joey shelton / LED_Demo

Dependencies:   MAX44000 PWM_Tone_Library nexpaq_mdk

Fork of LED_Demo by Maxim nexpaq

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ssl_srv.c Source File

ssl_srv.c

00001 /*
00002  *  SSLv3/TLSv1 server-side functions
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 
00022 #if !defined(MBEDTLS_CONFIG_FILE)
00023 #include "mbedtls/config.h"
00024 #else
00025 #include MBEDTLS_CONFIG_FILE
00026 #endif
00027 
00028 #if defined(MBEDTLS_SSL_SRV_C)
00029 
00030 #if defined(MBEDTLS_PLATFORM_C)
00031 #include "mbedtls/platform.h"
00032 #else
00033 #include <stdlib.h>
00034 #define mbedtls_calloc    calloc
00035 #define mbedtls_free      free
00036 #define mbedtls_time      time
00037 #define mbedtls_time_t    time_t
00038 #endif
00039 
00040 #include "mbedtls/debug.h"
00041 #include "mbedtls/ssl.h"
00042 #include "mbedtls/ssl_internal.h"
00043 
00044 #include <string.h>
00045 
00046 #if defined(MBEDTLS_ECP_C)
00047 #include "mbedtls/ecp.h"
00048 #endif
00049 
00050 #if defined(MBEDTLS_HAVE_TIME)
00051 #include <time.h>
00052 #endif
00053 
00054 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
00055 /* Implementation that should never be optimized out by the compiler */
00056 static void mbedtls_zeroize( void *v, size_t n ) {
00057     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
00058 }
00059 #endif
00060 
00061 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
00062 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
00063                                  const unsigned char *info,
00064                                  size_t ilen )
00065 {
00066     if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
00067         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00068 
00069     mbedtls_free( ssl->cli_id );
00070 
00071     if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
00072         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00073 
00074     memcpy( ssl->cli_id, info, ilen );
00075     ssl->cli_id_len = ilen;
00076 
00077     return( 0 );
00078 }
00079 
00080 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
00081                            mbedtls_ssl_cookie_write_t *f_cookie_write,
00082                            mbedtls_ssl_cookie_check_t *f_cookie_check,
00083                            void *p_cookie )
00084 {
00085     conf->f_cookie_write = f_cookie_write;
00086     conf->f_cookie_check = f_cookie_check;
00087     conf->p_cookie        = p_cookie;
00088 }
00089 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
00090 
00091 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00092 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
00093                                      const unsigned char *buf,
00094                                      size_t len )
00095 {
00096     int ret;
00097     size_t servername_list_size, hostname_len;
00098     const unsigned char *p;
00099 
00100     MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
00101 
00102     servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00103     if( servername_list_size + 2 != len )
00104     {
00105         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00106         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00107     }
00108 
00109     p = buf + 2;
00110     while( servername_list_size > 0 )
00111     {
00112         hostname_len = ( ( p[1] << 8 ) | p[2] );
00113         if( hostname_len + 3 > servername_list_size )
00114         {
00115             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00116             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00117         }
00118 
00119         if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
00120         {
00121             ret = ssl->conf->f_sni( ssl->conf->p_sni,
00122                                     ssl, p + 3, hostname_len );
00123             if( ret != 0 )
00124             {
00125                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
00126                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00127                         MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
00128                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00129             }
00130             return( 0 );
00131         }
00132 
00133         servername_list_size -= hostname_len + 3;
00134         p += hostname_len + 3;
00135     }
00136 
00137     if( servername_list_size != 0 )
00138     {
00139         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00140         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00141     }
00142 
00143     return( 0 );
00144 }
00145 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
00146 
00147 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
00148                                          const unsigned char *buf,
00149                                          size_t len )
00150 {
00151     int ret;
00152 
00153 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00154     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00155     {
00156         /* Check verify-data in constant-time. The length OTOH is no secret */
00157         if( len    != 1 + ssl->verify_data_len ||
00158             buf[0] !=     ssl->verify_data_len ||
00159             mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
00160                           ssl->verify_data_len ) != 0 )
00161         {
00162             MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
00163 
00164             if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00165                 return( ret );
00166 
00167             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00168         }
00169     }
00170     else
00171 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00172     {
00173         if( len != 1 || buf[0] != 0x0 )
00174         {
00175             MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
00176 
00177             if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00178                 return( ret );
00179 
00180             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00181         }
00182 
00183         ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
00184     }
00185 
00186     return( 0 );
00187 }
00188 
00189 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00190     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00191 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
00192                                                const unsigned char *buf,
00193                                                size_t len )
00194 {
00195     size_t sig_alg_list_size;
00196     const unsigned char *p;
00197     const unsigned char *end = buf + len;
00198     const int *md_cur;
00199 
00200 
00201     sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00202     if( sig_alg_list_size + 2 != len ||
00203         sig_alg_list_size % 2 != 0 )
00204     {
00205         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00206         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00207     }
00208 
00209     /*
00210      * For now, ignore the SignatureAlgorithm part and rely on offered
00211      * ciphersuites only for that part. To be fixed later.
00212      *
00213      * So, just look at the HashAlgorithm part.
00214      */
00215     for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) {
00216         for( p = buf + 2; p < end; p += 2 ) {
00217             if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) {
00218                 ssl->handshake->sig_alg = p[0];
00219                 goto have_sig_alg;
00220             }
00221         }
00222     }
00223 
00224     /* Some key echanges do not need signatures at all */
00225     MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
00226     return( 0 );
00227 
00228 have_sig_alg:
00229     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
00230                    ssl->handshake->sig_alg ) );
00231 
00232     return( 0 );
00233 }
00234 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
00235           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
00236 
00237 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
00238     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00239 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
00240                                                 const unsigned char *buf,
00241                                                 size_t len )
00242 {
00243     size_t list_size, our_size;
00244     const unsigned char *p;
00245     const mbedtls_ecp_curve_info *curve_info, **curves;
00246 
00247     list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00248     if( list_size + 2 != len ||
00249         list_size % 2 != 0 )
00250     {
00251         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00252         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00253     }
00254 
00255     /* Should never happen unless client duplicates the extension */
00256     if( ssl->handshake->curves != NULL )
00257     {
00258         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00259         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00260     }
00261 
00262     /* Don't allow our peer to make us allocate too much memory,
00263      * and leave room for a final 0 */
00264     our_size = list_size / 2 + 1;
00265     if( our_size > MBEDTLS_ECP_DP_MAX )
00266         our_size = MBEDTLS_ECP_DP_MAX;
00267 
00268     if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
00269         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00270 
00271     ssl->handshake->curves = curves;
00272 
00273     p = buf + 2;
00274     while( list_size > 0 && our_size > 1 )
00275     {
00276         curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
00277 
00278         if( curve_info != NULL )
00279         {
00280             *curves++ = curve_info;
00281             our_size--;
00282         }
00283 
00284         list_size -= 2;
00285         p += 2;
00286     }
00287 
00288     return( 0 );
00289 }
00290 
00291 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
00292                                               const unsigned char *buf,
00293                                               size_t len )
00294 {
00295     size_t list_size;
00296     const unsigned char *p;
00297 
00298     list_size = buf[0];
00299     if( list_size + 1 != len )
00300     {
00301         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00302         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00303     }
00304 
00305     p = buf + 1;
00306     while( list_size > 0 )
00307     {
00308         if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
00309             p[0] == MBEDTLS_ECP_PF_COMPRESSED )
00310         {
00311 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
00312             ssl->handshake->ecdh_ctx.point_format = p[0];
00313 #endif
00314 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00315             ssl->handshake->ecjpake_ctx.point_format = p[0];
00316 #endif
00317             MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
00318             return( 0 );
00319         }
00320 
00321         list_size--;
00322         p++;
00323     }
00324 
00325     return( 0 );
00326 }
00327 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
00328           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
00329 
00330 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00331 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
00332                                    const unsigned char *buf,
00333                                    size_t len )
00334 {
00335     int ret;
00336 
00337     if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
00338     {
00339         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
00340         return( 0 );
00341     }
00342 
00343     if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
00344                                                 buf, len ) ) != 0 )
00345     {
00346         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
00347         return( ret );
00348     }
00349 
00350     /* Only mark the extension as OK when we're sure it is */
00351     ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
00352 
00353     return( 0 );
00354 }
00355 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
00356 
00357 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
00358 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
00359                                               const unsigned char *buf,
00360                                               size_t len )
00361 {
00362     if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
00363     {
00364         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00365         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00366     }
00367 
00368     ssl->session_negotiate->mfl_code = buf[0];
00369 
00370     return( 0 );
00371 }
00372 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
00373 
00374 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
00375 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
00376                                          const unsigned char *buf,
00377                                          size_t len )
00378 {
00379     if( len != 0 )
00380     {
00381         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00382         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00383     }
00384 
00385     ((void) buf);
00386 
00387     if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
00388         ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
00389 
00390     return( 0 );
00391 }
00392 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
00393 
00394 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
00395 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
00396                                       const unsigned char *buf,
00397                                       size_t len )
00398 {
00399     if( len != 0 )
00400     {
00401         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00402         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00403     }
00404 
00405     ((void) buf);
00406 
00407     if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
00408         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
00409     {
00410         ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
00411     }
00412 
00413     return( 0 );
00414 }
00415 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
00416 
00417 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
00418 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
00419                                       const unsigned char *buf,
00420                                       size_t len )
00421 {
00422     if( len != 0 )
00423     {
00424         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00425         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00426     }
00427 
00428     ((void) buf);
00429 
00430     if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
00431         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
00432     {
00433         ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
00434     }
00435 
00436     return( 0 );
00437 }
00438 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
00439 
00440 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
00441 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
00442                                          unsigned char *buf,
00443                                          size_t len )
00444 {
00445     int ret;
00446     mbedtls_ssl_session session;
00447 
00448     mbedtls_ssl_session_init( &session );
00449 
00450     if( ssl->conf->f_ticket_parse == NULL ||
00451         ssl->conf->f_ticket_write == NULL )
00452     {
00453         return( 0 );
00454     }
00455 
00456     /* Remember the client asked us to send a new ticket */
00457     ssl->handshake->new_session_ticket = 1;
00458 
00459     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
00460 
00461     if( len == 0 )
00462         return( 0 );
00463 
00464 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00465     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00466     {
00467         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
00468         return( 0 );
00469     }
00470 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00471 
00472     /*
00473      * Failures are ok: just ignore the ticket and proceed.
