Knight KE / Mbed OS Game_Master
Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ssl_srv.c Source File

ssl_srv.c

00001 /*
00002  *  SSLv3/TLSv1 server-side functions
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 
00022 #if !defined(MBEDTLS_CONFIG_FILE)
00023 #include "mbedtls/config.h"
00024 #else
00025 #include MBEDTLS_CONFIG_FILE
00026 #endif
00027 
00028 #if defined(MBEDTLS_SSL_SRV_C)
00029 
00030 #if defined(MBEDTLS_PLATFORM_C)
00031 #include "mbedtls/platform.h"
00032 #else
00033 #include <stdlib.h>
00034 #define mbedtls_calloc    calloc
00035 #define mbedtls_free      free
00036 #endif
00037 
00038 #include "mbedtls/debug.h"
00039 #include "mbedtls/ssl.h"
00040 #include "mbedtls/ssl_internal.h"
00041 #include "mbedtls/platform_util.h"
00042 
00043 #include <string.h>
00044 
00045 #if defined(MBEDTLS_ECP_C)
00046 #include "mbedtls/ecp.h"
00047 #endif
00048 
00049 #if defined(MBEDTLS_HAVE_TIME)
00050 #include "mbedtls/platform_time.h"
00051 #endif
00052 
00053 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
00054 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
00055                                  const unsigned char *info,
00056                                  size_t ilen )
00057 {
00058     if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
00059         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00060 
00061     mbedtls_free( ssl->cli_id );
00062 
00063     if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
00064         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00065 
00066     memcpy( ssl->cli_id, info, ilen );
00067     ssl->cli_id_len = ilen;
00068 
00069     return( 0 );
00070 }
00071 
00072 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
00073                            mbedtls_ssl_cookie_write_t *f_cookie_write,
00074                            mbedtls_ssl_cookie_check_t *f_cookie_check,
00075                            void *p_cookie )
00076 {
00077     conf->f_cookie_write = f_cookie_write;
00078     conf->f_cookie_check = f_cookie_check;
00079     conf->p_cookie        = p_cookie;
00080 }
00081 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
00082 
00083 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00084 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
00085                                      const unsigned char *buf,
00086                                      size_t len )
00087 {
00088     int ret;
00089     size_t servername_list_size, hostname_len;
00090     const unsigned char *p;
00091 
00092     MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
00093 
00094     servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00095     if( servername_list_size + 2 != len )
00096     {
00097         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00098         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00099                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00100         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00101     }
00102 
00103     p = buf + 2;
00104     while( servername_list_size > 0 )
00105     {
00106         hostname_len = ( ( p[1] << 8 ) | p[2] );
00107         if( hostname_len + 3 > servername_list_size )
00108         {
00109             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00110             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00111                                             MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00112             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00113         }
00114 
00115         if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
00116         {
00117             ret = ssl->conf->f_sni( ssl->conf->p_sni,
00118                                     ssl, p + 3, hostname_len );
00119             if( ret != 0 )
00120             {
00121                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
00122                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00123                         MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
00124                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00125             }
00126             return( 0 );
00127         }
00128 
00129         servername_list_size -= hostname_len + 3;
00130         p += hostname_len + 3;
00131     }
00132 
00133     if( servername_list_size != 0 )
00134     {
00135         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00136         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00137                                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00138         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00139     }
00140 
00141     return( 0 );
00142 }
00143 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
00144 
00145 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
00146                                          const unsigned char *buf,
00147                                          size_t len )
00148 {
00149 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00150     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00151     {
00152         /* Check verify-data in constant-time. The length OTOH is no secret */
00153         if( len    != 1 + ssl->verify_data_len ||
00154             buf[0] !=     ssl->verify_data_len ||
00155             mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
00156                           ssl->verify_data_len ) != 0 )
00157         {
00158             MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
00159             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00160                                             MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
00161             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00162         }
00163     }
00164     else
00165 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00166     {
00167         if( len != 1 || buf[0] != 0x0 )
00168         {
00169             MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
00170             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00171                                             MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
00172             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00173         }
00174 
00175         ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
00176     }
00177 
00178     return( 0 );
00179 }
00180 
00181 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00182     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00183 
00184 /*
00185  * Status of the implementation of signature-algorithms extension:
00186  *
00187  * Currently, we are only considering the signature-algorithm extension
00188  * to pick a ciphersuite which allows us to send the ServerKeyExchange
00189  * message with a signature-hash combination that the user allows.
00190  *
00191  * We do *not* check whether all certificates in our certificate
00192  * chain are signed with an allowed signature-hash pair.
00193  * This needs to be done at a later stage.
00194  *
00195  */
00196 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
00197                                                const unsigned char *buf,
00198                                                size_t len )
00199 {
00200     size_t sig_alg_list_size;
00201 
00202     const unsigned char *p;
00203     const unsigned char *end = buf + len;
00204 
00205     mbedtls_md_type_t md_cur;
00206     mbedtls_pk_type_t sig_cur;
00207 
00208     sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00209     if( sig_alg_list_size + 2 != len ||
00210         sig_alg_list_size % 2 != 0 )
00211     {
00212         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00213         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00214                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00215         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00216     }
00217 
00218     /* Currently we only guarantee signing the ServerKeyExchange message according
00219      * to the constraints specified in this extension (see above), so it suffices
00220      * to remember only one suitable hash for each possible signature algorithm.
00221      *
00222      * This will change when we also consider certificate signatures,
00223      * in which case we will need to remember the whole signature-hash
00224      * pair list from the extension.
00225      */
00226 
00227     for( p = buf + 2; p < end; p += 2 )
00228     {
00229         /* Silently ignore unknown signature or hash algorithms. */
00230 
00231         if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
00232         {
00233             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
00234                                         " unknown sig alg encoding %d", p[1] ) );
00235             continue;
00236         }
00237 
00238         /* Check if we support the hash the user proposes */
00239         md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
00240         if( md_cur == MBEDTLS_MD_NONE )
00241         {
00242             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
00243                                         " unknown hash alg encoding %d", p[0] ) );
00244             continue;
00245         }
00246 
00247         if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
00248         {
00249             mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
00250             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
00251                                         " match sig %d and hash %d",
00252                                         sig_cur, md_cur ) );
00253         }
00254         else
00255         {
00256             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
00257                                         "hash alg %d not supported", md_cur ) );
00258         }
00259     }
00260 
00261     return( 0 );
00262 }
00263 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
00264           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
00265 
00266 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
00267     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00268 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
00269                                                 const unsigned char *buf,
00270                                                 size_t len )
00271 {
00272     size_t list_size, our_size;
00273     const unsigned char *p;
00274     const mbedtls_ecp_curve_info *curve_info, **curves;
00275 
00276     list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00277     if( list_size + 2 != len ||
00278         list_size % 2 != 0 )
00279     {
00280         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00281         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00282                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00283         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00284     }
00285 
00286     /* Should never happen unless client duplicates the extension */
00287     if( ssl->handshake->curves != NULL )
00288     {
00289         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00290         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00291                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00292         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00293     }
00294 
00295     /* Don't allow our peer to make us allocate too much memory,
00296      * and leave room for a final 0 */
00297     our_size = list_size / 2 + 1;
00298     if( our_size > MBEDTLS_ECP_DP_MAX )
00299         our_size = MBEDTLS_ECP_DP_MAX;
00300 
00301     if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
00302     {
00303         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00304                                         MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
00305         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00306     }
00307 
00308     ssl->handshake->curves = curves;
00309 
00310     p = buf + 2;
00311     while( list_size > 0 && our_size > 1 )
00312     {
00313         curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
00314 
00315         if( curve_info != NULL )
00316         {
00317             *curves++ = curve_info;
00318             our_size--;
00319         }
00320 
00321         list_size -= 2;
00322         p += 2;
00323     }
00324 
00325     return( 0 );
00326 }
00327 
00328 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
00329                                               const unsigned char *buf,
00330                                               size_t len )
00331 {
00332     size_t list_size;
00333     const unsigned char *p;
00334 
00335     list_size = buf[0];
00336     if( list_size + 1 != len )
00337     {
00338         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00339         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00340                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00341         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00342     }
00343 
00344     p = buf + 1;
00345     while( list_size > 0 )
00346     {
00347         if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
00348             p[0] == MBEDTLS_ECP_PF_COMPRESSED )
00349         {
00350 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
00351             ssl->handshake->ecdh_ctx.point_format = p[0];
00352 #endif
00353 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00354             ssl->handshake->ecjpake_ctx.point_format = p[0];
00355 #endif
00356             MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
00357             return( 0 );
00358         }
00359 
00360         list_size--;
00361         p++;
00362     }
00363 
00364     return( 0 );
00365 }
00366 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
00367           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
00368 
00369 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00370 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
00371                                    const unsigned char *buf,
00372                                    size_t len )
00373 {
00374     int ret;
00375 
00376     if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
00377     {
00378         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
00379         return( 0 );
00380     }
00381 
00382     if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
00383                                                 buf, len ) ) != 0 )
00384     {
00385         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
00386         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00387                                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00388         return( ret );
00389     }
00390 
00391     /* Only mark the extension as OK when we're sure it is */
00392     ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
00393 
00394     return( 0 );
00395 }
00396 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
00397 
00398 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
00399 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
00400                                               const unsigned char *buf,
00401                                               size_t len )
00402 {
00403     if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
00404     {
00405         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00406         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00407                                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00408         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00409     }
00410 
00411     ssl->session_negotiate->mfl_code = buf[0];
00412 
00413     return( 0 );
00414 }
00415 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
00416 
00417 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
00418 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
00419                                          const unsigned char *buf,
00420                                          size_t len )
00421 {
00422     if( len != 0 )
00423     {
00424         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00425         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00426                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00427         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00428     }
00429 
00430     ((void) buf);
00431 
00432     if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
00433         ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
00434 
00435     return( 0 );
00436 }
00437 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
00438 
00439 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
00440 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
00441                                       const unsigned char *buf,
00442                                       size_t len )
00443 {
00444     if( len != 0 )
00445     {
00446         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00447         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00448                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00449         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00450     }
00451 
00452     ((void) buf);
00453 
00454     if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
00455         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
00456     {
00457         ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
00458     }
00459 
00460     return( 0 );
00461 }
00462 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
00463 
00464 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
00465 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
00466                                       const unsigned char *buf,
00467                                       size_t len )
00468 {
00469     if( len != 0 )
00470     {
00471         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00472         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00473                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00474         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00475     }
00476 
00477     ((void) buf);
00478 
00479     if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
00480         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
00481     {
00482         ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
00483     }
00484 
00485     return( 0 );
00486 }
00487 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
00488 
00489 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
00490 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
00491                                          unsigned char *buf,
00492                                          size_t len )
00493 {
00494     int ret;
00495     mbedtls_ssl_session session;
00496 
00497     mbedtls_ssl_session_init( &session );
00498 
00499     if( ssl->conf->f_ticket_parse == NULL ||
00500         ssl->conf->f_ticket_write == NULL )
00501     {
00502         return( 0 );
00503     }
00504 
00505     /* Remember the client asked us to send a new ticket */
00506     ssl->handshake->new_session_ticket = 1;
00507 
00508     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
00509 
00510     if( len == 0 )
00511         return( 0 );
00512 
00513 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00514     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00515     {
00516         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
00517         return( 0 );
00518     }
00519 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00520 
00521     /*
00522      * Failures are ok: just ignore the ticket and proceed.
