Knight KE / Mbed OS Game_Master
Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ssl_tls.c Source File

ssl_tls.c

00001 /*
00002  *  SSLv3/TLSv1 shared functions
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 /*
00022  *  The SSL 3.0 specification was drafted by Netscape in 1996,
00023  *  and became an IETF standard in 1999.
00024  *
00025  *  http://wp.netscape.com/eng/ssl3/
00026  *  http://www.ietf.org/rfc/rfc2246.txt
00027  *  http://www.ietf.org/rfc/rfc4346.txt
00028  */
00029 
00030 #if !defined(MBEDTLS_CONFIG_FILE)
00031 #include "mbedtls/config.h"
00032 #else
00033 #include MBEDTLS_CONFIG_FILE
00034 #endif
00035 
00036 #if defined(MBEDTLS_SSL_TLS_C)
00037 
00038 #if defined(MBEDTLS_PLATFORM_C)
00039 #include "mbedtls/platform.h"
00040 #else
00041 #include <stdlib.h>
00042 #define mbedtls_calloc    calloc
00043 #define mbedtls_free      free
00044 #endif
00045 
00046 #include "mbedtls/debug.h"
00047 #include "mbedtls/ssl.h"
00048 #include "mbedtls/ssl_internal.h"
00049 #include "mbedtls/platform_util.h"
00050 
00051 #include <string.h>
00052 
00053 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00054 #include "mbedtls/oid.h"
00055 #endif
00056 
00057 /* Length of the "epoch" field in the record header */
00058 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
00059 {
00060 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00061     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
00062         return( 2 );
00063 #else
00064     ((void) ssl);
00065 #endif
00066     return( 0 );
00067 }
00068 
00069 /*
00070  * Start a timer.
00071  * Passing millisecs = 0 cancels a running timer.
00072  */
00073 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
00074 {
00075     if( ssl->f_set_timer == NULL )
00076         return;
00077 
00078     MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
00079     ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
00080 }
00081 
00082 /*
00083  * Return -1 is timer is expired, 0 if it isn't.
00084  */
00085 static int ssl_check_timer( mbedtls_ssl_context *ssl )
00086 {
00087     if( ssl->f_get_timer == NULL )
00088         return( 0 );
00089 
00090     if( ssl->f_get_timer( ssl->p_timer ) == 2 )
00091     {
00092         MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
00093         return( -1 );
00094     }
00095 
00096     return( 0 );
00097 }
00098 
00099 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00100 /*
00101  * Double the retransmit timeout value, within the allowed range,
00102  * returning -1 if the maximum value has already been reached.
00103  */
00104 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
00105 {
00106     uint32_t new_timeout;
00107 
00108     if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
00109         return( -1 );
00110 
00111     new_timeout = 2 * ssl->handshake->retransmit_timeout;
00112 
00113     /* Avoid arithmetic overflow and range overflow */
00114     if( new_timeout < ssl->handshake->retransmit_timeout ||
00115         new_timeout > ssl->conf->hs_timeout_max )
00116     {
00117         new_timeout = ssl->conf->hs_timeout_max;
00118     }
00119 
00120     ssl->handshake->retransmit_timeout = new_timeout;
00121     MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
00122                         ssl->handshake->retransmit_timeout ) );
00123 
00124     return( 0 );
00125 }
00126 
00127 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
00128 {
00129     ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
00130     MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
00131                         ssl->handshake->retransmit_timeout ) );
00132 }
00133 #endif /* MBEDTLS_SSL_PROTO_DTLS */
00134 
00135 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
00136 /*
00137  * Convert max_fragment_length codes to length.
00138  * RFC 6066 says:
00139  *    enum{
00140  *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
00141  *    } MaxFragmentLength;
00142  * and we add 0 -> extension unused
00143  */
00144 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
00145 {
00146     MBEDTLS_SSL_MAX_CONTENT_LEN,    /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
00147     512,                    /* MBEDTLS_SSL_MAX_FRAG_LEN_512  */
00148     1024,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
00149     2048,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
00150     4096,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
00151 };
00152 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
00153 
00154 #if defined(MBEDTLS_SSL_CLI_C)
00155 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
00156 {
00157     mbedtls_ssl_session_free( dst );
00158     memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
00159 
00160 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00161     if( src->peer_cert != NULL )
00162     {
00163         int ret;
00164 
00165         dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
00166         if( dst->peer_cert == NULL )
00167             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00168 
00169         mbedtls_x509_crt_init( dst->peer_cert );
00170 
00171         if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
00172                                         src->peer_cert->raw.len ) ) != 0 )
00173         {
00174             mbedtls_free( dst->peer_cert );
00175             dst->peer_cert = NULL;
00176             return( ret );
00177         }
00178     }
00179 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00180 
00181 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
00182     if( src->ticket != NULL )
00183     {
00184         dst->ticket = mbedtls_calloc( 1, src->ticket_len );
00185         if( dst->ticket == NULL )
00186             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00187 
00188         memcpy( dst->ticket, src->ticket, src->ticket_len );
00189     }
00190 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
00191 
00192     return( 0 );
00193 }
00194 #endif /* MBEDTLS_SSL_CLI_C */
00195 
00196 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
00197 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
00198                      const unsigned char *key_enc, const unsigned char *key_dec,
00199                      size_t keylen,
00200                      const unsigned char *iv_enc,  const unsigned char *iv_dec,
00201                      size_t ivlen,
00202                      const unsigned char *mac_enc, const unsigned char *mac_dec,
00203                      size_t maclen ) = NULL;
00204 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
00205 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
00206 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
00207 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
00208 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
00209 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
00210 
00211 /*
00212  * Key material generation
00213  */
00214 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00215 static int ssl3_prf( const unsigned char *secret, size_t slen,
00216                      const char *label,
00217                      const unsigned char *random, size_t rlen,
00218                      unsigned char *dstbuf, size_t dlen )
00219 {
00220     int ret = 0;
00221     size_t i;
00222     mbedtls_md5_context md5;
00223     mbedtls_sha1_context sha1;
00224     unsigned char padding[16];
00225     unsigned char sha1sum[20];
00226     ((void)label);
00227 
00228     mbedtls_md5_init(  &md5  );
00229     mbedtls_sha1_init( &sha1 );
00230 
00231     /*
00232      *  SSLv3:
00233      *    block =
00234      *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
00235      *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
00236      *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
00237      *      ...
00238      */
00239     for( i = 0; i < dlen / 16; i++ )
00240     {
00241         memset( padding, (unsigned char) ('A' + i), 1 + i );
00242 
00243         if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
00244             goto exit;
00245         if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
00246             goto exit;
00247         if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
00248             goto exit;
00249         if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
00250             goto exit;
00251         if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
00252             goto exit;
00253 
00254         if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
00255             goto exit;
00256         if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
00257             goto exit;
00258         if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
00259             goto exit;
00260         if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
00261             goto exit;
00262     }
00263 
00264 exit:
00265     mbedtls_md5_free(  &md5  );
00266     mbedtls_sha1_free( &sha1 );
00267 
00268     mbedtls_platform_zeroize( padding, sizeof( padding ) );
00269     mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
00270 
00271     return( ret );
00272 }
00273 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
00274 
00275 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
00276 static int tls1_prf( const unsigned char *secret, size_t slen,
00277                      const char *label,
00278                      const unsigned char *random, size_t rlen,
00279                      unsigned char *dstbuf, size_t dlen )
00280 {
00281     size_t nb, hs;
00282     size_t i, j, k;
00283     const unsigned char *S1, *S2;
00284     unsigned char tmp[128];
00285     unsigned char h_i[20];
00286     const mbedtls_md_info_t *md_info;
00287     mbedtls_md_context_t md_ctx;
00288     int ret;
00289 
00290     mbedtls_md_init( &md_ctx );
00291 
00292     if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
00293         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00294 
00295     hs = ( slen + 1 ) / 2;
00296     S1 = secret;
00297     S2 = secret + slen - hs;
00298 
00299     nb = strlen( label );
00300     memcpy( tmp + 20, label, nb );
00301     memcpy( tmp + 20 + nb, random, rlen );
00302     nb += rlen;
00303 
00304     /*
00305      * First compute P_md5(secret,label+random)[0..dlen]
00306      */
00307     if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
00308         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00309 
00310     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
00311         return( ret );
00312 
00313     mbedtls_md_hmac_starts( &md_ctx, S1, hs );
00314     mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
00315     mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
00316 
00317     for( i = 0; i < dlen; i += 16 )
00318     {
00319         mbedtls_md_hmac_reset ( &md_ctx );
00320         mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
00321         mbedtls_md_hmac_finish( &md_ctx, h_i );
00322 
00323         mbedtls_md_hmac_reset ( &md_ctx );
00324         mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
00325         mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
00326 
00327         k = ( i + 16 > dlen ) ? dlen % 16 : 16;
00328 
00329         for( j = 0; j < k; j++ )
00330             dstbuf[i + j]  = h_i[j];
00331     }
00332 
00333     mbedtls_md_free( &md_ctx );
00334 
00335     /*
00336      * XOR out with P_sha1(secret,label+random)[0..dlen]
00337      */
00338     if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
00339         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00340 
00341     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
00342         return( ret );
00343 
00344     mbedtls_md_hmac_starts( &md_ctx, S2, hs );
00345     mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
00346     mbedtls_md_hmac_finish( &md_ctx, tmp );
00347 
00348     for( i = 0; i < dlen; i += 20 )
00349     {
00350         mbedtls_md_hmac_reset ( &md_ctx );
00351         mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
00352         mbedtls_md_hmac_finish( &md_ctx, h_i );
00353 
00354         mbedtls_md_hmac_reset ( &md_ctx );
00355         mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
00356         mbedtls_md_hmac_finish( &md_ctx, tmp );
00357 
00358         k = ( i + 20 > dlen ) ? dlen % 20 : 20;
00359 
00360         for( j = 0; j < k; j++ )
00361             dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
00362     }
00363 
00364     mbedtls_md_free( &md_ctx );
00365 
00366     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
00367     mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
00368 
00369     return( 0 );
00370 }
00371 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
00372 
00373 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00374 static int tls_prf_generic( mbedtls_md_type_t md_type,
00375                             const unsigned char *secret, size_t slen,
00376                             const char *label,
00377                             const unsigned char *random, size_t rlen,
00378                             unsigned char *dstbuf, size_t dlen )
00379 {
00380     size_t nb;
00381     size_t i, j, k, md_len;
00382     unsigned char tmp[128];
00383     unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
00384     const mbedtls_md_info_t *md_info;
00385     mbedtls_md_context_t md_ctx;
00386     int ret;
00387 
00388     mbedtls_md_init( &md_ctx );
00389 
00390     if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
00391         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00392 
00393     md_len = mbedtls_md_get_size( md_info );
00394 
00395     if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
00396         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00397 
00398     nb = strlen( label );
00399     memcpy( tmp + md_len, label, nb );
00400     memcpy( tmp + md_len + nb, random, rlen );
00401     nb += rlen;
00402 
00403     /*
00404      * Compute P_<hash>(secret, label + random)[0..dlen]
00405      */
00406     if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
00407         return( ret );
00408 
00409     mbedtls_md_hmac_starts( &md_ctx, secret, slen );
00410     mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
00411     mbedtls_md_hmac_finish( &md_ctx, tmp );
00412 
00413     for( i = 0; i < dlen; i += md_len )
00414     {
00415         mbedtls_md_hmac_reset ( &md_ctx );
00416         mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
00417         mbedtls_md_hmac_finish( &md_ctx, h_i );
00418 
00419         mbedtls_md_hmac_reset ( &md_ctx );
00420         mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
00421         mbedtls_md_hmac_finish( &md_ctx, tmp );
00422 
00423         k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
00424 
00425         for( j = 0; j < k; j++ )
00426             dstbuf[i + j]  = h_i[j];
00427     }
00428 
00429     mbedtls_md_free( &md_ctx );
00430 
00431     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
00432     mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
00433 
00434     return( 0 );
00435 }
00436 
00437 #if defined(MBEDTLS_SHA256_C)
00438 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
00439                            const char *label,
00440                            const unsigned char *random, size_t rlen,
00441                            unsigned char *dstbuf, size_t dlen )
00442 {
00443     return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
00444                              label, random, rlen, dstbuf, dlen ) );
00445 }
00446 #endif /* MBEDTLS_SHA256_C */
00447 
00448 #if defined(MBEDTLS_SHA512_C)
00449 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
00450                            const char *label,
00451                            const unsigned char *random, size_t rlen,
00452                            unsigned char *dstbuf, size_t dlen )
00453 {
00454     return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
00455                              label, random, rlen, dstbuf, dlen ) );
00456 }
00457 #endif /* MBEDTLS_SHA512_C */
00458 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00459 
00460 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
00461 
00462 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
00463     defined(MBEDTLS_SSL_PROTO_TLS1_1)
00464 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
00465 #endif
00466 
00467 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00468 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
00469 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
00470 #endif
00471 
00472 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
00473 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
00474 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
00475 #endif
00476 
00477 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00478 #if defined(MBEDTLS_SHA256_C)
00479 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
00480 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
00481 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
00482 #endif
00483 
00484 #if defined(MBEDTLS_SHA512_C)
00485 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
00486 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
00487 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
00488 #endif
00489 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00490 
00491 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
00492 {
00493     int ret = 0;
00494     unsigned char tmp[64];
00495     unsigned char keyblk[256];
00496     unsigned char *key1;
00497     unsigned char *key2;
00498     unsigned char *mac_enc;
00499     unsigned char *mac_dec;
00500     size_t mac_key_len;
00501     size_t iv_copy_len;
00502     const mbedtls_cipher_info_t *cipher_info;
00503     const mbedtls_md_info_t *md_info;
00504 
00505     mbedtls_ssl_session *session = ssl->session_negotiate;
00506     mbedtls_ssl_transform *transform = ssl->transform_negotiate;
00507     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
00508 
00509     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
00510 
00511     cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
00512     if( cipher_info == NULL )
00513     {
00514         MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
00515                             transform->ciphersuite_info->cipher ) );
00516         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00517     }
00518 
00519     md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
00520     if( md_info == NULL )
00521     {
00522         MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
00523                             transform->ciphersuite_info->mac ) );
00524         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00525     }
00526 
00527     /*
00528      * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
00529      */
00530 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00531     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
00532     {
00533         handshake->tls_prf = ssl3_prf;
00534         handshake->calc_verify = ssl_calc_verify_ssl;
00535         handshake->calc_finished = ssl_calc_finished_ssl;
00536     }
00537     else
00538 #endif
00539 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
00540     if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
00541     {
00542         handshake->tls_prf = tls1_prf;
00543         handshake->calc_verify = ssl_calc_verify_tls;
00544         handshake->calc_finished = ssl_calc_finished_tls;
00545     }
00546     else
00547 #endif
00548 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00549 #if defined(MBEDTLS_SHA512_C)
00550     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
00551         transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
00552     {
00553         handshake->tls_prf = tls_prf_sha384;
00554         handshake->calc_verify = ssl_calc_verify_tls_sha384;
00555         handshake->calc_finished = ssl_calc_finished_tls_sha384;
00556     }
00557     else
00558 #endif
00559 #if defined(MBEDTLS_SHA256_C)
00560     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00561     {
00562         handshake->tls_prf = tls_prf_sha256;
00563         handshake->calc_verify = ssl_calc_verify_tls_sha256;
00564         handshake->calc_finished = ssl_calc_finished_tls_sha256;
00565     }
00566     else
00567 #endif
00568 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00569     {
00570         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00571         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00572     }
00573 
00574     /*
00575      * SSLv3:
00576      *   master =
00577      *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
00578      *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
00579      *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
00580      *
00581      * TLSv1+:
00582      *   master = PRF( premaster, "master secret", randbytes )[0..47]
00583      */
00584     if( handshake->resume == 0 )
00585     {
00586         MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
00587                        handshake->pmslen );
00588 
00589 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
00590         if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
00591         {
00592             unsigned char session_hash[48];
00593             size_t hash_len;
00594 
00595             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
00596 
00597             ssl->handshake->calc_verify( ssl, session_hash );
00598 
00599 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00600             if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00601             {
00602 #if defined(MBEDTLS_SHA512_C)
00603                 if( ssl->transform_negotiate->ciphersuite_info->mac ==
00604                     MBEDTLS_MD_SHA384 )
00605                 {
00606                     hash_len = 48;
00607                 }
00608                 else
00609 #endif
00610                     hash_len = 32;
00611             }
00612             else
00613 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00614                 hash_len = 36;
00615 
00616             MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
00617 
00618             ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
00619                                       "extended master secret",
00620                                       session_hash, hash_len,
00621                                       session->master, 48 );
00622             if( ret != 0 )
00623             {
00624                 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
00625                 return( ret );
00626             }
00627 
00628         }
00629         else
00630 #endif
00631         ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
00632                                   "master secret",
00633                                   handshake->randbytes, 64,
00634                                   session->master, 48 );
00635         if( ret != 0 )
00636         {
00637             MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
00638             return( ret );
00639         }
00640 
00641         mbedtls_platform_zeroize( handshake->premaster,
00642                                   sizeof(handshake->premaster) );
00643     }
00644     else
00645         MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
00646 
00647     /*
00648      * Swap the client and server random values.
00649      */
00650     memcpy( tmp, handshake->randbytes, 64 );
00651     memcpy( handshake->randbytes, tmp + 32, 32 );
00652     memcpy( handshake->randbytes + 32, tmp, 32 );
00653     mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
00654 
00655     /*
00656      *  SSLv3:
00657      *    key block =
00658      *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
00659      *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
00660      *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
00661      *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
00662      *      ...
00663      *
00664      *  TLSv1:
00665      *    key block = PRF( master, "key expansion", randbytes )
00666      */
00667     ret = handshake->tls_prf( session->master, 48, "key expansion",
00668                               handshake->randbytes, 64, keyblk, 256 );
00669     if( ret != 0 )
00670     {
00671         MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
00672         return( ret );
00673     }
00674 
00675     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
00676                    mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
00677     MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
00678     MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
00679     MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
00680 
00681     mbedtls_platform_zeroize( handshake->randbytes,
00682                               sizeof( handshake->randbytes ) );
00683 
00684     /*
00685      * Determine the appropriate key, IV and MAC length.
00686      */
00687 
00688     transform->keylen = cipher_info->key_bitlen / 8;
00689 
00690     if( cipher_info->mode == MBEDTLS_MODE_GCM ||
00691         cipher_info->mode == MBEDTLS_MODE_CCM )
00692     {
00693         transform->maclen = 0;
00694         mac_key_len = 0;
00695 
00696         transform->ivlen = 12;
00697         transform->fixed_ivlen = 4;
00698 
00699         /* Minimum length is expicit IV + tag */
00700         transform->minlen = transform->ivlen - transform->fixed_ivlen
00701                             + ( transform->ciphersuite_info->flags &
00702                                 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
00703     }
00704     else
00705     {
00706         /* Initialize HMAC contexts */
00707         if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
00708             ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
00709         {
00710             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
00711             return( ret );
00712         }
00713 
00714         /* Get MAC length */
00715         mac_key_len = mbedtls_md_get_size( md_info );
00716         transform->maclen = mac_key_len;
00717 
00718 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
00719         /*
00720          * If HMAC is to be truncated, we shall keep the leftmost bytes,
00721          * (rfc 6066 page 13 or rfc 2104 section 4),
00722          * so we only need to adjust the length here.
00723          */
00724         if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
00725         {
00726             transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
00727 
00728 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
00729             /* Fall back to old, non-compliant version of the truncated
00730              * HMAC implementation which also truncates the key
00731              * (Mbed TLS versions from 1.3 to 2.6.0) */
00732             mac_key_len = transform->maclen;
00733 #endif
00734         }
00735 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
00736 
00737         /* IV length */
00738         transform->ivlen = cipher_info->iv_size;
00739 
00740         /* Minimum length */
00741         if( cipher_info->mode == MBEDTLS_MODE_STREAM )
00742             transform->minlen = transform->maclen;
00743         else
00744         {
00745             /*
00746              * GenericBlockCipher:
00747              * 1. if EtM is in use: one block plus MAC
00748              *    otherwise: * first multiple of blocklen greater than maclen
00749              * 2. IV except for SSL3 and TLS 1.0
00750              */
00751 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
00752             if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
00753             {
00754                 transform->minlen = transform->maclen
00755                                   + cipher_info->block_size;
00756             }
00757             else
00758 #endif
00759             {
00760                 transform->minlen = transform->maclen
00761                                   + cipher_info->block_size
00762                                   - transform->maclen % cipher_info->block_size;
00763             }
00764 
00765 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
00766             if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
00767                 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
00768                 ; /* No need to adjust minlen */
00769             else
00770 #endif
00771 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
00772             if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
00773                 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00774             {
00775                 transform->minlen += transform->ivlen;
00776             }
00777             else
00778 #endif
00779             {
00780                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00781                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00782             }
00783         }
00784     }
00785 
00786     MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
00787                    transform->keylen, transform->minlen, transform->ivlen,
00788                    transform->maclen ) );
00789 
00790     /*
00791      * Finally setup the cipher contexts, IVs and MAC secrets.
00792      */
00793 #if defined(MBEDTLS_SSL_CLI_C)
00794     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
00795     {
00796         key1 = keyblk + mac_key_len * 2;
00797         key2 = keyblk + mac_key_len * 2 + transform->keylen;
00798 
00799         mac_enc = keyblk;
00800         mac_dec = keyblk + mac_key_len;
00801 
00802         /*
00803          * This is not used in TLS v1.1.
00804          */
00805         iv_copy_len = ( transform->fixed_ivlen ) ?
00806                             transform->fixed_ivlen : transform->ivlen;
00807         memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
00808         memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
00809                 iv_copy_len );
00810     }
00811     else
00812 #endif /* MBEDTLS_SSL_CLI_C */
00813 #if defined(MBEDTLS_SSL_SRV_C)
00814     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
00815     {
00816         key1 = keyblk + mac_key_len * 2 + transform->keylen;
00817         key2 = keyblk + mac_key_len * 2;
00818 
00819         mac_enc = keyblk + mac_key_len;
00820         mac_dec = keyblk;
00821 
00822         /*
00823          * This is not used in TLS v1.1.
00824          */
00825         iv_copy_len = ( transform->fixed_ivlen ) ?
00826                             transform->fixed_ivlen : transform->ivlen;
00827         memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
00828         memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
00829                 iv_copy_len );
00830     }
00831     else
00832 #endif /* MBEDTLS_SSL_SRV_C */
00833     {
00834         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00835         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00836     }
00837 
00838 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00839     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
00840     {
00841         if( mac_key_len > sizeof transform->mac_enc )
00842         {
00843             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00844             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00845         }
00846 
00847         memcpy( transform->mac_enc, mac_enc, mac_key_len );
00848         memcpy( transform->mac_dec, mac_dec, mac_key_len );
00849     }
00850     else
00851 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
00852 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
00853     defined(MBEDTLS_SSL_PROTO_TLS1_2)
00854     if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
00855     {
00856         /* For HMAC-based ciphersuites, initialize the HMAC transforms.
