef	2788
Christopher Haster	1:24750b9ad5ef	2789	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Christopher Haster	1:24750b9ad5ef	2790	&ssl->handshake->pmslen,
Christopher Haster	1:24750b9ad5ef	2791	ssl->handshake->premaster,
Christopher Haster	1:24750b9ad5ef	2792	MBEDTLS_MPI_MAX_SIZE,
Christopher Haster	1:24750b9ad5ef	2793	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2794	{
Christopher Haster	1:24750b9ad5ef	2795	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Christopher Haster	1:24750b9ad5ef	2796	return( ret );
Christopher Haster	1:24750b9ad5ef	2797	}
Christopher Haster	1:24750b9ad5ef	2798
Christopher Haster	1:24750b9ad5ef	2799	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
Christopher Haster	1:24750b9ad5ef	2800	}
Christopher Haster	1:24750b9ad5ef	2801	else
Christopher Haster	1:24750b9ad5ef	2802	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2803	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2804	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
Christopher Haster	1:24750b9ad5ef	2805	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2806	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2807	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2808	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2809	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2810	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Christopher Haster	1:24750b9ad5ef	2811	{
Christopher Haster	1:24750b9ad5ef	2812	/*
Christopher Haster	1:24750b9ad5ef	2813	* opaque psk_identity<0..2^16-1>;
Christopher Haster	1:24750b9ad5ef	2814	*/
Christopher Haster	1:24750b9ad5ef	2815	if( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL )
Christopher Haster	1:24750b9ad5ef	2816	{
Christopher Haster	1:24750b9ad5ef	2817	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Christopher Haster	1:24750b9ad5ef	2818	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Christopher Haster	1:24750b9ad5ef	2819	}
Christopher Haster	1:24750b9ad5ef	2820
Christopher Haster	1:24750b9ad5ef	2821	i = 4;
Christopher Haster	1:24750b9ad5ef	2822	n = ssl->conf->psk_identity_len;
Christopher Haster	1:24750b9ad5ef	2823
Christopher Haster	1:24750b9ad5ef	2824	if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
Christopher Haster	1:24750b9ad5ef	2825	{
Christopher Haster	1:24750b9ad5ef	2826	MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
Christopher Haster	1:24750b9ad5ef	2827	"SSL buffer too short" ) );
Christopher Haster	1:24750b9ad5ef	2828	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Christopher Haster	1:24750b9ad5ef	2829	}
Christopher Haster	1:24750b9ad5ef	2830
Christopher Haster	1:24750b9ad5ef	2831	ssl->out_msg[i++] = (unsigned char)( n >> 8 );
Christopher Haster	1:24750b9ad5ef	2832	ssl->out_msg[i++] = (unsigned char)( n );
Christopher Haster	1:24750b9ad5ef	2833
Christopher Haster	1:24750b9ad5ef	2834	memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
Christopher Haster	1:24750b9ad5ef	2835	i += ssl->conf->psk_identity_len;
Christopher Haster	1:24750b9ad5ef	2836
Christopher Haster	1:24750b9ad5ef	2837	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2838	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
Christopher Haster	1:24750b9ad5ef	2839	{
Christopher Haster	1:24750b9ad5ef	2840	n = 0;
Christopher Haster	1:24750b9ad5ef	2841	}
Christopher Haster	1:24750b9ad5ef	2842	else
Christopher Haster	1:24750b9ad5ef	2843	#endif
Christopher Haster	1:24750b9ad5ef	2844	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2845	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Christopher Haster	1:24750b9ad5ef	2846	{
Christopher Haster	1:24750b9ad5ef	2847	if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2848	return( ret );
Christopher Haster	1:24750b9ad5ef	2849	}
Christopher Haster	1:24750b9ad5ef	2850	else
Christopher Haster	1:24750b9ad5ef	2851	#endif
Christopher Haster	1:24750b9ad5ef	2852	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2853	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Christopher Haster	1:24750b9ad5ef	2854	{
Christopher Haster	1:24750b9ad5ef	2855	/*
Christopher Haster	1:24750b9ad5ef	2856	* ClientDiffieHellmanPublic public (DHM send G^X mod P)
Christopher Haster	1:24750b9ad5ef	2857	*/
Christopher Haster	1:24750b9ad5ef	2858	n = ssl->handshake->dhm_ctx.len;
Christopher Haster	1:24750b9ad5ef	2859
Christopher Haster	1:24750b9ad5ef	2860	if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
Christopher Haster	1:24750b9ad5ef	2861	{
Christopher Haster	1:24750b9ad5ef	2862	MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
Christopher Haster	1:24750b9ad5ef	2863	" or SSL buffer too short" ) );
Christopher Haster	1:24750b9ad5ef	2864	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
Christopher Haster	1:24750b9ad5ef	2865	}
Christopher Haster	1:24750b9ad5ef	2866