00474      */
00475     if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
00476                                            buf, len ) ) != 0 )
00477     {
00478         mbedtls_ssl_session_free( &session );
00479 
00480         if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
00481             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
00482         else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
00483             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
00484         else
00485             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
00486 
00487         return( 0 );
00488     }
00489 
00490     /*
00491      * Keep the session ID sent by the client, since we MUST send it back to
00492      * inform them we're accepting the ticket  (RFC 5077 section 3.4)
00493      */
00494     session.id_len = ssl->session_negotiate->id_len;
00495     memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
00496 
00497     mbedtls_ssl_session_free( ssl->session_negotiate );
00498     memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
00499 
00500     /* Zeroize instead of free as we copied the content */
00501     mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
00502 
00503     MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
00504 
00505     ssl->handshake->resume = 1;
00506 
00507     /* Don't send a new ticket after all, this one is OK */
00508     ssl->handshake->new_session_ticket = 0;
00509 
00510     return( 0 );
00511 }
00512 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
00513 
00514 #if defined(MBEDTLS_SSL_ALPN)
00515 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
00516                                const unsigned char *buf, size_t len )
00517 {
00518     size_t list_len, cur_len, ours_len;
00519     const unsigned char *theirs, *start, *end;
00520     const char **ours;
00521 
00522     /* If ALPN not configured, just ignore the extension */
00523     if( ssl->conf->alpn_list == NULL )
00524         return( 0 );
00525 
00526     /*
00527      * opaque ProtocolName<1..2^8-1>;
00528      *
00529      * struct {
00530      *     ProtocolName protocol_name_list<2..2^16-1>
00531      * } ProtocolNameList;
00532      */
00533 
00534     /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
00535     if( len < 4 )
00536         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00537 
00538     list_len = ( buf[0] << 8 ) | buf[1];
00539     if( list_len != len - 2 )
00540         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00541 
00542     /*
00543      * Use our order of preference
00544      */
00545     start = buf + 2;
00546     end = buf + len;
00547     for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
00548     {
00549         ours_len = strlen( *ours );
00550         for( theirs = start; theirs != end; theirs += cur_len )
00551         {
00552             /* If the list is well formed, we should get equality first */
00553             if( theirs > end )
00554                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00555 
00556             cur_len = *theirs++;
00557 
00558             /* Empty strings MUST NOT be included */
00559             if( cur_len == 0 )
00560                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00561 
00562             if( cur_len == ours_len &&
00563                 memcmp( theirs, *ours, cur_len ) == 0 )
00564             {
00565                 ssl->alpn_chosen = *ours;
00566                 return( 0 );
00567             }
00568         }
00569     }
00570 
00571     /* If we get there, no match was found */
00572     mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00573                             MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
00574     return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00575 }
00576 #endif /* MBEDTLS_SSL_ALPN */
00577 
00578 /*
00579  * Auxiliary functions for ServerHello parsing and related actions
00580  */
00581 
00582 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00583 /*
00584  * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
00585  */
00586 #if defined(MBEDTLS_ECDSA_C)
00587 static int ssl_check_key_curve( mbedtls_pk_context *pk,
00588                                 const mbedtls_ecp_curve_info **curves )
00589 {
00590     const mbedtls_ecp_curve_info **crv = curves;
00591     mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ;
00592 
00593     while( *crv != NULL )
00594     {
00595         if( (*crv)->grp_id == grp_id )
00596             return( 0 );
00597         crv++;
00598     }
00599 
00600     return( -1 );
00601 }
00602 #endif /* MBEDTLS_ECDSA_C */
00603 
00604 /*
00605  * Try picking a certificate for this ciphersuite,
00606  * return 0 on success and -1 on failure.
00607  */
00608 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
00609                           const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
00610 {
00611     mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
00612     mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
00613     uint32_t flags;
00614 
00615 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00616     if( ssl->handshake->sni_key_cert != NULL )
00617         list = ssl->handshake->sni_key_cert;
00618     else
00619 #endif
00620         list = ssl->conf->key_cert;
00621 
00622     if( pk_alg == MBEDTLS_PK_NONE )
00623         return( 0 );
00624 
00625     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
00626 
00627     if( list == NULL )
00628     {
00629         MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
00630         return( -1 );
00631     }
00632 
00633     for( cur = list; cur != NULL; cur = cur->next )
00634     {
00635         MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
00636                           cur->cert );
00637 
00638         if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
00639         {
00640             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
00641             continue;
00642         }
00643 
00644         /*
00645          * This avoids sending the client a cert it'll reject based on
00646          * keyUsage or other extensions.
00647          *
00648          * It also allows the user to provision different certificates for
00649          * different uses based on keyUsage, eg if they want to avoid signing
00650          * and decrypting with the same RSA key.
00651          */
00652         if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
00653                                   MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
00654         {
00655             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
00656                                 "(extended) key usage extension" ) );
00657             continue;
00658         }
00659 
00660 #if defined(MBEDTLS_ECDSA_C)
00661         if( pk_alg == MBEDTLS_PK_ECDSA &&
00662             ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
00663         {
00664             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
00665             continue;
00666         }
00667 #endif
00668 
00669         /*
00670          * Try to select a SHA-1 certificate for pre-1.2 clients, but still
00671          * present them a SHA-higher cert rather than failing if it's the only
00672          * one we got that satisfies the other conditions.
00673          */
00674         if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
00675             cur->cert->sig_md != MBEDTLS_MD_SHA1 )
00676         {
00677             if( fallback == NULL )
00678                 fallback = cur;
00679             {
00680                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
00681                                     "sha-2 with pre-TLS 1.2 client" ) );
00682             continue;
00683             }
00684         }
00685 
00686         /* If we get there, we got a winner */
00687         break;
00688     }
00689 
00690     if( cur == NULL )
00691         cur = fallback;
00692 
00693     /* Do not update ssl->handshake->key_cert unless there is a match */
00694     if( cur != NULL )
00695     {
00696         ssl->handshake->key_cert = cur;
00697         MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
00698                           ssl->handshake->key_cert->cert );
00699         return( 0 );
00700     }
00701 
00702     return( -1 );
00703 }
00704 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00705 
00706 /*
00707  * Check if a given ciphersuite is suitable for use with our config/keys/etc
00708  * Sets ciphersuite_info only if the suite matches.
00709  */
00710 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
00711                                   const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
00712 {
00713     const mbedtls_ssl_ciphersuite_t *suite_info;
00714 
00715     suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
00716     if( suite_info == NULL )
00717     {
00718         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00719         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00720     }
00721 
00722     MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
00723 
00724     if( suite_info->min_minor_ver > ssl->minor_ver ||
00725         suite_info->max_minor_ver < ssl->minor_ver )
00726     {
00727         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
00728         return( 0 );
00729     }
00730 
00731 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00732     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
00733         ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
00734         return( 0 );
00735 #endif
00736 
00737 #if defined(MBEDTLS_ARC4_C)
00738     if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
00739             suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
00740     {
00741         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
00742         return( 0 );
00743     }
00744 #endif
00745 
00746 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00747     if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
00748         ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
00749     {
00750         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
00751                                     "not configured or ext missing" ) );
00752         return( 0 );
00753     }
00754 #endif
00755 
00756 
00757 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
00758     if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
00759         ( ssl->handshake->curves == NULL ||
00760           ssl->handshake->curves[0] == NULL ) )
00761     {
00762         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00763                             "no common elliptic curve" ) );
00764         return( 0 );
00765     }
00766 #endif
00767 
00768 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
00769     /* If the ciphersuite requires a pre-shared key and we don't
00770      * have one, skip it now rather than failing later */
00771     if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
00772         ssl->conf->f_psk == NULL &&
00773         ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
00774           ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
00775     {
00776         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
00777         return( 0 );
00778     }
00779 #endif
00780 
00781 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00782     /*
00783      * Final check: if ciphersuite requires us to have a
00784      * certificate/key of a particular type:
00785      * - select the appropriate certificate if we have one, or
00786      * - try the next ciphersuite if we don't
00787      * This must be done last since we modify the key_cert list.
00788      */
00789     if( ssl_pick_cert( ssl, suite_info ) != 0 )
00790     {
00791         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00792                             "no suitable certificate" ) );
00793         return( 0 );
00794     }
00795 #endif
00796 
00797     *ciphersuite_info = suite_info;
00798     return( 0 );
00799 }
00800 
00801 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
00802 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
00803 {
00804     int ret, got_common_suite;
00805     unsigned int i, j;
00806     size_t n;
00807     unsigned int ciph_len, sess_len, chal_len;
00808     unsigned char *buf, *p;
00809     const int *ciphersuites;
00810     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
00811 
00812     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
00813 
00814 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00815     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00816     {
00817         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
00818 
00819         if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00820             return( ret );
00821 
00822         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00823     }
00824 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00825 
00826     buf = ssl->in_hdr;
00827 
00828     MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00829 
00830     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
00831                    buf[2] ) );
00832     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
00833                    ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
00834     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
00835                    buf[3], buf[4] ) );
00836 
00837     /*
00838      * SSLv2 Client Hello
00839      *
00840      * Record layer:
00841      *     0  .   1   message length
00842      *
00843      * SSL layer:
00844      *     2  .   2   message type
00845      *     3  .   4   protocol version
00846      */
00847     if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
00848         buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
00849     {
00850         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00851         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00852     }
00853 
00854     n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
00855 
00856     if( n < 17 || n > 512 )
00857     {
00858         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00859         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00860     }
00861 
00862     ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
00863     ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
00864                      ? buf[4]  : ssl->conf->max_minor_ver;
00865 
00866     if( ssl->minor_ver < ssl->conf->min_minor_ver )
00867     {
00868         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
00869                             " [%d:%d] < [%d:%d]",
00870                             ssl->major_ver, ssl->minor_ver,
00871                             ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
00872 
00873         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00874                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
00875         return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
00876     }
00877 
00878     ssl->handshake->max_major_ver = buf[3];
00879     ssl->handshake->max_minor_ver = buf[4];
00880 
00881     if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
00882     {
00883         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
00884         return( ret );
00885     }
00886 
00887     ssl->handshake->update_checksum( ssl, buf + 2, n );
00888 
00889     buf = ssl->in_msg;
00890     n = ssl->in_left - 5;
00891 
00892     /*
00893      *    0  .   1   ciphersuitelist length
00894      *    2  .   3   session id length
00895      *    4  .   5   challenge length
00896      *    6  .  ..   ciphersuitelist
00897      *   ..  .  ..   session id
00898      *   ..  .  ..   challenge
00899      */
00900     MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
00901 
00902     ciph_len = ( buf[0] << 8 ) | buf[1];
00903     sess_len = ( buf[2] << 8 ) | buf[3];
00904     chal_len = ( buf[4] << 8 ) | buf[5];
00905 
00906     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
00907                    ciph_len, sess_len, chal_len ) );
00908 
00909     /*
00910      * Make sure each parameter length is valid
00911      */
00912     if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
00913     {
00914         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00915         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00916     }
00917 
00918     if( sess_len > 32 )