00523      */
00524     if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
00525                                            buf, len ) ) != 0 )
00526     {
00527         mbedtls_ssl_session_free( &session );
00528 
00529         if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
00530             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
00531         else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
00532             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
00533         else
00534             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
00535 
00536         return( 0 );
00537     }
00538 
00539     /*
00540      * Keep the session ID sent by the client, since we MUST send it back to
00541      * inform them we're accepting the ticket  (RFC 5077 section 3.4)
00542      */
00543     session.id_len = ssl->session_negotiate->id_len;
00544     memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
00545 
00546     mbedtls_ssl_session_free( ssl->session_negotiate );
00547     memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
00548 
00549     /* Zeroize instead of free as we copied the content */
00550     mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
00551 
00552     MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
00553 
00554     ssl->handshake->resume = 1;
00555 
00556     /* Don't send a new ticket after all, this one is OK */
00557     ssl->handshake->new_session_ticket = 0;
00558 
00559     return( 0 );
00560 }
00561 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
00562 
00563 #if defined(MBEDTLS_SSL_ALPN)
00564 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
00565                                const unsigned char *buf, size_t len )
00566 {
00567     size_t list_len, cur_len, ours_len;
00568     const unsigned char *theirs, *start, *end;
00569     const char **ours;
00570 
00571     /* If ALPN not configured, just ignore the extension */
00572     if( ssl->conf->alpn_list == NULL )
00573         return( 0 );
00574 
00575     /*
00576      * opaque ProtocolName<1..2^8-1>;
00577      *
00578      * struct {
00579      *     ProtocolName protocol_name_list<2..2^16-1>
00580      * } ProtocolNameList;
00581      */
00582 
00583     /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
00584     if( len < 4 )
00585     {
00586         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00587                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00588         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00589     }
00590 
00591     list_len = ( buf[0] << 8 ) | buf[1];
00592     if( list_len != len - 2 )
00593     {
00594         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00595                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00596         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00597     }
00598 
00599     /*
00600      * Validate peer's list (lengths)
00601      */
00602     start = buf + 2;
00603     end = buf + len;
00604     for( theirs = start; theirs != end; theirs += cur_len )
00605     {
00606         cur_len = *theirs++;
00607 
00608         /* Current identifier must fit in list */
00609         if( cur_len > (size_t)( end - theirs ) )
00610         {
00611             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00612                                             MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00613             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00614         }
00615 
00616         /* Empty strings MUST NOT be included */
00617         if( cur_len == 0 )
00618         {
00619             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00620                                             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00621             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00622         }
00623     }
00624 
00625     /*
00626      * Use our order of preference
00627      */
00628     for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
00629     {
00630         ours_len = strlen( *ours );
00631         for( theirs = start; theirs != end; theirs += cur_len )
00632         {
00633             cur_len = *theirs++;
00634 
00635             if( cur_len == ours_len &&
00636                 memcmp( theirs, *ours, cur_len ) == 0 )
00637             {
00638                 ssl->alpn_chosen = *ours;
00639                 return( 0 );
00640             }
00641         }
00642     }
00643 
00644     /* If we get there, no match was found */
00645     mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00646                             MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
00647     return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00648 }
00649 #endif /* MBEDTLS_SSL_ALPN */
00650 
00651 /*
00652  * Auxiliary functions for ServerHello parsing and related actions
00653  */
00654 
00655 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00656 /*
00657  * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
00658  */
00659 #if defined(MBEDTLS_ECDSA_C)
00660 static int ssl_check_key_curve( mbedtls_pk_context *pk,
00661                                 const mbedtls_ecp_curve_info **curves )
00662 {
00663     const mbedtls_ecp_curve_info **crv = curves;
00664     mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ;
00665 
00666     while( *crv != NULL )
00667     {
00668         if( (*crv)->grp_id == grp_id )
00669             return( 0 );
00670         crv++;
00671     }
00672 
00673     return( -1 );
00674 }
00675 #endif /* MBEDTLS_ECDSA_C */
00676 
00677 /*
00678  * Try picking a certificate for this ciphersuite,
00679  * return 0 on success and -1 on failure.
00680  */
00681 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
00682                           const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
00683 {
00684     mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
00685     mbedtls_pk_type_t pk_alg =
00686         mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
00687     uint32_t flags;
00688 
00689 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00690     if( ssl->handshake->sni_key_cert != NULL )
00691         list = ssl->handshake->sni_key_cert;
00692     else
00693 #endif
00694         list = ssl->conf->key_cert;
00695 
00696     if( pk_alg == MBEDTLS_PK_NONE )
00697         return( 0 );
00698 
00699     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
00700 
00701     if( list == NULL )
00702     {
00703         MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
00704         return( -1 );
00705     }
00706 
00707     for( cur = list; cur != NULL; cur = cur->next )
00708     {
00709         MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
00710                           cur->cert );
00711 
00712         if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
00713         {
00714             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
00715             continue;
00716         }
00717 
00718         /*
00719          * This avoids sending the client a cert it'll reject based on
00720          * keyUsage or other extensions.
00721          *
00722          * It also allows the user to provision different certificates for
00723          * different uses based on keyUsage, eg if they want to avoid signing
00724          * and decrypting with the same RSA key.
00725          */
00726         if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
00727                                   MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
00728         {
00729             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
00730                                 "(extended) key usage extension" ) );
00731             continue;
00732         }
00733 
00734 #if defined(MBEDTLS_ECDSA_C)
00735         if( pk_alg == MBEDTLS_PK_ECDSA &&
00736             ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
00737         {
00738             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
00739             continue;
00740         }
00741 #endif
00742 
00743         /*
00744          * Try to select a SHA-1 certificate for pre-1.2 clients, but still
00745          * present them a SHA-higher cert rather than failing if it's the only
00746          * one we got that satisfies the other conditions.
00747          */
00748         if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
00749             cur->cert->sig_md != MBEDTLS_MD_SHA1 )
00750         {
00751             if( fallback == NULL )
00752                 fallback = cur;
00753             {
00754                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
00755                                     "sha-2 with pre-TLS 1.2 client" ) );
00756             continue;
00757             }
00758         }
00759 
00760         /* If we get there, we got a winner */
00761         break;
00762     }
00763 
00764     if( cur == NULL )
00765         cur = fallback;
00766 
00767     /* Do not update ssl->handshake->key_cert unless there is a match */
00768     if( cur != NULL )
00769     {
00770         ssl->handshake->key_cert = cur;
00771         MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
00772                           ssl->handshake->key_cert->cert );
00773         return( 0 );
00774     }
00775 
00776     return( -1 );
00777 }
00778 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00779 
00780 /*
00781  * Check if a given ciphersuite is suitable for use with our config/keys/etc
00782  * Sets ciphersuite_info only if the suite matches.
00783  */
00784 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
00785                                   const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
00786 {
00787     const mbedtls_ssl_ciphersuite_t *suite_info;
00788 
00789 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00790     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00791     mbedtls_pk_type_t sig_type;
00792 #endif
00793 
00794     suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
00795     if( suite_info == NULL )
00796     {
00797         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00798         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00799     }
00800 
00801     MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
00802 
00803     if( suite_info->min_minor_ver > ssl->minor_ver ||
00804         suite_info->max_minor_ver < ssl->minor_ver )
00805     {
00806         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
00807         return( 0 );
00808     }
00809 
00810 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00811     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
00812         ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
00813         return( 0 );
00814 #endif
00815 
00816 #if defined(MBEDTLS_ARC4_C)
00817     if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
00818             suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
00819     {
00820         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
00821         return( 0 );
00822     }
00823 #endif
00824 
00825 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00826     if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
00827         ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
00828     {
00829         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
00830                                     "not configured or ext missing" ) );
00831         return( 0 );
00832     }
00833 #endif
00834 
00835 
00836 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
00837     if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
00838         ( ssl->handshake->curves == NULL ||
00839           ssl->handshake->curves[0] == NULL ) )
00840     {
00841         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00842                             "no common elliptic curve" ) );
00843         return( 0 );
00844     }
00845 #endif
00846 
00847 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
00848     /* If the ciphersuite requires a pre-shared key and we don't
00849      * have one, skip it now rather than failing later */
00850     if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
00851         ssl->conf->f_psk == NULL &&
00852         ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
00853           ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
00854     {
00855         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
00856         return( 0 );
00857     }
00858 #endif
00859 
00860 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00861     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00862     /* If the ciphersuite requires signing, check whether
00863      * a suitable hash algorithm is present. */
00864     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00865     {
00866         sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
00867         if( sig_type != MBEDTLS_PK_NONE &&
00868             mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
00869         {
00870             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
00871                                         "for signature algorithm %d", sig_type ) );
00872             return( 0 );
00873         }
00874     }
00875 
00876 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
00877           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
00878 
00879 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00880     /*
00881      * Final check: if ciphersuite requires us to have a
00882      * certificate/key of a particular type:
00883      * - select the appropriate certificate if we have one, or
00884      * - try the next ciphersuite if we don't
00885      * This must be done last since we modify the key_cert list.