Christopher Haster	1:24750b9ad5ef	2867	ssl->out_msg[i++] = (unsigned char)( n >> 8 );
Christopher Haster	1:24750b9ad5ef	2868	ssl->out_msg[i++] = (unsigned char)( n );
Christopher Haster	1:24750b9ad5ef	2869
Christopher Haster	1:24750b9ad5ef	2870	ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
Christopher Haster	1:24750b9ad5ef	2871	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Christopher Haster	1:24750b9ad5ef	2872	&ssl->out_msg[i], n,
Christopher Haster	1:24750b9ad5ef	2873	ssl->conf->f_rng, ssl->conf->p_rng );
Christopher Haster	1:24750b9ad5ef	2874	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	2875	{
Christopher Haster	1:24750b9ad5ef	2876	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Christopher Haster	1:24750b9ad5ef	2877	return( ret );
Christopher Haster	1:24750b9ad5ef	2878	}
Christopher Haster	1:24750b9ad5ef	2879	}
Christopher Haster	1:24750b9ad5ef	2880	else
Christopher Haster	1:24750b9ad5ef	2881	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	2882	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Christopher Haster	1:24750b9ad5ef	2883	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Christopher Haster	1:24750b9ad5ef	2884	{
Christopher Haster	1:24750b9ad5ef	2885	/*
Christopher Haster	1:24750b9ad5ef	2886	* ClientECDiffieHellmanPublic public;
Christopher Haster	1:24750b9ad5ef	2887	*/
Christopher Haster	1:24750b9ad5ef	2888	ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
Christopher Haster	1:24750b9ad5ef	2889	&ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
Christopher Haster	1:24750b9ad5ef	2890	ssl->conf->f_rng, ssl->conf->p_rng );
Christopher Haster	1:24750b9ad5ef	2891	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	2892	{
Christopher Haster	1:24750b9ad5ef	2893	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Christopher Haster	1:24750b9ad5ef	2894	return( ret );
Christopher Haster	1:24750b9ad5ef	2895	}
Christopher Haster	1:24750b9ad5ef	2896
Christopher Haster	1:24750b9ad5ef	2897	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
Christopher Haster	1:24750b9ad5ef	2898	}
Christopher Haster	1:24750b9ad5ef	2899	else
Christopher Haster	1:24750b9ad5ef	2900	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	2901	{
Christopher Haster	1:24750b9ad5ef	2902	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	2903	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	2904	}
Christopher Haster	1:24750b9ad5ef	2905
Christopher Haster	1:24750b9ad5ef	2906	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Christopher Haster	1:24750b9ad5ef	2907	ciphersuite_info->key_exchange ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2908	{
Christopher Haster	1:24750b9ad5ef	2909	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
Christopher Haster	1:24750b9ad5ef	2910	return( ret );
Christopher Haster	1:24750b9ad5ef	2911	}
Christopher Haster	1:24750b9ad5ef	2912	}
Christopher Haster	1:24750b9ad5ef	2913	else
Christopher Haster	1:24750b9ad5ef	2914	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Christopher Haster	1:24750b9ad5ef	2915	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2916	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Christopher Haster	1:24750b9ad5ef	2917	{
Christopher Haster	1:24750b9ad5ef	2918	i = 4;
Christopher Haster	1:24750b9ad5ef	2919	if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2920	return( ret );
Christopher Haster	1:24750b9ad5ef	2921	}
Christopher Haster	1:24750b9ad5ef	2922	else
Christopher Haster	1:24750b9ad5ef	2923	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2924	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster	1:24750b9ad5ef	2925	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Christopher Haster	1:24750b9ad5ef	2926	{
Christopher Haster	1:24750b9ad5ef	2927	i = 4;
Christopher Haster	1:24750b9ad5ef	2928
Christopher Haster	1:24750b9ad5ef	2929	ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Christopher Haster	1:24750b9ad5ef	2930	ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
Christopher Haster	1:24750b9ad5ef	2931	ssl->conf->f_rng, ssl->conf->p_rng );
Christopher Haster	1:24750b9ad5ef	2932	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	2933	{
Christopher Haster	1:24750b9ad5ef	2934	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
Christopher Haster	1:24750b9ad5ef	2935	return( ret );
Christopher Haster	1:24750b9ad5ef	2936	}
Christopher Haster	1:24750b9ad5ef	2937
Christopher Haster	1:24750b9ad5ef	2938	ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
Christopher Haster	1:24750b9ad5ef	2939	ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
Christopher Haster	1:24750b9ad5ef	2940	ssl->conf->f_rng, ssl->conf->p_rng );
Christopher Haster	1:24750b9ad5ef	2941	if( ret != 0 )
Christopher Haster	1:24750b9ad5ef	2942	{
Christopher Haster	1:24750b9ad5ef	2943	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