00857            For AEAD-based ciphersuites, there is nothing to do here. */
00858         if( mac_key_len != 0 )
00859         {
00860             mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
00861             mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
00862         }
00863     }
00864     else
00865 #endif
00866     {
00867         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00868         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00869     }
00870 
00871 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
00872     if( mbedtls_ssl_hw_record_init != NULL )
00873     {
00874         int ret = 0;
00875 
00876         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
00877 
00878         if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
00879                                         transform->iv_enc, transform->iv_dec,
00880                                         iv_copy_len,
00881                                         mac_enc, mac_dec,
00882                                         mac_key_len ) ) != 0 )
00883         {
00884             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
00885             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
00886         }
00887     }
00888 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
00889 
00890 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
00891     if( ssl->conf->f_export_keys != NULL )
00892     {
00893         ssl->conf->f_export_keys( ssl->conf->p_export_keys,
00894                                   session->master, keyblk,
00895                                   mac_key_len, transform->keylen,
00896                                   iv_copy_len );
00897     }
00898 #endif
00899 
00900     if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
00901                                  cipher_info ) ) != 0 )
00902     {
00903         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
00904         return( ret );
00905     }
00906 
00907     if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
00908                                  cipher_info ) ) != 0 )
00909     {
00910         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
00911         return( ret );
00912     }
00913 
00914     if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
00915                                cipher_info->key_bitlen,
00916                                MBEDTLS_ENCRYPT ) ) != 0 )
00917     {
00918         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
00919         return( ret );
00920     }
00921 
00922     if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
00923                                cipher_info->key_bitlen,
00924                                MBEDTLS_DECRYPT ) ) != 0 )
00925     {
00926         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
00927         return( ret );
00928     }
00929 
00930 #if defined(MBEDTLS_CIPHER_MODE_CBC)
00931     if( cipher_info->mode == MBEDTLS_MODE_CBC )
00932     {
00933         if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
00934                                              MBEDTLS_PADDING_NONE ) ) != 0 )
00935         {
00936             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
00937             return( ret );
00938         }
00939 
00940         if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
00941                                              MBEDTLS_PADDING_NONE ) ) != 0 )
00942         {
00943             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
00944             return( ret );
00945         }
00946     }
00947 #endif /* MBEDTLS_CIPHER_MODE_CBC */
00948 
00949     mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
00950 
00951 #if defined(MBEDTLS_ZLIB_SUPPORT)
00952     // Initialize compression
00953     //
00954     if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
00955     {
00956         if( ssl->compress_buf == NULL )
00957         {
00958             MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
00959             ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
00960             if( ssl->compress_buf == NULL )
00961             {
00962                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
00963                                     MBEDTLS_SSL_BUFFER_LEN ) );
00964                 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00965             }
00966         }
00967 
00968         MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
00969 
00970         memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
00971         memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
00972 
00973         if( deflateInit( &transform->ctx_deflate,
00974                          Z_DEFAULT_COMPRESSION )   != Z_OK ||
00975             inflateInit( &transform->ctx_inflate ) != Z_OK )
00976         {
00977             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
00978             return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
00979         }
00980     }
00981 #endif /* MBEDTLS_ZLIB_SUPPORT */
00982 
00983     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
00984 
00985     return( 0 );
00986 }
00987 
00988 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00989 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
00990 {
00991     mbedtls_md5_context md5;
00992     mbedtls_sha1_context sha1;
00993     unsigned char pad_1[48];
00994     unsigned char pad_2[48];
00995 
00996     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
00997 
00998     mbedtls_md5_init( &md5 );
00999     mbedtls_sha1_init( &sha1 );
01000 
01001     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
01002     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
01003 
01004     memset( pad_1, 0x36, 48 );
01005     memset( pad_2, 0x5C, 48 );
01006 
01007     mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
01008     mbedtls_md5_update_ret( &md5, pad_1, 48 );
01009     mbedtls_md5_finish_ret( &md5, hash );
01010 
01011     mbedtls_md5_starts_ret( &md5 );
01012     mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
01013     mbedtls_md5_update_ret( &md5, pad_2, 48 );
01014     mbedtls_md5_update_ret( &md5, hash,  16 );
01015     mbedtls_md5_finish_ret( &md5, hash );
01016 
01017     mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
01018     mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
01019     mbedtls_sha1_finish_ret( &sha1, hash + 16 );
01020 
01021     mbedtls_sha1_starts_ret( &sha1 );
01022     mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
01023     mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
01024     mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
01025     mbedtls_sha1_finish_ret( &sha1, hash + 16 );
01026 
01027     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
01028     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01029 
01030     mbedtls_md5_free(  &md5  );
01031     mbedtls_sha1_free( &sha1 );
01032 
01033     return;
01034 }
01035 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01036 
01037 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
01038 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
01039 {
01040     mbedtls_md5_context md5;
01041     mbedtls_sha1_context sha1;
01042 
01043     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
01044 
01045     mbedtls_md5_init( &md5 );
01046     mbedtls_sha1_init( &sha1 );
01047 
01048     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
01049     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
01050 
01051      mbedtls_md5_finish_ret( &md5,  hash );
01052     mbedtls_sha1_finish_ret( &sha1, hash + 16 );
01053 
01054     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
01055     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01056 
01057     mbedtls_md5_free(  &md5  );
01058     mbedtls_sha1_free( &sha1 );
01059 
01060     return;
01061 }
01062 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
01063 
01064 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
01065 #if defined(MBEDTLS_SHA256_C)
01066 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
01067 {
01068     mbedtls_sha256_context sha256;
01069 
01070     mbedtls_sha256_init( &sha256 );
01071 
01072     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
01073 
01074     mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
01075     mbedtls_sha256_finish_ret( &sha256, hash );
01076 
01077     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
01078     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01079 
01080     mbedtls_sha256_free( &sha256 );
01081 
01082     return;
01083 }
01084 #endif /* MBEDTLS_SHA256_C */
01085 
01086 #if defined(MBEDTLS_SHA512_C)
01087 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
01088 {
01089     mbedtls_sha512_context sha512;
01090 
01091     mbedtls_sha512_init( &sha512 );
01092 
01093     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
01094 
01095     mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
01096     mbedtls_sha512_finish_ret( &sha512, hash );
01097 
01098     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
01099     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01100 
01101     mbedtls_sha512_free( &sha512 );
01102 
01103     return;
01104 }
01105 #endif /* MBEDTLS_SHA512_C */
01106 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
01107 
01108 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
01109 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
01110 {
01111     unsigned char *p = ssl->handshake->premaster;
01112     unsigned char *end = p + sizeof( ssl->handshake->premaster );
01113     const unsigned char *psk = ssl->conf->psk;
01114     size_t psk_len = ssl->conf->psk_len;
01115 
01116     /* If the psk callback was called, use its result */
01117     if( ssl->handshake->psk != NULL )
01118     {
01119         psk = ssl->handshake->psk;
01120         psk_len = ssl->handshake->psk_len;
01121     }
01122 
01123     /*
01124      * PMS = struct {
01125      *     opaque other_secret<0..2^16-1>;
01126      *     opaque psk<0..2^16-1>;
01127      * };
01128      * with "other_secret" depending on the particular key exchange
01129      */
01130 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
01131     if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
01132     {
01133         if( end - p < 2 )
01134             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01135 
01136         *(p++) = (unsigned char)( psk_len >> 8 );
01137         *(p++) = (unsigned char)( psk_len      );
01138 
01139         if( end < p || (size_t)( end - p ) < psk_len )
01140             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01141 
01142         memset( p, 0, psk_len );
01143         p += psk_len;
01144     }
01145     else
01146 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
01147 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
01148     if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
01149     {
01150         /*
01151          * other_secret already set by the ClientKeyExchange message,
01152          * and is 48 bytes long
01153          */
01154         *p++ = 0;
01155         *p++ = 48;
01156         p += 48;
01157     }
01158     else
01159 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
01160 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
01161     if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
01162     {
01163         int ret;
01164         size_t len;
01165 
01166         /* Write length only when we know the actual value */
01167         if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
01168                                       p + 2, end - ( p + 2 ), &len,
01169                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
01170         {
01171             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
01172             return( ret );
01173         }
01174         *(p++) = (unsigned char)( len >> 8 );
01175         *(p++) = (unsigned char)( len );
01176         p += len;
01177 
01178         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
01179     }
01180     else
01181 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
01182 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
01183     if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
01184     {
01185         int ret;
01186         size_t zlen;
01187 
01188         if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
01189                                        p + 2, end - ( p + 2 ),
01190                                        ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
01191         {
01192             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
01193             return( ret );
01194         }
01195 
01196         *(p++) = (unsigned char)( zlen >> 8 );
01197         *(p++) = (unsigned char)( zlen      );
01198         p += zlen;
01199 
01200         MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
01201     }
01202     else
01203 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
01204     {
01205         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01206         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01207     }
01208 
01209     /* opaque psk<0..2^16-1>; */
01210     if( end - p < 2 )
01211         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01212 
01213     *(p++) = (unsigned char)( psk_len >> 8 );
01214     *(p++) = (unsigned char)( psk_len      );
01215 
01216     if( end < p || (size_t)( end - p ) < psk_len )
01217         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01218 
01219     memcpy( p, psk, psk_len );
01220     p += psk_len;
01221 
01222     ssl->handshake->pmslen = p - ssl->handshake->premaster;
01223 
01224     return( 0 );
01225 }
01226 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
01227 
01228 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01229 /*
01230  * SSLv3.0 MAC functions
01231  */
01232 #define SSL_MAC_MAX_BYTES   20  /* MD-5 or SHA-1 */
01233 static void ssl_mac( mbedtls_md_context_t *md_ctx,
01234                      const unsigned char *secret,
01235                      const unsigned char *buf, size_t len,
01236                      const unsigned char *ctr, int type,
01237                      unsigned char out[SSL_MAC_MAX_BYTES] )
01238 {
01239     unsigned char header[11];
01240     unsigned char padding[48];
01241     int padlen;
01242     int md_size = mbedtls_md_get_size( md_ctx->md_info );
01243     int md_type = mbedtls_md_get_type( md_ctx->md_info );
01244 
01245     /* Only MD5 and SHA-1 supported */
01246     if( md_type == MBEDTLS_MD_MD5 )
01247         padlen = 48;
01248     else
01249         padlen = 40;
01250 
01251     memcpy( header, ctr, 8 );
01252     header[ 8] = (unsigned char)  type;
01253     header[ 9] = (unsigned char)( len >> 8 );
01254     header[10] = (unsigned char)( len      );
01255 
01256     memset( padding, 0x36, padlen );
01257     mbedtls_md_starts( md_ctx );
01258     mbedtls_md_update( md_ctx, secret,  md_size );
01259     mbedtls_md_update( md_ctx, padding, padlen  );
01260     mbedtls_md_update( md_ctx, header,  11      );
01261     mbedtls_md_update( md_ctx, buf,     len     );
01262     mbedtls_md_finish( md_ctx, out              );
01263 
01264     memset( padding, 0x5C, padlen );
01265     mbedtls_md_starts( md_ctx );
01266     mbedtls_md_update( md_ctx, secret,    md_size );
01267     mbedtls_md_update( md_ctx, padding,   padlen  );
01268     mbedtls_md_update( md_ctx, out,       md_size );
01269     mbedtls_md_finish( md_ctx, out                );
01270 }
01271 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01272 
01273 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||     \
01274     ( defined(MBEDTLS_CIPHER_MODE_CBC) &&                                  \
01275       ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
01276 #define SSL_SOME_MODES_USE_MAC
01277 #endif
01278 
01279 /*
01280  * Encryption/decryption functions
01281  */
01282 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
01283 {
01284     mbedtls_cipher_mode_t mode;
01285     int auth_done = 0;
01286 
01287     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
01288 
01289     if( ssl->session_out == NULL || ssl->transform_out == NULL )
01290     {
01291         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01292         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01293     }
01294 
01295     mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
01296 
01297     MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
01298                       ssl->out_msg, ssl->out_msglen );
01299 
01300     if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
01301     {
01302         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
01303                                     (unsigned) ssl->out_msglen,
01304                                     MBEDTLS_SSL_MAX_CONTENT_LEN ) );
01305         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01306     }
01307 
01308     /*
01309      * Add MAC before if needed
01310      */
01311 #if defined(SSL_SOME_MODES_USE_MAC)
01312     if( mode == MBEDTLS_MODE_STREAM ||
01313         ( mode == MBEDTLS_MODE_CBC
01314 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01315           && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
01316 #endif
01317         ) )
01318     {
01319 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01320         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01321         {
01322             unsigned char mac[SSL_MAC_MAX_BYTES];
01323 
01324             ssl_mac( &ssl->transform_out->md_ctx_enc,
01325                       ssl->transform_out->mac_enc,
01326                       ssl->out_msg, ssl->out_msglen,
01327                       ssl->out_ctr, ssl->out_msgtype,
01328                       mac );
01329 
01330             memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
01331         }
01332         else
01333 #endif
01334 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
01335         defined(MBEDTLS_SSL_PROTO_TLS1_2)
01336         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
01337         {
01338             unsigned char mac[MBEDTLS_SSL_MAC_ADD];
01339 
01340             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
01341             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
01342             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
01343             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
01344                              ssl->out_msg, ssl->out_msglen );
01345             mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
01346             mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
01347 
01348             memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
01349         }
01350         else
01351 #endif
01352         {
01353             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01354             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01355         }
01356 
01357         MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
01358                        ssl->out_msg + ssl->out_msglen,
01359                        ssl->transform_out->maclen );
01360 
01361         ssl->out_msglen += ssl->transform_out->maclen;
01362         auth_done++;
01363     }
01364 #endif /* AEAD not the only option */
01365 
01366     /*
01367      * Encrypt
01368      */
01369 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
01370     if( mode == MBEDTLS_MODE_STREAM )
01371     {
01372         int ret;
01373         size_t olen = 0;
01374 
01375         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
01376                             "including %d bytes of padding",
01377                        ssl->out_msglen, 0 ) );
01378 
01379         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
01380                                    ssl->transform_out->iv_enc,
01381                                    ssl->transform_out->ivlen,
01382                                    ssl->out_msg, ssl->out_msglen,
01383                                    ssl->out_msg, &olen ) ) != 0 )
01384         {
01385             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01386             return( ret );
01387         }
01388 
01389         if( ssl->out_msglen != olen )
01390         {
01391             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01392             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01393         }
01394     }
01395     else
01396 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
01397 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
01398     if( mode == MBEDTLS_MODE_GCM ||
01399         mode == MBEDTLS_MODE_CCM )
01400     {
01401         int ret;
01402         size_t enc_msglen, olen;
01403         unsigned char *enc_msg;
01404         unsigned char add_data[13];
01405         unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
01406                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
01407 
01408         memcpy( add_data, ssl->out_ctr, 8 );
01409         add_data[8]  = ssl->out_msgtype;
01410         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
01411                            ssl->conf->transport, add_data + 9 );
01412         add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
01413         add_data[12] = ssl->out_msglen & 0xFF;
01414 
01415         MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
01416                        add_data, 13 );
01417 
01418         /*
01419          * Generate IV
01420          */
01421         if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
01422         {
01423             /* Reminder if we ever add an AEAD mode with a different size */
01424             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01425             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01426         }
01427 
01428         memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
01429                              ssl->out_ctr, 8 );
01430         memcpy( ssl->out_iv, ssl->out_ctr, 8 );
01431 
01432         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
01433                 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
01434 
01435         /*
01436          * Fix pointer positions and message length with added IV
01437          */
01438         enc_msg = ssl->out_msg;
01439         enc_msglen = ssl->out_msglen;
01440         ssl->out_msglen += ssl->transform_out->ivlen -
01441                            ssl->transform_out->fixed_ivlen;
01442 
01443         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
01444                             "including %d bytes of padding",
01445                        ssl->out_msglen, 0 ) );
01446 
01447         /*
01448          * Encrypt and authenticate
01449          */
01450         if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
01451                                          ssl->transform_out->iv_enc,
01452                                          ssl->transform_out->ivlen,
01453                                          add_data, 13,
01454                                          enc_msg, enc_msglen,
01455                                          enc_msg, &olen,
01456                                          enc_msg + enc_msglen, taglen ) ) != 0 )
01457         {
01458             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
01459             return( ret );
01460         }
01461 
01462         if( olen != enc_msglen )
01463         {
01464             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01465             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01466         }
01467 
01468         ssl->out_msglen += taglen;
01469         auth_done++;
01470 
01471         MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
01472     }
01473     else
01474 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
01475 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
01476     ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
01477     if( mode == MBEDTLS_MODE_CBC )
01478     {
01479         int ret;
01480         unsigned char *enc_msg;
01481         size_t enc_msglen, padlen, olen = 0, i;
01482 
01483         padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
01484                  ssl->transform_out->ivlen;
01485         if( padlen == ssl->transform_out->ivlen )
01486             padlen = 0;
01487 
01488         for( i = 0; i <= padlen; i++ )
01489             ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
01490 
01491         ssl->out_msglen += padlen + 1;
01492 
01493         enc_msglen = ssl->out_msglen;
01494         enc_msg = ssl->out_msg;
01495 
01496 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
01497         /*
01498          * Prepend per-record IV for block cipher in TLS v1.1 and up as per
01499          * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
01500          */
01501         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
01502         {
01503             /*
01504              * Generate IV
01505              */
01506             ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
01507                                   ssl->transform_out->ivlen );
01508             if( ret != 0 )
01509                 return( ret );
01510 
01511             memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
01512                     ssl->transform_out->ivlen );
01513 
01514             /*
01515              * Fix pointer positions and message length with added IV
01516              */
01517             enc_msg = ssl->out_msg;
01518             enc_msglen = ssl->out_msglen;
01519             ssl->out_msglen += ssl->transform_out->ivlen;
01520         }
01521 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
01522 
01523         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
01524                             "including %d bytes of IV and %d bytes of padding",
01525                             ssl->out_msglen, ssl->transform_out->ivlen,
01526                             padlen + 1 ) );
01527 
01528         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
01529                                    ssl->transform_out->iv_enc,
01530                                    ssl->transform_out->ivlen,
01531                                    enc_msg, enc_msglen,
01532                                    enc_msg, &olen ) ) != 0 )
01533         {
01534             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01535             return( ret );
01536         }
01537 
01538         if( enc_msglen != olen )
01539         {
01540             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01541             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01542         }
01543 
01544 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
01545         if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
01546         {
01547             /*
01548              * Save IV in SSL3 and TLS1
01549              */
01550             memcpy( ssl->transform_out->iv_enc,
01551                     ssl->transform_out->cipher_ctx_enc.iv,
01552                     ssl->transform_out->ivlen );
01553         }
01554 #endif
01555 
01556 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01557         if( auth_done == 0 )
01558         {
01559             /*
01560              * MAC(MAC_write_key, seq_num +
01561              *     TLSCipherText.type +
01562              *     TLSCipherText.version +
01563              *     length_of( (IV +) ENC(...) ) +
01564              *     IV + // except for TLS 1.0
01565              *     ENC(content + padding + padding_length));
01566              */
01567             unsigned char pseudo_hdr[13];
01568 
01569             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
01570 
01571             memcpy( pseudo_hdr +  0, ssl->out_ctr, 8 );
01572             memcpy( pseudo_hdr +  8, ssl->out_hdr, 3 );
01573             pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
01574             pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen      ) & 0xFF );
01575 
01576             MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
01577 
01578             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
01579             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
01580                              ssl->out_iv, ssl->out_msglen );
01581             mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
01582                              ssl->out_iv + ssl->out_msglen );
01583             mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
01584 
01585             ssl->out_msglen += ssl->transform_out->maclen;
01586             auth_done++;
01587         }
01588 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01589     }
01590     else
01591 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
01592           ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
01593     {
01594         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01595         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01596     }
01597 
01598     /* Make extra sure authentication was performed, exactly once */
01599     if( auth_done != 1 )
01600     {
01601         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01602         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01603     }
01604 
01605     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
01606 
01607     return( 0 );
01608 }
01609 
01610 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
01611 {
01612     size_t i;
01613     mbedtls_cipher_mode_t mode;
01614     int auth_done = 0;
01615 #if defined(SSL_SOME_MODES_USE_MAC)
01616     size_t padlen = 0, correct = 1;
01617 #endif
01618 
01619     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
01620 
01621     if( ssl->session_in == NULL || ssl->transform_in == NULL )
01622     {
01623         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01624         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01625     }
01626 
01627     mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
01628 
01629     if( ssl->in_msglen < ssl->transform_in->minlen )
01630     {
01631         MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
01632                        ssl->in_msglen, ssl->transform_in->minlen ) );
01633         return( MBEDTLS_ERR_SSL_INVALID_MAC );
01634     }
01635 
01636 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
01637     if( mode == MBEDTLS_MODE_STREAM )
01638     {
01639         int ret;
01640         size_t olen = 0;
01641 
01642         padlen = 0;
01643 
01644         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
01645                                    ssl->transform_in->iv_dec,
01646                                    ssl->transform_in->ivlen,
01647                                    ssl->in_msg, ssl->in_msglen,
01648                                    ssl->in_msg, &olen ) ) != 0 )
01649         {
01650             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01651             return( ret );
01652         }
01653 
01654         if( ssl->in_msglen != olen )
01655         {
01656             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01657             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01658         }
01659     }
01660     else
01661 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
01662 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
01663     if( mode == MBEDTLS_MODE_GCM ||
01664         mode == MBEDTLS_MODE_CCM )
01665     {
01666         int ret;
01667         size_t dec_msglen, olen;
01668         unsigned char *dec_msg;
01669         unsigned char *dec_msg_result;
01670         unsigned char add_data[13];
01671         unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
01672                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
01673         size_t explicit_iv_len = ssl->transform_in->ivlen -
01674                                  ssl->transform_in->fixed_ivlen;
01675 
01676         if( ssl->in_msglen < explicit_iv_len + taglen )
01677         {
01678             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
01679                                 "+ taglen (%d)", ssl->in_msglen,
01680                                 explicit_iv_len, taglen ) );
01681             return( MBEDTLS_ERR_SSL_INVALID_MAC );
01682         }
01683         dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
01684 
01685         dec_msg = ssl->in_msg;
01686         dec_msg_result = ssl->in_msg;
01687         ssl->in_msglen = dec_msglen;
01688 
01689         memcpy( add_data, ssl->in_ctr, 8 );
01690         add_data[8]  = ssl->in_msgtype;
01691         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
01692                            ssl->conf->transport, add_data + 9 );
01693         add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
01694         add_data[12] = ssl->in_msglen & 0xFF;
01695 
01696         MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
01697                        add_data, 13 );
01698 
01699         memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
01700                 ssl->in_iv,
01701                 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
01702 
01703         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
01704                                      ssl->transform_in->ivlen );
01705         MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
01706 
01707         /*
01708          * Decrypt and authenticate
01709          */
01710         if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
01711                                          ssl->transform_in->iv_dec,
01712                                          ssl->transform_in->ivlen,
01713                                          add_data, 13,
01714                                          dec_msg, dec_msglen,
01715                                          dec_msg_result, &olen,
01716                                          dec_msg + dec_msglen, taglen ) ) != 0 )
01717         {
01718             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
01719 
01720             if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
01721                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
01722 
01723             return( ret );
01724         }
01725         auth_done++;
01726 
01727         if( olen != dec_msglen )
01728         {
01729             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01730             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01731         }
01732     }
01733     else
01734 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
01735 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
01736     ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
01737     if( mode == MBEDTLS_MODE_CBC )
01738     {
01739         /*
01740          * Decrypt and check the padding
01741          */
01742         int ret;
01743         unsigned char *dec_msg;
01744         unsigned char *dec_msg_result;
01745         size_t dec_msglen;
01746         size_t minlen = 0;
01747         size_t olen = 0;
01748 
01749         /*
01750          * Check immediate ciphertext sanity
01751          */
01752 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
01753         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
01754             minlen += ssl->transform_in->ivlen;
01755 #endif
01756 
01757         if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
01758             ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
01759         {
01760             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
01761                                 "+ 1 ) ( + expl IV )", ssl->in_msglen,
01762                                 ssl->transform_in->ivlen,
01763                                 ssl->transform_in->maclen ) );
01764             return( MBEDTLS_ERR_SSL_INVALID_MAC );
01765         }
01766 
01767         dec_msglen = ssl->in_msglen;
01768         dec_msg = ssl->in_msg;
01769         dec_msg_result = ssl->in_msg;
01770 
01771         /*
01772          * Authenticate before decrypt if enabled
01773          */
01774 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01775         if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
01776         {
01777             unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
01778             unsigned char pseudo_hdr[13];
01779 
01780             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
01781 
01782             dec_msglen -= ssl->transform_in->maclen;
01783             ssl->in_msglen -= ssl->transform_in->maclen;
01784 
01785             memcpy( pseudo_hdr +  0, ssl->in_ctr, 8 );
01786             memcpy( pseudo_hdr +  8, ssl->in_hdr, 3 );
01787             pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
01788             pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen      ) & 0xFF );
01789 
01790             MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
01791 
01792             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
01793             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
01794                              ssl->in_iv, ssl->in_msglen );
01795             mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
01796             mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
01797 
01798             MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_iv + ssl->in_msglen,
01799                                               ssl->transform_in->maclen );
01800             MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
01801                                               ssl->transform_in->maclen );
01802 
01803             if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
01804                                           ssl->transform_in->maclen ) != 0 )
01805             {
01806                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
01807 
01808                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
01809             }
01810             auth_done++;
01811         }
01812 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01813 
01814         /*
01815          * Check length sanity
01816          */
01817         if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
01818         {
01819             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
01820                            ssl->in_msglen, ssl->transform_in->ivlen ) );
01821             return( MBEDTLS_ERR_SSL_INVALID_MAC );
01822         }
01823 
01824 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
01825         /*
01826          * Initialize for prepended IV for block cipher in TLS v1.1 and up
01827          */
01828         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
01829         {
01830             dec_msglen -= ssl->transform_in->ivlen;
01831             ssl->in_msglen -= ssl->transform_in->ivlen;
01832 
01833             for( i = 0; i < ssl->transform_in->ivlen; i++ )
01834                 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
01835         }
01836 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
01837 
01838         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
01839                                    ssl->transform_in->iv_dec,
01840                                    ssl->transform_in->ivlen,
01841                                    dec_msg, dec_msglen,
01842                                    dec_msg_result, &olen ) ) != 0 )
01843         {
01844             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01845             return( ret );
01846         }
01847 
01848         if( dec_msglen != olen )
01849         {
01850             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01851             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01852         }
01853 
01854 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
01855         if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
01856         {
01857             /*
01858              * Save IV in SSL3 and TLS1
01859              */
01860             memcpy( ssl->transform_in->iv_dec,
01861                     ssl->transform_in->cipher_ctx_dec.iv,
01862                     ssl->transform_in->ivlen );
01863         }
01864 #endif
01865 
01866         padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
01867 
01868         if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
01869             auth_done == 0 )
01870         {
01871 #if defined(MBEDTLS_SSL_DEBUG_ALL)
01872             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
01873                         ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
01874 #endif
01875             padlen = 0;
01876             correct = 0;
01877         }
01878 
01879 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01880         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01881         {
01882             if( padlen > ssl->transform_in->ivlen )
01883             {
01884 #if defined(MBEDTLS_SSL_DEBUG_ALL)
01885                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
01886                                     "should be no more than %d",
01887                                padlen, ssl->transform_in->ivlen ) );
01888 #endif
01889                 correct = 0;
01890             }
01891         }
01892         else
01893 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01894 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
01895     defined(MBEDTLS_SSL_PROTO_TLS1_2)
01896         if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
01897         {
01898             /*
01899              * TLSv1+: always check the padding up to the first failure
01900              * and fake check up to 256 bytes of padding
01901              */
01902             size_t pad_count = 0, real_count = 1;
01903             size_t padding_idx = ssl->in_msglen - padlen - 1;
01904 
01905             /*
01906              * Padding is guaranteed to be incorrect if:
01907              *   1. padlen >= ssl->in_msglen
01908              *
01909              *   2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
01910              *                     ssl->transform_in->maclen
01911              *
01912              * In both cases we reset padding_idx to a safe value (0) to
01913              * prevent out-of-buffer reads.
01914              */
01915             correct &= ( ssl->in_msglen >= padlen + 1 );
01916             correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
01917                                        ssl->transform_in->maclen );
01918 
01919             padding_idx *= correct;
01920 
01921             for( i = 1; i <= 256; i++ )
01922             {
01923                 real_count &= ( i <= padlen );
01924                 pad_count += real_count *
01925                              ( ssl->in_msg[padding_idx + i] == padlen - 1 );
01926             }
01927 
01928             correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
01929 
01930 #if defined(MBEDTLS_SSL_DEBUG_ALL)
01931             if( padlen > 0 && correct == 0 )
01932                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
01933 #endif
01934             padlen &= correct * 0x1FF;
01935         }
01936         else
01937 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
01938           MBEDTLS_SSL_PROTO_TLS1_2 */
01939         {
01940             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01941             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01942         }
01943 
01944         ssl->in_msglen -= padlen;
01945     }
01946     else
01947 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
01948           ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
01949     {
01950         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01951         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01952     }
01953 
01954     MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
01955                    ssl->in_msg, ssl->in_msglen );
01956 
01957     /*
01958      * Authenticate if not done yet.
01959      * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
01960      */
01961 #if defined(SSL_SOME_MODES_USE_MAC)
01962     if( auth_done == 0 )
01963     {
01964         unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
01965 
01966         ssl->in_msglen -= ssl->transform_in->maclen;
01967 
01968         ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
01969         ssl->in_len[1] = (unsigned char)( ssl->in_msglen      );
01970 
01971 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01972         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01973         {
01974             ssl_mac( &ssl->transform_in->md_ctx_dec,
01975                       ssl->transform_in->mac_dec,
01976                       ssl->in_msg, ssl->in_msglen,
01977                       ssl->in_ctr, ssl->in_msgtype,
01978                       mac_expect );
01979         }
01980         else
01981 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01982 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
01983         defined(MBEDTLS_SSL_PROTO_TLS1_2)
01984         if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
01985         {
01986             /*
01987              * Process MAC and always update for padlen afterwards to make
01988              * total time independent of padlen
01989              *
01990              * extra_run compensates MAC check for padlen
01991              *
01992              * Known timing attacks:
01993              *  - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
01994              *
01995              * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
01996              * correctly. (We round down instead of up, so -56 is the correct
01997              * value for our calculations instead of -55)
01998              */
01999             size_t j, extra_run = 0;
02000             extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
02001                         ( 13 + ssl->in_msglen          + 8 ) / 64;
02002 
02003             extra_run &= correct * 0xFF;
02004 
02005             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
02006             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
02007             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
02008             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
02009                              ssl->in_msglen );
02010             mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
02011             /* Call mbedtls_md_process at least once due to cache attacks */
02012             for( j = 0; j < extra_run + 1; j++ )
02013                 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
02014 
02015             mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
02016         }
02017         else
02018 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
02019               MBEDTLS_SSL_PROTO_TLS1_2 */
02020         {
02021             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02022             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02023         }
02024 
02025         MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
02026         MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_msg + ssl->in_msglen,
02027                                ssl->transform_in->maclen );
02028 
02029         if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
02030                                       ssl->transform_in->maclen ) != 0 )
02031         {
02032 #if defined(MBEDTLS_SSL_DEBUG_ALL)
02033             MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
02034 #endif
02035             correct = 0;
02036         }
02037         auth_done++;
02038 
02039         /*
02040          * Finally check the correct flag
02041          */
02042         if( correct == 0 )
02043             return( MBEDTLS_ERR_SSL_INVALID_MAC );
02044     }
02045 #endif /* SSL_SOME_MODES_USE_MAC */
02046 
02047     /* Make extra sure authentication was performed, exactly once */
02048     if( auth_done != 1 )
02049     {
02050         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02051         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02052     }
02053 
02054     if( ssl->in_msglen == 0 )
02055     {
02056         ssl->nb_zero++;
02057 
02058         /*
02059          * Three or more empty messages may be a DoS attack
02060          * (excessive CPU consumption).
02061          */
02062         if( ssl->nb_zero > 3 )
02063         {
02064             MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
02065                                 "messages, possible DoS attack" ) );
02066             return( MBEDTLS_ERR_SSL_INVALID_MAC );
02067         }
02068     }
02069     else
02070         ssl->nb_zero = 0;
02071 
02072 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02073     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
02074     {
02075         ; /* in_ctr read from peer, not maintained internally */
02076     }
02077     else
02078 #endif
02079     {
02080         for( i = 8; i > ssl_ep_len( ssl ); i-- )
02081             if( ++ssl->in_ctr[i - 1] != 0 )
02082                 break;
02083 
02084         /* The loop goes to its end iff the counter is wrapping */
02085         if( i == ssl_ep_len( ssl ) )
02086         {
02087             MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
02088             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
02089         }
02090     }
02091 
02092     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
02093 
02094     return( 0 );
02095 }
02096 
02097 #undef MAC_NONE
02098 #undef MAC_PLAINTEXT
02099 #undef MAC_CIPHERTEXT
02100 
02101 #if defined(MBEDTLS_ZLIB_SUPPORT)
02102 /*
02103  * Compression/decompression functions
02104  */
02105 static int ssl_compress_buf( mbedtls_ssl_context *ssl )
02106 {
02107     int ret;
02108     unsigned char *msg_post = ssl->out_msg;
02109     ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
02110     size_t len_pre = ssl->out_msglen;
02111     unsigned char *msg_pre = ssl->compress_buf;
02112 
02113     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
02114 
02115     if( len_pre == 0 )
02116         return( 0 );
02117 
02118     memcpy( msg_pre, ssl->out_msg, len_pre );
02119 
02120     MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
02121                    ssl->out_msglen ) );
02122 
02123     MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
02124                    ssl->out_msg, ssl->out_msglen );
02125 
02126     ssl->transform_out->ctx_deflate.next_in = msg_pre;
02127     ssl->transform_out->ctx_deflate.avail_in = len_pre;
02128     ssl->transform_out->ctx_deflate.next_out = msg_post;
02129     ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written;
02130 
02131     ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
02132     if( ret != Z_OK )
02133     {
02134         MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
02135         return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
02136     }
02137 
02138     ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
02139                       ssl->transform_out->ctx_deflate.avail_out - bytes_written;
02140 
02141     MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
02142                    ssl->out_msglen ) );
02143 
02144     MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
02145                    ssl->out_msg, ssl->out_msglen );
02146 
02147     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
02148 
02149     return( 0 );
02150 }
02151 
02152 static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
02153 {
02154     int ret;
02155     unsigned char *msg_post = ssl->in_msg;
02156     ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
02157     size_t len_pre = ssl->in_msglen;
02158     unsigned char *msg_pre = ssl->compress_buf;
02159 
02160     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
02161 
02162     if( len_pre == 0 )
02163         return( 0 );
02164 
02165     memcpy( msg_pre, ssl->in_msg, len_pre );
02166 
02167     MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
02168                    ssl->in_msglen ) );
02169 
02170     MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
02171                    ssl->in_msg, ssl->in_msglen );
02172 
02173     ssl->transform_in->ctx_inflate.next_in = msg_pre;
02174     ssl->transform_in->ctx_inflate.avail_in = len_pre;
02175     ssl->transform_in->ctx_inflate.next_out = msg_post;
02176     ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN -
02177                                                header_bytes;
02178 
02179     ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
02180     if( ret != Z_OK )
02181     {
02182         MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
02183         return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
02184     }
02185 
02186     ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN -
02187                      ssl->transform_in->ctx_inflate.avail_out - header_bytes;
02188 
02189     MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
02190                    ssl->in_msglen ) );
02191 
02192     MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
02193                    ssl->in_msg, ssl->in_msglen );
02194 
02195     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
02196 
02197     return( 0 );
02198 }
02199 #endif /* MBEDTLS_ZLIB_SUPPORT */
02200 
02201 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
02202 static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
02203 
02204 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02205 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
02206 {
02207     /* If renegotiation is not enforced, retransmit until we would reach max
02208      * timeout if we were using the usual handshake doubling scheme */
02209     if( ssl->conf->renego_max_records < 0 )
02210     {
02211         uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
02212         unsigned char doublings = 1;
02213 
02214         while( ratio != 0 )
02215         {
02216             ++doublings;
02217             ratio >>= 1;
02218         }
02219 
02220         if( ++ssl->renego_records_seen > doublings )
02221         {
02222             MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
02223             return( 0 );
02224         }
02225     }
02226 
02227     return( ssl_write_hello_request( ssl ) );
02228 }
02229 #endif
02230 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
02231 
02232 /*
02233  * Fill the input message buffer by appending data to it.
02234  * The amount of data already fetched is in ssl->in_left.
02235  *
02236  * If we return 0, is it guaranteed that (at least) nb_want bytes are
02237  * available (from this read and/or a previous one). Otherwise, an error code
02238  * is returned (possibly EOF or WANT_READ).
02239  *
02240  * With stream transport (TLS) on success ssl->in_left == nb_want, but
02241  * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
02242  * since we always read a whole datagram at once.
02243  *
02244  * For DTLS, it is up to the caller to set ssl->next_record_offset when
02245  * they're done reading a record.
02246  */
02247 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
02248 {
02249     int ret;
02250     size_t len;
02251 
02252     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
02253 
02254     if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
02255     {
02256         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
02257                             "or mbedtls_ssl_set_bio()" ) );
02258         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02259     }
02260 
02261     if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
02262     {
02263         MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
02264         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02265     }
02266 
02267 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02268     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
02269     {
02270         uint32_t timeout;
02271 
02272         /* Just to be sure */
02273         if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
02274         {
02275             MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
02276                         "mbedtls_ssl_set_timer_cb() for DTLS" ) );
02277             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02278         }
02279 
02280         /*
02281          * The point is, we need to always read a full datagram at once, so we
02282          * sometimes read more then requested, and handle the additional data.
02283          * It could be the rest of the current record (while fetching the
02284          * header) and/or some other records in the same datagram.
02285          */
02286 
02287         /*
02288          * Move to the next record in the already read datagram if applicable
02289          */
02290         if( ssl->next_record_offset != 0 )
02291         {
02292             if( ssl->in_left < ssl->next_record_offset )
02293             {
02294                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02295                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02296             }
02297 
02298             ssl->in_left -= ssl->next_record_offset;
02299 
02300             if( ssl->in_left != 0 )
02301             {
02302                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
02303                                     ssl->next_record_offset ) );
02304                 memmove( ssl->in_hdr,
02305                          ssl->in_hdr + ssl->next_record_offset,
02306                          ssl->in_left );
02307             }
02308 
02309             ssl->next_record_offset = 0;
02310         }
02311 
02312         MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
02313                        ssl->in_left, nb_want ) );
02314 
02315         /*
02316          * Done if we already have enough data.
02317          */
02318         if( nb_want <= ssl->in_left)
02319         {
02320             MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
02321             return( 0 );
02322         }
02323 
02324         /*
02325          * A record can't be split accross datagrams. If we need to read but
02326          * are not at the beginning of a new record, the caller did something
02327          * wrong.
02328          */
02329         if( ssl->in_left != 0 )
02330         {
02331             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02332             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02333         }
02334 
02335         /*
02336          * Don't even try to read if time's out already.
02337          * This avoids by-passing the timer when repeatedly receiving messages
02338          * that will end up being dropped.
02339          */
02340         if( ssl_check_timer( ssl ) != 0 )
02341         {
02342             MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
02343             ret = MBEDTLS_ERR_SSL_TIMEOUT;
02344         }
02345         else
02346         {
02347             len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
02348 
02349             if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
02350                 timeout = ssl->handshake->retransmit_timeout;
02351             else
02352                 timeout = ssl->conf->read_timeout;
02353 
02354             MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
02355 
02356             if( ssl->f_recv_timeout != NULL )
02357                 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
02358                                                                     timeout );
02359             else
02360                 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
02361 
02362             MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
02363 
02364             if( ret == 0 )
02365                 return( MBEDTLS_ERR_SSL_CONN_EOF );
02366         }
02367 
02368         if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
02369         {
02370             MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
02371             ssl_set_timer( ssl, 0 );
02372 
02373             if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
02374             {
02375                 if( ssl_double_retransmit_timeout( ssl ) != 0 )
02376                 {
02377                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
02378                     return( MBEDTLS_ERR_SSL_TIMEOUT );
02379                 }
02380 
02381                 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
02382                 {
02383                     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
02384                     return( ret );
02385                 }
02386 
02387                 return( MBEDTLS_ERR_SSL_WANT_READ );
02388             }
02389 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
02390             else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
02391                      ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
02392             {
02393                 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
02394                 {
02395                     MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
02396                     return( ret );
02397                 }
02398 
02399                 return( MBEDTLS_ERR_SSL_WANT_READ );
02400             }
02401 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
02402         }
02403 
02404         if( ret < 0 )
02405             return( ret );
02406 
02407         ssl->in_left = ret;
02408     }
02409     else
02410 #endif
02411     {
02412         MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
02413                        ssl->in_left, nb_want ) );
02414 
02415         while( ssl->in_left < nb_want )
02416         {
02417             len = nb_want - ssl->in_left;
02418 
02419             if( ssl_check_timer( ssl ) != 0 )
02420                 ret = MBEDTLS_ERR_SSL_TIMEOUT;
02421             else
02422             {
02423                 if( ssl->f_recv_timeout != NULL )
02424                 {
02425                     ret = ssl->f_recv_timeout( ssl->p_bio,
02426                                                ssl->in_hdr + ssl->in_left, len,
02427                                                ssl->conf->read_timeout );
02428                 }
02429                 else
02430                 {
02431                     ret = ssl->f_recv( ssl->p_bio,
02432                                        ssl->in_hdr + ssl->in_left, len );
02433                 }
02434             }
02435 
02436             MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
02437                                         ssl->in_left, nb_want ) );
02438             MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
02439 
02440             if( ret == 0 )
02441                 return( MBEDTLS_ERR_SSL_CONN_EOF );
02442 
02443             if( ret < 0 )
02444                 return( ret );
02445 
02446             if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
02447             {
02448                 MBEDTLS_SSL_DEBUG_MSG( 1,
02449                     ( "f_recv returned %d bytes but only %lu were requested",
02450                     ret, (unsigned long)len ) );
02451                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02452             }
02453 
02454             ssl->in_left += ret;
02455         }
02456     }
02457 
02458     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
02459 
02460     return( 0 );
02461 }
02462 
02463 /*
02464  * Flush any data not yet written
02465  */
02466 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
02467 {
02468     int ret;
02469     unsigned char *buf, i;
02470 
02471     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
02472 
02473     if( ssl->f_send == NULL )
02474     {
02475         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
02476                             "or mbedtls_ssl_set_bio()" ) );
02477         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02478     }
02479 
02480     /* Avoid incrementing counter if data is flushed */
02481     if( ssl->out_left == 0 )
02482     {
02483         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
02484         return( 0 );
02485     }
02486 
02487     while( ssl->out_left > 0 )
02488     {
02489         MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
02490                        mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
02491 
02492         buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) +
02493               ssl->out_msglen - ssl->out_left;
02494         ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
02495 
02496         MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
02497 
02498         if( ret <= 0 )
02499             return( ret );
02500 
02501         if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
02502         {
02503             MBEDTLS_SSL_DEBUG_MSG( 1,
02504                 ( "f_send returned %d bytes but only %lu bytes were sent",
02505                 ret, (unsigned long)ssl->out_left ) );
02506             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02507         }
02508 
02509         ssl->out_left -= ret;
02510     }
02511 
02512     for( i = 8; i > ssl_ep_len( ssl ); i-- )
02513         if( ++ssl->out_ctr[i - 1] != 0 )
02514             break;
02515 
02516     /* The loop goes to its end iff the counter is wrapping */
02517     if( i == ssl_ep_len( ssl ) )
02518     {
02519         MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
02520         return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
02521     }
02522 
02523     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
02524 
02525     return( 0 );
02526 }
02527 
02528 /*
02529  * Functions to handle the DTLS retransmission state machine
02530  */
02531 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02532 /*
02533  * Append current handshake message to current outgoing flight
02534  */
02535 static int ssl_flight_append( mbedtls_ssl_context *ssl )
02536 {
02537     mbedtls_ssl_flight_item *msg;
02538 
02539     /* Allocate space for current message */
02540     if( ( msg = mbedtls_calloc( 1, sizeof(  mbedtls_ssl_flight_item ) ) ) == NULL )
02541     {
02542         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
02543                             sizeof( mbedtls_ssl_flight_item ) ) );
02544         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
02545     }
02546 
02547     if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
02548     {
02549         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
02550         mbedtls_free( msg );
02551         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
02552     }
02553 
02554     /* Copy current handshake message with headers */
02555     memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
02556     msg->len = ssl->out_msglen;
02557     msg->type = ssl->out_msgtype;
02558     msg->next = NULL;
02559 
02560     /* Append to the current flight */
02561     if( ssl->handshake->flight == NULL )
02562         ssl->handshake->flight = msg;
02563     else
02564     {
02565         mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
02566         while( cur->next != NULL )
02567             cur = cur->next;
02568         cur->next = msg;
02569     }
02570 
02571     return( 0 );
02572 }
02573 
02574 /*
02575  * Free the current flight of handshake messages
02576  */
02577 static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
02578 {
02579     mbedtls_ssl_flight_item *cur = flight;
02580     mbedtls_ssl_flight_item *next;
02581 
02582     while( cur != NULL )
02583     {
02584         next = cur->next;
02585 
02586         mbedtls_free( cur->p );
02587         mbedtls_free( cur );
02588 
02589         cur = next;
02590     }
02591 }
02592 
02593 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
02594 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
02595 #endif
02596 
02597 /*
02598  * Swap transform_out and out_ctr with the alternative ones
02599  */
02600 static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
02601 {
02602     mbedtls_ssl_transform *tmp_transform;
02603     unsigned char tmp_out_ctr[8];
02604 
02605     if( ssl->transform_out == ssl->handshake->alt_transform_out )
02606     {
02607         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
02608         return;
02609     }
02610 
02611     MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
02612 
02613     /* Swap transforms */
02614     tmp_transform                     = ssl->transform_out;
02615     ssl->transform_out                = ssl->handshake->alt_transform_out;
02616     ssl->handshake->alt_transform_out = tmp_transform;
02617 
02618     /* Swap epoch + sequence_number */
02619     memcpy( tmp_out_ctr,                 ssl->out_ctr,                8 );
02620     memcpy( ssl->out_ctr,                ssl->handshake->alt_out_ctr, 8 );
02621     memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8 );
02622 
02623     /* Adjust to the newly activated transform */
02624     if( ssl->transform_out != NULL &&
02625         ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
02626     {
02627         ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen -
02628                                      ssl->transform_out->fixed_ivlen;
02629     }
02630     else
02631         ssl->out_msg = ssl->out_iv;
02632 
02633 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
02634     if( mbedtls_ssl_hw_record_activate != NULL )
02635     {
02636         if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
02637         {
02638             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
02639             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
02640         }
02641     }
02642 #endif
02643 }
02644 
02645 /*
02646  * Retransmit the current flight of messages.
02647  *
02648  * Need to remember the current message in case flush_output returns
02649  * WANT_WRITE, causing us to exit this function and come back later.
02650  * This function must be called until state is no longer SENDING.
02651  */
02652 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
02653 {
02654     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
02655 
02656     if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
02657     {
02658         MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
02659 
02660         ssl->handshake->cur_msg = ssl->handshake->flight;
02661         ssl_swap_epochs( ssl );
02662 
02663         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
02664     }
02665 
02666     while( ssl->handshake->cur_msg != NULL )
02667     {
02668         int ret;
02669         mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg;
02670 
02671         /* Swap epochs before sending Finished: we can't do it after
02672          * sending ChangeCipherSpec, in case write returns WANT_READ.
02673          * Must be done before copying, may change out_msg pointer */
02674         if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
02675             cur->p[0] == MBEDTLS_SSL_HS_FINISHED )
02676         {
02677             ssl_swap_epochs( ssl );
02678         }
02679 
02680         memcpy( ssl->out_msg, cur->p, cur->len );
02681         ssl->out_msglen = cur->len;
02682         ssl->out_msgtype = cur->type;
02683 
02684         ssl->handshake->cur_msg = cur->next;
02685 
02686         MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 );
02687 
02688         if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
02689         {
02690             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
02691             return( ret );
02692         }
02693     }
02694 
02695     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
02696         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
02697     else
02698     {
02699         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
02700         ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
02701     }
02702 
02703     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
02704 
02705     return( 0 );
02706 }
02707 
02708 /*
02709  * To be called when the last message of an incoming flight is received.
02710  */
02711 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
02712 {
02713     /* We won't need to resend that one any more */
02714     ssl_flight_free( ssl->handshake->flight );
02715     ssl->handshake->flight = NULL;
02716     ssl->handshake->cur_msg = NULL;
02717 
02718     /* The next incoming flight will start with this msg_seq */
02719     ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
02720 
02721     /* Cancel timer */
02722     ssl_set_timer( ssl, 0 );
02723 
02724     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
02725         ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
02726     {
02727         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
02728     }
02729     else
02730         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
02731 }
02732 
02733 /*
02734  * To be called when the last message of an outgoing flight is send.
02735  */
02736 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
02737 {
02738     ssl_reset_retransmit_timeout( ssl );
02739     ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
02740 
02741     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
02742         ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
02743     {
02744         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
02745     }
02746     else
02747         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
02748 }
02749 #endif /* MBEDTLS_SSL_PROTO_DTLS */
02750 
02751 /*
02752  * Record layer functions
02753  */
02754 
02755 /*
02756  * Write current record.
02757  * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
02758  */
02759 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
02760 {
02761     int ret, done = 0, out_msg_type;
02762     size_t len = ssl->out_msglen;
02763 
02764     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
02765 
02766 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02767     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
02768         ssl->handshake != NULL &&
02769         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
02770     {
02771         ; /* Skip special handshake treatment when resending */
02772     }
02773     else
02774 #endif
02775     if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
02776     {
02777         out_msg_type = ssl->out_msg[0];
02778 
02779         if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
02780             ssl->handshake == NULL )
02781         {
02782             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02783             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02784         }
02785 
02786         ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
02787         ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >>  8 );
02788         ssl->out_msg[3] = (unsigned char)( ( len - 4 )       );
02789 
02790         /*
02791          * DTLS has additional fields in the Handshake layer,
02792          * between the length field and the actual payload:
02793          *      uint16 message_seq;
02794          *      uint24 fragment_offset;
02795          *      uint24 fragment_length;
02796          */
02797 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02798         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
02799         {
02800             /* Make room for the additional DTLS fields */
02801             if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
02802             {
02803                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
02804                               "size %u, maximum %u",
02805                                (unsigned) ( ssl->in_hslen - 4 ),
02806                                (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
02807                 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02808             }
02809 
02810             memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
02811             ssl->out_msglen += 8;
02812             len += 8;
02813 
02814             /* Write message_seq and update it, except for HelloRequest */
02815             if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
02816             {
02817                 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
02818                 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq      ) & 0xFF;
02819                 ++( ssl->handshake->out_msg_seq );
02820             }
02821             else
02822             {
02823                 ssl->out_msg[4] = 0;
02824                 ssl->out_msg[5] = 0;
02825             }
02826 
02827             /* We don't fragment, so frag_offset = 0 and frag_len = len */
02828             memset( ssl->out_msg + 6, 0x00, 3 );
02829             memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
02830         }
02831 #endif /* MBEDTLS_SSL_PROTO_DTLS */
02832 
02833         if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
02834             ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
02835     }
02836 
02837     /* Save handshake and CCS messages for resending */
02838 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02839     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
02840         ssl->handshake != NULL &&
02841         ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING &&
02842         ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ||
02843           ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) )
02844     {
02845         if( ( ret = ssl_flight_append( ssl ) ) != 0 )
02846         {
02847             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
02848             return( ret );
02849         }
02850     }
02851 #endif
02852 
02853 #if defined(MBEDTLS_ZLIB_SUPPORT)
02854     if( ssl->transform_out != NULL &&
02855         ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
02856     {
02857         if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
02858         {
02859             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
02860             return( ret );
02861         }
02862 
02863         len = ssl->out_msglen;
02864     }
02865 #endif /*MBEDTLS_ZLIB_SUPPORT */
02866 
02867 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
02868     if( mbedtls_ssl_hw_record_write != NULL )
02869     {
02870         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
02871 
02872         ret = mbedtls_ssl_hw_record_write( ssl );
02873         if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
02874         {
02875             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
02876             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
02877         }
02878 
02879         if( ret == 0 )
02880             done = 1;
02881     }
02882 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
02883     if( !done )
02884     {
02885         ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
02886         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02887                            ssl->conf->transport, ssl->out_hdr + 1 );
02888 
02889         ssl->out_len[0] = (unsigned char)( len >> 8 );
02890         ssl->out_len[1] = (unsigned char)( len      );
02891 
02892         if( ssl->transform_out != NULL )
02893         {
02894             if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
02895             {
02896                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
02897                 return( ret );
02898             }
02899 
02900             len = ssl->out_msglen;
02901             ssl->out_len[0] = (unsigned char)( len >> 8 );
02902             ssl->out_len[1] = (unsigned char)( len      );
02903         }
02904 
02905         ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen;
02906 
02907         MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
02908                             "version = [%d:%d], msglen = %d",
02909                        ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
02910                      ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) );
02911 
02912         MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
02913                        ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen );
02914     }
02915 
02916     if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
02917     {
02918         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
02919         return( ret );
02920     }
02921 
02922     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
02923 
02924     return( 0 );
02925 }
02926 
02927 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02928 /*
02929  * Mark bits in bitmask (used for DTLS HS reassembly)
02930  */
02931 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
02932 {
02933     unsigned int start_bits, end_bits;
02934 
02935     start_bits = 8 - ( offset % 8 );
02936     if( start_bits != 8 )
02937     {
02938         size_t first_byte_idx = offset / 8;
02939 
02940         /* Special case */
02941         if( len <= start_bits )
02942         {
02943             for( ; len != 0; len-- )
02944                 mask[first_byte_idx] |= 1 << ( start_bits - len );
02945 
02946             /* Avoid potential issues with offset or len becoming invalid */
02947             return;
02948         }
02949 
02950         offset += start_bits; /* Now offset % 8 == 0 */
02951         len -= start_bits;
02952 
02953         for( ; start_bits != 0; start_bits-- )
02954             mask[first_byte_idx] |= 1 << ( start_bits - 1 );
02955     }
02956 
02957     end_bits = len % 8;
02958     if( end_bits != 0 )
02959     {
02960         size_t last_byte_idx = ( offset + len ) / 8;
02961 
02962         len -= end_bits; /* Now len % 8 == 0 */
02963 
02964         for( ; end_bits != 0; end_bits-- )
02965             mask[last_byte_idx] |= 1 << ( 8 - end_bits );
02966     }
02967 
02968     memset( mask + offset / 8, 0xFF, len / 8 );
02969 }
02970 
02971 /*
02972  * Check that bitmask is full
02973  */
02974 static int ssl_bitmask_check( unsigned char *mask, size_t len )
02975 {
02976     size_t i;
02977 
02978     for( i = 0; i < len / 8; i++ )
02979         if( mask[i] != 0xFF )
02980             return( -1 );
02981 
02982     for( i = 0; i < len % 8; i++ )
02983         if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
02984             return( -1 );
02985 
02986     return( 0 );
02987 }
02988 
02989 /*
02990  * Reassemble fragmented DTLS handshake messages.
02991  *
02992  * Use a temporary buffer for reassembly, divided in two parts:
02993  * - the first holds the reassembled message (including handshake header),
02994  * - the second holds a bitmask indicating which parts of the message
02995  *   (excluding headers) have been received so far.
02996  */
02997 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
02998 {
02999     unsigned char *msg, *bitmask;
03000     size_t frag_len, frag_off;
03001     size_t msg_len = ssl->in_hslen - 12; /* Without headers */
03002 
03003     if( ssl->handshake == NULL )
03004     {
03005         MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
03006         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
03007     }
03008 
03009     /*
03010      * For first fragment, check size and allocate buffer
03011      */
03012     if( ssl->handshake->hs_msg == NULL )
03013     {
03014         size_t alloc_len;
03015 
03016         MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
03017                             msg_len ) );
03018 
03019         if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
03020         {
03021             MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
03022             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
03023         }
03024 
03025         /* The bitmask needs one bit per byte of message excluding header */
03026         alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 );
03027 
03028         ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len );
03029         if( ssl->handshake->hs_msg == NULL )
03030         {
03031             MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) );
03032             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
03033         }
03034 
03035         /* Prepare final header: copy msg_type, length and message_seq,
03036          * then add standardised fragment_offset and fragment_length */
03037         memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 );
03038         memset( ssl->handshake->hs_msg + 6, 0, 3 );
03039         memcpy( ssl->handshake->hs_msg + 9,
03040                 ssl->handshake->hs_msg + 1, 3 );
03041     }
03042     else
03043     {
03044         /* Make sure msg_type and length are consistent */
03045         if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 )
03046         {
03047             MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
03048             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03049         }
03050     }
03051 
03052     msg = ssl->handshake->hs_msg + 12;
03053     bitmask = msg + msg_len;
03054 
03055     /*
03056      * Check and copy current fragment
03057      */
03058     frag_off = ( ssl->in_msg[6]  << 16 ) |
03059                ( ssl->in_msg[7]  << 8  ) |
03060                  ssl->in_msg[8];
03061     frag_len = ( ssl->in_msg[9]  << 16 ) |
03062                ( ssl->in_msg[10] << 8  ) |
03063                  ssl->in_msg[11];
03064 
03065     if( frag_off + frag_len > msg_len )
03066     {
03067         MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
03068                           frag_off, frag_len, msg_len ) );
03069         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03070     }
03071 
03072     if( frag_len + 12 > ssl->in_msglen )
03073     {
03074         MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
03075                           frag_len, ssl->in_msglen ) );
03076         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03077     }
03078 
03079     MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
03080                         frag_off, frag_len ) );
03081 
03082     memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
03083     ssl_bitmask_set( bitmask, frag_off, frag_len );
03084 
03085     /*
03086      * Do we have the complete message by now?
03087      * If yes, finalize it, else ask to read the next record.
03088      */
03089     if( ssl_bitmask_check( bitmask, msg_len ) != 0 )
03090     {
03091         MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
03092         return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
03093     }
03094 
03095     MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
03096 
03097     if( frag_len + 12 < ssl->in_msglen )
03098     {
03099         /*
03100          * We'got more handshake messages in the same record.
03101          * This case is not handled now because no know implementation does
03102          * that and it's hard to test, so we prefer to fail cleanly for now.
03103          */
03104         MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
03105         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
03106     }
03107 
03108     if( ssl->in_left > ssl->next_record_offset )
03109     {
03110         /*
03111          * We've got more data in the buffer after the current record,
03112          * that we don't want to overwrite. Move it before writing the
03113          * reassembled message, and adjust in_left and next_record_offset.
03114          */
03115         unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset;
03116         unsigned char *new_remain = ssl->in_msg + ssl->in_hslen;
03117         size_t remain_len = ssl->in_left - ssl->next_record_offset;
03118 
03119         /* First compute and check new lengths */
03120         ssl->next_record_offset = new_remain - ssl->in_hdr;
03121         ssl->in_left = ssl->next_record_offset + remain_len;
03122 
03123         if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
03124                            (size_t)( ssl->in_hdr - ssl->in_buf ) )
03125         {
03126             MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
03127             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
03128         }
03129 
03130         memmove( new_remain, cur_remain, remain_len );
03131     }
03132 
03133     memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen );
03134 
03135     mbedtls_free( ssl->handshake->hs_msg );
03136     ssl->handshake->hs_msg = NULL;
03137 
03138     MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
03139                    ssl->in_msg, ssl->in_hslen );
03140 
03141     return( 0 );
03142 }
03143 #endif /* MBEDTLS_SSL_PROTO_DTLS */
03144 
03145 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
03146 {
03147     if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
03148     {
03149         MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
03150                             ssl->in_msglen ) );
03151         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03152     }
03153 
03154     ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + (
03155                     ( ssl->in_msg[1] << 16 ) |
03156                     ( ssl->in_msg[2] << 8  ) |
03157                       ssl->in_msg[3] );
03158 
03159     MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
03160                         " %d, type = %d, hslen = %d",
03161                         ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
03162 
03163 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03164     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03165     {
03166         int ret;
03167         unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
03168 
03169         if( ssl->handshake != NULL &&
03170             ( ( ssl->state   != MBEDTLS_SSL_HANDSHAKE_OVER &&
03171                 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
03172               ( ssl->state  == MBEDTLS_SSL_HANDSHAKE_OVER &&
03173                 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
03174         {
03175             /* Retransmit only on last message from previous flight, to avoid
03176              * too many retransmissions.
03177              * Besides, No sane server ever retransmits HelloVerifyRequest */
03178             if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
03179                 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
03180             {
03181                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
03182                                     "message_seq = %d, start_of_flight = %d",
03183                                     recv_msg_seq,
03184                                     ssl->handshake->in_flight_start_seq ) );
03185 
03186                 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
03187                 {
03188                     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
03189                     return( ret );
03190                 }
03191             }
03192             else
03193             {
03194                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
03195                                     "message_seq = %d, expected = %d",
03196                                     recv_msg_seq,
03197                                     ssl->handshake->in_msg_seq ) );
03198             }
03199 
03200             return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
03201         }
03202         /* Wait until message completion to increment in_msg_seq */
03203 
03204         /* Reassemble if current message is fragmented or reassembly is
03205          * already in progress */
03206         if( ssl->in_msglen < ssl->in_hslen ||
03207             memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
03208             memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ||
03209             ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) )
03210         {
03211             MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
03212 
03213             if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 )
03214             {
03215                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret );
03216                 return( ret );
03217             }
03218         }
03219     }
03220     else
03221 #endif /* MBEDTLS_SSL_PROTO_DTLS */
03222     /* With TLS we don't handle fragmentation (for now) */
03223     if( ssl->in_msglen < ssl->in_hslen )
03224     {
03225         MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
03226         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
03227     }
03228 
03229     return( 0 );
03230 }
03231 
03232 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
03233 {
03234 
03235     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
03236         ssl->handshake != NULL )
03237     {
03238         ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
03239     }
03240 
03241     /* Handshake message is complete, increment counter */
03242 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03243     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
03244         ssl->handshake != NULL )
03245     {
03246         ssl->handshake->in_msg_seq++;
03247     }
03248 #endif
03249 }
03250 
03251 /*
03252  * DTLS anti-replay: RFC 6347 4.1.2.6
03253  *
03254  * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
03255  * Bit n is set iff record number in_window_top - n has been seen.
03256  *
03257  * Usually, in_window_top is the last record number seen and the lsb of
03258  * in_window is set. The only exception is the initial state (record number 0
03259  * not seen yet).
03260  */
03261 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
03262 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
03263 {
03264     ssl->in_window_top = 0;
03265     ssl->in_window = 0;
03266 }
03267 
03268 static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
03269 {
03270     return( ( (uint64_t) buf[0] << 40 ) |
03271             ( (uint64_t) buf[1] << 32 ) |
03272             ( (uint64_t) buf[2] << 24 ) |
03273             ( (uint64_t) buf[3] << 16 ) |
03274             ( (uint64_t) buf[4] <<  8 ) |
03275             ( (uint64_t) buf[5]       ) );
03276 }
03277 
03278 /*
03279  * Return 0 if sequence number is acceptable, -1 otherwise
03280  */
03281 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
03282 {
03283     uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
03284     uint64_t bit;
03285 
03286     if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
03287         return( 0 );
03288 
03289     if( rec_seqnum > ssl->in_window_top )
03290         return( 0 );
03291 
03292     bit = ssl->in_window_top - rec_seqnum;
03293 
03294     if( bit >= 64 )
03295         return( -1 );
03296 
03297     if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
03298         return( -1 );
03299 
03300     return( 0 );
03301 }
03302 
03303 /*
03304  * Update replay window on new validated record
03305  */
03306 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
03307 {
03308     uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
03309 
03310     if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
03311         return;
03312 
03313     if( rec_seqnum > ssl->in_window_top )
03314     {
03315         /* Update window_top and the contents of the window */
03316         uint64_t shift = rec_seqnum - ssl->in_window_top;
03317 
03318         if( shift >= 64 )
03319             ssl->in_window = 1;
03320         else
03321         {
03322             ssl->in_window <<= shift;
03323             ssl->in_window |= 1;
03324         }
03325 
03326         ssl->in_window_top = rec_seqnum;
03327     }
03328     else
03329     {
03330         /* Mark that number as seen in the current window */
03331         uint64_t bit = ssl->in_window_top - rec_seqnum;
03332 
03333         if( bit < 64 ) /* Always true, but be extra sure */
03334             ssl->in_window |= (uint64_t) 1 << bit;
03335     }
03336 }
03337 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
03338 
03339 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
03340 /* Forward declaration */
03341 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
03342 
03343 /*
03344  * Without any SSL context, check if a datagram looks like a ClientHello with
03345  * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
03346  * Both input and output include full DTLS headers.
03347  *
03348  * - if cookie is valid, return 0
03349  * - if ClientHello looks superficially valid but cookie is not,
03350  *   fill obuf and set olen, then
03351  *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
03352  * - otherwise return a specific error code
03353  */
03354 static int ssl_check_dtls_clihlo_cookie(
03355                            mbedtls_ssl_cookie_write_t *f_cookie_write,
03356                            mbedtls_ssl_cookie_check_t *f_cookie_check,
03357                            void *p_cookie,
03358                            const unsigned char *cli_id, size_t cli_id_len,
03359                            const unsigned char *in, size_t in_len,
03360                            unsigned char *obuf, size_t buf_len, size_t *olen )
03361 {
03362     size_t sid_len, cookie_len;
03363     unsigned char *p;
03364 
03365     if( f_cookie_write == NULL || f_cookie_check == NULL )
03366         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
03367 
03368     /*
03369      * Structure of ClientHello with record and handshake headers,
03370      * and expected values. We don't need to check a lot, more checks will be
03371      * done when actually parsing the ClientHello - skipping those checks
03372      * avoids code duplication and does not make cookie forging any easier.
03373      *
03374      *  0-0  ContentType type;                  copied, must be handshake
03375      *  1-2  ProtocolVersion version;           copied
03376      *  3-4  uint16 epoch;                      copied, must be 0
03377      *  5-10 uint48 sequence_number;            copied
03378      * 11-12 uint16 length;                     (ignored)
03379      *
03380      * 13-13 HandshakeType msg_type;            (ignored)
03381      * 14-16 uint24 length;                     (ignored)
03382      * 17-18 uint16 message_seq;                copied
03383      * 19-21 uint24 fragment_offset;            copied, must be 0
03384      * 22-24 uint24 fragment_length;            (ignored)
03385      *
03386      * 25-26 ProtocolVersion client_version;    (ignored)
03387      * 27-58 Random random;                     (ignored)
03388      * 59-xx SessionID session_id;              1 byte len + sid_len content
03389      * 60+   opaque cookie<0..2^8-1>;           1 byte len + content
03390      *       ...
03391      *
03392      * Minimum length is 61 bytes.
03393      */
03394     if( in_len < 61 ||
03395         in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
03396         in[3] != 0 || in[4] != 0 ||
03397         in[19] != 0 || in[20] != 0 || in[21] != 0 )
03398     {
03399         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
03400     }
03401 
03402     sid_len = in[59];
03403     if( sid_len > in_len - 61 )
03404         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
03405 
03406     cookie_len = in[60 + sid_len];
03407     if( cookie_len > in_len - 60 )
03408         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
03409 
03410     if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
03411                         cli_id, cli_id_len ) == 0 )
03412     {
03413         /* Valid cookie */
03414         return( 0 );
03415     }
03416 
03417     /*
03418      * If we get here, we've got an invalid cookie, let's prepare HVR.
03419      *
03420      *  0-0  ContentType type;                  copied
03421      *  1-2  ProtocolVersion version;           copied
03422      *  3-4  uint16 epoch;                      copied
03423      *  5-10 uint48 sequence_number;            copied
03424      * 11-12 uint16 length;                     olen - 13
03425      *
03426      * 13-13 HandshakeType msg_type;            hello_verify_request
03427      * 14-16 uint24 length;                     olen - 25
03428      * 17-18 uint16 message_seq;                copied
03429      * 19-21 uint24 fragment_offset;            copied
03430      * 22-24 uint24 fragment_length;            olen - 25
03431      *
03432      * 25-26 ProtocolVersion server_version;    0xfe 0xff
03433      * 27-27 opaque cookie<0..2^8-1>;           cookie_len = olen - 27, cookie
03434      *
03435      * Minimum length is 28.
03436      */
03437     if( buf_len < 28 )
03438         return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
03439 
03440     /* Copy most fields and adapt others */
03441     memcpy( obuf, in, 25 );
03442     obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
03443     obuf[25] = 0xfe;
03444     obuf[26] = 0xff;
03445 
03446     /* Generate and write actual cookie */
03447     p = obuf + 28;
03448     if( f_cookie_write( p_cookie,
03449                         &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
03450     {
03451         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03452     }
03453 
03454     *olen = p - obuf;
03455 
03456     /* Go back and fill length fields */
03457     obuf[27] = (unsigned char)( *olen - 28 );
03458 
03459     obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
03460     obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >>  8 );
03461     obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 )       );
03462 
03463     obuf[11] = (unsigned char)( ( *olen - 13 ) >>  8 );
03464     obuf[12] = (unsigned char)( ( *olen - 13 )       );
03465 
03466     return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
03467 }
03468 
03469 /*
03470  * Handle possible client reconnect with the same UDP quadruplet
03471  * (RFC 6347 Section 4.2.8).
03472  *
03473  * Called by ssl_parse_record_header() in case we receive an epoch 0 record
03474  * that looks like a ClientHello.
03475  *
03476  * - if the input looks like a ClientHello without cookies,
03477  *   send back HelloVerifyRequest, then
03478  *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
03479  * - if the input looks like a ClientHello with a valid cookie,
03480  *   reset the session of the current context, and
03481  *   return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
03482  * - if anything goes wrong, return a specific error code
03483  *
03484  * mbedtls_ssl_read_record() will ignore the record if anything else than
03485  * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
03486  * cannot not return 0.
03487  */
03488 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
03489 {
03490     int ret;
03491     size_t len;
03492 
03493     ret = ssl_check_dtls_clihlo_cookie(
03494             ssl->conf->f_cookie_write,
03495             ssl->conf->f_cookie_check,
03496             ssl->conf->p_cookie,
03497             ssl->cli_id, ssl->cli_id_len,
03498             ssl->in_buf, ssl->in_left,
03499             ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
03500 
03501     MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
03502 
03503     if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
03504     {
03505         /* Don't check write errors as we can't do anything here.
03506          * If the error is permanent we'll catch it later,
03507          * if it's not, then hopefully it'll work next time. */
03508         (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
03509 
03510         return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
03511     }
03512 
03513     if( ret == 0 )
03514     {
03515         /* Got a valid cookie, partially reset context */
03516         if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
03517         {
03518             MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
03519             return( ret );
03520         }
03521 
03522         return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
03523     }
03524 
03525     return( ret );
03526 }
03527 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
03528 
03529 /*
03530  * ContentType type;
03531  * ProtocolVersion version;
03532  * uint16 epoch;            // DTLS only
03533  * uint48 sequence_number;  // DTLS only
03534  * uint16 length;
03535  *
03536  * Return 0 if header looks sane (and, for DTLS, the record is expected)
03537  * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
03538  * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
03539  *
03540  * With DTLS, mbedtls_ssl_read_record() will:
03541  * 1. proceed with the record if this function returns 0
03542  * 2. drop only the current record if this function returns UNEXPECTED_RECORD
03543  * 3. return CLIENT_RECONNECT if this function return that value
03544  * 4. drop the whole datagram if this function returns anything else.
03545  * Point 2 is needed when the peer is resending, and we have already received
03546  * the first record from a datagram but are still waiting for the others.
03547  */
03548 static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
03549 {
03550     int major_ver, minor_ver;
03551 
03552     MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
03553 
03554     ssl->in_msgtype =  ssl->in_hdr[0];
03555     ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
03556     mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
03557 
03558     MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
03559                         "version = [%d:%d], msglen = %d",
03560                         ssl->in_msgtype,
03561                         major_ver, minor_ver, ssl->in_msglen ) );
03562 
03563     /* Check record type */
03564     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
03565         ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
03566         ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
03567         ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
03568     {
03569         MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
03570 
03571 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03572         /* Silently ignore invalid DTLS records as recommended by RFC 6347
03573          * Section 4.1.2.7 */
03574         if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03575 #endif /* MBEDTLS_SSL_PROTO_DTLS */
03576             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03577                                     MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
03578 
03579         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03580     }
03581 
03582     /* Check version */
03583     if( major_ver != ssl->major_ver )
03584     {
03585         MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
03586         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03587     }
03588 
03589     if( minor_ver > ssl->conf->max_minor_ver )
03590     {
03591         MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
03592         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03593     }
03594 
03595     /* Check length against the size of our buffer */
03596     if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
03597                          - (size_t)( ssl->in_msg - ssl->in_buf ) )
03598     {
03599         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03600         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03601     }
03602 
03603     /*
03604      * DTLS-related tests.
03605      * Check epoch before checking length constraint because
03606      * the latter varies with the epoch. E.g., if a ChangeCipherSpec
03607      * message gets duplicated before the corresponding Finished message,
03608      * the second ChangeCipherSpec should be discarded because it belongs
03609      * to an old epoch, but not because its length is shorter than
03610      * the minimum record length for packets using the new record transform.
03611      * Note that these two kinds of failures are handled differently,
03612      * as an unexpected record is silently skipped but an invalid
03613      * record leads to the entire datagram being dropped.
03614      */
03615 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03616     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03617     {
03618         unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
03619 
03620         /* Check epoch (and sequence number) with DTLS */
03621         if( rec_epoch != ssl->in_epoch )
03622         {
03623             MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
03624                                         "expected %d, received %d",
03625                                         ssl->in_epoch, rec_epoch ) );
03626 
03627 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
03628             /*
03629              * Check for an epoch 0 ClientHello. We can't use in_msg here to
03630              * access the first byte of record content (handshake type), as we
03631              * have an active transform (possibly iv_len != 0), so use the
03632              * fact that the record header len is 13 instead.
03633              */
03634             if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
03635                 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
03636                 rec_epoch == 0 &&
03637                 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
03638                 ssl->in_left > 13 &&
03639                 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
03640             {
03641                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
03642                                             "from the same port" ) );
03643                 return( ssl_handle_possible_reconnect( ssl ) );
03644             }
03645             else
03646 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
03647                 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03648         }
03649 
03650 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
03651         /* Replay detection only works for the current epoch */
03652         if( rec_epoch == ssl->in_epoch &&
03653             mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
03654         {
03655             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
03656             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03657         }
03658 #endif
03659 
03660         /* Drop unexpected ChangeCipherSpec messages */
03661         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
03662             ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
03663             ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
03664         {
03665             MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
03666             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03667         }
03668 
03669         /* Drop unexpected ApplicationData records,
03670          * except at the beginning of renegotiations */
03671         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
03672             ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
03673 #if defined(MBEDTLS_SSL_RENEGOTIATION)
03674             && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
03675                    ssl->state == MBEDTLS_SSL_SERVER_HELLO )
03676 #endif
03677             )
03678         {
03679             MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
03680             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03681         }
03682     }
03683 #endif /* MBEDTLS_SSL_PROTO_DTLS */
03684 
03685 
03686     /* Check length against bounds of the current transform and version */
03687     if( ssl->transform_in == NULL )
03688     {
03689         if( ssl->in_msglen < 1 ||
03690             ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
03691         {
03692             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03693             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03694         }
03695     }
03696     else
03697     {
03698         if( ssl->in_msglen < ssl->transform_in->minlen )
03699         {
03700             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03701             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03702         }
03703 
03704 #if defined(MBEDTLS_SSL_PROTO_SSL3)
03705         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
03706             ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
03707         {
03708             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03709             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03710         }
03711 #endif
03712 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
03713     defined(MBEDTLS_SSL_PROTO_TLS1_2)
03714         /*
03715          * TLS encrypted messages can have up to 256 bytes of padding
03716          */
03717         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
03718             ssl->in_msglen > ssl->transform_in->minlen +
03719                              MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
03720         {
03721             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03722             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03723         }
03724 #endif
03725     }
03726 
03727     return( 0 );
03728 }
03729 
03730 /*
03731  * If applicable, decrypt (and decompress) record content
03732  */
03733 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
03734 {
03735     int ret, done = 0;
03736 
03737     MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
03738                    ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
03739 
03740 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
03741     if( mbedtls_ssl_hw_record_read != NULL )
03742     {
03743         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
03744 
03745         ret = mbedtls_ssl_hw_record_read( ssl );
03746         if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
03747         {
03748             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
03749             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
03750         }
03751 
03752         if( ret == 0 )
03753             done = 1;
03754     }
03755 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
03756     if( !done && ssl->transform_in != NULL )
03757     {
03758         if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
03759         {
03760             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
03761             return( ret );
03762         }
03763 
03764         MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
03765                        ssl->in_msg, ssl->in_msglen );
03766 
03767         if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
03768         {
03769             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03770             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03771         }
03772     }
03773 
03774 #if defined(MBEDTLS_ZLIB_SUPPORT)
03775     if( ssl->transform_in != NULL &&
03776         ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
03777     {
03778         if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
03779         {
03780             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
03781             return( ret );
03782         }
03783     }
03784 #endif /* MBEDTLS_ZLIB_SUPPORT */
03785 
03786 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
03787     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03788     {
03789         mbedtls_ssl_dtls_replay_update( ssl );
03790     }
03791 #endif
03792 
03793     return( 0 );
03794 }
03795 
03796 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
03797 
03798 /*
03799  * Read a record.
03800  *
03801  * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
03802  * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
03803  *
03804  */
03805 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
03806 {
03807     int ret;
03808 
03809     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
03810 
03811     if( ssl->keep_current_message == 0 )
03812     {
03813         do {
03814 
03815             do ret = mbedtls_ssl_read_record_layer( ssl );
03816             while( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
03817 
03818             if( ret != 0 )
03819             {
03820                 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
03821                 return( ret );
03822             }
03823 
03824             ret = mbedtls_ssl_handle_message_type( ssl );
03825 
03826         } while( MBEDTLS_ERR_SSL_NON_FATAL           == ret  ||
03827                  MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
03828 
03829         if( 0 != ret )
03830         {
03831             MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
03832             return( ret );
03833         }
03834 
03835         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
03836         {
03837             mbedtls_ssl_update_handshake_status( ssl );
03838         }
03839     }
03840     else
03841     {
03842         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= reuse previously read message" ) );
03843         ssl->keep_current_message = 0;
03844     }
03845 
03846     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
03847 
03848     return( 0 );
03849 }
03850 
03851 int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
03852 {
03853     int ret;
03854 
03855     /*
03856      * Step A
03857      *
03858      * Consume last content-layer message and potentially
03859      * update in_msglen which keeps track of the contents'
03860      * consumption state.
03861      *
03862      * (1) Handshake messages:
03863      *     Remove last handshake message, move content
03864      *     and adapt in_msglen.
03865      *
03866      * (2) Alert messages:
03867      *     Consume whole record content, in_msglen = 0.
03868      *
03869      * (3) Change cipher spec:
03870      *     Consume whole record content, in_msglen = 0.
03871      *
03872      * (4) Application data:
03873      *     Don't do anything - the record layer provides
03874      *     the application data as a stream transport
03875      *     and consumes through mbedtls_ssl_read only.
03876      *
03877      */
03878 
03879     /* Case (1): Handshake messages */
03880     if( ssl->in_hslen != 0 )
03881     {
03882         /* Hard assertion to be sure that no application data
03883          * is in flight, as corrupting ssl->in_msglen during
03884          * ssl->in_offt != NULL is fatal. */
03885         if( ssl->in_offt != NULL )
03886         {
03887             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03888             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03889         }
03890 
03891         /*
03892          * Get next Handshake message in the current record
03893          */
03894 
03895         /* Notes:
03896          * (1) in_hslen is not necessarily the size of the
03897          *     current handshake content: If DTLS handshake
03898          *     fragmentation is used, that's the fragment
03899          *     size instead. Using the total handshake message
03900          *     size here is faulty and should be changed at
03901          *     some point.
03902          * (2) While it doesn't seem to cause problems, one
03903          *     has to be very careful not to assume that in_hslen
03904          *     is always <= in_msglen in a sensible communication.
03905          *     Again, it's wrong for DTLS handshake fragmentation.
03906          *     The following check is therefore mandatory, and
03907          *     should not be treated as a silently corrected assertion.
03908          *     Additionally, ssl->in_hslen might be arbitrarily out of
03909          *     bounds after handling a DTLS message with an unexpected
03910          *     sequence number, see mbedtls_ssl_prepare_handshake_record.
03911          */
03912         if( ssl->in_hslen < ssl->in_msglen )
03913         {
03914             ssl->in_msglen -= ssl->in_hslen;
03915             memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
03916                      ssl->in_msglen );
03917 
03918             MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
03919                                    ssl->in_msg, ssl->in_msglen );
03920         }
03921         else
03922         {
03923             ssl->in_msglen = 0;
03924         }
03925 
03926         ssl->in_hslen   = 0;
03927     }
03928     /* Case (4): Application data */
03929     else if( ssl->in_offt != NULL )
03930     {
03931         return( 0 );
03932     }
03933     /* Everything else (CCS & Alerts) */
03934     else
03935     {
03936         ssl->in_msglen = 0;
03937     }
03938 
03939     /*
03940      * Step B
03941      *
03942      * Fetch and decode new record if current one is fully consumed.
03943      *
03944      */
03945 
03946     if( ssl->in_msglen > 0 )
03947     {
03948         /* There's something left to be processed in the current record. */
03949         return( 0 );
03950     }
03951 
03952     /* Current record either fully processed or to be discarded. */
03953 
03954     if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
03955     {
03956         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
03957         return( ret );
03958     }
03959 
03960     if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
03961     {
03962 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03963         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
03964             ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
03965         {
03966             if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
03967             {
03968                 /* Skip unexpected record (but not whole datagram) */
03969                 ssl->next_record_offset = ssl->in_msglen
03970                                         + mbedtls_ssl_hdr_len( ssl );
03971 
03972                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
03973                                             "(header)" ) );
03974             }
03975             else
03976             {
03977                 /* Skip invalid record and the rest of the datagram */
03978                 ssl->next_record_offset = 0;
03979                 ssl->in_left = 0;
03980 
03981                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
03982                                             "(header)" ) );
03983             }
03984 
03985             /* Get next record */
03986             return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
03987         }
03988 #endif
03989         return( ret );
03990     }
03991 
03992     /*
03993      * Read and optionally decrypt the message contents
03994      */
03995     if( ( ret = mbedtls_ssl_fetch_input( ssl,
03996                                  mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
03997     {
03998         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
03999         return( ret );
04000     }
04001 
04002     /* Done reading this record, get ready for the next one */
04003 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04004     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
04005     {
04006         ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
04007         if( ssl->next_record_offset < ssl->in_left )
04008         {
04009             MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
04010         }
04011     }
04012     else
04013 #endif
04014         ssl->in_left = 0;
04015 
04016     if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
04017     {
04018 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04019         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
04020         {
04021             /* Silently discard invalid records */
04022             if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
04023                 ret == MBEDTLS_ERR_SSL_INVALID_MAC )
04024             {
04025                 /* Except when waiting for Finished as a bad mac here
04026                  * probably means something went wrong in the handshake
04027                  * (eg wrong psk used, mitm downgrade attempt, etc.) */
04028                 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
04029                     ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
04030                 {
04031 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
04032                     if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
04033                     {
04034                         mbedtls_ssl_send_alert_message( ssl,
04035                                 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04036                                 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
04037                     }
04038 #endif
04039                     return( ret );
04040                 }
04041 
04042 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
04043                 if( ssl->conf->badmac_limit != 0 &&
04044                     ++ssl->badmac_seen >= ssl->conf->badmac_limit )
04045                 {
04046                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
04047                     return( MBEDTLS_ERR_SSL_INVALID_MAC );
04048                 }
04049 #endif
04050 
04051                 /* As above, invalid records cause
04052                  * dismissal of the whole datagram. */
04053 
04054                 ssl->next_record_offset = 0;
04055                 ssl->in_left = 0;
04056 
04057                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
04058                 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
04059             }
04060 
04061             return( ret );
04062         }
04063         else
04064 #endif
04065         {
04066             /* Error out (and send alert) on invalid records */
04067 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
04068             if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
04069             {
04070                 mbedtls_ssl_send_alert_message( ssl,
04071                         MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04072                         MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
04073             }
04074 #endif
04075             return( ret );
04076         }
04077     }
04078 
04079     return( 0 );
04080 }
04081 
04082 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
04083 {
04084     int ret;
04085 
04086     /*
04087      * Handle particular types of records
04088      */
04089     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
04090     {
04091         if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
04092         {
04093             return( ret );
04094         }
04095     }
04096 
04097     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
04098     {
04099         MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
04100                        ssl->in_msg[0], ssl->in_msg[1] ) );
04101 
04102         /*
04103          * Ignore non-fatal alerts, except close_notify and no_renegotiation
04104          */
04105         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
04106         {
04107             MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
04108                            ssl->in_msg[1] ) );
04109             return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
04110         }
04111 
04112         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
04113             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
04114         {
04115             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
04116             return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
04117         }
04118 
04119 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
04120         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
04121             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
04122         {
04123             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
04124             /* Will be handled when trying to parse ServerHello */
04125             return( 0 );
04126         }
04127 #endif
04128 
04129 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
04130         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
04131             ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
04132             ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
04133             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
04134         {
04135             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
04136             /* Will be handled in mbedtls_ssl_parse_certificate() */
04137             return( 0 );
04138         }
04139 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
04140 
04141         /* Silently ignore: fetch new message */
04142         return MBEDTLS_ERR_SSL_NON_FATAL;
04143     }
04144 
04145 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04146     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
04147         ssl->handshake != NULL &&
04148         ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER  )
04149     {
04150         ssl_handshake_wrapup_free_hs_transform( ssl );
04151     }
04152 #endif
04153 
04154     return( 0 );
04155 }
04156 
04157 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
04158 {
04159     int ret;
04160 
04161     if( ( ret = mbedtls_ssl_send_alert_message( ssl,
04162                     MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04163                     MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
04164     {
04165         return( ret );
04166     }
04167 
04168     return( 0 );
04169 }
04170 
04171 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
04172                             unsigned char level,
04173                             unsigned char message )
04174 {
04175     int ret;
04176 
04177     if( ssl == NULL || ssl->conf == NULL )
04178         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
04179 
04180     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
04181     MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
04182 
04183     ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
04184     ssl->out_msglen = 2;
04185     ssl->out_msg[0] = level;
04186     ssl->out_msg[1] = message;
04187 
04188     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
04189     {
04190         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
04191         return( ret );
04192     }
04193     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
04194 
04195     return( 0 );
04196 }
04197 
04198 /*
04199  * Handshake functions
04200  */
04201 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)         && \
04202     !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)     && \
04203     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)     && \
04204     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)   && \
04205     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
04206     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)    && \
04207     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
04208 /* No certificate support -> dummy functions */
04209 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
04210 {
04211     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04212 
04213     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
04214 
04215     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04216         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04217         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04218         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04219     {
04220         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
04221         ssl->state++;
04222         return( 0 );
04223     }
04224 
04225     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
04226     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
04227 }
04228 
04229 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
04230 {
04231     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04232 
04233     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
04234 
04235     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04236         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04237         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04238         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04239     {
04240         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04241         ssl->state++;
04242         return( 0 );
04243     }
04244 
04245     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
04246     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
04247 }
04248 
04249 #else
04250 /* Some certificate support -> implement write and parse */
04251 
04252 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
04253 {
04254     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
04255     size_t i, n;
04256     const mbedtls_x509_crt *crt;
04257     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04258 
04259     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
04260 
04261     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04262         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04263         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04264         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04265     {
04266         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
04267         ssl->state++;
04268         return( 0 );
04269     }
04270 
04271 #if defined(MBEDTLS_SSL_CLI_C)
04272     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
04273     {
04274         if( ssl->client_auth == 0 )
04275         {
04276             MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
04277             ssl->state++;
04278             return( 0 );
04279         }
04280 
04281 #if defined(MBEDTLS_SSL_PROTO_SSL3)
04282         /*
04283          * If using SSLv3 and got no cert, send an Alert message
04284          * (otherwise an empty Certificate message will be sent).
04285          */
04286         if( mbedtls_ssl_own_cert( ssl )  == NULL &&
04287             ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
04288         {
04289             ssl->out_msglen  = 2;
04290             ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
04291             ssl->out_msg[0]  = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
04292             ssl->out_msg[1]  = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
04293 
04294             MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
04295             goto write_msg;
04296         }
04297 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
04298     }
04299 #endif /* MBEDTLS_SSL_CLI_C */
04300 #if defined(MBEDTLS_SSL_SRV_C)
04301     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
04302     {
04303         if( mbedtls_ssl_own_cert( ssl ) == NULL )
04304         {
04305             MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
04306             return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
04307         }
04308     }
04309 #endif
04310 
04311     MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
04312 
04313     /*
04314      *     0  .  0    handshake type
04315      *     1  .  3    handshake length
04316      *     4  .  6    length of all certs
04317      *     7  .  9    length of cert. 1
04318      *    10  . n-1   peer certificate
04319      *     n  . n+2   length of cert. 2
04320      *    n+3 . ...   upper level cert, etc.
04321      */
04322     i = 7;
04323     crt = mbedtls_ssl_own_cert( ssl );
04324 
04325     while( crt != NULL )
04326     {
04327         n = crt->raw.len;
04328         if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
04329         {
04330             MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
04331                            i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
04332             return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
04333         }
04334 
04335         ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
04336         ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
04337         ssl->out_msg[i + 2] = (unsigned char)( n       );
04338 
04339         i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
04340         i += n; crt = crt->next;
04341     }
04342 
04343     ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
04344     ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
04345     ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
04346 
04347     ssl->out_msglen  = i;
04348     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
04349     ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE;
04350 
04351 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
04352 write_msg:
04353 #endif
04354 
04355     ssl->state++;
04356 
04357     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
04358     {
04359         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
04360         return( ret );
04361     }
04362 
04363     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
04364 
04365     return( ret );
04366 }
04367 
04368 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
04369 {
04370     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
04371     size_t i, n;
04372     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04373     int authmode = ssl->conf->authmode;
04374     uint8_t alert;
04375 
04376     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
04377 
04378     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04379         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04380         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04381         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04382     {
04383         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04384         ssl->state++;
04385         return( 0 );
04386     }
04387 
04388 #if defined(MBEDTLS_SSL_SRV_C)
04389     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
04390         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
04391     {
04392         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04393         ssl->state++;
04394         return( 0 );
04395     }
04396 
04397 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
04398     if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
04399         authmode = ssl->handshake->sni_authmode;
04400 #endif
04401 
04402     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
04403         authmode == MBEDTLS_SSL_VERIFY_NONE )
04404     {
04405         ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
04406         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04407         ssl->state++;
04408         return( 0 );
04409     }
04410 #endif
04411 
04412     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
04413     {
04414         /* mbedtls_ssl_read_record may have sent an alert already. We
04415            let it decide whether to alert. */
04416         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
04417         return( ret );
04418     }
04419 
04420     ssl->state++;
04421 
04422 #if defined(MBEDTLS_SSL_SRV_C)
04423 #if defined(MBEDTLS_SSL_PROTO_SSL3)
04424     /*
04425      * Check if the client sent an empty certificate
04426      */
04427     if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
04428         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
04429     {
04430         if( ssl->in_msglen  == 2                        &&
04431             ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT            &&
04432             ssl->in_msg[0]  == MBEDTLS_SSL_ALERT_LEVEL_WARNING  &&
04433             ssl->in_msg[1]  == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
04434         {
04435             MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
04436 
04437             /* The client was asked for a certificate but didn't send
04438                one. The client should know what's going on, so we
04439                don't send an alert. */
04440             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
04441             if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
04442                 return( 0 );
04443             else
04444                 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
04445         }
04446     }
04447 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
04448 
04449 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
04450     defined(MBEDTLS_SSL_PROTO_TLS1_2)
04451     if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
04452         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
04453     {
04454         if( ssl->in_hslen   == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
04455             ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE    &&
04456             ssl->in_msg[0]  == MBEDTLS_SSL_HS_CERTIFICATE   &&
04457             memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
04458         {
04459             MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
04460 
04461             /* The client was asked for a certificate but didn't send
04462                one. The client should know what's going on, so we
04463                don't send an alert. */
04464             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
04465             if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
04466                 return( 0 );
04467             else
04468                 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
04469         }
04470     }
04471 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
04472           MBEDTLS_SSL_PROTO_TLS1_2 */
04473 #endif /* MBEDTLS_SSL_SRV_C */
04474 
04475     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
04476     {
04477         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04478         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04479                                         MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
04480         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
04481     }
04482 
04483     if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
04484         ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
04485     {
04486         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04487         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04488                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
04489         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04490     }
04491 
04492     i = mbedtls_ssl_hs_hdr_len( ssl );
04493 
04494     /*
04495      * Same message structure as in mbedtls_ssl_write_certificate()
04496      */
04497     n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
04498 
04499     if( ssl->in_msg[i] != 0 ||
04500         ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
04501     {
04502         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04503         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04504                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
04505         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04506     }
04507 
04508     /* In case we tried to reuse a session but it failed */
04509     if( ssl->session_negotiate->peer_cert != NULL )
04510     {
04511         mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
04512         mbedtls_free( ssl->session_negotiate->peer_cert );
04513     }
04514 
04515     if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
04516                     sizeof( mbedtls_x509_crt ) ) ) == NULL )
04517     {
04518         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
04519                        sizeof( mbedtls_x509_crt ) ) );
04520         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04521                                         MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
04522         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
04523     }
04524 
04525     mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
04526 
04527     i += 3;
04528 
04529     while( i < ssl->in_hslen )
04530     {
04531         if( ssl->in_msg[i] != 0 )
04532         {
04533             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04534             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04535                                             MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
04536             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04537         }
04538 
04539         n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
04540             | (unsigned int) ssl->in_msg[i + 2];
04541         i += 3;
04542 
04543         if( n < 128 || i + n > ssl->in_hslen )
04544         {
04545             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04546             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04547                                             MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
04548             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04549         }
04550 
04551         ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
04552                                   ssl->in_msg + i, n );
04553         switch( ret )
04554         {
04555         case 0: /*ok*/
04556         case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
04557             /* Ignore certificate with an unknown algorithm: maybe a
04558                prior certificate was already trusted. */
04559             break;
04560 
04561         case MBEDTLS_ERR_X509_ALLOC_FAILED:
04562             alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
04563             goto crt_parse_der_failed;
04564 
04565         case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
04566             alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
04567             goto crt_parse_der_failed;
04568 
04569         default:
04570             alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
04571         crt_parse_der_failed:
04572             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
04573             MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
04574             return( ret );
04575         }
04576 
04577         i += n;
04578     }
04579 
04580     MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
04581 
04582     /*
04583      * On client, make sure the server cert doesn't change during renego to
04584      * avoid "triple handshake" attack: https://secure-resumption.com/
04585      */
04586 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
04587     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
04588         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
04589     {
04590         if( ssl->session->peer_cert == NULL )
04591         {
04592             MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
04593             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04594                                             MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
04595             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04596         }
04597 
04598         if( ssl->session->peer_cert->raw.len !=
04599             ssl->session_negotiate->peer_cert->raw.len ||
04600             memcmp( ssl->session->peer_cert->raw.p,
04601                     ssl->session_negotiate->peer_cert->raw.p,
04602                     ssl->session->peer_cert->raw.len ) != 0 )
04603         {
04604             MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
04605             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04606                                             MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
04607             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04608         }
04609     }
04610 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
04611 
04612     if( authmode != MBEDTLS_SSL_VERIFY_NONE )
04613     {
04614         mbedtls_x509_crt *ca_chain;
04615         mbedtls_x509_crl *ca_crl;
04616 
04617 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
04618         if( ssl->handshake->sni_ca_chain != NULL )
04619         {
04620             ca_chain = ssl->handshake->sni_ca_chain;
04621             ca_crl   = ssl->handshake->sni_ca_crl;
04622         }
04623         else
04624 #endif
04625         {
04626             ca_chain = ssl->conf->ca_chain;
04627             ca_crl   = ssl->conf->ca_crl;
04628         }
04629 
04630         /*
04631          * Main check: verify certificate
04632          */
04633         ret = mbedtls_x509_crt_verify_with_profile(
04634                                 ssl->session_negotiate->peer_cert,
04635                                 ca_chain, ca_crl,
04636                                 ssl->conf->cert_profile,
04637                                 ssl->hostname,
04638                                &ssl->session_negotiate->verify_result,
04639                                 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
04640 
04641         if( ret != 0 )
04642         {
04643             MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
04644         }
04645 
04646         /*
04647          * Secondary checks: always done, but change 'ret' only if it was 0
04648          */
04649 
04650 #if defined(MBEDTLS_ECP_C)
04651         {
04652             const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
04653 
04654             /* If certificate uses an EC key, make sure the curve is OK */
04655             if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
04656                 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id  ) != 0 )
04657             {
04658                 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
04659 
04660                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
04661                 if( ret == 0 )
04662                     ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
04663             }
04664         }
04665 #endif /* MBEDTLS_ECP_C */
04666 
04667         if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
04668                                  ciphersuite_info,
04669                                  ! ssl->conf->endpoint,
04670                                  &ssl->session_negotiate->verify_result ) != 0 )
04671         {
04672             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
04673             if( ret == 0 )
04674                 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
04675         }
04676 
04677         /* mbedtls_x509_crt_verify_with_profile is supposed to report a
04678          * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
04679          * with details encoded in the verification flags. All other kinds
04680          * of error codes, including those from the user provided f_vrfy
04681          * functions, are treated as fatal and lead to a failure of
04682          * ssl_parse_certificate even if verification was optional. */
04683         if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
04684             ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
04685               ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
04686         {
04687             ret = 0;
04688         }
04689 
04690         if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
04691         {
04692             MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
04693             ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
04694         }
04695 
04696         if( ret != 0 )
04697         {
04698             /* The certificate may have been rejected for several reasons.
04699                Pick one and send the corresponding alert. Which alert to send
04700                may be a subject of debate in some cases. */
04701             if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
04702                 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
04703             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
04704                 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
04705             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
04706                 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
04707             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
04708                 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
04709             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
04710                 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
04711             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
04712                 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
04713             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
04714                 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
04715             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
04716                 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
04717             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
04718                 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
04719             else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
04720                 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
04721             else
04722                 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
04723             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04724                                             alert );
04725         }
04726 
04727 #if defined(MBEDTLS_DEBUG_C)
04728         if( ssl->session_negotiate->verify_result != 0 )
04729         {
04730             MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
04731                                         ssl->session_negotiate->verify_result ) );
04732         }
04733         else
04734         {
04735             MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
04736         }
04737 #endif /* MBEDTLS_DEBUG_C */
04738     }
04739 
04740     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
04741 
04742     return( ret );
04743 }
04744 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
04745           !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
04746           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
04747           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
04748           !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
04749           !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
04750           !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
04751 
04752 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
04753 {
04754     int ret;
04755 
04756     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
04757 
04758     ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
04759     ssl->out_msglen  = 1;
04760     ssl->out_msg[0]  = 1;
04761 
04762     ssl->state++;
04763 
04764     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
04765     {
04766         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
04767         return( ret );
04768     }
04769 
04770     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
04771 
04772     return( 0 );
04773 }
04774 
04775 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
04776 {
04777     int ret;
04778 
04779     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
04780 
04781     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
04782     {
04783         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
04784         return( ret );
04785     }
04786 
04787     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
04788     {
04789         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
04790         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04791                                         MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
04792         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
04793     }
04794 
04795     if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
04796     {
04797         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
04798         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04799                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
04800         return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
04801     }
04802 
04803     /*
04804      * Switch to our negotiated transform and session parameters for inbound
04805      * data.
04806      */
04807     MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
04808     ssl->transform_in = ssl->transform_negotiate;
04809     ssl->session_in = ssl->session_negotiate;
04810 
04811 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04812     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
04813     {
04814 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
04815         ssl_dtls_replay_reset( ssl );
04816 #endif
04817 
04818         /* Increment epoch */
04819         if( ++ssl->in_epoch == 0 )
04820         {
04821             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
04822             /* This is highly unlikely to happen for legitimate reasons, so
04823                treat it as an attack and don't send an alert. */
04824             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
04825         }
04826     }
04827     else
04828 #endif /* MBEDTLS_SSL_PROTO_DTLS */
04829     memset( ssl->in_ctr, 0, 8 );
04830 
04831     /*
04832      * Set the in_msg pointer to the correct location based on IV length
04833      */
04834     if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
04835     {
04836         ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
04837                       ssl->transform_negotiate->fixed_ivlen;
04838     }
04839     else
04840         ssl->in_msg = ssl->in_iv;
04841 
04842 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
04843     if( mbedtls_ssl_hw_record_activate != NULL )
04844     {
04845         if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
04846         {
04847             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
04848             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
04849                                             MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
04850             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
04851         }
04852     }
04853 #endif
04854 
04855     ssl->state++;
04856 
04857     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
04858 
04859     return( 0 );
04860 }
04861 
04862 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
04863                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
04864 {
04865     ((void) ciphersuite_info);
04866 
04867 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04868     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04869     if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
04870         ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
04871     else
04872 #endif
04873 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04874 #if defined(MBEDTLS_SHA512_C)
04875     if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
04876         ssl->handshake->update_checksum = ssl_update_checksum_sha384;
04877     else
04878 #endif
04879 #if defined(MBEDTLS_SHA256_C)
04880     if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
04881         ssl->handshake->update_checksum = ssl_update_checksum_sha256;
04882     else
04883 #endif
04884 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04885     {
04886         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
04887         return;
04888     }
04889 }
04890 
04891 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
04892 {
04893 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04894     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04895      mbedtls_md5_starts_ret( &ssl->handshake->fin_md5  );
04896     mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
04897 #endif
04898 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04899 #if defined(MBEDTLS_SHA256_C)
04900     mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
04901 #endif
04902 #if defined(MBEDTLS_SHA512_C)
04903     mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
04904 #endif
04905 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04906 }
04907 
04908 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
04909                                        const unsigned char *buf, size_t len )
04910 {
04911 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04912     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04913      mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
04914     mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
04915 #endif
04916 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04917 #if defined(MBEDTLS_SHA256_C)
04918     mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
04919 #endif
04920 #if defined(MBEDTLS_SHA512_C)
04921     mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
04922 #endif
04923 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04924 }
04925 
04926 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04927     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04928 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
04929                                          const unsigned char *buf, size_t len )
04930 {
04931      mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
04932     mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
04933 }
04934 #endif
04935 
04936 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04937 #if defined(MBEDTLS_SHA256_C)
04938 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
04939                                         const unsigned char *buf, size_t len )
04940 {
04941     mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
04942 }
04943 #endif
04944 
04945 #if defined(MBEDTLS_SHA512_C)
04946 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
04947                                         const unsigned char *buf, size_t len )
04948 {
04949     mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
04950 }
04951 #endif
04952 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04953 
04954 #if defined(MBEDTLS_SSL_PROTO_SSL3)
04955 static void ssl_calc_finished_ssl(
04956                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
04957 {
04958     const char *sender;
04959     mbedtls_md5_context  md5;
04960     mbedtls_sha1_context sha1;
04961 
04962     unsigned char padbuf[48];
04963     unsigned char md5sum[16];
04964     unsigned char sha1sum[20];
04965 
04966     mbedtls_ssl_session *session = ssl->session_negotiate;
04967     if( !session )
04968         session = ssl->session;
04969 
04970     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished ssl" ) );
04971 
04972     mbedtls_md5_init( &md5 );
04973     mbedtls_sha1_init( &sha1 );
04974 
04975     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
04976     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
04977 
04978     /*
04979      * SSLv3:
04980      *   hash =
04981      *      MD5( master + pad2 +
04982      *          MD5( handshake + sender + master + pad1 ) )
04983      *   + SHA1( master + pad2 +
04984      *         SHA1( handshake + sender + master + pad1 ) )
04985      */
04986 
04987 #if !defined(MBEDTLS_MD5_ALT)
04988     MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
04989                     md5.state , sizeof(  md5.state  ) );
04990 #endif
04991 
04992 #if !defined(MBEDTLS_SHA1_ALT)
04993     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
04994                    sha1.state , sizeof( sha1.state  ) );
04995 #endif
04996 
04997     sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
04998                                        : "SRVR";
04999 
05000     memset( padbuf, 0x36, 48 );
05001 
05002     mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
05003     mbedtls_md5_update_ret( &md5, session->master, 48 );
05004     mbedtls_md5_update_ret( &md5, padbuf, 48 );
05005     mbedtls_md5_finish_ret( &md5, md5sum );
05006 
05007     mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
05008     mbedtls_sha1_update_ret( &sha1, session->master, 48 );
05009     mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
05010     mbedtls_sha1_finish_ret( &sha1, sha1sum );
05011 
05012     memset( padbuf, 0x5C, 48 );
05013 
05014     mbedtls_md5_starts_ret( &md5 );
05015     mbedtls_md5_update_ret( &md5, session->master, 48 );
05016     mbedtls_md5_update_ret( &md5, padbuf, 48 );
05017     mbedtls_md5_update_ret( &md5, md5sum, 16 );
05018     mbedtls_md5_finish_ret( &md5, buf );
05019 
05020     mbedtls_sha1_starts_ret( &sha1 );
05021     mbedtls_sha1_update_ret( &sha1, session->master, 48 );
05022     mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
05023     mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
05024     mbedtls_sha1_finish_ret( &sha1, buf + 16 );
05025 
05026     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
05027 
05028     mbedtls_md5_free(  &md5  );
05029     mbedtls_sha1_free( &sha1 );
05030 
05031     mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
05032     mbedtls_platform_zeroize(  md5sum, sizeof(  md5sum ) );
05033     mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
05034 
05035     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
05036 }
05037 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
05038 
05039 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
05040 static void ssl_calc_finished_tls(
05041                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
05042 {
05043     int len = 12;
05044     const char *sender;
05045     mbedtls_md5_context  md5;
05046     mbedtls_sha1_context sha1;
05047     unsigned char padbuf[36];
05048 
05049     mbedtls_ssl_session *session = ssl->session_negotiate;
05050     if( !session )
05051         session = ssl->session;
05052 
05053     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls" ) );
05054 
05055     mbedtls_md5_init( &md5 );
05056     mbedtls_sha1_init( &sha1 );
05057 
05058     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
05059     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
05060 
05061     /*
05062      * TLSv1:
05063      *   hash = PRF( master, finished_label,
05064      *               MD5( handshake ) + SHA1( handshake ) )[0..11]
05065      */
05066 
05067 #if !defined(MBEDTLS_MD5_ALT)
05068     MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
05069                     md5.state , sizeof(  md5.state  ) );
05070 #endif
05071 
05072 #if !defined(MBEDTLS_SHA1_ALT)
05073     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
05074                    sha1.state , sizeof( sha1.state  ) );
05075 #endif
05076 
05077     sender = ( from == MBEDTLS_SSL_IS_CLIENT )
05078              ? "client finished"
05079              : "server finished";
05080 
05081     mbedtls_md5_finish_ret(  &md5, padbuf );
05082     mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
05083 
05084     ssl->handshake->tls_prf( session->master, 48, sender,
05085                              padbuf, 36, buf, len );
05086 
05087     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
05088 
05089     mbedtls_md5_free(  &md5  );
05090     mbedtls_sha1_free( &sha1 );
05091 
05092     mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
05093 
05094     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
05095 }
05096 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
05097 
05098 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
05099 #if defined(MBEDTLS_SHA256_C)
05100 static void ssl_calc_finished_tls_sha256(
05101                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
05102 {
05103     int len = 12;
05104     const char *sender;
05105     mbedtls_sha256_context sha256;
05106     unsigned char padbuf[32];
05107 
05108     mbedtls_ssl_session *session = ssl->session_negotiate;
05109     if( !session )
05110         session = ssl->session;
05111 
05112     mbedtls_sha256_init( &sha256 );
05113 
05114     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha256" ) );
05115 
05116     mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
05117 
05118     /*
05119      * TLSv1.2:
05120      *   hash = PRF( master, finished_label,
05121      *               Hash( handshake ) )[0.11]
05122      */
05123 
05124 #if !defined(MBEDTLS_SHA256_ALT)
05125     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
05126                    sha256.state , sizeof( sha256.state  ) );
05127 #endif
05128 
05129     sender = ( from == MBEDTLS_SSL_IS_CLIENT )
05130              ? "client finished"
05131              : "server finished";
05132 
05133     mbedtls_sha256_finish_ret( &sha256, padbuf );
05134 
05135     ssl->handshake->tls_prf( session->master, 48, sender,
05136                              padbuf, 32, buf, len );
05137 
05138     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
05139 
05140     mbedtls_sha256_free( &sha256 );
05141 
05142     mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
05143 
05144     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
05145 }
05146 #endif /* MBEDTLS_SHA256_C */
05147 
05148 #if defined(MBEDTLS_SHA512_C)
05149 static void ssl_calc_finished_tls_sha384(
05150                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
05151 {
05152     int len = 12;
05153     const char *sender;
05154     mbedtls_sha512_context sha512;
05155     unsigned char padbuf[48];
05156 
05157     mbedtls_ssl_session *session = ssl->session_negotiate;
05158     if( !session )
05159         session = ssl->session;
05160 
05161     mbedtls_sha512_init( &sha512 );
05162 
05163     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha384" ) );
05164 
05165     mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
05166 
05167     /*
05168      * TLSv1.2:
05169      *   hash = PRF( master, finished_label,
05170      *               Hash( handshake ) )[0.11]
05171      */
05172 
05173 #if !defined(MBEDTLS_SHA512_ALT)
05174     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
05175                    sha512.state , sizeof( sha512.state  ) );
05176 #endif
05177 
05178     sender = ( from == MBEDTLS_SSL_IS_CLIENT )
05179              ? "client finished"
05180              : "server finished";
05181 
05182     mbedtls_sha512_finish_ret( &sha512, padbuf );
05183 
05184     ssl->handshake->tls_prf( session->master, 48, sender,
05185                              padbuf, 48, buf, len );
05186 
05187     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
05188 
05189     mbedtls_sha512_free( &sha512 );
05190 
05191     mbedtls_platform_zeroize(  padbuf, sizeof( padbuf ) );
05192 
05193     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
05194 }
05195 #endif /* MBEDTLS_SHA512_C */
05196 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
05197 
05198 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
05199 {
05200     MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
05201 
05202     /*
05203      * Free our handshake params
05204      */
05205     mbedtls_ssl_handshake_free( ssl->handshake );
05206     mbedtls_free( ssl->handshake );
05207     ssl->handshake = NULL;
05208 
05209     /*
05210      * Free the previous transform and swith in the current one
05211      */
05212     if( ssl->transform )
05213     {
05214         mbedtls_ssl_transform_free( ssl->transform );
05215         mbedtls_free( ssl->transform );
05216     }
05217     ssl->transform = ssl->transform_negotiate;
05218     ssl->transform_negotiate = NULL;
05219 
05220     MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
05221 }
05222 
05223 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
05224 {
05225     int resume = ssl->handshake->resume;
05226 
05227     MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
05228 
05229 #if defined(MBEDTLS_SSL_RENEGOTIATION)
05230     if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
05231     {
05232         ssl->renego_status =  MBEDTLS_SSL_RENEGOTIATION_DONE;
05233         ssl->renego_records_seen = 0;
05234     }
05235 #endif
05236 
05237     /*
05238      * Free the previous session and switch in the current one
05239      */
05240     if( ssl->session )
05241     {
05242 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
05243         /* RFC 7366 3.1: keep the EtM state */
05244         ssl->session_negotiate->encrypt_then_mac =
05245                   ssl->session->encrypt_then_mac;
05246 #endif
05247 
05248         mbedtls_ssl_session_free( ssl->session );
05249         mbedtls_free( ssl->session );
05250     }
05251     ssl->session = ssl->session_negotiate;
05252     ssl->session_negotiate = NULL;
05253 
05254     /*
05255      * Add cache entry
05256      */
05257     if( ssl->conf->f_set_cache != NULL &&
05258         ssl->session->id_len != 0 &&
05259         resume == 0 )
05260     {
05261         if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
05262             MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
05263     }
05264 
05265 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05266     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
05267         ssl->handshake->flight != NULL )
05268     {
05269         /* Cancel handshake timer */
05270         ssl_set_timer( ssl, 0 );
05271 
05272         /* Keep last flight around in case we need to resend it:
05273          * we need the handshake and transform structures for that */
05274         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
05275     }
05276     else
05277 #endif
05278         ssl_handshake_wrapup_free_hs_transform( ssl );
05279 
05280     ssl->state++;
05281 
05282     MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
05283 }
05284 
05285 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
05286 {
05287     int ret, hash_len;
05288 
05289     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
05290 
05291     /*
05292      * Set the out_msg pointer to the correct location based on IV length
05293      */
05294     if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
05295     {
05296         ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
05297                        ssl->transform_negotiate->fixed_ivlen;
05298     }
05299     else
05300         ssl->out_msg = ssl->out_iv;
05301 
05302     ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
05303 
05304     /*
05305      * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
05306      * may define some other value. Currently (early 2016), no defined
05307      * ciphersuite does this (and this is unlikely to change as activity has
05308      * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
05309      */
05310     hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
05311 
05312 #if defined(MBEDTLS_SSL_RENEGOTIATION)
05313     ssl->verify_data_len = hash_len;
05314     memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
05315 #endif
05316 
05317     ssl->out_msglen  = 4 + hash_len;
05318     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
05319     ssl->out_msg[0]  = MBEDTLS_SSL_HS_FINISHED;
05320 
05321     /*
05322      * In case of session resuming, invert the client and server
05323      * ChangeCipherSpec messages order.
05324      */
05325     if( ssl->handshake->resume != 0 )
05326     {
05327 #if defined(MBEDTLS_SSL_CLI_C)
05328         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
05329             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
05330 #endif
05331 #if defined(MBEDTLS_SSL_SRV_C)
05332         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
05333             ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
05334 #endif
05335     }
05336     else
05337         ssl->state++;
05338 
05339     /*
05340      * Switch to our negotiated transform and session parameters for outbound
05341      * data.
05342      */
05343     MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
05344 
05345 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05346     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05347     {
05348         unsigned char i;
05349 
05350         /* Remember current epoch settings for resending */
05351         ssl->handshake->alt_transform_out = ssl->transform_out;
05352         memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 );
05353 
05354         /* Set sequence_number to zero */
05355         memset( ssl->out_ctr + 2, 0, 6 );
05356 
05357         /* Increment epoch */
05358         for( i = 2; i > 0; i-- )
05359             if( ++ssl->out_ctr[i - 1] != 0 )
05360                 break;
05361 
05362         /* The loop goes to its end iff the counter is wrapping */
05363         if( i == 0 )
05364         {
05365             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
05366             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
05367         }
05368     }
05369     else
05370 #endif /* MBEDTLS_SSL_PROTO_DTLS */
05371     memset( ssl->out_ctr, 0, 8 );
05372 
05373     ssl->transform_out = ssl->transform_negotiate;
05374     ssl->session_out = ssl->session_negotiate;
05375 
05376 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
05377     if( mbedtls_ssl_hw_record_activate != NULL )
05378     {
05379         if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
05380         {
05381             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
05382             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
05383         }
05384     }
05385 #endif
05386 
05387 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05388     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05389         mbedtls_ssl_send_flight_completed( ssl );
05390 #endif
05391 
05392     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
05393     {
05394         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
05395         return( ret );
05396     }
05397 
05398     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
05399 
05400     return( 0 );
05401 }
05402 
05403 #if defined(MBEDTLS_SSL_PROTO_SSL3)
05404 #define SSL_MAX_HASH_LEN 36
05405 #else
05406 #define SSL_MAX_HASH_LEN 12
05407 #endif
05408 
05409 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
05410 {
05411     int ret;
05412     unsigned int hash_len;
05413     unsigned char buf[SSL_MAX_HASH_LEN];
05414 
05415     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
05416 
05417     ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
05418 
05419     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
05420     {
05421         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
05422         return( ret );
05423     }
05424 
05425     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
05426     {
05427         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
05428         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
05429                                         MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
05430         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
05431     }
05432 
05433     /* There is currently no ciphersuite using another length with TLS 1.2 */
05434 #if defined(MBEDTLS_SSL_PROTO_SSL3)
05435     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
05436         hash_len = 36;
05437     else
05438 #endif
05439         hash_len = 12;
05440 
05441     if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
05442         ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
05443     {
05444         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
05445         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
05446                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
05447         return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
05448     }
05449 
05450     if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
05451                       buf, hash_len ) != 0 )
05452     {
05453         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
05454         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
05455                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
05456         return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
05457     }
05458 
05459 #if defined(MBEDTLS_SSL_RENEGOTIATION)
05460     ssl->verify_data_len = hash_len;
05461     memcpy( ssl->peer_verify_data, buf, hash_len );
05462 #endif
05463 
05464     if( ssl->handshake->resume != 0 )
05465     {
05466 #if defined(MBEDTLS_SSL_CLI_C)
05467         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
05468             ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
05469 #endif
05470 #if defined(MBEDTLS_SSL_SRV_C)
05471         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
05472             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
05473 #endif
05474     }
05475     else
05476         ssl->state++;
05477 
05478 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05479     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05480         mbedtls_ssl_recv_flight_completed( ssl );
05481 #endif
05482 
05483     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
05484 
05485     return( 0 );
05486 }
05487 
05488 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
05489 {
05490     memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
05491 
05492 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
05493     defined(MBEDTLS_SSL_PROTO_TLS1_1)
05494      mbedtls_md5_init(   &handshake->fin_md5  );
05495     mbedtls_sha1_init(   &handshake->fin_sha1 );
05496      mbedtls_md5_starts_ret( &handshake->fin_md5  );
05497     mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
05498 #endif
05499 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
05500 #if defined(MBEDTLS_SHA256_C)
05501     mbedtls_sha256_init(   &handshake->fin_sha256    );
05502     mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
05503 #endif
05504 #if defined(MBEDTLS_SHA512_C)
05505     mbedtls_sha512_init(   &handshake->fin_sha512    );
05506     mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
05507 #endif
05508 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
05509 
05510     handshake->update_checksum = ssl_update_checksum_start;
05511 
05512 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
05513     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
05514     mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
05515 #endif
05516 
05517 #if defined(MBEDTLS_DHM_C)
05518     mbedtls_dhm_init( &handshake->dhm_ctx );
05519 #endif
05520 #if defined(MBEDTLS_ECDH_C)
05521     mbedtls_ecdh_init( &handshake->ecdh_ctx );
05522 #endif
05523 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
05524     mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
05525 #if defined(MBEDTLS_SSL_CLI_C)
05526     handshake->ecjpake_cache = NULL;
05527     handshake->ecjpake_cache_len = 0;
05528 #endif
05529 #endif
05530 
05531 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
05532     handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
05533 #endif
05534 }
05535 
05536 static void ssl_transform_init( mbedtls_ssl_transform *transform )
05537 {
05538     memset( transform, 0, sizeof(mbedtls_ssl_transform) );
05539 
05540     mbedtls_cipher_init( &transform->cipher_ctx_enc );
05541     mbedtls_cipher_init( &transform->cipher_ctx_dec );
05542 
05543     mbedtls_md_init( &transform->md_ctx_enc );
05544     mbedtls_md_init( &transform->md_ctx_dec );
05545 }
05546 
05547 void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
05548 {
05549     memset( session, 0, sizeof(mbedtls_ssl_session) );
05550 }
05551 
05552 static int ssl_handshake_init( mbedtls_ssl_context *ssl )
05553 {
05554     /* Clear old handshake information if present */
05555     if( ssl->transform_negotiate )
05556         mbedtls_ssl_transform_free( ssl->transform_negotiate );
05557     if( ssl->session_negotiate )
05558         mbedtls_ssl_session_free( ssl->session_negotiate );
05559     if( ssl->handshake )
05560         mbedtls_ssl_handshake_free( ssl->handshake );
05561 
05562     /*
05563      * Either the pointers are now NULL or cleared properly and can be freed.
05564      * Now allocate missing structures.
05565      */
05566     if( ssl->transform_negotiate == NULL )
05567     {
05568         ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
05569     }
05570 
05571     if( ssl->session_negotiate == NULL )
05572     {
05573         ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
05574     }
05575 
05576     if( ssl->handshake == NULL )
05577     {
05578         ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
05579     }
05580 
05581     /* All pointers should exist and can be directly freed without issue */
05582     if( ssl->handshake == NULL ||
05583         ssl->transform_negotiate == NULL ||
05584         ssl->session_negotiate == NULL )
05585     {
05586         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
05587 
05588         mbedtls_free( ssl->handshake );
05589         mbedtls_free( ssl->transform_negotiate );
05590         mbedtls_free( ssl->session_negotiate );
05591 
05592         ssl->handshake = NULL;
05593         ssl->transform_negotiate = NULL;
05594         ssl->session_negotiate = NULL;
05595 
05596         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05597     }
05598 
05599     /* Initialize structures */
05600     mbedtls_ssl_session_init( ssl->session_negotiate );
05601     ssl_transform_init( ssl->transform_negotiate );
05602     ssl_handshake_params_init( ssl->handshake );
05603 
05604 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05605     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05606     {
05607         ssl->handshake->alt_transform_out = ssl->transform_out;
05608 
05609         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
05610             ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
05611         else
05612             ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
05613 
05614         ssl_set_timer( ssl, 0 );
05615     }
05616 #endif
05617 
05618     return( 0 );
05619 }
05620 
05621 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
05622 /* Dummy cookie callbacks for defaults */
05623 static int ssl_cookie_write_dummy( void *ctx,
05624                       unsigned char **p, unsigned char *end,
05625                       const unsigned char *cli_id, size_t cli_id_len )
05626 {
05627     ((void) ctx);
05628     ((void) p);
05629     ((void) end);
05630     ((void) cli_id);
05631     ((void) cli_id_len);
05632 
05633     return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
05634 }
05635 
05636 static int ssl_cookie_check_dummy( void *ctx,
05637                       const unsigned char *cookie, size_t cookie_len,
05638                       const unsigned char *cli_id, size_t cli_id_len )
05639 {
05640     ((void) ctx);
05641     ((void) cookie);
05642     ((void) cookie_len);
05643     ((void) cli_id);
05644     ((void) cli_id_len);
05645 
05646     return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
05647 }
05648 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
05649 
05650 /*
05651  * Initialize an SSL context
05652  */
05653 void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
05654 {
05655     memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
05656 }
05657 
05658 /*
05659  * Setup an SSL context
05660  */
05661 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
05662                        const mbedtls_ssl_config *conf )
05663 {
05664     int ret;
05665     const size_t len = MBEDTLS_SSL_BUFFER_LEN;
05666 
05667     ssl->conf = conf;
05668 
05669     /*
05670      * Prepare base structures
05671      */
05672     if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
05673         ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
05674     {
05675         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
05676         mbedtls_free( ssl->in_buf );
05677         ssl->in_buf = NULL;
05678         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05679     }
05680 
05681 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05682     if( conf->transport  == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05683     {
05684         ssl->out_hdr = ssl->out_buf;
05685         ssl->out_ctr = ssl->out_buf +  3;
05686         ssl->out_len = ssl->out_buf + 11;
05687         ssl->out_iv  = ssl->out_buf + 13;
05688         ssl->out_msg = ssl->out_buf + 13;
05689 
05690         ssl->in_hdr = ssl->in_buf;
05691         ssl->in_ctr = ssl->in_buf +  3;
05692         ssl->in_len = ssl->in_buf + 11;
05693         ssl->in_iv  = ssl->in_buf + 13;
05694         ssl->in_msg = ssl->in_buf + 13;
05695     }
05696     else
05697 #endif
05698     {
05699         ssl->out_ctr = ssl->out_buf;
05700         ssl->out_hdr = ssl->out_buf +  8;
05701         ssl->out_len = ssl->out_buf + 11;
05702         ssl->out_iv  = ssl->out_buf + 13;
05703         ssl->out_msg = ssl->out_buf + 13;
05704 
05705         ssl->in_ctr = ssl->in_buf;
05706         ssl->in_hdr = ssl->in_buf +  8;
05707         ssl->in_len = ssl->in_buf + 11;
05708         ssl->in_iv  = ssl->in_buf + 13;
05709         ssl->in_msg = ssl->in_buf + 13;
05710     }
05711 
05712     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
05713         return( ret );
05714 
05715     return( 0 );
05716 }
05717 
05718 /*
05719  * Reset an initialized and used SSL context for re-use while retaining
05720  * all application-set variables, function pointers and data.
05721  *
05722  * If partial is non-zero, keep data in the input buffer and client ID.
05723  * (Use when a DTLS client reconnects from the same port.)
05724  */
05725 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
05726 {
05727     int ret;
05728 
05729     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
05730 
05731     /* Cancel any possibly running timer */
05732     ssl_set_timer( ssl, 0 );
05733 
05734 #if defined(MBEDTLS_SSL_RENEGOTIATION)
05735     ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
05736     ssl->renego_records_seen = 0;
05737 
05738     ssl->verify_data_len = 0;
05739     memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
05740     memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
05741 #endif
05742     ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
05743 
05744     ssl->in_offt = NULL;
05745 
05746     ssl->in_msg = ssl->in_buf + 13;
05747     ssl->in_msgtype = 0;
05748     ssl->in_msglen = 0;
05749     if( partial == 0 )
05750         ssl->in_left = 0;
05751 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05752     ssl->next_record_offset = 0;
05753     ssl->in_epoch = 0;
05754 #endif
05755 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
05756     ssl_dtls_replay_reset( ssl );
05757 #endif
05758 
05759     ssl->in_hslen = 0;
05760     ssl->nb_zero = 0;
05761 
05762     ssl->keep_current_message = 0;
05763 
05764     ssl->out_msg = ssl->out_buf + 13;
05765     ssl->out_msgtype = 0;
05766     ssl->out_msglen = 0;
05767     ssl->out_left = 0;
05768 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
05769     if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
05770         ssl->split_done = 0;
05771 #endif
05772 
05773     ssl->transform_in = NULL;
05774     ssl->transform_out = NULL;
05775 
05776     memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
05777     if( partial == 0 )
05778         memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
05779 
05780 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
05781     if( mbedtls_ssl_hw_record_reset != NULL )
05782     {
05783         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
05784         if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
05785         {
05786             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
05787             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
05788         }
05789     }
05790 #endif
05791 
05792     if( ssl->transform )
05793     {
05794         mbedtls_ssl_transform_free( ssl->transform );
05795         mbedtls_free( ssl->transform );
05796         ssl->transform = NULL;
05797     }
05798 
05799     if( ssl->session )
05800     {
05801         mbedtls_ssl_session_free( ssl->session );
05802         mbedtls_free( ssl->session );
05803         ssl->session = NULL;
05804     }
05805 
05806 #if defined(MBEDTLS_SSL_ALPN)
05807     ssl->alpn_chosen = NULL;
05808 #endif
05809 
05810 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
05811     if( partial == 0 )
05812     {
05813         mbedtls_free( ssl->cli_id );
05814         ssl->cli_id = NULL;
05815         ssl->cli_id_len = 0;
05816     }
05817 #endif
05818 
05819     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
05820         return( ret );
05821 
05822     return( 0 );
05823 }
05824 
05825 /*
05826  * Reset an initialized and used SSL context for re-use while retaining
05827  * all application-set variables, function pointers and data.
05828  */
05829 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
05830 {
05831     return( ssl_session_reset_int( ssl, 0 ) );
05832 }
05833 
05834 /*
05835  * SSL set accessors
05836  */
05837 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
05838 {
05839     conf->endpoint    = endpoint;
05840 }
05841 
05842 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
05843 {
05844     conf->transport  = transport;
05845 }
05846 
05847 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
05848 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
05849 {
05850     conf->anti_replay  = mode;
05851 }
05852 #endif
05853 
05854 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
05855 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
05856 {
05857     conf->badmac_limit  = limit;
05858 }
05859 #endif
05860 
05861 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05862 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max )
05863 {
05864     conf->hs_timeout_min  = min;
05865     conf->hs_timeout_max  = max;
05866 }
05867 #endif
05868 
05869 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
05870 {
05871     conf->authmode    = authmode;
05872 }
05873 
05874 #if defined(MBEDTLS_X509_CRT_PARSE_C)
05875 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
05876                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
05877                      void *p_vrfy )
05878 {
05879     conf->f_vrfy      = f_vrfy;
05880     conf->p_vrfy       = p_vrfy;
05881 }
05882 #endif /* MBEDTLS_X509_CRT_PARSE_C */
05883 
05884 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
05885                   int (*f_rng)(void *, unsigned char *, size_t),
05886                   void *p_rng )
05887 {
05888     conf->f_rng      = f_rng;
05889     conf->p_rng       = p_rng;
05890 }
05891 
05892 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
05893                   void (*f_dbg)(void *, int, const char *, int, const char *),
05894                   void  *p_dbg )
05895 {
05896     conf->f_dbg      = f_dbg;
05897     conf->p_dbg       = p_dbg;
05898 }
05899 
05900 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
05901         void *p_bio,
05902         mbedtls_ssl_send_t *f_send,
05903         mbedtls_ssl_recv_t *f_recv,
05904         mbedtls_ssl_recv_timeout_t *f_recv_timeout )
05905 {
05906     ssl->p_bio          = p_bio;
05907     ssl->f_send         = f_send;
05908     ssl->f_recv         = f_recv;
05909     ssl->f_recv_timeout = f_recv_timeout;
05910 }
05911 
05912 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
05913 {
05914     conf->read_timeout    = timeout;
05915 }
05916 
05917 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
05918                                void *p_timer,
05919                                mbedtls_ssl_set_timer_t *f_set_timer,
05920                                mbedtls_ssl_get_timer_t *f_get_timer )
05921 {
05922     ssl->p_timer        = p_timer;
05923     ssl->f_set_timer    = f_set_timer;
05924     ssl->f_get_timer    = f_get_timer;
05925 
05926     /* Make sure we start with no timer running */
05927     ssl_set_timer( ssl, 0 );
05928 }
05929 
05930 #if defined(MBEDTLS_SSL_SRV_C)
05931 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
05932         void *p_cache,
05933         int (*f_get_cache)(void *, mbedtls_ssl_session *),
05934         int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
05935 {
05936     conf->p_cache  = p_cache;
05937     conf->f_get_cache = f_get_cache;
05938     conf->f_set_cache = f_set_cache;
05939 }
05940 #endif /* MBEDTLS_SSL_SRV_C */
05941 
05942 #if defined(MBEDTLS_SSL_CLI_C)
05943 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
05944 {
05945     int ret;
05946 
05947     if( ssl == NULL ||
05948         session == NULL ||
05949         ssl->session_negotiate == NULL ||
05950         ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
05951     {
05952         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05953     }
05954 
05955     if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
05956         return( ret );
05957 
05958     ssl->handshake->resume = 1;
05959 
05960     return( 0 );
05961 }
05962 #endif /* MBEDTLS_SSL_CLI_C */
05963 
05964 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
05965                                    const int *ciphersuites )
05966 {
05967     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
05968     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
05969     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
05970     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
05971 }
05972 
05973 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
05974                                        const int *ciphersuites,
05975                                        int major, int minor )
05976 {
05977     if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
05978         return;
05979 
05980     if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
05981         return;
05982 
05983     conf->ciphersuite_list [minor] = ciphersuites;
05984 }
05985 
05986 #if defined(MBEDTLS_X509_CRT_PARSE_C)
05987 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
05988                                     const mbedtls_x509_crt_profile *profile )
05989 {
05990     conf->cert_profile  = profile;
05991 }
05992 
05993 /* Append a new keycert entry to a (possibly empty) list */
05994 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
05995                                 mbedtls_x509_crt *cert,
05996                                 mbedtls_pk_context *key )
05997 {
05998     mbedtls_ssl_key_cert *new;
05999 
06000     new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
06001     if( new == NULL )
06002         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
06003 
06004     new->cert = cert;
06005     new->key  = key;
06006     new->next = NULL;
06007 
06008     /* Update head is the list was null, else add to the end */
06009     if( *head == NULL )
06010     {
06011         *head = new;
06012     }
06013     else
06014     {
06015         mbedtls_ssl_key_cert *cur = *head;
06016         while( cur->next != NULL )
06017             cur = cur->next;
06018         cur->next = new;
06019     }
06020 
06021     return( 0 );
06022 }
06023 
06024 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
06025                               mbedtls_x509_crt *own_cert,
06026                               mbedtls_pk_context *pk_key )
06027 {
06028     return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) );
06029 }
06030 
06031 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
06032                                mbedtls_x509_crt *ca_chain,
06033                                mbedtls_x509_crl *ca_crl )
06034 {
06035     conf->ca_chain    = ca_chain;
06036     conf->ca_crl      = ca_crl;
06037 }
06038 #endif /* MBEDTLS_X509_CRT_PARSE_C */
06039 
06040 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
06041 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
06042                                  mbedtls_x509_crt *own_cert,
06043                                  mbedtls_pk_context *pk_key )
06044 {
06045     return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
06046                                  own_cert, pk_key ) );
06047 }
06048 
06049 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
06050                                   mbedtls_x509_crt *ca_chain,
06051                                   mbedtls_x509_crl *ca_crl )
06052 {
06053     ssl->handshake->sni_ca_chain   = ca_chain;
06054     ssl->handshake->sni_ca_crl     = ca_crl;
06055 }
06056 
06057 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
06058                                   int authmode )
06059 {
06060     ssl->handshake->sni_authmode = authmode;
06061 }
06062 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
06063 
06064 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
06065 /*
06066  * Set EC J-PAKE password for current handshake
06067  */
06068 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
06069                                          const unsigned char *pw,
06070                                          size_t pw_len )
06071 {
06072     mbedtls_ecjpake_role role;
06073 
06074     if( ssl->handshake == NULL || ssl->conf == NULL )
06075         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06076 
06077     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
06078         role = MBEDTLS_ECJPAKE_SERVER;
06079     else
06080         role = MBEDTLS_ECJPAKE_CLIENT;
06081 
06082     return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
06083                                    role,
06084                                    MBEDTLS_MD_SHA256,
06085                                    MBEDTLS_ECP_DP_SECP256R1,
06086                                    pw, pw_len ) );
06087 }
06088 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
06089 
06090 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
06091 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
06092                 const unsigned char *psk, size_t psk_len,
06093                 const unsigned char *psk_identity, size_t psk_identity_len )
06094 {
06095     if( psk == NULL || psk_identity == NULL )
06096         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06097 
06098     if( psk_len > MBEDTLS_PSK_MAX_LEN )
06099         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06100 
06101     /* Identity len will be encoded on two bytes */
06102     if( ( psk_identity_len >> 16 ) != 0 ||
06103         psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
06104     {
06105         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06106     }
06107 
06108     if( conf->psk  != NULL )
06109     {
06110         mbedtls_platform_zeroize( conf->psk , conf->psk_len  );
06111 
06112         mbedtls_free( conf->psk  );
06113         conf->psk  = NULL;
06114         conf->psk_len  = 0;
06115     }
06116     if( conf->psk_identity  != NULL )
06117     {
06118         mbedtls_free( conf->psk_identity  );
06119         conf->psk_identity  = NULL;
06120         conf->psk_identity_len  = 0;
06121     }
06122 
06123     if( ( conf->psk  = mbedtls_calloc( 1, psk_len ) ) == NULL ||
06124         ( conf->psk_identity  = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
06125     {
06126         mbedtls_free( conf->psk  );
06127         mbedtls_free( conf->psk_identity  );
06128         conf->psk  = NULL;
06129         conf->psk_identity  = NULL;
06130         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
06131     }
06132 
06133     conf->psk_len  = psk_len;
06134     conf->psk_identity_len  = psk_identity_len;
06135 
06136     memcpy( conf->psk , psk, conf->psk_len  );
06137     memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len  );
06138 
06139     return( 0 );
06140 }
06141 
06142 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
06143                             const unsigned char *psk, size_t psk_len )
06144 {
06145     if( psk == NULL || ssl->handshake == NULL )
06146         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06147 
06148     if( psk_len > MBEDTLS_PSK_MAX_LEN )
06149         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06150 
06151     if( ssl->handshake->psk != NULL )
06152     {
06153         mbedtls_platform_zeroize( ssl->handshake->psk,
06154                                   ssl->handshake->psk_len );
06155         mbedtls_free( ssl->handshake->psk );
06156         ssl->handshake->psk_len = 0;
06157     }
06158 
06159     if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
06160         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
06161 
06162     ssl->handshake->psk_len = psk_len;
06163     memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
06164 
06165     return( 0 );
06166 }
06167 
06168 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
06169                      int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
06170                      size_t),
06171                      void *p_psk )
06172 {
06173     conf->f_psk = f_psk;
06174     conf->p_psk  = p_psk;
06175 }
06176 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
06177 
06178 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
06179 
06180 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
06181 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
06182 {
06183     int ret;
06184 
06185     if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 ||
06186         ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 )
06187     {
06188         mbedtls_mpi_free( &conf->dhm_P  );
06189         mbedtls_mpi_free( &conf->dhm_G  );
06190         return( ret );
06191     }
06192 
06193     return( 0 );
06194 }
06195 #endif /* MBEDTLS_DEPRECATED_REMOVED */
06196 
06197 int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
06198                                    const unsigned char *dhm_P, size_t P_len,
06199                                    const unsigned char *dhm_G, size_t G_len )
06200 {
06201     int ret;
06202 
06203     if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P , dhm_P, P_len ) ) != 0 ||
06204         ( ret = mbedtls_mpi_read_binary( &conf->dhm_G , dhm_G, G_len ) ) != 0 )
06205     {
06206         mbedtls_mpi_free( &conf->dhm_P  );
06207         mbedtls_mpi_free( &conf->dhm_G  );
06208         return( ret );
06209     }
06210 
06211     return( 0 );
06212 }
06213 
06214 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
06215 {
06216     int ret;
06217 
06218     if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P  ) ) != 0 ||
06219         ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G  ) ) != 0 )
06220     {
06221         mbedtls_mpi_free( &conf->dhm_P  );
06222         mbedtls_mpi_free( &conf->dhm_G  );
06223         return( ret );
06224     }
06225 
06226     return( 0 );
06227 }
06228 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
06229 
06230 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
06231 /*
06232  * Set the minimum length for Diffie-Hellman parameters
06233  */
06234 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
06235                                       unsigned int bitlen )
06236 {
06237     conf->dhm_min_bitlen  = bitlen;
06238 }
06239 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
06240 
06241 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
06242 /*
06243  * Set allowed/preferred hashes for handshake signatures
06244  */
06245 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
06246                                   const int *hashes )
06247 {
06248     conf->sig_hashes  = hashes;
06249 }
06250 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
06251 
06252 #if defined(MBEDTLS_ECP_C)
06253 /*
06254  * Set the allowed elliptic curves
06255  */
06256 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
06257                              const mbedtls_ecp_group_id *curve_list )
06258 {
06259     conf->curve_list  = curve_list;
06260 }
06261 #endif /* MBEDTLS_ECP_C */
06262 
06263 #if defined(MBEDTLS_X509_CRT_PARSE_C)
06264 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
06265 {
06266     /* Initialize to suppress unnecessary compiler warning */
06267     size_t hostname_len = 0;
06268 
06269     /* Check if new hostname is valid before
06270      * making any change to current one */
06271     if( hostname != NULL )
06272     {
06273         hostname_len = strlen( hostname );
06274 
06275         if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
06276             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06277     }
06278 
06279     /* Now it's clear that we will overwrite the old hostname,
06280      * so we can free it safely */
06281 
06282     if( ssl->hostname != NULL )
06283     {
06284         mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
06285         mbedtls_free( ssl->hostname );
06286     }
06287 
06288     /* Passing NULL as hostname shall clear the old one */
06289 
06290     if( hostname == NULL )
06291     {
06292         ssl->hostname = NULL;
06293     }
06294     else
06295     {
06296         ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
06297         if( ssl->hostname == NULL )
06298             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
06299 
06300         memcpy( ssl->hostname, hostname, hostname_len );
06301 
06302         ssl->hostname[hostname_len] = '\0';
06303     }
06304 
06305     return( 0 );
06306 }
06307 #endif /* MBEDTLS_X509_CRT_PARSE_C */
06308 
06309 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
06310 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
06311                   int (*f_sni)(void *, mbedtls_ssl_context *,
06312                                 const unsigned char *, size_t),
06313                   void *p_sni )
06314 {
06315     conf->f_sni = f_sni;
06316     conf->p_sni  = p_sni;
06317 }
06318 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
06319 
06320 #if defined(MBEDTLS_SSL_ALPN)
06321 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
06322 {
06323     size_t cur_len, tot_len;
06324     const char **p;
06325 
06326     /*
06327      * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
06328      * MUST NOT be truncated."
06329      * We check lengths now rather than later.
06330      */
06331     tot_len = 0;
06332     for( p = protos; *p != NULL; p++ )
06333     {
06334         cur_len = strlen( *p );
06335         tot_len += cur_len;
06336 
06337         if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
06338             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06339     }
06340 
06341     conf->alpn_list  = protos;
06342 
06343     return( 0 );
06344 }
06345 
06346 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
06347 {
06348     return( ssl->alpn_chosen );
06349 }
06350 #endif /* MBEDTLS_SSL_ALPN */
06351 
06352 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
06353 {
06354     conf->max_major_ver  = major;
06355     conf->max_minor_ver  = minor;
06356 }
06357 
06358 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
06359 {
06360     conf->min_major_ver  = major;
06361     conf->min_minor_ver  = minor;
06362 }
06363 
06364 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
06365 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
06366 {
06367     conf->fallback  = fallback;
06368 }
06369 #endif
06370 
06371 #if defined(MBEDTLS_SSL_SRV_C)
06372 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
06373                                           char cert_req_ca_list )
06374 {
06375     conf->cert_req_ca_list  = cert_req_ca_list;
06376 }
06377 #endif
06378 
06379 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
06380 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
06381 {
06382     conf->encrypt_then_mac  = etm;
06383 }
06384 #endif
06385 
06386 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
06387 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
06388 {
06389     conf->extended_ms  = ems;
06390 }
06391 #endif
06392 
06393 #if defined(MBEDTLS_ARC4_C)
06394 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
06395 {
06396     conf->arc4_disabled  = arc4;
06397 }
06398 #endif
06399 
06400 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
06401 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
06402 {
06403     if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
06404         mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
06405     {
06406         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06407     }
06408 
06409     conf->mfl_code  = mfl_code;
06410 
06411     return( 0 );
06412 }
06413 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
06414 
06415 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
06416 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
06417 {
06418     conf->trunc_hmac  = truncate;
06419 }
06420 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
06421 
06422 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
06423 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
06424 {
06425     conf->cbc_record_splitting  = split;
06426 }
06427 #endif
06428 
06429 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
06430 {
06431     conf->allow_legacy_renegotiation  = allow_legacy;
06432 }
06433 
06434 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06435 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
06436 {
06437     conf->disable_renegotiation  = renegotiation;
06438 }
06439 
06440 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
06441 {
06442     conf->renego_max_records  = max_records;
06443 }
06444 
06445 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
06446                                    const unsigned char period[8] )
06447 {
06448     memcpy( conf->renego_period , period, 8 );
06449 }
06450 #endif /* MBEDTLS_SSL_RENEGOTIATION */
06451 
06452 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
06453 #if defined(MBEDTLS_SSL_CLI_C)
06454 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
06455 {
06456     conf->session_tickets  = use_tickets;
06457 }
06458 #endif
06459 
06460 #if defined(MBEDTLS_SSL_SRV_C)
06461 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
06462         mbedtls_ssl_ticket_write_t *f_ticket_write,
06463         mbedtls_ssl_ticket_parse_t *f_ticket_parse,
06464         void *p_ticket )
06465 {
06466     conf->f_ticket_write = f_ticket_write;
06467     conf->f_ticket_parse = f_ticket_parse;
06468     conf->p_ticket        = p_ticket;
06469 }
06470 #endif
06471 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
06472 
06473 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
06474 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
06475         mbedtls_ssl_export_keys_t *f_export_keys,
06476         void *p_export_keys )
06477 {
06478     conf->f_export_keys = f_export_keys;
06479     conf->p_export_keys  = p_export_keys;
06480 }
06481 #endif
06482 
06483 /*
06484  * SSL get accessors
06485  */
06486 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
06487 {
06488     return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
06489 }
06490 
06491 int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
06492 {
06493     /*
06494      * Case A: We're currently holding back
06495      * a message for further processing.
06496      */
06497 
06498     if( ssl->keep_current_message == 1 )
06499     {
06500         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
06501         return( 1 );
06502     }
06503 
06504     /*
06505      * Case B: Further records are pending in the current datagram.
06506      */
06507 
06508 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06509     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
06510         ssl->in_left > ssl->next_record_offset )
06511     {
06512         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
06513         return( 1 );
06514     }
06515 #endif /* MBEDTLS_SSL_PROTO_DTLS */
06516 
06517     /*
06518      * Case C: A handshake message is being processed.
06519      */
06520 
06521     if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
06522     {
06523         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
06524         return( 1 );
06525     }
06526 
06527     /*
06528      * Case D: An application data message is being processed
06529      */
06530     if( ssl->in_offt != NULL )
06531     {
06532         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
06533         return( 1 );
06534     }
06535 
06536     /*
06537      * In all other cases, the rest of the message can be dropped.
06538      * As in ssl_read_record_layer, this needs to be adapted if
06539      * we implement support for multiple alerts in single records.
06540      */
06541 
06542     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
06543     return( 0 );
06544 }
06545 
06546 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
06547 {
06548     if( ssl->session != NULL )
06549         return( ssl->session->verify_result );
06550 
06551     if( ssl->session_negotiate != NULL )
06552         return( ssl->session_negotiate->verify_result );
06553 
06554     return( 0xFFFFFFFF );
06555 }
06556 
06557 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
06558 {
06559     if( ssl == NULL || ssl->session == NULL )
06560         return( NULL );
06561 
06562     return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
06563 }
06564 
06565 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
06566 {
06567 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06568     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
06569     {
06570         switch( ssl->minor_ver )
06571         {
06572             case MBEDTLS_SSL_MINOR_VERSION_2:
06573                 return( "DTLSv1.0" );
06574 
06575             case MBEDTLS_SSL_MINOR_VERSION_3:
06576                 return( "DTLSv1.2" );
06577 
06578             default:
06579                 return( "unknown (DTLS)" );
06580         }
06581     }
06582 #endif
06583 
06584     switch( ssl->minor_ver )
06585     {
06586         case MBEDTLS_SSL_MINOR_VERSION_0:
06587             return( "SSLv3.0" );
06588 
06589         case MBEDTLS_SSL_MINOR_VERSION_1:
06590             return( "TLSv1.0" );
06591 
06592         case MBEDTLS_SSL_MINOR_VERSION_2:
06593             return( "TLSv1.1" );
06594 
06595         case MBEDTLS_SSL_MINOR_VERSION_3:
06596             return( "TLSv1.2" );
06597 
06598         default:
06599             return( "unknown" );
06600     }
06601 }
06602 
06603 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
06604 {
06605     size_t transform_expansion;
06606     const mbedtls_ssl_transform *transform = ssl->transform_out;
06607 
06608 #if defined(MBEDTLS_ZLIB_SUPPORT)
06609     if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
06610         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
06611 #endif
06612 
06613     if( transform == NULL )
06614         return( (int) mbedtls_ssl_hdr_len( ssl ) );
06615 
06616     switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
06617     {
06618         case MBEDTLS_MODE_GCM:
06619         case MBEDTLS_MODE_CCM:
06620         case MBEDTLS_MODE_STREAM:
06621             transform_expansion = transform->minlen;
06622             break;
06623 
06624         case MBEDTLS_MODE_CBC:
06625             transform_expansion = transform->maclen
06626                       + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc );
06627             break;
06628 
06629         default:
06630             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
06631             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
06632     }
06633 
06634     return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
06635 }
06636 
06637 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
06638 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
06639 {
06640     size_t max_len;
06641 
06642     /*
06643      * Assume mfl_code is correct since it was checked when set
06644      */
06645     max_len = mfl_code_to_length[ssl->conf->mfl_code];
06646 
06647     /*
06648      * Check if a smaller max length was negotiated
06649      */
06650     if( ssl->session_out != NULL &&
06651         mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
06652     {
06653         max_len = mfl_code_to_length[ssl->session_out->mfl_code];
06654     }
06655 
06656     return max_len;
06657 }
06658 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
06659 
06660 #if defined(MBEDTLS_X509_CRT_PARSE_C)
06661 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
06662 {
06663     if( ssl == NULL || ssl->session == NULL )
06664         return( NULL );
06665 
06666     return( ssl->session->peer_cert );
06667 }
06668 #endif /* MBEDTLS_X509_CRT_PARSE_C */
06669 
06670 #if defined(MBEDTLS_SSL_CLI_C)
06671 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst )
06672 {
06673     if( ssl == NULL ||
06674         dst == NULL ||
06675         ssl->session == NULL ||
06676         ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
06677     {
06678         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06679     }
06680 
06681     return( ssl_session_copy( dst, ssl->session ) );
06682 }
06683 #endif /* MBEDTLS_SSL_CLI_C */
06684 
06685 /*
06686  * Perform a single step of the SSL handshake
06687  */
06688 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
06689 {
06690     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
06691 
06692     if( ssl == NULL || ssl->conf == NULL )
06693         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06694 
06695 #if defined(MBEDTLS_SSL_CLI_C)
06696     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
06697         ret = mbedtls_ssl_handshake_client_step( ssl );
06698 #endif
06699 #if defined(MBEDTLS_SSL_SRV_C)
06700     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
06701         ret = mbedtls_ssl_handshake_server_step( ssl );
06702 #endif
06703 
06704     return( ret );
06705 }
06706 
06707 /*
06708  * Perform the SSL handshake
06709  */
06710 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
06711 {
06712     int ret = 0;
06713 
06714     if( ssl == NULL || ssl->conf == NULL )
06715         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06716 
06717     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
06718 
06719     while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06720     {
06721         ret = mbedtls_ssl_handshake_step( ssl );
06722 
06723         if( ret != 0 )
06724             break;
06725     }
06726 
06727     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
06728 
06729     return( ret );
06730 }
06731 
06732 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06733 #if defined(MBEDTLS_SSL_SRV_C)
06734 /*
06735  * Write HelloRequest to request renegotiation on server
06736  */
06737 static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
06738 {
06739     int ret;
06740 
06741     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
06742 
06743     ssl->out_msglen  = 4;
06744     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
06745     ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_REQUEST;
06746 
06747     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
06748     {
06749         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
06750         return( ret );
06751     }
06752 
06753     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
06754 
06755     return( 0 );
06756 }
06757 #endif /* MBEDTLS_SSL_SRV_C */
06758 
06759 /*
06760  * Actually renegotiate current connection, triggered by either:
06761  * - any side: calling mbedtls_ssl_renegotiate(),
06762  * - client: receiving a HelloRequest during mbedtls_ssl_read(),
06763  * - server: receiving any handshake message on server during mbedtls_ssl_read() after
06764  *   the initial handshake is completed.
06765  * If the handshake doesn't complete due to waiting for I/O, it will continue
06766  * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
06767  */
06768 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
06769 {
06770     int ret;
06771 
06772     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
06773 
06774     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
06775         return( ret );
06776 
06777     /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
06778      * the ServerHello will have message_seq = 1" */
06779 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06780     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
06781         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
06782     {
06783         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
06784             ssl->handshake->out_msg_seq = 1;
06785         else
06786             ssl->handshake->in_msg_seq = 1;
06787     }
06788 #endif
06789 
06790     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
06791     ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
06792 
06793     if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
06794     {
06795         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
06796         return( ret );
06797     }
06798 
06799     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
06800 
06801     return( 0 );
06802 }
06803 
06804 /*
06805  * Renegotiate current connection on client,
06806  * or request renegotiation on server
06807  */
06808 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
06809 {
06810     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
06811 
06812     if( ssl == NULL || ssl->conf == NULL )
06813         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06814 
06815 #if defined(MBEDTLS_SSL_SRV_C)
06816     /* On server, just send the request */
06817     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
06818     {
06819         if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06820             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06821 
06822         ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
06823 
06824         /* Did we already try/start sending HelloRequest? */
06825         if( ssl->out_left != 0 )
06826             return( mbedtls_ssl_flush_output( ssl ) );
06827 
06828         return( ssl_write_hello_request( ssl ) );
06829     }
06830 #endif /* MBEDTLS_SSL_SRV_C */
06831 
06832 #if defined(MBEDTLS_SSL_CLI_C)
06833     /*
06834      * On client, either start the renegotiation process or,
06835      * if already in progress, continue the handshake
06836      */
06837     if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
06838     {
06839         if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06840             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06841 
06842         if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
06843         {
06844             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
06845             return( ret );
06846         }
06847     }
06848     else
06849     {
06850         if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
06851         {
06852             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
06853             return( ret );
06854         }
06855     }
06856 #endif /* MBEDTLS_SSL_CLI_C */
06857 
06858     return( ret );
06859 }
06860 
06861 /*
06862  * Check record counters and renegotiate if they're above the limit.
06863  */
06864 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
06865 {
06866     size_t ep_len = ssl_ep_len( ssl );
06867     int in_ctr_cmp;
06868     int out_ctr_cmp;
06869 
06870     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
06871         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
06872         ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
06873     {
06874         return( 0 );
06875     }
06876 
06877     in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
06878                         ssl->conf->renego_period + ep_len, 8 - ep_len );
06879     out_ctr_cmp = memcmp( ssl->out_ctr + ep_len,
06880                           ssl->conf->renego_period + ep_len, 8 - ep_len );
06881 
06882     if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
06883     {
06884         return( 0 );
06885     }
06886 
06887     MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
06888     return( mbedtls_ssl_renegotiate( ssl ) );
06889 }
06890 #endif /* MBEDTLS_SSL_RENEGOTIATION */
06891 
06892 /*
06893  * Receive application data decrypted from the SSL layer
06894  */
06895 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
06896 {
06897     int ret;
06898     size_t n;
06899 
06900     if( ssl == NULL || ssl->conf == NULL )
06901         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06902 
06903     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
06904 
06905 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06906     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
06907     {
06908         if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
06909             return( ret );
06910 
06911         if( ssl->handshake != NULL &&
06912             ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
06913         {
06914             if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
06915                 return( ret );
06916         }
06917     }
06918 #endif
06919 
06920     /*
06921      * Check if renegotiation is necessary and/or handshake is
06922      * in process. If yes, perform/continue, and fall through
06923      * if an unexpected packet is received while the client
06924      * is waiting for the ServerHello.
06925      *
06926      * (There is no equivalent to the last condition on
06927      *  the server-side as it is not treated as within
06928      *  a handshake while waiting for the ClientHello
06929      *  after a renegotiation request.)
06930      */
06931 
06932 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06933     ret = ssl_check_ctr_renegotiate( ssl );
06934     if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
06935         ret != 0 )
06936     {
06937         MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
06938         return( ret );
06939     }
06940 #endif
06941 
06942     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06943     {
06944         ret = mbedtls_ssl_handshake( ssl );
06945         if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
06946             ret != 0 )
06947         {
06948             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
06949             return( ret );
06950         }
06951     }
06952 
06953     /* Loop as long as no application data record is available */
06954     while( ssl->in_offt == NULL )
06955     {
06956         /* Start timer if not already running */
06957         if( ssl->f_get_timer != NULL &&
06958             ssl->f_get_timer( ssl->p_timer ) == -1 )
06959         {
06960             ssl_set_timer( ssl, ssl->conf->read_timeout );
06961         }
06962 
06963         if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
06964         {
06965             if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
06966                 return( 0 );
06967 
06968             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
06969             return( ret );
06970         }
06971 
06972         if( ssl->in_msglen  == 0 &&
06973             ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
06974         {
06975             /*
06976              * OpenSSL sends empty messages to randomize the IV
06977              */
06978             if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
06979             {
06980                 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
06981                     return( 0 );
06982 
06983                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
06984                 return( ret );
06985             }
06986         }
06987 
06988         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
06989         {
06990             MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
06991 
06992             /*
06993              * - For client-side, expect SERVER_HELLO_REQUEST.
06994              * - For server-side, expect CLIENT_HELLO.
06995              * - Fail (TLS) or silently drop record (DTLS) in other cases.
06996              */
06997 
06998 #if defined(MBEDTLS_SSL_CLI_C)
06999             if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
07000                 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
07001                   ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ) )
07002             {
07003                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
07004 
07005                 /* With DTLS, drop the packet (probably from last handshake) */
07006 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07007                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
07008                 {
07009                     continue;
07010                 }
07011 #endif
07012                 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
07013             }
07014 #endif /* MBEDTLS_SSL_CLI_C */
07015 
07016 #if defined(MBEDTLS_SSL_SRV_C)
07017             if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
07018                 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
07019             {
07020                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
07021 
07022                 /* With DTLS, drop the packet (probably from last handshake) */
07023 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07024                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
07025                 {
07026                     continue;
07027                 }
07028 #endif
07029                 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
07030             }
07031 #endif /* MBEDTLS_SSL_SRV_C */
07032 
07033 #if defined(MBEDTLS_SSL_RENEGOTIATION)
07034             /* Determine whether renegotiation attempt should be accepted */
07035             if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
07036                     ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
07037                       ssl->conf->allow_legacy_renegotiation ==
07038                                                    MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
07039             {
07040                 /*
07041                  * Accept renegotiation request
07042                  */
07043 
07044                 /* DTLS clients need to know renego is server-initiated */
07045 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07046                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
07047                     ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
07048                 {
07049                     ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
07050                 }
07051 #endif
07052                 ret = ssl_start_renegotiation( ssl );
07053                 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
07054                     ret != 0 )
07055                 {
07056                     MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
07057                     return( ret );
07058                 }
07059             }
07060             else
07061 #endif /* MBEDTLS_SSL_RENEGOTIATION */
07062             {
07063                 /*
07064                  * Refuse renegotiation
07065                  */
07066 
07067                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
07068 
07069 #if defined(MBEDTLS_SSL_PROTO_SSL3)
07070                 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
07071                 {
07072                     /* SSLv3 does not have a "no_renegotiation" warning, so
07073                        we send a fatal alert and abort the connection. */
07074                     mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
07075                                                     MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
07076                     return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
07077                 }
07078                 else
07079 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
07080 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
07081     defined(MBEDTLS_SSL_PROTO_TLS1_2)
07082                 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
07083                 {
07084                     if( ( ret = mbedtls_ssl_send_alert_message( ssl,
07085                                     MBEDTLS_SSL_ALERT_LEVEL_WARNING,
07086                                     MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
07087                     {
07088                         return( ret );
07089                     }
07090                 }
07091                 else
07092 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
07093           MBEDTLS_SSL_PROTO_TLS1_2 */
07094                 {
07095                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
07096                     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
07097                 }
07098             }
07099 
07100             /* At this point, we don't know whether the renegotiation has been
07101              * completed or not. The cases to consider are the following:
07102              * 1) The renegotiation is complete. In this case, no new record
07103              *    has been read yet.
07104              * 2) The renegotiation is incomplete because the client received
07105              *    an application data record while awaiting the ServerHello.
07106              * 3) The renegotiation is incomplete because the client received
07107              *    a non-handshake, non-application data message while awaiting
07108              *    the ServerHello.
07109              * In each of these case, looping will be the proper action:
07110              * - For 1), the next iteration will read a new record and check
07111              *   if it's application data.
07112              * - For 2), the loop condition isn't satisfied as application data
07113              *   is present, hence continue is the same as break
07114              * - For 3), the loop condition is satisfied and read_record
07115              *   will re-deliver the message that was held back by the client
07116              *   when expecting the ServerHello.
07117              */
07118             continue;
07119         }
07120 #if defined(MBEDTLS_SSL_RENEGOTIATION)
07121         else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
07122         {
07123             if( ssl->conf->renego_max_records >= 0 )
07124             {
07125                 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
07126                 {
07127                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
07128                                         "but not honored by client" ) );
07129                     return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
07130                 }
07131             }
07132         }
07133 #endif /* MBEDTLS_SSL_RENEGOTIATION */
07134 
07135         /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
07136         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
07137         {
07138             MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
07139             return( MBEDTLS_ERR_SSL_WANT_READ );
07140         }
07141 
07142         if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
07143         {
07144             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
07145             return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
07146         }
07147 
07148         ssl->in_offt = ssl->in_msg;
07149 
07150         /* We're going to return something now, cancel timer,
07151          * except if handshake (renegotiation) is in progress */
07152         if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
07153             ssl_set_timer( ssl, 0 );
07154 
07155 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07156         /* If we requested renego but received AppData, resend HelloRequest.
07157          * Do it now, after setting in_offt, to avoid taking this branch
07158          * again if ssl_write_hello_request() returns WANT_WRITE */
07159 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
07160         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
07161             ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
07162         {
07163             if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
07164             {
07165                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
07166                 return( ret );
07167             }
07168         }
07169 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
07170 #endif /* MBEDTLS_SSL_PROTO_DTLS */
07171     }
07172 
07173     n = ( len < ssl->in_msglen )
07174         ? len : ssl->in_msglen;
07175 
07176     memcpy( buf, ssl->in_offt, n );
07177     ssl->in_msglen -= n;
07178 
07179     if( ssl->in_msglen == 0 )
07180     {
07181         /* all bytes consumed */
07182         ssl->in_offt = NULL;
07183         ssl->keep_current_message = 0;
07184     }
07185     else
07186     {
07187         /* more data available */
07188         ssl->in_offt += n;
07189     }
07190 
07191     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
07192 
07193     return( (int) n );
07194 }
07195 
07196 /*
07197  * Send application data to be encrypted by the SSL layer,
07198  * taking care of max fragment length and buffer size
07199  */
07200 static int ssl_write_real( mbedtls_ssl_context *ssl,
07201                            const unsigned char *buf, size_t len )
07202 {
07203     int ret;
07204 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
07205     size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
07206 #else
07207     size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
07208 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
07209     if( len > max_len )
07210     {
07211 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07212         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
07213         {
07214             MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
07215                                 "maximum fragment length: %d > %d",
07216                                 len, max_len ) );
07217             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
07218         }
07219         else
07220 #endif
07221             len = max_len;
07222     }
07223 
07224     if( ssl->out_left != 0 )
07225     {
07226         if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
07227         {
07228             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
07229             return( ret );
07230         }
07231     }
07232     else
07233     {
07234         ssl->out_msglen  = len;
07235         ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
07236         memcpy( ssl->out_msg, buf, len );
07237 
07238         if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
07239         {
07240             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
07241             return( ret );
07242         }
07243     }
07244 
07245     return( (int) len );
07246 }
07247 
07248 /*
07249  * Write application data, doing 1/n-1 splitting if necessary.
07250  *
07251  * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
07252  * then the caller will call us again with the same arguments, so
07253  * remember whether we already did the split or not.
07254  */
07255 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
07256 static int ssl_write_split( mbedtls_ssl_context *ssl,
07257                             const unsigned char *buf, size_t len )
07258 {
07259     int ret;
07260 
07261     if( ssl->conf->cbc_record_splitting ==
07262             MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
07263         len <= 1 ||
07264         ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
07265         mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
07266                                 != MBEDTLS_MODE_CBC )
07267     {
07268         return( ssl_write_real( ssl, buf, len ) );
07269     }
07270 
07271     if( ssl->split_done == 0 )
07272     {
07273         if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
07274             return( ret );
07275         ssl->split_done = 1;
07276     }
07277 
07278     if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
07279         return( ret );
07280     ssl->split_done = 0;
07281 
07282     return( ret + 1 );
07283 }
07284 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
07285 
07286 /*
07287  * Write application data (public-facing wrapper)
07288  */
07289 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
07290 {
07291     int ret;
07292 
07293     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
07294 
07295     if( ssl == NULL || ssl->conf == NULL )
07296         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
07297 
07298 #if defined(MBEDTLS_SSL_RENEGOTIATION)
07299     if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
07300     {
07301         MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
07302         return( ret );
07303     }
07304 #endif
07305 
07306     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
07307     {
07308         if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
07309         {
07310             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
07311             return( ret );
07312         }
07313     }
07314 
07315 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
07316     ret = ssl_write_split( ssl, buf, len );
07317 #else
07318     ret = ssl_write_real( ssl, buf, len );
07319 #endif
07320 
07321     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
07322 
07323     return( ret );
07324 }
07325 
07326 /*
07327  * Notify the peer that the connection is being closed
07328  */
07329 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
07330 {
07331     int ret;
07332 
07333     if( ssl == NULL || ssl->conf == NULL )
07334         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
07335 
07336     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
07337 
07338     if( ssl->out_left != 0 )
07339         return( mbedtls_ssl_flush_output( ssl ) );
07340 
07341     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
07342     {
07343         if( ( ret = mbedtls_ssl_send_alert_message( ssl,
07344                         MBEDTLS_SSL_ALERT_LEVEL_WARNING,
07345                         MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
07346         {
07347             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
07348             return( ret );
07349         }
07350     }
07351 
07352     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
07353 
07354     return( 0 );
07355 }
07356 
07357 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
07358 {
07359     if( transform == NULL )
07360         return;
07361 
07362 #if defined(MBEDTLS_ZLIB_SUPPORT)
07363     deflateEnd( &transform->ctx_deflate );
07364     inflateEnd( &transform->ctx_inflate );
07365 #endif
07366 
07367     mbedtls_cipher_free( &transform->cipher_ctx_enc );
07368     mbedtls_cipher_free( &transform->cipher_ctx_dec );
07369 
07370     mbedtls_md_free( &transform->md_ctx_enc );
07371     mbedtls_md_free( &transform->md_ctx_dec );
07372 
07373     mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
07374 }
07375 
07376 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07377 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
07378 {
07379     mbedtls_ssl_key_cert *cur = key_cert, *next;
07380 
07381     while( cur != NULL )
07382     {
07383         next = cur->next;
07384         mbedtls_free( cur );
07385         cur = next;
07386     }
07387 }
07388 #endif /* MBEDTLS_X509_CRT_PARSE_C */
07389 
07390 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
07391 {
07392     if( handshake == NULL )
07393         return;
07394 
07395 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
07396     defined(MBEDTLS_SSL_PROTO_TLS1_1)
07397     mbedtls_md5_free(    &handshake->fin_md5  );
07398     mbedtls_sha1_free(   &handshake->fin_sha1 );
07399 #endif
07400 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
07401 #if defined(MBEDTLS_SHA256_C)
07402     mbedtls_sha256_free(   &handshake->fin_sha256    );
07403 #endif
07404 #if defined(MBEDTLS_SHA512_C)
07405     mbedtls_sha512_free(   &handshake->fin_sha512    );
07406 #endif
07407 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
07408 
07409 #if defined(MBEDTLS_DHM_C)
07410     mbedtls_dhm_free( &handshake->dhm_ctx );
07411 #endif
07412 #if defined(MBEDTLS_ECDH_C)
07413     mbedtls_ecdh_free( &handshake->ecdh_ctx );
07414 #endif
07415 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
07416     mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
07417 #if defined(MBEDTLS_SSL_CLI_C)
07418     mbedtls_free( handshake->ecjpake_cache );
07419     handshake->ecjpake_cache = NULL;
07420     handshake->ecjpake_cache_len = 0;
07421 #endif
07422 #endif
07423 
07424 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
07425     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
07426     /* explicit void pointer cast for buggy MS compiler */
07427     mbedtls_free( (void *) handshake->curves );
07428 #endif
07429 
07430 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
07431     if( handshake->psk != NULL )
07432     {
07433         mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
07434         mbedtls_free( handshake->psk );
07435     }
07436 #endif
07437 
07438 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
07439     defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
07440     /*
07441      * Free only the linked list wrapper, not the keys themselves
07442      * since the belong to the SNI callback
07443      */
07444     if( handshake->sni_key_cert != NULL )
07445     {
07446         mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
07447 
07448         while( cur != NULL )
07449         {
07450             next = cur->next;
07451             mbedtls_free( cur );
07452             cur = next;
07453         }
07454     }
07455 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
07456 
07457 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07458     mbedtls_free( handshake->verify_cookie );
07459     mbedtls_free( handshake->hs_msg );
07460     ssl_flight_free( handshake->flight );
07461 #endif
07462 
07463     mbedtls_platform_zeroize( handshake,
07464                               sizeof( mbedtls_ssl_handshake_params ) );
07465 }
07466 
07467 void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
07468 {
07469     if( session == NULL )
07470         return;
07471 
07472 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07473     if( session->peer_cert != NULL )
07474     {
07475         mbedtls_x509_crt_free( session->peer_cert );
07476         mbedtls_free( session->peer_cert );
07477     }
07478 #endif
07479 
07480 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
07481     mbedtls_free( session->ticket );
07482 #endif
07483 
07484     mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
07485 }
07486 
07487 /*
07488  * Free an SSL context
07489  */
07490 void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
07491 {
07492     if( ssl == NULL )
07493         return;
07494 
07495     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
07496 
07497     if( ssl->out_buf != NULL )
07498     {
07499         mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
07500         mbedtls_free( ssl->out_buf );
07501     }
07502 
07503     if( ssl->in_buf != NULL )
07504     {
07505         mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
07506         mbedtls_free( ssl->in_buf );
07507     }
07508 
07509 #if defined(MBEDTLS_ZLIB_SUPPORT)
07510     if( ssl->compress_buf != NULL )
07511     {
07512         mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
07513         mbedtls_free( ssl->compress_buf );
07514     }
07515 #endif
07516 
07517     if( ssl->transform )
07518     {
07519         mbedtls_ssl_transform_free( ssl->transform );
07520         mbedtls_free( ssl->transform );
07521     }
07522 
07523     if( ssl->handshake )
07524     {
07525         mbedtls_ssl_handshake_free( ssl->handshake );
07526         mbedtls_ssl_transform_free( ssl->transform_negotiate );
07527         mbedtls_ssl_session_free( ssl->session_negotiate );
07528 
07529         mbedtls_free( ssl->handshake );
07530         mbedtls_free( ssl->transform_negotiate );
07531         mbedtls_free( ssl->session_negotiate );
07532     }
07533 
07534     if( ssl->session )
07535     {
07536         mbedtls_ssl_session_free( ssl->session );
07537         mbedtls_free( ssl->session );
07538     }
07539 
07540 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07541     if( ssl->hostname != NULL )
07542     {
07543         mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
07544         mbedtls_free( ssl->hostname );
07545     }
07546 #endif
07547 
07548 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
07549     if( mbedtls_ssl_hw_record_finish != NULL )
07550     {
07551         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
07552         mbedtls_ssl_hw_record_finish( ssl );
07553     }
07554 #endif
07555 
07556 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
07557     mbedtls_free( ssl->cli_id );
07558 #endif
07559 
07560     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
07561 
07562     /* Actually clear after last debug message */
07563     mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
07564 }
07565 
07566 /*
07567  * Initialze mbedtls_ssl_config
07568  */
07569 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
07570 {
07571     memset( conf, 0, sizeof( mbedtls_ssl_config ) );
07572 }
07573 
07574 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07575 static int ssl_preset_default_hashes[] = {
07576 #if defined(MBEDTLS_SHA512_C)
07577     MBEDTLS_MD_SHA512,
07578     MBEDTLS_MD_SHA384,
07579 #endif
07580 #if defined(MBEDTLS_SHA256_C)
07581     MBEDTLS_MD_SHA256,
07582     MBEDTLS_MD_SHA224,
07583 #endif
07584 #if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
07585     MBEDTLS_MD_SHA1,
07586 #endif
07587     MBEDTLS_MD_NONE
07588 };
07589 #endif
07590 
07591 static int ssl_preset_suiteb_ciphersuites[] = {
07592     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
07593     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
07594     0
07595 };
07596 
07597 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07598 static int ssl_preset_suiteb_hashes[] = {
07599     MBEDTLS_MD_SHA256,
07600     MBEDTLS_MD_SHA384,
07601     MBEDTLS_MD_NONE
07602 };
07603 #endif
07604 
07605 #if defined(MBEDTLS_ECP_C)
07606 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
07607     MBEDTLS_ECP_DP_SECP256R1,
07608     MBEDTLS_ECP_DP_SECP384R1,
07609     MBEDTLS_ECP_DP_NONE
07610 };
07611 #endif
07612 
07613 /*
07614  * Load default in mbedtls_ssl_config
07615  */
07616 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
07617                                  int endpoint, int transport, int preset )
07618 {
07619 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
07620     int ret;
07621 #endif
07622 
07623     /* Use the functions here so that they are covered in tests,
07624      * but otherwise access member directly for efficiency */
07625     mbedtls_ssl_conf_endpoint( conf, endpoint );
07626     mbedtls_ssl_conf_transport( conf, transport );
07627 
07628     /*
07629      * Things that are common to all presets
07630      */
07631 #if defined(MBEDTLS_SSL_CLI_C)
07632     if( endpoint == MBEDTLS_SSL_IS_CLIENT )
07633     {
07634         conf->authmode  = MBEDTLS_SSL_VERIFY_REQUIRED;
07635 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
07636         conf->session_tickets  = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
07637 #endif
07638     }
07639 #endif
07640 
07641 #if defined(MBEDTLS_ARC4_C)
07642     conf->arc4_disabled  = MBEDTLS_SSL_ARC4_DISABLED;
07643 #endif
07644 
07645 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
07646     conf->encrypt_then_mac  = MBEDTLS_SSL_ETM_ENABLED;
07647 #endif
07648 
07649 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
07650     conf->extended_ms  = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
07651 #endif
07652 
07653 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
07654     conf->cbc_record_splitting  = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
07655 #endif
07656 
07657 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
07658     conf->f_cookie_write = ssl_cookie_write_dummy;
07659     conf->f_cookie_check = ssl_cookie_check_dummy;
07660 #endif
07661 
07662 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
07663     conf->anti_replay  = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
07664 #endif
07665 
07666 #if defined(MBEDTLS_SSL_SRV_C)
07667     conf->cert_req_ca_list  = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
07668 #endif
07669 
07670 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07671     conf->hs_timeout_min  = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
07672     conf->hs_timeout_max  = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
07673 #endif
07674 
07675 #if defined(MBEDTLS_SSL_RENEGOTIATION)
07676     conf->renego_max_records  = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
07677     memset( conf->renego_period ,     0x00, 2 );
07678     memset( conf->renego_period  + 2, 0xFF, 6 );
07679 #endif
07680 
07681 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
07682             if( endpoint == MBEDTLS_SSL_IS_SERVER )
07683             {
07684                 const unsigned char dhm_p[] =
07685                     MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
07686                 const unsigned char dhm_g[] =
07687                     MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
07688 
07689                 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
07690                                                dhm_p, sizeof( dhm_p ),
07691                                                dhm_g, sizeof( dhm_g ) ) ) != 0 )
07692                 {
07693                     return( ret );
07694                 }
07695             }
07696 #endif
07697 
07698     /*
07699      * Preset-specific defaults
07700      */
07701     switch( preset )
07702     {
07703         /*
07704          * NSA Suite B
07705          */
07706         case MBEDTLS_SSL_PRESET_SUITEB:
07707             conf->min_major_ver  = MBEDTLS_SSL_MAJOR_VERSION_3;
07708             conf->min_minor_ver  = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
07709             conf->max_major_ver  = MBEDTLS_SSL_MAX_MAJOR_VERSION;
07710             conf->max_minor_ver  = MBEDTLS_SSL_MAX_MINOR_VERSION;
07711 
07712             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] =
07713             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] =
07714             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] =
07715             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] =
07716                                    ssl_preset_suiteb_ciphersuites;
07717 
07718 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07719             conf->cert_profile  = &mbedtls_x509_crt_profile_suiteb;
07720 #endif
07721 
07722 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07723             conf->sig_hashes  = ssl_preset_suiteb_hashes;
07724 #endif
07725 
07726 #if defined(MBEDTLS_ECP_C)
07727             conf->curve_list  = ssl_preset_suiteb_curves;
07728 #endif
07729             break;
07730 
07731         /*
07732          * Default
07733          */
07734         default:
07735             conf->min_major_ver  = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
07736                                     MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
07737                                     MBEDTLS_SSL_MIN_MAJOR_VERSION :
07738                                     MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
07739             conf->min_minor_ver  = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
07740                                     MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
07741                                     MBEDTLS_SSL_MIN_MINOR_VERSION :
07742                                     MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
07743             conf->max_major_ver  = MBEDTLS_SSL_MAX_MAJOR_VERSION;
07744             conf->max_minor_ver  = MBEDTLS_SSL_MAX_MINOR_VERSION;
07745 
07746 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07747             if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
07748                 conf->min_minor_ver  = MBEDTLS_SSL_MINOR_VERSION_2;
07749 #endif
07750 
07751             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] =
07752             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] =
07753             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] =
07754             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] =
07755                                    mbedtls_ssl_list_ciphersuites();
07756 
07757 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07758             conf->cert_profile  = &mbedtls_x509_crt_profile_default;
07759 #endif
07760 
07761 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07762             conf->sig_hashes  = ssl_preset_default_hashes;
07763 #endif
07764 
07765 #if defined(MBEDTLS_ECP_C)
07766             conf->curve_list  = mbedtls_ecp_grp_id_list();
07767 #endif
07768 
07769 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
07770             conf->dhm_min_bitlen  = 1024;
07771 #endif
07772     }
07773 
07774     return( 0 );
07775 }
07776 
07777 /*
07778  * Free mbedtls_ssl_config
07779  */
07780 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
07781 {
07782 #if defined(MBEDTLS_DHM_C)
07783     mbedtls_mpi_free( &conf->dhm_P  );
07784     mbedtls_mpi_free( &conf->dhm_G  );
07785 #endif
07786 
07787 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
07788     if( conf->psk  != NULL )
07789     {
07790         mbedtls_platform_zeroize( conf->psk , conf->psk_len  );
07791         mbedtls_free( conf->psk  );
07792         conf->psk  = NULL;
07793         conf->psk_len  = 0;
07794     }
07795 
07796     if( conf->psk_identity  != NULL )
07797     {
07798         mbedtls_platform_zeroize( conf->psk_identity , conf->psk_identity_len  );
07799         mbedtls_free( conf->psk_identity  );
07800         conf->psk_identity  = NULL;
07801         conf->psk_identity_len  = 0;
07802     }
07803 #endif
07804 
07805 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07806     ssl_key_cert_free( conf->key_cert  );
07807 #endif
07808 
07809     mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
07810 }
07811 
07812 #if defined(MBEDTLS_PK_C) && \
07813     ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
07814 /*
07815  * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
07816  */
07817 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
07818 {
07819 #if defined(MBEDTLS_RSA_C)
07820     if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
07821         return( MBEDTLS_SSL_SIG_RSA );
07822 #endif
07823 #if defined(MBEDTLS_ECDSA_C)
07824     if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
07825         return( MBEDTLS_SSL_SIG_ECDSA );
07826 #endif
07827     return( MBEDTLS_SSL_SIG_ANON );
07828 }
07829 
07830 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
07831 {
07832     switch( type ) {
07833         case MBEDTLS_PK_RSA:
07834             return( MBEDTLS_SSL_SIG_RSA );
07835         case MBEDTLS_PK_ECDSA:
07836         case MBEDTLS_PK_ECKEY:
07837             return( MBEDTLS_SSL_SIG_ECDSA );
07838         default:
07839             return( MBEDTLS_SSL_SIG_ANON );
07840     }
07841 }
07842 
07843 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
07844 {
07845     switch( sig )
07846     {
07847 #if defined(MBEDTLS_RSA_C)
07848         case MBEDTLS_SSL_SIG_RSA:
07849             return( MBEDTLS_PK_RSA );
07850 #endif
07851 #if defined(MBEDTLS_ECDSA_C)
07852         case MBEDTLS_SSL_SIG_ECDSA:
07853             return( MBEDTLS_PK_ECDSA );
07854 #endif
07855         default:
07856             return( MBEDTLS_PK_NONE );
07857     }
07858 }
07859 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
07860 
07861 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
07862     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07863 
07864 /* Find an entry in a signature-hash set matching a given hash algorithm. */
07865 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
07866                                                  mbedtls_pk_type_t sig_alg )
07867 {
07868     switch( sig_alg )
07869     {
07870         case MBEDTLS_PK_RSA:
07871             return( set->rsa );
07872         case MBEDTLS_PK_ECDSA:
07873             return( set->ecdsa );
07874         default:
07875             return( MBEDTLS_MD_NONE );
07876     }
07877 }
07878 
07879 /* Add a signature-hash-pair to a signature-hash set */
07880 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
07881                                    mbedtls_pk_type_t sig_alg,
07882                                    mbedtls_md_type_t md_alg )
07883 {
07884     switch( sig_alg )
07885     {
07886         case MBEDTLS_PK_RSA:
07887             if( set->rsa == MBEDTLS_MD_NONE )
07888                 set->rsa = md_alg;
07889             break;
07890 
07891         case MBEDTLS_PK_ECDSA:
07892             if( set->ecdsa == MBEDTLS_MD_NONE )
07893                 set->ecdsa = md_alg;
07894             break;
07895 
07896         default:
07897             break;
07898     }
07899 }
07900 
07901 /* Allow exactly one hash algorithm for each signature. */
07902 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
07903                                           mbedtls_md_type_t md_alg )
07904 {
07905     set->rsa   = md_alg;
07906     set->ecdsa = md_alg;
07907 }
07908 
07909 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
07910           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
07911 
07912 /*
07913  * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
07914  */
07915 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
07916 {
07917     switch( hash )
07918     {
07919 #if defined(MBEDTLS_MD5_C)
07920         case MBEDTLS_SSL_HASH_MD5:
07921             return( MBEDTLS_MD_MD5 );
07922 #endif
07923 #if defined(MBEDTLS_SHA1_C)
07924         case MBEDTLS_SSL_HASH_SHA1:
07925             return( MBEDTLS_MD_SHA1 );
07926 #endif
07927 #if defined(MBEDTLS_SHA256_C)
07928         case MBEDTLS_SSL_HASH_SHA224:
07929             return( MBEDTLS_MD_SHA224 );
07930         case MBEDTLS_SSL_HASH_SHA256:
07931             return( MBEDTLS_MD_SHA256 );
07932 #endif
07933 #if defined(MBEDTLS_SHA512_C)
07934         case MBEDTLS_SSL_HASH_SHA384:
07935             return( MBEDTLS_MD_SHA384 );
07936         case MBEDTLS_SSL_HASH_SHA512:
07937             return( MBEDTLS_MD_SHA512 );
07938 #endif
07939         default:
07940             return( MBEDTLS_MD_NONE );
07941     }
07942 }
07943 
07944 /*
07945  * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
07946  */
07947 unsigned char mbedtls_ssl_hash_from_md_alg( int md )
07948 {
07949     switch( md )
07950     {
07951 #if defined(MBEDTLS_MD5_C)
07952         case MBEDTLS_MD_MD5:
07953             return( MBEDTLS_SSL_HASH_MD5 );
07954 #endif
07955 #if defined(MBEDTLS_SHA1_C)
07956         case MBEDTLS_MD_SHA1:
07957             return( MBEDTLS_SSL_HASH_SHA1 );
07958 #endif
07959 #if defined(MBEDTLS_SHA256_C)
07960         case MBEDTLS_MD_SHA224:
07961             return( MBEDTLS_SSL_HASH_SHA224 );
07962         case MBEDTLS_MD_SHA256:
07963             return( MBEDTLS_SSL_HASH_SHA256 );
07964 #endif
07965 #if defined(MBEDTLS_SHA512_C)
07966         case MBEDTLS_MD_SHA384:
07967             return( MBEDTLS_SSL_HASH_SHA384 );
07968         case MBEDTLS_MD_SHA512:
07969             return( MBEDTLS_SSL_HASH_SHA512 );
07970 #endif
07971         default:
07972             return( MBEDTLS_SSL_HASH_NONE );
07973     }
07974 }
07975 
07976 #if defined(MBEDTLS_ECP_C)
07977 /*
07978  * Check if a curve proposed by the peer is in our list.
07979  * Return 0 if we're willing to use it, -1 otherwise.
07980  */
07981 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
07982 {
07983     const mbedtls_ecp_group_id *gid;
07984 
07985     if( ssl->conf->curve_list == NULL )
07986         return( -1 );
07987 
07988     for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
07989         if( *gid == grp_id )
07990             return( 0 );
07991 
07992     return( -1 );
07993 }
07994 #endif /* MBEDTLS_ECP_C */
07995 
07996 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07997 /*
07998  * Check if a hash proposed by the peer is in our list.
07999  * Return 0 if we're willing to use it, -1 otherwise.
08000  */
08001 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
08002                                 mbedtls_md_type_t md )
08003 {
08004     const int *cur;
08005 
08006     if( ssl->conf->sig_hashes == NULL )
08007         return( -1 );
08008 
08009     for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
08010         if( *cur == (int) md )
08011             return( 0 );
08012 
08013     return( -1 );
08014 }
08015 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
08016 
08017 #if defined(MBEDTLS_X509_CRT_PARSE_C)
08018 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
08019                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
08020                           int cert_endpoint,
08021                           uint32_t *flags )
08022 {
08023     int ret = 0;
08024 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
08025     int usage = 0;
08026 #endif
08027 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
08028     const char *ext_oid;
08029     size_t ext_len;
08030 #endif
08031 
08032 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) &&          \
08033     !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
08034     ((void) cert);
08035     ((void) cert_endpoint);
08036     ((void) flags);
08037 #endif
08038 
08039 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
08040     if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
08041     {
08042         /* Server part of the key exchange */
08043         switch( ciphersuite->key_exchange )
08044         {
08045             case MBEDTLS_KEY_EXCHANGE_RSA:
08046             case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
08047                 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
08048                 break;
08049 
08050             case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
08051             case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
08052             case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
08053                 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
08054                 break;
08055 
08056             case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
08057             case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
08058                 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
08059                 break;
08060 
08061             /* Don't use default: we want warnings when adding new values */
08062             case MBEDTLS_KEY_EXCHANGE_NONE:
08063             case MBEDTLS_KEY_EXCHANGE_PSK:
08064             case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
08065             case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
08066             case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
08067                 usage = 0;
08068         }
08069     }
08070     else
08071     {
08072         /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
08073         usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
08074     }
08075 
08076     if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
08077     {
08078         *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
08079         ret = -1;
08080     }
08081 #else
08082     ((void) ciphersuite);
08083 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
08084 
08085 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
08086     if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
08087     {
08088         ext_oid = MBEDTLS_OID_SERVER_AUTH;
08089         ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
08090     }
08091     else
08092     {
08093         ext_oid = MBEDTLS_OID_CLIENT_AUTH;
08094         ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
08095     }
08096 
08097     if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
08098     {
08099         *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
08100         ret = -1;
08101     }
08102 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
08103 
08104     return( ret );
08105 }
08106 #endif /* MBEDTLS_X509_CRT_PARSE_C */
08107 
08108 /*
08109  * Convert version numbers to/from wire format
08110  * and, for DTLS, to/from TLS equivalent.
08111  *
08112  * For TLS this is the identity.
08113  * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
08114  * 1.0 <-> 3.2      (DTLS 1.0 is based on TLS 1.1)
08115  * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
08116  */
08117 void mbedtls_ssl_write_version( int major, int minor, int transport,
08118                         unsigned char ver[2] )
08119 {
08120 #if defined(MBEDTLS_SSL_PROTO_DTLS)
08121     if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
08122     {
08123         if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
08124             --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
08125 
08126         ver[0] = (unsigned char)( 255 - ( major - 2 ) );
08127         ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
08128     }
08129     else
08130 #else
08131     ((void) transport);
08132 #endif
08133     {
08134         ver[0] = (unsigned char) major;
08135         ver[1] = (unsigned char) minor;
08136     }
08137 }
08138 
08139 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
08140                        const unsigned char ver[2] )
08141 {
08142 #if defined(MBEDTLS_SSL_PROTO_DTLS)
08143     if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
08144     {
08145         *major = 255 - ver[0] + 2;
08146         *minor = 255 - ver[1] + 1;
08147 
08148         if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
08149             ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
08150     }
08151     else
08152 #else
08153     ((void) transport);
08154 #endif
08155     {
08156         *major = ver[0];
08157         *minor = ver[1];
08158     }
08159 }
08160 
08161 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
08162 {
08163 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
08164     if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
08165         return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
08166 
08167     switch( md )
08168     {
08169 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
08170 #if defined(MBEDTLS_MD5_C)
08171         case MBEDTLS_SSL_HASH_MD5:
08172             return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
08173 #endif
08174 #if defined(MBEDTLS_SHA1_C)
08175         case MBEDTLS_SSL_HASH_SHA1:
08176             ssl->handshake->calc_verify = ssl_calc_verify_tls;
08177             break;
08178 #endif
08179 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
08180 #if defined(MBEDTLS_SHA512_C)
08181         case MBEDTLS_SSL_HASH_SHA384:
08182             ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
08183             break;
08184 #endif
08185 #if defined(MBEDTLS_SHA256_C)
08186         case MBEDTLS_SSL_HASH_SHA256:
08187             ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
08188             break;
08189 #endif
08190         default:
08191             return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
08192     }
08193 
08194     return 0;
08195 #else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
08196     (void) ssl;
08197     (void) md;
08198 
08199     return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
08200 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
08201 }
08202 
08203 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
08204     defined(MBEDTLS_SSL_PROTO_TLS1_1)
08205 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
08206                                         unsigned char *output,
08207                                         unsigned char *data, size_t data_len )
08208 {
08209     int ret = 0;
08210     mbedtls_md5_context mbedtls_md5;
08211     mbedtls_sha1_context mbedtls_sha1;
08212 
08213     mbedtls_md5_init( &mbedtls_md5 );
08214     mbedtls_sha1_init( &mbedtls_sha1 );
08215 
08216     /*
08217      * digitally-signed struct {
08218      *     opaque md5_hash[16];
08219      *     opaque sha_hash[20];
08220      * };
08221      *
08222      * md5_hash
08223      *     MD5(ClientHello.random + ServerHello.random
08224      *                            + ServerParams);
08225      * sha_hash
08226      *     SHA(ClientHello.random + ServerHello.random
08227      *                            + ServerParams);
08228      */
08229     if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
08230     {
08231         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
08232         goto exit;
08233     }
08234     if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
08235                                         ssl->handshake->randbytes, 64 ) ) != 0 )
08236     {
08237         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
08238         goto exit;
08239     }
08240     if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
08241     {
08242         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
08243         goto exit;
08244     }
08245     if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
08246     {
08247         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
08248         goto exit;
08249     }
08250 
08251     if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
08252     {
08253         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
08254         goto exit;
08255     }
08256     if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
08257                                          ssl->handshake->randbytes, 64 ) ) != 0 )
08258     {
08259         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
08260         goto exit;
08261     }
08262     if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
08263                                          data_len ) ) != 0 )
08264     {
08265         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
08266         goto exit;
08267     }
08268     if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
08269                                          output + 16 ) ) != 0 )
08270     {
08271         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
08272         goto exit;
08273     }
08274 
08275 exit:
08276     mbedtls_md5_free( &mbedtls_md5 );
08277     mbedtls_sha1_free( &mbedtls_sha1 );
08278 
08279     if( ret != 0 )
08280         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
08281                                         MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
08282 
08283     return( ret );
08284 
08285 }
08286 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
08287           MBEDTLS_SSL_PROTO_TLS1_1 */
08288 
08289 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
08290     defined(MBEDTLS_SSL_PROTO_TLS1_2)
08291 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
08292                                        unsigned char *output,
08293                                        unsigned char *data, size_t data_len,
08294                                        mbedtls_md_type_t md_alg )
08295 {
08296     int ret = 0;
08297     mbedtls_md_context_t ctx;
08298     const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
08299 
08300     mbedtls_md_init( &ctx );
08301 
08302     /*
08303      * digitally-signed struct {
08304      *     opaque client_random[32];
08305      *     opaque server_random[32];
08306      *     ServerDHParams params;
08307      * };
08308      */
08309     if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
08310     {
08311         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
08312         goto exit;
08313     }
08314     if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
08315     {
08316         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
08317         goto exit;
08318     }
08319     if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
08320     {
08321         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
08322         goto exit;
08323     }
08324     if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
08325     {
08326         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
08327         goto exit;
08328     }
08329     if( ( ret = mbedtls_md_finish( &ctx, output ) ) != 0 )
08330     {
08331         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
08332         goto exit;
08333     }
08334 
08335 exit:
08336     mbedtls_md_free( &ctx );
08337 
08338     if( ret != 0 )
08339         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
08340                                         MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
08341 
08342     return( ret );
08343 }
08344 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
08345           MBEDTLS_SSL_PROTO_TLS1_2 */
08346 
08347 #endif /* MBEDTLS_SSL_TLS_C */