00919     {
00920         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00921         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00922     }
00923 
00924     if( chal_len < 8 || chal_len > 32 )
00925     {
00926         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00927         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00928     }
00929 
00930     if( n != 6 + ciph_len + sess_len + chal_len )
00931     {
00932         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00933         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00934     }
00935 
00936     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
00937                    buf + 6, ciph_len );
00938     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
00939                    buf + 6 + ciph_len, sess_len );
00940     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
00941                    buf + 6 + ciph_len + sess_len, chal_len );
00942 
00943     p = buf + 6 + ciph_len;
00944     ssl->session_negotiate->id_len = sess_len;
00945     memset( ssl->session_negotiate->id, 0,
00946             sizeof( ssl->session_negotiate->id ) );
00947     memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
00948 
00949     p += sess_len;
00950     memset( ssl->handshake->randbytes, 0, 64 );
00951     memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
00952 
00953     /*
00954      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
00955      */
00956     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
00957     {
00958         if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
00959         {
00960             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
00961 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00962             if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
00963             {
00964                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
00965                                     "during renegotiation" ) );
00966 
00967                 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00968                     return( ret );
00969 
00970                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00971             }
00972 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00973             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
00974             break;
00975         }
00976     }
00977 
00978 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
00979     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
00980     {
00981         if( p[0] == 0 &&
00982             p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
00983             p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
00984         {
00985             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
00986 
00987             if( ssl->minor_ver < ssl->conf->max_minor_ver )
00988             {
00989                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
00990 
00991                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00992                                         MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
00993 
00994                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00995             }
00996 
00997             break;
00998         }
00999     }
01000 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
01001 
01002     got_common_suite = 0;
01003     ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
01004     ciphersuite_info = NULL;
01005 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01006     for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01007     {
01008         for( i = 0; ciphersuites[i] != 0; i++ )
01009 #else
01010     for( i = 0; ciphersuites[i] != 0; i++ )
01011     {
01012         for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01013 #endif
01014         {
01015             if( p[0] != 0 ||
01016                 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01017                 p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
01018                 continue;
01019 
01020             got_common_suite = 1;
01021 
01022             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01023                                                &ciphersuite_info ) ) != 0 )
01024                 return( ret );
01025 
01026             if( ciphersuite_info != NULL )
01027                 goto have_ciphersuite_v2;
01028         }
01029     }
01030 
01031     if( got_common_suite )
01032     {
01033         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01034                             "but none of them usable" ) );
01035         return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
01036     }
01037     else
01038     {
01039         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01040         return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
01041     }
01042 
01043 have_ciphersuite_v2:
01044     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01045 
01046     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01047     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01048     mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
01049 
01050     /*
01051      * SSLv2 Client Hello relevant renegotiation security checks
01052      */
01053     if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01054         ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
01055     {
01056         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01057 
01058         if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01059             return( ret );
01060 
01061         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01062     }
01063 
01064     ssl->in_left = 0;
01065     ssl->state++;
01066 
01067     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
01068 
01069     return( 0 );
01070 }
01071 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
01072 
01073 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
01074 {
01075     int ret, got_common_suite;
01076     size_t i, j;
01077     size_t ciph_offset, comp_offset, ext_offset;
01078     size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
01079 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01080     size_t cookie_offset, cookie_len;
01081 #endif
01082     unsigned char *buf, *p, *ext;
01083 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01084     int renegotiation_info_seen = 0;
01085 #endif
01086     int handshake_failure = 0;
01087     const int *ciphersuites;
01088     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
01089     int major, minor;
01090 
01091     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
01092 
01093 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01094 read_record_header:
01095 #endif
01096     /*
01097      * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
01098      * otherwise read it ourselves manually in order to support SSLv2
01099      * ClientHello, which doesn't use the same record layer format.
01100      */
01101 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01102     if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
01103 #endif
01104     {
01105         if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
01106         {
01107             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
01108             return( ret );
01109         }
01110     }
01111 
01112     buf = ssl->in_hdr;
01113 
01114 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
01115 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01116     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
01117 #endif
01118         if( ( buf[0] & 0x80 ) != 0 )
01119             return ssl_parse_client_hello_v2( ssl );
01120 #endif
01121 
01122     MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
01123 
01124     /*
01125      * SSLv3/TLS Client Hello
01126      *
01127      * Record layer:
01128      *     0  .   0   message type
01129      *     1  .   2   protocol version
01130      *     3  .   11  DTLS: epoch + record sequence number
01131      *     3  .   4   message length
01132      */
01133     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
01134                    buf[0] ) );
01135 
01136     if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
01137     {
01138         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01139         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01140     }
01141 
01142     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
01143                    ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
01144 
01145     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
01146                    buf[1], buf[2] ) );
01147 
01148     mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
01149 
01150     /* According to RFC 5246 Appendix E.1, the version here is typically
01151      * "{03,00}, the lowest version number supported by the client, [or] the
01152      * value of ClientHello.client_version", so the only meaningful check here
01153      * is the major version shouldn't be less than 3 */
01154     if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
01155     {
01156         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01157         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01158     }
01159 
01160     /* For DTLS if this is the initial handshake, remember the client sequence
01161      * number to use it in our next message (RFC 6347 4.2.1) */
01162 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01163     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
01164 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01165         && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
01166 #endif
01167         )
01168     {
01169         /* Epoch should be 0 for initial handshakes */
01170         if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
01171         {
01172             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01173             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01174         }
01175 
01176         memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
01177 
01178 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01179         if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
01180         {
01181             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
01182             ssl->next_record_offset = 0;
01183             ssl->in_left = 0;
01184             goto read_record_header;
01185         }
01186 
01187         /* No MAC to check yet, so we can update right now */
01188         mbedtls_ssl_dtls_replay_update( ssl );
01189 #endif
01190     }
01191 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01192 
01193     msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
01194 
01195 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01196     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
01197     {
01198         /* Set by mbedtls_ssl_read_record() */
01199         msg_len = ssl->in_hslen;
01200     }
01201     else
01202 #endif
01203     {
01204         if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
01205         {
01206             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01207             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01208         }
01209 
01210         if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
01211         {
01212             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
01213             return( ret );
01214         }
01215 
01216     /* Done reading this record, get ready for the next one */
01217 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01218         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01219             ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
01220         else
01221 #endif
01222             ssl->in_left = 0;
01223     }
01224 
01225     buf = ssl->in_msg;
01226 
01227     MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
01228 
01229     ssl->handshake->update_checksum( ssl, buf, msg_len );
01230 
01231     /*
01232      * Handshake layer:
01233      *     0  .   0   handshake type
01234      *     1  .   3   handshake length
01235      *     4  .   5   DTLS only: message seqence number
01236      *     6  .   8   DTLS only: fragment offset
01237      *     9  .  11   DTLS only: fragment length
01238      */
01239     if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
01240     {
01241         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01242         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01243     }
01244 
01245     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
01246 
01247     if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
01248     {
01249         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01250         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01251     }
01252 
01253     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
01254                    ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
01255 
01256     /* We don't support fragmentation of ClientHello (yet?) */
01257     if( buf[1] != 0 ||
01258         msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
01259     {
01260         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01261         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01262     }
01263 
01264 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01265     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01266     {
01267         /*
01268          * Copy the client's handshake message_seq on initial handshakes,
01269          * check sequence number on renego.
01270          */
01271 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01272         if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01273         {
01274             /* This couldn't be done in ssl_prepare_handshake_record() */
01275             unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
01276                                          ssl->in_msg[5];
01277 
01278             if( cli_msg_seq != ssl->handshake->in_msg_seq )
01279             {
01280                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
01281                                     "%d (expected %d)", cli_msg_seq,
01282                                     ssl->handshake->in_msg_seq ) );
01283                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01284             }
01285 
01286             ssl->handshake->in_msg_seq++;
01287         }
01288         else
01289 #endif
01290         {
01291             unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
01292                                          ssl->in_msg[5];
01293             ssl->handshake->out_msg_seq = cli_msg_seq;
01294             ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
01295         }
01296 
01297         /*
01298          * For now we don't support fragmentation, so make sure
01299          * fragment_offset == 0 and fragment_length == length
01300          */
01301         if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
01302             memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
01303         {
01304             MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
01305             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
01306         }
01307     }
01308 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01309 
01310     buf += mbedtls_ssl_hs_hdr_len( ssl );
01311     msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
01312 
01313     /*
01314      * ClientHello layer:
01315      *     0  .   1   protocol version
01316      *     2  .  33   random bytes (starting with 4 bytes of Unix time)
01317      *    34  .  35   session id length (1 byte)
01318      *    35  . 34+x  session id
01319      *   35+x . 35+x  DTLS only: cookie length (1 byte)
01320      *   36+x .  ..   DTLS only: cookie
01321      *    ..  .  ..   ciphersuite list length (2 bytes)
01322      *    ..  .  ..   ciphersuite list
01323      *    ..  .  ..   compression alg. list length (1 byte)
01324      *    ..  .  ..   compression alg. list
01325      *    ..  .  ..   extensions length (2 bytes, optional)
01326      *    ..  .  ..   extensions (optional)
01327      */
01328 
01329     /*
01330      * Minimal length (with everything empty and extensions ommitted) is
01331      * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
01332      * read at least up to session id length without worrying.