Christopher Haster	1:24750b9ad5ef	2944	return( ret );
Christopher Haster	1:24750b9ad5ef	2945	}
Christopher Haster	1:24750b9ad5ef	2946	}
Christopher Haster	1:24750b9ad5ef	2947	else
Christopher Haster	1:24750b9ad5ef	2948	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	2949	{
Christopher Haster	1:24750b9ad5ef	2950	((void) ciphersuite_info);
Christopher Haster	1:24750b9ad5ef	2951	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	2952	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	2953	}
Christopher Haster	1:24750b9ad5ef	2954
Christopher Haster	1:24750b9ad5ef	2955	ssl->out_msglen = i + n;
Christopher Haster	1:24750b9ad5ef	2956	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
Christopher Haster	1:24750b9ad5ef	2957	ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Christopher Haster	1:24750b9ad5ef	2958
Christopher Haster	1:24750b9ad5ef	2959	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2960
Christopher Haster	1:24750b9ad5ef	2961	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2962	{
Christopher Haster	1:24750b9ad5ef	2963	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Christopher Haster	1:24750b9ad5ef	2964	return( ret );
Christopher Haster	1:24750b9ad5ef	2965	}
Christopher Haster	1:24750b9ad5ef	2966
Christopher Haster	1:24750b9ad5ef	2967	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Christopher Haster	1:24750b9ad5ef	2968
Christopher Haster	1:24750b9ad5ef	2969	return( 0 );
Christopher Haster	1:24750b9ad5ef	2970	}
Christopher Haster	1:24750b9ad5ef	2971
Christopher Haster	1:24750b9ad5ef	2972	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
Christopher Haster	1:24750b9ad5ef	2973	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Christopher Haster	1:24750b9ad5ef	2974	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
Christopher Haster	1:24750b9ad5ef	2975	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Christopher Haster	1:24750b9ad5ef	2976	static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	2977	{
Christopher Haster	1:24750b9ad5ef	2978	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Christopher Haster	1:24750b9ad5ef	2979	int ret;
Christopher Haster	1:24750b9ad5ef	2980
Christopher Haster	1:24750b9ad5ef	2981	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Christopher Haster	1:24750b9ad5ef	2982
Christopher Haster	1:24750b9ad5ef	2983	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	2984	{
Christopher Haster	1:24750b9ad5ef	2985	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Christopher Haster	1:24750b9ad5ef	2986	return( ret );
Christopher Haster	1:24750b9ad5ef	2987	}
Christopher Haster	1:24750b9ad5ef	2988
Christopher Haster	1:24750b9ad5ef	2989	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2990	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2991	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2992	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	2993	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Christopher Haster	1:24750b9ad5ef	2994	{
Christopher Haster	1:24750b9ad5ef	2995	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Christopher Haster	1:24750b9ad5ef	2996	ssl->state++;
Christopher Haster	1:24750b9ad5ef	2997	return( 0 );
Christopher Haster	1:24750b9ad5ef	2998	}
Christopher Haster	1:24750b9ad5ef	2999
Christopher Haster	1:24750b9ad5ef	3000	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	3001	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	3002	}
Christopher Haster	1:24750b9ad5ef	3003	#else
Christopher Haster	1:24750b9ad5ef	3004	static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	3005	{
Christopher Haster	1:24750b9ad5ef	3006	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Christopher Haster	1:24750b9ad5ef	3007	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Christopher Haster	1:24750b9ad5ef	3008	size_t n = 0, offset = 0;
Christopher Haster	1:24750b9ad5ef	3009	unsigned char hash[48];
Christopher Haster	1:24750b9ad5ef	3010	unsigned char *hash_start = hash;
Christopher Haster	1:24750b9ad5ef	3011	mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Christopher Haster	1:24750b9ad5ef	3012	unsigned int hashlen;
Christopher Haster	1:24750b9ad5ef	3013
Christopher Haster	1:24750b9ad5ef	3014	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Christopher Haster	1:24750b9ad5ef	3015
Christopher Haster	1:24750b9ad5ef	3016	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	3017	{
Christopher Haster	1:24750b9ad5ef	3018	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Christopher Haster	1:24750b9ad5ef	3019	return( ret );
Christopher Haster	1:24750b9ad5ef	3020	}
Christopher Haster	1:24750b9ad5ef	3021
Christopher Haster	1:24750b9ad5ef	3022	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	3023	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
