joey shelton / LED_Demo

Dependencies:   MAX44000 PWM_Tone_Library nexpaq_mdk

Fork of LED_Demo by Maxim nexpaq

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ssl_tls.c Source File

ssl_tls.c

00001 /*
00002  *  SSLv3/TLSv1 shared functions
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 /*
00022  *  The SSL 3.0 specification was drafted by Netscape in 1996,
00023  *  and became an IETF standard in 1999.
00024  *
00025  *  http://wp.netscape.com/eng/ssl3/
00026  *  http://www.ietf.org/rfc/rfc2246.txt
00027  *  http://www.ietf.org/rfc/rfc4346.txt
00028  */
00029 
00030 #if !defined(MBEDTLS_CONFIG_FILE)
00031 #include "mbedtls/config.h"
00032 #else
00033 #include MBEDTLS_CONFIG_FILE
00034 #endif
00035 
00036 #if defined(MBEDTLS_SSL_TLS_C)
00037 
00038 #if defined(MBEDTLS_PLATFORM_C)
00039 #include "mbedtls/platform.h"
00040 #else
00041 #include <stdlib.h>
00042 #define mbedtls_calloc    calloc
00043 #define mbedtls_free      free
00044 #define mbedtls_time_t    time_t
00045 #endif
00046 
00047 #include "mbedtls/debug.h"
00048 #include "mbedtls/ssl.h"
00049 #include "mbedtls/ssl_internal.h"
00050 
00051 #include <string.h>
00052 
00053 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
00054     defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
00055 #include "mbedtls/oid.h"
00056 #endif
00057 
00058 /* Implementation that should never be optimized out by the compiler */
00059 static void mbedtls_zeroize( void *v, size_t n ) {
00060     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
00061 }
00062 
00063 /* Length of the "epoch" field in the record header */
00064 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
00065 {
00066 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00067     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
00068         return( 2 );
00069 #else
00070     ((void) ssl);
00071 #endif
00072     return( 0 );
00073 }
00074 
00075 /*
00076  * Start a timer.
00077  * Passing millisecs = 0 cancels a running timer.
00078  */
00079 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
00080 {
00081     if( ssl->f_set_timer == NULL )
00082         return;
00083 
00084     MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
00085     ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
00086 }
00087 
00088 /*
00089  * Return -1 is timer is expired, 0 if it isn't.
00090  */
00091 static int ssl_check_timer( mbedtls_ssl_context *ssl )
00092 {
00093     if( ssl->f_get_timer == NULL )
00094         return( 0 );
00095 
00096     if( ssl->f_get_timer( ssl->p_timer ) == 2 )
00097     {
00098         MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
00099         return( -1 );
00100     }
00101 
00102     return( 0 );
00103 }
00104 
00105 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00106 /*
00107  * Double the retransmit timeout value, within the allowed range,
00108  * returning -1 if the maximum value has already been reached.
00109  */
00110 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
00111 {
00112     uint32_t new_timeout;
00113 
00114     if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
00115         return( -1 );
00116 
00117     new_timeout = 2 * ssl->handshake->retransmit_timeout;
00118 
00119     /* Avoid arithmetic overflow and range overflow */
00120     if( new_timeout < ssl->handshake->retransmit_timeout ||
00121         new_timeout > ssl->conf->hs_timeout_max )
00122     {
00123         new_timeout = ssl->conf->hs_timeout_max;
00124     }
00125 
00126     ssl->handshake->retransmit_timeout = new_timeout;
00127     MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
00128                         ssl->handshake->retransmit_timeout ) );
00129 
00130     return( 0 );
00131 }
00132 
00133 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
00134 {
00135     ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
00136     MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
00137                         ssl->handshake->retransmit_timeout ) );
00138 }
00139 #endif /* MBEDTLS_SSL_PROTO_DTLS */
00140 
00141 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
00142 /*
00143  * Convert max_fragment_length codes to length.
00144  * RFC 6066 says:
00145  *    enum{
00146  *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
00147  *    } MaxFragmentLength;
00148  * and we add 0 -> extension unused
00149  */
00150 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
00151 {
00152     MBEDTLS_SSL_MAX_CONTENT_LEN,    /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
00153     512,                    /* MBEDTLS_SSL_MAX_FRAG_LEN_512  */
00154     1024,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
00155     2048,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
00156     4096,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
00157 };
00158 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
00159 
00160 #if defined(MBEDTLS_SSL_CLI_C)
00161 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
00162 {
00163     mbedtls_ssl_session_free( dst );
00164     memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
00165 
00166 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00167     if( src->peer_cert != NULL )
00168     {
00169         int ret;
00170 
00171         dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
00172         if( dst->peer_cert == NULL )
00173             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00174 
00175         mbedtls_x509_crt_init( dst->peer_cert );
00176 
00177         if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
00178                                         src->peer_cert->raw.len ) ) != 0 )
00179         {
00180             mbedtls_free( dst->peer_cert );
00181             dst->peer_cert = NULL;
00182             return( ret );
00183         }
00184     }
00185 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00186 
00187 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
00188     if( src->ticket != NULL )
00189     {
00190         dst->ticket = mbedtls_calloc( 1, src->ticket_len );
00191         if( dst->ticket == NULL )
00192             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00193 
00194         memcpy( dst->ticket, src->ticket, src->ticket_len );
00195     }
00196 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
00197 
00198     return( 0 );
00199 }
00200 #endif /* MBEDTLS_SSL_CLI_C */
00201 
00202 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
00203 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
00204                      const unsigned char *key_enc, const unsigned char *key_dec,
00205                      size_t keylen,
00206                      const unsigned char *iv_enc,  const unsigned char *iv_dec,
00207                      size_t ivlen,
00208                      const unsigned char *mac_enc, const unsigned char *mac_dec,
00209                      size_t maclen ) = NULL;
00210 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
00211 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
00212 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
00213 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
00214 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
00215 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
00216 
00217 /*
00218  * Key material generation
00219  */
00220 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00221 static int ssl3_prf( const unsigned char *secret, size_t slen,
00222                      const char *label,
00223                      const unsigned char *random, size_t rlen,
00224                      unsigned char *dstbuf, size_t dlen )
00225 {
00226     size_t i;
00227     mbedtls_md5_context md5;
00228     mbedtls_sha1_context sha1;
00229     unsigned char padding[16];
00230     unsigned char sha1sum[20];
00231     ((void)label);
00232 
00233     mbedtls_md5_init(  &md5  );
00234     mbedtls_sha1_init( &sha1 );
00235 
00236     /*
00237      *  SSLv3:
00238      *    block =
00239      *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
00240      *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
00241      *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
00242      *      ...
00243      */
00244     for( i = 0; i < dlen / 16; i++ )
00245     {
00246         memset( padding, (unsigned char) ('A' + i), 1 + i );
00247 
00248         mbedtls_sha1_starts( &sha1 );
00249         mbedtls_sha1_update( &sha1, padding, 1 + i );
00250         mbedtls_sha1_update( &sha1, secret, slen );
00251         mbedtls_sha1_update( &sha1, random, rlen );
00252         mbedtls_sha1_finish( &sha1, sha1sum );
00253 
00254         mbedtls_md5_starts( &md5 );
00255         mbedtls_md5_update( &md5, secret, slen );
00256         mbedtls_md5_update( &md5, sha1sum, 20 );
00257         mbedtls_md5_finish( &md5, dstbuf + i * 16 );
00258     }
00259 
00260     mbedtls_md5_free(  &md5  );
00261     mbedtls_sha1_free( &sha1 );
00262 
00263     mbedtls_zeroize( padding, sizeof( padding ) );
00264     mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
00265 
00266     return( 0 );
00267 }
00268 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
00269 
00270 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
00271 static int tls1_prf( const unsigned char *secret, size_t slen,
00272                      const char *label,
00273                      const unsigned char *random, size_t rlen,
00274                      unsigned char *dstbuf, size_t dlen )
00275 {
00276     size_t nb, hs;
00277     size_t i, j, k;
00278     const unsigned char *S1, *S2;
00279     unsigned char tmp[128];
00280     unsigned char h_i[20];
00281     const mbedtls_md_info_t *md_info;
00282     mbedtls_md_context_t md_ctx;
00283     int ret;
00284 
00285     mbedtls_md_init( &md_ctx );
00286 
00287     if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
00288         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00289 
00290     hs = ( slen + 1 ) / 2;
00291     S1 = secret;
00292     S2 = secret + slen - hs;
00293 
00294     nb = strlen( label );
00295     memcpy( tmp + 20, label, nb );
00296     memcpy( tmp + 20 + nb, random, rlen );
00297     nb += rlen;
00298 
00299     /*
00300      * First compute P_md5(secret,label+random)[0..dlen]
00301      */
00302     if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
00303         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00304 
00305     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
00306         return( ret );
00307 
00308     mbedtls_md_hmac_starts( &md_ctx, S1, hs );
00309     mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
00310     mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
00311 
00312     for( i = 0; i < dlen; i += 16 )
00313     {
00314         mbedtls_md_hmac_reset ( &md_ctx );
00315         mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
00316         mbedtls_md_hmac_finish( &md_ctx, h_i );
00317 
00318         mbedtls_md_hmac_reset ( &md_ctx );
00319         mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
00320         mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
00321 
00322         k = ( i + 16 > dlen ) ? dlen % 16 : 16;
00323 
00324         for( j = 0; j < k; j++ )
00325             dstbuf[i + j]  = h_i[j];
00326     }
00327 
00328     mbedtls_md_free( &md_ctx );
00329 
00330     /*
00331      * XOR out with P_sha1(secret,label+random)[0..dlen]
00332      */
00333     if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
00334         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00335 
00336     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
00337         return( ret );
00338 
00339     mbedtls_md_hmac_starts( &md_ctx, S2, hs );
00340     mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
00341     mbedtls_md_hmac_finish( &md_ctx, tmp );
00342 
00343     for( i = 0; i < dlen; i += 20 )
00344     {
00345         mbedtls_md_hmac_reset ( &md_ctx );
00346         mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
00347         mbedtls_md_hmac_finish( &md_ctx, h_i );
00348 
00349         mbedtls_md_hmac_reset ( &md_ctx );
00350         mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
00351         mbedtls_md_hmac_finish( &md_ctx, tmp );
00352 
00353         k = ( i + 20 > dlen ) ? dlen % 20 : 20;
00354 
00355         for( j = 0; j < k; j++ )
00356             dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
00357     }
00358 
00359     mbedtls_md_free( &md_ctx );
00360 
00361     mbedtls_zeroize( tmp, sizeof( tmp ) );
00362     mbedtls_zeroize( h_i, sizeof( h_i ) );
00363 
00364     return( 0 );
00365 }
00366 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
00367 
00368 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00369 static int tls_prf_generic( mbedtls_md_type_t md_type,
00370                             const unsigned char *secret, size_t slen,
00371                             const char *label,
00372                             const unsigned char *random, size_t rlen,
00373                             unsigned char *dstbuf, size_t dlen )
00374 {
00375     size_t nb;
00376     size_t i, j, k, md_len;
00377     unsigned char tmp[128];
00378     unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
00379     const mbedtls_md_info_t *md_info;
00380     mbedtls_md_context_t md_ctx;
00381     int ret;
00382 
00383     mbedtls_md_init( &md_ctx );
00384 
00385     if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
00386         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00387 
00388     md_len = mbedtls_md_get_size( md_info );
00389 
00390     if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
00391         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00392 
00393     nb = strlen( label );
00394     memcpy( tmp + md_len, label, nb );
00395     memcpy( tmp + md_len + nb, random, rlen );
00396     nb += rlen;
00397 
00398     /*
00399      * Compute P_<hash>(secret, label + random)[0..dlen]
00400      */
00401     if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
00402         return( ret );
00403 
00404     mbedtls_md_hmac_starts( &md_ctx, secret, slen );
00405     mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
00406     mbedtls_md_hmac_finish( &md_ctx, tmp );
00407 
00408     for( i = 0; i < dlen; i += md_len )
00409     {
00410         mbedtls_md_hmac_reset ( &md_ctx );
00411         mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
00412         mbedtls_md_hmac_finish( &md_ctx, h_i );
00413 
00414         mbedtls_md_hmac_reset ( &md_ctx );
00415         mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
00416         mbedtls_md_hmac_finish( &md_ctx, tmp );
00417 
00418         k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
00419 
00420         for( j = 0; j < k; j++ )
00421             dstbuf[i + j]  = h_i[j];
00422     }
00423 
00424     mbedtls_md_free( &md_ctx );
00425 
00426     mbedtls_zeroize( tmp, sizeof( tmp ) );
00427     mbedtls_zeroize( h_i, sizeof( h_i ) );
00428 
00429     return( 0 );
00430 }
00431 
00432 #if defined(MBEDTLS_SHA256_C)
00433 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
00434                            const char *label,
00435                            const unsigned char *random, size_t rlen,
00436                            unsigned char *dstbuf, size_t dlen )
00437 {
00438     return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
00439                              label, random, rlen, dstbuf, dlen ) );
00440 }
00441 #endif /* MBEDTLS_SHA256_C */
00442 
00443 #if defined(MBEDTLS_SHA512_C)
00444 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
00445                            const char *label,
00446                            const unsigned char *random, size_t rlen,
00447                            unsigned char *dstbuf, size_t dlen )
00448 {
00449     return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
00450                              label, random, rlen, dstbuf, dlen ) );
00451 }
00452 #endif /* MBEDTLS_SHA512_C */
00453 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00454 
00455 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
00456 
00457 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
00458     defined(MBEDTLS_SSL_PROTO_TLS1_1)
00459 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
00460 #endif
00461 
00462 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00463 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
00464 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
00465 #endif
00466 
00467 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
00468 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
00469 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
00470 #endif
00471 
00472 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00473 #if defined(MBEDTLS_SHA256_C)
00474 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
00475 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
00476 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
00477 #endif
00478 
00479 #if defined(MBEDTLS_SHA512_C)
00480 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
00481 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
00482 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
00483 #endif
00484 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00485 
00486 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
00487 {
00488     int ret = 0;
00489     unsigned char tmp[64];
00490     unsigned char keyblk[256];
00491     unsigned char *key1;
00492     unsigned char *key2;
00493     unsigned char *mac_enc;
00494     unsigned char *mac_dec;
00495     size_t iv_copy_len;
00496     const mbedtls_cipher_info_t *cipher_info;
00497     const mbedtls_md_info_t *md_info;
00498 
00499     mbedtls_ssl_session *session = ssl->session_negotiate;
00500     mbedtls_ssl_transform *transform = ssl->transform_negotiate;
00501     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
00502 
00503     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
00504 
00505     cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
00506     if( cipher_info == NULL )
00507     {
00508         MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
00509                             transform->ciphersuite_info->cipher ) );
00510         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00511     }
00512 
00513     md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
00514     if( md_info == NULL )
00515     {
00516         MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
00517                             transform->ciphersuite_info->mac ) );
00518         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00519     }
00520 
00521     /*
00522      * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
00523      */
00524 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00525     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
00526     {
00527         handshake->tls_prf = ssl3_prf;
00528         handshake->calc_verify = ssl_calc_verify_ssl;
00529         handshake->calc_finished = ssl_calc_finished_ssl;
00530     }
00531     else
00532 #endif
00533 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
00534     if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
00535     {
00536         handshake->tls_prf = tls1_prf;
00537         handshake->calc_verify = ssl_calc_verify_tls;
00538         handshake->calc_finished = ssl_calc_finished_tls;
00539     }
00540     else
00541 #endif
00542 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00543 #if defined(MBEDTLS_SHA512_C)
00544     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
00545         transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
00546     {
00547         handshake->tls_prf = tls_prf_sha384;
00548         handshake->calc_verify = ssl_calc_verify_tls_sha384;
00549         handshake->calc_finished = ssl_calc_finished_tls_sha384;
00550     }
00551     else
00552 #endif
00553 #if defined(MBEDTLS_SHA256_C)
00554     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00555     {
00556         handshake->tls_prf = tls_prf_sha256;
00557         handshake->calc_verify = ssl_calc_verify_tls_sha256;
00558         handshake->calc_finished = ssl_calc_finished_tls_sha256;
00559     }
00560     else
00561 #endif
00562 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00563     {
00564         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00565         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00566     }
00567 
00568     /*
00569      * SSLv3:
00570      *   master =
00571      *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
00572      *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
00573      *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
00574      *
00575      * TLSv1+:
00576      *   master = PRF( premaster, "master secret", randbytes )[0..47]
00577      */
00578     if( handshake->resume == 0 )
00579     {
00580         MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
00581                        handshake->pmslen );
00582 
00583 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
00584         if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
00585         {
00586             unsigned char session_hash[48];
00587             size_t hash_len;
00588 
00589             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
00590 
00591             ssl->handshake->calc_verify( ssl, session_hash );
00592 
00593 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
00594             if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00595             {
00596 #if defined(MBEDTLS_SHA512_C)
00597                 if( ssl->transform_negotiate->ciphersuite_info->mac ==
00598                     MBEDTLS_MD_SHA384 )
00599                 {
00600                     hash_len = 48;
00601                 }
00602                 else
00603 #endif
00604                     hash_len = 32;
00605             }
00606             else
00607 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
00608                 hash_len = 36;
00609 
00610             MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
00611 
00612             ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
00613                                       "extended master secret",
00614                                       session_hash, hash_len,
00615                                       session->master, 48 );
00616             if( ret != 0 )
00617             {
00618                 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
00619                 return( ret );
00620             }
00621 
00622         }
00623         else
00624 #endif
00625         ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
00626                                   "master secret",
00627                                   handshake->randbytes, 64,
00628                                   session->master, 48 );
00629         if( ret != 0 )
00630         {
00631             MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
00632             return( ret );
00633         }
00634 
00635         mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
00636     }
00637     else
00638         MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
00639 
00640     /*
00641      * Swap the client and server random values.
00642      */
00643     memcpy( tmp, handshake->randbytes, 64 );
00644     memcpy( handshake->randbytes, tmp + 32, 32 );
00645     memcpy( handshake->randbytes + 32, tmp, 32 );
00646     mbedtls_zeroize( tmp, sizeof( tmp ) );
00647 
00648     /*
00649      *  SSLv3:
00650      *    key block =
00651      *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
00652      *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
00653      *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
00654      *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
00655      *      ...
00656      *
00657      *  TLSv1:
00658      *    key block = PRF( master, "key expansion", randbytes )
00659      */
00660     ret = handshake->tls_prf( session->master, 48, "key expansion",
00661                               handshake->randbytes, 64, keyblk, 256 );
00662     if( ret != 0 )
00663     {
00664         MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
00665         return( ret );
00666     }
00667 
00668     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
00669                    mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
00670     MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
00671     MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
00672     MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
00673 
00674     mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
00675 
00676     /*
00677      * Determine the appropriate key, IV and MAC length.
00678      */
00679 
00680     transform->keylen = cipher_info->key_bitlen / 8;
00681 
00682     if( cipher_info->mode == MBEDTLS_MODE_GCM ||
00683         cipher_info->mode == MBEDTLS_MODE_CCM )
00684     {
00685         transform->maclen = 0;
00686 
00687         transform->ivlen = 12;
00688         transform->fixed_ivlen = 4;
00689 
00690         /* Minimum length is expicit IV + tag */
00691         transform->minlen = transform->ivlen - transform->fixed_ivlen
00692                             + ( transform->ciphersuite_info->flags &
00693                                 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
00694     }
00695     else
00696     {
00697         /* Initialize HMAC contexts */
00698         if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
00699             ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
00700         {
00701             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
00702             return( ret );
00703         }
00704 
00705         /* Get MAC length */
00706         transform->maclen = mbedtls_md_get_size( md_info );
00707 
00708 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
00709         /*
00710          * If HMAC is to be truncated, we shall keep the leftmost bytes,
00711          * (rfc 6066 page 13 or rfc 2104 section 4),
00712          * so we only need to adjust the length here.
00713          */
00714         if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
00715             transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
00716 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
00717 
00718         /* IV length */
00719         transform->ivlen = cipher_info->iv_size;
00720 
00721         /* Minimum length */
00722         if( cipher_info->mode == MBEDTLS_MODE_STREAM )
00723             transform->minlen = transform->maclen;
00724         else
00725         {
00726             /*
00727              * GenericBlockCipher:
00728              * 1. if EtM is in use: one block plus MAC
00729              *    otherwise: * first multiple of blocklen greater than maclen
00730              * 2. IV except for SSL3 and TLS 1.0
00731              */
00732 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
00733             if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
00734             {
00735                 transform->minlen = transform->maclen
00736                                   + cipher_info->block_size;
00737             }
00738             else
00739 #endif
00740             {
00741                 transform->minlen = transform->maclen
00742                                   + cipher_info->block_size
00743                                   - transform->maclen % cipher_info->block_size;
00744             }
00745 
00746 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
00747             if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
00748                 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
00749                 ; /* No need to adjust minlen */
00750             else
00751 #endif
00752 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
00753             if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
00754                 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00755             {
00756                 transform->minlen += transform->ivlen;
00757             }
00758             else
00759 #endif
00760             {
00761                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00762                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00763             }
00764         }
00765     }
00766 
00767     MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
00768                    transform->keylen, transform->minlen, transform->ivlen,
00769                    transform->maclen ) );
00770 
00771     /*
00772      * Finally setup the cipher contexts, IVs and MAC secrets.
00773      */
00774 #if defined(MBEDTLS_SSL_CLI_C)
00775     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
00776     {
00777         key1 = keyblk + transform->maclen * 2;
00778         key2 = keyblk + transform->maclen * 2 + transform->keylen;
00779 
00780         mac_enc = keyblk;
00781         mac_dec = keyblk + transform->maclen;
00782 
00783         /*
00784          * This is not used in TLS v1.1.
00785          */
00786         iv_copy_len = ( transform->fixed_ivlen ) ?
00787                             transform->fixed_ivlen : transform->ivlen;
00788         memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
00789         memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
00790                 iv_copy_len );
00791     }
00792     else
00793 #endif /* MBEDTLS_SSL_CLI_C */
00794 #if defined(MBEDTLS_SSL_SRV_C)
00795     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
00796     {
00797         key1 = keyblk + transform->maclen * 2 + transform->keylen;
00798         key2 = keyblk + transform->maclen * 2;
00799 
00800         mac_enc = keyblk + transform->maclen;
00801         mac_dec = keyblk;
00802 
00803         /*
00804          * This is not used in TLS v1.1.
00805          */
00806         iv_copy_len = ( transform->fixed_ivlen ) ?