01333      */
01334     if( msg_len < 38 )
01335     {
01336         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01337         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01338     }
01339 
01340     /*
01341      * Check and save the protocol version
01342      */
01343     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
01344 
01345     mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
01346                       ssl->conf->transport, buf );
01347 
01348     ssl->handshake->max_major_ver = ssl->major_ver;
01349     ssl->handshake->max_minor_ver = ssl->minor_ver;
01350 
01351     if( ssl->major_ver < ssl->conf->min_major_ver ||
01352         ssl->minor_ver < ssl->conf->min_minor_ver )
01353     {
01354         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
01355                             " [%d:%d] < [%d:%d]",
01356                             ssl->major_ver, ssl->minor_ver,
01357                             ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
01358 
01359         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01360                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
01361 
01362         return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
01363     }
01364 
01365     if( ssl->major_ver > ssl->conf->max_major_ver )
01366     {
01367         ssl->major_ver = ssl->conf->max_major_ver;
01368         ssl->minor_ver = ssl->conf->max_minor_ver;
01369     }
01370     else if( ssl->minor_ver > ssl->conf->max_minor_ver )
01371         ssl->minor_ver = ssl->conf->max_minor_ver;
01372 
01373     /*
01374      * Save client random (inc. Unix time)
01375      */
01376     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
01377 
01378     memcpy( ssl->handshake->randbytes, buf + 2, 32 );
01379 
01380     /*
01381      * Check the session ID length and save session ID
01382      */
01383     sess_len = buf[34];
01384 
01385     if( sess_len > sizeof( ssl->session_negotiate->id ) ||
01386         sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
01387     {
01388         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01389         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01390     }
01391 
01392     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
01393 
01394     ssl->session_negotiate->id_len = sess_len;
01395     memset( ssl->session_negotiate->id, 0,
01396             sizeof( ssl->session_negotiate->id ) );
01397     memcpy( ssl->session_negotiate->id, buf + 35,
01398             ssl->session_negotiate->id_len );
01399 
01400     /*
01401      * Check the cookie length and content
01402      */
01403 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01404     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01405     {
01406         cookie_offset = 35 + sess_len;
01407         cookie_len = buf[cookie_offset];
01408 
01409         if( cookie_offset + 1 + cookie_len + 2 > msg_len )
01410         {
01411             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01412             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01413         }
01414 
01415         MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
01416                        buf + cookie_offset + 1, cookie_len );
01417 
01418 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
01419         if( ssl->conf->f_cookie_check != NULL
01420 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01421             && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
01422 #endif
01423             )
01424         {
01425             if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
01426                                      buf + cookie_offset + 1, cookie_len,
01427                                      ssl->cli_id, ssl->cli_id_len ) != 0 )
01428             {
01429                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
01430                 ssl->handshake->verify_cookie_len = 1;
01431             }
01432             else
01433             {
01434                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
01435                 ssl->handshake->verify_cookie_len = 0;
01436             }
01437         }
01438         else
01439 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
01440         {
01441             /* We know we didn't send a cookie, so it should be empty */
01442             if( cookie_len != 0 )
01443             {
01444                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01445                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01446             }
01447 
01448             MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
01449         }
01450 
01451     /*
01452      * Check the ciphersuitelist length (will be parsed later)
01453      */
01454         ciph_offset = cookie_offset + 1 + cookie_len;
01455     }
01456     else
01457 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01458         ciph_offset = 35 + sess_len;
01459 
01460     ciph_len = ( buf[ciph_offset + 0] << 8 )
01461              | ( buf[ciph_offset + 1]      );
01462 
01463     if( ciph_len < 2 ||
01464         ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
01465         ( ciph_len % 2 ) != 0 )
01466     {
01467         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01468         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01469     }
01470 
01471     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01472                    buf + ciph_offset + 2,  ciph_len );
01473 
01474     /*
01475      * Check the compression algorithms length and pick one
01476      */
01477     comp_offset = ciph_offset + 2 + ciph_len;
01478 
01479     comp_len = buf[comp_offset];
01480 
01481     if( comp_len < 1 ||
01482         comp_len > 16 ||
01483         comp_len + comp_offset + 1 > msg_len )
01484     {
01485         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01486         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01487     }
01488 
01489     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
01490                       buf + comp_offset + 1, comp_len );
01491 
01492     ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
01493 #if defined(MBEDTLS_ZLIB_SUPPORT)
01494     for( i = 0; i < comp_len; ++i )
01495     {
01496         if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
01497         {
01498             ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
01499             break;
01500         }
01501     }
01502 #endif
01503 
01504     /* See comments in ssl_write_client_hello() */
01505 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01506     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01507         ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
01508 #endif
01509 
01510     /* Do not parse the extensions if the protocol is SSLv3 */
01511 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01512     if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
01513     {
01514 #endif
01515         /*
01516          * Check the extension length
01517          */
01518         ext_offset = comp_offset + 1 + comp_len;
01519         if( msg_len > ext_offset )
01520         {
01521             if( msg_len < ext_offset + 2 )
01522             {
01523                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01524                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01525             }
01526 
01527             ext_len = ( buf[ext_offset + 0] << 8 )
01528                     | ( buf[ext_offset + 1]      );
01529 
01530             if( ( ext_len > 0 && ext_len < 4 ) ||
01531                 msg_len != ext_offset + 2 + ext_len )
01532             {
01533                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01534                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01535             }
01536         }
01537         else
01538             ext_len = 0;
01539 
01540         ext = buf + ext_offset + 2;
01541         MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
01542 
01543         while( ext_len != 0 )
01544         {
01545             unsigned int ext_id   = ( ( ext[0] <<  8 )
01546                                     | ( ext[1]       ) );
01547             unsigned int ext_size = ( ( ext[2] <<  8 )
01548                                     | ( ext[3]       ) );
01549 
01550             if( ext_size + 4 > ext_len )
01551             {
01552                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01553                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01554             }
01555             switch( ext_id )
01556             {
01557 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
01558             case MBEDTLS_TLS_EXT_SERVERNAME:
01559                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
01560                 if( ssl->conf->f_sni == NULL )
01561                     break;
01562 
01563                 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
01564                 if( ret != 0 )
01565                     return( ret );
01566                 break;
01567 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
01568 
01569             case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
01570                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
01571 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01572                 renegotiation_info_seen = 1;
01573 #endif
01574 
01575                 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
01576                 if( ret != 0 )
01577                     return( ret );
01578                 break;
01579 
01580 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
01581     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01582             case MBEDTLS_TLS_EXT_SIG_ALG:
01583                     MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
01584 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01585                 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01586                     break;
01587 #endif
01588 
01589                 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
01590                 if( ret != 0 )
01591                     return( ret );
01592                 break;
01593 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
01594           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
01595 
01596 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
01597     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
01598             case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
01599                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
01600 
01601                 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
01602                 if( ret != 0 )
01603                     return( ret );
01604                 break;
01605 
01606             case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
01607                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
01608                 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
01609 
01610                 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
01611                 if( ret != 0 )
01612                     return( ret );
01613                 break;
01614 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
01615           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
01616 
01617 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
01618             case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
01619                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
01620 
01621                 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
01622                 if( ret != 0 )
01623                     return( ret );
01624                 break;
01625 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
01626 
01627 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
01628             case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
01629                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
01630 
01631                 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
01632                 if( ret != 0 )
01633                     return( ret );
01634                 break;
01635 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
01636 
01637 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
01638             case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
01639                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
01640 
01641                 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
01642                 if( ret != 0 )
01643                     return( ret );
01644                 break;
01645 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
01646 
01647 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01648             case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
01649                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
01650 
01651                 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
01652                 if( ret != 0 )
01653                     return( ret );
01654                 break;
01655 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01656 
01657 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
01658             case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
01659                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
01660 
01661                 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
01662                 if( ret != 0 )
01663                     return( ret );
01664                 break;
01665 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
01666 
01667 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
01668             case MBEDTLS_TLS_EXT_SESSION_TICKET:
01669                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
01670 
01671                 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
01672                 if( ret != 0 )
01673                     return( ret );
01674                 break;
01675 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
01676 
01677 #if defined(MBEDTLS_SSL_ALPN)
01678             case MBEDTLS_TLS_EXT_ALPN:
01679                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
01680 
01681                 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
01682                 if( ret != 0 )
01683                     return( ret );
01684                 break;
01685 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
01686 
01687             default:
01688                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
01689                                ext_id ) );
01690             }
01691 
01692             ext_len -= 4 + ext_size;
01693             ext += 4 + ext_size;
01694 
01695             if( ext_len > 0 && ext_len < 4 )
01696             {
01697                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01698                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01699             }
01700         }
01701 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01702     }
01703 #endif
01704 
01705 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
01706     for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
01707     {
01708         if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
01709             p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
01710         {
01711             MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
01712 
01713             if( ssl->minor_ver < ssl->conf->max_minor_ver )
01714             {
01715                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
01716 
01717                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01718                                         MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
01719 
01720                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01721             }
01722 
01723             break;
01724         }
01725     }
01726 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
01727 
01728     /*
01729      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01730      */
01731     for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
01732     {
01733         if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
01734         {
01735             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01736 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01737             if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01738             {
01739                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
01740 
01741                 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01742                     return( ret );
01743 
01744                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01745             }
01746 #endif
01747             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
01748             break;
01749         }
01750     }
01751 
01752     /*
01753      * Renegotiation security checks
01754      */
01755     if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
01756         ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
01757     {
01758         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01759         handshake_failure = 1;
01760     }
01761 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01762     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01763              ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
01764              renegotiation_info_seen == 0 )
01765     {
01766         MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
01767         handshake_failure = 1;
01768     }
01769     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01770              ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01771              ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
01772     {
01773         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
01774         handshake_failure = 1;
01775     }
01776     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01777              ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01778              renegotiation_info_seen == 1 )
01779     {
01780         MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
01781         handshake_failure = 1;
01782     }
01783 #endif /* MBEDTLS_SSL_RENEGOTIATION */
01784 
01785     if( handshake_failure == 1 )
01786     {
01787         if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01788             return( ret );
01789 
01790         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01791     }
01792 
01793     /*
01794      * Search for a matching ciphersuite
01795      * (At the end because we need information from the EC-based extensions
01796      * and certificate from the SNI callback triggered by the SNI extension.)
01797      */
01798     got_common_suite = 0;
01799     ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
01800     ciphersuite_info = NULL;
01801 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01802     for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
01803     {
01804         for( i = 0; ciphersuites[i] != 0; i++ )
01805 #else
01806     for( i = 0; ciphersuites[i] != 0; i++ )
01807     {
01808         for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
01809 #endif
01810         {
01811             if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01812                 p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
01813                 continue;
01814 
01815             got_common_suite = 1;
01816 
01817             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01818                                                &ciphersuite_info ) ) != 0 )
01819                 return( ret );
01820 
01821             if( ciphersuite_info != NULL )
01822                 goto have_ciphersuite;
01823         }
01824     }
01825 
01826     if( got_common_suite )
01827     {
01828         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01829                             "but none of them usable" ) );
01830         mbedtls_ssl_send_fatal_handshake_failure( ssl );
01831         return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
01832     }
01833     else
01834     {
01835         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01836         mbedtls_ssl_send_fatal_handshake_failure( ssl );
01837         return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
01838     }
01839 
01840 have_ciphersuite:
01841     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01842 
01843     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01844     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01845     mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
01846 
01847     ssl->state++;
01848 
01849 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01850     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01851         mbedtls_ssl_recv_flight_completed( ssl );
01852 #endif
01853 
01854     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
01855 
01856     return( 0 );
01857 }
01858 
01859 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
01860 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
01861                                           unsigned char *buf,
01862                                           size_t *olen )
01863 {
01864     unsigned char *p = buf;
01865 
01866     if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
01867     {
01868         *olen = 0;
01869         return;
01870     }
01871 
01872     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
01873 
01874     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
01875     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
01876 
01877     *p++ = 0x00;
01878     *p++ = 0x00;
01879 
01880     *olen = 4;
01881 }
01882 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
01883 
01884 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01885 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
01886                                             unsigned char *buf,
01887                                             size_t *olen )
01888 {
01889     unsigned char *p = buf;
01890     const mbedtls_ssl_ciphersuite_t *suite = NULL;
01891     const mbedtls_cipher_info_t *cipher = NULL;
01892 
01893     if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
01894         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01895     {
01896         *olen = 0;
01897         return;
01898     }
01899 
01900     /*
01901      * RFC 7366: "If a server receives an encrypt-then-MAC request extension
01902      * from a client and then selects a stream or Authenticated Encryption
01903      * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
01904      * encrypt-then-MAC response extension back to the client."