Christopher Haster	1:24750b9ad5ef	3024	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	3025	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
Christopher Haster	1:24750b9ad5ef	3026	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Christopher Haster	1:24750b9ad5ef	3027	{
Christopher Haster	1:24750b9ad5ef	3028	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Christopher Haster	1:24750b9ad5ef	3029	ssl->state++;
Christopher Haster	1:24750b9ad5ef	3030	return( 0 );
Christopher Haster	1:24750b9ad5ef	3031	}
Christopher Haster	1:24750b9ad5ef	3032
Christopher Haster	1:24750b9ad5ef	3033	if( ssl->client_auth == 0 \|\| mbedtls_ssl_own_cert( ssl ) == NULL )
Christopher Haster	1:24750b9ad5ef	3034	{
Christopher Haster	1:24750b9ad5ef	3035	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Christopher Haster	1:24750b9ad5ef	3036	ssl->state++;
Christopher Haster	1:24750b9ad5ef	3037	return( 0 );
Christopher Haster	1:24750b9ad5ef	3038	}
Christopher Haster	1:24750b9ad5ef	3039
Christopher Haster	1:24750b9ad5ef	3040	if( mbedtls_ssl_own_key( ssl ) == NULL )
Christopher Haster	1:24750b9ad5ef	3041	{
Christopher Haster	1:24750b9ad5ef	3042	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Christopher Haster	1:24750b9ad5ef	3043	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Christopher Haster	1:24750b9ad5ef	3044	}
Christopher Haster	1:24750b9ad5ef	3045
Christopher Haster	1:24750b9ad5ef	3046	/*
Christopher Haster	1:24750b9ad5ef	3047	* Make an RSA signature of the handshake digests
Christopher Haster	1:24750b9ad5ef	3048	*/
Christopher Haster	1:24750b9ad5ef	3049	ssl->handshake->calc_verify( ssl, hash );
Christopher Haster	1:24750b9ad5ef	3050
Christopher Haster	1:24750b9ad5ef	3051	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
Christopher Haster	1:24750b9ad5ef	3052	defined(MBEDTLS_SSL_PROTO_TLS1_1)
Christopher Haster	1:24750b9ad5ef	3053	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Christopher Haster	1:24750b9ad5ef	3054	{
Christopher Haster	1:24750b9ad5ef	3055	/*
Christopher Haster	1:24750b9ad5ef	3056	* digitally-signed struct {
Christopher Haster	1:24750b9ad5ef	3057	* opaque md5_hash[16];
Christopher Haster	1:24750b9ad5ef	3058	* opaque sha_hash[20];
Christopher Haster	1:24750b9ad5ef	3059	* };
Christopher Haster	1:24750b9ad5ef	3060	*
Christopher Haster	1:24750b9ad5ef	3061	* md5_hash
Christopher Haster	1:24750b9ad5ef	3062	* MD5(handshake_messages);
Christopher Haster	1:24750b9ad5ef	3063	*
Christopher Haster	1:24750b9ad5ef	3064	* sha_hash
Christopher Haster	1:24750b9ad5ef	3065	* SHA(handshake_messages);
Christopher Haster	1:24750b9ad5ef	3066	*/
Christopher Haster	1:24750b9ad5ef	3067	hashlen = 36;
Christopher Haster	1:24750b9ad5ef	3068	md_alg = MBEDTLS_MD_NONE;
Christopher Haster	1:24750b9ad5ef	3069
Christopher Haster	1:24750b9ad5ef	3070	/*
Christopher Haster	1:24750b9ad5ef	3071	* For ECDSA, default hash is SHA-1 only
Christopher Haster	1:24750b9ad5ef	3072	*/
Christopher Haster	1:24750b9ad5ef	3073	if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Christopher Haster	1:24750b9ad5ef	3074	{
Christopher Haster	1:24750b9ad5ef	3075	hash_start += 16;
Christopher Haster	1:24750b9ad5ef	3076	hashlen -= 16;
Christopher Haster	1:24750b9ad5ef	3077	md_alg = MBEDTLS_MD_SHA1;
Christopher Haster	1:24750b9ad5ef	3078	}
Christopher Haster	1:24750b9ad5ef	3079	}
Christopher Haster	1:24750b9ad5ef	3080	else
Christopher Haster	1:24750b9ad5ef	3081	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
Christopher Haster	1:24750b9ad5ef	3082	MBEDTLS_SSL_PROTO_TLS1_1 */
Christopher Haster	1:24750b9ad5ef	3083	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Christopher Haster	1:24750b9ad5ef	3084	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Christopher Haster	1:24750b9ad5ef	3085	{
Christopher Haster	1:24750b9ad5ef	3086	/*
Christopher Haster	1:24750b9ad5ef	3087	* digitally-signed struct {
Christopher Haster	1:24750b9ad5ef	3088	* opaque handshake_messages[handshake_messages_length];
Christopher Haster	1:24750b9ad5ef	3089	* };
Christopher Haster	1:24750b9ad5ef	3090	*
Christopher Haster	1:24750b9ad5ef	3091	* Taking shortcut here. We assume that the server always allows the
Christopher Haster	1:24750b9ad5ef	3092	* PRF Hash function and has sent it in the allowed signature
Christopher Haster	1:24750b9ad5ef	3093	* algorithms list received in the Certificate Request message.
Christopher Haster	1:24750b9ad5ef	3094	*
Christopher Haster	1:24750b9ad5ef	3095	* Until we encounter a server that does not, we will take this
Christopher Haster	1:24750b9ad5ef	3096	* shortcut.
Christopher Haster	1:24750b9ad5ef	3097	*
Christopher Haster	1:24750b9ad5ef	3098	* Reason: Otherwise we should have running hashes for SHA512 and SHA224
Christopher Haster	1:24750b9ad5ef	3099	* in order to satisfy 'weird' needs from the server side.