00886      */
00887     if( ssl_pick_cert( ssl, suite_info ) != 0 )
00888     {
00889         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00890                             "no suitable certificate" ) );
00891         return( 0 );
00892     }
00893 #endif
00894 
00895     *ciphersuite_info = suite_info;
00896     return( 0 );
00897 }
00898 
00899 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
00900 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
00901 {
00902     int ret, got_common_suite;
00903     unsigned int i, j;
00904     size_t n;
00905     unsigned int ciph_len, sess_len, chal_len;
00906     unsigned char *buf, *p;
00907     const int *ciphersuites;
00908     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
00909 
00910     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
00911 
00912 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00913     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00914     {
00915         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
00916         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00917                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
00918         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00919     }
00920 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00921 
00922     buf = ssl->in_hdr;
00923 
00924     MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00925 
00926     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
00927                    buf[2] ) );
00928     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
00929                    ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
00930     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
00931                    buf[3], buf[4] ) );
00932 
00933     /*
00934      * SSLv2 Client Hello
00935      *
00936      * Record layer:
00937      *     0  .   1   message length
00938      *
00939      * SSL layer:
00940      *     2  .   2   message type
00941      *     3  .   4   protocol version
00942      */
00943     if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
00944         buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
00945     {
00946         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00947         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00948     }
00949 
00950     n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
00951 
00952     if( n < 17 || n > 512 )
00953     {
00954         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00955         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00956     }
00957 
00958     ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
00959     ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
00960                      ? buf[4]  : ssl->conf->max_minor_ver;
00961 
00962     if( ssl->minor_ver < ssl->conf->min_minor_ver )
00963     {
00964         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
00965                             " [%d:%d] < [%d:%d]",
00966                             ssl->major_ver, ssl->minor_ver,
00967                             ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
00968 
00969         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00970                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
00971         return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
00972     }
00973 
00974     ssl->handshake->max_major_ver = buf[3];
00975     ssl->handshake->max_minor_ver = buf[4];
00976 
00977     if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
00978     {
00979         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
00980         return( ret );
00981     }
00982 
00983     ssl->handshake->update_checksum( ssl, buf + 2, n );
00984 
00985     buf = ssl->in_msg;
00986     n = ssl->in_left - 5;
00987 
00988     /*
00989      *    0  .   1   ciphersuitelist length
00990      *    2  .   3   session id length
00991      *    4  .   5   challenge length
00992      *    6  .  ..   ciphersuitelist
00993      *   ..  .  ..   session id
00994      *   ..  .  ..   challenge
00995      */
00996     MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
00997 
00998     ciph_len = ( buf[0] << 8 ) | buf[1];
00999     sess_len = ( buf[2] << 8 ) | buf[3];
01000     chal_len = ( buf[4] << 8 ) | buf[5];
01001 
01002     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
01003                    ciph_len, sess_len, chal_len ) );
01004 
01005     /*
01006      * Make sure each parameter length is valid
01007      */
01008     if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
01009     {
01010         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01011         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01012     }
01013 
01014     if( sess_len > 32 )
01015     {
01016         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01017         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01018     }
01019 
01020     if( chal_len < 8 || chal_len > 32 )
01021     {
01022         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01023         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01024     }
01025 
01026     if( n != 6 + ciph_len + sess_len + chal_len )
01027     {
01028         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01029         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01030     }
01031 
01032     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01033                    buf + 6, ciph_len );
01034     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
01035                    buf + 6 + ciph_len, sess_len );
01036     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
01037                    buf + 6 + ciph_len + sess_len, chal_len );
01038 
01039     p = buf + 6 + ciph_len;
01040     ssl->session_negotiate->id_len = sess_len;
01041     memset( ssl->session_negotiate->id, 0,
01042             sizeof( ssl->session_negotiate->id ) );
01043     memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
01044 
01045     p += sess_len;
01046     memset( ssl->handshake->randbytes, 0, 64 );
01047     memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
01048 
01049     /*
01050      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01051      */
01052     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
01053     {
01054         if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
01055         {
01056             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01057 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01058             if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01059             {
01060                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
01061                                     "during renegotiation" ) );
01062 
01063                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01064                                                 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01065                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01066             }
01067 #endif /* MBEDTLS_SSL_RENEGOTIATION */
01068             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
01069             break;
01070         }
01071     }
01072 
01073 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
01074     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
01075     {
01076         if( p[0] == 0 &&
01077             p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
01078             p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
01079         {
01080             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
01081 
01082             if( ssl->minor_ver < ssl->conf->max_minor_ver )
01083             {
01084                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
01085 
01086                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01087                                         MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
01088 
01089                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01090             }
01091 
01092             break;
01093         }
01094     }
01095 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
01096 
01097     got_common_suite = 0;
01098     ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
01099     ciphersuite_info = NULL;
01100 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01101     for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01102         for( i = 0; ciphersuites[i] != 0; i++ )
01103 #else
01104     for( i = 0; ciphersuites[i] != 0; i++ )
01105         for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01106 #endif
01107         {
01108             if( p[0] != 0 ||
01109                 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01110                 p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
01111                 continue;
01112 
01113             got_common_suite = 1;
01114 
01115             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01116                                                &ciphersuite_info ) ) != 0 )
01117                 return( ret );
01118 
01119             if( ciphersuite_info != NULL )
01120                 goto have_ciphersuite_v2;
01121         }
01122 
01123     if( got_common_suite )
01124     {
01125         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01126                             "but none of them usable" ) );
01127         return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
01128     }
01129     else
01130     {
01131         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01132         return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
01133     }
01134 
01135 have_ciphersuite_v2:
01136     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01137 
01138     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01139     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01140 
01141     /*
01142      * SSLv2 Client Hello relevant renegotiation security checks
01143      */
01144     if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01145         ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
01146     {
01147         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01148         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01149                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01150         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01151     }
01152 
01153     ssl->in_left = 0;
01154     ssl->state++;
01155 
01156     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
01157 
01158     return( 0 );
01159 }
01160 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
01161 
01162 /* This function doesn't alert on errors that happen early during
01163    ClientHello parsing because they might indicate that the client is
01164    not talking SSL/TLS at all and would not understand our alert. */
01165 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
01166 {
01167     int ret, got_common_suite;
01168     size_t i, j;
01169     size_t ciph_offset, comp_offset, ext_offset;
01170     size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
01171 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01172     size_t cookie_offset, cookie_len;
01173 #endif
01174     unsigned char *buf, *p, *ext;
01175 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01176     int renegotiation_info_seen = 0;
01177 #endif
01178     int handshake_failure = 0;
01179     const int *ciphersuites;
01180     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
01181     int major, minor;
01182 
01183     /* If there is no signature-algorithm extension present,
01184      * we need to fall back to the default values for allowed
01185      * signature-hash pairs. */
01186 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
01187     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01188     int sig_hash_alg_ext_present = 0;
01189 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
01190           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
01191 
01192     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
01193 
01194 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01195 read_record_header:
01196 #endif
01197     /*
01198      * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
01199      * otherwise read it ourselves manually in order to support SSLv2
01200      * ClientHello, which doesn't use the same record layer format.
01201      */
01202 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01203     if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
01204 #endif
01205     {
01206         if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
01207         {
01208             /* No alert on a read error. */
01209             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
01210             return( ret );
01211         }
01212     }
01213 
01214     buf = ssl->in_hdr;
01215 
01216 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
01217 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01218     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
01219 #endif
01220         if( ( buf[0] & 0x80 ) != 0 )
01221             return( ssl_parse_client_hello_v2( ssl ) );
01222 #endif
01223 
01224     MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
01225 
01226     /*
01227      * SSLv3/TLS Client Hello
01228      *
01229      * Record layer:
01230      *     0  .   0   message type
01231      *     1  .   2   protocol version
01232      *     3  .   11  DTLS: epoch + record sequence number
01233      *     3  .   4   message length
01234      */
01235     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
01236                    buf[0] ) );
01237 
01238     if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
01239     {
01240         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01241         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01242     }
01243 
01244     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
01245                    ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
01246 
01247     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
01248                    buf[1], buf[2] ) );
01249 
01250     mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
01251 
01252     /* According to RFC 5246 Appendix E.1, the version here is typically
01253      * "{03,00}, the lowest version number supported by the client, [or] the
01254      * value of ClientHello.client_version", so the only meaningful check here
01255      * is the major version shouldn't be less than 3 */
01256     if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
01257     {
01258         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01259         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01260     }
01261 
01262     /* For DTLS if this is the initial handshake, remember the client sequence
01263      * number to use it in our next message (RFC 6347 4.2.1) */
01264 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01265     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
01266 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01267         && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
01268 #endif
01269         )
01270     {
01271         /* Epoch should be 0 for initial handshakes */
01272         if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
01273         {
01274             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01275             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01276         }
01277 
01278         memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
01279 
01280 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01281         if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
01282         {
01283             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
01284             ssl->next_record_offset = 0;
01285             ssl->in_left = 0;
01286             goto read_record_header;
01287         }
01288 
01289         /* No MAC to check yet, so we can update right now */
01290         mbedtls_ssl_dtls_replay_update( ssl );
01291 #endif
01292     }
01293 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01294 
01295     msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
01296 
01297 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01298     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
01299     {
01300         /* Set by mbedtls_ssl_read_record() */
01301         msg_len = ssl->in_hslen;
01302     }
01303     else
01304 #endif
01305     {
01306         if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
01307         {
01308             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01309             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01310         }
01311 
01312         if( ( ret = mbedtls_ssl_fetch_input( ssl,
01313                        mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
01314         {
01315             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
01316             return( ret );
01317         }
01318 
01319     /* Done reading this record, get ready for the next one */
01320 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01321         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01322             ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
01323         else
01324 #endif
01325             ssl->in_left = 0;
01326     }
01327 
01328     buf = ssl->in_msg;
01329 
01330     MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
01331 
01332     ssl->handshake->update_checksum( ssl, buf, msg_len );
01333 
01334     /*
01335      * Handshake layer:
01336      *     0  .   0   handshake type
01337      *     1  .   3   handshake length
01338      *     4  .   5   DTLS only: message seqence number
01339      *     6  .   8   DTLS only: fragment offset
01340      *     9  .  11   DTLS only: fragment length
01341      */
01342     if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
01343     {
01344         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01345         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01346     }
01347 
01348     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
01349 
01350     if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
01351     {
01352         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01353         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01354     }
01355 
01356     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
01357                    ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
01358 
01359     /* We don't support fragmentation of ClientHello (yet?) */
01360     if( buf[1] != 0 ||
01361         msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
01362     {
01363         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01364         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01365     }
01366 
01367 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01368     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01369     {
01370         /*
01371          * Copy the client's handshake message_seq on initial handshakes,
01372          * check sequence number on renego.
01373          */
01374 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01375         if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01376         {
01377             /* This couldn't be done in ssl_prepare_handshake_record() */
01378             unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
01379                                          ssl->in_msg[5];
01380 
01381             if( cli_msg_seq != ssl->handshake->in_msg_seq )
01382             {
01383                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
01384                                     "%d (expected %d)", cli_msg_seq,
01385                                     ssl->handshake->in_msg_seq ) );
01386                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01387             }
01388 
01389             ssl->handshake->in_msg_seq++;
01390         }
01391         else
01392 #endif
01393         {
01394             unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
01395                                          ssl->in_msg[5];
01396             ssl->handshake->out_msg_seq = cli_msg_seq;
01397             ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
01398         }
01399 
01400         /*
01401          * For now we don't support fragmentation, so make sure
01402          * fragment_offset == 0 and fragment_length == length
01403          */
01404         if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
01405             memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
01406         {
01407             MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
01408             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
01409         }
01410     }
01411 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01412 
01413     buf += mbedtls_ssl_hs_hdr_len( ssl );
01414     msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
01415 
01416     /*
01417      * ClientHello layer:
01418      *     0  .   1   protocol version
01419      *     2  .  33   random bytes (starting with 4 bytes of Unix time)
01420      *    34  .  35   session id length (1 byte)
01421      *    35  . 34+x  session id
01422      *   35+x . 35+x  DTLS only: cookie length (1 byte)
01423      *   36+x .  ..   DTLS only: cookie
01424      *    ..  .  ..   ciphersuite list length (2 bytes)
01425      *    ..  .  ..   ciphersuite list
01426      *    ..  .  ..   compression alg. list length (1 byte)
01427      *    ..  .  ..   compression alg. list
01428      *    ..  .  ..   extensions length (2 bytes, optional)
01429      *    ..  .  ..   extensions (optional)
01430      */
01431 
01432     /*
01433      * Minimal length (with everything empty and extensions ommitted) is
01434      * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
01435      * read at least up to session id length without worrying.
01436      */
01437     if( msg_len < 38 )
01438     {
01439         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01440         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01441     }
01442 
01443     /*
01444      * Check and save the protocol version
01445      */
01446     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
01447 
01448     mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
01449                       ssl->conf->transport, buf );
01450 
01451     ssl->handshake->max_major_ver = ssl->major_ver;
01452     ssl->handshake->max_minor_ver = ssl->minor_ver;
01453 
01454     if( ssl->major_ver < ssl->conf->min_major_ver ||
01455         ssl->minor_ver < ssl->conf->min_minor_ver )
01456     {
01457         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
01458                             " [%d:%d] < [%d:%d]",
01459                             ssl->major_ver, ssl->minor_ver,
01460                             ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
01461         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01462                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
01463         return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
01464     }
01465 
01466     if( ssl->major_ver > ssl->conf->max_major_ver )
01467     {
01468         ssl->major_ver = ssl->conf->max_major_ver;
01469         ssl->minor_ver = ssl->conf->max_minor_ver;
01470     }
01471     else if( ssl->minor_ver > ssl->conf->max_minor_ver )
01472         ssl->minor_ver = ssl->conf->max_minor_ver;
01473 
01474     /*
01475      * Save client random (inc. Unix time)
01476      */
01477     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
01478 
01479     memcpy( ssl->handshake->randbytes, buf + 2, 32 );
01480 
01481     /*
01482      * Check the session ID length and save session ID
01483      */
01484     sess_len = buf[34];
01485 
01486     if( sess_len > sizeof( ssl->session_negotiate->id ) ||
01487         sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
01488     {
01489         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01490         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01491                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01492         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01493     }
01494 
01495     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
01496 
01497     ssl->session_negotiate->id_len = sess_len;
01498     memset( ssl->session_negotiate->id, 0,
01499             sizeof( ssl->session_negotiate->id ) );
01500     memcpy( ssl->session_negotiate->id, buf + 35,
01501             ssl->session_negotiate->id_len );
01502 
01503     /*
01504      * Check the cookie length and content
01505      */
01506 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01507     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01508     {
01509         cookie_offset = 35 + sess_len;
01510         cookie_len = buf[cookie_offset];
01511 
01512         if( cookie_offset + 1 + cookie_len + 2 > msg_len )
01513         {
01514             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01515             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01516                                             MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
01517             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01518         }
01519 
01520         MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
01521                        buf + cookie_offset + 1, cookie_len );
01522 
01523 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
01524         if( ssl->conf->f_cookie_check != NULL
01525 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01526             && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
01527 #endif
01528             )
01529         {
01530             if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
01531                                      buf + cookie_offset + 1, cookie_len,
01532                                      ssl->cli_id, ssl->cli_id_len ) != 0 )
01533             {
01534                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
01535                 ssl->handshake->verify_cookie_len = 1;
01536             }
01537             else
01538             {
01539                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
01540                 ssl->handshake->verify_cookie_len = 0;
01541             }
01542         }
01543         else
01544 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
01545         {
01546             /* We know we didn't send a cookie, so it should be empty */
01547             if( cookie_len != 0 )
01548             {
01549                 /* This may be an attacker's probe, so don't send an alert */
01550                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01551                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01552             }
01553 
01554             MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
01555         }
01556 
01557     /*
01558      * Check the ciphersuitelist length (will be parsed later)
01559      */
01560         ciph_offset = cookie_offset + 1 + cookie_len;
01561     }
01562     else
01563 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01564         ciph_offset = 35 + sess_len;
01565 
01566     ciph_len = ( buf[ciph_offset + 0] << 8 )
01567              | ( buf[ciph_offset + 1]      );
01568 
01569     if( ciph_len < 2 ||
01570         ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
01571         ( ciph_len % 2 ) != 0 )
01572     {
01573         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01574         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01575                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01576         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01577     }
01578 
01579     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01580                    buf + ciph_offset + 2,  ciph_len );
01581 
01582     /*
01583      * Check the compression algorithms length and pick one
01584      */
01585     comp_offset = ciph_offset + 2 + ciph_len;
01586 
01587     comp_len = buf[comp_offset];
01588 
01589     if( comp_len < 1 ||
01590         comp_len > 16 ||
01591         comp_len + comp_offset + 1 > msg_len )
01592     {
01593         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01594         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01595                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01596         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01597     }
01598 
01599     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
01600                       buf + comp_offset + 1, comp_len );
01601 
01602     ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
01603 #if defined(MBEDTLS_ZLIB_SUPPORT)
01604     for( i = 0; i < comp_len; ++i )
01605     {
01606         if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
01607         {
01608             ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
01609             break;
01610         }
01611     }
01612 #endif
01613 
01614     /* See comments in ssl_write_client_hello() */
01615 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01616     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01617         ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
01618 #endif
01619 
01620     /* Do not parse the extensions if the protocol is SSLv3 */
01621 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01622     if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
01623     {
01624 #endif
01625         /*
01626          * Check the extension length
01627          */
01628         ext_offset = comp_offset + 1 + comp_len;
01629         if( msg_len > ext_offset )
01630         {
01631             if( msg_len < ext_offset + 2 )
01632             {
01633                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01634                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01635                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01636                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01637             }
01638 
01639             ext_len = ( buf[ext_offset + 0] << 8 )
01640                     | ( buf[ext_offset + 1]      );
01641 
01642             if( ( ext_len > 0 && ext_len < 4 ) ||
01643                 msg_len != ext_offset + 2 + ext_len )
01644             {
01645                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01646                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01647                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01648                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01649             }
01650         }
01651         else
01652             ext_len = 0;
01653 
01654         ext = buf + ext_offset + 2;
01655         MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
01656 
01657         while( ext_len != 0 )
01658         {
01659             unsigned int ext_id   = ( ( ext[0] <<  8 )
01660                                     | ( ext[1]       ) );
01661             unsigned int ext_size = ( ( ext[2] <<  8 )
01662                                     | ( ext[3]       ) );
01663 
01664             if( ext_size + 4 > ext_len )
01665             {
01666                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01667                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01668                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01669                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01670             }
01671             switch( ext_id )
01672             {
01673 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
01674             case MBEDTLS_TLS_EXT_SERVERNAME:
01675                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
01676                 if( ssl->conf->f_sni == NULL )
01677                     break;
01678 
01679                 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
01680                 if( ret != 0 )
01681                     return( ret );
01682                 break;
01683 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
01684 
01685             case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
01686                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
01687 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01688                 renegotiation_info_seen = 1;
01689 #endif
01690 
01691                 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
01692                 if( ret != 0 )
01693                     return( ret );
01694                 break;
01695 
01696 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
01697     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01698             case MBEDTLS_TLS_EXT_SIG_ALG:
01699                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
01700 
01701                 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
01702                 if( ret != 0 )
01703                     return( ret );
01704 
01705                 sig_hash_alg_ext_present = 1;
01706                 break;
01707 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
01708           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
01709 
01710 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
01711     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
01712             case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
01713                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
01714 
01715                 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
01716                 if( ret != 0 )
01717                     return( ret );
01718                 break;
01719 
01720             case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
01721                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
01722                 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
01723 
01724                 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
01725                 if( ret != 0 )
01726                     return( ret );
01727                 break;
01728 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
01729           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
01730 
01731 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
01732             case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
01733                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
01734 
01735                 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
01736                 if( ret != 0 )
01737                     return( ret );
01738                 break;
01739 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
01740 
01741 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
01742             case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
01743                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
01744 
01745                 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
01746                 if( ret != 0 )
01747                     return( ret );
01748                 break;
01749 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
01750 
01751 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
01752             case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
01753                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
01754 
01755                 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
01756                 if( ret != 0 )
01757                     return( ret );
01758                 break;
01759 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
01760 
01761 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01762             case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
01763                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
01764 
01765                 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
01766                 if( ret != 0 )
01767                     return( ret );
01768                 break;
01769 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01770 
01771 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
01772             case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
01773                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
01774 
01775                 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
01776                 if( ret != 0 )
01777                     return( ret );
01778                 break;
01779 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
01780 
01781 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
01782             case MBEDTLS_TLS_EXT_SESSION_TICKET:
01783                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
01784 
01785                 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
01786                 if( ret != 0 )
01787                     return( ret );
01788                 break;
01789 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
01790 
01791 #if defined(MBEDTLS_SSL_ALPN)
01792             case MBEDTLS_TLS_EXT_ALPN:
01793                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
01794 
01795                 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
01796                 if( ret != 0 )
01797                     return( ret );
01798                 break;
01799 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
01800 
01801             default:
01802                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
01803                                ext_id ) );
01804             }
01805 
01806             ext_len -= 4 + ext_size;
01807             ext += 4 + ext_size;
01808 
01809             if( ext_len > 0 && ext_len < 4 )
01810             {
01811                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01812                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01813                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01814                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01815             }
01816         }
01817 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01818     }
01819 #endif
01820 
01821 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
01822     for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
01823     {
01824         if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
01825             p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
01826         {
01827             MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
01828 
01829             if( ssl->minor_ver < ssl->conf->max_minor_ver )
01830             {
01831                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
01832 
01833                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01834                                         MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
01835 
01836                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01837             }
01838 
01839             break;
01840         }
01841     }
01842 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
01843 
01844 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
01845     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01846 
01847     /*
01848      * Try to fall back to default hash SHA1 if the client
01849      * hasn't provided any preferred signature-hash combinations.
01850      */
01851     if( sig_hash_alg_ext_present == 0 )
01852     {
01853         mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
01854 
01855         if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
01856             md_default = MBEDTLS_MD_NONE;
01857 
01858         mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
01859     }
01860 
01861 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
01862           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
01863 
01864     /*
01865      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01866      */
01867     for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
01868     {
01869         if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
01870         {
01871             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01872 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01873             if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01874             {
01875                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
01876                                             "during renegotiation" ) );
01877                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01878                                                 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01879                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01880             }
01881 #endif
01882             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
01883             break;
01884         }
01885     }
01886 
01887     /*
01888      * Renegotiation security checks
01889      */
01890     if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
01891         ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
01892     {
01893         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01894         handshake_failure = 1;
01895     }
01896 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01897     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01898              ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
01899              renegotiation_info_seen == 0 )
01900     {
01901         MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
01902         handshake_failure = 1;
01903     }
01904     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01905              ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01906              ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
01907     {
01908         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
01909         handshake_failure = 1;
01910     }
01911     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01912              ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01913              renegotiation_info_seen == 1 )
01914     {
01915         MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
01916         handshake_failure = 1;
01917     }
01918 #endif /* MBEDTLS_SSL_RENEGOTIATION */
01919 
01920     if( handshake_failure == 1 )
01921     {
01922         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01923                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01924         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01925     }
01926 
01927     /*
01928      * Search for a matching ciphersuite
01929      * (At the end because we need information from the EC-based extensions
01930      * and certificate from the SNI callback triggered by the SNI extension.)
01931      */
01932     got_common_suite = 0;
01933     ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
01934     ciphersuite_info = NULL;
01935 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01936     for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
01937         for( i = 0; ciphersuites[i] != 0; i++ )
01938 #else
01939     for( i = 0; ciphersuites[i] != 0; i++ )
01940         for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
01941 #endif
01942         {
01943             if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01944                 p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
01945                 continue;
01946 
01947             got_common_suite = 1;
01948 
01949             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01950                                                &ciphersuite_info ) ) != 0 )
01951                 return( ret );
01952 
01953             if( ciphersuite_info != NULL )
01954                 goto have_ciphersuite;
01955         }
01956 
01957     if( got_common_suite )
01958     {
01959         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01960                             "but none of them usable" ) );
01961         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01962                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01963         return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
01964     }
01965     else
01966     {
01967         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01968         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01969                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01970         return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
01971     }
01972 
01973 have_ciphersuite:
01974     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01975 
01976     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01977     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01978 
01979     ssl->state++;
01980 
01981 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01982     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01983         mbedtls_ssl_recv_flight_completed( ssl );
01984 #endif
01985 
01986     /* Debugging-only output for testsuite */
01987 #if defined(MBEDTLS_DEBUG_C)                         && \
01988     defined(MBEDTLS_SSL_PROTO_TLS1_2)                && \
01989     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01990     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
01991     {
01992         mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
01993         if( sig_alg != MBEDTLS_PK_NONE )
01994         {
01995             mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
01996                                                                   sig_alg );
01997             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
01998                                         mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
01999         }
02000         else
02001         {
02002             MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
02003                                         "%d - should not happen", sig_alg ) );
02004         }
02005     }
02006 #endif
02007 
02008     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
02009 
02010     return( 0 );
02011 }
02012 
02013 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
02014 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
02015                                           unsigned char *buf,
02016                                           size_t *olen )
02017 {
02018     unsigned char *p = buf;
02019 
02020     if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
02021     {
02022         *olen = 0;
02023         return;
02024     }
02025 
02026     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
02027 
02028     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
02029     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
02030 
02031     *p++ = 0x00;
02032     *p++ = 0x00;
02033 
02034     *olen = 4;
02035 }
02036 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
02037 
02038 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
02039 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
02040                                             unsigned char *buf,
02041                                             size_t *olen )
02042 {
02043     unsigned char *p = buf;
02044     const mbedtls_ssl_ciphersuite_t *suite = NULL;
02045     const mbedtls_cipher_info_t *cipher = NULL;
02046 
02047     if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
02048         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
02049     {
02050         *olen = 0;
02051         return;
02052     }
02053 
02054     /*
02055      * RFC 7366: "If a server receives an encrypt-then-MAC request extension
02056      * from a client and then selects a stream or Authenticated Encryption
02057      * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
02058      * encrypt-then-MAC response extension back to the client."
02059      */
02060     if( ( suite = mbedtls_ssl_ciphersuite_from_id(
02061                     ssl->session_negotiate->ciphersuite ) ) == NULL ||
02062         ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
02063         cipher->mode != MBEDTLS_MODE_CBC )
02064     {
02065         *olen = 0;
02066         return;
02067     }
02068 
02069     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
02070 
02071     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
02072     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
02073 
02074     *p++ = 0x00;
02075     *p++ = 0x00;
02076 
02077     *olen = 4;
02078 }
02079 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
02080 
02081 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
02082 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
02083                                        unsigned char *buf,
02084                                        size_t *olen )
02085 {
02086     unsigned char *p = buf;
02087 
02088     if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
02089         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
02090     {
02091         *olen = 0;
02092         return;
02093     }
02094 
02095     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
02096                         "extension" ) );
02097 
02098     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
02099     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
02100 
02101     *p++ = 0x00;
02102     *p++ = 0x00;
02103 
02104     *olen = 4;
02105 }
02106 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
02107 
02108 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02109 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
02110                                           unsigned char *buf,
02111                                           size_t *olen )
02112 {
02113     unsigned char *p = buf;
02114 
02115     if( ssl->handshake->new_session_ticket == 0 )
02116     {
02117         *olen = 0;
02118         return;
02119     }
02120 
02121     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
02122 
02123     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
02124     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
02125 
02126     *p++ = 0x00;
02127     *p++ = 0x00;
02128 
02129     *olen = 4;
02130 }
02131 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
02132 
02133 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
02134                                          unsigned char *buf,
02135                                          size_t *olen )
02136 {
02137     unsigned char *p = buf;
02138 
02139     if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
02140     {
02141         *olen = 0;
02142         return;
02143     }
02144 
02145     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
02146 
02147     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
02148     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
02149 
02150 #if defined(MBEDTLS_SSL_RENEGOTIATION)
02151     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
02152     {
02153         *p++ = 0x00;
02154         *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
02155         *p++ = ssl->verify_data_len * 2 & 0xFF;
02156 
02157         memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
02158         p += ssl->verify_data_len;
02159         memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
02160         p += ssl->verify_data_len;
02161     }
02162     else
02163 #endif /* MBEDTLS_SSL_RENEGOTIATION */
02164     {
02165         *p++ = 0x00;
02166         *p++ = 0x01;
02167         *p++ = 0x00;
02168     }
02169 
02170     *olen = p - buf;
02171 }
02172 
02173 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
02174 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
02175                                                unsigned char *buf,
02176                                                size_t *olen )
02177 {
02178     unsigned char *p = buf;
02179 
02180     if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
02181     {
02182         *olen = 0;
02183         return;
02184     }
02185 
02186     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
02187 
02188     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
02189     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
02190 
02191     *p++ = 0x00;
02192     *p++ = 1;
02193 
02194     *p++ = ssl->session_negotiate->mfl_code;
02195 
02196     *olen = 5;
02197 }
02198 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
02199 
02200 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
02201     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02202 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
02203                                                    unsigned char *buf,
02204                                                    size_t *olen )
02205 {
02206     unsigned char *p = buf;
02207     ((void) ssl);
02208 
02209     if( ( ssl->handshake->cli_exts &
02210           MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
02211     {
02212         *olen = 0;
02213         return;
02214     }
02215 
02216     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
02217 
02218     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
02219     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
02220 
02221     *p++ = 0x00;
02222     *p++ = 2;
02223 
02224     *p++ = 1;
02225     *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
02226 
02227     *olen = 6;
02228 }
02229 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02230 
02231 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02232 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
02233                                         unsigned char *buf,
02234                                         size_t *olen )
02235 {
02236     int ret;
02237     unsigned char *p = buf;
02238     const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02239     size_t kkpp_len;
02240 
02241     *olen = 0;
02242 
02243     /* Skip costly computation if not needed */
02244     if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
02245         MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02246         return;
02247 
02248     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
02249 
02250     if( end - p < 4 )
02251     {
02252         MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
02253         return;
02254     }
02255 
02256     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
02257     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
02258 
02259     ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
02260                                         p + 2, end - p - 2, &kkpp_len,
02261                                         ssl->conf->f_rng, ssl->conf->p_rng );
02262     if( ret != 0 )
02263     {
02264         MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
02265         return;
02266     }
02267 
02268     *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
02269     *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
02270 
02271     *olen = kkpp_len + 4;
02272 }
02273 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02274 
02275 #if defined(MBEDTLS_SSL_ALPN )
02276 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
02277                                 unsigned char *buf, size_t *olen )
02278 {
02279     if( ssl->alpn_chosen == NULL )
02280     {
02281         *olen = 0;
02282         return;
02283     }
02284 
02285     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
02286 
02287     /*
02288      * 0 . 1    ext identifier
02289      * 2 . 3    ext length
02290      * 4 . 5    protocol list length
02291      * 6 . 6    protocol name length
02292      * 7 . 7+n  protocol name
02293      */
02294     buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
02295     buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
02296 
02297     *olen = 7 + strlen( ssl->alpn_chosen );
02298 
02299     buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
02300     buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
02301 
02302     buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
02303     buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
02304 
02305     buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
02306 
02307     memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
02308 }
02309 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
02310 
02311 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
02312 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
02313 {
02314     int ret;
02315     unsigned char *p = ssl->out_msg + 4;
02316     unsigned char *cookie_len_byte;
02317 
02318     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
02319 
02320     /*
02321      * struct {
02322      *   ProtocolVersion server_version;
02323      *   opaque cookie<0..2^8-1>;
02324      * } HelloVerifyRequest;
02325      */
02326 
02327     /* The RFC is not clear on this point, but sending the actual negotiated
02328      * version looks like the most interoperable thing to do. */
02329     mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02330                        ssl->conf->transport, p );
02331     MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
02332     p += 2;
02333 
02334     /* If we get here, f_cookie_check is not null */
02335     if( ssl->conf->f_cookie_write == NULL )
02336     {
02337         MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
02338         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02339     }
02340 
02341     /* Skip length byte until we know the length */
02342     cookie_len_byte = p++;
02343 
02344     if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
02345                                      &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
02346                                      ssl->cli_id, ssl->cli_id_len ) ) != 0 )
02347     {
02348         MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
02349         return( ret );
02350     }
02351 
02352     *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
02353 
02354     MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
02355 
02356     ssl->out_msglen  = p - ssl->out_msg;
02357     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02358     ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
02359 
02360     ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
02361 
02362     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
02363     {
02364         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
02365         return( ret );
02366     }
02367 
02368     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
02369 
02370     return( 0 );
02371 }
02372 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
02373 
02374 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
02375 {
02376 #if defined(MBEDTLS_HAVE_TIME)
02377     mbedtls_time_t t;
02378 #endif
02379     int ret;
02380     size_t olen, ext_len = 0, n;
02381     unsigned char *buf, *p;
02382 
02383     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
02384 
02385 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
02386     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
02387         ssl->handshake->verify_cookie_len != 0 )
02388     {
02389         MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
02390         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
02391 
02392         return( ssl_write_hello_verify_request( ssl ) );
02393     }
02394 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
02395 
02396     if( ssl->conf->f_rng == NULL )
02397     {
02398         MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
02399         return( MBEDTLS_ERR_SSL_NO_RNG );
02400     }
02401 
02402     /*
02403      *     0  .   0   handshake type
02404      *     1  .   3   handshake length
02405      *     4  .   5   protocol version
02406      *     6  .   9   UNIX time()
02407      *    10  .  37   random bytes
02408      */
02409     buf = ssl->out_msg;
02410     p = buf + 4;
02411 
02412     mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02413                        ssl->conf->transport, p );
02414     p += 2;
02415 
02416     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
02417                         buf[4], buf[5] ) );
02418 
02419 #if defined(MBEDTLS_HAVE_TIME)
02420     t = mbedtls_time( NULL );
02421     *p++ = (unsigned char)( t >> 24 );
02422     *p++ = (unsigned char)( t >> 16 );
02423     *p++ = (unsigned char)( t >>  8 );
02424     *p++ = (unsigned char)( t       );
02425 
02426     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
02427 #else
02428     if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
02429         return( ret );
02430 
02431     p += 4;
02432 #endif /* MBEDTLS_HAVE_TIME */
02433 
02434     if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
02435         return( ret );
02436 
02437     p += 28;
02438 
02439     memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
02440 
02441     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
02442 
02443     /*
02444      * Resume is 0  by default, see ssl_handshake_init().
02445      * It may be already set to 1 by ssl_parse_session_ticket_ext().
02446      * If not, try looking up session ID in our cache.
02447      */
02448     if( ssl->handshake->resume == 0 &&
02449 #if defined(MBEDTLS_SSL_RENEGOTIATION)
02450         ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
02451 #endif
02452         ssl->session_negotiate->id_len != 0 &&
02453         ssl->conf->f_get_cache != NULL &&
02454         ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
02455     {
02456         MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
02457         ssl->handshake->resume = 1;
02458     }
02459 
02460     if( ssl->handshake->resume == 0 )
02461     {
02462         /*
02463          * New session, create a new session id,
02464          * unless we're about to issue a session ticket
02465          */
02466         ssl->state++;
02467 
02468 #if defined(MBEDTLS_HAVE_TIME)
02469         ssl->session_negotiate->start = mbedtls_time( NULL );
02470 #endif
02471 
02472 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02473         if( ssl->handshake->new_session_ticket != 0 )
02474         {
02475             ssl->session_negotiate->id_len = n = 0;
02476             memset( ssl->session_negotiate->id, 0, 32 );
02477         }
02478         else
02479 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
02480         {
02481             ssl->session_negotiate->id_len = n = 32;
02482             if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
02483                                     n ) ) != 0 )
02484                 return( ret );
02485         }
02486     }
02487     else
02488     {
02489         /*
02490          * Resuming a session
02491          */
02492         n = ssl->session_negotiate->id_len;
02493         ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
02494 
02495         if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
02496         {
02497             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
02498             return( ret );
02499         }
02500     }
02501 
02502     /*
02503      *    38  .  38     session id length
02504      *    39  . 38+n    session id
02505      *   39+n . 40+n    chosen ciphersuite
02506      *   41+n . 41+n    chosen compression alg.
02507      *   42+n . 43+n    extensions length
02508      *   44+n . 43+n+m  extensions
02509      */
02510     *p++ = (unsigned char) ssl->session_negotiate->id_len;
02511     memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
02512     p += ssl->session_negotiate->id_len;
02513 
02514     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
02515     MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
02516     MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
02517                    ssl->handshake->resume ? "a" : "no" ) );
02518 
02519     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
02520     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
02521     *p++ = (unsigned char)( ssl->session_negotiate->compression      );
02522 
02523     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
02524            mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
02525     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
02526                    ssl->session_negotiate->compression ) );
02527 
02528     /* Do not write the extensions if the protocol is SSLv3 */
02529 #if defined(MBEDTLS_SSL_PROTO_SSL3)
02530     if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
02531     {
02532 #endif
02533 
02534     /*
02535      *  First write extensions, then the total length
02536      */
02537     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
02538     ext_len += olen;
02539 
02540 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
02541     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
02542     ext_len += olen;
02543 #endif
02544 
02545 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
02546     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
02547     ext_len += olen;
02548 #endif
02549 
02550 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
02551     ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
02552     ext_len += olen;
02553 #endif
02554 
02555 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
02556     ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
02557     ext_len += olen;
02558 #endif
02559 
02560 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02561     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
02562     ext_len += olen;
02563 #endif
02564 
02565 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
02566     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02567     ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
02568     ext_len += olen;
02569 #endif
02570 
02571 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02572     ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
02573     ext_len += olen;
02574 #endif
02575 
02576 #if defined(MBEDTLS_SSL_ALPN)
02577     ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
02578     ext_len += olen;
02579 #endif
02580 
02581     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
02582 
02583     if( ext_len > 0 )
02584     {
02585         *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
02586         *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
02587         p += ext_len;
02588     }
02589 
02590 #if defined(MBEDTLS_SSL_PROTO_SSL3)
02591     }
02592 #endif
02593 
02594     ssl->out_msglen  = p - buf;
02595     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02596     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
02597 
02598     ret = mbedtls_ssl_write_record( ssl );
02599 
02600     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
02601 
02602     return( ret );
02603 }
02604 
02605 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
02606     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
02607     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
02608     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
02609     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
02610     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02611 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
02612 {
02613     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
02614         ssl->transform_negotiate->ciphersuite_info;
02615 
02616     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02617 
02618     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
02619         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
02620         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02621         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
02622         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02623     {
02624         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02625         ssl->state++;
02626         return( 0 );
02627     }
02628 
02629     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02630     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02631 }
02632 #else
02633 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
02634 {
02635     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
02636     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
02637         ssl->transform_negotiate->ciphersuite_info;
02638     size_t dn_size, total_dn_size; /* excluding length bytes */
02639     size_t ct_len, sa_len; /* including length bytes */
02640     unsigned char *buf, *p;
02641     const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02642     const mbedtls_x509_crt *crt;
02643     int authmode;
02644 
02645     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02646 
02647     ssl->state++;
02648 
02649 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
02650     if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
02651         authmode = ssl->handshake->sni_authmode;
02652     else
02653 #endif
02654         authmode = ssl->conf->authmode;
02655 
02656     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
02657         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
02658         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02659         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
02660         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
02661         authmode == MBEDTLS_SSL_VERIFY_NONE )
02662     {
02663         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02664         return( 0 );
02665     }
02666 
02667     /*
02668      *     0  .   0   handshake type
02669      *     1  .   3   handshake length
02670      *     4  .   4   cert type count
02671      *     5  .. m-1  cert types
02672      *     m  .. m+1  sig alg length (TLS 1.2 only)
02673      *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
02674      *     n  .. n+1  length of all DNs
02675      *    n+2 .. n+3  length of DN 1
02676      *    n+4 .. ...  Distinguished Name #1
02677      *    ... .. ...  length of DN 2, etc.
02678      */
02679     buf = ssl->out_msg;
02680     p = buf + 4;
02681 
02682     /*
02683      * Supported certificate types
02684      *
02685      *     ClientCertificateType certificate_types<1..2^8-1>;
02686      *     enum { (255) } ClientCertificateType;
02687      */
02688     ct_len = 0;
02689 
02690 #if defined(MBEDTLS_RSA_C)
02691     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
02692 #endif
02693 #if defined(MBEDTLS_ECDSA_C)
02694     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
02695 #endif
02696 
02697     p[0] = (unsigned char) ct_len++;
02698     p += ct_len;
02699 
02700     sa_len = 0;
02701 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
02702     /*
02703      * Add signature_algorithms for verify (TLS 1.2)
02704      *
02705      *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
02706      *
02707      *     struct {
02708      *           HashAlgorithm hash;
02709      *           SignatureAlgorithm signature;
02710      *     } SignatureAndHashAlgorithm;
02711      *
02712      *     enum { (255) } HashAlgorithm;
02713      *     enum { (255) } SignatureAlgorithm;
02714      */
02715     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
02716     {
02717         const int *cur;
02718 
02719         /*
02720          * Supported signature algorithms
02721          */
02722         for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
02723         {
02724             unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
02725 
02726             if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
02727                 continue;
02728 
02729 #if defined(MBEDTLS_RSA_C)
02730             p[2 + sa_len++] = hash;
02731             p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
02732 #endif
02733 #if defined(MBEDTLS_ECDSA_C)
02734             p[2 + sa_len++] = hash;
02735             p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
02736 #endif
02737         }
02738 
02739         p[0] = (unsigned char)( sa_len >> 8 );
02740         p[1] = (unsigned char)( sa_len      );
02741         sa_len += 2;
02742         p += sa_len;
02743     }
02744 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
02745 
02746     /*
02747      * DistinguishedName certificate_authorities<0..2^16-1>;
02748      * opaque DistinguishedName<1..2^16-1>;
02749      */
02750     p += 2;
02751 
02752     total_dn_size = 0;
02753 
02754     if( ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
02755     {
02756 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
02757         if( ssl->handshake->sni_ca_chain != NULL )
02758             crt = ssl->handshake->sni_ca_chain;
02759         else
02760 #endif
02761             crt = ssl->conf->ca_chain;
02762 
02763         while( crt != NULL && crt->version != 0 )
02764         {
02765             dn_size = crt->subject_raw.len;
02766 
02767             if( end < p ||
02768                 (size_t)( end - p ) < dn_size ||
02769                 (size_t)( end - p ) < 2 + dn_size )
02770             {
02771                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
02772                 break;
02773             }
02774 
02775             *p++ = (unsigned char)( dn_size >> 8 );
02776             *p++ = (unsigned char)( dn_size      );
02777             memcpy( p, crt->subject_raw.p, dn_size );
02778             p += dn_size;
02779 
02780             MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
02781 
02782             total_dn_size += 2 + dn_size;
02783             crt = crt->next;
02784         }
02785     }
02786 
02787     ssl->out_msglen  = p - buf;
02788     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02789     ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
02790     ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
02791     ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
02792 
02793     ret = mbedtls_ssl_write_record( ssl );
02794 
02795     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
02796 
02797     return( ret );
02798 }
02799 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
02800           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
02801           !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
02802           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
02803           !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
02804           !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
02805 
02806 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
02807     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
02808 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
02809 {
02810     int ret;
02811 
02812     if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
02813     {
02814         MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
02815         return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
02816     }
02817 
02818     if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
02819                                  mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
02820                                  MBEDTLS_ECDH_OURS ) ) != 0 )
02821     {
02822         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
02823         return( ret );
02824     }
02825 
02826     return( 0 );
02827 }
02828 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
02829           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
02830 
02831 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
02832 {
02833     int ret;
02834     size_t n = 0;
02835     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
02836                             ssl->transform_negotiate->ciphersuite_info;
02837 
02838 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
02839     unsigned char *p = ssl->out_msg + 4;
02840     size_t len;
02841 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
02842     unsigned char *dig_signed = p;
02843     size_t dig_signed_len = 0;
02844 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
02845 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
02846 
02847     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
02848 
02849     /*
02850      *
02851      * Part 1: Extract static ECDH parameters and abort
02852      *         if ServerKeyExchange not needed.
02853      *
02854      */
02855 
02856     /* For suites involving ECDH, extract DH parameters
02857      * from certificate at this point. */
02858 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
02859     if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
02860     {
02861         ssl_get_ecdh_params_from_cert( ssl );
02862     }
02863 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
02864 
02865     /* Key exchanges not involving ephemeral keys don't use
02866      * ServerKeyExchange, so end here. */
02867 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
02868     if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
02869     {
02870         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
02871         ssl->state++;
02872         return( 0 );
02873     }
02874 #endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
02875 
02876     /*
02877      *
02878      * Part 2: Provide key exchange parameters for chosen ciphersuite.
02879      *
02880      */
02881 
02882     /*
02883      * - ECJPAKE key exchanges
02884      */
02885 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02886     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02887     {
02888         const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02889 
02890         ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
02891                 p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng );
02892         if( ret != 0 )
02893         {
02894             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
02895             return( ret );
02896         }
02897 
02898         p += len;
02899         n += len;
02900     }
02901 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02902 
02903     /*
02904      * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
02905      * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
02906      * we use empty support identity hints here.
02907      **/
02908 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
02909     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02910     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02911         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
02912     {
02913         *(p++) = 0x00;
02914         *(p++) = 0x00;
02915 
02916         n += 2;
02917     }
02918 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
02919           MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
02920 
02921     /*
02922      * - DHE key exchanges
02923      */
02924 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
02925     if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
02926     {
02927         if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
02928         {
02929             MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
02930             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02931         }
02932 
02933         /*
02934          * Ephemeral DH parameters:
02935          *
02936          * struct {
02937          *     opaque dh_p<1..2^16-1>;
02938          *     opaque dh_g<1..2^16-1>;
02939          *     opaque dh_Ys<1..2^16-1>;
02940          * } ServerDHParams;
02941          */
02942         if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
02943                                            &ssl->conf->dhm_P,
02944                                            &ssl->conf->dhm_G ) ) != 0 )
02945         {
02946             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
02947             return( ret );
02948         }
02949 
02950         if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
02951                         (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
02952                         p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
02953         {
02954             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
02955             return( ret );
02956         }
02957 
02958 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
02959         dig_signed = p;
02960         dig_signed_len = len;
02961 #endif
02962 
02963         p += len;
02964         n += len;
02965 
02966         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
02967         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
02968         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
02969         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
02970     }
02971 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
02972 
02973     /*
02974      * - ECDHE key exchanges
02975      */
02976 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
02977     if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
02978     {
02979         /*
02980          * Ephemeral ECDH parameters:
02981          *
02982          * struct {
02983          *     ECParameters curve_params;
02984          *     ECPoint      public;
02985          * } ServerECDHParams;
02986          */
02987         const mbedtls_ecp_curve_info **curve = NULL;
02988         const mbedtls_ecp_group_id *gid;
02989 
02990         /* Match our preference list against the offered curves */
02991         for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
02992             for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
02993                 if( (*curve)->grp_id == *gid )
02994                     goto curve_matching_done;
02995 
02996 curve_matching_done:
02997         if( curve == NULL || *curve == NULL )
02998         {
02999             MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
03000             return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
03001         }
03002 
03003         MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
03004 
03005         if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
03006                                        (*curve)->grp_id ) ) != 0 )
03007         {
03008             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
03009             return( ret );
03010         }
03011 
03012         if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
03013                                       p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
03014                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03015         {
03016             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
03017             return( ret );
03018         }
03019 
03020 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
03021         dig_signed     = p;
03022         dig_signed_len = len;
03023 #endif
03024 
03025         p += len;
03026         n += len;
03027 
03028         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
03029     }
03030 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
03031 
03032     /*
03033      *
03034      * Part 3: For key exchanges involving the server signing the
03035      *         exchange parameters, compute and add the signature here.
03036      *
03037      */
03038 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
03039     if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
03040     {
03041         size_t signature_len = 0;
03042         unsigned int hashlen = 0;
03043         unsigned char hash[64];
03044 
03045         /*
03046          * 3.1: Choose hash algorithm:
03047          * A: For TLS 1.2, obey signature-hash-algorithm extension
03048          *    to choose appropriate hash.
03049          * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
03050          *    (RFC 4492, Sec. 5.4)
03051          * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
03052          */
03053 
03054         mbedtls_md_type_t md_alg;
03055 
03056 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03057         mbedtls_pk_type_t sig_alg =
03058             mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
03059         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
03060         {
03061             /* A: For TLS 1.2, obey signature-hash-algorithm extension
03062              *    (RFC 5246, Sec. 7.4.1.4.1). */
03063             if( sig_alg == MBEDTLS_PK_NONE ||
03064                 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
03065                                                           sig_alg ) ) == MBEDTLS_MD_NONE )
03066             {
03067                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03068                 /* (... because we choose a cipher suite
03069                  *      only if there is a matching hash.) */
03070                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03071             }
03072         }
03073         else
03074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03075 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
03076     defined(MBEDTLS_SSL_PROTO_TLS1_1)
03077         if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
03078         {
03079             /* B: Default hash SHA1 */
03080             md_alg = MBEDTLS_MD_SHA1;
03081         }
03082         else
03083 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
03084           MBEDTLS_SSL_PROTO_TLS1_1 */
03085         {
03086             /* C: MD5 + SHA1 */
03087             md_alg = MBEDTLS_MD_NONE;
03088         }
03089 
03090         MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
03091 
03092         /*
03093          * 3.2: Compute the hash to be signed
03094          */
03095 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
03096     defined(MBEDTLS_SSL_PROTO_TLS1_1)
03097         if( md_alg == MBEDTLS_MD_NONE )
03098         {
03099             hashlen = 36;
03100             ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
03101                                                            dig_signed,
03102                                                            dig_signed_len );
03103             if( ret != 0 )
03104                 return( ret );
03105         }
03106         else
03107 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
03108           MBEDTLS_SSL_PROTO_TLS1_1 */
03109 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
03110     defined(MBEDTLS_SSL_PROTO_TLS1_2)
03111         if( md_alg != MBEDTLS_MD_NONE )
03112         {
03113             /* Info from md_alg will be used instead */
03114             hashlen = 0;
03115             ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash,
03116                                                           dig_signed,
03117                                                           dig_signed_len,
03118                                                           md_alg );
03119             if( ret != 0 )
03120                 return( ret );
03121         }
03122         else
03123 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
03124           MBEDTLS_SSL_PROTO_TLS1_2 */
03125         {
03126             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03127             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03128         }
03129 
03130         MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
03131             (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
03132 
03133         /*
03134          * 3.3: Compute and add the signature
03135          */
03136         if( mbedtls_ssl_own_key( ssl ) == NULL )
03137         {
03138             MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
03139             return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03140         }
03141 
03142 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03143         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
03144         {
03145             /*
03146              * For TLS 1.2, we need to specify signature and hash algorithm
03147              * explicitly through a prefix to the signature.
03148              *
03149              * struct {
03150              *    HashAlgorithm hash;
03151              *    SignatureAlgorithm signature;
03152              * } SignatureAndHashAlgorithm;
03153              *
03154              * struct {
03155              *    SignatureAndHashAlgorithm algorithm;
03156              *    opaque signature<0..2^16-1>;
03157              * } DigitallySigned;
03158              *
03159              */
03160 
03161             *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
03162             *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
03163 
03164             n += 2;
03165         }
03166 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03167 
03168         if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
03169                         p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03170         {
03171             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
03172             return( ret );
03173         }
03174 
03175         *(p++) = (unsigned char)( signature_len >> 8 );
03176         *(p++) = (unsigned char)( signature_len      );
03177         n += 2;
03178 
03179         MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
03180 
03181         n += signature_len;
03182     }
03183 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
03184 
03185     /* Done with actual work; add header and send. */
03186 
03187     ssl->out_msglen  = 4 + n;
03188     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03189     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
03190 
03191     ssl->state++;
03192 
03193     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03194     {
03195         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03196         return( ret );
03197     }
03198 
03199     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
03200 
03201     return( 0 );
03202 }
03203 
03204 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
03205 {
03206     int ret;
03207 
03208     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
03209 
03210     ssl->out_msglen  = 4;
03211     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03212     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
03213 
03214     ssl->state++;
03215 
03216 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03217     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03218         mbedtls_ssl_send_flight_completed( ssl );
03219 #endif
03220 
03221     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03222     {
03223         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03224         return( ret );
03225     }
03226 
03227     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
03228 
03229     return( 0 );
03230 }
03231 
03232 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
03233     defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
03234 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
03235                                        const unsigned char *end )
03236 {
03237     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
03238     size_t n;
03239 
03240     /*
03241      * Receive G^Y mod P, premaster = (G^Y)^X mod P
03242      */
03243     if( *p + 2 > end )
03244     {
03245         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03246         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03247     }
03248 
03249     n = ( (*p)[0] << 8 ) | (*p)[1];
03250     *p += 2;
03251 
03252     if( *p + n > end )
03253     {
03254         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03255         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03256     }
03257 
03258     if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
03259     {
03260         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
03261         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03262     }
03263 
03264     *p += n;
03265 
03266     MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
03267 
03268     return( ret );
03269 }
03270 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
03271           MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
03272 
03273 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
03274     defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
03275 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
03276                                     const unsigned char *p,
03277                                     const unsigned char *end,
03278                                     size_t pms_offset )
03279 {
03280     int ret;
03281     size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
03282     unsigned char *pms = ssl->handshake->premaster + pms_offset;
03283     unsigned char ver[2];
03284     unsigned char fake_pms[48], peer_pms[48];
03285     unsigned char mask;
03286     size_t i, peer_pmslen;
03287     unsigned int diff;
03288 
03289     if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
03290     {
03291         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
03292         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03293     }
03294 
03295     /*
03296      * Decrypt the premaster using own private RSA key
03297      */
03298 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
03299     defined(MBEDTLS_SSL_PROTO_TLS1_2)
03300     if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
03301     {
03302         if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
03303             *p++ != ( ( len      ) & 0xFF ) )
03304         {
03305             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03306             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03307         }
03308     }
03309 #endif
03310 
03311     if( p + len != end )
03312     {
03313         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03314         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03315     }
03316 
03317     mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
03318                        ssl->handshake->max_minor_ver,
03319                        ssl->conf->transport, ver );
03320 
03321     /*
03322      * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
03323      * must not cause the connection to end immediately; instead, send a
03324      * bad_record_mac later in the handshake.
03325      * Also, avoid data-dependant branches here to protect against
03326      * timing-based variants.
03327      */
03328     ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
03329     if( ret != 0 )
03330         return( ret );
03331 
03332     ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
03333                       peer_pms, &peer_pmslen,
03334                       sizeof( peer_pms ),
03335                       ssl->conf->f_rng, ssl->conf->p_rng );
03336 
03337     diff  = (unsigned int) ret;
03338     diff |= peer_pmslen ^ 48;
03339     diff |= peer_pms[0] ^ ver[0];
03340     diff |= peer_pms[1] ^ ver[1];
03341 
03342 #if defined(MBEDTLS_SSL_DEBUG_ALL)
03343     if( diff != 0 )
03344         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03345 #endif
03346 
03347     if( sizeof( ssl->handshake->premaster ) < pms_offset ||
03348         sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
03349     {
03350         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03351         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03352     }
03353     ssl->handshake->pmslen = 48;
03354 
03355     /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
03356     /* MSVC has a warning about unary minus on unsigned, but this is
03357      * well-defined and precisely what we want to do here */
03358 #if defined(_MSC_VER)
03359 #pragma warning( push )
03360 #pragma warning( disable : 4146 )
03361 #endif
03362     mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
03363 #if defined(_MSC_VER)
03364 #pragma warning( pop )
03365 #endif
03366 
03367     for( i = 0; i < ssl->handshake->pmslen; i++ )
03368         pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
03369 
03370     return( 0 );
03371 }
03372 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
03373           MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
03374 
03375 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
03376 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
03377                                           const unsigned char *end )
03378 {
03379     int ret = 0;
03380     size_t n;
03381 
03382     if( ssl->conf->f_psk == NULL &&
03383         ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
03384           ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
03385     {
03386         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
03387         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03388     }
03389 
03390     /*
03391      * Receive client pre-shared key identity name
03392      */
03393     if( end - *p < 2 )
03394     {
03395         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03396         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03397     }
03398 
03399     n = ( (*p)[0] << 8 ) | (*p)[1];
03400     *p += 2;
03401 
03402     if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
03403     {
03404         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03405         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03406     }
03407 
03408     if( ssl->conf->f_psk != NULL )
03409     {
03410         if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
03411             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
03412     }
03413     else
03414     {
03415         /* Identity is not a big secret since clients send it in the clear,
03416          * but treat it carefully anyway, just in case */
03417         if( n != ssl->conf->psk_identity_len ||
03418             mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
03419         {
03420             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
03421         }
03422     }
03423 
03424     if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
03425     {
03426         MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
03427         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03428                                         MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
03429         return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
03430     }
03431 
03432     *p += n;
03433 
03434     return( 0 );
03435 }
03436 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
03437 
03438 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
03439 {
03440     int ret;
03441     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
03442     unsigned char *p, *end;
03443 
03444     ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03445 
03446     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
03447 
03448     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
03449     {
03450         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
03451         return( ret );
03452     }
03453 
03454     p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
03455     end = ssl->in_msg + ssl->in_hslen;
03456 
03457     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
03458     {
03459         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03460         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03461     }
03462 
03463     if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
03464     {
03465         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03466         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03467     }
03468 
03469 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
03470     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
03471     {
03472         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03473         {
03474             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03475             return( ret );
03476         }
03477 
03478         if( p != end )
03479         {
03480             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03481             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03482         }
03483 
03484         if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
03485                                       ssl->handshake->premaster,
03486                                       MBEDTLS_PREMASTER_SIZE,
03487                                      &ssl->handshake->pmslen,
03488                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03489         {
03490             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
03491             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03492         }
03493 
03494         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
03495     }
03496     else
03497 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
03498 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
03499     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
03500     defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
03501     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
03502     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
03503         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
03504         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
03505         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
03506     {
03507         if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
03508                                       p, end - p) ) != 0 )
03509         {
03510             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
03511             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03512         }
03513 
03514         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03515 
03516         if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
03517                                       &ssl->handshake->pmslen,
03518                                        ssl->handshake->premaster,
03519                                        MBEDTLS_MPI_MAX_SIZE,
03520                                        ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03521         {
03522             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
03523             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03524         }
03525 
03526         MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
03527     }
03528     else
03529 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
03530           MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
03531           MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
03532           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
03533 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
03534     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
03535     {
03536         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03537         {
03538             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03539             return( ret );
03540         }
03541 
03542         if( p != end )
03543         {
03544             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03545             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03546         }
03547 
03548         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03549                         ciphersuite_info->key_exchange ) ) != 0 )
03550         {
03551             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03552             return( ret );
03553         }
03554     }
03555     else
03556 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
03557 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
03558     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
03559     {
03560         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03561         {
03562             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03563             return( ret );
03564         }
03565 
03566         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
03567         {
03568             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
03569             return( ret );
03570         }
03571 
03572         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03573                         ciphersuite_info->key_exchange ) ) != 0 )
03574         {
03575             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03576             return( ret );
03577         }
03578     }
03579     else
03580 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
03581 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
03582     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
03583     {
03584         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03585         {
03586             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03587             return( ret );
03588         }
03589         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03590         {
03591             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03592             return( ret );
03593         }
03594 
03595         if( p != end )
03596         {
03597             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03598             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03599         }
03600 
03601         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03602                         ciphersuite_info->key_exchange ) ) != 0 )
03603         {
03604             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03605             return( ret );
03606         }
03607     }
03608     else
03609 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
03610 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
03611     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
03612     {
03613         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03614         {
03615             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03616             return( ret );
03617         }
03618 
03619         if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
03620                                        p, end - p ) ) != 0 )
03621         {
03622             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
03623             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03624         }
03625 
03626         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03627 
03628         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03629                         ciphersuite_info->key_exchange ) ) != 0 )
03630         {
03631             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03632             return( ret );
03633         }
03634     }
03635     else
03636 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
03637 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
03638     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
03639     {
03640         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
03641         {
03642             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
03643             return( ret );
03644         }
03645     }
03646     else
03647 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
03648 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
03649     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
03650     {
03651         ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
03652                                               p, end - p );
03653         if( ret != 0 )
03654         {
03655             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
03656             return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
03657         }
03658 
03659         ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
03660                 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
03661                 ssl->conf->f_rng, ssl->conf->p_rng );
03662         if( ret != 0 )
03663         {
03664             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
03665             return( ret );
03666         }
03667     }
03668     else
03669 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
03670     {
03671         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03672         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03673     }
03674 
03675     if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
03676     {
03677         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
03678         return( ret );
03679     }
03680 
03681     ssl->state++;
03682 
03683     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
03684 
03685     return( 0 );
03686 }
03687 
03688 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
03689     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
03690     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
03691     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
03692     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
03693     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
03694 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
03695 {
03696     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
03697         ssl->transform_negotiate->ciphersuite_info;
03698 
03699     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03700 
03701     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
03702         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
03703         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
03704         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
03705         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
03706     {
03707         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03708         ssl->state++;
03709         return( 0 );
03710     }
03711 
03712     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03713     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03714 }
03715 #else
03716 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
03717 {
03718     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
03719     size_t i, sig_len;
03720     unsigned char hash[48];
03721     unsigned char *hash_start = hash;
03722     size_t hashlen;
03723 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03724     mbedtls_pk_type_t pk_alg;
03725 #endif
03726     mbedtls_md_type_t md_alg;
03727     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
03728         ssl->transform_negotiate->ciphersuite_info;
03729 
03730     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03731 
03732     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
03733         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
03734         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
03735         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
03736         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
03737         ssl->session_negotiate->peer_cert == NULL )
03738     {
03739         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03740         ssl->state++;
03741         return( 0 );
03742     }
03743 
03744     /* Read the message without adding it to the checksum */
03745     do {
03746 
03747         do ret = mbedtls_ssl_read_record_layer( ssl );
03748         while( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
03749 
03750         if( ret != 0 )
03751         {
03752             MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
03753             return( ret );
03754         }
03755 
03756         ret = mbedtls_ssl_handle_message_type( ssl );
03757 
03758     } while( MBEDTLS_ERR_SSL_NON_FATAL           == ret ||
03759              MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
03760 
03761     if( 0 != ret )
03762     {
03763         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
03764         return( ret );
03765     }
03766 
03767     ssl->state++;
03768 
03769     /* Process the message contents */
03770     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
03771         ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
03772     {
03773         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03774         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03775     }
03776 
03777     i = mbedtls_ssl_hs_hdr_len( ssl );
03778 
03779     /*
03780      *  struct {
03781      *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
03782      *     opaque signature<0..2^16-1>;
03783      *  } DigitallySigned;
03784      */
03785 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
03786     defined(MBEDTLS_SSL_PROTO_TLS1_1)
03787     if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
03788     {
03789         md_alg = MBEDTLS_MD_NONE;
03790         hashlen = 36;
03791 
03792         /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
03793         if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
03794                         MBEDTLS_PK_ECDSA ) )
03795         {
03796             hash_start += 16;
03797             hashlen -= 16;
03798             md_alg = MBEDTLS_MD_SHA1;
03799         }
03800     }
03801     else
03802 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
03803           MBEDTLS_SSL_PROTO_TLS1_1 */
03804 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03805     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
03806     {
03807         if( i + 2 > ssl->in_hslen )
03808         {
03809             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03810             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03811         }
03812 
03813         /*
03814          * Hash
03815          */
03816         md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
03817 
03818         if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
03819         {
03820             MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03821                                 " for verify message" ) );
03822             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03823         }
03824 
03825 #if !defined(MBEDTLS_MD_SHA1)
03826         if( MBEDTLS_MD_SHA1 == md_alg )
03827             hash_start += 16;
03828 #endif
03829 
03830         /* Info from md_alg will be used instead */
03831         hashlen = 0;
03832 
03833         i++;
03834 
03835         /*
03836          * Signature
03837          */
03838         if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
03839                         == MBEDTLS_PK_NONE )
03840         {
03841             MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03842                                 " for verify message" ) );
03843             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03844         }
03845 
03846         /*
03847          * Check the certificate's key type matches the signature alg
03848          */
03849         if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
03850         {
03851             MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
03852             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03853         }
03854 
03855         i++;
03856     }
03857     else
03858 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03859     {
03860         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03861         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03862     }
03863 
03864     if( i + 2 > ssl->in_hslen )
03865     {
03866         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03867         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03868     }
03869 
03870     sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
03871     i += 2;
03872 
03873     if( i + sig_len != ssl->in_hslen )
03874     {
03875         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03876         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03877     }
03878 
03879     /* Calculate hash and verify signature */
03880     ssl->handshake->calc_verify( ssl, hash );
03881 
03882     if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
03883                            md_alg, hash_start, hashlen,
03884                            ssl->in_msg + i, sig_len ) ) != 0 )
03885     {
03886         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
03887         return( ret );
03888     }
03889 
03890     mbedtls_ssl_update_handshake_status( ssl );
03891 
03892     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
03893 
03894     return( ret );
03895 }
03896 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
03897           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
03898           !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
03899           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
03900           !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
03901           !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
03902 
03903 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
03904 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
03905 {
03906     int ret;
03907     size_t tlen;
03908     uint32_t lifetime;
03909 
03910     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
03911 
03912     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03913     ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
03914 
03915     /*
03916      * struct {
03917      *     uint32 ticket_lifetime_hint;
03918      *     opaque ticket<0..2^16-1>;
03919      * } NewSessionTicket;
03920      *
03921      * 4  .  7   ticket_lifetime_hint (0 = unspecified)
03922      * 8  .  9   ticket_len (n)
03923      * 10 .  9+n ticket content
03924      */
03925 
03926     if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
03927                                 ssl->session_negotiate,
03928                                 ssl->out_msg + 10,
03929                                 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
03930                                 &tlen, &lifetime ) ) != 0 )
03931     {
03932         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
03933         tlen = 0;
03934     }
03935 
03936     ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
03937     ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
03938     ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
03939     ssl->out_msg[7] = ( lifetime       ) & 0xFF;
03940 
03941     ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
03942     ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
03943 
03944     ssl->out_msglen = 10 + tlen;
03945 
03946     /*
03947      * Morally equivalent to updating ssl->state, but NewSessionTicket and
03948      * ChangeCipherSpec share the same state.
03949      */
03950     ssl->handshake->new_session_ticket = 0;
03951 
03952     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03953     {
03954         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03955         return( ret );
03956     }
03957 
03958     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
03959 
03960     return( 0 );
03961 }
03962 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
03963 
03964 /*
03965  * SSL handshake -- server side -- single step
03966  */
03967 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
03968 {
03969     int ret = 0;
03970 
03971     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
03972         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
03973 
03974     MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
03975 
03976     if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
03977         return( ret );
03978 
03979 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03980     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
03981         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
03982     {
03983         if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
03984             return( ret );
03985     }
03986 #endif
03987 
03988     switch( ssl->state )
03989     {
03990         case MBEDTLS_SSL_HELLO_REQUEST:
03991             ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
03992             break;
03993 
03994         /*
03995          *  <==   ClientHello
03996          */
03997         case MBEDTLS_SSL_CLIENT_HELLO:
03998             ret = ssl_parse_client_hello( ssl );
03999             break;
04000 
04001 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04002         case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
04003             return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
04004 #endif
04005 
04006         /*
04007          *  ==>   ServerHello
04008          *        Certificate
04009          *      ( ServerKeyExchange  )
04010          *      ( CertificateRequest )
04011          *        ServerHelloDone
04012          */
04013         case MBEDTLS_SSL_SERVER_HELLO:
04014             ret = ssl_write_server_hello( ssl );
04015             break;
04016 
04017         case MBEDTLS_SSL_SERVER_CERTIFICATE:
04018             ret = mbedtls_ssl_write_certificate( ssl );
04019             break;
04020 
04021         case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
04022             ret = ssl_write_server_key_exchange( ssl );
04023             break;
04024 
04025         case MBEDTLS_SSL_CERTIFICATE_REQUEST:
04026             ret = ssl_write_certificate_request( ssl );
04027             break;
04028 
04029         case MBEDTLS_SSL_SERVER_HELLO_DONE:
04030             ret = ssl_write_server_hello_done( ssl );
04031             break;
04032 
04033         /*
04034          *  <== ( Certificate/Alert  )
04035          *        ClientKeyExchange
04036          *      ( CertificateVerify  )
04037          *        ChangeCipherSpec
04038          *        Finished
04039          */
04040         case MBEDTLS_SSL_CLIENT_CERTIFICATE:
04041             ret = mbedtls_ssl_parse_certificate( ssl );
04042             break;
04043 
04044         case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
04045             ret = ssl_parse_client_key_exchange( ssl );
04046             break;
04047 
04048         case MBEDTLS_SSL_CERTIFICATE_VERIFY:
04049             ret = ssl_parse_certificate_verify( ssl );
04050             break;
04051 
04052         case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
04053             ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
04054             break;
04055 
04056         case MBEDTLS_SSL_CLIENT_FINISHED:
04057             ret = mbedtls_ssl_parse_finished( ssl );
04058             break;
04059 
04060         /*
04061          *  ==> ( NewSessionTicket )
04062          *        ChangeCipherSpec
04063          *        Finished
04064          */
04065         case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
04066 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
04067             if( ssl->handshake->new_session_ticket != 0 )
04068                 ret = ssl_write_new_session_ticket( ssl );
04069             else
04070 #endif
04071                 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
04072             break;
04073 
04074         case MBEDTLS_SSL_SERVER_FINISHED:
04075             ret = mbedtls_ssl_write_finished( ssl );
04076             break;
04077 
04078         case MBEDTLS_SSL_FLUSH_BUFFERS:
04079             MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
04080             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
04081             break;
04082 
04083         case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
04084             mbedtls_ssl_handshake_wrapup( ssl );
04085             break;
04086 
04087         default:
04088             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
04089             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
04090     }
04091 
04092     return( ret );
04093 }
04094 #endif /* MBEDTLS_SSL_SRV_C */