00807                             transform->fixed_ivlen : transform->ivlen;
00808         memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
00809         memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
00810                 iv_copy_len );
00811     }
00812     else
00813 #endif /* MBEDTLS_SSL_SRV_C */
00814     {
00815         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00816         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00817     }
00818 
00819 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00820     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
00821     {
00822         if( transform->maclen > sizeof transform->mac_enc )
00823         {
00824             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00825             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00826         }
00827 
00828         memcpy( transform->mac_enc, mac_enc, transform->maclen );
00829         memcpy( transform->mac_dec, mac_dec, transform->maclen );
00830     }
00831     else
00832 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
00833 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
00834     defined(MBEDTLS_SSL_PROTO_TLS1_2)
00835     if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
00836     {
00837         mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
00838         mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
00839     }
00840     else
00841 #endif
00842     {
00843         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00844         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00845     }
00846 
00847 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
00848     if( mbedtls_ssl_hw_record_init != NULL )
00849     {
00850         int ret = 0;
00851 
00852         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
00853 
00854         if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
00855                                         transform->iv_enc, transform->iv_dec,
00856                                         iv_copy_len,
00857                                         mac_enc, mac_dec,
00858                                         transform->maclen ) ) != 0 )
00859         {
00860             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
00861             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
00862         }
00863     }
00864 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
00865 
00866 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
00867     if( ssl->conf->f_export_keys != NULL )
00868     {
00869         ssl->conf->f_export_keys( ssl->conf->p_export_keys,
00870                                   session->master, keyblk,
00871                                   transform->maclen, transform->keylen,
00872                                   iv_copy_len );
00873     }
00874 #endif
00875 
00876     if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
00877                                  cipher_info ) ) != 0 )
00878     {
00879         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
00880         return( ret );
00881     }
00882 
00883     if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
00884                                  cipher_info ) ) != 0 )
00885     {
00886         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
00887         return( ret );
00888     }
00889 
00890     if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
00891                                cipher_info->key_bitlen,
00892                                MBEDTLS_ENCRYPT ) ) != 0 )
00893     {
00894         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
00895         return( ret );
00896     }
00897 
00898     if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
00899                                cipher_info->key_bitlen,
00900                                MBEDTLS_DECRYPT ) ) != 0 )
00901     {
00902         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
00903         return( ret );
00904     }
00905 
00906 #if defined(MBEDTLS_CIPHER_MODE_CBC)
00907     if( cipher_info->mode == MBEDTLS_MODE_CBC )
00908     {
00909         if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
00910                                              MBEDTLS_PADDING_NONE ) ) != 0 )
00911         {
00912             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
00913             return( ret );
00914         }
00915 
00916         if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
00917                                              MBEDTLS_PADDING_NONE ) ) != 0 )
00918         {
00919             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
00920             return( ret );
00921         }
00922     }
00923 #endif /* MBEDTLS_CIPHER_MODE_CBC */
00924 
00925     mbedtls_zeroize( keyblk, sizeof( keyblk ) );
00926 
00927 #if defined(MBEDTLS_ZLIB_SUPPORT)
00928     // Initialize compression
00929     //
00930     if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
00931     {
00932         if( ssl->compress_buf == NULL )
00933         {
00934             MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
00935             ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
00936             if( ssl->compress_buf == NULL )
00937             {
00938                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
00939                                     MBEDTLS_SSL_BUFFER_LEN ) );
00940                 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00941             }
00942         }
00943 
00944         MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
00945 
00946         memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
00947         memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
00948 
00949         if( deflateInit( &transform->ctx_deflate,
00950                          Z_DEFAULT_COMPRESSION )   != Z_OK ||
00951             inflateInit( &transform->ctx_inflate ) != Z_OK )
00952         {
00953             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
00954             return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
00955         }
00956     }
00957 #endif /* MBEDTLS_ZLIB_SUPPORT */
00958 
00959     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
00960 
00961     return( 0 );
00962 }
00963 
00964 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00965 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
00966 {
00967     mbedtls_md5_context md5;
00968     mbedtls_sha1_context sha1;
00969     unsigned char pad_1[48];
00970     unsigned char pad_2[48];
00971 
00972     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
00973 
00974     mbedtls_md5_init( &md5 );
00975     mbedtls_sha1_init( &sha1 );
00976 
00977     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
00978     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
00979 
00980     memset( pad_1, 0x36, 48 );
00981     memset( pad_2, 0x5C, 48 );
00982 
00983     mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
00984     mbedtls_md5_update( &md5, pad_1, 48 );
00985     mbedtls_md5_finish( &md5, hash );
00986 
00987     mbedtls_md5_starts( &md5 );
00988     mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
00989     mbedtls_md5_update( &md5, pad_2, 48 );
00990     mbedtls_md5_update( &md5, hash,  16 );
00991     mbedtls_md5_finish( &md5, hash );
00992 
00993     mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
00994     mbedtls_sha1_update( &sha1, pad_1, 40 );
00995     mbedtls_sha1_finish( &sha1, hash + 16 );
00996 
00997     mbedtls_sha1_starts( &sha1 );
00998     mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
00999     mbedtls_sha1_update( &sha1, pad_2, 40 );
01000     mbedtls_sha1_update( &sha1, hash + 16, 20 );
01001     mbedtls_sha1_finish( &sha1, hash + 16 );
01002 
01003     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
01004     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01005 
01006     mbedtls_md5_free(  &md5  );
01007     mbedtls_sha1_free( &sha1 );
01008 
01009     return;
01010 }
01011 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01012 
01013 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
01014 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
01015 {
01016     mbedtls_md5_context md5;
01017     mbedtls_sha1_context sha1;
01018 
01019     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
01020 
01021     mbedtls_md5_init( &md5 );
01022     mbedtls_sha1_init( &sha1 );
01023 
01024     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
01025     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
01026 
01027      mbedtls_md5_finish( &md5,  hash );
01028     mbedtls_sha1_finish( &sha1, hash + 16 );
01029 
01030     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
01031     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01032 
01033     mbedtls_md5_free(  &md5  );
01034     mbedtls_sha1_free( &sha1 );
01035 
01036     return;
01037 }
01038 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
01039 
01040 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
01041 #if defined(MBEDTLS_SHA256_C)
01042 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
01043 {
01044     mbedtls_sha256_context sha256;
01045 
01046     mbedtls_sha256_init( &sha256 );
01047 
01048     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
01049 
01050     mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
01051     mbedtls_sha256_finish( &sha256, hash );
01052 
01053     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
01054     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01055 
01056     mbedtls_sha256_free( &sha256 );
01057 
01058     return;
01059 }
01060 #endif /* MBEDTLS_SHA256_C */
01061 
01062 #if defined(MBEDTLS_SHA512_C)
01063 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
01064 {
01065     mbedtls_sha512_context sha512;
01066 
01067     mbedtls_sha512_init( &sha512 );
01068 
01069     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
01070 
01071     mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
01072     mbedtls_sha512_finish( &sha512, hash );
01073 
01074     MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
01075     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
01076 
01077     mbedtls_sha512_free( &sha512 );
01078 
01079     return;
01080 }
01081 #endif /* MBEDTLS_SHA512_C */
01082 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
01083 
01084 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
01085 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
01086 {
01087     unsigned char *p = ssl->handshake->premaster;
01088     unsigned char *end = p + sizeof( ssl->handshake->premaster );
01089     const unsigned char *psk = ssl->conf->psk;
01090     size_t psk_len = ssl->conf->psk_len;
01091 
01092     /* If the psk callback was called, use its result */
01093     if( ssl->handshake->psk != NULL )
01094     {
01095         psk = ssl->handshake->psk;
01096         psk_len = ssl->handshake->psk_len;
01097     }
01098 
01099     /*
01100      * PMS = struct {
01101      *     opaque other_secret<0..2^16-1>;
01102      *     opaque psk<0..2^16-1>;
01103      * };
01104      * with "other_secret" depending on the particular key exchange
01105      */
01106 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
01107     if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
01108     {
01109         if( end - p < 2 )
01110             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01111 
01112         *(p++) = (unsigned char)( psk_len >> 8 );
01113         *(p++) = (unsigned char)( psk_len      );
01114 
01115         if( end < p || (size_t)( end - p ) < psk_len )
01116             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01117 
01118         memset( p, 0, psk_len );
01119         p += psk_len;
01120     }
01121     else
01122 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
01123 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
01124     if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
01125     {
01126         /*
01127          * other_secret already set by the ClientKeyExchange message,
01128          * and is 48 bytes long
01129          */
01130         *p++ = 0;
01131         *p++ = 48;
01132         p += 48;
01133     }
01134     else
01135 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
01136 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
01137     if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
01138     {
01139         int ret;
01140         size_t len;
01141 
01142         /* Write length only when we know the actual value */
01143         if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
01144                                       p + 2, end - ( p + 2 ), &len,
01145                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
01146         {
01147             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
01148             return( ret );
01149         }
01150         *(p++) = (unsigned char)( len >> 8 );
01151         *(p++) = (unsigned char)( len );
01152         p += len;
01153 
01154         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
01155     }
01156     else
01157 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
01158 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
01159     if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
01160     {
01161         int ret;
01162         size_t zlen;
01163 
01164         if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
01165                                        p + 2, end - ( p + 2 ),
01166                                        ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
01167         {
01168             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
01169             return( ret );
01170         }
01171 
01172         *(p++) = (unsigned char)( zlen >> 8 );
01173         *(p++) = (unsigned char)( zlen      );
01174         p += zlen;
01175 
01176         MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
01177     }
01178     else
01179 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
01180     {
01181         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01182         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01183     }
01184 
01185     /* opaque psk<0..2^16-1>; */
01186     if( end - p < 2 )
01187         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01188 
01189     *(p++) = (unsigned char)( psk_len >> 8 );
01190     *(p++) = (unsigned char)( psk_len      );
01191 
01192     if( end < p || (size_t)( end - p ) < psk_len )
01193         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
01194 
01195     memcpy( p, psk, psk_len );
01196     p += psk_len;
01197 
01198     ssl->handshake->pmslen = p - ssl->handshake->premaster;
01199 
01200     return( 0 );
01201 }
01202 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
01203 
01204 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01205 /*
01206  * SSLv3.0 MAC functions
01207  */
01208 static void ssl_mac( mbedtls_md_context_t *md_ctx, unsigned char *secret,
01209                      unsigned char *buf, size_t len,
01210                      unsigned char *ctr, int type )
01211 {
01212     unsigned char header[11];
01213     unsigned char padding[48];
01214     int padlen;
01215     int md_size = mbedtls_md_get_size( md_ctx->md_info );
01216     int md_type = mbedtls_md_get_type( md_ctx->md_info );
01217 
01218     /* Only MD5 and SHA-1 supported */
01219     if( md_type == MBEDTLS_MD_MD5 )
01220         padlen = 48;
01221     else
01222         padlen = 40;
01223 
01224     memcpy( header, ctr, 8 );
01225     header[ 8] = (unsigned char)  type;
01226     header[ 9] = (unsigned char)( len >> 8 );
01227     header[10] = (unsigned char)( len      );
01228 
01229     memset( padding, 0x36, padlen );
01230     mbedtls_md_starts( md_ctx );
01231     mbedtls_md_update( md_ctx, secret,  md_size );
01232     mbedtls_md_update( md_ctx, padding, padlen  );
01233     mbedtls_md_update( md_ctx, header,  11      );
01234     mbedtls_md_update( md_ctx, buf,     len     );
01235     mbedtls_md_finish( md_ctx, buf +    len     );
01236 
01237     memset( padding, 0x5C, padlen );
01238     mbedtls_md_starts( md_ctx );
01239     mbedtls_md_update( md_ctx, secret,    md_size );
01240     mbedtls_md_update( md_ctx, padding,   padlen  );
01241     mbedtls_md_update( md_ctx, buf + len, md_size );
01242     mbedtls_md_finish( md_ctx, buf + len          );
01243 }
01244 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01245 
01246 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||     \
01247     ( defined(MBEDTLS_CIPHER_MODE_CBC) &&                                  \
01248       ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) )
01249 #define SSL_SOME_MODES_USE_MAC
01250 #endif
01251 
01252 /*
01253  * Encryption/decryption functions
01254  */
01255 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
01256 {
01257     mbedtls_cipher_mode_t mode;
01258     int auth_done = 0;
01259 
01260     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
01261 
01262     if( ssl->session_out == NULL || ssl->transform_out == NULL )
01263     {
01264         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01265         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01266     }
01267 
01268     mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
01269 
01270     MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
01271                       ssl->out_msg, ssl->out_msglen );
01272 
01273     /*
01274      * Add MAC before if needed
01275      */
01276 #if defined(SSL_SOME_MODES_USE_MAC)
01277     if( mode == MBEDTLS_MODE_STREAM ||
01278         ( mode == MBEDTLS_MODE_CBC
01279 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01280           && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
01281 #endif
01282         ) )
01283     {
01284 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01285         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01286         {
01287             ssl_mac( &ssl->transform_out->md_ctx_enc,
01288                       ssl->transform_out->mac_enc,
01289                       ssl->out_msg, ssl->out_msglen,
01290                       ssl->out_ctr, ssl->out_msgtype );
01291         }
01292         else
01293 #endif
01294 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
01295         defined(MBEDTLS_SSL_PROTO_TLS1_2)
01296         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
01297         {
01298             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
01299             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
01300             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
01301             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
01302                              ssl->out_msg, ssl->out_msglen );
01303             mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
01304                              ssl->out_msg + ssl->out_msglen );
01305             mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
01306         }
01307         else
01308 #endif
01309         {
01310             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01311             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01312         }
01313 
01314         MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
01315                        ssl->out_msg + ssl->out_msglen,
01316                        ssl->transform_out->maclen );
01317 
01318         ssl->out_msglen += ssl->transform_out->maclen;
01319         auth_done++;
01320     }
01321 #endif /* AEAD not the only option */
01322 
01323     /*
01324      * Encrypt
01325      */
01326 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
01327     if( mode == MBEDTLS_MODE_STREAM )
01328     {
01329         int ret;
01330         size_t olen = 0;
01331 
01332         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
01333                             "including %d bytes of padding",
01334                        ssl->out_msglen, 0 ) );
01335 
01336         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
01337                                    ssl->transform_out->iv_enc,
01338                                    ssl->transform_out->ivlen,
01339                                    ssl->out_msg, ssl->out_msglen,
01340                                    ssl->out_msg, &olen ) ) != 0 )
01341         {
01342             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01343             return( ret );
01344         }
01345 
01346         if( ssl->out_msglen != olen )
01347         {
01348             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01349             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01350         }
01351     }
01352     else
01353 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
01354 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
01355     if( mode == MBEDTLS_MODE_GCM ||
01356         mode == MBEDTLS_MODE_CCM )
01357     {
01358         int ret;
01359         size_t enc_msglen, olen;
01360         unsigned char *enc_msg;
01361         unsigned char add_data[13];
01362         unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
01363                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
01364 
01365         memcpy( add_data, ssl->out_ctr, 8 );
01366         add_data[8]  = ssl->out_msgtype;
01367         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
01368                            ssl->conf->transport, add_data + 9 );
01369         add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
01370         add_data[12] = ssl->out_msglen & 0xFF;
01371 
01372         MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
01373                        add_data, 13 );
01374 
01375         /*
01376          * Generate IV
01377          */
01378 #if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
01379         ret = ssl->conf->f_rng( ssl->conf->p_rng,
01380                 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
01381                 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
01382         if( ret != 0 )
01383             return( ret );
01384 
01385         memcpy( ssl->out_iv,
01386                 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
01387                 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
01388 #else
01389         if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
01390         {
01391             /* Reminder if we ever add an AEAD mode with a different size */
01392             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01393             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01394         }
01395 
01396         memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
01397                              ssl->out_ctr, 8 );
01398         memcpy( ssl->out_iv, ssl->out_ctr, 8 );
01399 #endif
01400 
01401         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
01402                 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
01403 
01404         /*
01405          * Fix pointer positions and message length with added IV
01406          */
01407         enc_msg = ssl->out_msg;
01408         enc_msglen = ssl->out_msglen;
01409         ssl->out_msglen += ssl->transform_out->ivlen -
01410                            ssl->transform_out->fixed_ivlen;
01411 
01412         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
01413                             "including %d bytes of padding",
01414                        ssl->out_msglen, 0 ) );
01415 
01416         /*
01417          * Encrypt and authenticate
01418          */
01419         if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
01420                                          ssl->transform_out->iv_enc,
01421                                          ssl->transform_out->ivlen,
01422                                          add_data, 13,
01423                                          enc_msg, enc_msglen,
01424                                          enc_msg, &olen,
01425                                          enc_msg + enc_msglen, taglen ) ) != 0 )
01426         {
01427             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
01428             return( ret );
01429         }
01430 
01431         if( olen != enc_msglen )
01432         {
01433             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01434             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01435         }
01436 
01437         ssl->out_msglen += taglen;
01438         auth_done++;
01439 
01440         MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
01441     }
01442     else
01443 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
01444 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
01445     ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
01446     if( mode == MBEDTLS_MODE_CBC )
01447     {
01448         int ret;
01449         unsigned char *enc_msg;
01450         size_t enc_msglen, padlen, olen = 0, i;
01451 
01452         padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
01453                  ssl->transform_out->ivlen;
01454         if( padlen == ssl->transform_out->ivlen )
01455             padlen = 0;
01456 
01457         for( i = 0; i <= padlen; i++ )
01458             ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
01459 
01460         ssl->out_msglen += padlen + 1;
01461 
01462         enc_msglen = ssl->out_msglen;
01463         enc_msg = ssl->out_msg;
01464 
01465 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
01466         /*
01467          * Prepend per-record IV for block cipher in TLS v1.1 and up as per
01468          * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
01469          */
01470         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
01471         {
01472             /*
01473              * Generate IV
01474              */
01475             ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
01476                                   ssl->transform_out->ivlen );
01477             if( ret != 0 )
01478                 return( ret );
01479 
01480             memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
01481                     ssl->transform_out->ivlen );
01482 
01483             /*
01484              * Fix pointer positions and message length with added IV
01485              */
01486             enc_msg = ssl->out_msg;
01487             enc_msglen = ssl->out_msglen;
01488             ssl->out_msglen += ssl->transform_out->ivlen;
01489         }
01490 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
01491 
01492         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
01493                             "including %d bytes of IV and %d bytes of padding",
01494                             ssl->out_msglen, ssl->transform_out->ivlen,
01495                             padlen + 1 ) );
01496 
01497         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
01498                                    ssl->transform_out->iv_enc,
01499                                    ssl->transform_out->ivlen,
01500                                    enc_msg, enc_msglen,
01501                                    enc_msg, &olen ) ) != 0 )
01502         {
01503             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01504             return( ret );
01505         }
01506 
01507         if( enc_msglen != olen )
01508         {
01509             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01510             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01511         }
01512 
01513 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
01514         if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
01515         {
01516             /*
01517              * Save IV in SSL3 and TLS1
01518              */
01519             memcpy( ssl->transform_out->iv_enc,
01520                     ssl->transform_out->cipher_ctx_enc.iv,
01521                     ssl->transform_out->ivlen );
01522         }
01523 #endif
01524 
01525 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01526         if( auth_done == 0 )
01527         {
01528             /*
01529              * MAC(MAC_write_key, seq_num +
01530              *     TLSCipherText.type +
01531              *     TLSCipherText.version +
01532              *     length_of( (IV +) ENC(...) ) +
01533              *     IV + // except for TLS 1.0
01534              *     ENC(content + padding + padding_length));
01535              */
01536             unsigned char pseudo_hdr[13];
01537 
01538             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
01539 
01540             memcpy( pseudo_hdr +  0, ssl->out_ctr, 8 );
01541             memcpy( pseudo_hdr +  8, ssl->out_hdr, 3 );
01542             pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
01543             pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen      ) & 0xFF );
01544 
01545             MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
01546 
01547             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
01548             mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
01549                              ssl->out_iv, ssl->out_msglen );
01550             mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
01551                              ssl->out_iv + ssl->out_msglen );
01552             mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
01553 
01554             ssl->out_msglen += ssl->transform_out->maclen;
01555             auth_done++;
01556         }
01557 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01558     }
01559     else
01560 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
01561           ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
01562     {
01563         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01564         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01565     }
01566 
01567     /* Make extra sure authentication was performed, exactly once */
01568     if( auth_done != 1 )
01569     {
01570         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01571         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01572     }
01573 
01574     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
01575 
01576     return( 0 );
01577 }
01578 
01579 #define SSL_MAX_MAC_SIZE   48
01580 
01581 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
01582 {
01583     size_t i;
01584     mbedtls_cipher_mode_t mode;
01585     int auth_done = 0;
01586 #if defined(SSL_SOME_MODES_USE_MAC)
01587     size_t padlen = 0, correct = 1;
01588 #endif
01589 
01590     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
01591 
01592     if( ssl->session_in == NULL || ssl->transform_in == NULL )
01593     {
01594         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01595         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01596     }
01597 
01598     mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
01599 
01600     if( ssl->in_msglen < ssl->transform_in->minlen )
01601     {
01602         MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
01603                        ssl->in_msglen, ssl->transform_in->minlen ) );
01604         return( MBEDTLS_ERR_SSL_INVALID_MAC );
01605     }
01606 
01607 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
01608     if( mode == MBEDTLS_MODE_STREAM )
01609     {
01610         int ret;
01611         size_t olen = 0;
01612 
01613         padlen = 0;
01614 
01615         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
01616                                    ssl->transform_in->iv_dec,
01617                                    ssl->transform_in->ivlen,
01618                                    ssl->in_msg, ssl->in_msglen,
01619                                    ssl->in_msg, &olen ) ) != 0 )
01620         {
01621             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01622             return( ret );
01623         }
01624 
01625         if( ssl->in_msglen != olen )
01626         {
01627             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01628             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01629         }
01630     }
01631     else
01632 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
01633 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
01634     if( mode == MBEDTLS_MODE_GCM ||
01635         mode == MBEDTLS_MODE_CCM )
01636     {
01637         int ret;
01638         size_t dec_msglen, olen;
01639         unsigned char *dec_msg;
01640         unsigned char *dec_msg_result;
01641         unsigned char add_data[13];
01642         unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
01643                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
01644         size_t explicit_iv_len = ssl->transform_in->ivlen -
01645                                  ssl->transform_in->fixed_ivlen;
01646 
01647         if( ssl->in_msglen < explicit_iv_len + taglen )
01648         {
01649             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
01650                                 "+ taglen (%d)", ssl->in_msglen,
01651                                 explicit_iv_len, taglen ) );
01652             return( MBEDTLS_ERR_SSL_INVALID_MAC );
01653         }
01654         dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
01655 
01656         dec_msg = ssl->in_msg;
01657         dec_msg_result = ssl->in_msg;
01658         ssl->in_msglen = dec_msglen;
01659 
01660         memcpy( add_data, ssl->in_ctr, 8 );
01661         add_data[8]  = ssl->in_msgtype;
01662         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
01663                            ssl->conf->transport, add_data + 9 );
01664         add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
01665         add_data[12] = ssl->in_msglen & 0xFF;
01666 
01667         MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
01668                        add_data, 13 );
01669 
01670         memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
01671                 ssl->in_iv,
01672                 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
01673 
01674         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
01675                                      ssl->transform_in->ivlen );
01676         MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
01677 
01678         /*
01679          * Decrypt and authenticate
01680          */
01681         if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
01682                                          ssl->transform_in->iv_dec,
01683                                          ssl->transform_in->ivlen,
01684                                          add_data, 13,
01685                                          dec_msg, dec_msglen,
01686                                          dec_msg_result, &olen,
01687                                          dec_msg + dec_msglen, taglen ) ) != 0 )
01688         {
01689             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
01690 
01691             if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
01692                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
01693 
01694             return( ret );
01695         }
01696         auth_done++;
01697 
01698         if( olen != dec_msglen )
01699         {
01700             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01701             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01702         }
01703     }
01704     else
01705 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
01706 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
01707     ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
01708     if( mode == MBEDTLS_MODE_CBC )
01709     {
01710         /*
01711          * Decrypt and check the padding
01712          */
01713         int ret;
01714         unsigned char *dec_msg;
01715         unsigned char *dec_msg_result;
01716         size_t dec_msglen;
01717         size_t minlen = 0;
01718         size_t olen = 0;
01719 
01720         /*
01721          * Check immediate ciphertext sanity
01722          */
01723 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
01724         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
01725             minlen += ssl->transform_in->ivlen;
01726 #endif
01727 
01728         if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
01729             ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
01730         {
01731             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
01732                                 "+ 1 ) ( + expl IV )", ssl->in_msglen,
01733                                 ssl->transform_in->ivlen,
01734                                 ssl->transform_in->maclen ) );
01735             return( MBEDTLS_ERR_SSL_INVALID_MAC );
01736         }
01737 
01738         dec_msglen = ssl->in_msglen;
01739         dec_msg = ssl->in_msg;
01740         dec_msg_result = ssl->in_msg;
01741 
01742         /*
01743          * Authenticate before decrypt if enabled
01744          */
01745 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01746         if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
01747         {
01748             unsigned char computed_mac[SSL_MAX_MAC_SIZE];
01749             unsigned char pseudo_hdr[13];
01750 
01751             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
01752 
01753             dec_msglen -= ssl->transform_in->maclen;
01754             ssl->in_msglen -= ssl->transform_in->maclen;
01755 
01756             memcpy( pseudo_hdr +  0, ssl->in_ctr, 8 );
01757             memcpy( pseudo_hdr +  8, ssl->in_hdr, 3 );
01758             pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
01759             pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen      ) & 0xFF );
01760 
01761             MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
01762 
01763             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
01764             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
01765                              ssl->in_iv, ssl->in_msglen );
01766             mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
01767             mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
01768 
01769             MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_iv + ssl->in_msglen,
01770                                               ssl->transform_in->maclen );
01771             MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
01772                                               ssl->transform_in->maclen );
01773 
01774             if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
01775                               ssl->transform_in->maclen ) != 0 )
01776             {
01777                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
01778 
01779                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
01780             }
01781             auth_done++;
01782         }
01783 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01784 
01785         /*
01786          * Check length sanity
01787          */
01788         if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
01789         {
01790             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
01791                            ssl->in_msglen, ssl->transform_in->ivlen ) );
01792             return( MBEDTLS_ERR_SSL_INVALID_MAC );
01793         }
01794 
01795 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
01796         /*
01797          * Initialize for prepended IV for block cipher in TLS v1.1 and up
01798          */
01799         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
01800         {
01801             dec_msglen -= ssl->transform_in->ivlen;
01802             ssl->in_msglen -= ssl->transform_in->ivlen;
01803 
01804             for( i = 0; i < ssl->transform_in->ivlen; i++ )
01805                 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
01806         }
01807 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
01808 
01809         if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
01810                                    ssl->transform_in->iv_dec,
01811                                    ssl->transform_in->ivlen,
01812                                    dec_msg, dec_msglen,
01813                                    dec_msg_result, &olen ) ) != 0 )
01814         {
01815             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
01816             return( ret );
01817         }
01818 
01819         if( dec_msglen != olen )
01820         {
01821             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01822             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01823         }
01824 
01825 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
01826         if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
01827         {
01828             /*
01829              * Save IV in SSL3 and TLS1
01830              */
01831             memcpy( ssl->transform_in->iv_dec,
01832                     ssl->transform_in->cipher_ctx_dec.iv,
01833                     ssl->transform_in->ivlen );
01834         }
01835 #endif
01836 
01837         padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
01838 
01839         if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
01840             auth_done == 0 )
01841         {
01842 #if defined(MBEDTLS_SSL_DEBUG_ALL)
01843             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
01844                         ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
01845 #endif
01846             padlen = 0;
01847             correct = 0;
01848         }
01849 
01850 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01851         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01852         {
01853             if( padlen > ssl->transform_in->ivlen )
01854             {
01855 #if defined(MBEDTLS_SSL_DEBUG_ALL)
01856                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
01857                                     "should be no more than %d",
01858                                padlen, ssl->transform_in->ivlen ) );
01859 #endif
01860                 correct = 0;
01861             }
01862         }
01863         else
01864 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01865 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
01866     defined(MBEDTLS_SSL_PROTO_TLS1_2)
01867         if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
01868         {
01869             /*
01870              * TLSv1+: always check the padding up to the first failure
01871              * and fake check up to 256 bytes of padding
01872              */
01873             size_t pad_count = 0, real_count = 1;
01874             size_t padding_idx = ssl->in_msglen - padlen - 1;
01875 
01876             /*
01877              * Padding is guaranteed to be incorrect if:
01878              *   1. padlen >= ssl->in_msglen
01879              *
01880              *   2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
01881              *                     ssl->transform_in->maclen
01882              *
01883              * In both cases we reset padding_idx to a safe value (0) to
01884              * prevent out-of-buffer reads.