Christopher Haster	1:24750b9ad5ef	3100	*/
Christopher Haster	1:24750b9ad5ef	3101	if( ssl->transform_negotiate->ciphersuite_info->mac ==
Christopher Haster	1:24750b9ad5ef	3102	MBEDTLS_MD_SHA384 )
Christopher Haster	1:24750b9ad5ef	3103	{
Christopher Haster	1:24750b9ad5ef	3104	md_alg = MBEDTLS_MD_SHA384;
Christopher Haster	1:24750b9ad5ef	3105	ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Christopher Haster	1:24750b9ad5ef	3106	}
Christopher Haster	1:24750b9ad5ef	3107	else
Christopher Haster	1:24750b9ad5ef	3108	{
Christopher Haster	1:24750b9ad5ef	3109	md_alg = MBEDTLS_MD_SHA256;
Christopher Haster	1:24750b9ad5ef	3110	ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Christopher Haster	1:24750b9ad5ef	3111	}
Christopher Haster	1:24750b9ad5ef	3112	ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Christopher Haster	1:24750b9ad5ef	3113
Christopher Haster	1:24750b9ad5ef	3114	/* Info from md_alg will be used instead */
Christopher Haster	1:24750b9ad5ef	3115	hashlen = 0;
Christopher Haster	1:24750b9ad5ef	3116	offset = 2;
Christopher Haster	1:24750b9ad5ef	3117	}
Christopher Haster	1:24750b9ad5ef	3118	else
Christopher Haster	1:24750b9ad5ef	3119	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Christopher Haster	1:24750b9ad5ef	3120	{
Christopher Haster	1:24750b9ad5ef	3121	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Christopher Haster	1:24750b9ad5ef	3122	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Christopher Haster	1:24750b9ad5ef	3123	}
Christopher Haster	1:24750b9ad5ef	3124
Christopher Haster	1:24750b9ad5ef	3125	if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
Christopher Haster	1:24750b9ad5ef	3126	ssl->out_msg + 6 + offset, &n,
Christopher Haster	1:24750b9ad5ef	3127	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	3128	{
Christopher Haster	1:24750b9ad5ef	3129	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Christopher Haster	1:24750b9ad5ef	3130	return( ret );
Christopher Haster	1:24750b9ad5ef	3131	}
Christopher Haster	1:24750b9ad5ef	3132
Christopher Haster	1:24750b9ad5ef	3133	ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
Christopher Haster	1:24750b9ad5ef	3134	ssl->out_msg[5 + offset] = (unsigned char)( n );
Christopher Haster	1:24750b9ad5ef	3135
Christopher Haster	1:24750b9ad5ef	3136	ssl->out_msglen = 6 + n + offset;
Christopher Haster	1:24750b9ad5ef	3137	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
Christopher Haster	1:24750b9ad5ef	3138	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Christopher Haster	1:24750b9ad5ef	3139
Christopher Haster	1:24750b9ad5ef	3140	ssl->state++;
Christopher Haster	1:24750b9ad5ef	3141
Christopher Haster	1:24750b9ad5ef	3142	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	3143	{
Christopher Haster	1:24750b9ad5ef	3144	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Christopher Haster	1:24750b9ad5ef	3145	return( ret );
Christopher Haster	1:24750b9ad5ef	3146	}
Christopher Haster	1:24750b9ad5ef	3147
Christopher Haster	1:24750b9ad5ef	3148	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Christopher Haster	1:24750b9ad5ef	3149
Christopher Haster	1:24750b9ad5ef	3150	return( ret );
Christopher Haster	1:24750b9ad5ef	3151	}
Christopher Haster	1:24750b9ad5ef	3152	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
Christopher Haster	1:24750b9ad5ef	3153	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Christopher Haster	1:24750b9ad5ef	3154	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Christopher Haster	1:24750b9ad5ef	3155
Christopher Haster	1:24750b9ad5ef	3156	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	3157	static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	3158	{
Christopher Haster	1:24750b9ad5ef	3159	int ret;
Christopher Haster	1:24750b9ad5ef	3160	uint32_t lifetime;
Christopher Haster	1:24750b9ad5ef	3161	size_t ticket_len;
Christopher Haster	1:24750b9ad5ef	3162	unsigned char *ticket;
Christopher Haster	1:24750b9ad5ef	3163	const unsigned char *msg;
Christopher Haster	1:24750b9ad5ef	3164
Christopher Haster	1:24750b9ad5ef	3165	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Christopher Haster	1:24750b9ad5ef	3166
Christopher Haster	1:24750b9ad5ef	3167	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	3168	{
Christopher Haster	1:24750b9ad5ef	3169	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Christopher Haster	1:24750b9ad5ef	3170	return( ret );
Christopher Haster	1:24750b9ad5ef	3171	}
Christopher Haster	1:24750b9ad5ef	3172
Christopher Haster	1:24750b9ad5ef	3173	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Christopher Haster	1:24750b9ad5ef	3174	{