01905      */
01906     if( ( suite = mbedtls_ssl_ciphersuite_from_id(
01907                     ssl->session_negotiate->ciphersuite ) ) == NULL ||
01908         ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
01909         cipher->mode != MBEDTLS_MODE_CBC )
01910     {
01911         *olen = 0;
01912         return;
01913     }
01914 
01915     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
01916 
01917     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
01918     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
01919 
01920     *p++ = 0x00;
01921     *p++ = 0x00;
01922 
01923     *olen = 4;
01924 }
01925 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01926 
01927 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
01928 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
01929                                        unsigned char *buf,
01930                                        size_t *olen )
01931 {
01932     unsigned char *p = buf;
01933 
01934     if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
01935         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01936     {
01937         *olen = 0;
01938         return;
01939     }
01940 
01941     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
01942                         "extension" ) );
01943 
01944     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
01945     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
01946 
01947     *p++ = 0x00;
01948     *p++ = 0x00;
01949 
01950     *olen = 4;
01951 }
01952 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
01953 
01954 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
01955 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
01956                                           unsigned char *buf,
01957                                           size_t *olen )
01958 {
01959     unsigned char *p = buf;
01960 
01961     if( ssl->handshake->new_session_ticket == 0 )
01962     {
01963         *olen = 0;
01964         return;
01965     }
01966 
01967     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
01968 
01969     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
01970     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
01971 
01972     *p++ = 0x00;
01973     *p++ = 0x00;
01974 
01975     *olen = 4;
01976 }
01977 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
01978 
01979 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
01980                                          unsigned char *buf,
01981                                          size_t *olen )
01982 {
01983     unsigned char *p = buf;
01984 
01985     if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
01986     {
01987         *olen = 0;
01988         return;
01989     }
01990 
01991     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
01992 
01993     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
01994     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
01995 
01996 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01997     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
01998     {
01999         *p++ = 0x00;
02000         *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
02001         *p++ = ssl->verify_data_len * 2 & 0xFF;
02002 
02003         memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
02004         p += ssl->verify_data_len;
02005         memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
02006         p += ssl->verify_data_len;
02007     }
02008     else
02009 #endif /* MBEDTLS_SSL_RENEGOTIATION */
02010     {
02011         *p++ = 0x00;
02012         *p++ = 0x01;
02013         *p++ = 0x00;
02014     }
02015 
02016     *olen = p - buf;
02017 }
02018 
02019 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
02020 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
02021                                                unsigned char *buf,
02022                                                size_t *olen )
02023 {
02024     unsigned char *p = buf;
02025 
02026     if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
02027     {
02028         *olen = 0;
02029         return;
02030     }
02031 
02032     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
02033 
02034     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
02035     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
02036 
02037     *p++ = 0x00;
02038     *p++ = 1;
02039 
02040     *p++ = ssl->session_negotiate->mfl_code;
02041 
02042     *olen = 5;
02043 }
02044 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
02045 
02046 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
02047     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02048 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
02049                                                    unsigned char *buf,
02050                                                    size_t *olen )
02051 {
02052     unsigned char *p = buf;
02053     ((void) ssl);
02054 
02055     if( ( ssl->handshake->cli_exts &
02056           MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
02057     {
02058         *olen = 0;
02059         return;
02060     }
02061 
02062     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
02063 
02064     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
02065     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
02066 
02067     *p++ = 0x00;
02068     *p++ = 2;
02069 
02070     *p++ = 1;
02071     *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
02072 
02073     *olen = 6;
02074 }
02075 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02076 
02077 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02078 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
02079                                         unsigned char *buf,
02080                                         size_t *olen )
02081 {
02082     int ret;
02083     unsigned char *p = buf;
02084     const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02085     size_t kkpp_len;
02086 
02087     *olen = 0;
02088 
02089     /* Skip costly computation if not needed */
02090     if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
02091         MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02092         return;
02093 
02094     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
02095 
02096     if( end - p < 4 )
02097     {
02098         MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
02099         return;
02100     }
02101 
02102     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
02103     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
02104 
02105     ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
02106                                         p + 2, end - p - 2, &kkpp_len,
02107                                         ssl->conf->f_rng, ssl->conf->p_rng );
02108     if( ret != 0 )
02109     {
02110         MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
02111         return;
02112     }
02113 
02114     *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
02115     *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
02116 
02117     *olen = kkpp_len + 4;
02118 }
02119 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02120 
02121 #if defined(MBEDTLS_SSL_ALPN )
02122 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
02123                                 unsigned char *buf, size_t *olen )
02124 {
02125     if( ssl->alpn_chosen == NULL )
02126     {
02127         *olen = 0;
02128         return;
02129     }
02130 
02131     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
02132 
02133     /*
02134      * 0 . 1    ext identifier
02135      * 2 . 3    ext length
02136      * 4 . 5    protocol list length
02137      * 6 . 6    protocol name length
02138      * 7 . 7+n  protocol name
02139      */
02140     buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
02141     buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
02142 
02143     *olen = 7 + strlen( ssl->alpn_chosen );
02144 
02145     buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
02146     buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
02147 
02148     buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
02149     buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
02150 
02151     buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
02152 
02153     memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
02154 }
02155 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
02156 
02157 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
02158 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
02159 {
02160     int ret;
02161     unsigned char *p = ssl->out_msg + 4;
02162     unsigned char *cookie_len_byte;
02163 
02164     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
02165 
02166     /*
02167      * struct {
02168      *   ProtocolVersion server_version;
02169      *   opaque cookie<0..2^8-1>;
02170      * } HelloVerifyRequest;
02171      */
02172 
02173     /* The RFC is not clear on this point, but sending the actual negotiated
02174      * version looks like the most interoperable thing to do. */
02175     mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02176                        ssl->conf->transport, p );
02177     MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
02178     p += 2;
02179 
02180     /* If we get here, f_cookie_check is not null */
02181     if( ssl->conf->f_cookie_write == NULL )
02182     {
02183         MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
02184         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02185     }
02186 
02187     /* Skip length byte until we know the length */
02188     cookie_len_byte = p++;
02189 
02190     if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
02191                                      &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
02192                                      ssl->cli_id, ssl->cli_id_len ) ) != 0 )
02193     {
02194         MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
02195         return( ret );
02196     }
02197 
02198     *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
02199 
02200     MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
02201 
02202     ssl->out_msglen  = p - ssl->out_msg;
02203     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02204     ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
02205 
02206     ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
02207 
02208     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
02209     {
02210         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
02211         return( ret );
02212     }
02213 
02214     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
02215 
02216     return( 0 );
02217 }
02218 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
02219 
02220 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
02221 {
02222 #if defined(MBEDTLS_HAVE_TIME)
02223     mbedtls_time_t t;
02224 #endif
02225     int ret;
02226     size_t olen, ext_len = 0, n;
02227     unsigned char *buf, *p;
02228 
02229     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
02230 
02231 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
02232     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
02233         ssl->handshake->verify_cookie_len != 0 )
02234     {
02235         MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
02236         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
02237 
02238         return( ssl_write_hello_verify_request( ssl ) );
02239     }
02240 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
02241 
02242     if( ssl->conf->f_rng == NULL )
02243     {
02244         MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
02245         return( MBEDTLS_ERR_SSL_NO_RNG );
02246     }
02247 
02248     /*
02249      *     0  .   0   handshake type
02250      *     1  .   3   handshake length
02251      *     4  .   5   protocol version
02252      *     6  .   9   UNIX time()
02253      *    10  .  37   random bytes
02254      */
02255     buf = ssl->out_msg;
02256     p = buf + 4;
02257 
02258     mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02259                        ssl->conf->transport, p );
02260     p += 2;
02261 
02262     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
02263                         buf[4], buf[5] ) );
02264 
02265 #if defined(MBEDTLS_HAVE_TIME)
02266     t = mbedtls_time( NULL );
02267     *p++ = (unsigned char)( t >> 24 );
02268     *p++ = (unsigned char)( t >> 16 );
02269     *p++ = (unsigned char)( t >>  8 );
02270     *p++ = (unsigned char)( t       );
02271 
02272     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
02273 #else
02274     if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
02275         return( ret );
02276 
02277     p += 4;
02278 #endif /* MBEDTLS_HAVE_TIME */
02279 
02280     if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
02281         return( ret );
02282 
02283     p += 28;
02284 
02285     memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
02286 
02287     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
02288 
02289     /*
02290      * Resume is 0  by default, see ssl_handshake_init().
02291      * It may be already set to 1 by ssl_parse_session_ticket_ext().
02292      * If not, try looking up session ID in our cache.
02293      */
02294     if( ssl->handshake->resume == 0 &&
02295 #if defined(MBEDTLS_SSL_RENEGOTIATION)
02296         ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
02297 #endif
02298         ssl->session_negotiate->id_len != 0 &&
02299         ssl->conf->f_get_cache != NULL &&
02300         ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
02301     {
02302         MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
02303         ssl->handshake->resume = 1;
02304     }
02305 
02306     if( ssl->handshake->resume == 0 )
02307     {
02308         /*
02309          * New session, create a new session id,
02310          * unless we're about to issue a session ticket
02311          */
02312         ssl->state++;
02313 
02314 #if defined(MBEDTLS_HAVE_TIME)
02315         ssl->session_negotiate->start = mbedtls_time( NULL );
02316 #endif
02317 
02318 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02319         if( ssl->handshake->new_session_ticket != 0 )
02320         {
02321             ssl->session_negotiate->id_len = n = 0;
02322             memset( ssl->session_negotiate->id, 0, 32 );
02323         }
02324         else
02325 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
02326         {
02327             ssl->session_negotiate->id_len = n = 32;
02328             if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
02329                                     n ) ) != 0 )
02330                 return( ret );
02331         }
02332     }
02333     else
02334     {
02335         /*
02336          * Resuming a session
02337          */
02338         n = ssl->session_negotiate->id_len;
02339         ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
02340 
02341         if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
02342         {
02343             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
02344             return( ret );
02345         }
02346     }
02347 
02348     /*
02349      *    38  .  38     session id length
02350      *    39  . 38+n    session id
02351      *   39+n . 40+n    chosen ciphersuite
02352      *   41+n . 41+n    chosen compression alg.
02353      *   42+n . 43+n    extensions length
02354      *   44+n . 43+n+m  extensions
02355      */
02356     *p++ = (unsigned char) ssl->session_negotiate->id_len;
02357     memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
02358     p += ssl->session_negotiate->id_len;
02359 
02360     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
02361     MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
02362     MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
02363                    ssl->handshake->resume ? "a" : "no" ) );
02364 
02365     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
02366     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
02367     *p++ = (unsigned char)( ssl->session_negotiate->compression      );
02368 
02369     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
02370            mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
02371     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
02372                    ssl->session_negotiate->compression ) );
02373 
02374     /* Do not write the extensions if the protocol is SSLv3 */
02375 #if defined(MBEDTLS_SSL_PROTO_SSL3)
02376     if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
02377     {
02378 #endif
02379 
02380     /*
02381      *  First write extensions, then the total length
02382      */
02383     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
02384     ext_len += olen;
02385 
02386 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
02387     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
02388     ext_len += olen;
02389 #endif
02390 
02391 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
02392     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
02393     ext_len += olen;
02394 #endif
02395 
02396 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
02397     ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
02398     ext_len += olen;
02399 #endif
02400 
02401 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
02402     ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
02403     ext_len += olen;
02404 #endif
02405 
02406 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02407     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
02408     ext_len += olen;
02409 #endif
02410 
02411 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
02412     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02413     ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
02414     ext_len += olen;
02415 #endif
02416 
02417 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02418     ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
02419     ext_len += olen;
02420 #endif
02421 
02422 #if defined(MBEDTLS_SSL_ALPN)
02423     ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
02424     ext_len += olen;
02425 #endif
02426 
02427     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
02428 
02429     if( ext_len > 0 )
02430     {
02431         *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
02432         *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
02433         p += ext_len;
02434     }
02435 
02436 #if defined(MBEDTLS_SSL_PROTO_SSL3)
02437     }
02438 #endif
02439 
02440     ssl->out_msglen  = p - buf;
02441     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02442     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
02443 
02444     ret = mbedtls_ssl_write_record( ssl );
02445 
02446     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
02447 
02448     return( ret );
02449 }
02450 
02451 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
02452     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
02453     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
02454     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02455 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
02456 {
02457     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02458 
02459     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02460 
02461     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
02462         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
02463         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02464         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
02465         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02466     {
02467         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02468         ssl->state++;
02469         return( 0 );
02470     }
02471 
02472     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02473     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02474 }
02475 #else
02476 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
02477 {
02478     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
02479     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02480     size_t dn_size, total_dn_size; /* excluding length bytes */
02481     size_t ct_len, sa_len; /* including length bytes */
02482     unsigned char *buf, *p;
02483     const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02484     const mbedtls_x509_crt *crt;
02485     int authmode;
02486 
02487     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02488 
02489     ssl->state++;
02490 
02491 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
02492     if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
02493         authmode = ssl->handshake->sni_authmode;
02494     else
02495 #endif
02496         authmode = ssl->conf->authmode;
02497 
02498     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
02499         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
02500         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02501         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
02502         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
02503         authmode == MBEDTLS_SSL_VERIFY_NONE )
02504     {
02505         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02506         return( 0 );
02507     }
02508 
02509     /*
02510      *     0  .   0   handshake type
02511      *     1  .   3   handshake length
02512      *     4  .   4   cert type count
02513      *     5  .. m-1  cert types
02514      *     m  .. m+1  sig alg length (TLS 1.2 only)
02515      *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
02516      *     n  .. n+1  length of all DNs
02517      *    n+2 .. n+3  length of DN 1
02518      *    n+4 .. ...  Distinguished Name #1
02519      *    ... .. ...  length of DN 2, etc.
02520      */
02521     buf = ssl->out_msg;
02522     p = buf + 4;
02523 
02524     /*
02525      * Supported certificate types
02526      *
02527      *     ClientCertificateType certificate_types<1..2^8-1>;
02528      *     enum { (255) } ClientCertificateType;
02529      */
02530     ct_len = 0;
02531 
02532 #if defined(MBEDTLS_RSA_C)
02533     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
02534 #endif
02535 #if defined(MBEDTLS_ECDSA_C)
02536     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
02537 #endif
02538 
02539     p[0] = (unsigned char) ct_len++;
02540     p += ct_len;
02541 
02542     sa_len = 0;
02543 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
02544     /*
02545      * Add signature_algorithms for verify (TLS 1.2)
02546      *
02547      *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
02548      *
02549      *     struct {
02550      *           HashAlgorithm hash;
02551      *           SignatureAlgorithm signature;
02552      *     } SignatureAndHashAlgorithm;
02553      *
02554      *     enum { (255) } HashAlgorithm;
02555      *     enum { (255) } SignatureAlgorithm;
02556      */
02557     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
02558     {
02559         /*
02560          * Only use current running hash algorithm that is already required
02561          * for requested ciphersuite.
02562          */
02563         ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA256;
02564 
02565         if( ssl->transform_negotiate->ciphersuite_info->mac ==
02566             MBEDTLS_MD_SHA384 )
02567         {
02568             ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA384;
02569         }
02570 
02571         /*
02572          * Supported signature algorithms
02573          */
02574 #if defined(MBEDTLS_RSA_C)
02575         p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
02576         p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
02577 #endif
02578 #if defined(MBEDTLS_ECDSA_C)
02579         p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
02580         p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
02581 #endif
02582 
02583         p[0] = (unsigned char)( sa_len >> 8 );
02584         p[1] = (unsigned char)( sa_len      );
02585         sa_len += 2;
02586         p += sa_len;
02587     }
02588 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
02589 
02590     /*
02591      * DistinguishedName certificate_authorities<0..2^16-1>;
02592      * opaque DistinguishedName<1..2^16-1>;
02593      */
02594     p += 2;
02595 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
02596     if( ssl->handshake->sni_ca_chain != NULL )
02597         crt = ssl->handshake->sni_ca_chain;
02598     else
02599 #endif
02600         crt = ssl->conf->ca_chain;
02601 
02602     total_dn_size = 0;
02603     while( crt != NULL && crt->version != 0 )
02604     {
02605         dn_size = crt->subject_raw.len;
02606 
02607         if( end < p ||
02608             (size_t)( end - p ) < dn_size ||
02609             (size_t)( end - p ) < 2 + dn_size )
02610         {
02611             MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
02612             break;
02613         }
02614 
02615         *p++ = (unsigned char)( dn_size >> 8 );
02616         *p++ = (unsigned char)( dn_size      );
02617         memcpy( p, crt->subject_raw.p, dn_size );
02618         p += dn_size;
02619 
02620         MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
02621 
02622         total_dn_size += 2 + dn_size;
02623         crt = crt->next;
02624     }
02625 
02626     ssl->out_msglen  = p - buf;
02627     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02628     ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
02629     ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
02630     ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
02631 
02632     ret = mbedtls_ssl_write_record( ssl );
02633 
02634     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
02635 
02636     return( ret );
02637 }
02638 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
02639           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
02640           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
02641           !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
02642 
02643 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
02644     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
02645 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
02646 {
02647     int ret;
02648 
02649     if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
02650     {
02651         MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
02652         return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
02653     }
02654 
02655     if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
02656                                  mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
02657                                  MBEDTLS_ECDH_OURS ) ) != 0 )
02658     {
02659         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
02660         return( ret );
02661     }
02662 
02663     return( 0 );
02664 }
02665 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
02666           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
02667 
02668 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
02669 {
02670     int ret;
02671     size_t n = 0;
02672     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
02673                             ssl->transform_negotiate->ciphersuite_info;
02674 
02675 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
02676     defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                       \
02677     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
02678     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
02679     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
02680     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02681     unsigned char *p = ssl->out_msg + 4;
02682     unsigned char *dig_signed = p;
02683     size_t dig_signed_len = 0, len;
02684     ((void) dig_signed);
02685     ((void) dig_signed_len);
02686     ((void) len);
02687 #endif
02688 
02689     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
02690 
02691 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
02692     defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                           \
02693     defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
02694     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ||
02695         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
02696         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
02697     {
02698         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
02699         ssl->state++;
02700         return( 0 );
02701     }
02702 #endif
02703 
02704 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
02705     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
02706     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
02707         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
02708     {
02709         ssl_get_ecdh_params_from_cert( ssl );
02710 
02711         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
02712         ssl->state++;
02713         return( 0 );
02714     }
02715 #endif
02716 
02717 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02718     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02719     {
02720         size_t jlen;
02721         const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02722 
02723         ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
02724                 p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng );
02725         if( ret != 0 )
02726         {
02727             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
02728             return( ret );
02729         }
02730 
02731         p += jlen;
02732         n += jlen;
02733     }
02734 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02735 
02736 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                       \
02737     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02738     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02739         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
02740     {
02741         /* Note: we don't support identity hints, until someone asks
02742          * for them. */
02743         *(p++) = 0x00;
02744         *(p++) = 0x00;
02745 
02746         n += 2;
02747     }
02748 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
02749           MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
02750 
02751 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
02752     defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
02753     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
02754         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
02755     {
02756         if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
02757         {
02758             MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
02759             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02760         }
02761 
02762         /*
02763          * Ephemeral DH parameters:
02764          *
02765          * struct {
02766          *     opaque dh_p<1..2^16-1>;
02767          *     opaque dh_g<1..2^16-1>;
02768          *     opaque dh_Ys<1..2^16-1>;
02769          * } ServerDHParams;
02770          */
02771         if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 ||
02772             ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
02773         {
02774             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
02775             return( ret );
02776         }
02777 
02778         if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
02779                         (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
02780                         p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
02781         {
02782             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
02783             return( ret );
02784         }
02785 
02786         dig_signed = p;
02787         dig_signed_len = len;
02788 
02789         p += len;
02790         n += len;
02791 
02792         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
02793         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
02794         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
02795         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
02796     }
02797 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
02798           MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
02799 
02800 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
02801     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
02802         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
02803         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
02804     {
02805         /*
02806          * Ephemeral ECDH parameters:
02807          *
02808          * struct {
02809          *     ECParameters curve_params;
02810          *     ECPoint      public;
02811          * } ServerECDHParams;
02812          */
02813         const mbedtls_ecp_curve_info **curve = NULL;
02814         const mbedtls_ecp_group_id *gid;
02815 
02816         /* Match our preference list against the offered curves */
02817         for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
02818             for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
02819                 if( (*curve)->grp_id == *gid )
02820                     goto curve_matching_done;
02821 
02822 curve_matching_done:
02823         if( curve == NULL || *curve == NULL )
02824         {
02825             MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
02826             return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
02827         }
02828 
02829         MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
02830 
02831         if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
02832                                        (*curve)->grp_id ) ) != 0 )
02833         {
02834             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
02835             return( ret );
02836         }
02837 
02838         if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
02839                                       p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
02840                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
02841         {
02842             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
02843             return( ret );
02844         }
02845 
02846         dig_signed = p;
02847         dig_signed_len = len;
02848 
02849         p += len;
02850         n += len;
02851 
02852         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
02853     }
02854 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
02855 
02856 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
02857     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
02858     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02859     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
02860         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
02861         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
02862     {
02863         size_t signature_len = 0;
02864         unsigned int hashlen = 0;
02865         unsigned char hash[64];
02866         mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
02867 
02868         /*
02869          * Choose hash algorithm. NONE means MD5 + SHA1 here.
02870          */
02871 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
02872         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
02873         {
02874             md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
02875 
02876             if( md_alg == MBEDTLS_MD_NONE )
02877             {
02878                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02879                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02880             }
02881         }
02882         else
02883 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
02884 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
02885     defined(MBEDTLS_SSL_PROTO_TLS1_1)
02886         if( ciphersuite_info->key_exchange ==
02887                   MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
02888         {
02889             md_alg = MBEDTLS_MD_SHA1;
02890         }
02891         else
02892 #endif
02893         {
02894             md_alg = MBEDTLS_MD_NONE;
02895         }
02896 
02897         /*
02898          * Compute the hash to be signed
02899          */
02900 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
02901     defined(MBEDTLS_SSL_PROTO_TLS1_1)
02902         if( md_alg == MBEDTLS_MD_NONE )
02903         {
02904             mbedtls_md5_context mbedtls_md5;
02905             mbedtls_sha1_context mbedtls_sha1;
02906 
02907             mbedtls_md5_init(  &mbedtls_md5  );
02908             mbedtls_sha1_init( &mbedtls_sha1 );
02909 
02910             /*
02911              * digitally-signed struct {
02912              *     opaque md5_hash[16];
02913              *     opaque sha_hash[20];
02914              * };
02915              *
02916              * md5_hash
02917              *     MD5(ClientHello.random + ServerHello.random
02918              *                            + ServerParams);
02919              * sha_hash
02920              *     SHA(ClientHello.random + ServerHello.random
02921              *                            + ServerParams);
02922              */
02923             mbedtls_md5_starts( &mbedtls_md5 );
02924             mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes,  64 );
02925             mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
02926             mbedtls_md5_finish( &mbedtls_md5, hash );
02927 
02928             mbedtls_sha1_starts( &mbedtls_sha1 );
02929             mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes,  64 );
02930             mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
02931             mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
02932 
02933             hashlen = 36;
02934 
02935             mbedtls_md5_free(  &mbedtls_md5  );
02936             mbedtls_sha1_free( &mbedtls_sha1 );
02937         }
02938         else
02939 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
02940           MBEDTLS_SSL_PROTO_TLS1_1 */
02941 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
02942     defined(MBEDTLS_SSL_PROTO_TLS1_2)
02943         if( md_alg != MBEDTLS_MD_NONE )
02944         {
02945             mbedtls_md_context_t ctx;
02946             const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
02947 
02948             mbedtls_md_init( &ctx );
02949 
02950             /* Info from md_alg will be used instead */
02951             hashlen = 0;
02952 
02953             /*
02954              * digitally-signed struct {
02955              *     opaque client_random[32];
02956              *     opaque server_random[32];
02957              *     ServerDHParams params;
02958              * };
02959              */
02960             if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
02961             {
02962                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
02963                 return( ret );
02964             }
02965 
02966             mbedtls_md_starts( &ctx );
02967             mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
02968             mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
02969             mbedtls_md_finish( &ctx, hash );
02970             mbedtls_md_free( &ctx );
02971         }
02972         else
02973 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
02974           MBEDTLS_SSL_PROTO_TLS1_2 */
02975         {
02976             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02977             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02978         }
02979 
02980         MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
02981             (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
02982 
02983         /*
02984          * Make the signature
02985          */
02986         if( mbedtls_ssl_own_key( ssl ) == NULL )
02987         {
02988             MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
02989             return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
02990         }
02991 
02992 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
02993         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
02994         {
02995             *(p++) = ssl->handshake->sig_alg;
02996             *(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
02997 
02998             n += 2;
02999         }
03000 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03001 
03002         if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
03003                         p + 2 , &signature_len,
03004                         ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03005         {
03006             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
03007             return( ret );
03008         }
03009 
03010         *(p++) = (unsigned char)( signature_len >> 8 );
03011         *(p++) = (unsigned char)( signature_len      );
03012         n += 2;
03013 
03014         MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
03015 
03016         n += signature_len;
03017     }
03018 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
03019           MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
03020           MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
03021 
03022     ssl->out_msglen  = 4 + n;
03023     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03024     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
03025 
03026     ssl->state++;
03027 
03028     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03029     {
03030         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03031         return( ret );
03032     }
03033 
03034     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
03035 
03036     return( 0 );
03037 }
03038 
03039 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
03040 {
03041     int ret;
03042 
03043     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
03044 
03045     ssl->out_msglen  = 4;
03046     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03047     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
03048 
03049     ssl->state++;
03050 
03051 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03052     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03053         mbedtls_ssl_send_flight_completed( ssl );
03054 #endif
03055 
03056     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03057     {
03058         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03059         return( ret );
03060     }
03061 
03062     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
03063 
03064     return( 0 );
03065 }
03066 
03067 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
03068     defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
03069 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
03070                                        const unsigned char *end )
03071 {
03072     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
03073     size_t n;
03074 
03075     /*
03076      * Receive G^Y mod P, premaster = (G^Y)^X mod P
03077      */
03078     if( *p + 2 > end )
03079     {
03080         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03081         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03082     }
03083 
03084     n = ( (*p)[0] << 8 ) | (*p)[1];
03085     *p += 2;
03086 
03087     if( *p + n > end )
03088     {
03089         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03090         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03091     }
03092 
03093     if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
03094     {
03095         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
03096         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03097     }
03098 
03099     *p += n;
03100 
03101     MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
03102 
03103     return( ret );
03104 }
03105 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
03106           MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
03107 
03108 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
03109     defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
03110 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
03111                                     const unsigned char *p,
03112                                     const unsigned char *end,
03113                                     size_t pms_offset )
03114 {
03115     int ret;
03116     size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
03117     unsigned char *pms = ssl->handshake->premaster + pms_offset;
03118     unsigned char ver[2];
03119     unsigned char fake_pms[48], peer_pms[48];
03120     unsigned char mask;
03121     size_t i, peer_pmslen;
03122     unsigned int diff;
03123 
03124     if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
03125     {
03126         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
03127         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03128     }
03129 
03130     /*
03131      * Decrypt the premaster using own private RSA key
03132      */
03133 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
03134     defined(MBEDTLS_SSL_PROTO_TLS1_2)
03135     if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
03136     {
03137         if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
03138             *p++ != ( ( len      ) & 0xFF ) )
03139         {
03140             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03141             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03142         }
03143     }
03144 #endif
03145 
03146     if( p + len != end )
03147     {
03148         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03149         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03150     }
03151 
03152     mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
03153                        ssl->handshake->max_minor_ver,
03154                        ssl->conf->transport, ver );
03155 
03156     /*
03157      * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
03158      * must not cause the connection to end immediately; instead, send a
03159      * bad_record_mac later in the handshake.
03160      * Also, avoid data-dependant branches here to protect against
03161      * timing-based variants.
03162      */
03163     ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
03164     if( ret != 0 )
03165         return( ret );
03166 
03167     ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
03168                       peer_pms, &peer_pmslen,
03169                       sizeof( peer_pms ),
03170                       ssl->conf->f_rng, ssl->conf->p_rng );
03171 
03172     diff  = (unsigned int) ret;
03173     diff |= peer_pmslen ^ 48;
03174     diff |= peer_pms[0] ^ ver[0];
03175     diff |= peer_pms[1] ^ ver[1];
03176 
03177 #if defined(MBEDTLS_SSL_DEBUG_ALL)
03178     if( diff != 0 )
03179         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03180 #endif
03181 
03182     if( sizeof( ssl->handshake->premaster ) < pms_offset ||
03183         sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
03184     {
03185         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03186         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03187     }
03188     ssl->handshake->pmslen = 48;
03189 
03190     /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
03191     /* MSVC has a warning about unary minus on unsigned, but this is
03192      * well-defined and precisely what we want to do here */
03193 #if defined(_MSC_VER)
03194 #pragma warning( push )
03195 #pragma warning( disable : 4146 )
03196 #endif
03197     mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
03198 #if defined(_MSC_VER)
03199 #pragma warning( pop )
03200 #endif
03201 
03202     for( i = 0; i < ssl->handshake->pmslen; i++ )
03203         pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
03204 
03205     return( 0 );
03206 }
03207 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
03208           MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
03209 
03210 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
03211 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
03212                                           const unsigned char *end )
03213 {
03214     int ret = 0;
03215     size_t n;
03216 
03217     if( ssl->conf->f_psk == NULL &&
03218         ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
03219           ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
03220     {
03221         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
03222         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03223     }
03224 
03225     /*
03226      * Receive client pre-shared key identity name
03227      */
03228     if( *p + 2 > end )
03229     {
03230         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03231         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03232     }
03233 
03234     n = ( (*p)[0] << 8 ) | (*p)[1];
03235     *p += 2;
03236 
03237     if( n < 1 || n > 65535 || *p + n > end )
03238     {
03239         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03240         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03241     }
03242 
03243     if( ssl->conf->f_psk != NULL )
03244     {
03245         if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
03246             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
03247     }
03248     else
03249     {
03250         /* Identity is not a big secret since clients send it in the clear,
03251          * but treat it carefully anyway, just in case */
03252         if( n != ssl->conf->psk_identity_len ||
03253             mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
03254         {
03255             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
03256         }
03257     }
03258 
03259     if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
03260     {
03261         MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
03262         if( ( ret = mbedtls_ssl_send_alert_message( ssl,
03263                               MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03264                               MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
03265         {
03266             return( ret );
03267         }
03268 
03269         return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
03270     }
03271 
03272     *p += n;
03273 
03274     return( 0 );
03275 }
03276 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
03277 
03278 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
03279 {
03280     int ret;
03281     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
03282     unsigned char *p, *end;
03283 
03284     ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03285 
03286     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
03287 
03288     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
03289     {
03290         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
03291         return( ret );
03292     }
03293 
03294     p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
03295     end = ssl->in_msg + ssl->in_hslen;
03296 
03297     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
03298     {
03299         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03300         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03301     }
03302 
03303     if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
03304     {
03305         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03306         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03307     }
03308 
03309 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
03310     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
03311     {
03312         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03313         {
03314             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03315             return( ret );
03316         }
03317 
03318         if( p != end )
03319         {
03320             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03321             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03322         }
03323 
03324         if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
03325                                       ssl->handshake->premaster,
03326                                       MBEDTLS_PREMASTER_SIZE,
03327                                      &ssl->handshake->pmslen,
03328                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03329         {
03330             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
03331             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03332         }
03333 
03334         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
03335     }
03336     else
03337 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
03338 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
03339     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
03340     defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
03341     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
03342     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
03343         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
03344         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
03345         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
03346     {
03347         if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
03348                                       p, end - p) ) != 0 )
03349         {
03350             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
03351             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03352         }
03353 
03354         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03355 
03356         if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
03357                                       &ssl->handshake->pmslen,
03358                                        ssl->handshake->premaster,
03359                                        MBEDTLS_MPI_MAX_SIZE,
03360                                        ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03361         {
03362             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
03363             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03364         }
03365 
03366         MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
03367     }
03368     else
03369 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
03370           MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
03371           MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
03372           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
03373 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
03374     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
03375     {
03376         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03377         {
03378             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03379             return( ret );
03380         }
03381 
03382         if( p != end )
03383         {
03384             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03385             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03386         }
03387 
03388         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03389                         ciphersuite_info->key_exchange ) ) != 0 )
03390         {
03391             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03392             return( ret );
03393         }
03394     }
03395     else
03396 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
03397 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
03398     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
03399     {
03400         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03401         {
03402             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03403             return( ret );
03404         }
03405 
03406         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
03407         {
03408             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
03409             return( ret );
03410         }
03411 
03412         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03413                         ciphersuite_info->key_exchange ) ) != 0 )
03414         {
03415             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03416             return( ret );
03417         }
03418     }
03419     else
03420 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
03421 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
03422     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
03423     {
03424         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03425         {
03426             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03427             return( ret );
03428         }
03429         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03430         {
03431             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03432             return( ret );
03433         }
03434 
03435         if( p != end )
03436         {
03437             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03438             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03439         }
03440 
03441         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03442                         ciphersuite_info->key_exchange ) ) != 0 )
03443         {
03444             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03445             return( ret );
03446         }
03447     }
03448     else
03449 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
03450 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
03451     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
03452     {
03453         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03454         {
03455             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03456             return( ret );
03457         }
03458 
03459         if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
03460                                        p, end - p ) ) != 0 )
03461         {
03462             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
03463             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03464         }
03465 
03466         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03467 
03468         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03469                         ciphersuite_info->key_exchange ) ) != 0 )
03470         {
03471             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03472             return( ret );
03473         }
03474     }
03475     else
03476 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
03477 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
03478     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
03479     {
03480         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
03481         {
03482             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
03483             return( ret );
03484         }
03485     }
03486     else
03487 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
03488 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
03489     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
03490     {
03491         ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
03492                                               p, end - p );
03493         if( ret != 0 )
03494         {
03495             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
03496             return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
03497         }
03498 
03499         ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
03500                 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
03501                 ssl->conf->f_rng, ssl->conf->p_rng );
03502         if( ret != 0 )
03503         {
03504             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
03505             return( ret );
03506         }
03507     }
03508     else
03509 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
03510     {
03511         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03512         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03513     }
03514 
03515     if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
03516     {
03517         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
03518         return( ret );
03519     }
03520 
03521     ssl->state++;
03522 
03523     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
03524 
03525     return( 0 );
03526 }
03527 
03528 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
03529     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
03530     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
03531     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
03532 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
03533 {
03534     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03535 
03536     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03537 
03538     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
03539         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
03540         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
03541         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
03542         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
03543     {
03544         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03545         ssl->state++;
03546         return( 0 );
03547     }
03548 
03549     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03550     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03551 }
03552 #else
03553 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
03554 {
03555     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
03556     size_t i, sig_len;
03557     unsigned char hash[48];
03558     unsigned char *hash_start = hash;
03559     size_t hashlen;
03560 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03561     mbedtls_pk_type_t pk_alg;
03562 #endif
03563     mbedtls_md_type_t md_alg;
03564     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03565 
03566     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03567 
03568     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
03569         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
03570         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
03571         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
03572         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
03573         ssl->session_negotiate->peer_cert == NULL )
03574     {
03575         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03576         ssl->state++;
03577         return( 0 );
03578     }
03579 
03580     /* Needs to be done before read_record() to exclude current message */
03581     ssl->handshake->calc_verify( ssl, hash );
03582 
03583     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
03584     {
03585         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
03586         return( ret );
03587     }
03588 
03589     ssl->state++;
03590 
03591     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
03592         ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
03593     {
03594         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03595         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03596     }
03597 
03598     i = mbedtls_ssl_hs_hdr_len( ssl );
03599 
03600     /*
03601      *  struct {
03602      *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
03603      *     opaque signature<0..2^16-1>;
03604      *  } DigitallySigned;
03605      */
03606 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
03607     defined(MBEDTLS_SSL_PROTO_TLS1_1)
03608     if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
03609     {
03610         md_alg = MBEDTLS_MD_NONE;
03611         hashlen = 36;
03612 
03613         /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
03614         if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
03615                         MBEDTLS_PK_ECDSA ) )
03616         {
03617             hash_start += 16;
03618             hashlen -= 16;
03619             md_alg = MBEDTLS_MD_SHA1;
03620         }
03621     }
03622     else
03623 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
03624           MBEDTLS_SSL_PROTO_TLS1_1 */
03625 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03626     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
03627     {
03628         if( i + 2 > ssl->in_hslen )
03629         {
03630             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03631             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03632         }
03633 
03634         /*
03635          * Hash
03636          */
03637         if( ssl->in_msg[i] != ssl->handshake->verify_sig_alg )
03638         {
03639             MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03640                                 " for verify message" ) );
03641             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03642         }
03643 
03644         md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
03645 
03646         /* Info from md_alg will be used instead */
03647         hashlen = 0;
03648 
03649         i++;
03650 
03651         /*
03652          * Signature
03653          */
03654         if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
03655                         == MBEDTLS_PK_NONE )
03656         {
03657             MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03658                                 " for verify message" ) );
03659             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03660         }
03661 
03662         /*
03663          * Check the certificate's key type matches the signature alg
03664          */
03665         if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
03666         {
03667             MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
03668             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03669         }
03670 
03671         i++;
03672     }
03673     else
03674 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03675     {
03676         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03677         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03678     }
03679 
03680     if( i + 2 > ssl->in_hslen )
03681     {
03682         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03683         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03684     }
03685 
03686     sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
03687     i += 2;
03688 
03689     if( i + sig_len != ssl->in_hslen )
03690     {
03691         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03692         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03693     }
03694 
03695     if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
03696                            md_alg, hash_start, hashlen,
03697                            ssl->in_msg + i, sig_len ) ) != 0 )
03698     {
03699         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
03700         return( ret );
03701     }
03702 
03703     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
03704 
03705     return( ret );
03706 }
03707 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
03708           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
03709           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
03710 
03711 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
03712 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
03713 {
03714     int ret;
03715     size_t tlen;
03716     uint32_t lifetime;
03717 
03718     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
03719 
03720     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03721     ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
03722 
03723     /*
03724      * struct {
03725      *     uint32 ticket_lifetime_hint;
03726      *     opaque ticket<0..2^16-1>;
03727      * } NewSessionTicket;
03728      *
03729      * 4  .  7   ticket_lifetime_hint (0 = unspecified)
03730      * 8  .  9   ticket_len (n)
03731      * 10 .  9+n ticket content
03732      */
03733 
03734     if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
03735                                 ssl->session_negotiate,
03736                                 ssl->out_msg + 10,
03737                                 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
03738                                 &tlen, &lifetime ) ) != 0 )
03739     {
03740         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
03741         tlen = 0;
03742     }
03743 
03744     ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
03745     ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
03746     ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
03747     ssl->out_msg[7] = ( lifetime       ) & 0xFF;
03748 
03749     ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
03750     ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
03751 
03752     ssl->out_msglen = 10 + tlen;
03753 
03754     /*
03755      * Morally equivalent to updating ssl->state, but NewSessionTicket and
03756      * ChangeCipherSpec share the same state.
03757      */
03758     ssl->handshake->new_session_ticket = 0;
03759 
03760     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03761     {
03762         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03763         return( ret );
03764     }
03765 
03766     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
03767 
03768     return( 0 );
03769 }
03770 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
03771 
03772 /*
03773  * SSL handshake -- server side -- single step
03774  */
03775 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
03776 {
03777     int ret = 0;
03778 
03779     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
03780         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
03781 
03782     MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
03783 
03784     if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
03785         return( ret );
03786 
03787 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03788     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
03789         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
03790     {
03791         if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
03792             return( ret );
03793     }
03794 #endif
03795 
03796     switch( ssl->state )
03797     {
03798         case MBEDTLS_SSL_HELLO_REQUEST:
03799             ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
03800             break;
03801 
03802         /*
03803          *  <==   ClientHello
03804          */
03805         case MBEDTLS_SSL_CLIENT_HELLO:
03806             ret = ssl_parse_client_hello( ssl );
03807             break;
03808 
03809 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03810         case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
03811             return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
03812 #endif
03813 
03814         /*
03815          *  ==>   ServerHello
03816          *        Certificate
03817          *      ( ServerKeyExchange  )
03818          *      ( CertificateRequest )
03819          *        ServerHelloDone
03820          */
03821         case MBEDTLS_SSL_SERVER_HELLO:
03822             ret = ssl_write_server_hello( ssl );
03823             break;
03824 
03825         case MBEDTLS_SSL_SERVER_CERTIFICATE:
03826             ret = mbedtls_ssl_write_certificate( ssl );
03827             break;
03828 
03829         case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
03830             ret = ssl_write_server_key_exchange( ssl );
03831             break;
03832 
03833         case MBEDTLS_SSL_CERTIFICATE_REQUEST:
03834             ret = ssl_write_certificate_request( ssl );
03835             break;
03836 
03837         case MBEDTLS_SSL_SERVER_HELLO_DONE:
03838             ret = ssl_write_server_hello_done( ssl );
03839             break;
03840 
03841         /*
03842          *  <== ( Certificate/Alert  )
03843          *        ClientKeyExchange
03844          *      ( CertificateVerify  )
03845          *        ChangeCipherSpec
03846          *        Finished
03847          */
03848         case MBEDTLS_SSL_CLIENT_CERTIFICATE:
03849             ret = mbedtls_ssl_parse_certificate( ssl );
03850             break;
03851 
03852         case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
03853             ret = ssl_parse_client_key_exchange( ssl );
03854             break;
03855 
03856         case MBEDTLS_SSL_CERTIFICATE_VERIFY:
03857             ret = ssl_parse_certificate_verify( ssl );
03858             break;
03859 
03860         case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
03861             ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
03862             break;
03863 
03864         case MBEDTLS_SSL_CLIENT_FINISHED:
03865             ret = mbedtls_ssl_parse_finished( ssl );
03866             break;
03867 
03868         /*
03869          *  ==> ( NewSessionTicket )
03870          *        ChangeCipherSpec
03871          *        Finished
03872          */
03873         case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
03874 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
03875             if( ssl->handshake->new_session_ticket != 0 )
03876                 ret = ssl_write_new_session_ticket( ssl );
03877             else
03878 #endif
03879                 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
03880             break;
03881 
03882         case MBEDTLS_SSL_SERVER_FINISHED:
03883             ret = mbedtls_ssl_write_finished( ssl );
03884             break;
03885 
03886         case MBEDTLS_SSL_FLUSH_BUFFERS:
03887             MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
03888             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
03889             break;
03890 
03891         case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
03892             mbedtls_ssl_handshake_wrapup( ssl );
03893             break;
03894 
03895         default:
03896             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
03897             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
03898     }
03899 
03900     return( ret );
03901 }
03902 #endif /* MBEDTLS_SSL_SRV_C */