01885              */
01886             correct &= ( ssl->in_msglen >= padlen + 1 );
01887             correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
01888                                        ssl->transform_in->maclen );
01889 
01890             padding_idx *= correct;
01891 
01892             for( i = 1; i <= 256; i++ )
01893             {
01894                 real_count &= ( i <= padlen );
01895                 pad_count += real_count *
01896                              ( ssl->in_msg[padding_idx + i] == padlen - 1 );
01897             }
01898 
01899             correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
01900 
01901 #if defined(MBEDTLS_SSL_DEBUG_ALL)
01902             if( padlen > 0 && correct == 0 )
01903                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
01904 #endif
01905             padlen &= correct * 0x1FF;
01906         }
01907         else
01908 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
01909           MBEDTLS_SSL_PROTO_TLS1_2 */
01910         {
01911             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01912             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01913         }
01914 
01915         ssl->in_msglen -= padlen;
01916     }
01917     else
01918 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
01919           ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
01920     {
01921         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01922         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01923     }
01924 
01925     MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
01926                    ssl->in_msg, ssl->in_msglen );
01927 
01928     /*
01929      * Authenticate if not done yet.
01930      * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
01931      */
01932 #if defined(SSL_SOME_MODES_USE_MAC)
01933     if( auth_done == 0 )
01934     {
01935         unsigned char tmp[SSL_MAX_MAC_SIZE];
01936 
01937         ssl->in_msglen -= ssl->transform_in->maclen;
01938 
01939         ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
01940         ssl->in_len[1] = (unsigned char)( ssl->in_msglen      );
01941 
01942         memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
01943 
01944 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01945         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
01946         {
01947             ssl_mac( &ssl->transform_in->md_ctx_dec,
01948                       ssl->transform_in->mac_dec,
01949                       ssl->in_msg, ssl->in_msglen,
01950                       ssl->in_ctr, ssl->in_msgtype );
01951         }
01952         else
01953 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
01954 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
01955         defined(MBEDTLS_SSL_PROTO_TLS1_2)
01956         if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
01957         {
01958             /*
01959              * Process MAC and always update for padlen afterwards to make
01960              * total time independent of padlen
01961              *
01962              * extra_run compensates MAC check for padlen
01963              *
01964              * Known timing attacks:
01965              *  - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
01966              *
01967              * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
01968              * correctly. (We round down instead of up, so -56 is the correct
01969              * value for our calculations instead of -55)
01970              */
01971             size_t j, extra_run = 0;
01972             extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
01973                         ( 13 + ssl->in_msglen          + 8 ) / 64;
01974 
01975             extra_run &= correct * 0xFF;
01976 
01977             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
01978             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
01979             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
01980             mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
01981                              ssl->in_msglen );
01982             mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec,
01983                              ssl->in_msg + ssl->in_msglen );
01984             /* Call mbedtls_md_process at least once due to cache attacks */
01985             for( j = 0; j < extra_run + 1; j++ )
01986                 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
01987 
01988             mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
01989         }
01990         else
01991 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
01992               MBEDTLS_SSL_PROTO_TLS1_2 */
01993         {
01994             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01995             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
01996         }
01997 
01998         MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", tmp, ssl->transform_in->maclen );
01999         MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
02000                        ssl->transform_in->maclen );
02001 
02002         if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
02003                          ssl->transform_in->maclen ) != 0 )
02004         {
02005 #if defined(MBEDTLS_SSL_DEBUG_ALL)
02006             MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
02007 #endif
02008             correct = 0;
02009         }
02010         auth_done++;
02011 
02012         /*
02013          * Finally check the correct flag
02014          */
02015         if( correct == 0 )
02016             return( MBEDTLS_ERR_SSL_INVALID_MAC );
02017     }
02018 #endif /* SSL_SOME_MODES_USE_MAC */
02019 
02020     /* Make extra sure authentication was performed, exactly once */
02021     if( auth_done != 1 )
02022     {
02023         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02024         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02025     }
02026 
02027     if( ssl->in_msglen == 0 )
02028     {
02029         ssl->nb_zero++;
02030 
02031         /*
02032          * Three or more empty messages may be a DoS attack
02033          * (excessive CPU consumption).
02034          */
02035         if( ssl->nb_zero > 3 )
02036         {
02037             MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
02038                                 "messages, possible DoS attack" ) );
02039             return( MBEDTLS_ERR_SSL_INVALID_MAC );
02040         }
02041     }
02042     else
02043         ssl->nb_zero = 0;
02044 
02045 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02046     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
02047     {
02048         ; /* in_ctr read from peer, not maintained internally */
02049     }
02050     else
02051 #endif
02052     {
02053         for( i = 8; i > ssl_ep_len( ssl ); i-- )
02054             if( ++ssl->in_ctr[i - 1] != 0 )
02055                 break;
02056 
02057         /* The loop goes to its end iff the counter is wrapping */
02058         if( i == ssl_ep_len( ssl ) )
02059         {
02060             MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
02061             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
02062         }
02063     }
02064 
02065     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
02066 
02067     return( 0 );
02068 }
02069 
02070 #undef MAC_NONE
02071 #undef MAC_PLAINTEXT
02072 #undef MAC_CIPHERTEXT
02073 
02074 #if defined(MBEDTLS_ZLIB_SUPPORT)
02075 /*
02076  * Compression/decompression functions
02077  */
02078 static int ssl_compress_buf( mbedtls_ssl_context *ssl )
02079 {
02080     int ret;
02081     unsigned char *msg_post = ssl->out_msg;
02082     size_t len_pre = ssl->out_msglen;
02083     unsigned char *msg_pre = ssl->compress_buf;
02084 
02085     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
02086 
02087     if( len_pre == 0 )
02088         return( 0 );
02089 
02090     memcpy( msg_pre, ssl->out_msg, len_pre );
02091 
02092     MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
02093                    ssl->out_msglen ) );
02094 
02095     MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
02096                    ssl->out_msg, ssl->out_msglen );
02097 
02098     ssl->transform_out->ctx_deflate.next_in = msg_pre;
02099     ssl->transform_out->ctx_deflate.avail_in = len_pre;
02100     ssl->transform_out->ctx_deflate.next_out = msg_post;
02101     ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN;
02102 
02103     ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
02104     if( ret != Z_OK )
02105     {
02106         MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
02107         return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
02108     }
02109 
02110     ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
02111                       ssl->transform_out->ctx_deflate.avail_out;
02112 
02113     MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
02114                    ssl->out_msglen ) );
02115 
02116     MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
02117                    ssl->out_msg, ssl->out_msglen );
02118 
02119     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
02120 
02121     return( 0 );
02122 }
02123 
02124 static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
02125 {
02126     int ret;
02127     unsigned char *msg_post = ssl->in_msg;
02128     size_t len_pre = ssl->in_msglen;
02129     unsigned char *msg_pre = ssl->compress_buf;
02130 
02131     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
02132 
02133     if( len_pre == 0 )
02134         return( 0 );
02135 
02136     memcpy( msg_pre, ssl->in_msg, len_pre );
02137 
02138     MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
02139                    ssl->in_msglen ) );
02140 
02141     MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
02142                    ssl->in_msg, ssl->in_msglen );
02143 
02144     ssl->transform_in->ctx_inflate.next_in = msg_pre;
02145     ssl->transform_in->ctx_inflate.avail_in = len_pre;
02146     ssl->transform_in->ctx_inflate.next_out = msg_post;
02147     ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN;
02148 
02149     ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
02150     if( ret != Z_OK )
02151     {
02152         MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
02153         return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
02154     }
02155 
02156     ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN -
02157                      ssl->transform_in->ctx_inflate.avail_out;
02158 
02159     MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
02160                    ssl->in_msglen ) );
02161 
02162     MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
02163                    ssl->in_msg, ssl->in_msglen );
02164 
02165     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
02166 
02167     return( 0 );
02168 }
02169 #endif /* MBEDTLS_ZLIB_SUPPORT */
02170 
02171 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
02172 static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
02173 
02174 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02175 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
02176 {
02177     /* If renegotiation is not enforced, retransmit until we would reach max
02178      * timeout if we were using the usual handshake doubling scheme */
02179     if( ssl->conf->renego_max_records < 0 )
02180     {
02181         uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
02182         unsigned char doublings = 1;
02183 
02184         while( ratio != 0 )
02185         {
02186             ++doublings;
02187             ratio >>= 1;
02188         }
02189 
02190         if( ++ssl->renego_records_seen > doublings )
02191         {
02192             MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
02193             return( 0 );
02194         }
02195     }
02196 
02197     return( ssl_write_hello_request( ssl ) );
02198 }
02199 #endif
02200 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
02201 
02202 /*
02203  * Fill the input message buffer by appending data to it.
02204  * The amount of data already fetched is in ssl->in_left.
02205  *
02206  * If we return 0, is it guaranteed that (at least) nb_want bytes are
02207  * available (from this read and/or a previous one). Otherwise, an error code
02208  * is returned (possibly EOF or WANT_READ).
02209  *
02210  * With stream transport (TLS) on success ssl->in_left == nb_want, but
02211  * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
02212  * since we always read a whole datagram at once.
02213  *
02214  * For DTLS, it is up to the caller to set ssl->next_record_offset when
02215  * they're done reading a record.
02216  */
02217 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
02218 {
02219     int ret;
02220     size_t len;
02221 
02222     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
02223 
02224     if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
02225     {
02226         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
02227                             "or mbedtls_ssl_set_bio()" ) );
02228         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02229     }
02230 
02231     if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
02232     {
02233         MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
02234         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02235     }
02236 
02237 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02238     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
02239     {
02240         uint32_t timeout;
02241 
02242         /* Just to be sure */
02243         if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
02244         {
02245             MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
02246                         "mbedtls_ssl_set_timer_cb() for DTLS" ) );
02247             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02248         }
02249 
02250         /*
02251          * The point is, we need to always read a full datagram at once, so we
02252          * sometimes read more then requested, and handle the additional data.
02253          * It could be the rest of the current record (while fetching the
02254          * header) and/or some other records in the same datagram.
02255          */
02256 
02257         /*
02258          * Move to the next record in the already read datagram if applicable
02259          */
02260         if( ssl->next_record_offset != 0 )
02261         {
02262             if( ssl->in_left < ssl->next_record_offset )
02263             {
02264                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02265                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02266             }
02267 
02268             ssl->in_left -= ssl->next_record_offset;
02269 
02270             if( ssl->in_left != 0 )
02271             {
02272                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
02273                                     ssl->next_record_offset ) );
02274                 memmove( ssl->in_hdr,
02275                          ssl->in_hdr + ssl->next_record_offset,
02276                          ssl->in_left );
02277             }
02278 
02279             ssl->next_record_offset = 0;
02280         }
02281 
02282         MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
02283                        ssl->in_left, nb_want ) );
02284 
02285         /*
02286          * Done if we already have enough data.
02287          */
02288         if( nb_want <= ssl->in_left)
02289         {
02290             MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
02291             return( 0 );
02292         }
02293 
02294         /*
02295          * A record can't be split accross datagrams. If we need to read but
02296          * are not at the beginning of a new record, the caller did something
02297          * wrong.
02298          */
02299         if( ssl->in_left != 0 )
02300         {
02301             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02302             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02303         }
02304 
02305         /*
02306          * Don't even try to read if time's out already.
02307          * This avoids by-passing the timer when repeatedly receiving messages
02308          * that will end up being dropped.
02309          */
02310         if( ssl_check_timer( ssl ) != 0 )
02311             ret = MBEDTLS_ERR_SSL_TIMEOUT;
02312         else
02313         {
02314             len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
02315 
02316             if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
02317                 timeout = ssl->handshake->retransmit_timeout;
02318             else
02319                 timeout = ssl->conf->read_timeout;
02320 
02321             MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
02322 
02323             if( ssl->f_recv_timeout != NULL )
02324                 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
02325                                                                     timeout );
02326             else
02327                 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
02328 
02329             MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
02330 
02331             if( ret == 0 )
02332                 return( MBEDTLS_ERR_SSL_CONN_EOF );
02333         }
02334 
02335         if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
02336         {
02337             MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
02338             ssl_set_timer( ssl, 0 );
02339 
02340             if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
02341             {
02342                 if( ssl_double_retransmit_timeout( ssl ) != 0 )
02343                 {
02344                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
02345                     return( MBEDTLS_ERR_SSL_TIMEOUT );
02346                 }
02347 
02348                 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
02349                 {
02350                     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
02351                     return( ret );
02352                 }
02353 
02354                 return( MBEDTLS_ERR_SSL_WANT_READ );
02355             }
02356 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
02357             else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
02358                      ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
02359             {
02360                 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
02361                 {
02362                     MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
02363                     return( ret );
02364                 }
02365 
02366                 return( MBEDTLS_ERR_SSL_WANT_READ );
02367             }
02368 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
02369         }
02370 
02371         if( ret < 0 )
02372             return( ret );
02373 
02374         ssl->in_left = ret;
02375     }
02376     else
02377 #endif
02378     {
02379         MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
02380                        ssl->in_left, nb_want ) );
02381 
02382         while( ssl->in_left < nb_want )
02383         {
02384             len = nb_want - ssl->in_left;
02385 
02386             if( ssl_check_timer( ssl ) != 0 )
02387                 ret = MBEDTLS_ERR_SSL_TIMEOUT;
02388             else
02389             {
02390                 if( ssl->f_recv_timeout != NULL )
02391                 {
02392                     ret = ssl->f_recv_timeout( ssl->p_bio,
02393                                                ssl->in_hdr + ssl->in_left, len,
02394                                                ssl->conf->read_timeout );
02395                 }
02396                 else
02397                 {
02398                     ret = ssl->f_recv( ssl->p_bio,
02399                                        ssl->in_hdr + ssl->in_left, len );
02400                 }
02401             }
02402 
02403             MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
02404                                         ssl->in_left, nb_want ) );
02405             MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
02406 
02407             if( ret == 0 )
02408                 return( MBEDTLS_ERR_SSL_CONN_EOF );
02409 
02410             if( ret < 0 )
02411                 return( ret );
02412 
02413             ssl->in_left += ret;
02414         }
02415     }
02416 
02417     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
02418 
02419     return( 0 );
02420 }
02421 
02422 /*
02423  * Flush any data not yet written
02424  */
02425 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
02426 {
02427     int ret;
02428     unsigned char *buf, i;
02429 
02430     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
02431 
02432     if( ssl->f_send == NULL )
02433     {
02434         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
02435                             "or mbedtls_ssl_set_bio()" ) );
02436         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02437     }
02438 
02439     /* Avoid incrementing counter if data is flushed */
02440     if( ssl->out_left == 0 )
02441     {
02442         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
02443         return( 0 );
02444     }
02445 
02446     while( ssl->out_left > 0 )
02447     {
02448         MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
02449                        mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
02450 
02451         buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) +
02452               ssl->out_msglen - ssl->out_left;
02453         ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
02454 
02455         MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
02456 
02457         if( ret <= 0 )
02458             return( ret );
02459 
02460         ssl->out_left -= ret;
02461     }
02462 
02463     for( i = 8; i > ssl_ep_len( ssl ); i-- )
02464         if( ++ssl->out_ctr[i - 1] != 0 )
02465             break;
02466 
02467     /* The loop goes to its end iff the counter is wrapping */
02468     if( i == ssl_ep_len( ssl ) )
02469     {
02470         MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
02471         return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
02472     }
02473 
02474     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
02475 
02476     return( 0 );
02477 }
02478 
02479 /*
02480  * Functions to handle the DTLS retransmission state machine
02481  */
02482 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02483 /*
02484  * Append current handshake message to current outgoing flight
02485  */
02486 static int ssl_flight_append( mbedtls_ssl_context *ssl )
02487 {
02488     mbedtls_ssl_flight_item *msg;
02489 
02490     /* Allocate space for current message */
02491     if( ( msg = mbedtls_calloc( 1, sizeof(  mbedtls_ssl_flight_item ) ) ) == NULL )
02492     {
02493         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
02494                             sizeof( mbedtls_ssl_flight_item ) ) );
02495         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
02496     }
02497 
02498     if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
02499     {
02500         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
02501         mbedtls_free( msg );
02502         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
02503     }
02504 
02505     /* Copy current handshake message with headers */
02506     memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
02507     msg->len = ssl->out_msglen;
02508     msg->type = ssl->out_msgtype;
02509     msg->next = NULL;
02510 
02511     /* Append to the current flight */
02512     if( ssl->handshake->flight == NULL )
02513         ssl->handshake->flight = msg;
02514     else
02515     {
02516         mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
02517         while( cur->next != NULL )
02518             cur = cur->next;
02519         cur->next = msg;
02520     }
02521 
02522     return( 0 );
02523 }
02524 
02525 /*
02526  * Free the current flight of handshake messages
02527  */
02528 static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
02529 {
02530     mbedtls_ssl_flight_item *cur = flight;
02531     mbedtls_ssl_flight_item *next;
02532 
02533     while( cur != NULL )
02534     {
02535         next = cur->next;
02536 
02537         mbedtls_free( cur->p );
02538         mbedtls_free( cur );
02539 
02540         cur = next;
02541     }
02542 }
02543 
02544 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
02545 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
02546 #endif
02547 
02548 /*
02549  * Swap transform_out and out_ctr with the alternative ones
02550  */
02551 static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
02552 {
02553     mbedtls_ssl_transform *tmp_transform;
02554     unsigned char tmp_out_ctr[8];
02555 
02556     if( ssl->transform_out == ssl->handshake->alt_transform_out )
02557     {
02558         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
02559         return;
02560     }
02561 
02562     MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
02563 
02564     /* Swap transforms */
02565     tmp_transform                     = ssl->transform_out;
02566     ssl->transform_out                = ssl->handshake->alt_transform_out;
02567     ssl->handshake->alt_transform_out = tmp_transform;
02568 
02569     /* Swap epoch + sequence_number */
02570     memcpy( tmp_out_ctr,                 ssl->out_ctr,                8 );
02571     memcpy( ssl->out_ctr,                ssl->handshake->alt_out_ctr, 8 );
02572     memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8 );
02573 
02574     /* Adjust to the newly activated transform */
02575     if( ssl->transform_out != NULL &&
02576         ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
02577     {
02578         ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen -
02579                                      ssl->transform_out->fixed_ivlen;
02580     }
02581     else
02582         ssl->out_msg = ssl->out_iv;
02583 
02584 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
02585     if( mbedtls_ssl_hw_record_activate != NULL )
02586     {
02587         if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
02588         {
02589             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
02590             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
02591         }
02592     }
02593 #endif
02594 }
02595 
02596 /*
02597  * Retransmit the current flight of messages.
02598  *
02599  * Need to remember the current message in case flush_output returns
02600  * WANT_WRITE, causing us to exit this function and come back later.
02601  * This function must be called until state is no longer SENDING.
02602  */
02603 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
02604 {
02605     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
02606 
02607     if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
02608     {
02609         MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
02610 
02611         ssl->handshake->cur_msg = ssl->handshake->flight;
02612         ssl_swap_epochs( ssl );
02613 
02614         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
02615     }
02616 
02617     while( ssl->handshake->cur_msg != NULL )
02618     {
02619         int ret;
02620         mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg;
02621 
02622         /* Swap epochs before sending Finished: we can't do it after
02623          * sending ChangeCipherSpec, in case write returns WANT_READ.
02624          * Must be done before copying, may change out_msg pointer */
02625         if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
02626             cur->p[0] == MBEDTLS_SSL_HS_FINISHED )
02627         {
02628             ssl_swap_epochs( ssl );
02629         }
02630 
02631         memcpy( ssl->out_msg, cur->p, cur->len );
02632         ssl->out_msglen = cur->len;
02633         ssl->out_msgtype = cur->type;
02634 
02635         ssl->handshake->cur_msg = cur->next;
02636 
02637         MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 );
02638 
02639         if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
02640         {
02641             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
02642             return( ret );
02643         }
02644     }
02645 
02646     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
02647         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
02648     else
02649     {
02650         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
02651         ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
02652     }
02653 
02654     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
02655 
02656     return( 0 );
02657 }
02658 
02659 /*
02660  * To be called when the last message of an incoming flight is received.
02661  */
02662 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
02663 {
02664     /* We won't need to resend that one any more */
02665     ssl_flight_free( ssl->handshake->flight );
02666     ssl->handshake->flight = NULL;
02667     ssl->handshake->cur_msg = NULL;
02668 
02669     /* The next incoming flight will start with this msg_seq */
02670     ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
02671 
02672     /* Cancel timer */
02673     ssl_set_timer( ssl, 0 );
02674 
02675     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
02676         ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
02677     {
02678         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
02679     }
02680     else
02681         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
02682 }
02683 
02684 /*
02685  * To be called when the last message of an outgoing flight is send.
02686  */
02687 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
02688 {
02689     ssl_reset_retransmit_timeout( ssl );
02690     ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
02691 
02692     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
02693         ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
02694     {
02695         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
02696     }
02697     else
02698         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
02699 }
02700 #endif /* MBEDTLS_SSL_PROTO_DTLS */
02701 
02702 /*
02703  * Record layer functions
02704  */
02705 
02706 /*
02707  * Write current record.
02708  * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
02709  */
02710 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
02711 {
02712     int ret, done = 0, out_msg_type;
02713     size_t len = ssl->out_msglen;
02714 
02715     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
02716 
02717 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02718     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
02719         ssl->handshake != NULL &&
02720         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
02721     {
02722         ; /* Skip special handshake treatment when resending */
02723     }
02724     else
02725 #endif
02726     if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
02727     {
02728         out_msg_type = ssl->out_msg[0];
02729 
02730         if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
02731             ssl->handshake == NULL )
02732         {
02733             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02734             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02735         }
02736 
02737         ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
02738         ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >>  8 );
02739         ssl->out_msg[3] = (unsigned char)( ( len - 4 )       );
02740 
02741         /*
02742          * DTLS has additional fields in the Handshake layer,
02743          * between the length field and the actual payload:
02744          *      uint16 message_seq;
02745          *      uint24 fragment_offset;
02746          *      uint24 fragment_length;
02747          */
02748 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02749         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
02750         {
02751             /* Make room for the additional DTLS fields */
02752             memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
02753             ssl->out_msglen += 8;
02754             len += 8;
02755 
02756             /* Write message_seq and update it, except for HelloRequest */
02757             if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
02758             {
02759                 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
02760                 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq      ) & 0xFF;
02761                 ++( ssl->handshake->out_msg_seq );
02762             }
02763             else
02764             {
02765                 ssl->out_msg[4] = 0;
02766                 ssl->out_msg[5] = 0;
02767             }
02768 
02769             /* We don't fragment, so frag_offset = 0 and frag_len = len */
02770             memset( ssl->out_msg + 6, 0x00, 3 );
02771             memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
02772         }
02773 #endif /* MBEDTLS_SSL_PROTO_DTLS */
02774 
02775         if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
02776             ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
02777     }
02778 
02779     /* Save handshake and CCS messages for resending */
02780 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02781     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
02782         ssl->handshake != NULL &&
02783         ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING &&
02784         ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ||
02785           ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) )
02786     {
02787         if( ( ret = ssl_flight_append( ssl ) ) != 0 )
02788         {
02789             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
02790             return( ret );
02791         }
02792     }
02793 #endif
02794 
02795 #if defined(MBEDTLS_ZLIB_SUPPORT)
02796     if( ssl->transform_out != NULL &&
02797         ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
02798     {
02799         if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
02800         {
02801             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
02802             return( ret );
02803         }
02804 
02805         len = ssl->out_msglen;
02806     }
02807 #endif /*MBEDTLS_ZLIB_SUPPORT */
02808 
02809 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
02810     if( mbedtls_ssl_hw_record_write != NULL )
02811     {
02812         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
02813 
02814         ret = mbedtls_ssl_hw_record_write( ssl );
02815         if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
02816         {
02817             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
02818             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
02819         }
02820 
02821         if( ret == 0 )
02822             done = 1;
02823     }
02824 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
02825     if( !done )
02826     {
02827         ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
02828         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02829                            ssl->conf->transport, ssl->out_hdr + 1 );
02830 
02831         ssl->out_len[0] = (unsigned char)( len >> 8 );
02832         ssl->out_len[1] = (unsigned char)( len      );
02833 
02834         if( ssl->transform_out != NULL )
02835         {
02836             if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
02837             {
02838                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
02839                 return( ret );
02840             }
02841 
02842             len = ssl->out_msglen;
02843             ssl->out_len[0] = (unsigned char)( len >> 8 );
02844             ssl->out_len[1] = (unsigned char)( len      );
02845         }
02846 
02847         ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen;
02848 
02849         MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
02850                             "version = [%d:%d], msglen = %d",
02851                        ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
02852                      ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) );
02853 
02854         MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
02855                        ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen );
02856     }
02857 
02858     if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
02859     {
02860         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
02861         return( ret );
02862     }
02863 
02864     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
02865 
02866     return( 0 );
02867 }
02868 
02869 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02870 /*
02871  * Mark bits in bitmask (used for DTLS HS reassembly)
02872  */
02873 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
02874 {
02875     unsigned int start_bits, end_bits;
02876 
02877     start_bits = 8 - ( offset % 8 );
02878     if( start_bits != 8 )
02879     {
02880         size_t first_byte_idx = offset / 8;
02881 
02882         /* Special case */
02883         if( len <= start_bits )
02884         {
02885             for( ; len != 0; len-- )
02886                 mask[first_byte_idx] |= 1 << ( start_bits - len );
02887 
02888             /* Avoid potential issues with offset or len becoming invalid */
02889             return;
02890         }
02891 
02892         offset += start_bits; /* Now offset % 8 == 0 */
02893         len -= start_bits;
02894 
02895         for( ; start_bits != 0; start_bits-- )
02896             mask[first_byte_idx] |= 1 << ( start_bits - 1 );
02897     }
02898 
02899     end_bits = len % 8;
02900     if( end_bits != 0 )
02901     {
02902         size_t last_byte_idx = ( offset + len ) / 8;
02903 
02904         len -= end_bits; /* Now len % 8 == 0 */
02905 
02906         for( ; end_bits != 0; end_bits-- )
02907             mask[last_byte_idx] |= 1 << ( 8 - end_bits );
02908     }
02909 
02910     memset( mask + offset / 8, 0xFF, len / 8 );
02911 }
02912 
02913 /*
02914  * Check that bitmask is full
02915  */
02916 static int ssl_bitmask_check( unsigned char *mask, size_t len )
02917 {
02918     size_t i;
02919 
02920     for( i = 0; i < len / 8; i++ )
02921         if( mask[i] != 0xFF )
02922             return( -1 );
02923 
02924     for( i = 0; i < len % 8; i++ )
02925         if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
02926             return( -1 );
02927 
02928     return( 0 );
02929 }
02930 
02931 /*
02932  * Reassemble fragmented DTLS handshake messages.
02933  *
02934  * Use a temporary buffer for reassembly, divided in two parts:
02935  * - the first holds the reassembled message (including handshake header),
02936  * - the second holds a bitmask indicating which parts of the message
02937  *   (excluding headers) have been received so far.
02938  */
02939 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
02940 {
02941     unsigned char *msg, *bitmask;
02942     size_t frag_len, frag_off;
02943     size_t msg_len = ssl->in_hslen - 12; /* Without headers */
02944 
02945     if( ssl->handshake == NULL )
02946     {
02947         MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
02948         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
02949     }
02950 
02951     /*
02952      * For first fragment, check size and allocate buffer
02953      */
02954     if( ssl->handshake->hs_msg == NULL )
02955     {
02956         size_t alloc_len;
02957 
02958         MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
02959                             msg_len ) );
02960 
02961         if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
02962         {
02963             MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
02964             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
02965         }
02966 
02967         /* The bitmask needs one bit per byte of message excluding header */
02968         alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 );
02969 
02970         ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len );
02971         if( ssl->handshake->hs_msg == NULL )
02972         {
02973             MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) );
02974             return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
02975         }
02976 
02977         /* Prepare final header: copy msg_type, length and message_seq,
02978          * then add standardised fragment_offset and fragment_length */
02979         memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 );
02980         memset( ssl->handshake->hs_msg + 6, 0, 3 );
02981         memcpy( ssl->handshake->hs_msg + 9,
02982                 ssl->handshake->hs_msg + 1, 3 );
02983     }
02984     else
02985     {
02986         /* Make sure msg_type and length are consistent */
02987         if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 )
02988         {
02989             MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
02990             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
02991         }
02992     }
02993 
02994     msg = ssl->handshake->hs_msg + 12;
02995     bitmask = msg + msg_len;
02996 
02997     /*
02998      * Check and copy current fragment
02999      */
03000     frag_off = ( ssl->in_msg[6]  << 16 ) |
03001                ( ssl->in_msg[7]  << 8  ) |
03002                  ssl->in_msg[8];
03003     frag_len = ( ssl->in_msg[9]  << 16 ) |
03004                ( ssl->in_msg[10] << 8  ) |
03005                  ssl->in_msg[11];
03006 
03007     if( frag_off + frag_len > msg_len )
03008     {
03009         MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
03010                           frag_off, frag_len, msg_len ) );
03011         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03012     }
03013 
03014     if( frag_len + 12 > ssl->in_msglen )
03015     {
03016         MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
03017                           frag_len, ssl->in_msglen ) );
03018         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03019     }
03020 
03021     MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
03022                         frag_off, frag_len ) );
03023 
03024     memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
03025     ssl_bitmask_set( bitmask, frag_off, frag_len );
03026 
03027     /*
03028      * Do we have the complete message by now?
03029      * If yes, finalize it, else ask to read the next record.
03030      */
03031     if( ssl_bitmask_check( bitmask, msg_len ) != 0 )
03032     {
03033         MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
03034         return( MBEDTLS_ERR_SSL_WANT_READ );
03035     }
03036 
03037     MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
03038 
03039     if( frag_len + 12 < ssl->in_msglen )
03040     {
03041         /*
03042          * We'got more handshake messages in the same record.
03043          * This case is not handled now because no know implementation does
03044          * that and it's hard to test, so we prefer to fail cleanly for now.
03045          */
03046         MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
03047         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
03048     }
03049 
03050     if( ssl->in_left > ssl->next_record_offset )
03051     {
03052         /*
03053          * We've got more data in the buffer after the current record,
03054          * that we don't want to overwrite. Move it before writing the
03055          * reassembled message, and adjust in_left and next_record_offset.
03056          */
03057         unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset;
03058         unsigned char *new_remain = ssl->in_msg + ssl->in_hslen;
03059         size_t remain_len = ssl->in_left - ssl->next_record_offset;
03060 
03061         /* First compute and check new lengths */
03062         ssl->next_record_offset = new_remain - ssl->in_hdr;
03063         ssl->in_left = ssl->next_record_offset + remain_len;
03064 
03065         if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
03066                            (size_t)( ssl->in_hdr - ssl->in_buf ) )
03067         {
03068             MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
03069             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
03070         }
03071 
03072         memmove( new_remain, cur_remain, remain_len );
03073     }
03074 
03075     memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen );
03076 
03077     mbedtls_free( ssl->handshake->hs_msg );
03078     ssl->handshake->hs_msg = NULL;
03079 
03080     MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
03081                    ssl->in_msg, ssl->in_hslen );
03082 
03083     return( 0 );
03084 }
03085 #endif /* MBEDTLS_SSL_PROTO_DTLS */
03086 
03087 static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
03088 {
03089     if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
03090     {
03091         MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
03092                             ssl->in_msglen ) );
03093         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03094     }
03095 
03096     ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + (
03097                     ( ssl->in_msg[1] << 16 ) |
03098                     ( ssl->in_msg[2] << 8  ) |
03099                       ssl->in_msg[3] );
03100 
03101     MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
03102                         " %d, type = %d, hslen = %d",
03103                         ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
03104 
03105 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03106     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03107     {
03108         int ret;
03109         unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
03110 
03111         /* ssl->handshake is NULL when receiving ClientHello for renego */
03112         if( ssl->handshake != NULL &&
03113             recv_msg_seq != ssl->handshake->in_msg_seq )
03114         {
03115             /* Retransmit only on last message from previous flight, to avoid
03116              * too many retransmissions.
03117              * Besides, No sane server ever retransmits HelloVerifyRequest */
03118             if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
03119                 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
03120             {
03121                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
03122                                     "message_seq = %d, start_of_flight = %d",
03123                                     recv_msg_seq,
03124                                     ssl->handshake->in_flight_start_seq ) );
03125 
03126                 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
03127                 {
03128                     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
03129                     return( ret );
03130                 }
03131             }
03132             else
03133             {
03134                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
03135                                     "message_seq = %d, expected = %d",
03136                                     recv_msg_seq,
03137                                     ssl->handshake->in_msg_seq ) );
03138             }
03139 
03140             return( MBEDTLS_ERR_SSL_WANT_READ );
03141         }
03142         /* Wait until message completion to increment in_msg_seq */
03143 
03144         /* Reassemble if current message is fragmented or reassembly is
03145          * already in progress */
03146         if( ssl->in_msglen < ssl->in_hslen ||
03147             memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
03148             memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ||
03149             ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) )
03150         {
03151             MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
03152 
03153             if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 )
03154             {
03155                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret );
03156                 return( ret );
03157             }
03158         }
03159     }
03160     else
03161 #endif /* MBEDTLS_SSL_PROTO_DTLS */
03162     /* With TLS we don't handle fragmentation (for now) */
03163     if( ssl->in_msglen < ssl->in_hslen )
03164     {
03165         MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
03166         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
03167     }
03168 
03169     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
03170         ssl->handshake != NULL )
03171     {
03172         ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
03173     }
03174 
03175     /* Handshake message is complete, increment counter */
03176 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03177     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
03178         ssl->handshake != NULL )
03179     {
03180         ssl->handshake->in_msg_seq++;
03181     }
03182 #endif
03183 
03184     return( 0 );
03185 }
03186 
03187 /*
03188  * DTLS anti-replay: RFC 6347 4.1.2.6
03189  *
03190  * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
03191  * Bit n is set iff record number in_window_top - n has been seen.
03192  *
03193  * Usually, in_window_top is the last record number seen and the lsb of
03194  * in_window is set. The only exception is the initial state (record number 0
03195  * not seen yet).
03196  */
03197 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
03198 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
03199 {
03200     ssl->in_window_top = 0;
03201     ssl->in_window = 0;
03202 }
03203 
03204 static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
03205 {
03206     return( ( (uint64_t) buf[0] << 40 ) |
03207             ( (uint64_t) buf[1] << 32 ) |
03208             ( (uint64_t) buf[2] << 24 ) |
03209             ( (uint64_t) buf[3] << 16 ) |
03210             ( (uint64_t) buf[4] <<  8 ) |
03211             ( (uint64_t) buf[5]       ) );
03212 }
03213 
03214 /*
03215  * Return 0 if sequence number is acceptable, -1 otherwise
03216  */
03217 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
03218 {
03219     uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
03220     uint64_t bit;
03221 
03222     if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
03223         return( 0 );
03224 
03225     if( rec_seqnum > ssl->in_window_top )
03226         return( 0 );
03227 
03228     bit = ssl->in_window_top - rec_seqnum;
03229 
03230     if( bit >= 64 )
03231         return( -1 );
03232 
03233     if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
03234         return( -1 );
03235 
03236     return( 0 );
03237 }
03238 
03239 /*
03240  * Update replay window on new validated record
03241  */
03242 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
03243 {
03244     uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
03245 
03246     if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
03247         return;
03248 
03249     if( rec_seqnum > ssl->in_window_top )
03250     {
03251         /* Update window_top and the contents of the window */
03252         uint64_t shift = rec_seqnum - ssl->in_window_top;
03253 
03254         if( shift >= 64 )
03255             ssl->in_window = 1;
03256         else
03257         {
03258             ssl->in_window <<= shift;
03259             ssl->in_window |= 1;
03260         }
03261 
03262         ssl->in_window_top = rec_seqnum;
03263     }
03264     else
03265     {
03266         /* Mark that number as seen in the current window */
03267         uint64_t bit = ssl->in_window_top - rec_seqnum;
03268 
03269         if( bit < 64 ) /* Always true, but be extra sure */
03270             ssl->in_window |= (uint64_t) 1 << bit;
03271     }
03272 }
03273 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
03274 
03275 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
03276 /* Forward declaration */
03277 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
03278 
03279 /*
03280  * Without any SSL context, check if a datagram looks like a ClientHello with
03281  * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
03282  * Both input and output include full DTLS headers.
03283  *
03284  * - if cookie is valid, return 0
03285  * - if ClientHello looks superficially valid but cookie is not,
03286  *   fill obuf and set olen, then
03287  *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
03288  * - otherwise return a specific error code
03289  */
03290 static int ssl_check_dtls_clihlo_cookie(
03291                            mbedtls_ssl_cookie_write_t *f_cookie_write,
03292                            mbedtls_ssl_cookie_check_t *f_cookie_check,
03293                            void *p_cookie,
03294                            const unsigned char *cli_id, size_t cli_id_len,
03295                            const unsigned char *in, size_t in_len,
03296                            unsigned char *obuf, size_t buf_len, size_t *olen )
03297 {
03298     size_t sid_len, cookie_len;
03299     unsigned char *p;
03300 
03301     if( f_cookie_write == NULL || f_cookie_check == NULL )
03302         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
03303 
03304     /*
03305      * Structure of ClientHello with record and handshake headers,
03306      * and expected values. We don't need to check a lot, more checks will be
03307      * done when actually parsing the ClientHello - skipping those checks
03308      * avoids code duplication and does not make cookie forging any easier.
03309      *
03310      *  0-0  ContentType type;                  copied, must be handshake
03311      *  1-2  ProtocolVersion version;           copied
03312      *  3-4  uint16 epoch;                      copied, must be 0
03313      *  5-10 uint48 sequence_number;            copied
03314      * 11-12 uint16 length;                     (ignored)
03315      *
03316      * 13-13 HandshakeType msg_type;            (ignored)
03317      * 14-16 uint24 length;                     (ignored)
03318      * 17-18 uint16 message_seq;                copied
03319      * 19-21 uint24 fragment_offset;            copied, must be 0
03320      * 22-24 uint24 fragment_length;            (ignored)
03321      *
03322      * 25-26 ProtocolVersion client_version;    (ignored)
03323      * 27-58 Random random;                     (ignored)
03324      * 59-xx SessionID session_id;              1 byte len + sid_len content
03325      * 60+   opaque cookie<0..2^8-1>;           1 byte len + content
03326      *       ...
03327      *
03328      * Minimum length is 61 bytes.
03329      */
03330     if( in_len < 61 ||
03331         in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
03332         in[3] != 0 || in[4] != 0 ||
03333         in[19] != 0 || in[20] != 0 || in[21] != 0 )
03334     {
03335         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
03336     }
03337 
03338     sid_len = in[59];
03339     if( sid_len > in_len - 61 )
03340         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
03341 
03342     cookie_len = in[60 + sid_len];
03343     if( cookie_len > in_len - 60 )
03344         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
03345 
03346     if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
03347                         cli_id, cli_id_len ) == 0 )
03348     {
03349         /* Valid cookie */
03350         return( 0 );
03351     }
03352 
03353     /*
03354      * If we get here, we've got an invalid cookie, let's prepare HVR.
03355      *
03356      *  0-0  ContentType type;                  copied
03357      *  1-2  ProtocolVersion version;           copied
03358      *  3-4  uint16 epoch;                      copied
03359      *  5-10 uint48 sequence_number;            copied
03360      * 11-12 uint16 length;                     olen - 13
03361      *
03362      * 13-13 HandshakeType msg_type;            hello_verify_request
03363      * 14-16 uint24 length;                     olen - 25
03364      * 17-18 uint16 message_seq;                copied
03365      * 19-21 uint24 fragment_offset;            copied
03366      * 22-24 uint24 fragment_length;            olen - 25
03367      *
03368      * 25-26 ProtocolVersion server_version;    0xfe 0xff
03369      * 27-27 opaque cookie<0..2^8-1>;           cookie_len = olen - 27, cookie
03370      *
03371      * Minimum length is 28.
03372      */
03373     if( buf_len < 28 )
03374         return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
03375 
03376     /* Copy most fields and adapt others */
03377     memcpy( obuf, in, 25 );
03378     obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
03379     obuf[25] = 0xfe;
03380     obuf[26] = 0xff;
03381 
03382     /* Generate and write actual cookie */
03383     p = obuf + 28;
03384     if( f_cookie_write( p_cookie,
03385                         &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
03386     {
03387         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03388     }
03389 
03390     *olen = p - obuf;
03391 
03392     /* Go back and fill length fields */
03393     obuf[27] = (unsigned char)( *olen - 28 );
03394 
03395     obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
03396     obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >>  8 );
03397     obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 )       );
03398 
03399     obuf[11] = (unsigned char)( ( *olen - 13 ) >>  8 );
03400     obuf[12] = (unsigned char)( ( *olen - 13 )       );
03401 
03402     return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
03403 }
03404 
03405 /*
03406  * Handle possible client reconnect with the same UDP quadruplet
03407  * (RFC 6347 Section 4.2.8).
03408  *
03409  * Called by ssl_parse_record_header() in case we receive an epoch 0 record
03410  * that looks like a ClientHello.
03411  *
03412  * - if the input looks like a ClientHello without cookies,
03413  *   send back HelloVerifyRequest, then
03414  *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
03415  * - if the input looks like a ClientHello with a valid cookie,
03416  *   reset the session of the current context, and
03417  *   return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
03418  * - if anything goes wrong, return a specific error code
03419  *
03420  * mbedtls_ssl_read_record() will ignore the record if anything else than
03421  * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
03422  * cannot not return 0.
03423  */
03424 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
03425 {
03426     int ret;
03427     size_t len;
03428 
03429     ret = ssl_check_dtls_clihlo_cookie(
03430             ssl->conf->f_cookie_write,
03431             ssl->conf->f_cookie_check,
03432             ssl->conf->p_cookie,
03433             ssl->cli_id, ssl->cli_id_len,
03434             ssl->in_buf, ssl->in_left,
03435             ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
03436 
03437     MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
03438 
03439     if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
03440     {
03441         /* Dont check write errors as we can't do anything here.
03442          * If the error is permanent we'll catch it later,
03443          * if it's not, then hopefully it'll work next time. */
03444         (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
03445 
03446         return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
03447     }
03448 
03449     if( ret == 0 )
03450     {
03451         /* Got a valid cookie, partially reset context */
03452         if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
03453         {
03454             MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
03455             return( ret );
03456         }
03457 
03458         return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
03459     }
03460 
03461     return( ret );
03462 }
03463 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
03464 
03465 /*
03466  * ContentType type;
03467  * ProtocolVersion version;
03468  * uint16 epoch;            // DTLS only
03469  * uint48 sequence_number;  // DTLS only
03470  * uint16 length;
03471  *
03472  * Return 0 if header looks sane (and, for DTLS, the record is expected)
03473  * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
03474  * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
03475  *
03476  * With DTLS, mbedtls_ssl_read_record() will:
03477  * 1. proceed with the record if this function returns 0
03478  * 2. drop only the current record if this function returns UNEXPECTED_RECORD
03479  * 3. return CLIENT_RECONNECT if this function return that value
03480  * 4. drop the whole datagram if this function returns anything else.
03481  * Point 2 is needed when the peer is resending, and we have already received
03482  * the first record from a datagram but are still waiting for the others.
03483  */
03484 static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
03485 {
03486     int ret;
03487     int major_ver, minor_ver;
03488 
03489     MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
03490 
03491     ssl->in_msgtype =  ssl->in_hdr[0];
03492     ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
03493     mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
03494 
03495     MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
03496                         "version = [%d:%d], msglen = %d",
03497                         ssl->in_msgtype,
03498                         major_ver, minor_ver, ssl->in_msglen ) );
03499 
03500     /* Check record type */
03501     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
03502         ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
03503         ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
03504         ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
03505     {
03506         MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
03507 
03508         if( ( ret = mbedtls_ssl_send_alert_message( ssl,
03509                         MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03510                         MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
03511         {
03512             return( ret );
03513         }
03514 
03515         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03516     }
03517 
03518     /* Check version */
03519     if( major_ver != ssl->major_ver )
03520     {
03521         MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
03522         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03523     }
03524 
03525     if( minor_ver > ssl->conf->max_minor_ver )
03526     {
03527         MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
03528         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03529     }
03530 
03531     /* Check length against the size of our buffer */
03532     if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
03533                          - (size_t)( ssl->in_msg - ssl->in_buf ) )
03534     {
03535         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03536         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03537     }
03538 
03539     /* Check length against bounds of the current transform and version */
03540     if( ssl->transform_in == NULL )
03541     {
03542         if( ssl->in_msglen < 1 ||
03543             ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
03544         {
03545             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03546             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03547         }
03548     }
03549     else
03550     {
03551         if( ssl->in_msglen < ssl->transform_in->minlen )
03552         {
03553             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03554             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03555         }
03556 
03557 #if defined(MBEDTLS_SSL_PROTO_SSL3)
03558         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
03559             ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
03560         {
03561             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03562             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03563         }
03564 #endif
03565 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
03566     defined(MBEDTLS_SSL_PROTO_TLS1_2)
03567         /*
03568          * TLS encrypted messages can have up to 256 bytes of padding
03569          */
03570         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
03571             ssl->in_msglen > ssl->transform_in->minlen +
03572                              MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
03573         {
03574             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03575             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03576         }
03577 #endif
03578     }
03579 
03580     /*
03581      * DTLS-related tests done last, because most of them may result in
03582      * silently dropping the record (but not the whole datagram), and we only
03583      * want to consider that after ensuring that the "basic" fields (type,
03584      * version, length) are sane.
03585      */
03586 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03587     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03588     {
03589         unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
03590 
03591         /* Drop unexpected ChangeCipherSpec messages */
03592         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
03593             ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
03594             ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
03595         {
03596             MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
03597             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03598         }
03599 
03600         /* Drop unexpected ApplicationData records,
03601          * except at the beginning of renegotiations */
03602         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
03603             ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
03604 #if defined(MBEDTLS_SSL_RENEGOTIATION)
03605             && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
03606                    ssl->state == MBEDTLS_SSL_SERVER_HELLO )
03607 #endif
03608             )
03609         {
03610             MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
03611             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03612         }
03613 
03614         /* Check epoch (and sequence number) with DTLS */
03615         if( rec_epoch != ssl->in_epoch )
03616         {
03617             MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
03618                                         "expected %d, received %d",
03619                                         ssl->in_epoch, rec_epoch ) );
03620 
03621 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
03622             /*
03623              * Check for an epoch 0 ClientHello. We can't use in_msg here to
03624              * access the first byte of record content (handshake type), as we
03625              * have an active transform (possibly iv_len != 0), so use the
03626              * fact that the record header len is 13 instead.
03627              */
03628             if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
03629                 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
03630                 rec_epoch == 0 &&
03631                 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
03632                 ssl->in_left > 13 &&
03633                 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
03634             {
03635                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
03636                                             "from the same port" ) );
03637                 return( ssl_handle_possible_reconnect( ssl ) );
03638             }
03639             else
03640 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
03641                 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03642         }
03643 
03644 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
03645         /* Replay detection only works for the current epoch */
03646         if( rec_epoch == ssl->in_epoch &&
03647             mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
03648         {
03649             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
03650             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
03651         }
03652 #endif
03653     }
03654 #endif /* MBEDTLS_SSL_PROTO_DTLS */
03655 
03656     return( 0 );
03657 }
03658 
03659 /*
03660  * If applicable, decrypt (and decompress) record content
03661  */
03662 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
03663 {
03664     int ret, done = 0;
03665 
03666     MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
03667                    ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
03668 
03669 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
03670     if( mbedtls_ssl_hw_record_read != NULL )
03671     {
03672         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
03673 
03674         ret = mbedtls_ssl_hw_record_read( ssl );
03675         if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
03676         {
03677             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
03678             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
03679         }
03680 
03681         if( ret == 0 )
03682             done = 1;
03683     }
03684 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
03685     if( !done && ssl->transform_in != NULL )
03686     {
03687         if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
03688         {
03689             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
03690             return( ret );
03691         }
03692 
03693         MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
03694                        ssl->in_msg, ssl->in_msglen );
03695 
03696         if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
03697         {
03698             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
03699             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
03700         }
03701     }
03702 
03703 #if defined(MBEDTLS_ZLIB_SUPPORT)
03704     if( ssl->transform_in != NULL &&
03705         ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
03706     {
03707         if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
03708         {
03709             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
03710             return( ret );
03711         }
03712     }
03713 #endif /* MBEDTLS_ZLIB_SUPPORT */
03714 
03715 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
03716     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03717     {
03718         mbedtls_ssl_dtls_replay_update( ssl );
03719     }
03720 #endif
03721 
03722     return( 0 );
03723 }
03724 
03725 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
03726 
03727 /*
03728  * Read a record.
03729  *
03730  * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
03731  * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
03732  *
03733  */
03734 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
03735 {
03736     int ret;
03737 
03738     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
03739 
03740     if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen )
03741     {
03742         /*
03743          * Get next Handshake message in the current record
03744          */
03745         ssl->in_msglen -= ssl->in_hslen;
03746 
03747         memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
03748                  ssl->in_msglen );
03749 
03750         MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
03751                            ssl->in_msg, ssl->in_msglen );
03752 
03753         if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
03754             return( ret );
03755 
03756         return( 0 );
03757     }
03758 
03759     ssl->in_hslen = 0;
03760 
03761     /*
03762      * Read the record header and parse it
03763      */
03764 read_record_header:
03765     if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
03766     {
03767         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
03768         return( ret );
03769     }
03770 
03771     if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
03772     {
03773 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03774         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
03775             ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
03776         {
03777             if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
03778             {
03779                 /* Skip unexpected record (but not whole datagram) */
03780                 ssl->next_record_offset = ssl->in_msglen
03781                                         + mbedtls_ssl_hdr_len( ssl );
03782 
03783                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
03784                                             "(header)" ) );
03785             }
03786             else
03787             {
03788                 /* Skip invalid record and the rest of the datagram */
03789                 ssl->next_record_offset = 0;
03790                 ssl->in_left = 0;
03791 
03792                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
03793                                             "(header)" ) );
03794             }
03795 
03796             /* Get next record */
03797             goto read_record_header;
03798         }
03799 #endif
03800         return( ret );
03801     }
03802 
03803     /*
03804      * Read and optionally decrypt the message contents
03805      */
03806     if( ( ret = mbedtls_ssl_fetch_input( ssl,
03807                                  mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
03808     {
03809         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
03810         return( ret );
03811     }
03812 
03813     /* Done reading this record, get ready for the next one */
03814 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03815     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03816         ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
03817     else
03818 #endif
03819         ssl->in_left = 0;
03820 
03821     if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
03822     {
03823 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03824         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03825         {
03826             /* Silently discard invalid records */
03827             if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
03828                 ret == MBEDTLS_ERR_SSL_INVALID_MAC )
03829             {
03830                 /* Except when waiting for Finished as a bad mac here
03831                  * probably means something went wrong in the handshake
03832                  * (eg wrong psk used, mitm downgrade attempt, etc.) */
03833                 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
03834                     ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
03835                 {
03836 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
03837                     if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
03838                     {
03839                         mbedtls_ssl_send_alert_message( ssl,
03840                                 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03841                                 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
03842                     }
03843 #endif
03844                     return( ret );
03845                 }
03846 
03847 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
03848                 if( ssl->conf->badmac_limit != 0 &&
03849                     ++ssl->badmac_seen >= ssl->conf->badmac_limit )
03850                 {
03851                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
03852                     return( MBEDTLS_ERR_SSL_INVALID_MAC );
03853                 }
03854 #endif
03855 
03856                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
03857                 goto read_record_header;
03858             }
03859 
03860             return( ret );
03861         }
03862         else
03863 #endif
03864         {
03865             /* Error out (and send alert) on invalid records */
03866 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
03867             if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
03868             {
03869                 mbedtls_ssl_send_alert_message( ssl,
03870                         MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03871                         MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
03872             }
03873 #endif
03874             return( ret );
03875         }
03876     }
03877 
03878     /*
03879      * When we sent the last flight of the handshake, we MUST respond to a
03880      * retransmit of the peer's previous flight with a retransmit. (In
03881      * practice, only the Finished message will make it, other messages
03882      * including CCS use the old transform so they're dropped as invalid.)
03883      *
03884      * If the record we received is not a handshake message, however, it
03885      * means the peer received our last flight so we can clean up
03886      * handshake info.
03887      *
03888      * This check needs to be done before prepare_handshake() due to an edge
03889      * case: if the client immediately requests renegotiation, this
03890      * finishes the current handshake first, avoiding the new ClientHello
03891      * being mistaken for an ancient message in the current handshake.
03892      */
03893 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03894     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
03895         ssl->handshake != NULL &&
03896         ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
03897     {
03898         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
03899                 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
03900         {
03901             MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) );
03902 
03903             if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
03904             {
03905                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
03906                 return( ret );
03907             }
03908 
03909             return( MBEDTLS_ERR_SSL_WANT_READ );
03910         }
03911         else
03912         {
03913             ssl_handshake_wrapup_free_hs_transform( ssl );
03914         }
03915     }
03916 #endif
03917 
03918     /*
03919      * Handle particular types of records
03920      */
03921     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
03922     {
03923         if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
03924             return( ret );
03925     }
03926 
03927     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
03928     {
03929         MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
03930                        ssl->in_msg[0], ssl->in_msg[1] ) );
03931 
03932         /*
03933          * Ignore non-fatal alerts, except close_notify and no_renegotiation
03934          */
03935         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
03936         {
03937             MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
03938                            ssl->in_msg[1] ) );
03939             return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
03940         }
03941 
03942         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
03943             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
03944         {
03945             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
03946             return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
03947         }
03948 
03949 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
03950         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
03951             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
03952         {
03953             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
03954             /* Will be handled when trying to parse ServerHello */
03955             return( 0 );
03956         }
03957 #endif
03958 
03959 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
03960         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
03961             ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
03962             ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
03963             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
03964         {
03965             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
03966             /* Will be handled in mbedtls_ssl_parse_certificate() */
03967             return( 0 );
03968         }
03969 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
03970 
03971         /* Silently ignore: fetch new message */
03972         goto read_record_header;
03973     }
03974 
03975     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
03976 
03977     return( 0 );
03978 }
03979 
03980 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
03981 {
03982     int ret;
03983 
03984     if( ( ret = mbedtls_ssl_send_alert_message( ssl,
03985                     MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03986                     MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
03987     {
03988         return( ret );
03989     }
03990 
03991     return( 0 );
03992 }
03993 
03994 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
03995                             unsigned char level,
03996                             unsigned char message )
03997 {
03998     int ret;
03999 
04000     if( ssl == NULL || ssl->conf == NULL )
04001         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
04002 
04003     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
04004 
04005     ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
04006     ssl->out_msglen = 2;
04007     ssl->out_msg[0] = level;
04008     ssl->out_msg[1] = message;
04009 
04010     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
04011     {
04012         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
04013         return( ret );
04014     }
04015 
04016     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
04017 
04018     return( 0 );
04019 }
04020 
04021 /*
04022  * Handshake functions
04023  */
04024 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)         && \
04025     !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)     && \
04026     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)     && \
04027     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)   && \
04028     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
04029     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)    && \
04030     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
04031 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
04032 {
04033     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04034 
04035     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
04036 
04037     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04038         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04039         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04040         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04041     {
04042         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
04043         ssl->state++;
04044         return( 0 );
04045     }
04046 
04047     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
04048     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
04049 }
04050 
04051 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
04052 {
04053     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04054 
04055     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
04056 
04057     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04058         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04059         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04060         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04061     {
04062         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04063         ssl->state++;
04064         return( 0 );
04065     }
04066 
04067     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
04068     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
04069 }
04070 #else
04071 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
04072 {
04073     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
04074     size_t i, n;
04075     const mbedtls_x509_crt *crt;
04076     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04077 
04078     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
04079 
04080     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04081         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04082         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04083         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04084     {
04085         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
04086         ssl->state++;
04087         return( 0 );
04088     }
04089 
04090 #if defined(MBEDTLS_SSL_CLI_C)
04091     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
04092     {
04093         if( ssl->client_auth == 0 )
04094         {
04095             MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
04096             ssl->state++;
04097             return( 0 );
04098         }
04099 
04100 #if defined(MBEDTLS_SSL_PROTO_SSL3)
04101         /*
04102          * If using SSLv3 and got no cert, send an Alert message
04103          * (otherwise an empty Certificate message will be sent).
04104          */
04105         if( mbedtls_ssl_own_cert( ssl )  == NULL &&
04106             ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
04107         {
04108             ssl->out_msglen  = 2;
04109             ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
04110             ssl->out_msg[0]  = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
04111             ssl->out_msg[1]  = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
04112 
04113             MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
04114             goto write_msg;
04115         }
04116 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
04117     }
04118 #endif /* MBEDTLS_SSL_CLI_C */
04119 #if defined(MBEDTLS_SSL_SRV_C)
04120     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
04121     {
04122         if( mbedtls_ssl_own_cert( ssl ) == NULL )
04123         {
04124             MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
04125             return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
04126         }
04127     }
04128 #endif
04129 
04130     MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
04131 
04132     /*
04133      *     0  .  0    handshake type
04134      *     1  .  3    handshake length
04135      *     4  .  6    length of all certs
04136      *     7  .  9    length of cert. 1
04137      *    10  . n-1   peer certificate
04138      *     n  . n+2   length of cert. 2
04139      *    n+3 . ...   upper level cert, etc.
04140      */
04141     i = 7;
04142     crt = mbedtls_ssl_own_cert( ssl );
04143 
04144     while( crt != NULL )
04145     {
04146         n = crt->raw.len;
04147         if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
04148         {
04149             MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
04150                            i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
04151             return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
04152         }
04153 
04154         ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
04155         ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
04156         ssl->out_msg[i + 2] = (unsigned char)( n       );
04157 
04158         i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
04159         i += n; crt = crt->next;
04160     }
04161 
04162     ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
04163     ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
04164     ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
04165 
04166     ssl->out_msglen  = i;
04167     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
04168     ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE;
04169 
04170 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
04171 write_msg:
04172 #endif
04173 
04174     ssl->state++;
04175 
04176     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
04177     {
04178         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
04179         return( ret );
04180     }
04181 
04182     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
04183 
04184     return( ret );
04185 }
04186 
04187 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
04188 {
04189     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
04190     size_t i, n;
04191     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
04192     int authmode = ssl->conf->authmode;
04193 
04194     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
04195 
04196     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
04197         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
04198         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
04199         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
04200     {
04201         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04202         ssl->state++;
04203         return( 0 );
04204     }
04205 
04206 #if defined(MBEDTLS_SSL_SRV_C)
04207     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
04208         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
04209     {
04210         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04211         ssl->state++;
04212         return( 0 );
04213     }
04214 
04215 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
04216     if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
04217         authmode = ssl->handshake->sni_authmode;
04218 #endif
04219 
04220     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
04221         authmode == MBEDTLS_SSL_VERIFY_NONE )
04222     {
04223         ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
04224         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
04225         ssl->state++;
04226         return( 0 );
04227     }
04228 #endif
04229 
04230     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
04231     {
04232         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
04233         return( ret );
04234     }
04235 
04236     ssl->state++;
04237 
04238 #if defined(MBEDTLS_SSL_SRV_C)
04239 #if defined(MBEDTLS_SSL_PROTO_SSL3)
04240     /*
04241      * Check if the client sent an empty certificate
04242      */
04243     if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
04244         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
04245     {
04246         if( ssl->in_msglen  == 2                        &&
04247             ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT            &&
04248             ssl->in_msg[0]  == MBEDTLS_SSL_ALERT_LEVEL_WARNING  &&
04249             ssl->in_msg[1]  == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
04250         {
04251             MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
04252 
04253             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
04254             if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
04255                 return( 0 );
04256             else
04257                 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
04258         }
04259     }
04260 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
04261 
04262 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
04263     defined(MBEDTLS_SSL_PROTO_TLS1_2)
04264     if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
04265         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
04266     {
04267         if( ssl->in_hslen   == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
04268             ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE    &&
04269             ssl->in_msg[0]  == MBEDTLS_SSL_HS_CERTIFICATE   &&
04270             memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
04271         {
04272             MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
04273 
04274             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
04275             if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
04276                 return( 0 );
04277             else
04278                 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
04279         }
04280     }
04281 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
04282           MBEDTLS_SSL_PROTO_TLS1_2 */
04283 #endif /* MBEDTLS_SSL_SRV_C */
04284 
04285     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
04286     {
04287         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04288         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
04289     }
04290 
04291     if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
04292         ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
04293     {
04294         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04295         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04296     }
04297 
04298     i = mbedtls_ssl_hs_hdr_len( ssl );
04299 
04300     /*
04301      * Same message structure as in mbedtls_ssl_write_certificate()
04302      */
04303     n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
04304 
04305     if( ssl->in_msg[i] != 0 ||
04306         ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
04307     {
04308         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04309         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04310     }
04311 
04312     /* In case we tried to reuse a session but it failed */
04313     if( ssl->session_negotiate->peer_cert != NULL )
04314     {
04315         mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
04316         mbedtls_free( ssl->session_negotiate->peer_cert );
04317     }
04318 
04319     if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
04320                     sizeof( mbedtls_x509_crt ) ) ) == NULL )
04321     {
04322         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
04323                        sizeof( mbedtls_x509_crt ) ) );
04324         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
04325     }
04326 
04327     mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
04328 
04329     i += 3;
04330 
04331     while( i < ssl->in_hslen )
04332     {
04333         if( ssl->in_msg[i] != 0 )
04334         {
04335             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04336             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04337         }
04338 
04339         n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
04340             | (unsigned int) ssl->in_msg[i + 2];
04341         i += 3;
04342 
04343         if( n < 128 || i + n > ssl->in_hslen )
04344         {
04345             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
04346             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04347         }
04348 
04349         ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
04350                                   ssl->in_msg + i, n );
04351         if( ret != 0 )
04352         {
04353             MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
04354             return( ret );
04355         }
04356 
04357         i += n;
04358     }
04359 
04360     MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
04361 
04362     /*
04363      * On client, make sure the server cert doesn't change during renego to
04364      * avoid "triple handshake" attack: https://secure-resumption.com/
04365      */
04366 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
04367     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
04368         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
04369     {
04370         if( ssl->session->peer_cert == NULL )
04371         {
04372             MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
04373             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04374         }
04375 
04376         if( ssl->session->peer_cert->raw.len !=
04377             ssl->session_negotiate->peer_cert->raw.len ||
04378             memcmp( ssl->session->peer_cert->raw.p,
04379                     ssl->session_negotiate->peer_cert->raw.p,
04380                     ssl->session->peer_cert->raw.len ) != 0 )
04381         {
04382             MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
04383             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
04384         }
04385     }
04386 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
04387 
04388     if( authmode != MBEDTLS_SSL_VERIFY_NONE )
04389     {
04390         mbedtls_x509_crt *ca_chain;
04391         mbedtls_x509_crl *ca_crl;
04392 
04393 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
04394         if( ssl->handshake->sni_ca_chain != NULL )
04395         {
04396             ca_chain = ssl->handshake->sni_ca_chain;
04397             ca_crl   = ssl->handshake->sni_ca_crl;
04398         }
04399         else
04400 #endif
04401         {
04402             ca_chain = ssl->conf->ca_chain;
04403             ca_crl   = ssl->conf->ca_crl;
04404         }
04405 
04406         if( ca_chain == NULL )
04407         {
04408             MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
04409             return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED );
04410         }
04411 
04412         /*
04413          * Main check: verify certificate
04414          */
04415         ret = mbedtls_x509_crt_verify_with_profile(
04416                                 ssl->session_negotiate->peer_cert,
04417                                 ca_chain, ca_crl,
04418                                 ssl->conf->cert_profile,
04419                                 ssl->hostname,
04420                                &ssl->session_negotiate->verify_result,
04421                                 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
04422 
04423         if( ret != 0 )
04424         {
04425             MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
04426         }
04427 
04428         /*
04429          * Secondary checks: always done, but change 'ret' only if it was 0
04430          */
04431 
04432 #if defined(MBEDTLS_ECP_C)
04433         {
04434             const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
04435 
04436             /* If certificate uses an EC key, make sure the curve is OK */
04437             if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
04438                 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id  ) != 0 )
04439             {
04440                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
04441                 if( ret == 0 )
04442                     ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
04443             }
04444         }
04445 #endif /* MBEDTLS_ECP_C */
04446 
04447         if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
04448                                   ciphersuite_info,
04449                                   ! ssl->conf->endpoint,
04450                                  &ssl->session_negotiate->verify_result ) != 0 )
04451         {
04452             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
04453             if( ret == 0 )
04454                 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
04455         }
04456 
04457         if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
04458             ret = 0;
04459     }
04460 
04461     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
04462 
04463     return( ret );
04464 }
04465 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
04466           !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
04467           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
04468           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
04469           !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
04470           !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
04471           !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
04472 
04473 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
04474 {
04475     int ret;
04476 
04477     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
04478 
04479     ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
04480     ssl->out_msglen  = 1;
04481     ssl->out_msg[0]  = 1;
04482 
04483     ssl->state++;
04484 
04485     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
04486     {
04487         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
04488         return( ret );
04489     }
04490 
04491     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
04492 
04493     return( 0 );
04494 }
04495 
04496 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
04497 {
04498     int ret;
04499 
04500     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
04501 
04502     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
04503     {
04504         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
04505         return( ret );
04506     }
04507 
04508     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
04509     {
04510         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
04511         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
04512     }
04513 
04514     if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
04515     {
04516         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
04517         return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
04518     }
04519 
04520     /*
04521      * Switch to our negotiated transform and session parameters for inbound
04522      * data.
04523      */
04524     MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
04525     ssl->transform_in = ssl->transform_negotiate;
04526     ssl->session_in = ssl->session_negotiate;
04527 
04528 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04529     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
04530     {
04531 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
04532         ssl_dtls_replay_reset( ssl );
04533 #endif
04534 
04535         /* Increment epoch */
04536         if( ++ssl->in_epoch == 0 )
04537         {
04538             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
04539             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
04540         }
04541     }
04542     else
04543 #endif /* MBEDTLS_SSL_PROTO_DTLS */
04544     memset( ssl->in_ctr, 0, 8 );
04545 
04546     /*
04547      * Set the in_msg pointer to the correct location based on IV length
04548      */
04549     if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
04550     {
04551         ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
04552                       ssl->transform_negotiate->fixed_ivlen;
04553     }
04554     else
04555         ssl->in_msg = ssl->in_iv;
04556 
04557 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
04558     if( mbedtls_ssl_hw_record_activate != NULL )
04559     {
04560         if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
04561         {
04562             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
04563             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
04564         }
04565     }
04566 #endif
04567 
04568     ssl->state++;
04569 
04570     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
04571 
04572     return( 0 );
04573 }
04574 
04575 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
04576                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
04577 {
04578     ((void) ciphersuite_info);
04579 
04580 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04581     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04582     if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
04583         ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
04584     else
04585 #endif
04586 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04587 #if defined(MBEDTLS_SHA512_C)
04588     if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
04589         ssl->handshake->update_checksum = ssl_update_checksum_sha384;
04590     else
04591 #endif
04592 #if defined(MBEDTLS_SHA256_C)
04593     if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
04594         ssl->handshake->update_checksum = ssl_update_checksum_sha256;
04595     else
04596 #endif
04597 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04598     {
04599         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
04600         return;
04601     }
04602 }
04603 
04604 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
04605 {
04606 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04607     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04608      mbedtls_md5_starts( &ssl->handshake->fin_md5  );
04609     mbedtls_sha1_starts( &ssl->handshake->fin_sha1 );
04610 #endif
04611 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04612 #if defined(MBEDTLS_SHA256_C)
04613     mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
04614 #endif
04615 #if defined(MBEDTLS_SHA512_C)
04616     mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
04617 #endif
04618 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04619 }
04620 
04621 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
04622                                        const unsigned char *buf, size_t len )
04623 {
04624 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04625     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04626      mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
04627     mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
04628 #endif
04629 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04630 #if defined(MBEDTLS_SHA256_C)
04631     mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
04632 #endif
04633 #if defined(MBEDTLS_SHA512_C)
04634     mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
04635 #endif
04636 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04637 }
04638 
04639 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
04640     defined(MBEDTLS_SSL_PROTO_TLS1_1)
04641 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
04642                                          const unsigned char *buf, size_t len )
04643 {
04644      mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
04645     mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
04646 }
04647 #endif
04648 
04649 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04650 #if defined(MBEDTLS_SHA256_C)
04651 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
04652                                         const unsigned char *buf, size_t len )
04653 {
04654     mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
04655 }
04656 #endif
04657 
04658 #if defined(MBEDTLS_SHA512_C)
04659 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
04660                                         const unsigned char *buf, size_t len )
04661 {
04662     mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
04663 }
04664 #endif
04665 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04666 
04667 #if defined(MBEDTLS_SSL_PROTO_SSL3)
04668 static void ssl_calc_finished_ssl(
04669                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
04670 {
04671     const char *sender;
04672     mbedtls_md5_context  md5;
04673     mbedtls_sha1_context sha1;
04674 
04675     unsigned char padbuf[48];
04676     unsigned char md5sum[16];
04677     unsigned char sha1sum[20];
04678 
04679     mbedtls_ssl_session *session = ssl->session_negotiate;
04680     if( !session )
04681         session = ssl->session;
04682 
04683     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished ssl" ) );
04684 
04685     mbedtls_md5_init( &md5 );
04686     mbedtls_sha1_init( &sha1 );
04687 
04688     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
04689     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
04690 
04691     /*
04692      * SSLv3:
04693      *   hash =
04694      *      MD5( master + pad2 +
04695      *          MD5( handshake + sender + master + pad1 ) )
04696      *   + SHA1( master + pad2 +
04697      *         SHA1( handshake + sender + master + pad1 ) )
04698      */
04699 
04700 #if !defined(MBEDTLS_MD5_ALT)
04701     MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
04702                     md5.state , sizeof(  md5.state  ) );
04703 #endif
04704 
04705 #if !defined(MBEDTLS_SHA1_ALT)
04706     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
04707                    sha1.state , sizeof( sha1.state  ) );
04708 #endif
04709 
04710     sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
04711                                        : "SRVR";
04712 
04713     memset( padbuf, 0x36, 48 );
04714 
04715     mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 );
04716     mbedtls_md5_update( &md5, session->master, 48 );
04717     mbedtls_md5_update( &md5, padbuf, 48 );
04718     mbedtls_md5_finish( &md5, md5sum );
04719 
04720     mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 );
04721     mbedtls_sha1_update( &sha1, session->master, 48 );
04722     mbedtls_sha1_update( &sha1, padbuf, 40 );
04723     mbedtls_sha1_finish( &sha1, sha1sum );
04724 
04725     memset( padbuf, 0x5C, 48 );
04726 
04727     mbedtls_md5_starts( &md5 );
04728     mbedtls_md5_update( &md5, session->master, 48 );
04729     mbedtls_md5_update( &md5, padbuf, 48 );
04730     mbedtls_md5_update( &md5, md5sum, 16 );
04731     mbedtls_md5_finish( &md5, buf );
04732 
04733     mbedtls_sha1_starts( &sha1 );
04734     mbedtls_sha1_update( &sha1, session->master, 48 );
04735     mbedtls_sha1_update( &sha1, padbuf , 40 );
04736     mbedtls_sha1_update( &sha1, sha1sum, 20 );
04737     mbedtls_sha1_finish( &sha1, buf + 16 );
04738 
04739     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
04740 
04741     mbedtls_md5_free(  &md5  );
04742     mbedtls_sha1_free( &sha1 );
04743 
04744     mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
04745     mbedtls_zeroize(  md5sum, sizeof(  md5sum ) );
04746     mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
04747 
04748     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
04749 }
04750 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
04751 
04752 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
04753 static void ssl_calc_finished_tls(
04754                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
04755 {
04756     int len = 12;
04757     const char *sender;
04758     mbedtls_md5_context  md5;
04759     mbedtls_sha1_context sha1;
04760     unsigned char padbuf[36];
04761 
04762     mbedtls_ssl_session *session = ssl->session_negotiate;
04763     if( !session )
04764         session = ssl->session;
04765 
04766     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls" ) );
04767 
04768     mbedtls_md5_init( &md5 );
04769     mbedtls_sha1_init( &sha1 );
04770 
04771     mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
04772     mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
04773 
04774     /*
04775      * TLSv1:
04776      *   hash = PRF( master, finished_label,
04777      *               MD5( handshake ) + SHA1( handshake ) )[0..11]
04778      */
04779 
04780 #if !defined(MBEDTLS_MD5_ALT)
04781     MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
04782                     md5.state , sizeof(  md5.state  ) );
04783 #endif
04784 
04785 #if !defined(MBEDTLS_SHA1_ALT)
04786     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
04787                    sha1.state , sizeof( sha1.state  ) );
04788 #endif
04789 
04790     sender = ( from == MBEDTLS_SSL_IS_CLIENT )
04791              ? "client finished"
04792              : "server finished";
04793 
04794     mbedtls_md5_finish(  &md5, padbuf );
04795     mbedtls_sha1_finish( &sha1, padbuf + 16 );
04796 
04797     ssl->handshake->tls_prf( session->master, 48, sender,
04798                              padbuf, 36, buf, len );
04799 
04800     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
04801 
04802     mbedtls_md5_free(  &md5  );
04803     mbedtls_sha1_free( &sha1 );
04804 
04805     mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
04806 
04807     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
04808 }
04809 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
04810 
04811 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
04812 #if defined(MBEDTLS_SHA256_C)
04813 static void ssl_calc_finished_tls_sha256(
04814                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
04815 {
04816     int len = 12;
04817     const char *sender;
04818     mbedtls_sha256_context sha256;
04819     unsigned char padbuf[32];
04820 
04821     mbedtls_ssl_session *session = ssl->session_negotiate;
04822     if( !session )
04823         session = ssl->session;
04824 
04825     mbedtls_sha256_init( &sha256 );
04826 
04827     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha256" ) );
04828 
04829     mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
04830 
04831     /*
04832      * TLSv1.2:
04833      *   hash = PRF( master, finished_label,
04834      *               Hash( handshake ) )[0.11]
04835      */
04836 
04837 #if !defined(MBEDTLS_SHA256_ALT)
04838     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
04839                    sha256.state , sizeof( sha256.state  ) );
04840 #endif
04841 
04842     sender = ( from == MBEDTLS_SSL_IS_CLIENT )
04843              ? "client finished"
04844              : "server finished";
04845 
04846     mbedtls_sha256_finish( &sha256, padbuf );
04847 
04848     ssl->handshake->tls_prf( session->master, 48, sender,
04849                              padbuf, 32, buf, len );
04850 
04851     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
04852 
04853     mbedtls_sha256_free( &sha256 );
04854 
04855     mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
04856 
04857     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
04858 }
04859 #endif /* MBEDTLS_SHA256_C */
04860 
04861 #if defined(MBEDTLS_SHA512_C)
04862 static void ssl_calc_finished_tls_sha384(
04863                 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
04864 {
04865     int len = 12;
04866     const char *sender;
04867     mbedtls_sha512_context sha512;
04868     unsigned char padbuf[48];
04869 
04870     mbedtls_ssl_session *session = ssl->session_negotiate;
04871     if( !session )
04872         session = ssl->session;
04873 
04874     mbedtls_sha512_init( &sha512 );
04875 
04876     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha384" ) );
04877 
04878     mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
04879 
04880     /*
04881      * TLSv1.2:
04882      *   hash = PRF( master, finished_label,
04883      *               Hash( handshake ) )[0.11]
04884      */
04885 
04886 #if !defined(MBEDTLS_SHA512_ALT)
04887     MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
04888                    sha512.state , sizeof( sha512.state  ) );
04889 #endif
04890 
04891     sender = ( from == MBEDTLS_SSL_IS_CLIENT )
04892              ? "client finished"
04893              : "server finished";
04894 
04895     mbedtls_sha512_finish( &sha512, padbuf );
04896 
04897     ssl->handshake->tls_prf( session->master, 48, sender,
04898                              padbuf, 48, buf, len );
04899 
04900     MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
04901 
04902     mbedtls_sha512_free( &sha512 );
04903 
04904     mbedtls_zeroize(  padbuf, sizeof( padbuf ) );
04905 
04906     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
04907 }
04908 #endif /* MBEDTLS_SHA512_C */
04909 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
04910 
04911 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
04912 {
04913     MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
04914 
04915     /*
04916      * Free our handshake params
04917      */
04918     mbedtls_ssl_handshake_free( ssl->handshake );
04919     mbedtls_free( ssl->handshake );
04920     ssl->handshake = NULL;
04921 
04922     /*
04923      * Free the previous transform and swith in the current one
04924      */
04925     if( ssl->transform )
04926     {
04927         mbedtls_ssl_transform_free( ssl->transform );
04928         mbedtls_free( ssl->transform );
04929     }
04930     ssl->transform = ssl->transform_negotiate;
04931     ssl->transform_negotiate = NULL;
04932 
04933     MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
04934 }
04935 
04936 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
04937 {
04938     int resume = ssl->handshake->resume;
04939 
04940     MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
04941 
04942 #if defined(MBEDTLS_SSL_RENEGOTIATION)
04943     if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
04944     {
04945         ssl->renego_status =  MBEDTLS_SSL_RENEGOTIATION_DONE;
04946         ssl->renego_records_seen = 0;
04947     }
04948 #endif
04949 
04950     /*
04951      * Free the previous session and switch in the current one
04952      */
04953     if( ssl->session )
04954     {
04955 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
04956         /* RFC 7366 3.1: keep the EtM state */
04957         ssl->session_negotiate->encrypt_then_mac =
04958                   ssl->session->encrypt_then_mac;
04959 #endif
04960 
04961         mbedtls_ssl_session_free( ssl->session );
04962         mbedtls_free( ssl->session );
04963     }
04964     ssl->session = ssl->session_negotiate;
04965     ssl->session_negotiate = NULL;
04966 
04967     /*
04968      * Add cache entry
04969      */
04970     if( ssl->conf->f_set_cache != NULL &&
04971         ssl->session->id_len != 0 &&
04972         resume == 0 )
04973     {
04974         if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
04975             MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
04976     }
04977 
04978 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04979     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
04980         ssl->handshake->flight != NULL )
04981     {
04982         /* Cancel handshake timer */
04983         ssl_set_timer( ssl, 0 );
04984 
04985         /* Keep last flight around in case we need to resend it:
04986          * we need the handshake and transform structures for that */
04987         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
04988     }
04989     else
04990 #endif
04991         ssl_handshake_wrapup_free_hs_transform( ssl );
04992 
04993     ssl->state++;
04994 
04995     MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
04996 }
04997 
04998 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
04999 {
05000     int ret, hash_len;
05001 
05002     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
05003 
05004     /*
05005      * Set the out_msg pointer to the correct location based on IV length
05006      */
05007     if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
05008     {
05009         ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
05010                        ssl->transform_negotiate->fixed_ivlen;
05011     }
05012     else
05013         ssl->out_msg = ssl->out_iv;
05014 
05015     ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
05016 
05017     /*
05018      * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
05019      * may define some other value. Currently (early 2016), no defined
05020      * ciphersuite does this (and this is unlikely to change as activity has
05021      * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
05022      */
05023     hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
05024 
05025 #if defined(MBEDTLS_SSL_RENEGOTIATION)
05026     ssl->verify_data_len = hash_len;
05027     memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
05028 #endif
05029 
05030     ssl->out_msglen  = 4 + hash_len;
05031     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
05032     ssl->out_msg[0]  = MBEDTLS_SSL_HS_FINISHED;
05033 
05034     /*
05035      * In case of session resuming, invert the client and server
05036      * ChangeCipherSpec messages order.
05037      */
05038     if( ssl->handshake->resume != 0 )
05039     {
05040 #if defined(MBEDTLS_SSL_CLI_C)
05041         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
05042             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
05043 #endif
05044 #if defined(MBEDTLS_SSL_SRV_C)
05045         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
05046             ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
05047 #endif
05048     }
05049     else
05050         ssl->state++;
05051 
05052     /*
05053      * Switch to our negotiated transform and session parameters for outbound
05054      * data.
05055      */
05056     MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
05057 
05058 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05059     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05060     {
05061         unsigned char i;
05062 
05063         /* Remember current epoch settings for resending */
05064         ssl->handshake->alt_transform_out = ssl->transform_out;
05065         memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 );
05066 
05067         /* Set sequence_number to zero */
05068         memset( ssl->out_ctr + 2, 0, 6 );
05069 
05070         /* Increment epoch */
05071         for( i = 2; i > 0; i-- )
05072             if( ++ssl->out_ctr[i - 1] != 0 )
05073                 break;
05074 
05075         /* The loop goes to its end iff the counter is wrapping */
05076         if( i == 0 )
05077         {
05078             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
05079             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
05080         }
05081     }
05082     else
05083 #endif /* MBEDTLS_SSL_PROTO_DTLS */
05084     memset( ssl->out_ctr, 0, 8 );
05085 
05086     ssl->transform_out = ssl->transform_negotiate;
05087     ssl->session_out = ssl->session_negotiate;
05088 
05089 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
05090     if( mbedtls_ssl_hw_record_activate != NULL )
05091     {
05092         if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
05093         {
05094             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
05095             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
05096         }
05097     }
05098 #endif
05099 
05100 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05101     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05102         mbedtls_ssl_send_flight_completed( ssl );
05103 #endif
05104 
05105     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
05106     {
05107         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
05108         return( ret );
05109     }
05110 
05111     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
05112 
05113     return( 0 );
05114 }
05115 
05116 #if defined(MBEDTLS_SSL_PROTO_SSL3)
05117 #define SSL_MAX_HASH_LEN 36
05118 #else
05119 #define SSL_MAX_HASH_LEN 12
05120 #endif
05121 
05122 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
05123 {
05124     int ret;
05125     unsigned int hash_len;
05126     unsigned char buf[SSL_MAX_HASH_LEN];
05127 
05128     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
05129 
05130     ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
05131 
05132     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
05133     {
05134         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
05135         return( ret );
05136     }
05137 
05138     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
05139     {
05140         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
05141         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
05142     }
05143 
05144     /* There is currently no ciphersuite using another length with TLS 1.2 */
05145 #if defined(MBEDTLS_SSL_PROTO_SSL3)
05146     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
05147         hash_len = 36;
05148     else
05149 #endif
05150         hash_len = 12;
05151 
05152     if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
05153         ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
05154     {
05155         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
05156         return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
05157     }
05158 
05159     if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
05160                       buf, hash_len ) != 0 )
05161     {
05162         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
05163         return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
05164     }
05165 
05166 #if defined(MBEDTLS_SSL_RENEGOTIATION)
05167     ssl->verify_data_len = hash_len;
05168     memcpy( ssl->peer_verify_data, buf, hash_len );
05169 #endif
05170 
05171     if( ssl->handshake->resume != 0 )
05172     {
05173 #if defined(MBEDTLS_SSL_CLI_C)
05174         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
05175             ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
05176 #endif
05177 #if defined(MBEDTLS_SSL_SRV_C)
05178         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
05179             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
05180 #endif
05181     }
05182     else
05183         ssl->state++;
05184 
05185 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05186     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05187         mbedtls_ssl_recv_flight_completed( ssl );
05188 #endif
05189 
05190     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
05191 
05192     return( 0 );
05193 }
05194 
05195 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
05196 {
05197     memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
05198 
05199 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
05200     defined(MBEDTLS_SSL_PROTO_TLS1_1)
05201      mbedtls_md5_init(   &handshake->fin_md5  );
05202     mbedtls_sha1_init(   &handshake->fin_sha1 );
05203      mbedtls_md5_starts( &handshake->fin_md5  );
05204     mbedtls_sha1_starts( &handshake->fin_sha1 );
05205 #endif
05206 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
05207 #if defined(MBEDTLS_SHA256_C)
05208     mbedtls_sha256_init(   &handshake->fin_sha256    );
05209     mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
05210 #endif
05211 #if defined(MBEDTLS_SHA512_C)
05212     mbedtls_sha512_init(   &handshake->fin_sha512    );
05213     mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
05214 #endif
05215 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
05216 
05217     handshake->update_checksum = ssl_update_checksum_start;
05218     handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1;
05219 
05220 #if defined(MBEDTLS_DHM_C)
05221     mbedtls_dhm_init( &handshake->dhm_ctx );
05222 #endif
05223 #if defined(MBEDTLS_ECDH_C)
05224     mbedtls_ecdh_init( &handshake->ecdh_ctx );
05225 #endif
05226 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
05227     mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
05228 #if defined(MBEDTLS_SSL_CLI_C)
05229     handshake->ecjpake_cache = NULL;
05230     handshake->ecjpake_cache_len = 0;
05231 #endif
05232 #endif
05233 
05234 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
05235     handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
05236 #endif
05237 }
05238 
05239 static void ssl_transform_init( mbedtls_ssl_transform *transform )
05240 {
05241     memset( transform, 0, sizeof(mbedtls_ssl_transform) );
05242 
05243     mbedtls_cipher_init( &transform->cipher_ctx_enc );
05244     mbedtls_cipher_init( &transform->cipher_ctx_dec );
05245 
05246     mbedtls_md_init( &transform->md_ctx_enc );
05247     mbedtls_md_init( &transform->md_ctx_dec );
05248 }
05249 
05250 void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
05251 {
05252     memset( session, 0, sizeof(mbedtls_ssl_session) );
05253 }
05254 
05255 static int ssl_handshake_init( mbedtls_ssl_context *ssl )
05256 {
05257     /* Clear old handshake information if present */
05258     if( ssl->transform_negotiate )
05259         mbedtls_ssl_transform_free( ssl->transform_negotiate );
05260     if( ssl->session_negotiate )
05261         mbedtls_ssl_session_free( ssl->session_negotiate );
05262     if( ssl->handshake )
05263         mbedtls_ssl_handshake_free( ssl->handshake );
05264 
05265     /*
05266      * Either the pointers are now NULL or cleared properly and can be freed.
05267      * Now allocate missing structures.
05268      */
05269     if( ssl->transform_negotiate == NULL )
05270     {
05271         ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
05272     }
05273 
05274     if( ssl->session_negotiate == NULL )
05275     {
05276         ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
05277     }
05278 
05279     if( ssl->handshake == NULL )
05280     {
05281         ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
05282     }
05283 
05284     /* All pointers should exist and can be directly freed without issue */
05285     if( ssl->handshake == NULL ||
05286         ssl->transform_negotiate == NULL ||
05287         ssl->session_negotiate == NULL )
05288     {
05289         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
05290 
05291         mbedtls_free( ssl->handshake );
05292         mbedtls_free( ssl->transform_negotiate );
05293         mbedtls_free( ssl->session_negotiate );
05294 
05295         ssl->handshake = NULL;
05296         ssl->transform_negotiate = NULL;
05297         ssl->session_negotiate = NULL;
05298 
05299         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05300     }
05301 
05302     /* Initialize structures */
05303     mbedtls_ssl_session_init( ssl->session_negotiate );
05304     ssl_transform_init( ssl->transform_negotiate );
05305     ssl_handshake_params_init( ssl->handshake );
05306 
05307 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05308     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05309     {
05310         ssl->handshake->alt_transform_out = ssl->transform_out;
05311 
05312         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
05313             ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
05314         else
05315             ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
05316 
05317         ssl_set_timer( ssl, 0 );
05318     }
05319 #endif
05320 
05321     return( 0 );
05322 }
05323 
05324 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
05325 /* Dummy cookie callbacks for defaults */
05326 static int ssl_cookie_write_dummy( void *ctx,
05327                       unsigned char **p, unsigned char *end,
05328                       const unsigned char *cli_id, size_t cli_id_len )
05329 {
05330     ((void) ctx);
05331     ((void) p);
05332     ((void) end);
05333     ((void) cli_id);
05334     ((void) cli_id_len);
05335 
05336     return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
05337 }
05338 
05339 static int ssl_cookie_check_dummy( void *ctx,
05340                       const unsigned char *cookie, size_t cookie_len,
05341                       const unsigned char *cli_id, size_t cli_id_len )
05342 {
05343     ((void) ctx);
05344     ((void) cookie);
05345     ((void) cookie_len);
05346     ((void) cli_id);
05347     ((void) cli_id_len);
05348 
05349     return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
05350 }
05351 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
05352 
05353 /*
05354  * Initialize an SSL context
05355  */
05356 void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
05357 {
05358     memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
05359 }
05360 
05361 /*
05362  * Setup an SSL context
05363  */
05364 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
05365                        const mbedtls_ssl_config *conf )
05366 {
05367     int ret;
05368     const size_t len = MBEDTLS_SSL_BUFFER_LEN;
05369 
05370     ssl->conf = conf;
05371 
05372     /*
05373      * Prepare base structures
05374      */
05375     if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
05376         ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
05377     {
05378         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
05379         mbedtls_free( ssl->in_buf );
05380         ssl->in_buf = NULL;
05381         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05382     }
05383 
05384 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05385     if( conf->transport  == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
05386     {
05387         ssl->out_hdr = ssl->out_buf;
05388         ssl->out_ctr = ssl->out_buf +  3;
05389         ssl->out_len = ssl->out_buf + 11;
05390         ssl->out_iv  = ssl->out_buf + 13;
05391         ssl->out_msg = ssl->out_buf + 13;
05392 
05393         ssl->in_hdr = ssl->in_buf;
05394         ssl->in_ctr = ssl->in_buf +  3;
05395         ssl->in_len = ssl->in_buf + 11;
05396         ssl->in_iv  = ssl->in_buf + 13;
05397         ssl->in_msg = ssl->in_buf + 13;
05398     }
05399     else
05400 #endif
05401     {
05402         ssl->out_ctr = ssl->out_buf;
05403         ssl->out_hdr = ssl->out_buf +  8;
05404         ssl->out_len = ssl->out_buf + 11;
05405         ssl->out_iv  = ssl->out_buf + 13;
05406         ssl->out_msg = ssl->out_buf + 13;
05407 
05408         ssl->in_ctr = ssl->in_buf;
05409         ssl->in_hdr = ssl->in_buf +  8;
05410         ssl->in_len = ssl->in_buf + 11;
05411         ssl->in_iv  = ssl->in_buf + 13;
05412         ssl->in_msg = ssl->in_buf + 13;
05413     }
05414 
05415     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
05416         return( ret );
05417 
05418     return( 0 );
05419 }
05420 
05421 /*
05422  * Reset an initialized and used SSL context for re-use while retaining
05423  * all application-set variables, function pointers and data.
05424  *
05425  * If partial is non-zero, keep data in the input buffer and client ID.
05426  * (Use when a DTLS client reconnects from the same port.)
05427  */
05428 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
05429 {
05430     int ret;
05431 
05432     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
05433 
05434     /* Cancel any possibly running timer */
05435     ssl_set_timer( ssl, 0 );
05436 
05437 #if defined(MBEDTLS_SSL_RENEGOTIATION)
05438     ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
05439     ssl->renego_records_seen = 0;
05440 
05441     ssl->verify_data_len = 0;
05442     memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
05443     memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
05444 #endif
05445     ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
05446 
05447     ssl->in_offt = NULL;
05448 
05449     ssl->in_msg = ssl->in_buf + 13;
05450     ssl->in_msgtype = 0;
05451     ssl->in_msglen = 0;
05452     if( partial == 0 )
05453         ssl->in_left = 0;
05454 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05455     ssl->next_record_offset = 0;
05456     ssl->in_epoch = 0;
05457 #endif
05458 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
05459     ssl_dtls_replay_reset( ssl );
05460 #endif
05461 
05462     ssl->in_hslen = 0;
05463     ssl->nb_zero = 0;
05464     ssl->record_read = 0;
05465 
05466     ssl->out_msg = ssl->out_buf + 13;
05467     ssl->out_msgtype = 0;
05468     ssl->out_msglen = 0;
05469     ssl->out_left = 0;
05470 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
05471     if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
05472         ssl->split_done = 0;
05473 #endif
05474 
05475     ssl->transform_in = NULL;
05476     ssl->transform_out = NULL;
05477 
05478     memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
05479     if( partial == 0 )
05480         memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
05481 
05482 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
05483     if( mbedtls_ssl_hw_record_reset != NULL )
05484     {
05485         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
05486         if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
05487         {
05488             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
05489             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
05490         }
05491     }
05492 #endif
05493 
05494     if( ssl->transform )
05495     {
05496         mbedtls_ssl_transform_free( ssl->transform );
05497         mbedtls_free( ssl->transform );
05498         ssl->transform = NULL;
05499     }
05500 
05501     if( ssl->session )
05502     {
05503         mbedtls_ssl_session_free( ssl->session );
05504         mbedtls_free( ssl->session );
05505         ssl->session = NULL;
05506     }
05507 
05508 #if defined(MBEDTLS_SSL_ALPN)
05509     ssl->alpn_chosen = NULL;
05510 #endif
05511 
05512 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
05513     if( partial == 0 )
05514     {
05515         mbedtls_free( ssl->cli_id );
05516         ssl->cli_id = NULL;
05517         ssl->cli_id_len = 0;
05518     }
05519 #endif
05520 
05521     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
05522         return( ret );
05523 
05524     return( 0 );
05525 }
05526 
05527 /*
05528  * Reset an initialized and used SSL context for re-use while retaining
05529  * all application-set variables, function pointers and data.
05530  */
05531 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
05532 {
05533     return( ssl_session_reset_int( ssl, 0 ) );
05534 }
05535 
05536 /*
05537  * SSL set accessors
05538  */
05539 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
05540 {
05541     conf->endpoint    = endpoint;
05542 }
05543 
05544 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
05545 {
05546     conf->transport  = transport;
05547 }
05548 
05549 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
05550 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
05551 {
05552     conf->anti_replay  = mode;
05553 }
05554 #endif
05555 
05556 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
05557 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
05558 {
05559     conf->badmac_limit  = limit;
05560 }
05561 #endif
05562 
05563 #if defined(MBEDTLS_SSL_PROTO_DTLS)
05564 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max )
05565 {
05566     conf->hs_timeout_min  = min;
05567     conf->hs_timeout_max  = max;
05568 }
05569 #endif
05570 
05571 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
05572 {
05573     conf->authmode    = authmode;
05574 }
05575 
05576 #if defined(MBEDTLS_X509_CRT_PARSE_C)
05577 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
05578                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
05579                      void *p_vrfy )
05580 {
05581     conf->f_vrfy      = f_vrfy;
05582     conf->p_vrfy       = p_vrfy;
05583 }
05584 #endif /* MBEDTLS_X509_CRT_PARSE_C */
05585 
05586 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
05587                   int (*f_rng)(void *, unsigned char *, size_t),
05588                   void *p_rng )
05589 {
05590     conf->f_rng      = f_rng;
05591     conf->p_rng       = p_rng;
05592 }
05593 
05594 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
05595                   void (*f_dbg)(void *, int, const char *, int, const char *),
05596                   void  *p_dbg )
05597 {
05598     conf->f_dbg      = f_dbg;
05599     conf->p_dbg       = p_dbg;
05600 }
05601 
05602 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
05603         void *p_bio,
05604         mbedtls_ssl_send_t *f_send,
05605         mbedtls_ssl_recv_t *f_recv,
05606         mbedtls_ssl_recv_timeout_t *f_recv_timeout )
05607 {
05608     ssl->p_bio          = p_bio;
05609     ssl->f_send         = f_send;
05610     ssl->f_recv         = f_recv;
05611     ssl->f_recv_timeout = f_recv_timeout;
05612 }
05613 
05614 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
05615 {
05616     conf->read_timeout    = timeout;
05617 }
05618 
05619 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
05620                                void *p_timer,
05621                                mbedtls_ssl_set_timer_t *f_set_timer,
05622                                mbedtls_ssl_get_timer_t *f_get_timer )
05623 {
05624     ssl->p_timer        = p_timer;
05625     ssl->f_set_timer    = f_set_timer;
05626     ssl->f_get_timer    = f_get_timer;
05627 
05628     /* Make sure we start with no timer running */
05629     ssl_set_timer( ssl, 0 );
05630 }
05631 
05632 #if defined(MBEDTLS_SSL_SRV_C)
05633 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
05634         void *p_cache,
05635         int (*f_get_cache)(void *, mbedtls_ssl_session *),
05636         int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
05637 {
05638     conf->p_cache  = p_cache;
05639     conf->f_get_cache = f_get_cache;
05640     conf->f_set_cache = f_set_cache;
05641 }
05642 #endif /* MBEDTLS_SSL_SRV_C */
05643 
05644 #if defined(MBEDTLS_SSL_CLI_C)
05645 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
05646 {
05647     int ret;
05648 
05649     if( ssl == NULL ||
05650         session == NULL ||
05651         ssl->session_negotiate == NULL ||
05652         ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
05653     {
05654         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05655     }
05656 
05657     if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
05658         return( ret );
05659 
05660     ssl->handshake->resume = 1;
05661 
05662     return( 0 );
05663 }
05664 #endif /* MBEDTLS_SSL_CLI_C */
05665 
05666 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
05667                                    const int *ciphersuites )
05668 {
05669     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
05670     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
05671     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
05672     conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
05673 }
05674 
05675 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
05676                                        const int *ciphersuites,
05677                                        int major, int minor )
05678 {
05679     if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
05680         return;
05681 
05682     if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
05683         return;
05684 
05685     conf->ciphersuite_list [minor] = ciphersuites;
05686 }
05687 
05688 #if defined(MBEDTLS_X509_CRT_PARSE_C)
05689 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
05690                                     const mbedtls_x509_crt_profile *profile )
05691 {
05692     conf->cert_profile  = profile;
05693 }
05694 
05695 /* Append a new keycert entry to a (possibly empty) list */
05696 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
05697                                 mbedtls_x509_crt *cert,
05698                                 mbedtls_pk_context *key )
05699 {
05700     mbedtls_ssl_key_cert *new;
05701 
05702     new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
05703     if( new == NULL )
05704         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05705 
05706     new->cert = cert;
05707     new->key  = key;
05708     new->next = NULL;
05709 
05710     /* Update head is the list was null, else add to the end */
05711     if( *head == NULL )
05712     {
05713         *head = new;
05714     }
05715     else
05716     {
05717         mbedtls_ssl_key_cert *cur = *head;
05718         while( cur->next != NULL )
05719             cur = cur->next;
05720         cur->next = new;
05721     }
05722 
05723     return( 0 );
05724 }
05725 
05726 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
05727                               mbedtls_x509_crt *own_cert,
05728                               mbedtls_pk_context *pk_key )
05729 {
05730     return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) );
05731 }
05732 
05733 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
05734                                mbedtls_x509_crt *ca_chain,
05735                                mbedtls_x509_crl *ca_crl )
05736 {
05737     conf->ca_chain    = ca_chain;
05738     conf->ca_crl      = ca_crl;
05739 }
05740 #endif /* MBEDTLS_X509_CRT_PARSE_C */
05741 
05742 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
05743 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
05744                                  mbedtls_x509_crt *own_cert,
05745                                  mbedtls_pk_context *pk_key )
05746 {
05747     return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
05748                                  own_cert, pk_key ) );
05749 }
05750 
05751 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
05752                                   mbedtls_x509_crt *ca_chain,
05753                                   mbedtls_x509_crl *ca_crl )
05754 {
05755     ssl->handshake->sni_ca_chain   = ca_chain;
05756     ssl->handshake->sni_ca_crl     = ca_crl;
05757 }
05758 
05759 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
05760                                   int authmode )
05761 {
05762     ssl->handshake->sni_authmode = authmode;
05763 }
05764 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
05765 
05766 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
05767 /*
05768  * Set EC J-PAKE password for current handshake
05769  */
05770 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
05771                                          const unsigned char *pw,
05772                                          size_t pw_len )
05773 {
05774     mbedtls_ecjpake_role role;
05775 
05776     if( ssl->handshake == NULL || ssl->conf == NULL )
05777         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05778 
05779     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
05780         role = MBEDTLS_ECJPAKE_SERVER;
05781     else
05782         role = MBEDTLS_ECJPAKE_CLIENT;
05783 
05784     return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
05785                                    role,
05786                                    MBEDTLS_MD_SHA256,
05787                                    MBEDTLS_ECP_DP_SECP256R1 ,
05788                                    pw, pw_len ) );
05789 }
05790 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
05791 
05792 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
05793 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
05794                 const unsigned char *psk, size_t psk_len,
05795                 const unsigned char *psk_identity, size_t psk_identity_len )
05796 {
05797     if( psk == NULL || psk_identity == NULL )
05798         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05799 
05800     if( psk_len > MBEDTLS_PSK_MAX_LEN )
05801         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05802 
05803     /* Identity len will be encoded on two bytes */
05804     if( ( psk_identity_len >> 16 ) != 0 ||
05805         psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
05806     {
05807         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05808     }
05809 
05810     if( conf->psk  != NULL || conf->psk_identity  != NULL )
05811     {
05812         mbedtls_free( conf->psk  );
05813         mbedtls_free( conf->psk_identity  );
05814         conf->psk  = NULL;
05815         conf->psk_identity  = NULL;
05816     }
05817 
05818     if( ( conf->psk  = mbedtls_calloc( 1, psk_len ) ) == NULL ||
05819         ( conf->psk_identity  = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
05820     {
05821         mbedtls_free( conf->psk  );
05822         mbedtls_free( conf->psk_identity  );
05823         conf->psk  = NULL;
05824         conf->psk_identity  = NULL;
05825         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05826     }
05827 
05828     conf->psk_len  = psk_len;
05829     conf->psk_identity_len  = psk_identity_len;
05830 
05831     memcpy( conf->psk , psk, conf->psk_len  );
05832     memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len  );
05833 
05834     return( 0 );
05835 }
05836 
05837 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
05838                             const unsigned char *psk, size_t psk_len )
05839 {
05840     if( psk == NULL || ssl->handshake == NULL )
05841         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05842 
05843     if( psk_len > MBEDTLS_PSK_MAX_LEN )
05844         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05845 
05846     if( ssl->handshake->psk != NULL )
05847         mbedtls_free( ssl->handshake->psk );
05848 
05849     if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
05850         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05851 
05852     ssl->handshake->psk_len = psk_len;
05853     memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
05854 
05855     return( 0 );
05856 }
05857 
05858 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
05859                      int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
05860                      size_t),
05861                      void *p_psk )
05862 {
05863     conf->f_psk = f_psk;
05864     conf->p_psk  = p_psk;
05865 }
05866 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
05867 
05868 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
05869 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
05870 {
05871     int ret;
05872 
05873     if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 ||
05874         ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 )
05875     {
05876         mbedtls_mpi_free( &conf->dhm_P  );
05877         mbedtls_mpi_free( &conf->dhm_G  );
05878         return( ret );
05879     }
05880 
05881     return( 0 );
05882 }
05883 
05884 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
05885 {
05886     int ret;
05887 
05888     if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P  ) ) != 0 ||
05889         ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G  ) ) != 0 )
05890     {
05891         mbedtls_mpi_free( &conf->dhm_P  );
05892         mbedtls_mpi_free( &conf->dhm_G  );
05893         return( ret );
05894     }
05895 
05896     return( 0 );
05897 }
05898 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
05899 
05900 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
05901 /*
05902  * Set the minimum length for Diffie-Hellman parameters
05903  */
05904 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
05905                                       unsigned int bitlen )
05906 {
05907     conf->dhm_min_bitlen  = bitlen;
05908 }
05909 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
05910 
05911 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
05912 /*
05913  * Set allowed/preferred hashes for handshake signatures
05914  */
05915 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
05916                                   const int *hashes )
05917 {
05918     conf->sig_hashes  = hashes;
05919 }
05920 #endif
05921 
05922 #if defined(MBEDTLS_ECP_C)
05923 /*
05924  * Set the allowed elliptic curves
05925  */
05926 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
05927                              const mbedtls_ecp_group_id *curve_list )
05928 {
05929     conf->curve_list  = curve_list;
05930 }
05931 #endif
05932 
05933 #if defined(MBEDTLS_X509_CRT_PARSE_C)
05934 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
05935 {
05936     size_t hostname_len;
05937 
05938     if( hostname == NULL )
05939         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05940 
05941     hostname_len = strlen( hostname );
05942 
05943     if( hostname_len + 1 == 0 )
05944         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05945 
05946     if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
05947         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05948 
05949     ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
05950 
05951     if( ssl->hostname == NULL )
05952         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
05953 
05954     memcpy( ssl->hostname, hostname, hostname_len );
05955 
05956     ssl->hostname[hostname_len] = '\0';
05957 
05958     return( 0 );
05959 }
05960 #endif
05961 
05962 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
05963 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
05964                   int (*f_sni)(void *, mbedtls_ssl_context *,
05965                                 const unsigned char *, size_t),
05966                   void *p_sni )
05967 {
05968     conf->f_sni = f_sni;
05969     conf->p_sni  = p_sni;
05970 }
05971 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
05972 
05973 #if defined(MBEDTLS_SSL_ALPN)
05974 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
05975 {
05976     size_t cur_len, tot_len;
05977     const char **p;
05978 
05979     /*
05980      * "Empty strings MUST NOT be included and byte strings MUST NOT be
05981      * truncated". Check lengths now rather than later.
05982      */
05983     tot_len = 0;
05984     for( p = protos; *p != NULL; p++ )
05985     {
05986         cur_len = strlen( *p );
05987         tot_len += cur_len;
05988 
05989         if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
05990             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
05991     }
05992 
05993     conf->alpn_list  = protos;
05994 
05995     return( 0 );
05996 }
05997 
05998 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
05999 {
06000     return( ssl->alpn_chosen );
06001 }
06002 #endif /* MBEDTLS_SSL_ALPN */
06003 
06004 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
06005 {
06006     conf->max_major_ver  = major;
06007     conf->max_minor_ver  = minor;
06008 }
06009 
06010 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
06011 {
06012     conf->min_major_ver  = major;
06013     conf->min_minor_ver  = minor;
06014 }
06015 
06016 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
06017 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
06018 {
06019     conf->fallback  = fallback;
06020 }
06021 #endif
06022 
06023 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
06024 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
06025 {
06026     conf->encrypt_then_mac  = etm;
06027 }
06028 #endif
06029 
06030 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
06031 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
06032 {
06033     conf->extended_ms  = ems;
06034 }
06035 #endif
06036 
06037 #if defined(MBEDTLS_ARC4_C)
06038 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
06039 {
06040     conf->arc4_disabled  = arc4;
06041 }
06042 #endif
06043 
06044 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
06045 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
06046 {
06047     if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
06048         mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
06049     {
06050         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06051     }
06052 
06053     conf->mfl_code  = mfl_code;
06054 
06055     return( 0 );
06056 }
06057 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
06058 
06059 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
06060 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
06061 {
06062     conf->trunc_hmac  = truncate;
06063 }
06064 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
06065 
06066 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
06067 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
06068 {
06069     conf->cbc_record_splitting  = split;
06070 }
06071 #endif
06072 
06073 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
06074 {
06075     conf->allow_legacy_renegotiation  = allow_legacy;
06076 }
06077 
06078 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06079 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
06080 {
06081     conf->disable_renegotiation  = renegotiation;
06082 }
06083 
06084 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
06085 {
06086     conf->renego_max_records  = max_records;
06087 }
06088 
06089 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
06090                                    const unsigned char period[8] )
06091 {
06092     memcpy( conf->renego_period , period, 8 );
06093 }
06094 #endif /* MBEDTLS_SSL_RENEGOTIATION */
06095 
06096 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
06097 #if defined(MBEDTLS_SSL_CLI_C)
06098 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
06099 {
06100     conf->session_tickets  = use_tickets;
06101 }
06102 #endif
06103 
06104 #if defined(MBEDTLS_SSL_SRV_C)
06105 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
06106         mbedtls_ssl_ticket_write_t *f_ticket_write,
06107         mbedtls_ssl_ticket_parse_t *f_ticket_parse,
06108         void *p_ticket )
06109 {
06110     conf->f_ticket_write = f_ticket_write;
06111     conf->f_ticket_parse = f_ticket_parse;
06112     conf->p_ticket        = p_ticket;
06113 }
06114 #endif
06115 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
06116 
06117 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
06118 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
06119         mbedtls_ssl_export_keys_t *f_export_keys,
06120         void *p_export_keys )
06121 {
06122     conf->f_export_keys = f_export_keys;
06123     conf->p_export_keys  = p_export_keys;
06124 }
06125 #endif
06126 
06127 /*
06128  * SSL get accessors
06129  */
06130 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
06131 {
06132     return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
06133 }
06134 
06135 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
06136 {
06137     if( ssl->session != NULL )
06138         return( ssl->session->verify_result );
06139 
06140     if( ssl->session_negotiate != NULL )
06141         return( ssl->session_negotiate->verify_result );
06142 
06143     return( 0xFFFFFFFF );
06144 }
06145 
06146 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
06147 {
06148     if( ssl == NULL || ssl->session == NULL )
06149         return( NULL );
06150 
06151     return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
06152 }
06153 
06154 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
06155 {
06156 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06157     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
06158     {
06159         switch( ssl->minor_ver )
06160         {
06161             case MBEDTLS_SSL_MINOR_VERSION_2:
06162                 return( "DTLSv1.0" );
06163 
06164             case MBEDTLS_SSL_MINOR_VERSION_3:
06165                 return( "DTLSv1.2" );
06166 
06167             default:
06168                 return( "unknown (DTLS)" );
06169         }
06170     }
06171 #endif
06172 
06173     switch( ssl->minor_ver )
06174     {
06175         case MBEDTLS_SSL_MINOR_VERSION_0:
06176             return( "SSLv3.0" );
06177 
06178         case MBEDTLS_SSL_MINOR_VERSION_1:
06179             return( "TLSv1.0" );
06180 
06181         case MBEDTLS_SSL_MINOR_VERSION_2:
06182             return( "TLSv1.1" );
06183 
06184         case MBEDTLS_SSL_MINOR_VERSION_3:
06185             return( "TLSv1.2" );
06186 
06187         default:
06188             return( "unknown" );
06189     }
06190 }
06191 
06192 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
06193 {
06194     size_t transform_expansion;
06195     const mbedtls_ssl_transform *transform = ssl->transform_out;
06196 
06197 #if defined(MBEDTLS_ZLIB_SUPPORT)
06198     if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
06199         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
06200 #endif
06201 
06202     if( transform == NULL )
06203         return( (int) mbedtls_ssl_hdr_len( ssl ) );
06204 
06205     switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
06206     {
06207         case MBEDTLS_MODE_GCM:
06208         case MBEDTLS_MODE_CCM:
06209         case MBEDTLS_MODE_STREAM:
06210             transform_expansion = transform->minlen;
06211             break;
06212 
06213         case MBEDTLS_MODE_CBC:
06214             transform_expansion = transform->maclen
06215                       + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc );
06216             break;
06217 
06218         default:
06219             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
06220             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
06221     }
06222 
06223     return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
06224 }
06225 
06226 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
06227 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
06228 {
06229     size_t max_len;
06230 
06231     /*
06232      * Assume mfl_code is correct since it was checked when set
06233      */
06234     max_len = mfl_code_to_length[ssl->conf->mfl_code];
06235 
06236     /*
06237      * Check if a smaller max length was negotiated
06238      */
06239     if( ssl->session_out != NULL &&
06240         mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
06241     {
06242         max_len = mfl_code_to_length[ssl->session_out->mfl_code];
06243     }
06244 
06245     return max_len;
06246 }
06247 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
06248 
06249 #if defined(MBEDTLS_X509_CRT_PARSE_C)
06250 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
06251 {
06252     if( ssl == NULL || ssl->session == NULL )
06253         return( NULL );
06254 
06255     return( ssl->session->peer_cert );
06256 }
06257 #endif /* MBEDTLS_X509_CRT_PARSE_C */
06258 
06259 #if defined(MBEDTLS_SSL_CLI_C)
06260 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst )
06261 {
06262     if( ssl == NULL ||
06263         dst == NULL ||
06264         ssl->session == NULL ||
06265         ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
06266     {
06267         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06268     }
06269 
06270     return( ssl_session_copy( dst, ssl->session ) );
06271 }
06272 #endif /* MBEDTLS_SSL_CLI_C */
06273 
06274 /*
06275  * Perform a single step of the SSL handshake
06276  */
06277 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
06278 {
06279     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
06280 
06281     if( ssl == NULL || ssl->conf == NULL )
06282         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06283 
06284 #if defined(MBEDTLS_SSL_CLI_C)
06285     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
06286         ret = mbedtls_ssl_handshake_client_step( ssl );
06287 #endif
06288 #if defined(MBEDTLS_SSL_SRV_C)
06289     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
06290         ret = mbedtls_ssl_handshake_server_step( ssl );
06291 #endif
06292 
06293     return( ret );
06294 }
06295 
06296 /*
06297  * Perform the SSL handshake
06298  */
06299 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
06300 {
06301     int ret = 0;
06302 
06303     if( ssl == NULL || ssl->conf == NULL )
06304         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06305 
06306     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
06307 
06308     while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06309     {
06310         ret = mbedtls_ssl_handshake_step( ssl );
06311 
06312         if( ret != 0 )
06313             break;
06314     }
06315 
06316     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
06317 
06318     return( ret );
06319 }
06320 
06321 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06322 #if defined(MBEDTLS_SSL_SRV_C)
06323 /*
06324  * Write HelloRequest to request renegotiation on server
06325  */
06326 static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
06327 {
06328     int ret;
06329 
06330     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
06331 
06332     ssl->out_msglen  = 4;
06333     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
06334     ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_REQUEST;
06335 
06336     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
06337     {
06338         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
06339         return( ret );
06340     }
06341 
06342     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
06343 
06344     return( 0 );
06345 }
06346 #endif /* MBEDTLS_SSL_SRV_C */
06347 
06348 /*
06349  * Actually renegotiate current connection, triggered by either:
06350  * - any side: calling mbedtls_ssl_renegotiate(),
06351  * - client: receiving a HelloRequest during mbedtls_ssl_read(),
06352  * - server: receiving any handshake message on server during mbedtls_ssl_read() after
06353  *   the initial handshake is completed.
06354  * If the handshake doesn't complete due to waiting for I/O, it will continue
06355  * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
06356  */
06357 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
06358 {
06359     int ret;
06360 
06361     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
06362 
06363     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
06364         return( ret );
06365 
06366     /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
06367      * the ServerHello will have message_seq = 1" */
06368 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06369     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
06370         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
06371     {
06372         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
06373             ssl->handshake->out_msg_seq = 1;
06374         else
06375             ssl->handshake->in_msg_seq = 1;
06376     }
06377 #endif
06378 
06379     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
06380     ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
06381 
06382     if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
06383     {
06384         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
06385         return( ret );
06386     }
06387 
06388     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
06389 
06390     return( 0 );
06391 }
06392 
06393 /*
06394  * Renegotiate current connection on client,
06395  * or request renegotiation on server
06396  */
06397 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
06398 {
06399     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
06400 
06401     if( ssl == NULL || ssl->conf == NULL )
06402         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06403 
06404 #if defined(MBEDTLS_SSL_SRV_C)
06405     /* On server, just send the request */
06406     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
06407     {
06408         if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06409             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06410 
06411         ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
06412 
06413         /* Did we already try/start sending HelloRequest? */
06414         if( ssl->out_left != 0 )
06415             return( mbedtls_ssl_flush_output( ssl ) );
06416 
06417         return( ssl_write_hello_request( ssl ) );
06418     }
06419 #endif /* MBEDTLS_SSL_SRV_C */
06420 
06421 #if defined(MBEDTLS_SSL_CLI_C)
06422     /*
06423      * On client, either start the renegotiation process or,
06424      * if already in progress, continue the handshake
06425      */
06426     if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
06427     {
06428         if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06429             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06430 
06431         if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
06432         {
06433             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
06434             return( ret );
06435         }
06436     }
06437     else
06438     {
06439         if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
06440         {
06441             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
06442             return( ret );
06443         }
06444     }
06445 #endif /* MBEDTLS_SSL_CLI_C */
06446 
06447     return( ret );
06448 }
06449 
06450 /*
06451  * Check record counters and renegotiate if they're above the limit.
06452  */
06453 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
06454 {
06455     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
06456         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
06457         ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
06458     {
06459         return( 0 );
06460     }
06461 
06462     if( memcmp( ssl->in_ctr,  ssl->conf->renego_period, 8 ) <= 0 &&
06463         memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 )
06464     {
06465         return( 0 );
06466     }
06467 
06468     MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
06469     return( mbedtls_ssl_renegotiate( ssl ) );
06470 }
06471 #endif /* MBEDTLS_SSL_RENEGOTIATION */
06472 
06473 /*
06474  * Receive application data decrypted from the SSL layer
06475  */
06476 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
06477 {
06478     int ret, record_read = 0;
06479     size_t n;
06480 
06481     if( ssl == NULL || ssl->conf == NULL )
06482         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06483 
06484     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
06485 
06486 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06487     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
06488     {
06489         if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
06490             return( ret );
06491 
06492         if( ssl->handshake != NULL &&
06493             ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
06494         {
06495             if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
06496                 return( ret );
06497         }
06498     }
06499 #endif
06500 
06501 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06502     if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
06503     {
06504         MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
06505         return( ret );
06506     }
06507 #endif
06508 
06509     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06510     {
06511         ret = mbedtls_ssl_handshake( ssl );
06512         if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
06513         {
06514             record_read = 1;
06515         }
06516         else if( ret != 0 )
06517         {
06518             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
06519             return( ret );
06520         }
06521     }
06522 
06523     if( ssl->in_offt == NULL )
06524     {
06525         /* Start timer if not already running */
06526         if( ssl->f_get_timer != NULL &&
06527             ssl->f_get_timer( ssl->p_timer ) == -1 )
06528         {
06529             ssl_set_timer( ssl, ssl->conf->read_timeout );
06530         }
06531 
06532         if( ! record_read )
06533         {
06534             if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
06535             {
06536                 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
06537                     return( 0 );
06538 
06539                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
06540                 return( ret );
06541             }
06542         }
06543 
06544         if( ssl->in_msglen  == 0 &&
06545             ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
06546         {
06547             /*
06548              * OpenSSL sends empty messages to randomize the IV
06549              */
06550             if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
06551             {
06552                 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
06553                     return( 0 );
06554 
06555                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
06556                 return( ret );
06557             }
06558         }
06559 
06560 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06561         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
06562         {
06563             MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
06564 
06565 #if defined(MBEDTLS_SSL_CLI_C)
06566             if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
06567                 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
06568                   ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
06569             {
06570                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
06571 
06572                 /* With DTLS, drop the packet (probably from last handshake) */
06573 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06574                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
06575                     return( MBEDTLS_ERR_SSL_WANT_READ );
06576 #endif
06577                 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
06578             }
06579 
06580             if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
06581                 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
06582             {
06583                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
06584 
06585                 /* With DTLS, drop the packet (probably from last handshake) */
06586 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06587                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
06588                     return( MBEDTLS_ERR_SSL_WANT_READ );
06589 #endif
06590                 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
06591             }
06592 #endif
06593 
06594             if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
06595                 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
06596                   ssl->conf->allow_legacy_renegotiation ==
06597                                                 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) )
06598             {
06599                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
06600 
06601 #if defined(MBEDTLS_SSL_PROTO_SSL3)
06602                 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
06603                 {
06604                     /*
06605                      * SSLv3 does not have a "no_renegotiation" alert
06606                      */
06607                     if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
06608                         return( ret );
06609                 }
06610                 else
06611 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
06612 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
06613     defined(MBEDTLS_SSL_PROTO_TLS1_2)
06614                 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
06615                 {
06616                     if( ( ret = mbedtls_ssl_send_alert_message( ssl,
06617                                     MBEDTLS_SSL_ALERT_LEVEL_WARNING,
06618                                     MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
06619                     {
06620                         return( ret );
06621                     }
06622                 }
06623                 else
06624 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
06625           MBEDTLS_SSL_PROTO_TLS1_2 */
06626                 {
06627                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
06628                     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
06629                 }
06630             }
06631             else
06632             {
06633                 /* DTLS clients need to know renego is server-initiated */
06634 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06635                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
06636                     ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
06637                 {
06638                     ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
06639                 }
06640 #endif
06641                 ret = ssl_start_renegotiation( ssl );
06642                 if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
06643                 {
06644                     record_read = 1;
06645                 }
06646                 else if( ret != 0 )
06647                 {
06648                     MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
06649                     return( ret );
06650                 }
06651             }
06652 
06653             /* If a non-handshake record was read during renego, fallthrough,
06654              * else tell the user they should call mbedtls_ssl_read() again */
06655             if( ! record_read )
06656                 return( MBEDTLS_ERR_SSL_WANT_READ );
06657         }
06658         else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
06659         {
06660 
06661             if( ssl->conf->renego_max_records >= 0 )
06662             {
06663                 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
06664                 {
06665                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
06666                                         "but not honored by client" ) );
06667                     return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
06668                 }
06669             }
06670         }
06671 #endif /* MBEDTLS_SSL_RENEGOTIATION */
06672 
06673         /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
06674         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
06675         {
06676             MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
06677             return( MBEDTLS_ERR_SSL_WANT_READ );
06678         }
06679 
06680         if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
06681         {
06682             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
06683             return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
06684         }
06685 
06686         ssl->in_offt = ssl->in_msg;
06687 
06688         /* We're going to return something now, cancel timer,
06689          * except if handshake (renegotiation) is in progress */
06690         if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
06691             ssl_set_timer( ssl, 0 );
06692 
06693 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06694         /* If we requested renego but received AppData, resend HelloRequest.
06695          * Do it now, after setting in_offt, to avoid taking this branch
06696          * again if ssl_write_hello_request() returns WANT_WRITE */
06697 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
06698         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
06699             ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
06700         {
06701             if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
06702             {
06703                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
06704                 return( ret );
06705             }
06706         }
06707 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
06708 #endif
06709     }
06710 
06711     n = ( len < ssl->in_msglen )
06712         ? len : ssl->in_msglen;
06713 
06714     memcpy( buf, ssl->in_offt, n );
06715     ssl->in_msglen -= n;
06716 
06717     if( ssl->in_msglen == 0 )
06718         /* all bytes consumed  */
06719         ssl->in_offt = NULL;
06720     else
06721         /* more data available */
06722         ssl->in_offt += n;
06723 
06724     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
06725 
06726     return( (int) n );
06727 }
06728 
06729 /*
06730  * Send application data to be encrypted by the SSL layer,
06731  * taking care of max fragment length and buffer size
06732  */
06733 static int ssl_write_real( mbedtls_ssl_context *ssl,
06734                            const unsigned char *buf, size_t len )
06735 {
06736     int ret;
06737 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
06738     size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
06739 
06740     if( len > max_len )
06741     {
06742 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06743         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
06744         {
06745             MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
06746                                 "maximum fragment length: %d > %d",
06747                                 len, max_len ) );
06748             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06749         }
06750         else
06751 #endif
06752             len = max_len;
06753     }
06754 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
06755 
06756     if( ssl->out_left != 0 )
06757     {
06758         if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
06759         {
06760             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
06761             return( ret );
06762         }
06763     }
06764     else
06765     {
06766         ssl->out_msglen  = len;
06767         ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
06768         memcpy( ssl->out_msg, buf, len );
06769 
06770         if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
06771         {
06772             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
06773             return( ret );
06774         }
06775     }
06776 
06777     return( (int) len );
06778 }
06779 
06780 /*
06781  * Write application data, doing 1/n-1 splitting if necessary.
06782  *
06783  * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
06784  * then the caller will call us again with the same arguments, so
06785  * remember wether we already did the split or not.
06786  */
06787 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
06788 static int ssl_write_split( mbedtls_ssl_context *ssl,
06789                             const unsigned char *buf, size_t len )
06790 {
06791     int ret;
06792 
06793     if( ssl->conf->cbc_record_splitting ==
06794             MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
06795         len <= 1 ||
06796         ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
06797         mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
06798                                 != MBEDTLS_MODE_CBC )
06799     {
06800         return( ssl_write_real( ssl, buf, len ) );
06801     }
06802 
06803     if( ssl->split_done == 0 )
06804     {
06805         if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
06806             return( ret );
06807         ssl->split_done = 1;
06808     }
06809 
06810     if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
06811         return( ret );
06812     ssl->split_done = 0;
06813 
06814     return( ret + 1 );
06815 }
06816 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
06817 
06818 /*
06819  * Write application data (public-facing wrapper)
06820  */
06821 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
06822 {
06823     int ret;
06824 
06825     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
06826 
06827     if( ssl == NULL || ssl->conf == NULL )
06828         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06829 
06830 #if defined(MBEDTLS_SSL_RENEGOTIATION)
06831     if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
06832     {
06833         MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
06834         return( ret );
06835     }
06836 #endif
06837 
06838     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
06839     {
06840         if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
06841         {
06842             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
06843             return( ret );
06844         }
06845     }
06846 
06847 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
06848     ret = ssl_write_split( ssl, buf, len );
06849 #else
06850     ret = ssl_write_real( ssl, buf, len );
06851 #endif
06852 
06853     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
06854 
06855     return( ret );
06856 }
06857 
06858 /*
06859  * Notify the peer that the connection is being closed
06860  */
06861 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
06862 {
06863     int ret;
06864 
06865     if( ssl == NULL || ssl->conf == NULL )
06866         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
06867 
06868     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
06869 
06870     if( ssl->out_left != 0 )
06871         return( mbedtls_ssl_flush_output( ssl ) );
06872 
06873     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
06874     {
06875         if( ( ret = mbedtls_ssl_send_alert_message( ssl,
06876                         MBEDTLS_SSL_ALERT_LEVEL_WARNING,
06877                         MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
06878         {
06879             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
06880             return( ret );
06881         }
06882     }
06883 
06884     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
06885 
06886     return( 0 );
06887 }
06888 
06889 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
06890 {
06891     if( transform == NULL )
06892         return;
06893 
06894 #if defined(MBEDTLS_ZLIB_SUPPORT)
06895     deflateEnd( &transform->ctx_deflate );
06896     inflateEnd( &transform->ctx_inflate );
06897 #endif
06898 
06899     mbedtls_cipher_free( &transform->cipher_ctx_enc );
06900     mbedtls_cipher_free( &transform->cipher_ctx_dec );
06901 
06902     mbedtls_md_free( &transform->md_ctx_enc );
06903     mbedtls_md_free( &transform->md_ctx_dec );
06904 
06905     mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
06906 }
06907 
06908 #if defined(MBEDTLS_X509_CRT_PARSE_C)
06909 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
06910 {
06911     mbedtls_ssl_key_cert *cur = key_cert, *next;
06912 
06913     while( cur != NULL )
06914     {
06915         next = cur->next;
06916         mbedtls_free( cur );
06917         cur = next;
06918     }
06919 }
06920 #endif /* MBEDTLS_X509_CRT_PARSE_C */
06921 
06922 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
06923 {
06924     if( handshake == NULL )
06925         return;
06926 
06927 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
06928     defined(MBEDTLS_SSL_PROTO_TLS1_1)
06929     mbedtls_md5_free(    &handshake->fin_md5  );
06930     mbedtls_sha1_free(   &handshake->fin_sha1 );
06931 #endif
06932 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
06933 #if defined(MBEDTLS_SHA256_C)
06934     mbedtls_sha256_free(   &handshake->fin_sha256    );
06935 #endif
06936 #if defined(MBEDTLS_SHA512_C)
06937     mbedtls_sha512_free(   &handshake->fin_sha512    );
06938 #endif
06939 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
06940 
06941 #if defined(MBEDTLS_DHM_C)
06942     mbedtls_dhm_free( &handshake->dhm_ctx );
06943 #endif
06944 #if defined(MBEDTLS_ECDH_C)
06945     mbedtls_ecdh_free( &handshake->ecdh_ctx );
06946 #endif
06947 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
06948     mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
06949 #if defined(MBEDTLS_SSL_CLI_C)
06950     mbedtls_free( handshake->ecjpake_cache );
06951     handshake->ecjpake_cache = NULL;
06952     handshake->ecjpake_cache_len = 0;
06953 #endif
06954 #endif
06955 
06956 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
06957     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
06958     /* explicit void pointer cast for buggy MS compiler */
06959     mbedtls_free( (void *) handshake->curves );
06960 #endif
06961 
06962 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
06963     if( handshake->psk != NULL )
06964     {
06965         mbedtls_zeroize( handshake->psk, handshake->psk_len );
06966         mbedtls_free( handshake->psk );
06967     }
06968 #endif
06969 
06970 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
06971     defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
06972     /*
06973      * Free only the linked list wrapper, not the keys themselves
06974      * since the belong to the SNI callback
06975      */
06976     if( handshake->sni_key_cert != NULL )
06977     {
06978         mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
06979 
06980         while( cur != NULL )
06981         {
06982             next = cur->next;
06983             mbedtls_free( cur );
06984             cur = next;
06985         }
06986     }
06987 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
06988 
06989 #if defined(MBEDTLS_SSL_PROTO_DTLS)
06990     mbedtls_free( handshake->verify_cookie );
06991     mbedtls_free( handshake->hs_msg );
06992     ssl_flight_free( handshake->flight );
06993 #endif
06994 
06995     mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) );
06996 }
06997 
06998 void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
06999 {
07000     if( session == NULL )
07001         return;
07002 
07003 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07004     if( session->peer_cert != NULL )
07005     {
07006         mbedtls_x509_crt_free( session->peer_cert );
07007         mbedtls_free( session->peer_cert );
07008     }
07009 #endif
07010 
07011 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
07012     mbedtls_free( session->ticket );
07013 #endif
07014 
07015     mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) );
07016 }
07017 
07018 /*
07019  * Free an SSL context
07020  */
07021 void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
07022 {
07023     if( ssl == NULL )
07024         return;
07025 
07026     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
07027 
07028     if( ssl->out_buf != NULL )
07029     {
07030         mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
07031         mbedtls_free( ssl->out_buf );
07032     }
07033 
07034     if( ssl->in_buf != NULL )
07035     {
07036         mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
07037         mbedtls_free( ssl->in_buf );
07038     }
07039 
07040 #if defined(MBEDTLS_ZLIB_SUPPORT)
07041     if( ssl->compress_buf != NULL )
07042     {
07043         mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
07044         mbedtls_free( ssl->compress_buf );
07045     }
07046 #endif
07047 
07048     if( ssl->transform )
07049     {
07050         mbedtls_ssl_transform_free( ssl->transform );
07051         mbedtls_free( ssl->transform );
07052     }
07053 
07054     if( ssl->handshake )
07055     {
07056         mbedtls_ssl_handshake_free( ssl->handshake );
07057         mbedtls_ssl_transform_free( ssl->transform_negotiate );
07058         mbedtls_ssl_session_free( ssl->session_negotiate );
07059 
07060         mbedtls_free( ssl->handshake );
07061         mbedtls_free( ssl->transform_negotiate );
07062         mbedtls_free( ssl->session_negotiate );
07063     }
07064 
07065     if( ssl->session )
07066     {
07067         mbedtls_ssl_session_free( ssl->session );
07068         mbedtls_free( ssl->session );
07069     }
07070 
07071 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07072     if( ssl->hostname != NULL )
07073     {
07074         mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
07075         mbedtls_free( ssl->hostname );
07076     }
07077 #endif
07078 
07079 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
07080     if( mbedtls_ssl_hw_record_finish != NULL )
07081     {
07082         MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
07083         mbedtls_ssl_hw_record_finish( ssl );
07084     }
07085 #endif
07086 
07087 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
07088     mbedtls_free( ssl->cli_id );
07089 #endif
07090 
07091     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
07092 
07093     /* Actually clear after last debug message */
07094     mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
07095 }
07096 
07097 /*
07098  * Initialze mbedtls_ssl_config
07099  */
07100 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
07101 {
07102     memset( conf, 0, sizeof( mbedtls_ssl_config ) );
07103 }
07104 
07105 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07106 static int ssl_preset_default_hashes[] = {
07107 #if defined(MBEDTLS_SHA512_C)
07108     MBEDTLS_MD_SHA512,
07109     MBEDTLS_MD_SHA384,
07110 #endif
07111 #if defined(MBEDTLS_SHA256_C)
07112     MBEDTLS_MD_SHA256,
07113     MBEDTLS_MD_SHA224,
07114 #endif
07115 #if defined(MBEDTLS_SHA1_C)
07116     MBEDTLS_MD_SHA1,
07117 #endif
07118     MBEDTLS_MD_NONE
07119 };
07120 #endif
07121 
07122 static int ssl_preset_suiteb_ciphersuites[] = {
07123     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
07124     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
07125     0
07126 };
07127 
07128 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07129 static int ssl_preset_suiteb_hashes[] = {
07130     MBEDTLS_MD_SHA256,
07131     MBEDTLS_MD_SHA384,
07132     MBEDTLS_MD_NONE
07133 };
07134 #endif
07135 
07136 #if defined(MBEDTLS_ECP_C)
07137 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
07138     MBEDTLS_ECP_DP_SECP256R1 ,
07139     MBEDTLS_ECP_DP_SECP384R1 ,
07140     MBEDTLS_ECP_DP_NONE
07141 };
07142 #endif
07143 
07144 /*
07145  * Load default in mbedtls_ssl_config
07146  */
07147 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
07148                                  int endpoint, int transport, int preset )
07149 {
07150 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
07151     int ret;
07152 #endif
07153 
07154     /* Use the functions here so that they are covered in tests,
07155      * but otherwise access member directly for efficiency */
07156     mbedtls_ssl_conf_endpoint( conf, endpoint );
07157     mbedtls_ssl_conf_transport( conf, transport );
07158 
07159     /*
07160      * Things that are common to all presets
07161      */
07162 #if defined(MBEDTLS_SSL_CLI_C)
07163     if( endpoint == MBEDTLS_SSL_IS_CLIENT )
07164     {
07165         conf->authmode  = MBEDTLS_SSL_VERIFY_REQUIRED;
07166 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
07167         conf->session_tickets  = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
07168 #endif
07169     }
07170 #endif
07171 
07172 #if defined(MBEDTLS_ARC4_C)
07173     conf->arc4_disabled  = MBEDTLS_SSL_ARC4_DISABLED;
07174 #endif
07175 
07176 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
07177     conf->encrypt_then_mac  = MBEDTLS_SSL_ETM_ENABLED;
07178 #endif
07179 
07180 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
07181     conf->extended_ms  = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
07182 #endif
07183 
07184 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
07185     conf->cbc_record_splitting  = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
07186 #endif
07187 
07188 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
07189     conf->f_cookie_write = ssl_cookie_write_dummy;
07190     conf->f_cookie_check = ssl_cookie_check_dummy;
07191 #endif
07192 
07193 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
07194     conf->anti_replay  = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
07195 #endif
07196 
07197 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07198     conf->hs_timeout_min  = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
07199     conf->hs_timeout_max  = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
07200 #endif
07201 
07202 #if defined(MBEDTLS_SSL_RENEGOTIATION)
07203     conf->renego_max_records  = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
07204     memset( conf->renego_period , 0xFF, 7 );
07205     conf->renego_period [7] = 0x00;
07206 #endif
07207 
07208 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
07209             if( endpoint == MBEDTLS_SSL_IS_SERVER )
07210             {
07211                 if( ( ret = mbedtls_ssl_conf_dh_param( conf,
07212                                 MBEDTLS_DHM_RFC5114_MODP_2048_P,
07213                                 MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
07214                 {
07215                     return( ret );
07216                 }
07217             }
07218 #endif
07219 
07220     /*
07221      * Preset-specific defaults
07222      */
07223     switch( preset )
07224     {
07225         /*
07226          * NSA Suite B
07227          */
07228         case MBEDTLS_SSL_PRESET_SUITEB:
07229             conf->min_major_ver  = MBEDTLS_SSL_MAJOR_VERSION_3;
07230             conf->min_minor_ver  = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
07231             conf->max_major_ver  = MBEDTLS_SSL_MAX_MAJOR_VERSION;
07232             conf->max_minor_ver  = MBEDTLS_SSL_MAX_MINOR_VERSION;
07233 
07234             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] =
07235             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] =
07236             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] =
07237             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] =
07238                                    ssl_preset_suiteb_ciphersuites;
07239 
07240 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07241             conf->cert_profile  = &mbedtls_x509_crt_profile_suiteb;
07242 #endif
07243 
07244 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07245             conf->sig_hashes  = ssl_preset_suiteb_hashes;
07246 #endif
07247 
07248 #if defined(MBEDTLS_ECP_C)
07249             conf->curve_list  = ssl_preset_suiteb_curves;
07250 #endif
07251             break;
07252 
07253         /*
07254          * Default
07255          */
07256         default:
07257             conf->min_major_ver  = MBEDTLS_SSL_MAJOR_VERSION_3;
07258             conf->min_minor_ver  = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
07259             conf->max_major_ver  = MBEDTLS_SSL_MAX_MAJOR_VERSION;
07260             conf->max_minor_ver  = MBEDTLS_SSL_MAX_MINOR_VERSION;
07261 
07262 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07263             if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
07264                 conf->min_minor_ver  = MBEDTLS_SSL_MINOR_VERSION_2;
07265 #endif
07266 
07267             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] =
07268             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] =
07269             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] =
07270             conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] =
07271                                    mbedtls_ssl_list_ciphersuites();
07272 
07273 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07274             conf->cert_profile  = &mbedtls_x509_crt_profile_default;
07275 #endif
07276 
07277 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07278             conf->sig_hashes  = ssl_preset_default_hashes;
07279 #endif
07280 
07281 #if defined(MBEDTLS_ECP_C)
07282             conf->curve_list  = mbedtls_ecp_grp_id_list();
07283 #endif
07284 
07285 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
07286             conf->dhm_min_bitlen  = 1024;
07287 #endif
07288     }
07289 
07290     return( 0 );
07291 }
07292 
07293 /*
07294  * Free mbedtls_ssl_config
07295  */
07296 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
07297 {
07298 #if defined(MBEDTLS_DHM_C)
07299     mbedtls_mpi_free( &conf->dhm_P  );
07300     mbedtls_mpi_free( &conf->dhm_G  );
07301 #endif
07302 
07303 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
07304     if( conf->psk  != NULL )
07305     {
07306         mbedtls_zeroize( conf->psk , conf->psk_len  );
07307         mbedtls_zeroize( conf->psk_identity , conf->psk_identity_len  );
07308         mbedtls_free( conf->psk  );
07309         mbedtls_free( conf->psk_identity  );
07310         conf->psk_len  = 0;
07311         conf->psk_identity_len  = 0;
07312     }
07313 #endif
07314 
07315 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07316     ssl_key_cert_free( conf->key_cert  );
07317 #endif
07318 
07319     mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) );
07320 }
07321 
07322 #if defined(MBEDTLS_PK_C) && \
07323     ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
07324 /*
07325  * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
07326  */
07327 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
07328 {
07329 #if defined(MBEDTLS_RSA_C)
07330     if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
07331         return( MBEDTLS_SSL_SIG_RSA );
07332 #endif
07333 #if defined(MBEDTLS_ECDSA_C)
07334     if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
07335         return( MBEDTLS_SSL_SIG_ECDSA );
07336 #endif
07337     return( MBEDTLS_SSL_SIG_ANON );
07338 }
07339 
07340 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
07341 {
07342     switch( sig )
07343     {
07344 #if defined(MBEDTLS_RSA_C)
07345         case MBEDTLS_SSL_SIG_RSA:
07346             return( MBEDTLS_PK_RSA );
07347 #endif
07348 #if defined(MBEDTLS_ECDSA_C)
07349         case MBEDTLS_SSL_SIG_ECDSA:
07350             return( MBEDTLS_PK_ECDSA );
07351 #endif
07352         default:
07353             return( MBEDTLS_PK_NONE );
07354     }
07355 }
07356 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
07357 
07358 /*
07359  * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
07360  */
07361 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
07362 {
07363     switch( hash )
07364     {
07365 #if defined(MBEDTLS_MD5_C)
07366         case MBEDTLS_SSL_HASH_MD5:
07367             return( MBEDTLS_MD_MD5 );
07368 #endif
07369 #if defined(MBEDTLS_SHA1_C)
07370         case MBEDTLS_SSL_HASH_SHA1:
07371             return( MBEDTLS_MD_SHA1 );
07372 #endif
07373 #if defined(MBEDTLS_SHA256_C)
07374         case MBEDTLS_SSL_HASH_SHA224:
07375             return( MBEDTLS_MD_SHA224 );
07376         case MBEDTLS_SSL_HASH_SHA256:
07377             return( MBEDTLS_MD_SHA256 );
07378 #endif
07379 #if defined(MBEDTLS_SHA512_C)
07380         case MBEDTLS_SSL_HASH_SHA384:
07381             return( MBEDTLS_MD_SHA384 );
07382         case MBEDTLS_SSL_HASH_SHA512:
07383             return( MBEDTLS_MD_SHA512 );
07384 #endif
07385         default:
07386             return( MBEDTLS_MD_NONE );
07387     }
07388 }
07389 
07390 /*
07391  * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
07392  */
07393 unsigned char mbedtls_ssl_hash_from_md_alg( int md )
07394 {
07395     switch( md )
07396     {
07397 #if defined(MBEDTLS_MD5_C)
07398         case MBEDTLS_MD_MD5:
07399             return( MBEDTLS_SSL_HASH_MD5 );
07400 #endif
07401 #if defined(MBEDTLS_SHA1_C)
07402         case MBEDTLS_MD_SHA1:
07403             return( MBEDTLS_SSL_HASH_SHA1 );
07404 #endif
07405 #if defined(MBEDTLS_SHA256_C)
07406         case MBEDTLS_MD_SHA224:
07407             return( MBEDTLS_SSL_HASH_SHA224 );
07408         case MBEDTLS_MD_SHA256:
07409             return( MBEDTLS_SSL_HASH_SHA256 );
07410 #endif
07411 #if defined(MBEDTLS_SHA512_C)
07412         case MBEDTLS_MD_SHA384:
07413             return( MBEDTLS_SSL_HASH_SHA384 );
07414         case MBEDTLS_MD_SHA512:
07415             return( MBEDTLS_SSL_HASH_SHA512 );
07416 #endif
07417         default:
07418             return( MBEDTLS_SSL_HASH_NONE );
07419     }
07420 }
07421 
07422 #if defined(MBEDTLS_ECP_C)
07423 /*
07424  * Check if a curve proposed by the peer is in our list.
07425  * Return 0 if we're willing to use it, -1 otherwise.
07426  */
07427 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
07428 {
07429     const mbedtls_ecp_group_id *gid;
07430 
07431     if( ssl->conf->curve_list == NULL )
07432         return( -1 );
07433 
07434     for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
07435         if( *gid == grp_id )
07436             return( 0 );
07437 
07438     return( -1 );
07439 }
07440 #endif /* MBEDTLS_ECP_C */
07441 
07442 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
07443 /*
07444  * Check if a hash proposed by the peer is in our list.
07445  * Return 0 if we're willing to use it, -1 otherwise.
07446  */
07447 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
07448                                 mbedtls_md_type_t md )
07449 {
07450     const int *cur;
07451 
07452     if( ssl->conf->sig_hashes == NULL )
07453         return( -1 );
07454 
07455     for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
07456         if( *cur == (int) md )
07457             return( 0 );
07458 
07459     return( -1 );
07460 }
07461 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
07462 
07463 #if defined(MBEDTLS_X509_CRT_PARSE_C)
07464 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
07465                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
07466                           int cert_endpoint,
07467                           uint32_t *flags )
07468 {
07469     int ret = 0;
07470 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
07471     int usage = 0;
07472 #endif
07473 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
07474     const char *ext_oid;
07475     size_t ext_len;
07476 #endif
07477 
07478 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) &&          \
07479     !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
07480     ((void) cert);
07481     ((void) cert_endpoint);
07482     ((void) flags);
07483 #endif
07484 
07485 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
07486     if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
07487     {
07488         /* Server part of the key exchange */
07489         switch( ciphersuite->key_exchange )
07490         {
07491             case MBEDTLS_KEY_EXCHANGE_RSA:
07492             case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
07493                 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
07494                 break;
07495 
07496             case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
07497             case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
07498             case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
07499                 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
07500                 break;
07501 
07502             case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
07503             case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
07504                 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
07505                 break;
07506 
07507             /* Don't use default: we want warnings when adding new values */
07508             case MBEDTLS_KEY_EXCHANGE_NONE:
07509             case MBEDTLS_KEY_EXCHANGE_PSK:
07510             case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
07511             case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
07512             case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
07513                 usage = 0;
07514         }
07515     }
07516     else
07517     {
07518         /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
07519         usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
07520     }
07521 
07522     if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
07523     {
07524         *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
07525         ret = -1;
07526     }
07527 #else
07528     ((void) ciphersuite);
07529 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
07530 
07531 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
07532     if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
07533     {
07534         ext_oid = MBEDTLS_OID_SERVER_AUTH;
07535         ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
07536     }
07537     else
07538     {
07539         ext_oid = MBEDTLS_OID_CLIENT_AUTH;
07540         ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
07541     }
07542 
07543     if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
07544     {
07545         *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
07546         ret = -1;
07547     }
07548 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
07549 
07550     return( ret );
07551 }
07552 #endif /* MBEDTLS_X509_CRT_PARSE_C */
07553 
07554 /*
07555  * Convert version numbers to/from wire format
07556  * and, for DTLS, to/from TLS equivalent.
07557  *
07558  * For TLS this is the identity.
07559  * For DTLS, use one complement (v -> 255 - v, and then map as follows:
07560  * 1.0 <-> 3.2      (DTLS 1.0 is based on TLS 1.1)
07561  * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
07562  */
07563 void mbedtls_ssl_write_version( int major, int minor, int transport,
07564                         unsigned char ver[2] )
07565 {
07566 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07567     if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
07568     {
07569         if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
07570             --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
07571 
07572         ver[0] = (unsigned char)( 255 - ( major - 2 ) );
07573         ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
07574     }
07575     else
07576 #else
07577     ((void) transport);
07578 #endif
07579     {
07580         ver[0] = (unsigned char) major;
07581         ver[1] = (unsigned char) minor;
07582     }
07583 }
07584 
07585 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
07586                        const unsigned char ver[2] )
07587 {
07588 #if defined(MBEDTLS_SSL_PROTO_DTLS)
07589     if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
07590     {
07591         *major = 255 - ver[0] + 2;
07592         *minor = 255 - ver[1] + 1;
07593 
07594         if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
07595             ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
07596     }
07597     else
07598 #else
07599     ((void) transport);
07600 #endif
07601     {
07602         *major = ver[0];
07603         *minor = ver[1];
07604     }
07605 }
07606 
07607 #endif /* MBEDTLS_SSL_TLS_C */