Christopher Haster	1:24750b9ad5ef	3175	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Christopher Haster	1:24750b9ad5ef	3176	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster	1:24750b9ad5ef	3177	}
Christopher Haster	1:24750b9ad5ef	3178
Christopher Haster	1:24750b9ad5ef	3179	/*
Christopher Haster	1:24750b9ad5ef	3180	* struct {
Christopher Haster	1:24750b9ad5ef	3181	* uint32 ticket_lifetime_hint;
Christopher Haster	1:24750b9ad5ef	3182	* opaque ticket<0..2^16-1>;
Christopher Haster	1:24750b9ad5ef	3183	* } NewSessionTicket;
Christopher Haster	1:24750b9ad5ef	3184	*
Christopher Haster	1:24750b9ad5ef	3185	* 0 . 3 ticket_lifetime_hint
Christopher Haster	1:24750b9ad5ef	3186	* 4 . 5 ticket_len (n)
Christopher Haster	1:24750b9ad5ef	3187	* 6 . 5+n ticket content
Christopher Haster	1:24750b9ad5ef	3188	*/
Christopher Haster	1:24750b9ad5ef	3189	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET \|\|
Christopher Haster	1:24750b9ad5ef	3190	ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Christopher Haster	1:24750b9ad5ef	3191	{
Christopher Haster	1:24750b9ad5ef	3192	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Christopher Haster	1:24750b9ad5ef	3193	return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Christopher Haster	1:24750b9ad5ef	3194	}
Christopher Haster	1:24750b9ad5ef	3195
Christopher Haster	1:24750b9ad5ef	3196	msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Christopher Haster	1:24750b9ad5ef	3197
Christopher Haster	1:24750b9ad5ef	3198	lifetime = ( msg[0] << 24 ) \| ( msg[1] << 16 ) \|
Christopher Haster	1:24750b9ad5ef	3199	( msg[2] << 8 ) \| ( msg[3] );
Christopher Haster	1:24750b9ad5ef	3200
Christopher Haster	1:24750b9ad5ef	3201	ticket_len = ( msg[4] << 8 ) \| ( msg[5] );
Christopher Haster	1:24750b9ad5ef	3202
Christopher Haster	1:24750b9ad5ef	3203	if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Christopher Haster	1:24750b9ad5ef	3204	{
Christopher Haster	1:24750b9ad5ef	3205	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Christopher Haster	1:24750b9ad5ef	3206	return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Christopher Haster	1:24750b9ad5ef	3207	}
Christopher Haster	1:24750b9ad5ef	3208
Christopher Haster	1:24750b9ad5ef	3209	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Christopher Haster	1:24750b9ad5ef	3210
Christopher Haster	1:24750b9ad5ef	3211	/* We're not waiting for a NewSessionTicket message any more */
Christopher Haster	1:24750b9ad5ef	3212	ssl->handshake->new_session_ticket = 0;
Christopher Haster	1:24750b9ad5ef	3213	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Christopher Haster	1:24750b9ad5ef	3214
Christopher Haster	1:24750b9ad5ef	3215	/*
Christopher Haster	1:24750b9ad5ef	3216	* Zero-length ticket means the server changed his mind and doesn't want
Christopher Haster	1:24750b9ad5ef	3217	* to send a ticket after all, so just forget it
Christopher Haster	1:24750b9ad5ef	3218	*/
Christopher Haster	1:24750b9ad5ef	3219	if( ticket_len == 0 )
Christopher Haster	1:24750b9ad5ef	3220	return( 0 );
Christopher Haster	1:24750b9ad5ef	3221
Christopher Haster	1:24750b9ad5ef	3222	mbedtls_zeroize( ssl->session_negotiate->ticket,
Christopher Haster	1:24750b9ad5ef	3223	ssl->session_negotiate->ticket_len );
Christopher Haster	1:24750b9ad5ef	3224	mbedtls_free( ssl->session_negotiate->ticket );
Christopher Haster	1:24750b9ad5ef	3225	ssl->session_negotiate->ticket = NULL;
Christopher Haster	1:24750b9ad5ef	3226	ssl->session_negotiate->ticket_len = 0;
Christopher Haster	1:24750b9ad5ef	3227
Christopher Haster	1:24750b9ad5ef	3228	if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Christopher Haster	1:24750b9ad5ef	3229	{
Christopher Haster	1:24750b9ad5ef	3230	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Christopher Haster	1:24750b9ad5ef	3231	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Christopher Haster	1:24750b9ad5ef	3232	}
Christopher Haster	1:24750b9ad5ef	3233
Christopher Haster	1:24750b9ad5ef	3234	memcpy( ticket, msg + 6, ticket_len );
Christopher Haster	1:24750b9ad5ef	3235
Christopher Haster	1:24750b9ad5ef	3236	ssl->session_negotiate->ticket = ticket;
Christopher Haster	1:24750b9ad5ef	3237	ssl->session_negotiate->ticket_len = ticket_len;
Christopher Haster	1:24750b9ad5ef	3238	ssl->session_negotiate->ticket_lifetime = lifetime;
Christopher Haster	1:24750b9ad5ef	3239
Christopher Haster	1:24750b9ad5ef	3240	/*
Christopher Haster	1:24750b9ad5ef	3241	* RFC 5077 section 3.4:
Christopher Haster	1:24750b9ad5ef	3242	* "If the client receives a session ticket from the server, then it
Christopher Haster	1:24750b9ad5ef	3243	* discards any Session ID that was sent in the ServerHello."
Christopher Haster	1:24750b9ad5ef	3244	*/
Christopher Haster	1:24750b9ad5ef	3245	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Christopher Haster	1:24750b9ad5ef	3246	ssl->session_negotiate->id_len = 0;
Christopher Haster	1:24750b9ad5ef	3247
Christopher Haster	1:24750b9ad5ef	3248	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Christopher Haster	1:24750b9ad5ef	3249
Christopher Haster	1:24750b9ad5ef	3250	return( 0 );
Christopher Haster	1:24750b9ad5ef	3251	}
Christopher Haster	1:24750b9ad5ef	3252	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster	1:24750b9ad5ef	3253
Christopher Haster	1:24750b9ad5ef	3254	/*
Christopher Haster	1:24750b9ad5ef	3255	* SSL handshake -- client side -- single step
Christopher Haster	1:24750b9ad5ef	3256	*/
Christopher Haster	1:24750b9ad5ef	3257	int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Christopher Haster	1:24750b9ad5ef	3258	{
Christopher Haster	1:24750b9ad5ef	3259	int ret = 0;
Christopher Haster	1:24750b9ad5ef	3260
Christopher Haster	1:24750b9ad5ef	3261	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER \|\| ssl->handshake == NULL )
Christopher Haster	1:24750b9ad5ef	3262	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Christopher Haster	1:24750b9ad5ef	3263
Christopher Haster	1:24750b9ad5ef	3264	MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Christopher Haster	1:24750b9ad5ef	3265
Christopher Haster	1:24750b9ad5ef	3266	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	3267	return( ret );
Christopher Haster	1:24750b9ad5ef	3268
Christopher Haster	1:24750b9ad5ef	3269	#if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster	1:24750b9ad5ef	3270	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Christopher Haster	1:24750b9ad5ef	3271	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Christopher Haster	1:24750b9ad5ef	3272	{
Christopher Haster	1:24750b9ad5ef	3273	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Christopher Haster	1:24750b9ad5ef	3274	return( ret );
Christopher Haster	1:24750b9ad5ef	3275	}
Christopher Haster	1:24750b9ad5ef	3276	#endif
Christopher Haster	1:24750b9ad5ef	3277
Christopher Haster	1:24750b9ad5ef	3278	/* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Christopher Haster	1:24750b9ad5ef	3279	* by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Christopher Haster	1:24750b9ad5ef	3280	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	3281	if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Christopher Haster	1:24750b9ad5ef	3282	ssl->handshake->new_session_ticket != 0 )
Christopher Haster	1:24750b9ad5ef	3283	{
Christopher Haster	1:24750b9ad5ef	3284	ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Christopher Haster	1:24750b9ad5ef	3285	}
Christopher Haster	1:24750b9ad5ef	3286	#endif
Christopher Haster	1:24750b9ad5ef	3287
Christopher Haster	1:24750b9ad5ef	3288	switch( ssl->state )
Christopher Haster	1:24750b9ad5ef	3289	{
Christopher Haster	1:24750b9ad5ef	3290	case MBEDTLS_SSL_HELLO_REQUEST:
Christopher Haster	1:24750b9ad5ef	3291	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Christopher Haster	1:24750b9ad5ef	3292	break;
Christopher Haster	1:24750b9ad5ef	3293
Christopher Haster	1:24750b9ad5ef	3294	/*
Christopher Haster	1:24750b9ad5ef	3295	* ==> ClientHello
Christopher Haster	1:24750b9ad5ef	3296	*/
Christopher Haster	1:24750b9ad5ef	3297	case MBEDTLS_SSL_CLIENT_HELLO:
Christopher Haster	1:24750b9ad5ef	3298	ret = ssl_write_client_hello( ssl );
Christopher Haster	1:24750b9ad5ef	3299	break;
Christopher Haster	1:24750b9ad5ef	3300
Christopher Haster	1:24750b9ad5ef	3301	/*
Christopher Haster	1:24750b9ad5ef	3302	* <== ServerHello
Christopher Haster	1:24750b9ad5ef	3303	* Certificate
Christopher Haster	1:24750b9ad5ef	3304	* ( ServerKeyExchange )
Christopher Haster	1:24750b9ad5ef	3305	* ( CertificateRequest )
Christopher Haster	1:24750b9ad5ef	3306	* ServerHelloDone
Christopher Haster	1:24750b9ad5ef	3307	*/
Christopher Haster	1:24750b9ad5ef	3308	case MBEDTLS_SSL_SERVER_HELLO:
Christopher Haster	1:24750b9ad5ef	3309	ret = ssl_parse_server_hello( ssl );
Christopher Haster	1:24750b9ad5ef	3310	break;
Christopher Haster	1:24750b9ad5ef	3311
Christopher Haster	1:24750b9ad5ef	3312	case MBEDTLS_SSL_SERVER_CERTIFICATE:
Christopher Haster	1:24750b9ad5ef	3313	ret = mbedtls_ssl_parse_certificate( ssl );
Christopher Haster	1:24750b9ad5ef	3314	break;
Christopher Haster	1:24750b9ad5ef	3315
Christopher Haster	1:24750b9ad5ef	3316	case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Christopher Haster	1:24750b9ad5ef	3317	ret = ssl_parse_server_key_exchange( ssl );
Christopher Haster	1:24750b9ad5ef	3318	break;
Christopher Haster	1:24750b9ad5ef	3319
Christopher Haster	1:24750b9ad5ef	3320	case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Christopher Haster	1:24750b9ad5ef	3321	ret = ssl_parse_certificate_request( ssl );
Christopher Haster	1:24750b9ad5ef	3322	break;
Christopher Haster	1:24750b9ad5ef	3323
Christopher Haster	1:24750b9ad5ef	3324	case MBEDTLS_SSL_SERVER_HELLO_DONE:
Christopher Haster	1:24750b9ad5ef	3325	ret = ssl_parse_server_hello_done( ssl );
Christopher Haster	1:24750b9ad5ef	3326	break;
Christopher Haster	1:24750b9ad5ef	3327
Christopher Haster	1:24750b9ad5ef	3328	/*
Christopher Haster	1:24750b9ad5ef	3329	* ==> ( Certificate/Alert )
Christopher Haster	1:24750b9ad5ef	3330	* ClientKeyExchange
Christopher Haster	1:24750b9ad5ef	3331	* ( CertificateVerify )
Christopher Haster	1:24750b9ad5ef	3332	* ChangeCipherSpec
Christopher Haster	1:24750b9ad5ef	3333	* Finished
Christopher Haster	1:24750b9ad5ef	3334	*/
Christopher Haster	1:24750b9ad5ef	3335	case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Christopher Haster	1:24750b9ad5ef	3336	ret = mbedtls_ssl_write_certificate( ssl );
Christopher Haster	1:24750b9ad5ef	3337	break;
Christopher Haster	1:24750b9ad5ef	3338
Christopher Haster	1:24750b9ad5ef	3339	case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Christopher Haster	1:24750b9ad5ef	3340	ret = ssl_write_client_key_exchange( ssl );
Christopher Haster	1:24750b9ad5ef	3341	break;
Christopher Haster	1:24750b9ad5ef	3342
Christopher Haster	1:24750b9ad5ef	3343	case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Christopher Haster	1:24750b9ad5ef	3344	ret = ssl_write_certificate_verify( ssl );
Christopher Haster	1:24750b9ad5ef	3345	break;
Christopher Haster	1:24750b9ad5ef	3346
Christopher Haster	1:24750b9ad5ef	3347	case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Christopher Haster	1:24750b9ad5ef	3348	ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Christopher Haster	1:24750b9ad5ef	3349	break;
Christopher Haster	1:24750b9ad5ef	3350
Christopher Haster	1:24750b9ad5ef	3351	case MBEDTLS_SSL_CLIENT_FINISHED:
Christopher Haster	1:24750b9ad5ef	3352	ret = mbedtls_ssl_write_finished( ssl );
Christopher Haster	1:24750b9ad5ef	3353	break;
Christopher Haster	1:24750b9ad5ef	3354
Christopher Haster	1:24750b9ad5ef	3355	/*
Christopher Haster	1:24750b9ad5ef	3356	* <== ( NewSessionTicket )
Christopher Haster	1:24750b9ad5ef	3357	* ChangeCipherSpec
Christopher Haster	1:24750b9ad5ef	3358	* Finished
Christopher Haster	1:24750b9ad5ef	3359	*/
Christopher Haster	1:24750b9ad5ef	3360	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster	1:24750b9ad5ef	3361	case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Christopher Haster	1:24750b9ad5ef	3362	ret = ssl_parse_new_session_ticket( ssl );
Christopher Haster	1:24750b9ad5ef	3363	break;
Christopher Haster	1:24750b9ad5ef	3364	#endif
Christopher Haster	1:24750b9ad5ef	3365
Christopher Haster	1:24750b9ad5ef	3366	case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
Christopher Haster	1:24750b9ad5ef	3367	ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Christopher Haster	1:24750b9ad5ef	3368	break;
Christopher Haster	1:24750b9ad5ef	3369
Christopher Haster	1:24750b9ad5ef	3370	case MBEDTLS_SSL_SERVER_FINISHED:
Christopher Haster	1:24750b9ad5ef	3371	ret = mbedtls_ssl_parse_finished( ssl );
Christopher Haster	1:24750b9ad5ef	3372	break;
Christopher Haster	1:24750b9ad5ef	3373
Christopher Haster	1:24750b9ad5ef	3374	case MBEDTLS_SSL_FLUSH_BUFFERS:
Christopher Haster	1:24750b9ad5ef	3375	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Christopher Haster	1:24750b9ad5ef	3376	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Christopher Haster	1:24750b9ad5ef	3377	break;
Christopher Haster	1:24750b9ad5ef	3378
Christopher Haster	1:24750b9ad5ef	3379	case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Christopher Haster	1:24750b9ad5ef	3380	mbedtls_ssl_handshake_wrapup( ssl );
Christopher Haster	1:24750b9ad5ef	3381	break;
Christopher Haster	1:24750b9ad5ef	3382
Christopher Haster	1:24750b9ad5ef	3383	default:
Christopher Haster	1:24750b9ad5ef	3384	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
Christopher Haster	1:24750b9ad5ef	3385	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Christopher Haster	1:24750b9ad5ef	3386	}
Christopher Haster	1:24750b9ad5ef	3387
Christopher Haster	1:24750b9ad5ef	3388	return( ret );
Christopher Haster	1:24750b9ad5ef	3389	}
Christopher Haster	1:24750b9ad5ef	3390	#endif /* MBEDTLS_SSL_CLI_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	28 Jan 2016
Imports:	47
Forks:	1
Commits:	5
Dependents:	0
Dependencies:	0
Followers:	37

This repository is Public (Unlisted).

The code in this repository is Apache licensed.

source/ssl_cli.c@4:bef26f687287, 2016-04-07 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning