mbed-dev-OS5_10_4 - RTC auf true

Users » kevman » Code » mbed-dev-OS5_10_4

RTC auf true

features/mbedtls/src/ssl_tls.c@0:38ceb79fef03, 2018-11-28 (annotated)

Committer:: kevman
Date:: Wed Nov 28 15:10:15 2018 +0000
Revision:: 0:38ceb79fef03

RTC modified

Who changed what in which revision?

User	Revision	Line number	New contents of line
kevman	0:38ceb79fef03	1	/*
kevman	0:38ceb79fef03	2	* SSLv3/TLSv1 shared functions
kevman	0:38ceb79fef03	3	*
kevman	0:38ceb79fef03	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
kevman	0:38ceb79fef03	5	* SPDX-License-Identifier: Apache-2.0
kevman	0:38ceb79fef03	6	*
kevman	0:38ceb79fef03	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
kevman	0:38ceb79fef03	8	* not use this file except in compliance with the License.
kevman	0:38ceb79fef03	9	* You may obtain a copy of the License at
kevman	0:38ceb79fef03	10	*
kevman	0:38ceb79fef03	11	* http://www.apache.org/licenses/LICENSE-2.0
kevman	0:38ceb79fef03	12	*
kevman	0:38ceb79fef03	13	* Unless required by applicable law or agreed to in writing, software
kevman	0:38ceb79fef03	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
kevman	0:38ceb79fef03	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
kevman	0:38ceb79fef03	16	* See the License for the specific language governing permissions and
kevman	0:38ceb79fef03	17	* limitations under the License.
kevman	0:38ceb79fef03	18	*
kevman	0:38ceb79fef03	19	* This file is part of mbed TLS (https://tls.mbed.org)
kevman	0:38ceb79fef03	20	*/
kevman	0:38ceb79fef03	21	/*
kevman	0:38ceb79fef03	22	* The SSL 3.0 specification was drafted by Netscape in 1996,
kevman	0:38ceb79fef03	23	* and became an IETF standard in 1999.
kevman	0:38ceb79fef03	24	*
kevman	0:38ceb79fef03	25	* http://wp.netscape.com/eng/ssl3/
kevman	0:38ceb79fef03	26	* http://www.ietf.org/rfc/rfc2246.txt
kevman	0:38ceb79fef03	27	* http://www.ietf.org/rfc/rfc4346.txt
kevman	0:38ceb79fef03	28	*/
kevman	0:38ceb79fef03	29
kevman	0:38ceb79fef03	30	#if !defined(MBEDTLS_CONFIG_FILE)
kevman	0:38ceb79fef03	31	#include "mbedtls/config.h"
kevman	0:38ceb79fef03	32	#else
kevman	0:38ceb79fef03	33	#include MBEDTLS_CONFIG_FILE
kevman	0:38ceb79fef03	34	#endif
kevman	0:38ceb79fef03	35
kevman	0:38ceb79fef03	36	#if defined(MBEDTLS_SSL_TLS_C)
kevman	0:38ceb79fef03	37
kevman	0:38ceb79fef03	38	#if defined(MBEDTLS_PLATFORM_C)
kevman	0:38ceb79fef03	39	#include "mbedtls/platform.h"
kevman	0:38ceb79fef03	40	#else
kevman	0:38ceb79fef03	41	#include <stdlib.h>
kevman	0:38ceb79fef03	42	#define mbedtls_calloc calloc
kevman	0:38ceb79fef03	43	#define mbedtls_free free
kevman	0:38ceb79fef03	44	#endif
kevman	0:38ceb79fef03	45
kevman	0:38ceb79fef03	46	#include "mbedtls/debug.h"
kevman	0:38ceb79fef03	47	#include "mbedtls/ssl.h"
kevman	0:38ceb79fef03	48	#include "mbedtls/ssl_internal.h"
kevman	0:38ceb79fef03	49	#include "mbedtls/platform_util.h"
kevman	0:38ceb79fef03	50
kevman	0:38ceb79fef03	51	#include <string.h>
kevman	0:38ceb79fef03	52
kevman	0:38ceb79fef03	53	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	54	#include "mbedtls/oid.h"
kevman	0:38ceb79fef03	55	#endif
kevman	0:38ceb79fef03	56
kevman	0:38ceb79fef03	57	static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	58	static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
kevman	0:38ceb79fef03	59
kevman	0:38ceb79fef03	60	/* Length of the "epoch" field in the record header */
kevman	0:38ceb79fef03	61	static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	62	{
kevman	0:38ceb79fef03	63	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	64	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	65	return( 2 );
kevman	0:38ceb79fef03	66	#else
kevman	0:38ceb79fef03	67	((void) ssl);
kevman	0:38ceb79fef03	68	#endif
kevman	0:38ceb79fef03	69	return( 0 );
kevman	0:38ceb79fef03	70	}
kevman	0:38ceb79fef03	71
kevman	0:38ceb79fef03	72	/*
kevman	0:38ceb79fef03	73	* Start a timer.
kevman	0:38ceb79fef03	74	* Passing millisecs = 0 cancels a running timer.
kevman	0:38ceb79fef03	75	*/
kevman	0:38ceb79fef03	76	static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
kevman	0:38ceb79fef03	77	{
kevman	0:38ceb79fef03	78	if( ssl->f_set_timer == NULL )
kevman	0:38ceb79fef03	79	return;
kevman	0:38ceb79fef03	80
kevman	0:38ceb79fef03	81	MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
kevman	0:38ceb79fef03	82	ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
kevman	0:38ceb79fef03	83	}
kevman	0:38ceb79fef03	84
kevman	0:38ceb79fef03	85	/*
kevman	0:38ceb79fef03	86	* Return -1 is timer is expired, 0 if it isn't.
kevman	0:38ceb79fef03	87	*/
kevman	0:38ceb79fef03	88	static int ssl_check_timer( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	89	{
kevman	0:38ceb79fef03	90	if( ssl->f_get_timer == NULL )
kevman	0:38ceb79fef03	91	return( 0 );
kevman	0:38ceb79fef03	92
kevman	0:38ceb79fef03	93	if( ssl->f_get_timer( ssl->p_timer ) == 2 )
kevman	0:38ceb79fef03	94	{
kevman	0:38ceb79fef03	95	MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
kevman	0:38ceb79fef03	96	return( -1 );
kevman	0:38ceb79fef03	97	}
kevman	0:38ceb79fef03	98
kevman	0:38ceb79fef03	99	return( 0 );
kevman	0:38ceb79fef03	100	}
kevman	0:38ceb79fef03	101
kevman	0:38ceb79fef03	102	static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	103	mbedtls_ssl_transform *transform );
kevman	0:38ceb79fef03	104	static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	105	mbedtls_ssl_transform *transform );
kevman	0:38ceb79fef03	106
kevman	0:38ceb79fef03	107	#define SSL_DONT_FORCE_FLUSH 0
kevman	0:38ceb79fef03	108	#define SSL_FORCE_FLUSH 1
kevman	0:38ceb79fef03	109
kevman	0:38ceb79fef03	110	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	111
kevman	0:38ceb79fef03	112	/* Forward declarations for functions related to message buffering. */
kevman	0:38ceb79fef03	113	static void ssl_buffering_free( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	114	static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	115	uint8_t slot );
kevman	0:38ceb79fef03	116	static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	117	static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	118	static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	119	static int ssl_buffer_message( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	120	static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	121	static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	122
kevman	0:38ceb79fef03	123	static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	124	static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
kevman	0:38ceb79fef03	125	{
kevman	0:38ceb79fef03	126	size_t mtu = ssl_get_current_mtu( ssl );
kevman	0:38ceb79fef03	127
kevman	0:38ceb79fef03	128	if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
kevman	0:38ceb79fef03	129	return( mtu );
kevman	0:38ceb79fef03	130
kevman	0:38ceb79fef03	131	return( MBEDTLS_SSL_OUT_BUFFER_LEN );
kevman	0:38ceb79fef03	132	}
kevman	0:38ceb79fef03	133
kevman	0:38ceb79fef03	134	static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
kevman	0:38ceb79fef03	135	{
kevman	0:38ceb79fef03	136	size_t const bytes_written = ssl->out_left;
kevman	0:38ceb79fef03	137	size_t const mtu = ssl_get_maximum_datagram_size( ssl );
kevman	0:38ceb79fef03	138
kevman	0:38ceb79fef03	139	/* Double-check that the write-index hasn't gone
kevman	0:38ceb79fef03	140	* past what we can transmit in a single datagram. */
kevman	0:38ceb79fef03	141	if( bytes_written > mtu )
kevman	0:38ceb79fef03	142	{
kevman	0:38ceb79fef03	143	/* Should never happen... */
kevman	0:38ceb79fef03	144	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	145	}
kevman	0:38ceb79fef03	146
kevman	0:38ceb79fef03	147	return( (int) ( mtu - bytes_written ) );
kevman	0:38ceb79fef03	148	}
kevman	0:38ceb79fef03	149
kevman	0:38ceb79fef03	150	static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
kevman	0:38ceb79fef03	151	{
kevman	0:38ceb79fef03	152	int ret;
kevman	0:38ceb79fef03	153	size_t remaining, expansion;
kevman	0:38ceb79fef03	154	size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
kevman	0:38ceb79fef03	155
kevman	0:38ceb79fef03	156	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
kevman	0:38ceb79fef03	157	const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
kevman	0:38ceb79fef03	158
kevman	0:38ceb79fef03	159	if( max_len > mfl )
kevman	0:38ceb79fef03	160	max_len = mfl;
kevman	0:38ceb79fef03	161
kevman	0:38ceb79fef03	162	/* By the standard (RFC 6066 Sect. 4), the MFL extension
kevman	0:38ceb79fef03	163	* only limits the maximum record payload size, so in theory
kevman	0:38ceb79fef03	164	* we would be allowed to pack multiple records of payload size
kevman	0:38ceb79fef03	165	* MFL into a single datagram. However, this would mean that there's
kevman	0:38ceb79fef03	166	* no way to explicitly communicate MTU restrictions to the peer.
kevman	0:38ceb79fef03	167	*
kevman	0:38ceb79fef03	168	* The following reduction of max_len makes sure that we never
kevman	0:38ceb79fef03	169	* write datagrams larger than MFL + Record Expansion Overhead.
kevman	0:38ceb79fef03	170	*/
kevman	0:38ceb79fef03	171	if( max_len <= ssl->out_left )
kevman	0:38ceb79fef03	172	return( 0 );
kevman	0:38ceb79fef03	173
kevman	0:38ceb79fef03	174	max_len -= ssl->out_left;
kevman	0:38ceb79fef03	175	#endif
kevman	0:38ceb79fef03	176
kevman	0:38ceb79fef03	177	ret = ssl_get_remaining_space_in_datagram( ssl );
kevman	0:38ceb79fef03	178	if( ret < 0 )
kevman	0:38ceb79fef03	179	return( ret );
kevman	0:38ceb79fef03	180	remaining = (size_t) ret;
kevman	0:38ceb79fef03	181
kevman	0:38ceb79fef03	182	ret = mbedtls_ssl_get_record_expansion( ssl );
kevman	0:38ceb79fef03	183	if( ret < 0 )
kevman	0:38ceb79fef03	184	return( ret );
kevman	0:38ceb79fef03	185	expansion = (size_t) ret;
kevman	0:38ceb79fef03	186
kevman	0:38ceb79fef03	187	if( remaining <= expansion )
kevman	0:38ceb79fef03	188	return( 0 );
kevman	0:38ceb79fef03	189
kevman	0:38ceb79fef03	190	remaining -= expansion;
kevman	0:38ceb79fef03	191	if( remaining >= max_len )
kevman	0:38ceb79fef03	192	remaining = max_len;
kevman	0:38ceb79fef03	193
kevman	0:38ceb79fef03	194	return( (int) remaining );
kevman	0:38ceb79fef03	195	}
kevman	0:38ceb79fef03	196
kevman	0:38ceb79fef03	197	/*
kevman	0:38ceb79fef03	198	* Double the retransmit timeout value, within the allowed range,
kevman	0:38ceb79fef03	199	* returning -1 if the maximum value has already been reached.
kevman	0:38ceb79fef03	200	*/
kevman	0:38ceb79fef03	201	static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	202	{
kevman	0:38ceb79fef03	203	uint32_t new_timeout;
kevman	0:38ceb79fef03	204
kevman	0:38ceb79fef03	205	if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
kevman	0:38ceb79fef03	206	return( -1 );
kevman	0:38ceb79fef03	207
kevman	0:38ceb79fef03	208	/* Implement the final paragraph of RFC 6347 section 4.1.1.1
kevman	0:38ceb79fef03	209	* in the following way: after the initial transmission and a first
kevman	0:38ceb79fef03	210	* retransmission, back off to a temporary estimated MTU of 508 bytes.
kevman	0:38ceb79fef03	211	* This value is guaranteed to be deliverable (if not guaranteed to be
kevman	0:38ceb79fef03	212	* delivered) of any compliant IPv4 (and IPv6) network, and should work
kevman	0:38ceb79fef03	213	* on most non-IP stacks too. */
kevman	0:38ceb79fef03	214	if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
kevman	0:38ceb79fef03	215	ssl->handshake->mtu = 508;
kevman	0:38ceb79fef03	216
kevman	0:38ceb79fef03	217	new_timeout = 2 * ssl->handshake->retransmit_timeout;
kevman	0:38ceb79fef03	218
kevman	0:38ceb79fef03	219	/* Avoid arithmetic overflow and range overflow */
kevman	0:38ceb79fef03	220	if( new_timeout < ssl->handshake->retransmit_timeout \|\|
kevman	0:38ceb79fef03	221	new_timeout > ssl->conf->hs_timeout_max )
kevman	0:38ceb79fef03	222	{
kevman	0:38ceb79fef03	223	new_timeout = ssl->conf->hs_timeout_max;
kevman	0:38ceb79fef03	224	}
kevman	0:38ceb79fef03	225
kevman	0:38ceb79fef03	226	ssl->handshake->retransmit_timeout = new_timeout;
kevman	0:38ceb79fef03	227	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
kevman	0:38ceb79fef03	228	ssl->handshake->retransmit_timeout ) );
kevman	0:38ceb79fef03	229
kevman	0:38ceb79fef03	230	return( 0 );
kevman	0:38ceb79fef03	231	}
kevman	0:38ceb79fef03	232
kevman	0:38ceb79fef03	233	static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	234	{
kevman	0:38ceb79fef03	235	ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
kevman	0:38ceb79fef03	236	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
kevman	0:38ceb79fef03	237	ssl->handshake->retransmit_timeout ) );
kevman	0:38ceb79fef03	238	}
kevman	0:38ceb79fef03	239	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	240
kevman	0:38ceb79fef03	241	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
kevman	0:38ceb79fef03	242	/*
kevman	0:38ceb79fef03	243	* Convert max_fragment_length codes to length.
kevman	0:38ceb79fef03	244	* RFC 6066 says:
kevman	0:38ceb79fef03	245	* enum{
kevman	0:38ceb79fef03	246	* 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
kevman	0:38ceb79fef03	247	* } MaxFragmentLength;
kevman	0:38ceb79fef03	248	* and we add 0 -> extension unused
kevman	0:38ceb79fef03	249	*/
kevman	0:38ceb79fef03	250	static unsigned int ssl_mfl_code_to_length( int mfl )
kevman	0:38ceb79fef03	251	{
kevman	0:38ceb79fef03	252	switch( mfl )
kevman	0:38ceb79fef03	253	{
kevman	0:38ceb79fef03	254	case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
kevman	0:38ceb79fef03	255	return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
kevman	0:38ceb79fef03	256	case MBEDTLS_SSL_MAX_FRAG_LEN_512:
kevman	0:38ceb79fef03	257	return 512;
kevman	0:38ceb79fef03	258	case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
kevman	0:38ceb79fef03	259	return 1024;
kevman	0:38ceb79fef03	260	case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
kevman	0:38ceb79fef03	261	return 2048;
kevman	0:38ceb79fef03	262	case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
kevman	0:38ceb79fef03	263	return 4096;
kevman	0:38ceb79fef03	264	default:
kevman	0:38ceb79fef03	265	return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
kevman	0:38ceb79fef03	266	}
kevman	0:38ceb79fef03	267	}
kevman	0:38ceb79fef03	268	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
kevman	0:38ceb79fef03	269
kevman	0:38ceb79fef03	270	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	271	static int ssl_session_copy( mbedtls_ssl_session dst, const mbedtls_ssl_session src )
kevman	0:38ceb79fef03	272	{
kevman	0:38ceb79fef03	273	mbedtls_ssl_session_free( dst );
kevman	0:38ceb79fef03	274	memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
kevman	0:38ceb79fef03	275
kevman	0:38ceb79fef03	276	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	277	if( src->peer_cert != NULL )
kevman	0:38ceb79fef03	278	{
kevman	0:38ceb79fef03	279	int ret;
kevman	0:38ceb79fef03	280
kevman	0:38ceb79fef03	281	dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
kevman	0:38ceb79fef03	282	if( dst->peer_cert == NULL )
kevman	0:38ceb79fef03	283	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	284
kevman	0:38ceb79fef03	285	mbedtls_x509_crt_init( dst->peer_cert );
kevman	0:38ceb79fef03	286
kevman	0:38ceb79fef03	287	if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
kevman	0:38ceb79fef03	288	src->peer_cert->raw.len ) ) != 0 )
kevman	0:38ceb79fef03	289	{
kevman	0:38ceb79fef03	290	mbedtls_free( dst->peer_cert );
kevman	0:38ceb79fef03	291	dst->peer_cert = NULL;
kevman	0:38ceb79fef03	292	return( ret );
kevman	0:38ceb79fef03	293	}
kevman	0:38ceb79fef03	294	}
kevman	0:38ceb79fef03	295	#endif /* MBEDTLS_X509_CRT_PARSE_C */
kevman	0:38ceb79fef03	296
kevman	0:38ceb79fef03	297	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	298	if( src->ticket != NULL )
kevman	0:38ceb79fef03	299	{
kevman	0:38ceb79fef03	300	dst->ticket = mbedtls_calloc( 1, src->ticket_len );
kevman	0:38ceb79fef03	301	if( dst->ticket == NULL )
kevman	0:38ceb79fef03	302	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	303
kevman	0:38ceb79fef03	304	memcpy( dst->ticket, src->ticket, src->ticket_len );
kevman	0:38ceb79fef03	305	}
kevman	0:38ceb79fef03	306	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	307
kevman	0:38ceb79fef03	308	return( 0 );
kevman	0:38ceb79fef03	309	}
kevman	0:38ceb79fef03	310	#endif /* MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	311
kevman	0:38ceb79fef03	312	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	313	int (mbedtls_ssl_hw_record_init)( mbedtls_ssl_context ssl,
kevman	0:38ceb79fef03	314	const unsigned char key_enc, const unsigned char key_dec,
kevman	0:38ceb79fef03	315	size_t keylen,
kevman	0:38ceb79fef03	316	const unsigned char iv_enc, const unsigned char iv_dec,
kevman	0:38ceb79fef03	317	size_t ivlen,
kevman	0:38ceb79fef03	318	const unsigned char mac_enc, const unsigned char mac_dec,
kevman	0:38ceb79fef03	319	size_t maclen ) = NULL;
kevman	0:38ceb79fef03	320	int (mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context ssl, int direction) = NULL;
kevman	0:38ceb79fef03	321	int (mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context ssl ) = NULL;
kevman	0:38ceb79fef03	322	int (mbedtls_ssl_hw_record_write)( mbedtls_ssl_context ssl ) = NULL;
kevman	0:38ceb79fef03	323	int (mbedtls_ssl_hw_record_read)( mbedtls_ssl_context ssl ) = NULL;
kevman	0:38ceb79fef03	324	int (mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context ssl ) = NULL;
kevman	0:38ceb79fef03	325	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
kevman	0:38ceb79fef03	326
kevman	0:38ceb79fef03	327	/*
kevman	0:38ceb79fef03	328	* Key material generation
kevman	0:38ceb79fef03	329	*/
kevman	0:38ceb79fef03	330	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	331	static int ssl3_prf( const unsigned char *secret, size_t slen,
kevman	0:38ceb79fef03	332	const char *label,
kevman	0:38ceb79fef03	333	const unsigned char *random, size_t rlen,
kevman	0:38ceb79fef03	334	unsigned char *dstbuf, size_t dlen )
kevman	0:38ceb79fef03	335	{
kevman	0:38ceb79fef03	336	int ret = 0;
kevman	0:38ceb79fef03	337	size_t i;
kevman	0:38ceb79fef03	338	mbedtls_md5_context md5;
kevman	0:38ceb79fef03	339	mbedtls_sha1_context sha1;
kevman	0:38ceb79fef03	340	unsigned char padding[16];
kevman	0:38ceb79fef03	341	unsigned char sha1sum[20];
kevman	0:38ceb79fef03	342	((void)label);
kevman	0:38ceb79fef03	343
kevman	0:38ceb79fef03	344	mbedtls_md5_init( &md5 );
kevman	0:38ceb79fef03	345	mbedtls_sha1_init( &sha1 );
kevman	0:38ceb79fef03	346
kevman	0:38ceb79fef03	347	/*
kevman	0:38ceb79fef03	348	* SSLv3:
kevman	0:38ceb79fef03	349	* block =
kevman	0:38ceb79fef03	350	* MD5( secret + SHA1( 'A' + secret + random ) ) +
kevman	0:38ceb79fef03	351	* MD5( secret + SHA1( 'BB' + secret + random ) ) +
kevman	0:38ceb79fef03	352	* MD5( secret + SHA1( 'CCC' + secret + random ) ) +
kevman	0:38ceb79fef03	353	* ...
kevman	0:38ceb79fef03	354	*/
kevman	0:38ceb79fef03	355	for( i = 0; i < dlen / 16; i++ )
kevman	0:38ceb79fef03	356	{
kevman	0:38ceb79fef03	357	memset( padding, (unsigned char) ('A' + i), 1 + i );
kevman	0:38ceb79fef03	358
kevman	0:38ceb79fef03	359	if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
kevman	0:38ceb79fef03	360	goto exit;
kevman	0:38ceb79fef03	361	if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
kevman	0:38ceb79fef03	362	goto exit;
kevman	0:38ceb79fef03	363	if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
kevman	0:38ceb79fef03	364	goto exit;
kevman	0:38ceb79fef03	365	if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
kevman	0:38ceb79fef03	366	goto exit;
kevman	0:38ceb79fef03	367	if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
kevman	0:38ceb79fef03	368	goto exit;
kevman	0:38ceb79fef03	369
kevman	0:38ceb79fef03	370	if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
kevman	0:38ceb79fef03	371	goto exit;
kevman	0:38ceb79fef03	372	if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
kevman	0:38ceb79fef03	373	goto exit;
kevman	0:38ceb79fef03	374	if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
kevman	0:38ceb79fef03	375	goto exit;
kevman	0:38ceb79fef03	376	if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
kevman	0:38ceb79fef03	377	goto exit;
kevman	0:38ceb79fef03	378	}
kevman	0:38ceb79fef03	379
kevman	0:38ceb79fef03	380	exit:
kevman	0:38ceb79fef03	381	mbedtls_md5_free( &md5 );
kevman	0:38ceb79fef03	382	mbedtls_sha1_free( &sha1 );
kevman	0:38ceb79fef03	383
kevman	0:38ceb79fef03	384	mbedtls_platform_zeroize( padding, sizeof( padding ) );
kevman	0:38ceb79fef03	385	mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
kevman	0:38ceb79fef03	386
kevman	0:38ceb79fef03	387	return( ret );
kevman	0:38ceb79fef03	388	}
kevman	0:38ceb79fef03	389	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	390
kevman	0:38ceb79fef03	391	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	392	static int tls1_prf( const unsigned char *secret, size_t slen,
kevman	0:38ceb79fef03	393	const char *label,
kevman	0:38ceb79fef03	394	const unsigned char *random, size_t rlen,
kevman	0:38ceb79fef03	395	unsigned char *dstbuf, size_t dlen )
kevman	0:38ceb79fef03	396	{
kevman	0:38ceb79fef03	397	size_t nb, hs;
kevman	0:38ceb79fef03	398	size_t i, j, k;
kevman	0:38ceb79fef03	399	const unsigned char S1, S2;
kevman	0:38ceb79fef03	400	unsigned char tmp[128];
kevman	0:38ceb79fef03	401	unsigned char h_i[20];
kevman	0:38ceb79fef03	402	const mbedtls_md_info_t *md_info;
kevman	0:38ceb79fef03	403	mbedtls_md_context_t md_ctx;
kevman	0:38ceb79fef03	404	int ret;
kevman	0:38ceb79fef03	405
kevman	0:38ceb79fef03	406	mbedtls_md_init( &md_ctx );
kevman	0:38ceb79fef03	407
kevman	0:38ceb79fef03	408	if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
kevman	0:38ceb79fef03	409	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	410
kevman	0:38ceb79fef03	411	hs = ( slen + 1 ) / 2;
kevman	0:38ceb79fef03	412	S1 = secret;
kevman	0:38ceb79fef03	413	S2 = secret + slen - hs;
kevman	0:38ceb79fef03	414
kevman	0:38ceb79fef03	415	nb = strlen( label );
kevman	0:38ceb79fef03	416	memcpy( tmp + 20, label, nb );
kevman	0:38ceb79fef03	417	memcpy( tmp + 20 + nb, random, rlen );
kevman	0:38ceb79fef03	418	nb += rlen;
kevman	0:38ceb79fef03	419
kevman	0:38ceb79fef03	420	/*
kevman	0:38ceb79fef03	421	* First compute P_md5(secret,label+random)[0..dlen]
kevman	0:38ceb79fef03	422	*/
kevman	0:38ceb79fef03	423	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
kevman	0:38ceb79fef03	424	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	425
kevman	0:38ceb79fef03	426	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
kevman	0:38ceb79fef03	427	return( ret );
kevman	0:38ceb79fef03	428
kevman	0:38ceb79fef03	429	mbedtls_md_hmac_starts( &md_ctx, S1, hs );
kevman	0:38ceb79fef03	430	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
kevman	0:38ceb79fef03	431	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
kevman	0:38ceb79fef03	432
kevman	0:38ceb79fef03	433	for( i = 0; i < dlen; i += 16 )
kevman	0:38ceb79fef03	434	{
kevman	0:38ceb79fef03	435	mbedtls_md_hmac_reset ( &md_ctx );
kevman	0:38ceb79fef03	436	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
kevman	0:38ceb79fef03	437	mbedtls_md_hmac_finish( &md_ctx, h_i );
kevman	0:38ceb79fef03	438
kevman	0:38ceb79fef03	439	mbedtls_md_hmac_reset ( &md_ctx );
kevman	0:38ceb79fef03	440	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
kevman	0:38ceb79fef03	441	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
kevman	0:38ceb79fef03	442
kevman	0:38ceb79fef03	443	k = ( i + 16 > dlen ) ? dlen % 16 : 16;
kevman	0:38ceb79fef03	444
kevman	0:38ceb79fef03	445	for( j = 0; j < k; j++ )
kevman	0:38ceb79fef03	446	dstbuf[i + j] = h_i[j];
kevman	0:38ceb79fef03	447	}
kevman	0:38ceb79fef03	448
kevman	0:38ceb79fef03	449	mbedtls_md_free( &md_ctx );
kevman	0:38ceb79fef03	450
kevman	0:38ceb79fef03	451	/*
kevman	0:38ceb79fef03	452	* XOR out with P_sha1(secret,label+random)[0..dlen]
kevman	0:38ceb79fef03	453	*/
kevman	0:38ceb79fef03	454	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
kevman	0:38ceb79fef03	455	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	456
kevman	0:38ceb79fef03	457	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
kevman	0:38ceb79fef03	458	return( ret );
kevman	0:38ceb79fef03	459
kevman	0:38ceb79fef03	460	mbedtls_md_hmac_starts( &md_ctx, S2, hs );
kevman	0:38ceb79fef03	461	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
kevman	0:38ceb79fef03	462	mbedtls_md_hmac_finish( &md_ctx, tmp );
kevman	0:38ceb79fef03	463
kevman	0:38ceb79fef03	464	for( i = 0; i < dlen; i += 20 )
kevman	0:38ceb79fef03	465	{
kevman	0:38ceb79fef03	466	mbedtls_md_hmac_reset ( &md_ctx );
kevman	0:38ceb79fef03	467	mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
kevman	0:38ceb79fef03	468	mbedtls_md_hmac_finish( &md_ctx, h_i );
kevman	0:38ceb79fef03	469
kevman	0:38ceb79fef03	470	mbedtls_md_hmac_reset ( &md_ctx );
kevman	0:38ceb79fef03	471	mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
kevman	0:38ceb79fef03	472	mbedtls_md_hmac_finish( &md_ctx, tmp );
kevman	0:38ceb79fef03	473
kevman	0:38ceb79fef03	474	k = ( i + 20 > dlen ) ? dlen % 20 : 20;
kevman	0:38ceb79fef03	475
kevman	0:38ceb79fef03	476	for( j = 0; j < k; j++ )
kevman	0:38ceb79fef03	477	dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
kevman	0:38ceb79fef03	478	}
kevman	0:38ceb79fef03	479
kevman	0:38ceb79fef03	480	mbedtls_md_free( &md_ctx );
kevman	0:38ceb79fef03	481
kevman	0:38ceb79fef03	482	mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
kevman	0:38ceb79fef03	483	mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
kevman	0:38ceb79fef03	484
kevman	0:38ceb79fef03	485	return( 0 );
kevman	0:38ceb79fef03	486	}
kevman	0:38ceb79fef03	487	#endif /* MBEDTLS_SSL_PROTO_TLS1) \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
kevman	0:38ceb79fef03	488
kevman	0:38ceb79fef03	489	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	490	static int tls_prf_generic( mbedtls_md_type_t md_type,
kevman	0:38ceb79fef03	491	const unsigned char *secret, size_t slen,
kevman	0:38ceb79fef03	492	const char *label,
kevman	0:38ceb79fef03	493	const unsigned char *random, size_t rlen,
kevman	0:38ceb79fef03	494	unsigned char *dstbuf, size_t dlen )
kevman	0:38ceb79fef03	495	{
kevman	0:38ceb79fef03	496	size_t nb;
kevman	0:38ceb79fef03	497	size_t i, j, k, md_len;
kevman	0:38ceb79fef03	498	unsigned char tmp[128];
kevman	0:38ceb79fef03	499	unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
kevman	0:38ceb79fef03	500	const mbedtls_md_info_t *md_info;
kevman	0:38ceb79fef03	501	mbedtls_md_context_t md_ctx;
kevman	0:38ceb79fef03	502	int ret;
kevman	0:38ceb79fef03	503
kevman	0:38ceb79fef03	504	mbedtls_md_init( &md_ctx );
kevman	0:38ceb79fef03	505
kevman	0:38ceb79fef03	506	if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
kevman	0:38ceb79fef03	507	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	508
kevman	0:38ceb79fef03	509	md_len = mbedtls_md_get_size( md_info );
kevman	0:38ceb79fef03	510
kevman	0:38ceb79fef03	511	if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
kevman	0:38ceb79fef03	512	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	513
kevman	0:38ceb79fef03	514	nb = strlen( label );
kevman	0:38ceb79fef03	515	memcpy( tmp + md_len, label, nb );
kevman	0:38ceb79fef03	516	memcpy( tmp + md_len + nb, random, rlen );
kevman	0:38ceb79fef03	517	nb += rlen;
kevman	0:38ceb79fef03	518
kevman	0:38ceb79fef03	519	/*
kevman	0:38ceb79fef03	520	* Compute P_<hash>(secret, label + random)[0..dlen]
kevman	0:38ceb79fef03	521	*/
kevman	0:38ceb79fef03	522	if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
kevman	0:38ceb79fef03	523	return( ret );
kevman	0:38ceb79fef03	524
kevman	0:38ceb79fef03	525	mbedtls_md_hmac_starts( &md_ctx, secret, slen );
kevman	0:38ceb79fef03	526	mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
kevman	0:38ceb79fef03	527	mbedtls_md_hmac_finish( &md_ctx, tmp );
kevman	0:38ceb79fef03	528
kevman	0:38ceb79fef03	529	for( i = 0; i < dlen; i += md_len )
kevman	0:38ceb79fef03	530	{
kevman	0:38ceb79fef03	531	mbedtls_md_hmac_reset ( &md_ctx );
kevman	0:38ceb79fef03	532	mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
kevman	0:38ceb79fef03	533	mbedtls_md_hmac_finish( &md_ctx, h_i );
kevman	0:38ceb79fef03	534
kevman	0:38ceb79fef03	535	mbedtls_md_hmac_reset ( &md_ctx );
kevman	0:38ceb79fef03	536	mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
kevman	0:38ceb79fef03	537	mbedtls_md_hmac_finish( &md_ctx, tmp );
kevman	0:38ceb79fef03	538
kevman	0:38ceb79fef03	539	k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
kevman	0:38ceb79fef03	540
kevman	0:38ceb79fef03	541	for( j = 0; j < k; j++ )
kevman	0:38ceb79fef03	542	dstbuf[i + j] = h_i[j];
kevman	0:38ceb79fef03	543	}
kevman	0:38ceb79fef03	544
kevman	0:38ceb79fef03	545	mbedtls_md_free( &md_ctx );
kevman	0:38ceb79fef03	546
kevman	0:38ceb79fef03	547	mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
kevman	0:38ceb79fef03	548	mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
kevman	0:38ceb79fef03	549
kevman	0:38ceb79fef03	550	return( 0 );
kevman	0:38ceb79fef03	551	}
kevman	0:38ceb79fef03	552
kevman	0:38ceb79fef03	553	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	554	static int tls_prf_sha256( const unsigned char *secret, size_t slen,
kevman	0:38ceb79fef03	555	const char *label,
kevman	0:38ceb79fef03	556	const unsigned char *random, size_t rlen,
kevman	0:38ceb79fef03	557	unsigned char *dstbuf, size_t dlen )
kevman	0:38ceb79fef03	558	{
kevman	0:38ceb79fef03	559	return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
kevman	0:38ceb79fef03	560	label, random, rlen, dstbuf, dlen ) );
kevman	0:38ceb79fef03	561	}
kevman	0:38ceb79fef03	562	#endif /* MBEDTLS_SHA256_C */
kevman	0:38ceb79fef03	563
kevman	0:38ceb79fef03	564	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	565	static int tls_prf_sha384( const unsigned char *secret, size_t slen,
kevman	0:38ceb79fef03	566	const char *label,
kevman	0:38ceb79fef03	567	const unsigned char *random, size_t rlen,
kevman	0:38ceb79fef03	568	unsigned char *dstbuf, size_t dlen )
kevman	0:38ceb79fef03	569	{
kevman	0:38ceb79fef03	570	return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
kevman	0:38ceb79fef03	571	label, random, rlen, dstbuf, dlen ) );
kevman	0:38ceb79fef03	572	}
kevman	0:38ceb79fef03	573	#endif /* MBEDTLS_SHA512_C */
kevman	0:38ceb79fef03	574	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	575
kevman	0:38ceb79fef03	576	static void ssl_update_checksum_start( mbedtls_ssl_context , const unsigned char , size_t );
kevman	0:38ceb79fef03	577
kevman	0:38ceb79fef03	578	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	579	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	580	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context , const unsigned char , size_t );
kevman	0:38ceb79fef03	581	#endif
kevman	0:38ceb79fef03	582
kevman	0:38ceb79fef03	583	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	584	static void ssl_calc_verify_ssl( mbedtls_ssl_context , unsigned char );
kevman	0:38ceb79fef03	585	static void ssl_calc_finished_ssl( mbedtls_ssl_context , unsigned char , int );
kevman	0:38ceb79fef03	586	#endif
kevman	0:38ceb79fef03	587
kevman	0:38ceb79fef03	588	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	589	static void ssl_calc_verify_tls( mbedtls_ssl_context , unsigned char );
kevman	0:38ceb79fef03	590	static void ssl_calc_finished_tls( mbedtls_ssl_context , unsigned char , int );
kevman	0:38ceb79fef03	591	#endif
kevman	0:38ceb79fef03	592
kevman	0:38ceb79fef03	593	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	594	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	595	static void ssl_update_checksum_sha256( mbedtls_ssl_context , const unsigned char , size_t );
kevman	0:38ceb79fef03	596	static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context ,unsigned char );
kevman	0:38ceb79fef03	597	static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context ,unsigned char , int );
kevman	0:38ceb79fef03	598	#endif
kevman	0:38ceb79fef03	599
kevman	0:38ceb79fef03	600	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	601	static void ssl_update_checksum_sha384( mbedtls_ssl_context , const unsigned char , size_t );
kevman	0:38ceb79fef03	602	static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context , unsigned char );
kevman	0:38ceb79fef03	603	static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context , unsigned char , int );
kevman	0:38ceb79fef03	604	#endif
kevman	0:38ceb79fef03	605	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	606
kevman	0:38ceb79fef03	607	int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	608	{
kevman	0:38ceb79fef03	609	int ret = 0;
kevman	0:38ceb79fef03	610	unsigned char tmp[64];
kevman	0:38ceb79fef03	611	unsigned char keyblk[256];
kevman	0:38ceb79fef03	612	unsigned char *key1;
kevman	0:38ceb79fef03	613	unsigned char *key2;
kevman	0:38ceb79fef03	614	unsigned char *mac_enc;
kevman	0:38ceb79fef03	615	unsigned char *mac_dec;
kevman	0:38ceb79fef03	616	size_t mac_key_len;
kevman	0:38ceb79fef03	617	size_t iv_copy_len;
kevman	0:38ceb79fef03	618	const mbedtls_cipher_info_t *cipher_info;
kevman	0:38ceb79fef03	619	const mbedtls_md_info_t *md_info;
kevman	0:38ceb79fef03	620
kevman	0:38ceb79fef03	621	mbedtls_ssl_session *session = ssl->session_negotiate;
kevman	0:38ceb79fef03	622	mbedtls_ssl_transform *transform = ssl->transform_negotiate;
kevman	0:38ceb79fef03	623	mbedtls_ssl_handshake_params *handshake = ssl->handshake;
kevman	0:38ceb79fef03	624
kevman	0:38ceb79fef03	625	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
kevman	0:38ceb79fef03	626
kevman	0:38ceb79fef03	627	cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
kevman	0:38ceb79fef03	628	if( cipher_info == NULL )
kevman	0:38ceb79fef03	629	{
kevman	0:38ceb79fef03	630	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
kevman	0:38ceb79fef03	631	transform->ciphersuite_info->cipher ) );
kevman	0:38ceb79fef03	632	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	633	}
kevman	0:38ceb79fef03	634
kevman	0:38ceb79fef03	635	md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
kevman	0:38ceb79fef03	636	if( md_info == NULL )
kevman	0:38ceb79fef03	637	{
kevman	0:38ceb79fef03	638	MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
kevman	0:38ceb79fef03	639	transform->ciphersuite_info->mac ) );
kevman	0:38ceb79fef03	640	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	641	}
kevman	0:38ceb79fef03	642
kevman	0:38ceb79fef03	643	/*
kevman	0:38ceb79fef03	644	* Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
kevman	0:38ceb79fef03	645	*/
kevman	0:38ceb79fef03	646	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	647	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	648	{
kevman	0:38ceb79fef03	649	handshake->tls_prf = ssl3_prf;
kevman	0:38ceb79fef03	650	handshake->calc_verify = ssl_calc_verify_ssl;
kevman	0:38ceb79fef03	651	handshake->calc_finished = ssl_calc_finished_ssl;
kevman	0:38ceb79fef03	652	}
kevman	0:38ceb79fef03	653	else
kevman	0:38ceb79fef03	654	#endif
kevman	0:38ceb79fef03	655	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	656	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
kevman	0:38ceb79fef03	657	{
kevman	0:38ceb79fef03	658	handshake->tls_prf = tls1_prf;
kevman	0:38ceb79fef03	659	handshake->calc_verify = ssl_calc_verify_tls;
kevman	0:38ceb79fef03	660	handshake->calc_finished = ssl_calc_finished_tls;
kevman	0:38ceb79fef03	661	}
kevman	0:38ceb79fef03	662	else
kevman	0:38ceb79fef03	663	#endif
kevman	0:38ceb79fef03	664	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	665	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	666	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
kevman	0:38ceb79fef03	667	transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
kevman	0:38ceb79fef03	668	{
kevman	0:38ceb79fef03	669	handshake->tls_prf = tls_prf_sha384;
kevman	0:38ceb79fef03	670	handshake->calc_verify = ssl_calc_verify_tls_sha384;
kevman	0:38ceb79fef03	671	handshake->calc_finished = ssl_calc_finished_tls_sha384;
kevman	0:38ceb79fef03	672	}
kevman	0:38ceb79fef03	673	else
kevman	0:38ceb79fef03	674	#endif
kevman	0:38ceb79fef03	675	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	676	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
kevman	0:38ceb79fef03	677	{
kevman	0:38ceb79fef03	678	handshake->tls_prf = tls_prf_sha256;
kevman	0:38ceb79fef03	679	handshake->calc_verify = ssl_calc_verify_tls_sha256;
kevman	0:38ceb79fef03	680	handshake->calc_finished = ssl_calc_finished_tls_sha256;
kevman	0:38ceb79fef03	681	}
kevman	0:38ceb79fef03	682	else
kevman	0:38ceb79fef03	683	#endif
kevman	0:38ceb79fef03	684	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	685	{
kevman	0:38ceb79fef03	686	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	687	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	688	}
kevman	0:38ceb79fef03	689
kevman	0:38ceb79fef03	690	/*
kevman	0:38ceb79fef03	691	* SSLv3:
kevman	0:38ceb79fef03	692	* master =
kevman	0:38ceb79fef03	693	* MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
kevman	0:38ceb79fef03	694	* MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
kevman	0:38ceb79fef03	695	* MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
kevman	0:38ceb79fef03	696	*
kevman	0:38ceb79fef03	697	* TLSv1+:
kevman	0:38ceb79fef03	698	* master = PRF( premaster, "master secret", randbytes )[0..47]
kevman	0:38ceb79fef03	699	*/
kevman	0:38ceb79fef03	700	if( handshake->resume == 0 )
kevman	0:38ceb79fef03	701	{
kevman	0:38ceb79fef03	702	MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
kevman	0:38ceb79fef03	703	handshake->pmslen );
kevman	0:38ceb79fef03	704
kevman	0:38ceb79fef03	705	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
kevman	0:38ceb79fef03	706	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
kevman	0:38ceb79fef03	707	{
kevman	0:38ceb79fef03	708	unsigned char session_hash[48];
kevman	0:38ceb79fef03	709	size_t hash_len;
kevman	0:38ceb79fef03	710
kevman	0:38ceb79fef03	711	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
kevman	0:38ceb79fef03	712
kevman	0:38ceb79fef03	713	ssl->handshake->calc_verify( ssl, session_hash );
kevman	0:38ceb79fef03	714
kevman	0:38ceb79fef03	715	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	716	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
kevman	0:38ceb79fef03	717	{
kevman	0:38ceb79fef03	718	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	719	if( ssl->transform_negotiate->ciphersuite_info->mac ==
kevman	0:38ceb79fef03	720	MBEDTLS_MD_SHA384 )
kevman	0:38ceb79fef03	721	{
kevman	0:38ceb79fef03	722	hash_len = 48;
kevman	0:38ceb79fef03	723	}
kevman	0:38ceb79fef03	724	else
kevman	0:38ceb79fef03	725	#endif
kevman	0:38ceb79fef03	726	hash_len = 32;
kevman	0:38ceb79fef03	727	}
kevman	0:38ceb79fef03	728	else
kevman	0:38ceb79fef03	729	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	730	hash_len = 36;
kevman	0:38ceb79fef03	731
kevman	0:38ceb79fef03	732	MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
kevman	0:38ceb79fef03	733
kevman	0:38ceb79fef03	734	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
kevman	0:38ceb79fef03	735	"extended master secret",
kevman	0:38ceb79fef03	736	session_hash, hash_len,
kevman	0:38ceb79fef03	737	session->master, 48 );
kevman	0:38ceb79fef03	738	if( ret != 0 )
kevman	0:38ceb79fef03	739	{
kevman	0:38ceb79fef03	740	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
kevman	0:38ceb79fef03	741	return( ret );
kevman	0:38ceb79fef03	742	}
kevman	0:38ceb79fef03	743
kevman	0:38ceb79fef03	744	}
kevman	0:38ceb79fef03	745	else
kevman	0:38ceb79fef03	746	#endif
kevman	0:38ceb79fef03	747	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
kevman	0:38ceb79fef03	748	"master secret",
kevman	0:38ceb79fef03	749	handshake->randbytes, 64,
kevman	0:38ceb79fef03	750	session->master, 48 );
kevman	0:38ceb79fef03	751	if( ret != 0 )
kevman	0:38ceb79fef03	752	{
kevman	0:38ceb79fef03	753	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
kevman	0:38ceb79fef03	754	return( ret );
kevman	0:38ceb79fef03	755	}
kevman	0:38ceb79fef03	756
kevman	0:38ceb79fef03	757	mbedtls_platform_zeroize( handshake->premaster,
kevman	0:38ceb79fef03	758	sizeof(handshake->premaster) );
kevman	0:38ceb79fef03	759	}
kevman	0:38ceb79fef03	760	else
kevman	0:38ceb79fef03	761	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
kevman	0:38ceb79fef03	762
kevman	0:38ceb79fef03	763	/*
kevman	0:38ceb79fef03	764	* Swap the client and server random values.
kevman	0:38ceb79fef03	765	*/
kevman	0:38ceb79fef03	766	memcpy( tmp, handshake->randbytes, 64 );
kevman	0:38ceb79fef03	767	memcpy( handshake->randbytes, tmp + 32, 32 );
kevman	0:38ceb79fef03	768	memcpy( handshake->randbytes + 32, tmp, 32 );
kevman	0:38ceb79fef03	769	mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
kevman	0:38ceb79fef03	770
kevman	0:38ceb79fef03	771	/*
kevman	0:38ceb79fef03	772	* SSLv3:
kevman	0:38ceb79fef03	773	* key block =
kevman	0:38ceb79fef03	774	* MD5( master + SHA1( 'A' + master + randbytes ) ) +
kevman	0:38ceb79fef03	775	* MD5( master + SHA1( 'BB' + master + randbytes ) ) +
kevman	0:38ceb79fef03	776	* MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
kevman	0:38ceb79fef03	777	* MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
kevman	0:38ceb79fef03	778	* ...
kevman	0:38ceb79fef03	779	*
kevman	0:38ceb79fef03	780	* TLSv1:
kevman	0:38ceb79fef03	781	* key block = PRF( master, "key expansion", randbytes )
kevman	0:38ceb79fef03	782	*/
kevman	0:38ceb79fef03	783	ret = handshake->tls_prf( session->master, 48, "key expansion",
kevman	0:38ceb79fef03	784	handshake->randbytes, 64, keyblk, 256 );
kevman	0:38ceb79fef03	785	if( ret != 0 )
kevman	0:38ceb79fef03	786	{
kevman	0:38ceb79fef03	787	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
kevman	0:38ceb79fef03	788	return( ret );
kevman	0:38ceb79fef03	789	}
kevman	0:38ceb79fef03	790
kevman	0:38ceb79fef03	791	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
kevman	0:38ceb79fef03	792	mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
kevman	0:38ceb79fef03	793	MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
kevman	0:38ceb79fef03	794	MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
kevman	0:38ceb79fef03	795	MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
kevman	0:38ceb79fef03	796
kevman	0:38ceb79fef03	797	mbedtls_platform_zeroize( handshake->randbytes,
kevman	0:38ceb79fef03	798	sizeof( handshake->randbytes ) );
kevman	0:38ceb79fef03	799
kevman	0:38ceb79fef03	800	/*
kevman	0:38ceb79fef03	801	* Determine the appropriate key, IV and MAC length.
kevman	0:38ceb79fef03	802	*/
kevman	0:38ceb79fef03	803
kevman	0:38ceb79fef03	804	transform->keylen = cipher_info->key_bitlen / 8;
kevman	0:38ceb79fef03	805
kevman	0:38ceb79fef03	806	if( cipher_info->mode == MBEDTLS_MODE_GCM \|\|
kevman	0:38ceb79fef03	807	cipher_info->mode == MBEDTLS_MODE_CCM \|\|
kevman	0:38ceb79fef03	808	cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
kevman	0:38ceb79fef03	809	{
kevman	0:38ceb79fef03	810	size_t taglen, explicit_ivlen;
kevman	0:38ceb79fef03	811
kevman	0:38ceb79fef03	812	transform->maclen = 0;
kevman	0:38ceb79fef03	813	mac_key_len = 0;
kevman	0:38ceb79fef03	814
kevman	0:38ceb79fef03	815	/* All modes haves 96-bit IVs;
kevman	0:38ceb79fef03	816	* GCM and CCM has 4 implicit and 8 explicit bytes
kevman	0:38ceb79fef03	817	* ChachaPoly has all 12 bytes implicit
kevman	0:38ceb79fef03	818	*/
kevman	0:38ceb79fef03	819	transform->ivlen = 12;
kevman	0:38ceb79fef03	820	if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
kevman	0:38ceb79fef03	821	transform->fixed_ivlen = 12;
kevman	0:38ceb79fef03	822	else
kevman	0:38ceb79fef03	823	transform->fixed_ivlen = 4;
kevman	0:38ceb79fef03	824
kevman	0:38ceb79fef03	825	/* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
kevman	0:38ceb79fef03	826	taglen = transform->ciphersuite_info->flags &
kevman	0:38ceb79fef03	827	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
kevman	0:38ceb79fef03	828
kevman	0:38ceb79fef03	829
kevman	0:38ceb79fef03	830	/* Minimum length of encrypted record */
kevman	0:38ceb79fef03	831	explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
kevman	0:38ceb79fef03	832	transform->minlen = explicit_ivlen + taglen;
kevman	0:38ceb79fef03	833	}
kevman	0:38ceb79fef03	834	else
kevman	0:38ceb79fef03	835	{
kevman	0:38ceb79fef03	836	/* Initialize HMAC contexts */
kevman	0:38ceb79fef03	837	if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 \|\|
kevman	0:38ceb79fef03	838	( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
kevman	0:38ceb79fef03	839	{
kevman	0:38ceb79fef03	840	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
kevman	0:38ceb79fef03	841	return( ret );
kevman	0:38ceb79fef03	842	}
kevman	0:38ceb79fef03	843
kevman	0:38ceb79fef03	844	/* Get MAC length */
kevman	0:38ceb79fef03	845	mac_key_len = mbedtls_md_get_size( md_info );
kevman	0:38ceb79fef03	846	transform->maclen = mac_key_len;
kevman	0:38ceb79fef03	847
kevman	0:38ceb79fef03	848	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
kevman	0:38ceb79fef03	849	/*
kevman	0:38ceb79fef03	850	* If HMAC is to be truncated, we shall keep the leftmost bytes,
kevman	0:38ceb79fef03	851	* (rfc 6066 page 13 or rfc 2104 section 4),
kevman	0:38ceb79fef03	852	* so we only need to adjust the length here.
kevman	0:38ceb79fef03	853	*/
kevman	0:38ceb79fef03	854	if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
kevman	0:38ceb79fef03	855	{
kevman	0:38ceb79fef03	856	transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
kevman	0:38ceb79fef03	857
kevman	0:38ceb79fef03	858	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
kevman	0:38ceb79fef03	859	/* Fall back to old, non-compliant version of the truncated
kevman	0:38ceb79fef03	860	* HMAC implementation which also truncates the key
kevman	0:38ceb79fef03	861	* (Mbed TLS versions from 1.3 to 2.6.0) */
kevman	0:38ceb79fef03	862	mac_key_len = transform->maclen;
kevman	0:38ceb79fef03	863	#endif
kevman	0:38ceb79fef03	864	}
kevman	0:38ceb79fef03	865	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
kevman	0:38ceb79fef03	866
kevman	0:38ceb79fef03	867	/* IV length */
kevman	0:38ceb79fef03	868	transform->ivlen = cipher_info->iv_size;
kevman	0:38ceb79fef03	869
kevman	0:38ceb79fef03	870	/* Minimum length */
kevman	0:38ceb79fef03	871	if( cipher_info->mode == MBEDTLS_MODE_STREAM )
kevman	0:38ceb79fef03	872	transform->minlen = transform->maclen;
kevman	0:38ceb79fef03	873	else
kevman	0:38ceb79fef03	874	{
kevman	0:38ceb79fef03	875	/*
kevman	0:38ceb79fef03	876	* GenericBlockCipher:
kevman	0:38ceb79fef03	877	* 1. if EtM is in use: one block plus MAC
kevman	0:38ceb79fef03	878	* otherwise: * first multiple of blocklen greater than maclen
kevman	0:38ceb79fef03	879	* 2. IV except for SSL3 and TLS 1.0
kevman	0:38ceb79fef03	880	*/
kevman	0:38ceb79fef03	881	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
kevman	0:38ceb79fef03	882	if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
kevman	0:38ceb79fef03	883	{
kevman	0:38ceb79fef03	884	transform->minlen = transform->maclen
kevman	0:38ceb79fef03	885	+ cipher_info->block_size;
kevman	0:38ceb79fef03	886	}
kevman	0:38ceb79fef03	887	else
kevman	0:38ceb79fef03	888	#endif
kevman	0:38ceb79fef03	889	{
kevman	0:38ceb79fef03	890	transform->minlen = transform->maclen
kevman	0:38ceb79fef03	891	+ cipher_info->block_size
kevman	0:38ceb79fef03	892	- transform->maclen % cipher_info->block_size;
kevman	0:38ceb79fef03	893	}
kevman	0:38ceb79fef03	894
kevman	0:38ceb79fef03	895	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
kevman	0:38ceb79fef03	896	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
kevman	0:38ceb79fef03	897	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
kevman	0:38ceb79fef03	898	; /* No need to adjust minlen */
kevman	0:38ceb79fef03	899	else
kevman	0:38ceb79fef03	900	#endif
kevman	0:38ceb79fef03	901	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	902	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 \|\|
kevman	0:38ceb79fef03	903	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
kevman	0:38ceb79fef03	904	{
kevman	0:38ceb79fef03	905	transform->minlen += transform->ivlen;
kevman	0:38ceb79fef03	906	}
kevman	0:38ceb79fef03	907	else
kevman	0:38ceb79fef03	908	#endif
kevman	0:38ceb79fef03	909	{
kevman	0:38ceb79fef03	910	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	911	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	912	}
kevman	0:38ceb79fef03	913	}
kevman	0:38ceb79fef03	914	}
kevman	0:38ceb79fef03	915
kevman	0:38ceb79fef03	916	MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
kevman	0:38ceb79fef03	917	transform->keylen, transform->minlen, transform->ivlen,
kevman	0:38ceb79fef03	918	transform->maclen ) );
kevman	0:38ceb79fef03	919
kevman	0:38ceb79fef03	920	/*
kevman	0:38ceb79fef03	921	* Finally setup the cipher contexts, IVs and MAC secrets.
kevman	0:38ceb79fef03	922	*/
kevman	0:38ceb79fef03	923	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	924	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	925	{
kevman	0:38ceb79fef03	926	key1 = keyblk + mac_key_len * 2;
kevman	0:38ceb79fef03	927	key2 = keyblk + mac_key_len * 2 + transform->keylen;
kevman	0:38ceb79fef03	928
kevman	0:38ceb79fef03	929	mac_enc = keyblk;
kevman	0:38ceb79fef03	930	mac_dec = keyblk + mac_key_len;
kevman	0:38ceb79fef03	931
kevman	0:38ceb79fef03	932	/*
kevman	0:38ceb79fef03	933	* This is not used in TLS v1.1.
kevman	0:38ceb79fef03	934	*/
kevman	0:38ceb79fef03	935	iv_copy_len = ( transform->fixed_ivlen ) ?
kevman	0:38ceb79fef03	936	transform->fixed_ivlen : transform->ivlen;
kevman	0:38ceb79fef03	937	memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
kevman	0:38ceb79fef03	938	memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
kevman	0:38ceb79fef03	939	iv_copy_len );
kevman	0:38ceb79fef03	940	}
kevman	0:38ceb79fef03	941	else
kevman	0:38ceb79fef03	942	#endif /* MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	943	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	944	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	945	{
kevman	0:38ceb79fef03	946	key1 = keyblk + mac_key_len * 2 + transform->keylen;
kevman	0:38ceb79fef03	947	key2 = keyblk + mac_key_len * 2;
kevman	0:38ceb79fef03	948
kevman	0:38ceb79fef03	949	mac_enc = keyblk + mac_key_len;
kevman	0:38ceb79fef03	950	mac_dec = keyblk;
kevman	0:38ceb79fef03	951
kevman	0:38ceb79fef03	952	/*
kevman	0:38ceb79fef03	953	* This is not used in TLS v1.1.
kevman	0:38ceb79fef03	954	*/
kevman	0:38ceb79fef03	955	iv_copy_len = ( transform->fixed_ivlen ) ?
kevman	0:38ceb79fef03	956	transform->fixed_ivlen : transform->ivlen;
kevman	0:38ceb79fef03	957	memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
kevman	0:38ceb79fef03	958	memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
kevman	0:38ceb79fef03	959	iv_copy_len );
kevman	0:38ceb79fef03	960	}
kevman	0:38ceb79fef03	961	else
kevman	0:38ceb79fef03	962	#endif /* MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	963	{
kevman	0:38ceb79fef03	964	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	965	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	966	}
kevman	0:38ceb79fef03	967
kevman	0:38ceb79fef03	968	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	969	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	970	{
kevman	0:38ceb79fef03	971	if( mac_key_len > sizeof transform->mac_enc )
kevman	0:38ceb79fef03	972	{
kevman	0:38ceb79fef03	973	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	974	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	975	}
kevman	0:38ceb79fef03	976
kevman	0:38ceb79fef03	977	memcpy( transform->mac_enc, mac_enc, mac_key_len );
kevman	0:38ceb79fef03	978	memcpy( transform->mac_dec, mac_dec, mac_key_len );
kevman	0:38ceb79fef03	979	}
kevman	0:38ceb79fef03	980	else
kevman	0:38ceb79fef03	981	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	982	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	983	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	984	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
kevman	0:38ceb79fef03	985	{
kevman	0:38ceb79fef03	986	/* For HMAC-based ciphersuites, initialize the HMAC transforms.
kevman	0:38ceb79fef03	987	For AEAD-based ciphersuites, there is nothing to do here. */
kevman	0:38ceb79fef03	988	if( mac_key_len != 0 )
kevman	0:38ceb79fef03	989	{
kevman	0:38ceb79fef03	990	mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
kevman	0:38ceb79fef03	991	mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
kevman	0:38ceb79fef03	992	}
kevman	0:38ceb79fef03	993	}
kevman	0:38ceb79fef03	994	else
kevman	0:38ceb79fef03	995	#endif
kevman	0:38ceb79fef03	996	{
kevman	0:38ceb79fef03	997	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	998	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	999	}
kevman	0:38ceb79fef03	1000
kevman	0:38ceb79fef03	1001	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	1002	if( mbedtls_ssl_hw_record_init != NULL )
kevman	0:38ceb79fef03	1003	{
kevman	0:38ceb79fef03	1004	int ret = 0;
kevman	0:38ceb79fef03	1005
kevman	0:38ceb79fef03	1006	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
kevman	0:38ceb79fef03	1007
kevman	0:38ceb79fef03	1008	if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
kevman	0:38ceb79fef03	1009	transform->iv_enc, transform->iv_dec,
kevman	0:38ceb79fef03	1010	iv_copy_len,
kevman	0:38ceb79fef03	1011	mac_enc, mac_dec,
kevman	0:38ceb79fef03	1012	mac_key_len ) ) != 0 )
kevman	0:38ceb79fef03	1013	{
kevman	0:38ceb79fef03	1014	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
kevman	0:38ceb79fef03	1015	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
kevman	0:38ceb79fef03	1016	}
kevman	0:38ceb79fef03	1017	}
kevman	0:38ceb79fef03	1018	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
kevman	0:38ceb79fef03	1019
kevman	0:38ceb79fef03	1020	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
kevman	0:38ceb79fef03	1021	if( ssl->conf->f_export_keys != NULL )
kevman	0:38ceb79fef03	1022	{
kevman	0:38ceb79fef03	1023	ssl->conf->f_export_keys( ssl->conf->p_export_keys,
kevman	0:38ceb79fef03	1024	session->master, keyblk,
kevman	0:38ceb79fef03	1025	mac_key_len, transform->keylen,
kevman	0:38ceb79fef03	1026	iv_copy_len );
kevman	0:38ceb79fef03	1027	}
kevman	0:38ceb79fef03	1028	#endif
kevman	0:38ceb79fef03	1029
kevman	0:38ceb79fef03	1030	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
kevman	0:38ceb79fef03	1031	cipher_info ) ) != 0 )
kevman	0:38ceb79fef03	1032	{
kevman	0:38ceb79fef03	1033	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
kevman	0:38ceb79fef03	1034	return( ret );
kevman	0:38ceb79fef03	1035	}
kevman	0:38ceb79fef03	1036
kevman	0:38ceb79fef03	1037	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
kevman	0:38ceb79fef03	1038	cipher_info ) ) != 0 )
kevman	0:38ceb79fef03	1039	{
kevman	0:38ceb79fef03	1040	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
kevman	0:38ceb79fef03	1041	return( ret );
kevman	0:38ceb79fef03	1042	}
kevman	0:38ceb79fef03	1043
kevman	0:38ceb79fef03	1044	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
kevman	0:38ceb79fef03	1045	cipher_info->key_bitlen,
kevman	0:38ceb79fef03	1046	MBEDTLS_ENCRYPT ) ) != 0 )
kevman	0:38ceb79fef03	1047	{
kevman	0:38ceb79fef03	1048	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
kevman	0:38ceb79fef03	1049	return( ret );
kevman	0:38ceb79fef03	1050	}
kevman	0:38ceb79fef03	1051
kevman	0:38ceb79fef03	1052	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
kevman	0:38ceb79fef03	1053	cipher_info->key_bitlen,
kevman	0:38ceb79fef03	1054	MBEDTLS_DECRYPT ) ) != 0 )
kevman	0:38ceb79fef03	1055	{
kevman	0:38ceb79fef03	1056	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
kevman	0:38ceb79fef03	1057	return( ret );
kevman	0:38ceb79fef03	1058	}
kevman	0:38ceb79fef03	1059
kevman	0:38ceb79fef03	1060	#if defined(MBEDTLS_CIPHER_MODE_CBC)
kevman	0:38ceb79fef03	1061	if( cipher_info->mode == MBEDTLS_MODE_CBC )
kevman	0:38ceb79fef03	1062	{
kevman	0:38ceb79fef03	1063	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
kevman	0:38ceb79fef03	1064	MBEDTLS_PADDING_NONE ) ) != 0 )
kevman	0:38ceb79fef03	1065	{
kevman	0:38ceb79fef03	1066	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
kevman	0:38ceb79fef03	1067	return( ret );
kevman	0:38ceb79fef03	1068	}
kevman	0:38ceb79fef03	1069
kevman	0:38ceb79fef03	1070	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
kevman	0:38ceb79fef03	1071	MBEDTLS_PADDING_NONE ) ) != 0 )
kevman	0:38ceb79fef03	1072	{
kevman	0:38ceb79fef03	1073	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
kevman	0:38ceb79fef03	1074	return( ret );
kevman	0:38ceb79fef03	1075	}
kevman	0:38ceb79fef03	1076	}
kevman	0:38ceb79fef03	1077	#endif /* MBEDTLS_CIPHER_MODE_CBC */
kevman	0:38ceb79fef03	1078
kevman	0:38ceb79fef03	1079	mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
kevman	0:38ceb79fef03	1080
kevman	0:38ceb79fef03	1081	#if defined(MBEDTLS_ZLIB_SUPPORT)
kevman	0:38ceb79fef03	1082	// Initialize compression
kevman	0:38ceb79fef03	1083	//
kevman	0:38ceb79fef03	1084	if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
kevman	0:38ceb79fef03	1085	{
kevman	0:38ceb79fef03	1086	if( ssl->compress_buf == NULL )
kevman	0:38ceb79fef03	1087	{
kevman	0:38ceb79fef03	1088	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
kevman	0:38ceb79fef03	1089	ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
kevman	0:38ceb79fef03	1090	if( ssl->compress_buf == NULL )
kevman	0:38ceb79fef03	1091	{
kevman	0:38ceb79fef03	1092	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
kevman	0:38ceb79fef03	1093	MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
kevman	0:38ceb79fef03	1094	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	1095	}
kevman	0:38ceb79fef03	1096	}
kevman	0:38ceb79fef03	1097
kevman	0:38ceb79fef03	1098	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
kevman	0:38ceb79fef03	1099
kevman	0:38ceb79fef03	1100	memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
kevman	0:38ceb79fef03	1101	memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
kevman	0:38ceb79fef03	1102
kevman	0:38ceb79fef03	1103	if( deflateInit( &transform->ctx_deflate,
kevman	0:38ceb79fef03	1104	Z_DEFAULT_COMPRESSION ) != Z_OK \|\|
kevman	0:38ceb79fef03	1105	inflateInit( &transform->ctx_inflate ) != Z_OK )
kevman	0:38ceb79fef03	1106	{
kevman	0:38ceb79fef03	1107	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
kevman	0:38ceb79fef03	1108	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
kevman	0:38ceb79fef03	1109	}
kevman	0:38ceb79fef03	1110	}
kevman	0:38ceb79fef03	1111	#endif /* MBEDTLS_ZLIB_SUPPORT */
kevman	0:38ceb79fef03	1112
kevman	0:38ceb79fef03	1113	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
kevman	0:38ceb79fef03	1114
kevman	0:38ceb79fef03	1115	return( 0 );
kevman	0:38ceb79fef03	1116	}
kevman	0:38ceb79fef03	1117
kevman	0:38ceb79fef03	1118	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	1119	void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
kevman	0:38ceb79fef03	1120	{
kevman	0:38ceb79fef03	1121	mbedtls_md5_context md5;
kevman	0:38ceb79fef03	1122	mbedtls_sha1_context sha1;
kevman	0:38ceb79fef03	1123	unsigned char pad_1[48];
kevman	0:38ceb79fef03	1124	unsigned char pad_2[48];
kevman	0:38ceb79fef03	1125
kevman	0:38ceb79fef03	1126	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
kevman	0:38ceb79fef03	1127
kevman	0:38ceb79fef03	1128	mbedtls_md5_init( &md5 );
kevman	0:38ceb79fef03	1129	mbedtls_sha1_init( &sha1 );
kevman	0:38ceb79fef03	1130
kevman	0:38ceb79fef03	1131	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
kevman	0:38ceb79fef03	1132	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
kevman	0:38ceb79fef03	1133
kevman	0:38ceb79fef03	1134	memset( pad_1, 0x36, 48 );
kevman	0:38ceb79fef03	1135	memset( pad_2, 0x5C, 48 );
kevman	0:38ceb79fef03	1136
kevman	0:38ceb79fef03	1137	mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
kevman	0:38ceb79fef03	1138	mbedtls_md5_update_ret( &md5, pad_1, 48 );
kevman	0:38ceb79fef03	1139	mbedtls_md5_finish_ret( &md5, hash );
kevman	0:38ceb79fef03	1140
kevman	0:38ceb79fef03	1141	mbedtls_md5_starts_ret( &md5 );
kevman	0:38ceb79fef03	1142	mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
kevman	0:38ceb79fef03	1143	mbedtls_md5_update_ret( &md5, pad_2, 48 );
kevman	0:38ceb79fef03	1144	mbedtls_md5_update_ret( &md5, hash, 16 );
kevman	0:38ceb79fef03	1145	mbedtls_md5_finish_ret( &md5, hash );
kevman	0:38ceb79fef03	1146
kevman	0:38ceb79fef03	1147	mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
kevman	0:38ceb79fef03	1148	mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
kevman	0:38ceb79fef03	1149	mbedtls_sha1_finish_ret( &sha1, hash + 16 );
kevman	0:38ceb79fef03	1150
kevman	0:38ceb79fef03	1151	mbedtls_sha1_starts_ret( &sha1 );
kevman	0:38ceb79fef03	1152	mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
kevman	0:38ceb79fef03	1153	mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
kevman	0:38ceb79fef03	1154	mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
kevman	0:38ceb79fef03	1155	mbedtls_sha1_finish_ret( &sha1, hash + 16 );
kevman	0:38ceb79fef03	1156
kevman	0:38ceb79fef03	1157	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
kevman	0:38ceb79fef03	1158	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
kevman	0:38ceb79fef03	1159
kevman	0:38ceb79fef03	1160	mbedtls_md5_free( &md5 );
kevman	0:38ceb79fef03	1161	mbedtls_sha1_free( &sha1 );
kevman	0:38ceb79fef03	1162
kevman	0:38ceb79fef03	1163	return;
kevman	0:38ceb79fef03	1164	}
kevman	0:38ceb79fef03	1165	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	1166
kevman	0:38ceb79fef03	1167	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	1168	void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
kevman	0:38ceb79fef03	1169	{
kevman	0:38ceb79fef03	1170	mbedtls_md5_context md5;
kevman	0:38ceb79fef03	1171	mbedtls_sha1_context sha1;
kevman	0:38ceb79fef03	1172
kevman	0:38ceb79fef03	1173	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
kevman	0:38ceb79fef03	1174
kevman	0:38ceb79fef03	1175	mbedtls_md5_init( &md5 );
kevman	0:38ceb79fef03	1176	mbedtls_sha1_init( &sha1 );
kevman	0:38ceb79fef03	1177
kevman	0:38ceb79fef03	1178	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
kevman	0:38ceb79fef03	1179	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
kevman	0:38ceb79fef03	1180
kevman	0:38ceb79fef03	1181	mbedtls_md5_finish_ret( &md5, hash );
kevman	0:38ceb79fef03	1182	mbedtls_sha1_finish_ret( &sha1, hash + 16 );
kevman	0:38ceb79fef03	1183
kevman	0:38ceb79fef03	1184	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
kevman	0:38ceb79fef03	1185	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
kevman	0:38ceb79fef03	1186
kevman	0:38ceb79fef03	1187	mbedtls_md5_free( &md5 );
kevman	0:38ceb79fef03	1188	mbedtls_sha1_free( &sha1 );
kevman	0:38ceb79fef03	1189
kevman	0:38ceb79fef03	1190	return;
kevman	0:38ceb79fef03	1191	}
kevman	0:38ceb79fef03	1192	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
kevman	0:38ceb79fef03	1193
kevman	0:38ceb79fef03	1194	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	1195	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	1196	void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
kevman	0:38ceb79fef03	1197	{
kevman	0:38ceb79fef03	1198	mbedtls_sha256_context sha256;
kevman	0:38ceb79fef03	1199
kevman	0:38ceb79fef03	1200	mbedtls_sha256_init( &sha256 );
kevman	0:38ceb79fef03	1201
kevman	0:38ceb79fef03	1202	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
kevman	0:38ceb79fef03	1203
kevman	0:38ceb79fef03	1204	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
kevman	0:38ceb79fef03	1205	mbedtls_sha256_finish_ret( &sha256, hash );
kevman	0:38ceb79fef03	1206
kevman	0:38ceb79fef03	1207	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
kevman	0:38ceb79fef03	1208	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
kevman	0:38ceb79fef03	1209
kevman	0:38ceb79fef03	1210	mbedtls_sha256_free( &sha256 );
kevman	0:38ceb79fef03	1211
kevman	0:38ceb79fef03	1212	return;
kevman	0:38ceb79fef03	1213	}
kevman	0:38ceb79fef03	1214	#endif /* MBEDTLS_SHA256_C */
kevman	0:38ceb79fef03	1215
kevman	0:38ceb79fef03	1216	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	1217	void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
kevman	0:38ceb79fef03	1218	{
kevman	0:38ceb79fef03	1219	mbedtls_sha512_context sha512;
kevman	0:38ceb79fef03	1220
kevman	0:38ceb79fef03	1221	mbedtls_sha512_init( &sha512 );
kevman	0:38ceb79fef03	1222
kevman	0:38ceb79fef03	1223	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
kevman	0:38ceb79fef03	1224
kevman	0:38ceb79fef03	1225	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
kevman	0:38ceb79fef03	1226	mbedtls_sha512_finish_ret( &sha512, hash );
kevman	0:38ceb79fef03	1227
kevman	0:38ceb79fef03	1228	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
kevman	0:38ceb79fef03	1229	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
kevman	0:38ceb79fef03	1230
kevman	0:38ceb79fef03	1231	mbedtls_sha512_free( &sha512 );
kevman	0:38ceb79fef03	1232
kevman	0:38ceb79fef03	1233	return;
kevman	0:38ceb79fef03	1234	}
kevman	0:38ceb79fef03	1235	#endif /* MBEDTLS_SHA512_C */
kevman	0:38ceb79fef03	1236	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	1237
kevman	0:38ceb79fef03	1238	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
kevman	0:38ceb79fef03	1239	int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
kevman	0:38ceb79fef03	1240	{
kevman	0:38ceb79fef03	1241	unsigned char *p = ssl->handshake->premaster;
kevman	0:38ceb79fef03	1242	unsigned char *end = p + sizeof( ssl->handshake->premaster );
kevman	0:38ceb79fef03	1243	const unsigned char *psk = ssl->conf->psk;
kevman	0:38ceb79fef03	1244	size_t psk_len = ssl->conf->psk_len;
kevman	0:38ceb79fef03	1245
kevman	0:38ceb79fef03	1246	/* If the psk callback was called, use its result */
kevman	0:38ceb79fef03	1247	if( ssl->handshake->psk != NULL )
kevman	0:38ceb79fef03	1248	{
kevman	0:38ceb79fef03	1249	psk = ssl->handshake->psk;
kevman	0:38ceb79fef03	1250	psk_len = ssl->handshake->psk_len;
kevman	0:38ceb79fef03	1251	}
kevman	0:38ceb79fef03	1252
kevman	0:38ceb79fef03	1253	/*
kevman	0:38ceb79fef03	1254	* PMS = struct {
kevman	0:38ceb79fef03	1255	* opaque other_secret<0..2^16-1>;
kevman	0:38ceb79fef03	1256	* opaque psk<0..2^16-1>;
kevman	0:38ceb79fef03	1257	* };
kevman	0:38ceb79fef03	1258	* with "other_secret" depending on the particular key exchange
kevman	0:38ceb79fef03	1259	*/
kevman	0:38ceb79fef03	1260	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
kevman	0:38ceb79fef03	1261	if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
kevman	0:38ceb79fef03	1262	{
kevman	0:38ceb79fef03	1263	if( end - p < 2 )
kevman	0:38ceb79fef03	1264	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	1265
kevman	0:38ceb79fef03	1266	*(p++) = (unsigned char)( psk_len >> 8 );
kevman	0:38ceb79fef03	1267	*(p++) = (unsigned char)( psk_len );
kevman	0:38ceb79fef03	1268
kevman	0:38ceb79fef03	1269	if( end < p \|\| (size_t)( end - p ) < psk_len )
kevman	0:38ceb79fef03	1270	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	1271
kevman	0:38ceb79fef03	1272	memset( p, 0, psk_len );
kevman	0:38ceb79fef03	1273	p += psk_len;
kevman	0:38ceb79fef03	1274	}
kevman	0:38ceb79fef03	1275	else
kevman	0:38ceb79fef03	1276	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
kevman	0:38ceb79fef03	1277	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
kevman	0:38ceb79fef03	1278	if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
kevman	0:38ceb79fef03	1279	{
kevman	0:38ceb79fef03	1280	/*
kevman	0:38ceb79fef03	1281	* other_secret already set by the ClientKeyExchange message,
kevman	0:38ceb79fef03	1282	* and is 48 bytes long
kevman	0:38ceb79fef03	1283	*/
kevman	0:38ceb79fef03	1284	if( end - p < 2 )
kevman	0:38ceb79fef03	1285	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	1286
kevman	0:38ceb79fef03	1287	*p++ = 0;
kevman	0:38ceb79fef03	1288	*p++ = 48;
kevman	0:38ceb79fef03	1289	p += 48;
kevman	0:38ceb79fef03	1290	}
kevman	0:38ceb79fef03	1291	else
kevman	0:38ceb79fef03	1292	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
kevman	0:38ceb79fef03	1293	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
kevman	0:38ceb79fef03	1294	if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
kevman	0:38ceb79fef03	1295	{
kevman	0:38ceb79fef03	1296	int ret;
kevman	0:38ceb79fef03	1297	size_t len;
kevman	0:38ceb79fef03	1298
kevman	0:38ceb79fef03	1299	/* Write length only when we know the actual value */
kevman	0:38ceb79fef03	1300	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
kevman	0:38ceb79fef03	1301	p + 2, end - ( p + 2 ), &len,
kevman	0:38ceb79fef03	1302	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
kevman	0:38ceb79fef03	1303	{
kevman	0:38ceb79fef03	1304	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
kevman	0:38ceb79fef03	1305	return( ret );
kevman	0:38ceb79fef03	1306	}
kevman	0:38ceb79fef03	1307	*(p++) = (unsigned char)( len >> 8 );
kevman	0:38ceb79fef03	1308	*(p++) = (unsigned char)( len );
kevman	0:38ceb79fef03	1309	p += len;
kevman	0:38ceb79fef03	1310
kevman	0:38ceb79fef03	1311	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
kevman	0:38ceb79fef03	1312	}
kevman	0:38ceb79fef03	1313	else
kevman	0:38ceb79fef03	1314	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
kevman	0:38ceb79fef03	1315	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
kevman	0:38ceb79fef03	1316	if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
kevman	0:38ceb79fef03	1317	{
kevman	0:38ceb79fef03	1318	int ret;
kevman	0:38ceb79fef03	1319	size_t zlen;
kevman	0:38ceb79fef03	1320
kevman	0:38ceb79fef03	1321	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
kevman	0:38ceb79fef03	1322	p + 2, end - ( p + 2 ),
kevman	0:38ceb79fef03	1323	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
kevman	0:38ceb79fef03	1324	{
kevman	0:38ceb79fef03	1325	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
kevman	0:38ceb79fef03	1326	return( ret );
kevman	0:38ceb79fef03	1327	}
kevman	0:38ceb79fef03	1328
kevman	0:38ceb79fef03	1329	*(p++) = (unsigned char)( zlen >> 8 );
kevman	0:38ceb79fef03	1330	*(p++) = (unsigned char)( zlen );
kevman	0:38ceb79fef03	1331	p += zlen;
kevman	0:38ceb79fef03	1332
kevman	0:38ceb79fef03	1333	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
kevman	0:38ceb79fef03	1334	}
kevman	0:38ceb79fef03	1335	else
kevman	0:38ceb79fef03	1336	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
kevman	0:38ceb79fef03	1337	{
kevman	0:38ceb79fef03	1338	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1339	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1340	}
kevman	0:38ceb79fef03	1341
kevman	0:38ceb79fef03	1342	/* opaque psk<0..2^16-1>; */
kevman	0:38ceb79fef03	1343	if( end - p < 2 )
kevman	0:38ceb79fef03	1344	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	1345
kevman	0:38ceb79fef03	1346	*(p++) = (unsigned char)( psk_len >> 8 );
kevman	0:38ceb79fef03	1347	*(p++) = (unsigned char)( psk_len );
kevman	0:38ceb79fef03	1348
kevman	0:38ceb79fef03	1349	if( end < p \|\| (size_t)( end - p ) < psk_len )
kevman	0:38ceb79fef03	1350	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	1351
kevman	0:38ceb79fef03	1352	memcpy( p, psk, psk_len );
kevman	0:38ceb79fef03	1353	p += psk_len;
kevman	0:38ceb79fef03	1354
kevman	0:38ceb79fef03	1355	ssl->handshake->pmslen = p - ssl->handshake->premaster;
kevman	0:38ceb79fef03	1356
kevman	0:38ceb79fef03	1357	return( 0 );
kevman	0:38ceb79fef03	1358	}
kevman	0:38ceb79fef03	1359	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
kevman	0:38ceb79fef03	1360
kevman	0:38ceb79fef03	1361	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	1362	/*
kevman	0:38ceb79fef03	1363	* SSLv3.0 MAC functions
kevman	0:38ceb79fef03	1364	*/
kevman	0:38ceb79fef03	1365	#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
kevman	0:38ceb79fef03	1366	static void ssl_mac( mbedtls_md_context_t *md_ctx,
kevman	0:38ceb79fef03	1367	const unsigned char *secret,
kevman	0:38ceb79fef03	1368	const unsigned char *buf, size_t len,
kevman	0:38ceb79fef03	1369	const unsigned char *ctr, int type,
kevman	0:38ceb79fef03	1370	unsigned char out[SSL_MAC_MAX_BYTES] )
kevman	0:38ceb79fef03	1371	{
kevman	0:38ceb79fef03	1372	unsigned char header[11];
kevman	0:38ceb79fef03	1373	unsigned char padding[48];
kevman	0:38ceb79fef03	1374	int padlen;
kevman	0:38ceb79fef03	1375	int md_size = mbedtls_md_get_size( md_ctx->md_info );
kevman	0:38ceb79fef03	1376	int md_type = mbedtls_md_get_type( md_ctx->md_info );
kevman	0:38ceb79fef03	1377
kevman	0:38ceb79fef03	1378	/* Only MD5 and SHA-1 supported */
kevman	0:38ceb79fef03	1379	if( md_type == MBEDTLS_MD_MD5 )
kevman	0:38ceb79fef03	1380	padlen = 48;
kevman	0:38ceb79fef03	1381	else
kevman	0:38ceb79fef03	1382	padlen = 40;
kevman	0:38ceb79fef03	1383
kevman	0:38ceb79fef03	1384	memcpy( header, ctr, 8 );
kevman	0:38ceb79fef03	1385	header[ 8] = (unsigned char) type;
kevman	0:38ceb79fef03	1386	header[ 9] = (unsigned char)( len >> 8 );
kevman	0:38ceb79fef03	1387	header[10] = (unsigned char)( len );
kevman	0:38ceb79fef03	1388
kevman	0:38ceb79fef03	1389	memset( padding, 0x36, padlen );
kevman	0:38ceb79fef03	1390	mbedtls_md_starts( md_ctx );
kevman	0:38ceb79fef03	1391	mbedtls_md_update( md_ctx, secret, md_size );
kevman	0:38ceb79fef03	1392	mbedtls_md_update( md_ctx, padding, padlen );
kevman	0:38ceb79fef03	1393	mbedtls_md_update( md_ctx, header, 11 );
kevman	0:38ceb79fef03	1394	mbedtls_md_update( md_ctx, buf, len );
kevman	0:38ceb79fef03	1395	mbedtls_md_finish( md_ctx, out );
kevman	0:38ceb79fef03	1396
kevman	0:38ceb79fef03	1397	memset( padding, 0x5C, padlen );
kevman	0:38ceb79fef03	1398	mbedtls_md_starts( md_ctx );
kevman	0:38ceb79fef03	1399	mbedtls_md_update( md_ctx, secret, md_size );
kevman	0:38ceb79fef03	1400	mbedtls_md_update( md_ctx, padding, padlen );
kevman	0:38ceb79fef03	1401	mbedtls_md_update( md_ctx, out, md_size );
kevman	0:38ceb79fef03	1402	mbedtls_md_finish( md_ctx, out );
kevman	0:38ceb79fef03	1403	}
kevman	0:38ceb79fef03	1404	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	1405
kevman	0:38ceb79fef03	1406	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER) \|\| \
kevman	0:38ceb79fef03	1407	( defined(MBEDTLS_CIPHER_MODE_CBC) && \
kevman	0:38ceb79fef03	1408	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) \|\| defined(MBEDTLS_ARIA_C)) )
kevman	0:38ceb79fef03	1409	#define SSL_SOME_MODES_USE_MAC
kevman	0:38ceb79fef03	1410	#endif
kevman	0:38ceb79fef03	1411
kevman	0:38ceb79fef03	1412	/* The function below is only used in the Lucky 13 counter-measure in
kevman	0:38ceb79fef03	1413	* ssl_decrypt_buf(). These are the defines that guard the call site. */
kevman	0:38ceb79fef03	1414	#if defined(SSL_SOME_MODES_USE_MAC) && \
kevman	0:38ceb79fef03	1415	( defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	1416	defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	1417	defined(MBEDTLS_SSL_PROTO_TLS1_2) )
kevman	0:38ceb79fef03	1418	/* This function makes sure every byte in the memory region is accessed
kevman	0:38ceb79fef03	1419	* (in ascending addresses order) */
kevman	0:38ceb79fef03	1420	static void ssl_read_memory( unsigned char *p, size_t len )
kevman	0:38ceb79fef03	1421	{
kevman	0:38ceb79fef03	1422	unsigned char acc = 0;
kevman	0:38ceb79fef03	1423	volatile unsigned char force;
kevman	0:38ceb79fef03	1424
kevman	0:38ceb79fef03	1425	for( ; len != 0; p++, len-- )
kevman	0:38ceb79fef03	1426	acc ^= *p;
kevman	0:38ceb79fef03	1427
kevman	0:38ceb79fef03	1428	force = acc;
kevman	0:38ceb79fef03	1429	(void) force;
kevman	0:38ceb79fef03	1430	}
kevman	0:38ceb79fef03	1431	#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 \|\| TLS1_1 \|\| TLS1_2 ) */
kevman	0:38ceb79fef03	1432
kevman	0:38ceb79fef03	1433	/*
kevman	0:38ceb79fef03	1434	* Encryption/decryption functions
kevman	0:38ceb79fef03	1435	*/
kevman	0:38ceb79fef03	1436	static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	1437	{
kevman	0:38ceb79fef03	1438	mbedtls_cipher_mode_t mode;
kevman	0:38ceb79fef03	1439	int auth_done = 0;
kevman	0:38ceb79fef03	1440
kevman	0:38ceb79fef03	1441	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
kevman	0:38ceb79fef03	1442
kevman	0:38ceb79fef03	1443	if( ssl->session_out == NULL \|\| ssl->transform_out == NULL )
kevman	0:38ceb79fef03	1444	{
kevman	0:38ceb79fef03	1445	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1446	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1447	}
kevman	0:38ceb79fef03	1448
kevman	0:38ceb79fef03	1449	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
kevman	0:38ceb79fef03	1450
kevman	0:38ceb79fef03	1451	MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
kevman	0:38ceb79fef03	1452	ssl->out_msg, ssl->out_msglen );
kevman	0:38ceb79fef03	1453
kevman	0:38ceb79fef03	1454	/*
kevman	0:38ceb79fef03	1455	* Add MAC before if needed
kevman	0:38ceb79fef03	1456	*/
kevman	0:38ceb79fef03	1457	#if defined(SSL_SOME_MODES_USE_MAC)
kevman	0:38ceb79fef03	1458	if( mode == MBEDTLS_MODE_STREAM \|\|
kevman	0:38ceb79fef03	1459	( mode == MBEDTLS_MODE_CBC
kevman	0:38ceb79fef03	1460	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
kevman	0:38ceb79fef03	1461	&& ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
kevman	0:38ceb79fef03	1462	#endif
kevman	0:38ceb79fef03	1463	) )
kevman	0:38ceb79fef03	1464	{
kevman	0:38ceb79fef03	1465	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	1466	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	1467	{
kevman	0:38ceb79fef03	1468	unsigned char mac[SSL_MAC_MAX_BYTES];
kevman	0:38ceb79fef03	1469
kevman	0:38ceb79fef03	1470	ssl_mac( &ssl->transform_out->md_ctx_enc,
kevman	0:38ceb79fef03	1471	ssl->transform_out->mac_enc,
kevman	0:38ceb79fef03	1472	ssl->out_msg, ssl->out_msglen,
kevman	0:38ceb79fef03	1473	ssl->out_ctr, ssl->out_msgtype,
kevman	0:38ceb79fef03	1474	mac );
kevman	0:38ceb79fef03	1475
kevman	0:38ceb79fef03	1476	memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
kevman	0:38ceb79fef03	1477	}
kevman	0:38ceb79fef03	1478	else
kevman	0:38ceb79fef03	1479	#endif
kevman	0:38ceb79fef03	1480	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	1481	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	1482	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
kevman	0:38ceb79fef03	1483	{
kevman	0:38ceb79fef03	1484	unsigned char mac[MBEDTLS_SSL_MAC_ADD];
kevman	0:38ceb79fef03	1485
kevman	0:38ceb79fef03	1486	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
kevman	0:38ceb79fef03	1487	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
kevman	0:38ceb79fef03	1488	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
kevman	0:38ceb79fef03	1489	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
kevman	0:38ceb79fef03	1490	ssl->out_msg, ssl->out_msglen );
kevman	0:38ceb79fef03	1491	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
kevman	0:38ceb79fef03	1492	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
kevman	0:38ceb79fef03	1493
kevman	0:38ceb79fef03	1494	memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
kevman	0:38ceb79fef03	1495	}
kevman	0:38ceb79fef03	1496	else
kevman	0:38ceb79fef03	1497	#endif
kevman	0:38ceb79fef03	1498	{
kevman	0:38ceb79fef03	1499	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1500	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1501	}
kevman	0:38ceb79fef03	1502
kevman	0:38ceb79fef03	1503	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
kevman	0:38ceb79fef03	1504	ssl->out_msg + ssl->out_msglen,
kevman	0:38ceb79fef03	1505	ssl->transform_out->maclen );
kevman	0:38ceb79fef03	1506
kevman	0:38ceb79fef03	1507	ssl->out_msglen += ssl->transform_out->maclen;
kevman	0:38ceb79fef03	1508	auth_done++;
kevman	0:38ceb79fef03	1509	}
kevman	0:38ceb79fef03	1510	#endif /* AEAD not the only option */
kevman	0:38ceb79fef03	1511
kevman	0:38ceb79fef03	1512	/*
kevman	0:38ceb79fef03	1513	* Encrypt
kevman	0:38ceb79fef03	1514	*/
kevman	0:38ceb79fef03	1515	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
kevman	0:38ceb79fef03	1516	if( mode == MBEDTLS_MODE_STREAM )
kevman	0:38ceb79fef03	1517	{
kevman	0:38ceb79fef03	1518	int ret;
kevman	0:38ceb79fef03	1519	size_t olen = 0;
kevman	0:38ceb79fef03	1520
kevman	0:38ceb79fef03	1521	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
kevman	0:38ceb79fef03	1522	"including %d bytes of padding",
kevman	0:38ceb79fef03	1523	ssl->out_msglen, 0 ) );
kevman	0:38ceb79fef03	1524
kevman	0:38ceb79fef03	1525	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
kevman	0:38ceb79fef03	1526	ssl->transform_out->iv_enc,
kevman	0:38ceb79fef03	1527	ssl->transform_out->ivlen,
kevman	0:38ceb79fef03	1528	ssl->out_msg, ssl->out_msglen,
kevman	0:38ceb79fef03	1529	ssl->out_msg, &olen ) ) != 0 )
kevman	0:38ceb79fef03	1530	{
kevman	0:38ceb79fef03	1531	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
kevman	0:38ceb79fef03	1532	return( ret );
kevman	0:38ceb79fef03	1533	}
kevman	0:38ceb79fef03	1534
kevman	0:38ceb79fef03	1535	if( ssl->out_msglen != olen )
kevman	0:38ceb79fef03	1536	{
kevman	0:38ceb79fef03	1537	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1538	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1539	}
kevman	0:38ceb79fef03	1540	}
kevman	0:38ceb79fef03	1541	else
kevman	0:38ceb79fef03	1542	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
kevman	0:38ceb79fef03	1543	#if defined(MBEDTLS_GCM_C) \|\| \
kevman	0:38ceb79fef03	1544	defined(MBEDTLS_CCM_C) \|\| \
kevman	0:38ceb79fef03	1545	defined(MBEDTLS_CHACHAPOLY_C)
kevman	0:38ceb79fef03	1546	if( mode == MBEDTLS_MODE_GCM \|\|
kevman	0:38ceb79fef03	1547	mode == MBEDTLS_MODE_CCM \|\|
kevman	0:38ceb79fef03	1548	mode == MBEDTLS_MODE_CHACHAPOLY )
kevman	0:38ceb79fef03	1549	{
kevman	0:38ceb79fef03	1550	int ret;
kevman	0:38ceb79fef03	1551	size_t enc_msglen, olen;
kevman	0:38ceb79fef03	1552	unsigned char *enc_msg;
kevman	0:38ceb79fef03	1553	unsigned char add_data[13];
kevman	0:38ceb79fef03	1554	unsigned char iv[12];
kevman	0:38ceb79fef03	1555	mbedtls_ssl_transform *transform = ssl->transform_out;
kevman	0:38ceb79fef03	1556	unsigned char taglen = transform->ciphersuite_info->flags &
kevman	0:38ceb79fef03	1557	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
kevman	0:38ceb79fef03	1558	size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
kevman	0:38ceb79fef03	1559
kevman	0:38ceb79fef03	1560	/*
kevman	0:38ceb79fef03	1561	* Prepare additional authenticated data
kevman	0:38ceb79fef03	1562	*/
kevman	0:38ceb79fef03	1563	memcpy( add_data, ssl->out_ctr, 8 );
kevman	0:38ceb79fef03	1564	add_data[8] = ssl->out_msgtype;
kevman	0:38ceb79fef03	1565	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
kevman	0:38ceb79fef03	1566	ssl->conf->transport, add_data + 9 );
kevman	0:38ceb79fef03	1567	add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
kevman	0:38ceb79fef03	1568	add_data[12] = ssl->out_msglen & 0xFF;
kevman	0:38ceb79fef03	1569
kevman	0:38ceb79fef03	1570	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
kevman	0:38ceb79fef03	1571
kevman	0:38ceb79fef03	1572	/*
kevman	0:38ceb79fef03	1573	* Generate IV
kevman	0:38ceb79fef03	1574	*/
kevman	0:38ceb79fef03	1575	if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
kevman	0:38ceb79fef03	1576	{
kevman	0:38ceb79fef03	1577	/* GCM and CCM: fixed \|\| explicit (=seqnum) */
kevman	0:38ceb79fef03	1578	memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
kevman	0:38ceb79fef03	1579	memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
kevman	0:38ceb79fef03	1580	memcpy( ssl->out_iv, ssl->out_ctr, 8 );
kevman	0:38ceb79fef03	1581
kevman	0:38ceb79fef03	1582	}
kevman	0:38ceb79fef03	1583	else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
kevman	0:38ceb79fef03	1584	{
kevman	0:38ceb79fef03	1585	/* ChachaPoly: fixed XOR sequence number */
kevman	0:38ceb79fef03	1586	unsigned char i;
kevman	0:38ceb79fef03	1587
kevman	0:38ceb79fef03	1588	memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
kevman	0:38ceb79fef03	1589
kevman	0:38ceb79fef03	1590	for( i = 0; i < 8; i++ )
kevman	0:38ceb79fef03	1591	iv[i+4] ^= ssl->out_ctr[i];
kevman	0:38ceb79fef03	1592	}
kevman	0:38ceb79fef03	1593	else
kevman	0:38ceb79fef03	1594	{
kevman	0:38ceb79fef03	1595	/* Reminder if we ever add an AEAD mode with a different size */
kevman	0:38ceb79fef03	1596	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1597	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1598	}
kevman	0:38ceb79fef03	1599
kevman	0:38ceb79fef03	1600	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
kevman	0:38ceb79fef03	1601	iv, transform->ivlen );
kevman	0:38ceb79fef03	1602	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
kevman	0:38ceb79fef03	1603	ssl->out_iv, explicit_ivlen );
kevman	0:38ceb79fef03	1604
kevman	0:38ceb79fef03	1605	/*
kevman	0:38ceb79fef03	1606	* Fix message length with added IV
kevman	0:38ceb79fef03	1607	*/
kevman	0:38ceb79fef03	1608	enc_msg = ssl->out_msg;
kevman	0:38ceb79fef03	1609	enc_msglen = ssl->out_msglen;
kevman	0:38ceb79fef03	1610	ssl->out_msglen += explicit_ivlen;
kevman	0:38ceb79fef03	1611
kevman	0:38ceb79fef03	1612	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
kevman	0:38ceb79fef03	1613	"including 0 bytes of padding",
kevman	0:38ceb79fef03	1614	ssl->out_msglen ) );
kevman	0:38ceb79fef03	1615
kevman	0:38ceb79fef03	1616	/*
kevman	0:38ceb79fef03	1617	* Encrypt and authenticate
kevman	0:38ceb79fef03	1618	*/
kevman	0:38ceb79fef03	1619	if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
kevman	0:38ceb79fef03	1620	iv, transform->ivlen,
kevman	0:38ceb79fef03	1621	add_data, 13,
kevman	0:38ceb79fef03	1622	enc_msg, enc_msglen,
kevman	0:38ceb79fef03	1623	enc_msg, &olen,
kevman	0:38ceb79fef03	1624	enc_msg + enc_msglen, taglen ) ) != 0 )
kevman	0:38ceb79fef03	1625	{
kevman	0:38ceb79fef03	1626	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
kevman	0:38ceb79fef03	1627	return( ret );
kevman	0:38ceb79fef03	1628	}
kevman	0:38ceb79fef03	1629
kevman	0:38ceb79fef03	1630	if( olen != enc_msglen )
kevman	0:38ceb79fef03	1631	{
kevman	0:38ceb79fef03	1632	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1633	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1634	}
kevman	0:38ceb79fef03	1635
kevman	0:38ceb79fef03	1636	ssl->out_msglen += taglen;
kevman	0:38ceb79fef03	1637	auth_done++;
kevman	0:38ceb79fef03	1638
kevman	0:38ceb79fef03	1639	MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
kevman	0:38ceb79fef03	1640	}
kevman	0:38ceb79fef03	1641	else
kevman	0:38ceb79fef03	1642	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
kevman	0:38ceb79fef03	1643	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
kevman	0:38ceb79fef03	1644	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) \|\| defined(MBEDTLS_ARIA_C) )
kevman	0:38ceb79fef03	1645	if( mode == MBEDTLS_MODE_CBC )
kevman	0:38ceb79fef03	1646	{
kevman	0:38ceb79fef03	1647	int ret;
kevman	0:38ceb79fef03	1648	unsigned char *enc_msg;
kevman	0:38ceb79fef03	1649	size_t enc_msglen, padlen, olen = 0, i;
kevman	0:38ceb79fef03	1650
kevman	0:38ceb79fef03	1651	padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
kevman	0:38ceb79fef03	1652	ssl->transform_out->ivlen;
kevman	0:38ceb79fef03	1653	if( padlen == ssl->transform_out->ivlen )
kevman	0:38ceb79fef03	1654	padlen = 0;
kevman	0:38ceb79fef03	1655
kevman	0:38ceb79fef03	1656	for( i = 0; i <= padlen; i++ )
kevman	0:38ceb79fef03	1657	ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
kevman	0:38ceb79fef03	1658
kevman	0:38ceb79fef03	1659	ssl->out_msglen += padlen + 1;
kevman	0:38ceb79fef03	1660
kevman	0:38ceb79fef03	1661	enc_msglen = ssl->out_msglen;
kevman	0:38ceb79fef03	1662	enc_msg = ssl->out_msg;
kevman	0:38ceb79fef03	1663
kevman	0:38ceb79fef03	1664	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	1665	/*
kevman	0:38ceb79fef03	1666	* Prepend per-record IV for block cipher in TLS v1.1 and up as per
kevman	0:38ceb79fef03	1667	* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
kevman	0:38ceb79fef03	1668	*/
kevman	0:38ceb79fef03	1669	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	1670	{
kevman	0:38ceb79fef03	1671	/*
kevman	0:38ceb79fef03	1672	* Generate IV
kevman	0:38ceb79fef03	1673	*/
kevman	0:38ceb79fef03	1674	ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
kevman	0:38ceb79fef03	1675	ssl->transform_out->ivlen );
kevman	0:38ceb79fef03	1676	if( ret != 0 )
kevman	0:38ceb79fef03	1677	return( ret );
kevman	0:38ceb79fef03	1678
kevman	0:38ceb79fef03	1679	memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
kevman	0:38ceb79fef03	1680	ssl->transform_out->ivlen );
kevman	0:38ceb79fef03	1681
kevman	0:38ceb79fef03	1682	/*
kevman	0:38ceb79fef03	1683	* Fix pointer positions and message length with added IV
kevman	0:38ceb79fef03	1684	*/
kevman	0:38ceb79fef03	1685	enc_msg = ssl->out_msg;
kevman	0:38ceb79fef03	1686	enc_msglen = ssl->out_msglen;
kevman	0:38ceb79fef03	1687	ssl->out_msglen += ssl->transform_out->ivlen;
kevman	0:38ceb79fef03	1688	}
kevman	0:38ceb79fef03	1689	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	1690
kevman	0:38ceb79fef03	1691	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
kevman	0:38ceb79fef03	1692	"including %d bytes of IV and %d bytes of padding",
kevman	0:38ceb79fef03	1693	ssl->out_msglen, ssl->transform_out->ivlen,
kevman	0:38ceb79fef03	1694	padlen + 1 ) );
kevman	0:38ceb79fef03	1695
kevman	0:38ceb79fef03	1696	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
kevman	0:38ceb79fef03	1697	ssl->transform_out->iv_enc,
kevman	0:38ceb79fef03	1698	ssl->transform_out->ivlen,
kevman	0:38ceb79fef03	1699	enc_msg, enc_msglen,
kevman	0:38ceb79fef03	1700	enc_msg, &olen ) ) != 0 )
kevman	0:38ceb79fef03	1701	{
kevman	0:38ceb79fef03	1702	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
kevman	0:38ceb79fef03	1703	return( ret );
kevman	0:38ceb79fef03	1704	}
kevman	0:38ceb79fef03	1705
kevman	0:38ceb79fef03	1706	if( enc_msglen != olen )
kevman	0:38ceb79fef03	1707	{
kevman	0:38ceb79fef03	1708	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1709	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1710	}
kevman	0:38ceb79fef03	1711
kevman	0:38ceb79fef03	1712	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
kevman	0:38ceb79fef03	1713	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	1714	{
kevman	0:38ceb79fef03	1715	/*
kevman	0:38ceb79fef03	1716	* Save IV in SSL3 and TLS1
kevman	0:38ceb79fef03	1717	*/
kevman	0:38ceb79fef03	1718	memcpy( ssl->transform_out->iv_enc,
kevman	0:38ceb79fef03	1719	ssl->transform_out->cipher_ctx_enc.iv,
kevman	0:38ceb79fef03	1720	ssl->transform_out->ivlen );
kevman	0:38ceb79fef03	1721	}
kevman	0:38ceb79fef03	1722	#endif
kevman	0:38ceb79fef03	1723
kevman	0:38ceb79fef03	1724	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
kevman	0:38ceb79fef03	1725	if( auth_done == 0 )
kevman	0:38ceb79fef03	1726	{
kevman	0:38ceb79fef03	1727	unsigned char mac[MBEDTLS_SSL_MAC_ADD];
kevman	0:38ceb79fef03	1728
kevman	0:38ceb79fef03	1729	/*
kevman	0:38ceb79fef03	1730	* MAC(MAC_write_key, seq_num +
kevman	0:38ceb79fef03	1731	* TLSCipherText.type +
kevman	0:38ceb79fef03	1732	* TLSCipherText.version +
kevman	0:38ceb79fef03	1733	* length_of( (IV +) ENC(...) ) +
kevman	0:38ceb79fef03	1734	* IV + // except for TLS 1.0
kevman	0:38ceb79fef03	1735	* ENC(content + padding + padding_length));
kevman	0:38ceb79fef03	1736	*/
kevman	0:38ceb79fef03	1737	unsigned char pseudo_hdr[13];
kevman	0:38ceb79fef03	1738
kevman	0:38ceb79fef03	1739	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
kevman	0:38ceb79fef03	1740
kevman	0:38ceb79fef03	1741	memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
kevman	0:38ceb79fef03	1742	memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
kevman	0:38ceb79fef03	1743	pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
kevman	0:38ceb79fef03	1744	pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
kevman	0:38ceb79fef03	1745
kevman	0:38ceb79fef03	1746	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
kevman	0:38ceb79fef03	1747
kevman	0:38ceb79fef03	1748	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
kevman	0:38ceb79fef03	1749	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
kevman	0:38ceb79fef03	1750	ssl->out_iv, ssl->out_msglen );
kevman	0:38ceb79fef03	1751	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
kevman	0:38ceb79fef03	1752	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
kevman	0:38ceb79fef03	1753
kevman	0:38ceb79fef03	1754	memcpy( ssl->out_iv + ssl->out_msglen, mac,
kevman	0:38ceb79fef03	1755	ssl->transform_out->maclen );
kevman	0:38ceb79fef03	1756
kevman	0:38ceb79fef03	1757	ssl->out_msglen += ssl->transform_out->maclen;
kevman	0:38ceb79fef03	1758	auth_done++;
kevman	0:38ceb79fef03	1759	}
kevman	0:38ceb79fef03	1760	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
kevman	0:38ceb79fef03	1761	}
kevman	0:38ceb79fef03	1762	else
kevman	0:38ceb79fef03	1763	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
kevman	0:38ceb79fef03	1764	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C \|\| MBEDTLS_ARIA_C ) */
kevman	0:38ceb79fef03	1765	{
kevman	0:38ceb79fef03	1766	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1767	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1768	}
kevman	0:38ceb79fef03	1769
kevman	0:38ceb79fef03	1770	/* Make extra sure authentication was performed, exactly once */
kevman	0:38ceb79fef03	1771	if( auth_done != 1 )
kevman	0:38ceb79fef03	1772	{
kevman	0:38ceb79fef03	1773	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1774	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1775	}
kevman	0:38ceb79fef03	1776
kevman	0:38ceb79fef03	1777	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
kevman	0:38ceb79fef03	1778
kevman	0:38ceb79fef03	1779	return( 0 );
kevman	0:38ceb79fef03	1780	}
kevman	0:38ceb79fef03	1781
kevman	0:38ceb79fef03	1782	static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	1783	{
kevman	0:38ceb79fef03	1784	mbedtls_cipher_mode_t mode;
kevman	0:38ceb79fef03	1785	int auth_done = 0;
kevman	0:38ceb79fef03	1786	#if defined(SSL_SOME_MODES_USE_MAC)
kevman	0:38ceb79fef03	1787	size_t padlen = 0, correct = 1;
kevman	0:38ceb79fef03	1788	#endif
kevman	0:38ceb79fef03	1789
kevman	0:38ceb79fef03	1790	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
kevman	0:38ceb79fef03	1791
kevman	0:38ceb79fef03	1792	if( ssl->session_in == NULL \|\| ssl->transform_in == NULL )
kevman	0:38ceb79fef03	1793	{
kevman	0:38ceb79fef03	1794	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1795	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1796	}
kevman	0:38ceb79fef03	1797
kevman	0:38ceb79fef03	1798	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
kevman	0:38ceb79fef03	1799
kevman	0:38ceb79fef03	1800	if( ssl->in_msglen < ssl->transform_in->minlen )
kevman	0:38ceb79fef03	1801	{
kevman	0:38ceb79fef03	1802	MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
kevman	0:38ceb79fef03	1803	ssl->in_msglen, ssl->transform_in->minlen ) );
kevman	0:38ceb79fef03	1804	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	1805	}
kevman	0:38ceb79fef03	1806
kevman	0:38ceb79fef03	1807	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
kevman	0:38ceb79fef03	1808	if( mode == MBEDTLS_MODE_STREAM )
kevman	0:38ceb79fef03	1809	{
kevman	0:38ceb79fef03	1810	int ret;
kevman	0:38ceb79fef03	1811	size_t olen = 0;
kevman	0:38ceb79fef03	1812
kevman	0:38ceb79fef03	1813	padlen = 0;
kevman	0:38ceb79fef03	1814
kevman	0:38ceb79fef03	1815	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
kevman	0:38ceb79fef03	1816	ssl->transform_in->iv_dec,
kevman	0:38ceb79fef03	1817	ssl->transform_in->ivlen,
kevman	0:38ceb79fef03	1818	ssl->in_msg, ssl->in_msglen,
kevman	0:38ceb79fef03	1819	ssl->in_msg, &olen ) ) != 0 )
kevman	0:38ceb79fef03	1820	{
kevman	0:38ceb79fef03	1821	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
kevman	0:38ceb79fef03	1822	return( ret );
kevman	0:38ceb79fef03	1823	}
kevman	0:38ceb79fef03	1824
kevman	0:38ceb79fef03	1825	if( ssl->in_msglen != olen )
kevman	0:38ceb79fef03	1826	{
kevman	0:38ceb79fef03	1827	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1828	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1829	}
kevman	0:38ceb79fef03	1830	}
kevman	0:38ceb79fef03	1831	else
kevman	0:38ceb79fef03	1832	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
kevman	0:38ceb79fef03	1833	#if defined(MBEDTLS_GCM_C) \|\| \
kevman	0:38ceb79fef03	1834	defined(MBEDTLS_CCM_C) \|\| \
kevman	0:38ceb79fef03	1835	defined(MBEDTLS_CHACHAPOLY_C)
kevman	0:38ceb79fef03	1836	if( mode == MBEDTLS_MODE_GCM \|\|
kevman	0:38ceb79fef03	1837	mode == MBEDTLS_MODE_CCM \|\|
kevman	0:38ceb79fef03	1838	mode == MBEDTLS_MODE_CHACHAPOLY )
kevman	0:38ceb79fef03	1839	{
kevman	0:38ceb79fef03	1840	int ret;
kevman	0:38ceb79fef03	1841	size_t dec_msglen, olen;
kevman	0:38ceb79fef03	1842	unsigned char *dec_msg;
kevman	0:38ceb79fef03	1843	unsigned char *dec_msg_result;
kevman	0:38ceb79fef03	1844	unsigned char add_data[13];
kevman	0:38ceb79fef03	1845	unsigned char iv[12];
kevman	0:38ceb79fef03	1846	mbedtls_ssl_transform *transform = ssl->transform_in;
kevman	0:38ceb79fef03	1847	unsigned char taglen = transform->ciphersuite_info->flags &
kevman	0:38ceb79fef03	1848	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
kevman	0:38ceb79fef03	1849	size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
kevman	0:38ceb79fef03	1850
kevman	0:38ceb79fef03	1851	/*
kevman	0:38ceb79fef03	1852	* Compute and update sizes
kevman	0:38ceb79fef03	1853	*/
kevman	0:38ceb79fef03	1854	if( ssl->in_msglen < explicit_iv_len + taglen )
kevman	0:38ceb79fef03	1855	{
kevman	0:38ceb79fef03	1856	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
kevman	0:38ceb79fef03	1857	"+ taglen (%d)", ssl->in_msglen,
kevman	0:38ceb79fef03	1858	explicit_iv_len, taglen ) );
kevman	0:38ceb79fef03	1859	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	1860	}
kevman	0:38ceb79fef03	1861	dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
kevman	0:38ceb79fef03	1862
kevman	0:38ceb79fef03	1863	dec_msg = ssl->in_msg;
kevman	0:38ceb79fef03	1864	dec_msg_result = ssl->in_msg;
kevman	0:38ceb79fef03	1865	ssl->in_msglen = dec_msglen;
kevman	0:38ceb79fef03	1866
kevman	0:38ceb79fef03	1867	/*
kevman	0:38ceb79fef03	1868	* Prepare additional authenticated data
kevman	0:38ceb79fef03	1869	*/
kevman	0:38ceb79fef03	1870	memcpy( add_data, ssl->in_ctr, 8 );
kevman	0:38ceb79fef03	1871	add_data[8] = ssl->in_msgtype;
kevman	0:38ceb79fef03	1872	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
kevman	0:38ceb79fef03	1873	ssl->conf->transport, add_data + 9 );
kevman	0:38ceb79fef03	1874	add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
kevman	0:38ceb79fef03	1875	add_data[12] = ssl->in_msglen & 0xFF;
kevman	0:38ceb79fef03	1876
kevman	0:38ceb79fef03	1877	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
kevman	0:38ceb79fef03	1878
kevman	0:38ceb79fef03	1879	/*
kevman	0:38ceb79fef03	1880	* Prepare IV
kevman	0:38ceb79fef03	1881	*/
kevman	0:38ceb79fef03	1882	if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
kevman	0:38ceb79fef03	1883	{
kevman	0:38ceb79fef03	1884	/* GCM and CCM: fixed \|\| explicit (transmitted) */
kevman	0:38ceb79fef03	1885	memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
kevman	0:38ceb79fef03	1886	memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
kevman	0:38ceb79fef03	1887
kevman	0:38ceb79fef03	1888	}
kevman	0:38ceb79fef03	1889	else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
kevman	0:38ceb79fef03	1890	{
kevman	0:38ceb79fef03	1891	/* ChachaPoly: fixed XOR sequence number */
kevman	0:38ceb79fef03	1892	unsigned char i;
kevman	0:38ceb79fef03	1893
kevman	0:38ceb79fef03	1894	memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
kevman	0:38ceb79fef03	1895
kevman	0:38ceb79fef03	1896	for( i = 0; i < 8; i++ )
kevman	0:38ceb79fef03	1897	iv[i+4] ^= ssl->in_ctr[i];
kevman	0:38ceb79fef03	1898	}
kevman	0:38ceb79fef03	1899	else
kevman	0:38ceb79fef03	1900	{
kevman	0:38ceb79fef03	1901	/* Reminder if we ever add an AEAD mode with a different size */
kevman	0:38ceb79fef03	1902	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1903	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1904	}
kevman	0:38ceb79fef03	1905
kevman	0:38ceb79fef03	1906	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
kevman	0:38ceb79fef03	1907	MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
kevman	0:38ceb79fef03	1908
kevman	0:38ceb79fef03	1909	/*
kevman	0:38ceb79fef03	1910	* Decrypt and authenticate
kevman	0:38ceb79fef03	1911	*/
kevman	0:38ceb79fef03	1912	if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
kevman	0:38ceb79fef03	1913	iv, transform->ivlen,
kevman	0:38ceb79fef03	1914	add_data, 13,
kevman	0:38ceb79fef03	1915	dec_msg, dec_msglen,
kevman	0:38ceb79fef03	1916	dec_msg_result, &olen,
kevman	0:38ceb79fef03	1917	dec_msg + dec_msglen, taglen ) ) != 0 )
kevman	0:38ceb79fef03	1918	{
kevman	0:38ceb79fef03	1919	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
kevman	0:38ceb79fef03	1920
kevman	0:38ceb79fef03	1921	if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
kevman	0:38ceb79fef03	1922	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	1923
kevman	0:38ceb79fef03	1924	return( ret );
kevman	0:38ceb79fef03	1925	}
kevman	0:38ceb79fef03	1926	auth_done++;
kevman	0:38ceb79fef03	1927
kevman	0:38ceb79fef03	1928	if( olen != dec_msglen )
kevman	0:38ceb79fef03	1929	{
kevman	0:38ceb79fef03	1930	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	1931	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	1932	}
kevman	0:38ceb79fef03	1933	}
kevman	0:38ceb79fef03	1934	else
kevman	0:38ceb79fef03	1935	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
kevman	0:38ceb79fef03	1936	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
kevman	0:38ceb79fef03	1937	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) \|\| defined(MBEDTLS_ARIA_C) )
kevman	0:38ceb79fef03	1938	if( mode == MBEDTLS_MODE_CBC )
kevman	0:38ceb79fef03	1939	{
kevman	0:38ceb79fef03	1940	/*
kevman	0:38ceb79fef03	1941	* Decrypt and check the padding
kevman	0:38ceb79fef03	1942	*/
kevman	0:38ceb79fef03	1943	int ret;
kevman	0:38ceb79fef03	1944	unsigned char *dec_msg;
kevman	0:38ceb79fef03	1945	unsigned char *dec_msg_result;
kevman	0:38ceb79fef03	1946	size_t dec_msglen;
kevman	0:38ceb79fef03	1947	size_t minlen = 0;
kevman	0:38ceb79fef03	1948	size_t olen = 0;
kevman	0:38ceb79fef03	1949
kevman	0:38ceb79fef03	1950	/*
kevman	0:38ceb79fef03	1951	* Check immediate ciphertext sanity
kevman	0:38ceb79fef03	1952	*/
kevman	0:38ceb79fef03	1953	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	1954	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	1955	minlen += ssl->transform_in->ivlen;
kevman	0:38ceb79fef03	1956	#endif
kevman	0:38ceb79fef03	1957
kevman	0:38ceb79fef03	1958	if( ssl->in_msglen < minlen + ssl->transform_in->ivlen \|\|
kevman	0:38ceb79fef03	1959	ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
kevman	0:38ceb79fef03	1960	{
kevman	0:38ceb79fef03	1961	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
kevman	0:38ceb79fef03	1962	"+ 1 ) ( + expl IV )", ssl->in_msglen,
kevman	0:38ceb79fef03	1963	ssl->transform_in->ivlen,
kevman	0:38ceb79fef03	1964	ssl->transform_in->maclen ) );
kevman	0:38ceb79fef03	1965	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	1966	}
kevman	0:38ceb79fef03	1967
kevman	0:38ceb79fef03	1968	dec_msglen = ssl->in_msglen;
kevman	0:38ceb79fef03	1969	dec_msg = ssl->in_msg;
kevman	0:38ceb79fef03	1970	dec_msg_result = ssl->in_msg;
kevman	0:38ceb79fef03	1971
kevman	0:38ceb79fef03	1972	/*
kevman	0:38ceb79fef03	1973	* Authenticate before decrypt if enabled
kevman	0:38ceb79fef03	1974	*/
kevman	0:38ceb79fef03	1975	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
kevman	0:38ceb79fef03	1976	if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
kevman	0:38ceb79fef03	1977	{
kevman	0:38ceb79fef03	1978	unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
kevman	0:38ceb79fef03	1979	unsigned char pseudo_hdr[13];
kevman	0:38ceb79fef03	1980
kevman	0:38ceb79fef03	1981	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
kevman	0:38ceb79fef03	1982
kevman	0:38ceb79fef03	1983	dec_msglen -= ssl->transform_in->maclen;
kevman	0:38ceb79fef03	1984	ssl->in_msglen -= ssl->transform_in->maclen;
kevman	0:38ceb79fef03	1985
kevman	0:38ceb79fef03	1986	memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
kevman	0:38ceb79fef03	1987	memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
kevman	0:38ceb79fef03	1988	pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
kevman	0:38ceb79fef03	1989	pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
kevman	0:38ceb79fef03	1990
kevman	0:38ceb79fef03	1991	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
kevman	0:38ceb79fef03	1992
kevman	0:38ceb79fef03	1993	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
kevman	0:38ceb79fef03	1994	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
kevman	0:38ceb79fef03	1995	ssl->in_iv, ssl->in_msglen );
kevman	0:38ceb79fef03	1996	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
kevman	0:38ceb79fef03	1997	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
kevman	0:38ceb79fef03	1998
kevman	0:38ceb79fef03	1999	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
kevman	0:38ceb79fef03	2000	ssl->transform_in->maclen );
kevman	0:38ceb79fef03	2001	MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
kevman	0:38ceb79fef03	2002	ssl->transform_in->maclen );
kevman	0:38ceb79fef03	2003
kevman	0:38ceb79fef03	2004	if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
kevman	0:38ceb79fef03	2005	ssl->transform_in->maclen ) != 0 )
kevman	0:38ceb79fef03	2006	{
kevman	0:38ceb79fef03	2007	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
kevman	0:38ceb79fef03	2008
kevman	0:38ceb79fef03	2009	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	2010	}
kevman	0:38ceb79fef03	2011	auth_done++;
kevman	0:38ceb79fef03	2012	}
kevman	0:38ceb79fef03	2013	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
kevman	0:38ceb79fef03	2014
kevman	0:38ceb79fef03	2015	/*
kevman	0:38ceb79fef03	2016	* Check length sanity
kevman	0:38ceb79fef03	2017	*/
kevman	0:38ceb79fef03	2018	if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
kevman	0:38ceb79fef03	2019	{
kevman	0:38ceb79fef03	2020	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
kevman	0:38ceb79fef03	2021	ssl->in_msglen, ssl->transform_in->ivlen ) );
kevman	0:38ceb79fef03	2022	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	2023	}
kevman	0:38ceb79fef03	2024
kevman	0:38ceb79fef03	2025	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	2026	/*
kevman	0:38ceb79fef03	2027	* Initialize for prepended IV for block cipher in TLS v1.1 and up
kevman	0:38ceb79fef03	2028	*/
kevman	0:38ceb79fef03	2029	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	2030	{
kevman	0:38ceb79fef03	2031	unsigned char i;
kevman	0:38ceb79fef03	2032	dec_msglen -= ssl->transform_in->ivlen;
kevman	0:38ceb79fef03	2033	ssl->in_msglen -= ssl->transform_in->ivlen;
kevman	0:38ceb79fef03	2034
kevman	0:38ceb79fef03	2035	for( i = 0; i < ssl->transform_in->ivlen; i++ )
kevman	0:38ceb79fef03	2036	ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
kevman	0:38ceb79fef03	2037	}
kevman	0:38ceb79fef03	2038	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	2039
kevman	0:38ceb79fef03	2040	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
kevman	0:38ceb79fef03	2041	ssl->transform_in->iv_dec,
kevman	0:38ceb79fef03	2042	ssl->transform_in->ivlen,
kevman	0:38ceb79fef03	2043	dec_msg, dec_msglen,
kevman	0:38ceb79fef03	2044	dec_msg_result, &olen ) ) != 0 )
kevman	0:38ceb79fef03	2045	{
kevman	0:38ceb79fef03	2046	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
kevman	0:38ceb79fef03	2047	return( ret );
kevman	0:38ceb79fef03	2048	}
kevman	0:38ceb79fef03	2049
kevman	0:38ceb79fef03	2050	if( dec_msglen != olen )
kevman	0:38ceb79fef03	2051	{
kevman	0:38ceb79fef03	2052	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2053	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2054	}
kevman	0:38ceb79fef03	2055
kevman	0:38ceb79fef03	2056	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
kevman	0:38ceb79fef03	2057	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	2058	{
kevman	0:38ceb79fef03	2059	/*
kevman	0:38ceb79fef03	2060	* Save IV in SSL3 and TLS1
kevman	0:38ceb79fef03	2061	*/
kevman	0:38ceb79fef03	2062	memcpy( ssl->transform_in->iv_dec,
kevman	0:38ceb79fef03	2063	ssl->transform_in->cipher_ctx_dec.iv,
kevman	0:38ceb79fef03	2064	ssl->transform_in->ivlen );
kevman	0:38ceb79fef03	2065	}
kevman	0:38ceb79fef03	2066	#endif
kevman	0:38ceb79fef03	2067
kevman	0:38ceb79fef03	2068	padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
kevman	0:38ceb79fef03	2069
kevman	0:38ceb79fef03	2070	if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
kevman	0:38ceb79fef03	2071	auth_done == 0 )
kevman	0:38ceb79fef03	2072	{
kevman	0:38ceb79fef03	2073	#if defined(MBEDTLS_SSL_DEBUG_ALL)
kevman	0:38ceb79fef03	2074	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
kevman	0:38ceb79fef03	2075	ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
kevman	0:38ceb79fef03	2076	#endif
kevman	0:38ceb79fef03	2077	padlen = 0;
kevman	0:38ceb79fef03	2078	correct = 0;
kevman	0:38ceb79fef03	2079	}
kevman	0:38ceb79fef03	2080
kevman	0:38ceb79fef03	2081	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	2082	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	2083	{
kevman	0:38ceb79fef03	2084	if( padlen > ssl->transform_in->ivlen )
kevman	0:38ceb79fef03	2085	{
kevman	0:38ceb79fef03	2086	#if defined(MBEDTLS_SSL_DEBUG_ALL)
kevman	0:38ceb79fef03	2087	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
kevman	0:38ceb79fef03	2088	"should be no more than %d",
kevman	0:38ceb79fef03	2089	padlen, ssl->transform_in->ivlen ) );
kevman	0:38ceb79fef03	2090	#endif
kevman	0:38ceb79fef03	2091	correct = 0;
kevman	0:38ceb79fef03	2092	}
kevman	0:38ceb79fef03	2093	}
kevman	0:38ceb79fef03	2094	else
kevman	0:38ceb79fef03	2095	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	2096	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	2097	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	2098	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	2099	{
kevman	0:38ceb79fef03	2100	/*
kevman	0:38ceb79fef03	2101	* TLSv1+: always check the padding up to the first failure
kevman	0:38ceb79fef03	2102	* and fake check up to 256 bytes of padding
kevman	0:38ceb79fef03	2103	*/
kevman	0:38ceb79fef03	2104	size_t pad_count = 0, real_count = 1;
kevman	0:38ceb79fef03	2105	size_t padding_idx = ssl->in_msglen - padlen;
kevman	0:38ceb79fef03	2106	size_t i;
kevman	0:38ceb79fef03	2107
kevman	0:38ceb79fef03	2108	/*
kevman	0:38ceb79fef03	2109	* Padding is guaranteed to be incorrect if:
kevman	0:38ceb79fef03	2110	* 1. padlen > ssl->in_msglen
kevman	0:38ceb79fef03	2111	*
kevman	0:38ceb79fef03	2112	* 2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
kevman	0:38ceb79fef03	2113	* ssl->transform_in->maclen
kevman	0:38ceb79fef03	2114	*
kevman	0:38ceb79fef03	2115	* In both cases we reset padding_idx to a safe value (0) to
kevman	0:38ceb79fef03	2116	* prevent out-of-buffer reads.
kevman	0:38ceb79fef03	2117	*/
kevman	0:38ceb79fef03	2118	correct &= ( padlen <= ssl->in_msglen );
kevman	0:38ceb79fef03	2119	correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
kevman	0:38ceb79fef03	2120	ssl->transform_in->maclen );
kevman	0:38ceb79fef03	2121
kevman	0:38ceb79fef03	2122	padding_idx *= correct;
kevman	0:38ceb79fef03	2123
kevman	0:38ceb79fef03	2124	for( i = 0; i < 256; i++ )
kevman	0:38ceb79fef03	2125	{
kevman	0:38ceb79fef03	2126	real_count &= ( i < padlen );
kevman	0:38ceb79fef03	2127	pad_count += real_count *
kevman	0:38ceb79fef03	2128	( ssl->in_msg[padding_idx + i] == padlen - 1 );
kevman	0:38ceb79fef03	2129	}
kevman	0:38ceb79fef03	2130
kevman	0:38ceb79fef03	2131	correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
kevman	0:38ceb79fef03	2132
kevman	0:38ceb79fef03	2133	#if defined(MBEDTLS_SSL_DEBUG_ALL)
kevman	0:38ceb79fef03	2134	if( padlen > 0 && correct == 0 )
kevman	0:38ceb79fef03	2135	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
kevman	0:38ceb79fef03	2136	#endif
kevman	0:38ceb79fef03	2137	padlen &= correct * 0x1FF;
kevman	0:38ceb79fef03	2138	}
kevman	0:38ceb79fef03	2139	else
kevman	0:38ceb79fef03	2140	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
kevman	0:38ceb79fef03	2141	MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	2142	{
kevman	0:38ceb79fef03	2143	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2144	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2145	}
kevman	0:38ceb79fef03	2146
kevman	0:38ceb79fef03	2147	ssl->in_msglen -= padlen;
kevman	0:38ceb79fef03	2148	}
kevman	0:38ceb79fef03	2149	else
kevman	0:38ceb79fef03	2150	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
kevman	0:38ceb79fef03	2151	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C \|\| MBEDTLS_ARIA_C ) */
kevman	0:38ceb79fef03	2152	{
kevman	0:38ceb79fef03	2153	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2154	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2155	}
kevman	0:38ceb79fef03	2156
kevman	0:38ceb79fef03	2157	#if defined(MBEDTLS_SSL_DEBUG_ALL)
kevman	0:38ceb79fef03	2158	MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
kevman	0:38ceb79fef03	2159	ssl->in_msg, ssl->in_msglen );
kevman	0:38ceb79fef03	2160	#endif
kevman	0:38ceb79fef03	2161
kevman	0:38ceb79fef03	2162	/*
kevman	0:38ceb79fef03	2163	* Authenticate if not done yet.
kevman	0:38ceb79fef03	2164	* Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
kevman	0:38ceb79fef03	2165	*/
kevman	0:38ceb79fef03	2166	#if defined(SSL_SOME_MODES_USE_MAC)
kevman	0:38ceb79fef03	2167	if( auth_done == 0 )
kevman	0:38ceb79fef03	2168	{
kevman	0:38ceb79fef03	2169	unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
kevman	0:38ceb79fef03	2170
kevman	0:38ceb79fef03	2171	ssl->in_msglen -= ssl->transform_in->maclen;
kevman	0:38ceb79fef03	2172
kevman	0:38ceb79fef03	2173	ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
kevman	0:38ceb79fef03	2174	ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
kevman	0:38ceb79fef03	2175
kevman	0:38ceb79fef03	2176	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	2177	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	2178	{
kevman	0:38ceb79fef03	2179	ssl_mac( &ssl->transform_in->md_ctx_dec,
kevman	0:38ceb79fef03	2180	ssl->transform_in->mac_dec,
kevman	0:38ceb79fef03	2181	ssl->in_msg, ssl->in_msglen,
kevman	0:38ceb79fef03	2182	ssl->in_ctr, ssl->in_msgtype,
kevman	0:38ceb79fef03	2183	mac_expect );
kevman	0:38ceb79fef03	2184	}
kevman	0:38ceb79fef03	2185	else
kevman	0:38ceb79fef03	2186	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	2187	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	2188	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	2189	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	2190	{
kevman	0:38ceb79fef03	2191	/*
kevman	0:38ceb79fef03	2192	* Process MAC and always update for padlen afterwards to make
kevman	0:38ceb79fef03	2193	* total time independent of padlen.
kevman	0:38ceb79fef03	2194	*
kevman	0:38ceb79fef03	2195	* Known timing attacks:
kevman	0:38ceb79fef03	2196	* - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
kevman	0:38ceb79fef03	2197	*
kevman	0:38ceb79fef03	2198	* To compensate for different timings for the MAC calculation
kevman	0:38ceb79fef03	2199	* depending on how much padding was removed (which is determined
kevman	0:38ceb79fef03	2200	* by padlen), process extra_run more blocks through the hash
kevman	0:38ceb79fef03	2201	* function.
kevman	0:38ceb79fef03	2202	*
kevman	0:38ceb79fef03	2203	* The formula in the paper is
kevman	0:38ceb79fef03	2204	* extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
kevman	0:38ceb79fef03	2205	* where L1 is the size of the header plus the decrypted message
kevman	0:38ceb79fef03	2206	* plus CBC padding and L2 is the size of the header plus the
kevman	0:38ceb79fef03	2207	* decrypted message. This is for an underlying hash function
kevman	0:38ceb79fef03	2208	* with 64-byte blocks.
kevman	0:38ceb79fef03	2209	* We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
kevman	0:38ceb79fef03	2210	* correctly. We round down instead of up, so -56 is the correct
kevman	0:38ceb79fef03	2211	* value for our calculations instead of -55.
kevman	0:38ceb79fef03	2212	*
kevman	0:38ceb79fef03	2213	* Repeat the formula rather than defining a block_size variable.
kevman	0:38ceb79fef03	2214	* This avoids requiring division by a variable at runtime
kevman	0:38ceb79fef03	2215	* (which would be marginally less efficient and would require
kevman	0:38ceb79fef03	2216	* linking an extra division function in some builds).
kevman	0:38ceb79fef03	2217	*/
kevman	0:38ceb79fef03	2218	size_t j, extra_run = 0;
kevman	0:38ceb79fef03	2219
kevman	0:38ceb79fef03	2220	/*
kevman	0:38ceb79fef03	2221	* The next two sizes are the minimum and maximum values of
kevman	0:38ceb79fef03	2222	* in_msglen over all padlen values.
kevman	0:38ceb79fef03	2223	*
kevman	0:38ceb79fef03	2224	* They're independent of padlen, since we previously did
kevman	0:38ceb79fef03	2225	* in_msglen -= padlen.
kevman	0:38ceb79fef03	2226	*
kevman	0:38ceb79fef03	2227	* Note that max_len + maclen is never more than the buffer
kevman	0:38ceb79fef03	2228	* length, as we previously did in_msglen -= maclen too.
kevman	0:38ceb79fef03	2229	*/
kevman	0:38ceb79fef03	2230	const size_t max_len = ssl->in_msglen + padlen;
kevman	0:38ceb79fef03	2231	const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
kevman	0:38ceb79fef03	2232
kevman	0:38ceb79fef03	2233	switch( ssl->transform_in->ciphersuite_info->mac )
kevman	0:38ceb79fef03	2234	{
kevman	0:38ceb79fef03	2235	#if defined(MBEDTLS_MD5_C) \|\| defined(MBEDTLS_SHA1_C) \|\| \
kevman	0:38ceb79fef03	2236	defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	2237	case MBEDTLS_MD_MD5:
kevman	0:38ceb79fef03	2238	case MBEDTLS_MD_SHA1:
kevman	0:38ceb79fef03	2239	case MBEDTLS_MD_SHA256:
kevman	0:38ceb79fef03	2240	/* 8 bytes of message size, 64-byte compression blocks */
kevman	0:38ceb79fef03	2241	extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
kevman	0:38ceb79fef03	2242	( 13 + ssl->in_msglen + 8 ) / 64;
kevman	0:38ceb79fef03	2243	break;
kevman	0:38ceb79fef03	2244	#endif
kevman	0:38ceb79fef03	2245	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	2246	case MBEDTLS_MD_SHA384:
kevman	0:38ceb79fef03	2247	/* 16 bytes of message size, 128-byte compression blocks */
kevman	0:38ceb79fef03	2248	extra_run = ( 13 + ssl->in_msglen + padlen + 16 ) / 128 -
kevman	0:38ceb79fef03	2249	( 13 + ssl->in_msglen + 16 ) / 128;
kevman	0:38ceb79fef03	2250	break;
kevman	0:38ceb79fef03	2251	#endif
kevman	0:38ceb79fef03	2252	default:
kevman	0:38ceb79fef03	2253	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2254	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2255	}
kevman	0:38ceb79fef03	2256
kevman	0:38ceb79fef03	2257	extra_run &= correct * 0xFF;
kevman	0:38ceb79fef03	2258
kevman	0:38ceb79fef03	2259	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
kevman	0:38ceb79fef03	2260	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
kevman	0:38ceb79fef03	2261	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
kevman	0:38ceb79fef03	2262	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
kevman	0:38ceb79fef03	2263	ssl->in_msglen );
kevman	0:38ceb79fef03	2264	/* Make sure we access everything even when padlen > 0. This
kevman	0:38ceb79fef03	2265	* makes the synchronisation requirements for just-in-time
kevman	0:38ceb79fef03	2266	* Prime+Probe attacks much tighter and hopefully impractical. */
kevman	0:38ceb79fef03	2267	ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
kevman	0:38ceb79fef03	2268	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
kevman	0:38ceb79fef03	2269
kevman	0:38ceb79fef03	2270	/* Call mbedtls_md_process at least once due to cache attacks
kevman	0:38ceb79fef03	2271	* that observe whether md_process() was called of not */
kevman	0:38ceb79fef03	2272	for( j = 0; j < extra_run + 1; j++ )
kevman	0:38ceb79fef03	2273	mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
kevman	0:38ceb79fef03	2274
kevman	0:38ceb79fef03	2275	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
kevman	0:38ceb79fef03	2276
kevman	0:38ceb79fef03	2277	/* Make sure we access all the memory that could contain the MAC,
kevman	0:38ceb79fef03	2278	* before we check it in the next code block. This makes the
kevman	0:38ceb79fef03	2279	* synchronisation requirements for just-in-time Prime+Probe
kevman	0:38ceb79fef03	2280	* attacks much tighter and hopefully impractical. */
kevman	0:38ceb79fef03	2281	ssl_read_memory( ssl->in_msg + min_len,
kevman	0:38ceb79fef03	2282	max_len - min_len + ssl->transform_in->maclen );
kevman	0:38ceb79fef03	2283	}
kevman	0:38ceb79fef03	2284	else
kevman	0:38ceb79fef03	2285	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
kevman	0:38ceb79fef03	2286	MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	2287	{
kevman	0:38ceb79fef03	2288	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2289	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2290	}
kevman	0:38ceb79fef03	2291
kevman	0:38ceb79fef03	2292	#if defined(MBEDTLS_SSL_DEBUG_ALL)
kevman	0:38ceb79fef03	2293	MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
kevman	0:38ceb79fef03	2294	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen,
kevman	0:38ceb79fef03	2295	ssl->transform_in->maclen );
kevman	0:38ceb79fef03	2296	#endif
kevman	0:38ceb79fef03	2297
kevman	0:38ceb79fef03	2298	if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
kevman	0:38ceb79fef03	2299	ssl->transform_in->maclen ) != 0 )
kevman	0:38ceb79fef03	2300	{
kevman	0:38ceb79fef03	2301	#if defined(MBEDTLS_SSL_DEBUG_ALL)
kevman	0:38ceb79fef03	2302	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
kevman	0:38ceb79fef03	2303	#endif
kevman	0:38ceb79fef03	2304	correct = 0;
kevman	0:38ceb79fef03	2305	}
kevman	0:38ceb79fef03	2306	auth_done++;
kevman	0:38ceb79fef03	2307
kevman	0:38ceb79fef03	2308	/*
kevman	0:38ceb79fef03	2309	* Finally check the correct flag
kevman	0:38ceb79fef03	2310	*/
kevman	0:38ceb79fef03	2311	if( correct == 0 )
kevman	0:38ceb79fef03	2312	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	2313	}
kevman	0:38ceb79fef03	2314	#endif /* SSL_SOME_MODES_USE_MAC */
kevman	0:38ceb79fef03	2315
kevman	0:38ceb79fef03	2316	/* Make extra sure authentication was performed, exactly once */
kevman	0:38ceb79fef03	2317	if( auth_done != 1 )
kevman	0:38ceb79fef03	2318	{
kevman	0:38ceb79fef03	2319	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2320	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2321	}
kevman	0:38ceb79fef03	2322
kevman	0:38ceb79fef03	2323	if( ssl->in_msglen == 0 )
kevman	0:38ceb79fef03	2324	{
kevman	0:38ceb79fef03	2325	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	2326	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
kevman	0:38ceb79fef03	2327	&& ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
kevman	0:38ceb79fef03	2328	{
kevman	0:38ceb79fef03	2329	/* TLS v1.2 explicitly disallows zero-length messages which are not application data */
kevman	0:38ceb79fef03	2330	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
kevman	0:38ceb79fef03	2331	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	2332	}
kevman	0:38ceb79fef03	2333	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	2334
kevman	0:38ceb79fef03	2335	ssl->nb_zero++;
kevman	0:38ceb79fef03	2336
kevman	0:38ceb79fef03	2337	/*
kevman	0:38ceb79fef03	2338	* Three or more empty messages may be a DoS attack
kevman	0:38ceb79fef03	2339	* (excessive CPU consumption).
kevman	0:38ceb79fef03	2340	*/
kevman	0:38ceb79fef03	2341	if( ssl->nb_zero > 3 )
kevman	0:38ceb79fef03	2342	{
kevman	0:38ceb79fef03	2343	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
kevman	0:38ceb79fef03	2344	"messages, possible DoS attack" ) );
kevman	0:38ceb79fef03	2345	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	2346	}
kevman	0:38ceb79fef03	2347	}
kevman	0:38ceb79fef03	2348	else
kevman	0:38ceb79fef03	2349	ssl->nb_zero = 0;
kevman	0:38ceb79fef03	2350
kevman	0:38ceb79fef03	2351	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	2352	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	2353	{
kevman	0:38ceb79fef03	2354	; /* in_ctr read from peer, not maintained internally */
kevman	0:38ceb79fef03	2355	}
kevman	0:38ceb79fef03	2356	else
kevman	0:38ceb79fef03	2357	#endif
kevman	0:38ceb79fef03	2358	{
kevman	0:38ceb79fef03	2359	unsigned char i;
kevman	0:38ceb79fef03	2360	for( i = 8; i > ssl_ep_len( ssl ); i-- )
kevman	0:38ceb79fef03	2361	if( ++ssl->in_ctr[i - 1] != 0 )
kevman	0:38ceb79fef03	2362	break;
kevman	0:38ceb79fef03	2363
kevman	0:38ceb79fef03	2364	/* The loop goes to its end iff the counter is wrapping */
kevman	0:38ceb79fef03	2365	if( i == ssl_ep_len( ssl ) )
kevman	0:38ceb79fef03	2366	{
kevman	0:38ceb79fef03	2367	MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
kevman	0:38ceb79fef03	2368	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
kevman	0:38ceb79fef03	2369	}
kevman	0:38ceb79fef03	2370	}
kevman	0:38ceb79fef03	2371
kevman	0:38ceb79fef03	2372	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
kevman	0:38ceb79fef03	2373
kevman	0:38ceb79fef03	2374	return( 0 );
kevman	0:38ceb79fef03	2375	}
kevman	0:38ceb79fef03	2376
kevman	0:38ceb79fef03	2377	#undef MAC_NONE
kevman	0:38ceb79fef03	2378	#undef MAC_PLAINTEXT
kevman	0:38ceb79fef03	2379	#undef MAC_CIPHERTEXT
kevman	0:38ceb79fef03	2380
kevman	0:38ceb79fef03	2381	#if defined(MBEDTLS_ZLIB_SUPPORT)
kevman	0:38ceb79fef03	2382	/*
kevman	0:38ceb79fef03	2383	* Compression/decompression functions
kevman	0:38ceb79fef03	2384	*/
kevman	0:38ceb79fef03	2385	static int ssl_compress_buf( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2386	{
kevman	0:38ceb79fef03	2387	int ret;
kevman	0:38ceb79fef03	2388	unsigned char *msg_post = ssl->out_msg;
kevman	0:38ceb79fef03	2389	ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
kevman	0:38ceb79fef03	2390	size_t len_pre = ssl->out_msglen;
kevman	0:38ceb79fef03	2391	unsigned char *msg_pre = ssl->compress_buf;
kevman	0:38ceb79fef03	2392
kevman	0:38ceb79fef03	2393	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
kevman	0:38ceb79fef03	2394
kevman	0:38ceb79fef03	2395	if( len_pre == 0 )
kevman	0:38ceb79fef03	2396	return( 0 );
kevman	0:38ceb79fef03	2397
kevman	0:38ceb79fef03	2398	memcpy( msg_pre, ssl->out_msg, len_pre );
kevman	0:38ceb79fef03	2399
kevman	0:38ceb79fef03	2400	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
kevman	0:38ceb79fef03	2401	ssl->out_msglen ) );
kevman	0:38ceb79fef03	2402
kevman	0:38ceb79fef03	2403	MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
kevman	0:38ceb79fef03	2404	ssl->out_msg, ssl->out_msglen );
kevman	0:38ceb79fef03	2405
kevman	0:38ceb79fef03	2406	ssl->transform_out->ctx_deflate.next_in = msg_pre;
kevman	0:38ceb79fef03	2407	ssl->transform_out->ctx_deflate.avail_in = len_pre;
kevman	0:38ceb79fef03	2408	ssl->transform_out->ctx_deflate.next_out = msg_post;
kevman	0:38ceb79fef03	2409	ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
kevman	0:38ceb79fef03	2410
kevman	0:38ceb79fef03	2411	ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
kevman	0:38ceb79fef03	2412	if( ret != Z_OK )
kevman	0:38ceb79fef03	2413	{
kevman	0:38ceb79fef03	2414	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
kevman	0:38ceb79fef03	2415	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
kevman	0:38ceb79fef03	2416	}
kevman	0:38ceb79fef03	2417
kevman	0:38ceb79fef03	2418	ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
kevman	0:38ceb79fef03	2419	ssl->transform_out->ctx_deflate.avail_out - bytes_written;
kevman	0:38ceb79fef03	2420
kevman	0:38ceb79fef03	2421	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
kevman	0:38ceb79fef03	2422	ssl->out_msglen ) );
kevman	0:38ceb79fef03	2423
kevman	0:38ceb79fef03	2424	MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
kevman	0:38ceb79fef03	2425	ssl->out_msg, ssl->out_msglen );
kevman	0:38ceb79fef03	2426
kevman	0:38ceb79fef03	2427	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
kevman	0:38ceb79fef03	2428
kevman	0:38ceb79fef03	2429	return( 0 );
kevman	0:38ceb79fef03	2430	}
kevman	0:38ceb79fef03	2431
kevman	0:38ceb79fef03	2432	static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2433	{
kevman	0:38ceb79fef03	2434	int ret;
kevman	0:38ceb79fef03	2435	unsigned char *msg_post = ssl->in_msg;
kevman	0:38ceb79fef03	2436	ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
kevman	0:38ceb79fef03	2437	size_t len_pre = ssl->in_msglen;
kevman	0:38ceb79fef03	2438	unsigned char *msg_pre = ssl->compress_buf;
kevman	0:38ceb79fef03	2439
kevman	0:38ceb79fef03	2440	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
kevman	0:38ceb79fef03	2441
kevman	0:38ceb79fef03	2442	if( len_pre == 0 )
kevman	0:38ceb79fef03	2443	return( 0 );
kevman	0:38ceb79fef03	2444
kevman	0:38ceb79fef03	2445	memcpy( msg_pre, ssl->in_msg, len_pre );
kevman	0:38ceb79fef03	2446
kevman	0:38ceb79fef03	2447	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
kevman	0:38ceb79fef03	2448	ssl->in_msglen ) );
kevman	0:38ceb79fef03	2449
kevman	0:38ceb79fef03	2450	MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
kevman	0:38ceb79fef03	2451	ssl->in_msg, ssl->in_msglen );
kevman	0:38ceb79fef03	2452
kevman	0:38ceb79fef03	2453	ssl->transform_in->ctx_inflate.next_in = msg_pre;
kevman	0:38ceb79fef03	2454	ssl->transform_in->ctx_inflate.avail_in = len_pre;
kevman	0:38ceb79fef03	2455	ssl->transform_in->ctx_inflate.next_out = msg_post;
kevman	0:38ceb79fef03	2456	ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
kevman	0:38ceb79fef03	2457	header_bytes;
kevman	0:38ceb79fef03	2458
kevman	0:38ceb79fef03	2459	ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
kevman	0:38ceb79fef03	2460	if( ret != Z_OK )
kevman	0:38ceb79fef03	2461	{
kevman	0:38ceb79fef03	2462	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
kevman	0:38ceb79fef03	2463	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
kevman	0:38ceb79fef03	2464	}
kevman	0:38ceb79fef03	2465
kevman	0:38ceb79fef03	2466	ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
kevman	0:38ceb79fef03	2467	ssl->transform_in->ctx_inflate.avail_out - header_bytes;
kevman	0:38ceb79fef03	2468
kevman	0:38ceb79fef03	2469	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
kevman	0:38ceb79fef03	2470	ssl->in_msglen ) );
kevman	0:38ceb79fef03	2471
kevman	0:38ceb79fef03	2472	MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
kevman	0:38ceb79fef03	2473	ssl->in_msg, ssl->in_msglen );
kevman	0:38ceb79fef03	2474
kevman	0:38ceb79fef03	2475	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
kevman	0:38ceb79fef03	2476
kevman	0:38ceb79fef03	2477	return( 0 );
kevman	0:38ceb79fef03	2478	}
kevman	0:38ceb79fef03	2479	#endif /* MBEDTLS_ZLIB_SUPPORT */
kevman	0:38ceb79fef03	2480
kevman	0:38ceb79fef03	2481	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	2482	static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	2483
kevman	0:38ceb79fef03	2484	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	2485	static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2486	{
kevman	0:38ceb79fef03	2487	/* If renegotiation is not enforced, retransmit until we would reach max
kevman	0:38ceb79fef03	2488	* timeout if we were using the usual handshake doubling scheme */
kevman	0:38ceb79fef03	2489	if( ssl->conf->renego_max_records < 0 )
kevman	0:38ceb79fef03	2490	{
kevman	0:38ceb79fef03	2491	uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
kevman	0:38ceb79fef03	2492	unsigned char doublings = 1;
kevman	0:38ceb79fef03	2493
kevman	0:38ceb79fef03	2494	while( ratio != 0 )
kevman	0:38ceb79fef03	2495	{
kevman	0:38ceb79fef03	2496	++doublings;
kevman	0:38ceb79fef03	2497	ratio >>= 1;
kevman	0:38ceb79fef03	2498	}
kevman	0:38ceb79fef03	2499
kevman	0:38ceb79fef03	2500	if( ++ssl->renego_records_seen > doublings )
kevman	0:38ceb79fef03	2501	{
kevman	0:38ceb79fef03	2502	MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
kevman	0:38ceb79fef03	2503	return( 0 );
kevman	0:38ceb79fef03	2504	}
kevman	0:38ceb79fef03	2505	}
kevman	0:38ceb79fef03	2506
kevman	0:38ceb79fef03	2507	return( ssl_write_hello_request( ssl ) );
kevman	0:38ceb79fef03	2508	}
kevman	0:38ceb79fef03	2509	#endif
kevman	0:38ceb79fef03	2510	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
kevman	0:38ceb79fef03	2511
kevman	0:38ceb79fef03	2512	/*
kevman	0:38ceb79fef03	2513	* Fill the input message buffer by appending data to it.
kevman	0:38ceb79fef03	2514	* The amount of data already fetched is in ssl->in_left.
kevman	0:38ceb79fef03	2515	*
kevman	0:38ceb79fef03	2516	* If we return 0, is it guaranteed that (at least) nb_want bytes are
kevman	0:38ceb79fef03	2517	* available (from this read and/or a previous one). Otherwise, an error code
kevman	0:38ceb79fef03	2518	* is returned (possibly EOF or WANT_READ).
kevman	0:38ceb79fef03	2519	*
kevman	0:38ceb79fef03	2520	* With stream transport (TLS) on success ssl->in_left == nb_want, but
kevman	0:38ceb79fef03	2521	* with datagram transport (DTLS) on success ssl->in_left >= nb_want,
kevman	0:38ceb79fef03	2522	* since we always read a whole datagram at once.
kevman	0:38ceb79fef03	2523	*
kevman	0:38ceb79fef03	2524	* For DTLS, it is up to the caller to set ssl->next_record_offset when
kevman	0:38ceb79fef03	2525	* they're done reading a record.
kevman	0:38ceb79fef03	2526	*/
kevman	0:38ceb79fef03	2527	int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
kevman	0:38ceb79fef03	2528	{
kevman	0:38ceb79fef03	2529	int ret;
kevman	0:38ceb79fef03	2530	size_t len;
kevman	0:38ceb79fef03	2531
kevman	0:38ceb79fef03	2532	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
kevman	0:38ceb79fef03	2533
kevman	0:38ceb79fef03	2534	if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
kevman	0:38ceb79fef03	2535	{
kevman	0:38ceb79fef03	2536	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
kevman	0:38ceb79fef03	2537	"or mbedtls_ssl_set_bio()" ) );
kevman	0:38ceb79fef03	2538	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	2539	}
kevman	0:38ceb79fef03	2540
kevman	0:38ceb79fef03	2541	if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
kevman	0:38ceb79fef03	2542	{
kevman	0:38ceb79fef03	2543	MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
kevman	0:38ceb79fef03	2544	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	2545	}
kevman	0:38ceb79fef03	2546
kevman	0:38ceb79fef03	2547	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	2548	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	2549	{
kevman	0:38ceb79fef03	2550	uint32_t timeout;
kevman	0:38ceb79fef03	2551
kevman	0:38ceb79fef03	2552	/* Just to be sure */
kevman	0:38ceb79fef03	2553	if( ssl->f_set_timer == NULL \|\| ssl->f_get_timer == NULL )
kevman	0:38ceb79fef03	2554	{
kevman	0:38ceb79fef03	2555	MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
kevman	0:38ceb79fef03	2556	"mbedtls_ssl_set_timer_cb() for DTLS" ) );
kevman	0:38ceb79fef03	2557	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	2558	}
kevman	0:38ceb79fef03	2559
kevman	0:38ceb79fef03	2560	/*
kevman	0:38ceb79fef03	2561	* The point is, we need to always read a full datagram at once, so we
kevman	0:38ceb79fef03	2562	* sometimes read more then requested, and handle the additional data.
kevman	0:38ceb79fef03	2563	* It could be the rest of the current record (while fetching the
kevman	0:38ceb79fef03	2564	* header) and/or some other records in the same datagram.
kevman	0:38ceb79fef03	2565	*/
kevman	0:38ceb79fef03	2566
kevman	0:38ceb79fef03	2567	/*
kevman	0:38ceb79fef03	2568	* Move to the next record in the already read datagram if applicable
kevman	0:38ceb79fef03	2569	*/
kevman	0:38ceb79fef03	2570	if( ssl->next_record_offset != 0 )
kevman	0:38ceb79fef03	2571	{
kevman	0:38ceb79fef03	2572	if( ssl->in_left < ssl->next_record_offset )
kevman	0:38ceb79fef03	2573	{
kevman	0:38ceb79fef03	2574	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2575	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2576	}
kevman	0:38ceb79fef03	2577
kevman	0:38ceb79fef03	2578	ssl->in_left -= ssl->next_record_offset;
kevman	0:38ceb79fef03	2579
kevman	0:38ceb79fef03	2580	if( ssl->in_left != 0 )
kevman	0:38ceb79fef03	2581	{
kevman	0:38ceb79fef03	2582	MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
kevman	0:38ceb79fef03	2583	ssl->next_record_offset ) );
kevman	0:38ceb79fef03	2584	memmove( ssl->in_hdr,
kevman	0:38ceb79fef03	2585	ssl->in_hdr + ssl->next_record_offset,
kevman	0:38ceb79fef03	2586	ssl->in_left );
kevman	0:38ceb79fef03	2587	}
kevman	0:38ceb79fef03	2588
kevman	0:38ceb79fef03	2589	ssl->next_record_offset = 0;
kevman	0:38ceb79fef03	2590	}
kevman	0:38ceb79fef03	2591
kevman	0:38ceb79fef03	2592	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
kevman	0:38ceb79fef03	2593	ssl->in_left, nb_want ) );
kevman	0:38ceb79fef03	2594
kevman	0:38ceb79fef03	2595	/*
kevman	0:38ceb79fef03	2596	* Done if we already have enough data.
kevman	0:38ceb79fef03	2597	*/
kevman	0:38ceb79fef03	2598	if( nb_want <= ssl->in_left)
kevman	0:38ceb79fef03	2599	{
kevman	0:38ceb79fef03	2600	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
kevman	0:38ceb79fef03	2601	return( 0 );
kevman	0:38ceb79fef03	2602	}
kevman	0:38ceb79fef03	2603
kevman	0:38ceb79fef03	2604	/*
kevman	0:38ceb79fef03	2605	* A record can't be split accross datagrams. If we need to read but
kevman	0:38ceb79fef03	2606	* are not at the beginning of a new record, the caller did something
kevman	0:38ceb79fef03	2607	* wrong.
kevman	0:38ceb79fef03	2608	*/
kevman	0:38ceb79fef03	2609	if( ssl->in_left != 0 )
kevman	0:38ceb79fef03	2610	{
kevman	0:38ceb79fef03	2611	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	2612	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2613	}
kevman	0:38ceb79fef03	2614
kevman	0:38ceb79fef03	2615	/*
kevman	0:38ceb79fef03	2616	* Don't even try to read if time's out already.
kevman	0:38ceb79fef03	2617	* This avoids by-passing the timer when repeatedly receiving messages
kevman	0:38ceb79fef03	2618	* that will end up being dropped.
kevman	0:38ceb79fef03	2619	*/
kevman	0:38ceb79fef03	2620	if( ssl_check_timer( ssl ) != 0 )
kevman	0:38ceb79fef03	2621	{
kevman	0:38ceb79fef03	2622	MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
kevman	0:38ceb79fef03	2623	ret = MBEDTLS_ERR_SSL_TIMEOUT;
kevman	0:38ceb79fef03	2624	}
kevman	0:38ceb79fef03	2625	else
kevman	0:38ceb79fef03	2626	{
kevman	0:38ceb79fef03	2627	len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
kevman	0:38ceb79fef03	2628
kevman	0:38ceb79fef03	2629	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	2630	timeout = ssl->handshake->retransmit_timeout;
kevman	0:38ceb79fef03	2631	else
kevman	0:38ceb79fef03	2632	timeout = ssl->conf->read_timeout;
kevman	0:38ceb79fef03	2633
kevman	0:38ceb79fef03	2634	MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
kevman	0:38ceb79fef03	2635
kevman	0:38ceb79fef03	2636	if( ssl->f_recv_timeout != NULL )
kevman	0:38ceb79fef03	2637	ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
kevman	0:38ceb79fef03	2638	timeout );
kevman	0:38ceb79fef03	2639	else
kevman	0:38ceb79fef03	2640	ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
kevman	0:38ceb79fef03	2641
kevman	0:38ceb79fef03	2642	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
kevman	0:38ceb79fef03	2643
kevman	0:38ceb79fef03	2644	if( ret == 0 )
kevman	0:38ceb79fef03	2645	return( MBEDTLS_ERR_SSL_CONN_EOF );
kevman	0:38ceb79fef03	2646	}
kevman	0:38ceb79fef03	2647
kevman	0:38ceb79fef03	2648	if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
kevman	0:38ceb79fef03	2649	{
kevman	0:38ceb79fef03	2650	MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
kevman	0:38ceb79fef03	2651	ssl_set_timer( ssl, 0 );
kevman	0:38ceb79fef03	2652
kevman	0:38ceb79fef03	2653	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	2654	{
kevman	0:38ceb79fef03	2655	if( ssl_double_retransmit_timeout( ssl ) != 0 )
kevman	0:38ceb79fef03	2656	{
kevman	0:38ceb79fef03	2657	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
kevman	0:38ceb79fef03	2658	return( MBEDTLS_ERR_SSL_TIMEOUT );
kevman	0:38ceb79fef03	2659	}
kevman	0:38ceb79fef03	2660
kevman	0:38ceb79fef03	2661	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
kevman	0:38ceb79fef03	2662	{
kevman	0:38ceb79fef03	2663	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
kevman	0:38ceb79fef03	2664	return( ret );
kevman	0:38ceb79fef03	2665	}
kevman	0:38ceb79fef03	2666
kevman	0:38ceb79fef03	2667	return( MBEDTLS_ERR_SSL_WANT_READ );
kevman	0:38ceb79fef03	2668	}
kevman	0:38ceb79fef03	2669	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	2670	else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	2671	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
kevman	0:38ceb79fef03	2672	{
kevman	0:38ceb79fef03	2673	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
kevman	0:38ceb79fef03	2674	{
kevman	0:38ceb79fef03	2675	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
kevman	0:38ceb79fef03	2676	return( ret );
kevman	0:38ceb79fef03	2677	}
kevman	0:38ceb79fef03	2678
kevman	0:38ceb79fef03	2679	return( MBEDTLS_ERR_SSL_WANT_READ );
kevman	0:38ceb79fef03	2680	}
kevman	0:38ceb79fef03	2681	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
kevman	0:38ceb79fef03	2682	}
kevman	0:38ceb79fef03	2683
kevman	0:38ceb79fef03	2684	if( ret < 0 )
kevman	0:38ceb79fef03	2685	return( ret );
kevman	0:38ceb79fef03	2686
kevman	0:38ceb79fef03	2687	ssl->in_left = ret;
kevman	0:38ceb79fef03	2688	}
kevman	0:38ceb79fef03	2689	else
kevman	0:38ceb79fef03	2690	#endif
kevman	0:38ceb79fef03	2691	{
kevman	0:38ceb79fef03	2692	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
kevman	0:38ceb79fef03	2693	ssl->in_left, nb_want ) );
kevman	0:38ceb79fef03	2694
kevman	0:38ceb79fef03	2695	while( ssl->in_left < nb_want )
kevman	0:38ceb79fef03	2696	{
kevman	0:38ceb79fef03	2697	len = nb_want - ssl->in_left;
kevman	0:38ceb79fef03	2698
kevman	0:38ceb79fef03	2699	if( ssl_check_timer( ssl ) != 0 )
kevman	0:38ceb79fef03	2700	ret = MBEDTLS_ERR_SSL_TIMEOUT;
kevman	0:38ceb79fef03	2701	else
kevman	0:38ceb79fef03	2702	{
kevman	0:38ceb79fef03	2703	if( ssl->f_recv_timeout != NULL )
kevman	0:38ceb79fef03	2704	{
kevman	0:38ceb79fef03	2705	ret = ssl->f_recv_timeout( ssl->p_bio,
kevman	0:38ceb79fef03	2706	ssl->in_hdr + ssl->in_left, len,
kevman	0:38ceb79fef03	2707	ssl->conf->read_timeout );
kevman	0:38ceb79fef03	2708	}
kevman	0:38ceb79fef03	2709	else
kevman	0:38ceb79fef03	2710	{
kevman	0:38ceb79fef03	2711	ret = ssl->f_recv( ssl->p_bio,
kevman	0:38ceb79fef03	2712	ssl->in_hdr + ssl->in_left, len );
kevman	0:38ceb79fef03	2713	}
kevman	0:38ceb79fef03	2714	}
kevman	0:38ceb79fef03	2715
kevman	0:38ceb79fef03	2716	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
kevman	0:38ceb79fef03	2717	ssl->in_left, nb_want ) );
kevman	0:38ceb79fef03	2718	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
kevman	0:38ceb79fef03	2719
kevman	0:38ceb79fef03	2720	if( ret == 0 )
kevman	0:38ceb79fef03	2721	return( MBEDTLS_ERR_SSL_CONN_EOF );
kevman	0:38ceb79fef03	2722
kevman	0:38ceb79fef03	2723	if( ret < 0 )
kevman	0:38ceb79fef03	2724	return( ret );
kevman	0:38ceb79fef03	2725
kevman	0:38ceb79fef03	2726	if ( (size_t)ret > len \|\| ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
kevman	0:38ceb79fef03	2727	{
kevman	0:38ceb79fef03	2728	MBEDTLS_SSL_DEBUG_MSG( 1,
kevman	0:38ceb79fef03	2729	( "f_recv returned %d bytes but only %lu were requested",
kevman	0:38ceb79fef03	2730	ret, (unsigned long)len ) );
kevman	0:38ceb79fef03	2731	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2732	}
kevman	0:38ceb79fef03	2733
kevman	0:38ceb79fef03	2734	ssl->in_left += ret;
kevman	0:38ceb79fef03	2735	}
kevman	0:38ceb79fef03	2736	}
kevman	0:38ceb79fef03	2737
kevman	0:38ceb79fef03	2738	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
kevman	0:38ceb79fef03	2739
kevman	0:38ceb79fef03	2740	return( 0 );
kevman	0:38ceb79fef03	2741	}
kevman	0:38ceb79fef03	2742
kevman	0:38ceb79fef03	2743	/*
kevman	0:38ceb79fef03	2744	* Flush any data not yet written
kevman	0:38ceb79fef03	2745	*/
kevman	0:38ceb79fef03	2746	int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2747	{
kevman	0:38ceb79fef03	2748	int ret;
kevman	0:38ceb79fef03	2749	unsigned char *buf;
kevman	0:38ceb79fef03	2750
kevman	0:38ceb79fef03	2751	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
kevman	0:38ceb79fef03	2752
kevman	0:38ceb79fef03	2753	if( ssl->f_send == NULL )
kevman	0:38ceb79fef03	2754	{
kevman	0:38ceb79fef03	2755	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
kevman	0:38ceb79fef03	2756	"or mbedtls_ssl_set_bio()" ) );
kevman	0:38ceb79fef03	2757	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	2758	}
kevman	0:38ceb79fef03	2759
kevman	0:38ceb79fef03	2760	/* Avoid incrementing counter if data is flushed */
kevman	0:38ceb79fef03	2761	if( ssl->out_left == 0 )
kevman	0:38ceb79fef03	2762	{
kevman	0:38ceb79fef03	2763	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
kevman	0:38ceb79fef03	2764	return( 0 );
kevman	0:38ceb79fef03	2765	}
kevman	0:38ceb79fef03	2766
kevman	0:38ceb79fef03	2767	while( ssl->out_left > 0 )
kevman	0:38ceb79fef03	2768	{
kevman	0:38ceb79fef03	2769	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
kevman	0:38ceb79fef03	2770	mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
kevman	0:38ceb79fef03	2771
kevman	0:38ceb79fef03	2772	buf = ssl->out_hdr - ssl->out_left;
kevman	0:38ceb79fef03	2773	ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
kevman	0:38ceb79fef03	2774
kevman	0:38ceb79fef03	2775	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
kevman	0:38ceb79fef03	2776
kevman	0:38ceb79fef03	2777	if( ret <= 0 )
kevman	0:38ceb79fef03	2778	return( ret );
kevman	0:38ceb79fef03	2779
kevman	0:38ceb79fef03	2780	if( (size_t)ret > ssl->out_left \|\| ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
kevman	0:38ceb79fef03	2781	{
kevman	0:38ceb79fef03	2782	MBEDTLS_SSL_DEBUG_MSG( 1,
kevman	0:38ceb79fef03	2783	( "f_send returned %d bytes but only %lu bytes were sent",
kevman	0:38ceb79fef03	2784	ret, (unsigned long)ssl->out_left ) );
kevman	0:38ceb79fef03	2785	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	2786	}
kevman	0:38ceb79fef03	2787
kevman	0:38ceb79fef03	2788	ssl->out_left -= ret;
kevman	0:38ceb79fef03	2789	}
kevman	0:38ceb79fef03	2790
kevman	0:38ceb79fef03	2791	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	2792	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	2793	{
kevman	0:38ceb79fef03	2794	ssl->out_hdr = ssl->out_buf;
kevman	0:38ceb79fef03	2795	}
kevman	0:38ceb79fef03	2796	else
kevman	0:38ceb79fef03	2797	#endif
kevman	0:38ceb79fef03	2798	{
kevman	0:38ceb79fef03	2799	ssl->out_hdr = ssl->out_buf + 8;
kevman	0:38ceb79fef03	2800	}
kevman	0:38ceb79fef03	2801	ssl_update_out_pointers( ssl, ssl->transform_out );
kevman	0:38ceb79fef03	2802
kevman	0:38ceb79fef03	2803	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
kevman	0:38ceb79fef03	2804
kevman	0:38ceb79fef03	2805	return( 0 );
kevman	0:38ceb79fef03	2806	}
kevman	0:38ceb79fef03	2807
kevman	0:38ceb79fef03	2808	/*
kevman	0:38ceb79fef03	2809	* Functions to handle the DTLS retransmission state machine
kevman	0:38ceb79fef03	2810	*/
kevman	0:38ceb79fef03	2811	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	2812	/*
kevman	0:38ceb79fef03	2813	* Append current handshake message to current outgoing flight
kevman	0:38ceb79fef03	2814	*/
kevman	0:38ceb79fef03	2815	static int ssl_flight_append( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2816	{
kevman	0:38ceb79fef03	2817	mbedtls_ssl_flight_item *msg;
kevman	0:38ceb79fef03	2818	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
kevman	0:38ceb79fef03	2819	MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
kevman	0:38ceb79fef03	2820	ssl->out_msg, ssl->out_msglen );
kevman	0:38ceb79fef03	2821
kevman	0:38ceb79fef03	2822	/* Allocate space for current message */
kevman	0:38ceb79fef03	2823	if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
kevman	0:38ceb79fef03	2824	{
kevman	0:38ceb79fef03	2825	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
kevman	0:38ceb79fef03	2826	sizeof( mbedtls_ssl_flight_item ) ) );
kevman	0:38ceb79fef03	2827	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	2828	}
kevman	0:38ceb79fef03	2829
kevman	0:38ceb79fef03	2830	if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
kevman	0:38ceb79fef03	2831	{
kevman	0:38ceb79fef03	2832	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
kevman	0:38ceb79fef03	2833	mbedtls_free( msg );
kevman	0:38ceb79fef03	2834	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	2835	}
kevman	0:38ceb79fef03	2836
kevman	0:38ceb79fef03	2837	/* Copy current handshake message with headers */
kevman	0:38ceb79fef03	2838	memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
kevman	0:38ceb79fef03	2839	msg->len = ssl->out_msglen;
kevman	0:38ceb79fef03	2840	msg->type = ssl->out_msgtype;
kevman	0:38ceb79fef03	2841	msg->next = NULL;
kevman	0:38ceb79fef03	2842
kevman	0:38ceb79fef03	2843	/* Append to the current flight */
kevman	0:38ceb79fef03	2844	if( ssl->handshake->flight == NULL )
kevman	0:38ceb79fef03	2845	ssl->handshake->flight = msg;
kevman	0:38ceb79fef03	2846	else
kevman	0:38ceb79fef03	2847	{
kevman	0:38ceb79fef03	2848	mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
kevman	0:38ceb79fef03	2849	while( cur->next != NULL )
kevman	0:38ceb79fef03	2850	cur = cur->next;
kevman	0:38ceb79fef03	2851	cur->next = msg;
kevman	0:38ceb79fef03	2852	}
kevman	0:38ceb79fef03	2853
kevman	0:38ceb79fef03	2854	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
kevman	0:38ceb79fef03	2855	return( 0 );
kevman	0:38ceb79fef03	2856	}
kevman	0:38ceb79fef03	2857
kevman	0:38ceb79fef03	2858	/*
kevman	0:38ceb79fef03	2859	* Free the current flight of handshake messages
kevman	0:38ceb79fef03	2860	*/
kevman	0:38ceb79fef03	2861	static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
kevman	0:38ceb79fef03	2862	{
kevman	0:38ceb79fef03	2863	mbedtls_ssl_flight_item *cur = flight;
kevman	0:38ceb79fef03	2864	mbedtls_ssl_flight_item *next;
kevman	0:38ceb79fef03	2865
kevman	0:38ceb79fef03	2866	while( cur != NULL )
kevman	0:38ceb79fef03	2867	{
kevman	0:38ceb79fef03	2868	next = cur->next;
kevman	0:38ceb79fef03	2869
kevman	0:38ceb79fef03	2870	mbedtls_free( cur->p );
kevman	0:38ceb79fef03	2871	mbedtls_free( cur );
kevman	0:38ceb79fef03	2872
kevman	0:38ceb79fef03	2873	cur = next;
kevman	0:38ceb79fef03	2874	}
kevman	0:38ceb79fef03	2875	}
kevman	0:38ceb79fef03	2876
kevman	0:38ceb79fef03	2877	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	2878	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	2879	#endif
kevman	0:38ceb79fef03	2880
kevman	0:38ceb79fef03	2881	/*
kevman	0:38ceb79fef03	2882	* Swap transform_out and out_ctr with the alternative ones
kevman	0:38ceb79fef03	2883	*/
kevman	0:38ceb79fef03	2884	static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2885	{
kevman	0:38ceb79fef03	2886	mbedtls_ssl_transform *tmp_transform;
kevman	0:38ceb79fef03	2887	unsigned char tmp_out_ctr[8];
kevman	0:38ceb79fef03	2888
kevman	0:38ceb79fef03	2889	if( ssl->transform_out == ssl->handshake->alt_transform_out )
kevman	0:38ceb79fef03	2890	{
kevman	0:38ceb79fef03	2891	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
kevman	0:38ceb79fef03	2892	return;
kevman	0:38ceb79fef03	2893	}
kevman	0:38ceb79fef03	2894
kevman	0:38ceb79fef03	2895	MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
kevman	0:38ceb79fef03	2896
kevman	0:38ceb79fef03	2897	/* Swap transforms */
kevman	0:38ceb79fef03	2898	tmp_transform = ssl->transform_out;
kevman	0:38ceb79fef03	2899	ssl->transform_out = ssl->handshake->alt_transform_out;
kevman	0:38ceb79fef03	2900	ssl->handshake->alt_transform_out = tmp_transform;
kevman	0:38ceb79fef03	2901
kevman	0:38ceb79fef03	2902	/* Swap epoch + sequence_number */
kevman	0:38ceb79fef03	2903	memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
kevman	0:38ceb79fef03	2904	memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
kevman	0:38ceb79fef03	2905	memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
kevman	0:38ceb79fef03	2906
kevman	0:38ceb79fef03	2907	/* Adjust to the newly activated transform */
kevman	0:38ceb79fef03	2908	ssl_update_out_pointers( ssl, ssl->transform_out );
kevman	0:38ceb79fef03	2909
kevman	0:38ceb79fef03	2910	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	2911	if( mbedtls_ssl_hw_record_activate != NULL )
kevman	0:38ceb79fef03	2912	{
kevman	0:38ceb79fef03	2913	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
kevman	0:38ceb79fef03	2914	{
kevman	0:38ceb79fef03	2915	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
kevman	0:38ceb79fef03	2916	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
kevman	0:38ceb79fef03	2917	}
kevman	0:38ceb79fef03	2918	}
kevman	0:38ceb79fef03	2919	#endif
kevman	0:38ceb79fef03	2920	}
kevman	0:38ceb79fef03	2921
kevman	0:38ceb79fef03	2922	/*
kevman	0:38ceb79fef03	2923	* Retransmit the current flight of messages.
kevman	0:38ceb79fef03	2924	*/
kevman	0:38ceb79fef03	2925	int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2926	{
kevman	0:38ceb79fef03	2927	int ret = 0;
kevman	0:38ceb79fef03	2928
kevman	0:38ceb79fef03	2929	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
kevman	0:38ceb79fef03	2930
kevman	0:38ceb79fef03	2931	ret = mbedtls_ssl_flight_transmit( ssl );
kevman	0:38ceb79fef03	2932
kevman	0:38ceb79fef03	2933	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
kevman	0:38ceb79fef03	2934
kevman	0:38ceb79fef03	2935	return( ret );
kevman	0:38ceb79fef03	2936	}
kevman	0:38ceb79fef03	2937
kevman	0:38ceb79fef03	2938	/*
kevman	0:38ceb79fef03	2939	* Transmit or retransmit the current flight of messages.
kevman	0:38ceb79fef03	2940	*
kevman	0:38ceb79fef03	2941	* Need to remember the current message in case flush_output returns
kevman	0:38ceb79fef03	2942	* WANT_WRITE, causing us to exit this function and come back later.
kevman	0:38ceb79fef03	2943	* This function must be called until state is no longer SENDING.
kevman	0:38ceb79fef03	2944	*/
kevman	0:38ceb79fef03	2945	int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	2946	{
kevman	0:38ceb79fef03	2947	int ret;
kevman	0:38ceb79fef03	2948	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
kevman	0:38ceb79fef03	2949
kevman	0:38ceb79fef03	2950	if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
kevman	0:38ceb79fef03	2951	{
kevman	0:38ceb79fef03	2952	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
kevman	0:38ceb79fef03	2953
kevman	0:38ceb79fef03	2954	ssl->handshake->cur_msg = ssl->handshake->flight;
kevman	0:38ceb79fef03	2955	ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
kevman	0:38ceb79fef03	2956	ssl_swap_epochs( ssl );
kevman	0:38ceb79fef03	2957
kevman	0:38ceb79fef03	2958	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
kevman	0:38ceb79fef03	2959	}
kevman	0:38ceb79fef03	2960
kevman	0:38ceb79fef03	2961	while( ssl->handshake->cur_msg != NULL )
kevman	0:38ceb79fef03	2962	{
kevman	0:38ceb79fef03	2963	size_t max_frag_len;
kevman	0:38ceb79fef03	2964	const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
kevman	0:38ceb79fef03	2965
kevman	0:38ceb79fef03	2966	int const is_finished =
kevman	0:38ceb79fef03	2967	( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	2968	cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
kevman	0:38ceb79fef03	2969
kevman	0:38ceb79fef03	2970	uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
kevman	0:38ceb79fef03	2971	SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
kevman	0:38ceb79fef03	2972
kevman	0:38ceb79fef03	2973	/* Swap epochs before sending Finished: we can't do it after
kevman	0:38ceb79fef03	2974	* sending ChangeCipherSpec, in case write returns WANT_READ.
kevman	0:38ceb79fef03	2975	* Must be done before copying, may change out_msg pointer */
kevman	0:38ceb79fef03	2976	if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
kevman	0:38ceb79fef03	2977	{
kevman	0:38ceb79fef03	2978	MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
kevman	0:38ceb79fef03	2979	ssl_swap_epochs( ssl );
kevman	0:38ceb79fef03	2980	}
kevman	0:38ceb79fef03	2981
kevman	0:38ceb79fef03	2982	ret = ssl_get_remaining_payload_in_datagram( ssl );
kevman	0:38ceb79fef03	2983	if( ret < 0 )
kevman	0:38ceb79fef03	2984	return( ret );
kevman	0:38ceb79fef03	2985	max_frag_len = (size_t) ret;
kevman	0:38ceb79fef03	2986
kevman	0:38ceb79fef03	2987	/* CCS is copied as is, while HS messages may need fragmentation */
kevman	0:38ceb79fef03	2988	if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
kevman	0:38ceb79fef03	2989	{
kevman	0:38ceb79fef03	2990	if( max_frag_len == 0 )
kevman	0:38ceb79fef03	2991	{
kevman	0:38ceb79fef03	2992	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
kevman	0:38ceb79fef03	2993	return( ret );
kevman	0:38ceb79fef03	2994
kevman	0:38ceb79fef03	2995	continue;
kevman	0:38ceb79fef03	2996	}
kevman	0:38ceb79fef03	2997
kevman	0:38ceb79fef03	2998	memcpy( ssl->out_msg, cur->p, cur->len );
kevman	0:38ceb79fef03	2999	ssl->out_msglen = cur->len;
kevman	0:38ceb79fef03	3000	ssl->out_msgtype = cur->type;
kevman	0:38ceb79fef03	3001
kevman	0:38ceb79fef03	3002	/* Update position inside current message */
kevman	0:38ceb79fef03	3003	ssl->handshake->cur_msg_p += cur->len;
kevman	0:38ceb79fef03	3004	}
kevman	0:38ceb79fef03	3005	else
kevman	0:38ceb79fef03	3006	{
kevman	0:38ceb79fef03	3007	const unsigned char * const p = ssl->handshake->cur_msg_p;
kevman	0:38ceb79fef03	3008	const size_t hs_len = cur->len - 12;
kevman	0:38ceb79fef03	3009	const size_t frag_off = p - ( cur->p + 12 );
kevman	0:38ceb79fef03	3010	const size_t rem_len = hs_len - frag_off;
kevman	0:38ceb79fef03	3011	size_t cur_hs_frag_len, max_hs_frag_len;
kevman	0:38ceb79fef03	3012
kevman	0:38ceb79fef03	3013	if( ( max_frag_len < 12 ) \|\| ( max_frag_len == 12 && hs_len != 0 ) )
kevman	0:38ceb79fef03	3014	{
kevman	0:38ceb79fef03	3015	if( is_finished )
kevman	0:38ceb79fef03	3016	ssl_swap_epochs( ssl );
kevman	0:38ceb79fef03	3017
kevman	0:38ceb79fef03	3018	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
kevman	0:38ceb79fef03	3019	return( ret );
kevman	0:38ceb79fef03	3020
kevman	0:38ceb79fef03	3021	continue;
kevman	0:38ceb79fef03	3022	}
kevman	0:38ceb79fef03	3023	max_hs_frag_len = max_frag_len - 12;
kevman	0:38ceb79fef03	3024
kevman	0:38ceb79fef03	3025	cur_hs_frag_len = rem_len > max_hs_frag_len ?
kevman	0:38ceb79fef03	3026	max_hs_frag_len : rem_len;
kevman	0:38ceb79fef03	3027
kevman	0:38ceb79fef03	3028	if( frag_off == 0 && cur_hs_frag_len != hs_len )
kevman	0:38ceb79fef03	3029	{
kevman	0:38ceb79fef03	3030	MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
kevman	0:38ceb79fef03	3031	(unsigned) cur_hs_frag_len,
kevman	0:38ceb79fef03	3032	(unsigned) max_hs_frag_len ) );
kevman	0:38ceb79fef03	3033	}
kevman	0:38ceb79fef03	3034
kevman	0:38ceb79fef03	3035	/* Messages are stored with handshake headers as if not fragmented,
kevman	0:38ceb79fef03	3036	* copy beginning of headers then fill fragmentation fields.
kevman	0:38ceb79fef03	3037	* Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
kevman	0:38ceb79fef03	3038	memcpy( ssl->out_msg, cur->p, 6 );
kevman	0:38ceb79fef03	3039
kevman	0:38ceb79fef03	3040	ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
kevman	0:38ceb79fef03	3041	ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
kevman	0:38ceb79fef03	3042	ssl->out_msg[8] = ( ( frag_off ) & 0xff );
kevman	0:38ceb79fef03	3043
kevman	0:38ceb79fef03	3044	ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
kevman	0:38ceb79fef03	3045	ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
kevman	0:38ceb79fef03	3046	ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
kevman	0:38ceb79fef03	3047
kevman	0:38ceb79fef03	3048	MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
kevman	0:38ceb79fef03	3049
kevman	0:38ceb79fef03	3050	/* Copy the handshake message content and set records fields */
kevman	0:38ceb79fef03	3051	memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
kevman	0:38ceb79fef03	3052	ssl->out_msglen = cur_hs_frag_len + 12;
kevman	0:38ceb79fef03	3053	ssl->out_msgtype = cur->type;
kevman	0:38ceb79fef03	3054
kevman	0:38ceb79fef03	3055	/* Update position inside current message */
kevman	0:38ceb79fef03	3056	ssl->handshake->cur_msg_p += cur_hs_frag_len;
kevman	0:38ceb79fef03	3057	}
kevman	0:38ceb79fef03	3058
kevman	0:38ceb79fef03	3059	/* If done with the current message move to the next one if any */
kevman	0:38ceb79fef03	3060	if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
kevman	0:38ceb79fef03	3061	{
kevman	0:38ceb79fef03	3062	if( cur->next != NULL )
kevman	0:38ceb79fef03	3063	{
kevman	0:38ceb79fef03	3064	ssl->handshake->cur_msg = cur->next;
kevman	0:38ceb79fef03	3065	ssl->handshake->cur_msg_p = cur->next->p + 12;
kevman	0:38ceb79fef03	3066	}
kevman	0:38ceb79fef03	3067	else
kevman	0:38ceb79fef03	3068	{
kevman	0:38ceb79fef03	3069	ssl->handshake->cur_msg = NULL;
kevman	0:38ceb79fef03	3070	ssl->handshake->cur_msg_p = NULL;
kevman	0:38ceb79fef03	3071	}
kevman	0:38ceb79fef03	3072	}
kevman	0:38ceb79fef03	3073
kevman	0:38ceb79fef03	3074	/* Actually send the message out */
kevman	0:38ceb79fef03	3075	if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
kevman	0:38ceb79fef03	3076	{
kevman	0:38ceb79fef03	3077	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
kevman	0:38ceb79fef03	3078	return( ret );
kevman	0:38ceb79fef03	3079	}
kevman	0:38ceb79fef03	3080	}
kevman	0:38ceb79fef03	3081
kevman	0:38ceb79fef03	3082	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
kevman	0:38ceb79fef03	3083	return( ret );
kevman	0:38ceb79fef03	3084
kevman	0:38ceb79fef03	3085	/* Update state and set timer */
kevman	0:38ceb79fef03	3086	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	3087	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
kevman	0:38ceb79fef03	3088	else
kevman	0:38ceb79fef03	3089	{
kevman	0:38ceb79fef03	3090	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
kevman	0:38ceb79fef03	3091	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
kevman	0:38ceb79fef03	3092	}
kevman	0:38ceb79fef03	3093
kevman	0:38ceb79fef03	3094	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
kevman	0:38ceb79fef03	3095
kevman	0:38ceb79fef03	3096	return( 0 );
kevman	0:38ceb79fef03	3097	}
kevman	0:38ceb79fef03	3098
kevman	0:38ceb79fef03	3099	/*
kevman	0:38ceb79fef03	3100	* To be called when the last message of an incoming flight is received.
kevman	0:38ceb79fef03	3101	*/
kevman	0:38ceb79fef03	3102	void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3103	{
kevman	0:38ceb79fef03	3104	/* We won't need to resend that one any more */
kevman	0:38ceb79fef03	3105	ssl_flight_free( ssl->handshake->flight );
kevman	0:38ceb79fef03	3106	ssl->handshake->flight = NULL;
kevman	0:38ceb79fef03	3107	ssl->handshake->cur_msg = NULL;
kevman	0:38ceb79fef03	3108
kevman	0:38ceb79fef03	3109	/* The next incoming flight will start with this msg_seq */
kevman	0:38ceb79fef03	3110	ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
kevman	0:38ceb79fef03	3111
kevman	0:38ceb79fef03	3112	/* We don't want to remember CCS's across flight boundaries. */
kevman	0:38ceb79fef03	3113	ssl->handshake->buffering.seen_ccs = 0;
kevman	0:38ceb79fef03	3114
kevman	0:38ceb79fef03	3115	/* Clear future message buffering structure. */
kevman	0:38ceb79fef03	3116	ssl_buffering_free( ssl );
kevman	0:38ceb79fef03	3117
kevman	0:38ceb79fef03	3118	/* Cancel timer */
kevman	0:38ceb79fef03	3119	ssl_set_timer( ssl, 0 );
kevman	0:38ceb79fef03	3120
kevman	0:38ceb79fef03	3121	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	3122	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
kevman	0:38ceb79fef03	3123	{
kevman	0:38ceb79fef03	3124	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
kevman	0:38ceb79fef03	3125	}
kevman	0:38ceb79fef03	3126	else
kevman	0:38ceb79fef03	3127	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
kevman	0:38ceb79fef03	3128	}
kevman	0:38ceb79fef03	3129
kevman	0:38ceb79fef03	3130	/*
kevman	0:38ceb79fef03	3131	* To be called when the last message of an outgoing flight is send.
kevman	0:38ceb79fef03	3132	*/
kevman	0:38ceb79fef03	3133	void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3134	{
kevman	0:38ceb79fef03	3135	ssl_reset_retransmit_timeout( ssl );
kevman	0:38ceb79fef03	3136	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
kevman	0:38ceb79fef03	3137
kevman	0:38ceb79fef03	3138	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	3139	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
kevman	0:38ceb79fef03	3140	{
kevman	0:38ceb79fef03	3141	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
kevman	0:38ceb79fef03	3142	}
kevman	0:38ceb79fef03	3143	else
kevman	0:38ceb79fef03	3144	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
kevman	0:38ceb79fef03	3145	}
kevman	0:38ceb79fef03	3146	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	3147
kevman	0:38ceb79fef03	3148	/*
kevman	0:38ceb79fef03	3149	* Handshake layer functions
kevman	0:38ceb79fef03	3150	*/
kevman	0:38ceb79fef03	3151
kevman	0:38ceb79fef03	3152	/*
kevman	0:38ceb79fef03	3153	* Write (DTLS: or queue) current handshake (including CCS) message.
kevman	0:38ceb79fef03	3154	*
kevman	0:38ceb79fef03	3155	* - fill in handshake headers
kevman	0:38ceb79fef03	3156	* - update handshake checksum
kevman	0:38ceb79fef03	3157	* - DTLS: save message for resending
kevman	0:38ceb79fef03	3158	* - then pass to the record layer
kevman	0:38ceb79fef03	3159	*
kevman	0:38ceb79fef03	3160	* DTLS: except for HelloRequest, messages are only queued, and will only be
kevman	0:38ceb79fef03	3161	* actually sent when calling flight_transmit() or resend().
kevman	0:38ceb79fef03	3162	*
kevman	0:38ceb79fef03	3163	* Inputs:
kevman	0:38ceb79fef03	3164	* - ssl->out_msglen: 4 + actual handshake message len
kevman	0:38ceb79fef03	3165	* (4 is the size of handshake headers for TLS)
kevman	0:38ceb79fef03	3166	* - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
kevman	0:38ceb79fef03	3167	* - ssl->out_msg + 4: the handshake message body
kevman	0:38ceb79fef03	3168	*
kevman	0:38ceb79fef03	3169	* Outputs, ie state before passing to flight_append() or write_record():
kevman	0:38ceb79fef03	3170	* - ssl->out_msglen: the length of the record contents
kevman	0:38ceb79fef03	3171	* (including handshake headers but excluding record headers)
kevman	0:38ceb79fef03	3172	* - ssl->out_msg: the record contents (handshake headers + content)
kevman	0:38ceb79fef03	3173	*/
kevman	0:38ceb79fef03	3174	int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3175	{
kevman	0:38ceb79fef03	3176	int ret;
kevman	0:38ceb79fef03	3177	const size_t hs_len = ssl->out_msglen - 4;
kevman	0:38ceb79fef03	3178	const unsigned char hs_type = ssl->out_msg[0];
kevman	0:38ceb79fef03	3179
kevman	0:38ceb79fef03	3180	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
kevman	0:38ceb79fef03	3181
kevman	0:38ceb79fef03	3182	/*
kevman	0:38ceb79fef03	3183	* Sanity checks
kevman	0:38ceb79fef03	3184	*/
kevman	0:38ceb79fef03	3185	if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	3186	ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
kevman	0:38ceb79fef03	3187	{
kevman	0:38ceb79fef03	3188	/* In SSLv3, the client might send a NoCertificate alert. */
kevman	0:38ceb79fef03	3189	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	3190	if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
kevman	0:38ceb79fef03	3191	ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
kevman	0:38ceb79fef03	3192	ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
kevman	0:38ceb79fef03	3193	#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	3194	{
kevman	0:38ceb79fef03	3195	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	3196	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	3197	}
kevman	0:38ceb79fef03	3198	}
kevman	0:38ceb79fef03	3199
kevman	0:38ceb79fef03	3200	if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	3201	hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
kevman	0:38ceb79fef03	3202	ssl->handshake == NULL )
kevman	0:38ceb79fef03	3203	{
kevman	0:38ceb79fef03	3204	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	3205	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	3206	}
kevman	0:38ceb79fef03	3207
kevman	0:38ceb79fef03	3208	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3209	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	3210	ssl->handshake != NULL &&
kevman	0:38ceb79fef03	3211	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
kevman	0:38ceb79fef03	3212	{
kevman	0:38ceb79fef03	3213	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	3214	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	3215	}
kevman	0:38ceb79fef03	3216	#endif
kevman	0:38ceb79fef03	3217
kevman	0:38ceb79fef03	3218	/* Double-check that we did not exceed the bounds
kevman	0:38ceb79fef03	3219	* of the outgoing record buffer.
kevman	0:38ceb79fef03	3220	* This should never fail as the various message
kevman	0:38ceb79fef03	3221	* writing functions must obey the bounds of the
kevman	0:38ceb79fef03	3222	* outgoing record buffer, but better be safe.
kevman	0:38ceb79fef03	3223	*
kevman	0:38ceb79fef03	3224	* Note: We deliberately do not check for the MTU or MFL here.
kevman	0:38ceb79fef03	3225	*/
kevman	0:38ceb79fef03	3226	if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
kevman	0:38ceb79fef03	3227	{
kevman	0:38ceb79fef03	3228	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
kevman	0:38ceb79fef03	3229	"size %u, maximum %u",
kevman	0:38ceb79fef03	3230	(unsigned) ssl->out_msglen,
kevman	0:38ceb79fef03	3231	(unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
kevman	0:38ceb79fef03	3232	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	3233	}
kevman	0:38ceb79fef03	3234
kevman	0:38ceb79fef03	3235	/*
kevman	0:38ceb79fef03	3236	* Fill handshake headers
kevman	0:38ceb79fef03	3237	*/
kevman	0:38ceb79fef03	3238	if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
kevman	0:38ceb79fef03	3239	{
kevman	0:38ceb79fef03	3240	ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
kevman	0:38ceb79fef03	3241	ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
kevman	0:38ceb79fef03	3242	ssl->out_msg[3] = (unsigned char)( hs_len );
kevman	0:38ceb79fef03	3243
kevman	0:38ceb79fef03	3244	/*
kevman	0:38ceb79fef03	3245	* DTLS has additional fields in the Handshake layer,
kevman	0:38ceb79fef03	3246	* between the length field and the actual payload:
kevman	0:38ceb79fef03	3247	* uint16 message_seq;
kevman	0:38ceb79fef03	3248	* uint24 fragment_offset;
kevman	0:38ceb79fef03	3249	* uint24 fragment_length;
kevman	0:38ceb79fef03	3250	*/
kevman	0:38ceb79fef03	3251	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3252	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	3253	{
kevman	0:38ceb79fef03	3254	/* Make room for the additional DTLS fields */
kevman	0:38ceb79fef03	3255	if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
kevman	0:38ceb79fef03	3256	{
kevman	0:38ceb79fef03	3257	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
kevman	0:38ceb79fef03	3258	"size %u, maximum %u",
kevman	0:38ceb79fef03	3259	(unsigned) ( hs_len ),
kevman	0:38ceb79fef03	3260	(unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
kevman	0:38ceb79fef03	3261	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	3262	}
kevman	0:38ceb79fef03	3263
kevman	0:38ceb79fef03	3264	memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
kevman	0:38ceb79fef03	3265	ssl->out_msglen += 8;
kevman	0:38ceb79fef03	3266
kevman	0:38ceb79fef03	3267	/* Write message_seq and update it, except for HelloRequest */
kevman	0:38ceb79fef03	3268	if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
kevman	0:38ceb79fef03	3269	{
kevman	0:38ceb79fef03	3270	ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
kevman	0:38ceb79fef03	3271	ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
kevman	0:38ceb79fef03	3272	++( ssl->handshake->out_msg_seq );
kevman	0:38ceb79fef03	3273	}
kevman	0:38ceb79fef03	3274	else
kevman	0:38ceb79fef03	3275	{
kevman	0:38ceb79fef03	3276	ssl->out_msg[4] = 0;
kevman	0:38ceb79fef03	3277	ssl->out_msg[5] = 0;
kevman	0:38ceb79fef03	3278	}
kevman	0:38ceb79fef03	3279
kevman	0:38ceb79fef03	3280	/* Handshake hashes are computed without fragmentation,
kevman	0:38ceb79fef03	3281	* so set frag_offset = 0 and frag_len = hs_len for now */
kevman	0:38ceb79fef03	3282	memset( ssl->out_msg + 6, 0x00, 3 );
kevman	0:38ceb79fef03	3283	memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
kevman	0:38ceb79fef03	3284	}
kevman	0:38ceb79fef03	3285	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	3286
kevman	0:38ceb79fef03	3287	/* Update running hashes of handshake messages seen */
kevman	0:38ceb79fef03	3288	if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
kevman	0:38ceb79fef03	3289	ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
kevman	0:38ceb79fef03	3290	}
kevman	0:38ceb79fef03	3291
kevman	0:38ceb79fef03	3292	/* Either send now, or just save to be sent (and resent) later */
kevman	0:38ceb79fef03	3293	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3294	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	3295	( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
kevman	0:38ceb79fef03	3296	hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) )
kevman	0:38ceb79fef03	3297	{
kevman	0:38ceb79fef03	3298	if( ( ret = ssl_flight_append( ssl ) ) != 0 )
kevman	0:38ceb79fef03	3299	{
kevman	0:38ceb79fef03	3300	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
kevman	0:38ceb79fef03	3301	return( ret );
kevman	0:38ceb79fef03	3302	}
kevman	0:38ceb79fef03	3303	}
kevman	0:38ceb79fef03	3304	else
kevman	0:38ceb79fef03	3305	#endif
kevman	0:38ceb79fef03	3306	{
kevman	0:38ceb79fef03	3307	if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
kevman	0:38ceb79fef03	3308	{
kevman	0:38ceb79fef03	3309	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
kevman	0:38ceb79fef03	3310	return( ret );
kevman	0:38ceb79fef03	3311	}
kevman	0:38ceb79fef03	3312	}
kevman	0:38ceb79fef03	3313
kevman	0:38ceb79fef03	3314	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
kevman	0:38ceb79fef03	3315
kevman	0:38ceb79fef03	3316	return( 0 );
kevman	0:38ceb79fef03	3317	}
kevman	0:38ceb79fef03	3318
kevman	0:38ceb79fef03	3319	/*
kevman	0:38ceb79fef03	3320	* Record layer functions
kevman	0:38ceb79fef03	3321	*/
kevman	0:38ceb79fef03	3322
kevman	0:38ceb79fef03	3323	/*
kevman	0:38ceb79fef03	3324	* Write current record.
kevman	0:38ceb79fef03	3325	*
kevman	0:38ceb79fef03	3326	* Uses:
kevman	0:38ceb79fef03	3327	* - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
kevman	0:38ceb79fef03	3328	* - ssl->out_msglen: length of the record content (excl headers)
kevman	0:38ceb79fef03	3329	* - ssl->out_msg: record content
kevman	0:38ceb79fef03	3330	*/
kevman	0:38ceb79fef03	3331	int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
kevman	0:38ceb79fef03	3332	{
kevman	0:38ceb79fef03	3333	int ret, done = 0;
kevman	0:38ceb79fef03	3334	size_t len = ssl->out_msglen;
kevman	0:38ceb79fef03	3335	uint8_t flush = force_flush;
kevman	0:38ceb79fef03	3336
kevman	0:38ceb79fef03	3337	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
kevman	0:38ceb79fef03	3338
kevman	0:38ceb79fef03	3339	#if defined(MBEDTLS_ZLIB_SUPPORT)
kevman	0:38ceb79fef03	3340	if( ssl->transform_out != NULL &&
kevman	0:38ceb79fef03	3341	ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
kevman	0:38ceb79fef03	3342	{
kevman	0:38ceb79fef03	3343	if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
kevman	0:38ceb79fef03	3344	{
kevman	0:38ceb79fef03	3345	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
kevman	0:38ceb79fef03	3346	return( ret );
kevman	0:38ceb79fef03	3347	}
kevman	0:38ceb79fef03	3348
kevman	0:38ceb79fef03	3349	len = ssl->out_msglen;
kevman	0:38ceb79fef03	3350	}
kevman	0:38ceb79fef03	3351	#endif /MBEDTLS_ZLIB_SUPPORT /
kevman	0:38ceb79fef03	3352
kevman	0:38ceb79fef03	3353	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	3354	if( mbedtls_ssl_hw_record_write != NULL )
kevman	0:38ceb79fef03	3355	{
kevman	0:38ceb79fef03	3356	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
kevman	0:38ceb79fef03	3357
kevman	0:38ceb79fef03	3358	ret = mbedtls_ssl_hw_record_write( ssl );
kevman	0:38ceb79fef03	3359	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
kevman	0:38ceb79fef03	3360	{
kevman	0:38ceb79fef03	3361	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
kevman	0:38ceb79fef03	3362	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
kevman	0:38ceb79fef03	3363	}
kevman	0:38ceb79fef03	3364
kevman	0:38ceb79fef03	3365	if( ret == 0 )
kevman	0:38ceb79fef03	3366	done = 1;
kevman	0:38ceb79fef03	3367	}
kevman	0:38ceb79fef03	3368	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
kevman	0:38ceb79fef03	3369	if( !done )
kevman	0:38ceb79fef03	3370	{
kevman	0:38ceb79fef03	3371	unsigned i;
kevman	0:38ceb79fef03	3372	size_t protected_record_size;
kevman	0:38ceb79fef03	3373
kevman	0:38ceb79fef03	3374	ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
kevman	0:38ceb79fef03	3375	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
kevman	0:38ceb79fef03	3376	ssl->conf->transport, ssl->out_hdr + 1 );
kevman	0:38ceb79fef03	3377
kevman	0:38ceb79fef03	3378	memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
kevman	0:38ceb79fef03	3379	ssl->out_len[0] = (unsigned char)( len >> 8 );
kevman	0:38ceb79fef03	3380	ssl->out_len[1] = (unsigned char)( len );
kevman	0:38ceb79fef03	3381
kevman	0:38ceb79fef03	3382	if( ssl->transform_out != NULL )
kevman	0:38ceb79fef03	3383	{
kevman	0:38ceb79fef03	3384	if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
kevman	0:38ceb79fef03	3385	{
kevman	0:38ceb79fef03	3386	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
kevman	0:38ceb79fef03	3387	return( ret );
kevman	0:38ceb79fef03	3388	}
kevman	0:38ceb79fef03	3389
kevman	0:38ceb79fef03	3390	len = ssl->out_msglen;
kevman	0:38ceb79fef03	3391	ssl->out_len[0] = (unsigned char)( len >> 8 );
kevman	0:38ceb79fef03	3392	ssl->out_len[1] = (unsigned char)( len );
kevman	0:38ceb79fef03	3393	}
kevman	0:38ceb79fef03	3394
kevman	0:38ceb79fef03	3395	protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
kevman	0:38ceb79fef03	3396
kevman	0:38ceb79fef03	3397	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3398	/* In case of DTLS, double-check that we don't exceed
kevman	0:38ceb79fef03	3399	* the remaining space in the datagram. */
kevman	0:38ceb79fef03	3400	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	3401	{
kevman	0:38ceb79fef03	3402	ret = ssl_get_remaining_space_in_datagram( ssl );
kevman	0:38ceb79fef03	3403	if( ret < 0 )
kevman	0:38ceb79fef03	3404	return( ret );
kevman	0:38ceb79fef03	3405
kevman	0:38ceb79fef03	3406	if( protected_record_size > (size_t) ret )
kevman	0:38ceb79fef03	3407	{
kevman	0:38ceb79fef03	3408	/* Should never happen */
kevman	0:38ceb79fef03	3409	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	3410	}
kevman	0:38ceb79fef03	3411	}
kevman	0:38ceb79fef03	3412	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	3413
kevman	0:38ceb79fef03	3414	MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
kevman	0:38ceb79fef03	3415	"version = [%d:%d], msglen = %d",
kevman	0:38ceb79fef03	3416	ssl->out_hdr[0], ssl->out_hdr[1],
kevman	0:38ceb79fef03	3417	ssl->out_hdr[2], len ) );
kevman	0:38ceb79fef03	3418
kevman	0:38ceb79fef03	3419	MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
kevman	0:38ceb79fef03	3420	ssl->out_hdr, protected_record_size );
kevman	0:38ceb79fef03	3421
kevman	0:38ceb79fef03	3422	ssl->out_left += protected_record_size;
kevman	0:38ceb79fef03	3423	ssl->out_hdr += protected_record_size;
kevman	0:38ceb79fef03	3424	ssl_update_out_pointers( ssl, ssl->transform_out );
kevman	0:38ceb79fef03	3425
kevman	0:38ceb79fef03	3426	for( i = 8; i > ssl_ep_len( ssl ); i-- )
kevman	0:38ceb79fef03	3427	if( ++ssl->cur_out_ctr[i - 1] != 0 )
kevman	0:38ceb79fef03	3428	break;
kevman	0:38ceb79fef03	3429
kevman	0:38ceb79fef03	3430	/* The loop goes to its end iff the counter is wrapping */
kevman	0:38ceb79fef03	3431	if( i == ssl_ep_len( ssl ) )
kevman	0:38ceb79fef03	3432	{
kevman	0:38ceb79fef03	3433	MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
kevman	0:38ceb79fef03	3434	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
kevman	0:38ceb79fef03	3435	}
kevman	0:38ceb79fef03	3436	}
kevman	0:38ceb79fef03	3437
kevman	0:38ceb79fef03	3438	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3439	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	3440	flush == SSL_DONT_FORCE_FLUSH )
kevman	0:38ceb79fef03	3441	{
kevman	0:38ceb79fef03	3442	size_t remaining;
kevman	0:38ceb79fef03	3443	ret = ssl_get_remaining_payload_in_datagram( ssl );
kevman	0:38ceb79fef03	3444	if( ret < 0 )
kevman	0:38ceb79fef03	3445	{
kevman	0:38ceb79fef03	3446	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
kevman	0:38ceb79fef03	3447	ret );
kevman	0:38ceb79fef03	3448	return( ret );
kevman	0:38ceb79fef03	3449	}
kevman	0:38ceb79fef03	3450
kevman	0:38ceb79fef03	3451	remaining = (size_t) ret;
kevman	0:38ceb79fef03	3452	if( remaining == 0 )
kevman	0:38ceb79fef03	3453	{
kevman	0:38ceb79fef03	3454	flush = SSL_FORCE_FLUSH;
kevman	0:38ceb79fef03	3455	}
kevman	0:38ceb79fef03	3456	else
kevman	0:38ceb79fef03	3457	{
kevman	0:38ceb79fef03	3458	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
kevman	0:38ceb79fef03	3459	}
kevman	0:38ceb79fef03	3460	}
kevman	0:38ceb79fef03	3461	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	3462
kevman	0:38ceb79fef03	3463	if( ( flush == SSL_FORCE_FLUSH ) &&
kevman	0:38ceb79fef03	3464	( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
kevman	0:38ceb79fef03	3465	{
kevman	0:38ceb79fef03	3466	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
kevman	0:38ceb79fef03	3467	return( ret );
kevman	0:38ceb79fef03	3468	}
kevman	0:38ceb79fef03	3469
kevman	0:38ceb79fef03	3470	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
kevman	0:38ceb79fef03	3471
kevman	0:38ceb79fef03	3472	return( 0 );
kevman	0:38ceb79fef03	3473	}
kevman	0:38ceb79fef03	3474
kevman	0:38ceb79fef03	3475	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3476
kevman	0:38ceb79fef03	3477	static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3478	{
kevman	0:38ceb79fef03	3479	if( ssl->in_msglen < ssl->in_hslen \|\|
kevman	0:38ceb79fef03	3480	memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 \|\|
kevman	0:38ceb79fef03	3481	memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
kevman	0:38ceb79fef03	3482	{
kevman	0:38ceb79fef03	3483	return( 1 );
kevman	0:38ceb79fef03	3484	}
kevman	0:38ceb79fef03	3485	return( 0 );
kevman	0:38ceb79fef03	3486	}
kevman	0:38ceb79fef03	3487
kevman	0:38ceb79fef03	3488	static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
kevman	0:38ceb79fef03	3489	{
kevman	0:38ceb79fef03	3490	return( ( ssl->in_msg[9] << 16 ) \|
kevman	0:38ceb79fef03	3491	( ssl->in_msg[10] << 8 ) \|
kevman	0:38ceb79fef03	3492	ssl->in_msg[11] );
kevman	0:38ceb79fef03	3493	}
kevman	0:38ceb79fef03	3494
kevman	0:38ceb79fef03	3495	static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
kevman	0:38ceb79fef03	3496	{
kevman	0:38ceb79fef03	3497	return( ( ssl->in_msg[6] << 16 ) \|
kevman	0:38ceb79fef03	3498	( ssl->in_msg[7] << 8 ) \|
kevman	0:38ceb79fef03	3499	ssl->in_msg[8] );
kevman	0:38ceb79fef03	3500	}
kevman	0:38ceb79fef03	3501
kevman	0:38ceb79fef03	3502	static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
kevman	0:38ceb79fef03	3503	{
kevman	0:38ceb79fef03	3504	uint32_t msg_len, frag_off, frag_len;
kevman	0:38ceb79fef03	3505
kevman	0:38ceb79fef03	3506	msg_len = ssl_get_hs_total_len( ssl );
kevman	0:38ceb79fef03	3507	frag_off = ssl_get_hs_frag_off( ssl );
kevman	0:38ceb79fef03	3508	frag_len = ssl_get_hs_frag_len( ssl );
kevman	0:38ceb79fef03	3509
kevman	0:38ceb79fef03	3510	if( frag_off > msg_len )
kevman	0:38ceb79fef03	3511	return( -1 );
kevman	0:38ceb79fef03	3512
kevman	0:38ceb79fef03	3513	if( frag_len > msg_len - frag_off )
kevman	0:38ceb79fef03	3514	return( -1 );
kevman	0:38ceb79fef03	3515
kevman	0:38ceb79fef03	3516	if( frag_len + 12 > ssl->in_msglen )
kevman	0:38ceb79fef03	3517	return( -1 );
kevman	0:38ceb79fef03	3518
kevman	0:38ceb79fef03	3519	return( 0 );
kevman	0:38ceb79fef03	3520	}
kevman	0:38ceb79fef03	3521
kevman	0:38ceb79fef03	3522	/*
kevman	0:38ceb79fef03	3523	* Mark bits in bitmask (used for DTLS HS reassembly)
kevman	0:38ceb79fef03	3524	*/
kevman	0:38ceb79fef03	3525	static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
kevman	0:38ceb79fef03	3526	{
kevman	0:38ceb79fef03	3527	unsigned int start_bits, end_bits;
kevman	0:38ceb79fef03	3528
kevman	0:38ceb79fef03	3529	start_bits = 8 - ( offset % 8 );
kevman	0:38ceb79fef03	3530	if( start_bits != 8 )
kevman	0:38ceb79fef03	3531	{
kevman	0:38ceb79fef03	3532	size_t first_byte_idx = offset / 8;
kevman	0:38ceb79fef03	3533
kevman	0:38ceb79fef03	3534	/* Special case */
kevman	0:38ceb79fef03	3535	if( len <= start_bits )
kevman	0:38ceb79fef03	3536	{
kevman	0:38ceb79fef03	3537	for( ; len != 0; len-- )
kevman	0:38ceb79fef03	3538	mask[first_byte_idx] \|= 1 << ( start_bits - len );
kevman	0:38ceb79fef03	3539
kevman	0:38ceb79fef03	3540	/* Avoid potential issues with offset or len becoming invalid */
kevman	0:38ceb79fef03	3541	return;
kevman	0:38ceb79fef03	3542	}
kevman	0:38ceb79fef03	3543
kevman	0:38ceb79fef03	3544	offset += start_bits; /* Now offset % 8 == 0 */
kevman	0:38ceb79fef03	3545	len -= start_bits;
kevman	0:38ceb79fef03	3546
kevman	0:38ceb79fef03	3547	for( ; start_bits != 0; start_bits-- )
kevman	0:38ceb79fef03	3548	mask[first_byte_idx] \|= 1 << ( start_bits - 1 );
kevman	0:38ceb79fef03	3549	}
kevman	0:38ceb79fef03	3550
kevman	0:38ceb79fef03	3551	end_bits = len % 8;
kevman	0:38ceb79fef03	3552	if( end_bits != 0 )
kevman	0:38ceb79fef03	3553	{
kevman	0:38ceb79fef03	3554	size_t last_byte_idx = ( offset + len ) / 8;
kevman	0:38ceb79fef03	3555
kevman	0:38ceb79fef03	3556	len -= end_bits; /* Now len % 8 == 0 */
kevman	0:38ceb79fef03	3557
kevman	0:38ceb79fef03	3558	for( ; end_bits != 0; end_bits-- )
kevman	0:38ceb79fef03	3559	mask[last_byte_idx] \|= 1 << ( 8 - end_bits );
kevman	0:38ceb79fef03	3560	}
kevman	0:38ceb79fef03	3561
kevman	0:38ceb79fef03	3562	memset( mask + offset / 8, 0xFF, len / 8 );
kevman	0:38ceb79fef03	3563	}
kevman	0:38ceb79fef03	3564
kevman	0:38ceb79fef03	3565	/*
kevman	0:38ceb79fef03	3566	* Check that bitmask is full
kevman	0:38ceb79fef03	3567	*/
kevman	0:38ceb79fef03	3568	static int ssl_bitmask_check( unsigned char *mask, size_t len )
kevman	0:38ceb79fef03	3569	{
kevman	0:38ceb79fef03	3570	size_t i;
kevman	0:38ceb79fef03	3571
kevman	0:38ceb79fef03	3572	for( i = 0; i < len / 8; i++ )
kevman	0:38ceb79fef03	3573	if( mask[i] != 0xFF )
kevman	0:38ceb79fef03	3574	return( -1 );
kevman	0:38ceb79fef03	3575
kevman	0:38ceb79fef03	3576	for( i = 0; i < len % 8; i++ )
kevman	0:38ceb79fef03	3577	if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
kevman	0:38ceb79fef03	3578	return( -1 );
kevman	0:38ceb79fef03	3579
kevman	0:38ceb79fef03	3580	return( 0 );
kevman	0:38ceb79fef03	3581	}
kevman	0:38ceb79fef03	3582
kevman	0:38ceb79fef03	3583	/* msg_len does not include the handshake header */
kevman	0:38ceb79fef03	3584	static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
kevman	0:38ceb79fef03	3585	unsigned add_bitmap )
kevman	0:38ceb79fef03	3586	{
kevman	0:38ceb79fef03	3587	size_t alloc_len;
kevman	0:38ceb79fef03	3588
kevman	0:38ceb79fef03	3589	alloc_len = 12; /* Handshake header */
kevman	0:38ceb79fef03	3590	alloc_len += msg_len; /* Content buffer */
kevman	0:38ceb79fef03	3591
kevman	0:38ceb79fef03	3592	if( add_bitmap )
kevman	0:38ceb79fef03	3593	alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
kevman	0:38ceb79fef03	3594
kevman	0:38ceb79fef03	3595	return( alloc_len );
kevman	0:38ceb79fef03	3596	}
kevman	0:38ceb79fef03	3597
kevman	0:38ceb79fef03	3598	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	3599
kevman	0:38ceb79fef03	3600	static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
kevman	0:38ceb79fef03	3601	{
kevman	0:38ceb79fef03	3602	return( ( ssl->in_msg[1] << 16 ) \|
kevman	0:38ceb79fef03	3603	( ssl->in_msg[2] << 8 ) \|
kevman	0:38ceb79fef03	3604	ssl->in_msg[3] );
kevman	0:38ceb79fef03	3605	}
kevman	0:38ceb79fef03	3606
kevman	0:38ceb79fef03	3607	int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3608	{
kevman	0:38ceb79fef03	3609	if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
kevman	0:38ceb79fef03	3610	{
kevman	0:38ceb79fef03	3611	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
kevman	0:38ceb79fef03	3612	ssl->in_msglen ) );
kevman	0:38ceb79fef03	3613	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	3614	}
kevman	0:38ceb79fef03	3615
kevman	0:38ceb79fef03	3616	ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
kevman	0:38ceb79fef03	3617
kevman	0:38ceb79fef03	3618	MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
kevman	0:38ceb79fef03	3619	" %d, type = %d, hslen = %d",
kevman	0:38ceb79fef03	3620	ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
kevman	0:38ceb79fef03	3621
kevman	0:38ceb79fef03	3622	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3623	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	3624	{
kevman	0:38ceb79fef03	3625	int ret;
kevman	0:38ceb79fef03	3626	unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) \| ssl->in_msg[5];
kevman	0:38ceb79fef03	3627
kevman	0:38ceb79fef03	3628	if( ssl_check_hs_header( ssl ) != 0 )
kevman	0:38ceb79fef03	3629	{
kevman	0:38ceb79fef03	3630	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
kevman	0:38ceb79fef03	3631	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	3632	}
kevman	0:38ceb79fef03	3633
kevman	0:38ceb79fef03	3634	if( ssl->handshake != NULL &&
kevman	0:38ceb79fef03	3635	( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
kevman	0:38ceb79fef03	3636	recv_msg_seq != ssl->handshake->in_msg_seq ) \|\|
kevman	0:38ceb79fef03	3637	( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
kevman	0:38ceb79fef03	3638	ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
kevman	0:38ceb79fef03	3639	{
kevman	0:38ceb79fef03	3640	if( recv_msg_seq > ssl->handshake->in_msg_seq )
kevman	0:38ceb79fef03	3641	{
kevman	0:38ceb79fef03	3642	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
kevman	0:38ceb79fef03	3643	recv_msg_seq,
kevman	0:38ceb79fef03	3644	ssl->handshake->in_msg_seq ) );
kevman	0:38ceb79fef03	3645	return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
kevman	0:38ceb79fef03	3646	}
kevman	0:38ceb79fef03	3647
kevman	0:38ceb79fef03	3648	/* Retransmit only on last message from previous flight, to avoid
kevman	0:38ceb79fef03	3649	* too many retransmissions.
kevman	0:38ceb79fef03	3650	* Besides, No sane server ever retransmits HelloVerifyRequest */
kevman	0:38ceb79fef03	3651	if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
kevman	0:38ceb79fef03	3652	ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
kevman	0:38ceb79fef03	3653	{
kevman	0:38ceb79fef03	3654	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
kevman	0:38ceb79fef03	3655	"message_seq = %d, start_of_flight = %d",
kevman	0:38ceb79fef03	3656	recv_msg_seq,
kevman	0:38ceb79fef03	3657	ssl->handshake->in_flight_start_seq ) );
kevman	0:38ceb79fef03	3658
kevman	0:38ceb79fef03	3659	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
kevman	0:38ceb79fef03	3660	{
kevman	0:38ceb79fef03	3661	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
kevman	0:38ceb79fef03	3662	return( ret );
kevman	0:38ceb79fef03	3663	}
kevman	0:38ceb79fef03	3664	}
kevman	0:38ceb79fef03	3665	else
kevman	0:38ceb79fef03	3666	{
kevman	0:38ceb79fef03	3667	MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
kevman	0:38ceb79fef03	3668	"message_seq = %d, expected = %d",
kevman	0:38ceb79fef03	3669	recv_msg_seq,
kevman	0:38ceb79fef03	3670	ssl->handshake->in_msg_seq ) );
kevman	0:38ceb79fef03	3671	}
kevman	0:38ceb79fef03	3672
kevman	0:38ceb79fef03	3673	return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
kevman	0:38ceb79fef03	3674	}
kevman	0:38ceb79fef03	3675	/* Wait until message completion to increment in_msg_seq */
kevman	0:38ceb79fef03	3676
kevman	0:38ceb79fef03	3677	/* Message reassembly is handled alongside buffering of future
kevman	0:38ceb79fef03	3678	* messages; the commonality is that both handshake fragments and
kevman	0:38ceb79fef03	3679	* future messages cannot be forwarded immediately to the
kevman	0:38ceb79fef03	3680	* handshake logic layer. */
kevman	0:38ceb79fef03	3681	if( ssl_hs_is_proper_fragment( ssl ) == 1 )
kevman	0:38ceb79fef03	3682	{
kevman	0:38ceb79fef03	3683	MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
kevman	0:38ceb79fef03	3684	return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
kevman	0:38ceb79fef03	3685	}
kevman	0:38ceb79fef03	3686	}
kevman	0:38ceb79fef03	3687	else
kevman	0:38ceb79fef03	3688	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	3689	/* With TLS we don't handle fragmentation (for now) */
kevman	0:38ceb79fef03	3690	if( ssl->in_msglen < ssl->in_hslen )
kevman	0:38ceb79fef03	3691	{
kevman	0:38ceb79fef03	3692	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
kevman	0:38ceb79fef03	3693	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
kevman	0:38ceb79fef03	3694	}
kevman	0:38ceb79fef03	3695
kevman	0:38ceb79fef03	3696	return( 0 );
kevman	0:38ceb79fef03	3697	}
kevman	0:38ceb79fef03	3698
kevman	0:38ceb79fef03	3699	void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3700	{
kevman	0:38ceb79fef03	3701	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	3702
kevman	0:38ceb79fef03	3703	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
kevman	0:38ceb79fef03	3704	{
kevman	0:38ceb79fef03	3705	ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
kevman	0:38ceb79fef03	3706	}
kevman	0:38ceb79fef03	3707
kevman	0:38ceb79fef03	3708	/* Handshake message is complete, increment counter */
kevman	0:38ceb79fef03	3709	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	3710	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	3711	ssl->handshake != NULL )
kevman	0:38ceb79fef03	3712	{
kevman	0:38ceb79fef03	3713	unsigned offset;
kevman	0:38ceb79fef03	3714	mbedtls_ssl_hs_buffer *hs_buf;
kevman	0:38ceb79fef03	3715
kevman	0:38ceb79fef03	3716	/* Increment handshake sequence number */
kevman	0:38ceb79fef03	3717	hs->in_msg_seq++;
kevman	0:38ceb79fef03	3718
kevman	0:38ceb79fef03	3719	/*
kevman	0:38ceb79fef03	3720	* Clear up handshake buffering and reassembly structure.
kevman	0:38ceb79fef03	3721	*/
kevman	0:38ceb79fef03	3722
kevman	0:38ceb79fef03	3723	/* Free first entry */
kevman	0:38ceb79fef03	3724	ssl_buffering_free_slot( ssl, 0 );
kevman	0:38ceb79fef03	3725
kevman	0:38ceb79fef03	3726	/* Shift all other entries */
kevman	0:38ceb79fef03	3727	for( offset = 0, hs_buf = &hs->buffering.hs[0];
kevman	0:38ceb79fef03	3728	offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
kevman	0:38ceb79fef03	3729	offset++, hs_buf++ )
kevman	0:38ceb79fef03	3730	{
kevman	0:38ceb79fef03	3731	hs_buf = (hs_buf + 1);
kevman	0:38ceb79fef03	3732	}
kevman	0:38ceb79fef03	3733
kevman	0:38ceb79fef03	3734	/* Create a fresh last entry */
kevman	0:38ceb79fef03	3735	memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
kevman	0:38ceb79fef03	3736	}
kevman	0:38ceb79fef03	3737	#endif
kevman	0:38ceb79fef03	3738	}
kevman	0:38ceb79fef03	3739
kevman	0:38ceb79fef03	3740	/*
kevman	0:38ceb79fef03	3741	* DTLS anti-replay: RFC 6347 4.1.2.6
kevman	0:38ceb79fef03	3742	*
kevman	0:38ceb79fef03	3743	* in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
kevman	0:38ceb79fef03	3744	* Bit n is set iff record number in_window_top - n has been seen.
kevman	0:38ceb79fef03	3745	*
kevman	0:38ceb79fef03	3746	* Usually, in_window_top is the last record number seen and the lsb of
kevman	0:38ceb79fef03	3747	* in_window is set. The only exception is the initial state (record number 0
kevman	0:38ceb79fef03	3748	* not seen yet).
kevman	0:38ceb79fef03	3749	*/
kevman	0:38ceb79fef03	3750	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	3751	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3752	{
kevman	0:38ceb79fef03	3753	ssl->in_window_top = 0;
kevman	0:38ceb79fef03	3754	ssl->in_window = 0;
kevman	0:38ceb79fef03	3755	}
kevman	0:38ceb79fef03	3756
kevman	0:38ceb79fef03	3757	static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
kevman	0:38ceb79fef03	3758	{
kevman	0:38ceb79fef03	3759	return( ( (uint64_t) buf[0] << 40 ) \|
kevman	0:38ceb79fef03	3760	( (uint64_t) buf[1] << 32 ) \|
kevman	0:38ceb79fef03	3761	( (uint64_t) buf[2] << 24 ) \|
kevman	0:38ceb79fef03	3762	( (uint64_t) buf[3] << 16 ) \|
kevman	0:38ceb79fef03	3763	( (uint64_t) buf[4] << 8 ) \|
kevman	0:38ceb79fef03	3764	( (uint64_t) buf[5] ) );
kevman	0:38ceb79fef03	3765	}
kevman	0:38ceb79fef03	3766
kevman	0:38ceb79fef03	3767	/*
kevman	0:38ceb79fef03	3768	* Return 0 if sequence number is acceptable, -1 otherwise
kevman	0:38ceb79fef03	3769	*/
kevman	0:38ceb79fef03	3770	int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3771	{
kevman	0:38ceb79fef03	3772	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
kevman	0:38ceb79fef03	3773	uint64_t bit;
kevman	0:38ceb79fef03	3774
kevman	0:38ceb79fef03	3775	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
kevman	0:38ceb79fef03	3776	return( 0 );
kevman	0:38ceb79fef03	3777
kevman	0:38ceb79fef03	3778	if( rec_seqnum > ssl->in_window_top )
kevman	0:38ceb79fef03	3779	return( 0 );
kevman	0:38ceb79fef03	3780
kevman	0:38ceb79fef03	3781	bit = ssl->in_window_top - rec_seqnum;
kevman	0:38ceb79fef03	3782
kevman	0:38ceb79fef03	3783	if( bit >= 64 )
kevman	0:38ceb79fef03	3784	return( -1 );
kevman	0:38ceb79fef03	3785
kevman	0:38ceb79fef03	3786	if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
kevman	0:38ceb79fef03	3787	return( -1 );
kevman	0:38ceb79fef03	3788
kevman	0:38ceb79fef03	3789	return( 0 );
kevman	0:38ceb79fef03	3790	}
kevman	0:38ceb79fef03	3791
kevman	0:38ceb79fef03	3792	/*
kevman	0:38ceb79fef03	3793	* Update replay window on new validated record
kevman	0:38ceb79fef03	3794	*/
kevman	0:38ceb79fef03	3795	void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3796	{
kevman	0:38ceb79fef03	3797	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
kevman	0:38ceb79fef03	3798
kevman	0:38ceb79fef03	3799	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
kevman	0:38ceb79fef03	3800	return;
kevman	0:38ceb79fef03	3801
kevman	0:38ceb79fef03	3802	if( rec_seqnum > ssl->in_window_top )
kevman	0:38ceb79fef03	3803	{
kevman	0:38ceb79fef03	3804	/* Update window_top and the contents of the window */
kevman	0:38ceb79fef03	3805	uint64_t shift = rec_seqnum - ssl->in_window_top;
kevman	0:38ceb79fef03	3806
kevman	0:38ceb79fef03	3807	if( shift >= 64 )
kevman	0:38ceb79fef03	3808	ssl->in_window = 1;
kevman	0:38ceb79fef03	3809	else
kevman	0:38ceb79fef03	3810	{
kevman	0:38ceb79fef03	3811	ssl->in_window <<= shift;
kevman	0:38ceb79fef03	3812	ssl->in_window \|= 1;
kevman	0:38ceb79fef03	3813	}
kevman	0:38ceb79fef03	3814
kevman	0:38ceb79fef03	3815	ssl->in_window_top = rec_seqnum;
kevman	0:38ceb79fef03	3816	}
kevman	0:38ceb79fef03	3817	else
kevman	0:38ceb79fef03	3818	{
kevman	0:38ceb79fef03	3819	/* Mark that number as seen in the current window */
kevman	0:38ceb79fef03	3820	uint64_t bit = ssl->in_window_top - rec_seqnum;
kevman	0:38ceb79fef03	3821
kevman	0:38ceb79fef03	3822	if( bit < 64 ) /* Always true, but be extra sure */
kevman	0:38ceb79fef03	3823	ssl->in_window \|= (uint64_t) 1 << bit;
kevman	0:38ceb79fef03	3824	}
kevman	0:38ceb79fef03	3825	}
kevman	0:38ceb79fef03	3826	#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
kevman	0:38ceb79fef03	3827
kevman	0:38ceb79fef03	3828	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	3829	/* Forward declaration */
kevman	0:38ceb79fef03	3830	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
kevman	0:38ceb79fef03	3831
kevman	0:38ceb79fef03	3832	/*
kevman	0:38ceb79fef03	3833	* Without any SSL context, check if a datagram looks like a ClientHello with
kevman	0:38ceb79fef03	3834	* a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
kevman	0:38ceb79fef03	3835	* Both input and output include full DTLS headers.
kevman	0:38ceb79fef03	3836	*
kevman	0:38ceb79fef03	3837	* - if cookie is valid, return 0
kevman	0:38ceb79fef03	3838	* - if ClientHello looks superficially valid but cookie is not,
kevman	0:38ceb79fef03	3839	* fill obuf and set olen, then
kevman	0:38ceb79fef03	3840	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
kevman	0:38ceb79fef03	3841	* - otherwise return a specific error code
kevman	0:38ceb79fef03	3842	*/
kevman	0:38ceb79fef03	3843	static int ssl_check_dtls_clihlo_cookie(
kevman	0:38ceb79fef03	3844	mbedtls_ssl_cookie_write_t *f_cookie_write,
kevman	0:38ceb79fef03	3845	mbedtls_ssl_cookie_check_t *f_cookie_check,
kevman	0:38ceb79fef03	3846	void *p_cookie,
kevman	0:38ceb79fef03	3847	const unsigned char *cli_id, size_t cli_id_len,
kevman	0:38ceb79fef03	3848	const unsigned char *in, size_t in_len,
kevman	0:38ceb79fef03	3849	unsigned char obuf, size_t buf_len, size_t olen )
kevman	0:38ceb79fef03	3850	{
kevman	0:38ceb79fef03	3851	size_t sid_len, cookie_len;
kevman	0:38ceb79fef03	3852	unsigned char *p;
kevman	0:38ceb79fef03	3853
kevman	0:38ceb79fef03	3854	if( f_cookie_write == NULL \|\| f_cookie_check == NULL )
kevman	0:38ceb79fef03	3855	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	3856
kevman	0:38ceb79fef03	3857	/*
kevman	0:38ceb79fef03	3858	* Structure of ClientHello with record and handshake headers,
kevman	0:38ceb79fef03	3859	* and expected values. We don't need to check a lot, more checks will be
kevman	0:38ceb79fef03	3860	* done when actually parsing the ClientHello - skipping those checks
kevman	0:38ceb79fef03	3861	* avoids code duplication and does not make cookie forging any easier.
kevman	0:38ceb79fef03	3862	*
kevman	0:38ceb79fef03	3863	* 0-0 ContentType type; copied, must be handshake
kevman	0:38ceb79fef03	3864	* 1-2 ProtocolVersion version; copied
kevman	0:38ceb79fef03	3865	* 3-4 uint16 epoch; copied, must be 0
kevman	0:38ceb79fef03	3866	* 5-10 uint48 sequence_number; copied
kevman	0:38ceb79fef03	3867	* 11-12 uint16 length; (ignored)
kevman	0:38ceb79fef03	3868	*
kevman	0:38ceb79fef03	3869	* 13-13 HandshakeType msg_type; (ignored)
kevman	0:38ceb79fef03	3870	* 14-16 uint24 length; (ignored)
kevman	0:38ceb79fef03	3871	* 17-18 uint16 message_seq; copied
kevman	0:38ceb79fef03	3872	* 19-21 uint24 fragment_offset; copied, must be 0
kevman	0:38ceb79fef03	3873	* 22-24 uint24 fragment_length; (ignored)
kevman	0:38ceb79fef03	3874	*
kevman	0:38ceb79fef03	3875	* 25-26 ProtocolVersion client_version; (ignored)
kevman	0:38ceb79fef03	3876	* 27-58 Random random; (ignored)
kevman	0:38ceb79fef03	3877	* 59-xx SessionID session_id; 1 byte len + sid_len content
kevman	0:38ceb79fef03	3878	* 60+ opaque cookie<0..2^8-1>; 1 byte len + content
kevman	0:38ceb79fef03	3879	* ...
kevman	0:38ceb79fef03	3880	*
kevman	0:38ceb79fef03	3881	* Minimum length is 61 bytes.
kevman	0:38ceb79fef03	3882	*/
kevman	0:38ceb79fef03	3883	if( in_len < 61 \|\|
kevman	0:38ceb79fef03	3884	in[0] != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
kevman	0:38ceb79fef03	3885	in[3] != 0 \|\| in[4] != 0 \|\|
kevman	0:38ceb79fef03	3886	in[19] != 0 \|\| in[20] != 0 \|\| in[21] != 0 )
kevman	0:38ceb79fef03	3887	{
kevman	0:38ceb79fef03	3888	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
kevman	0:38ceb79fef03	3889	}
kevman	0:38ceb79fef03	3890
kevman	0:38ceb79fef03	3891	sid_len = in[59];
kevman	0:38ceb79fef03	3892	if( sid_len > in_len - 61 )
kevman	0:38ceb79fef03	3893	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
kevman	0:38ceb79fef03	3894
kevman	0:38ceb79fef03	3895	cookie_len = in[60 + sid_len];
kevman	0:38ceb79fef03	3896	if( cookie_len > in_len - 60 )
kevman	0:38ceb79fef03	3897	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
kevman	0:38ceb79fef03	3898
kevman	0:38ceb79fef03	3899	if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
kevman	0:38ceb79fef03	3900	cli_id, cli_id_len ) == 0 )
kevman	0:38ceb79fef03	3901	{
kevman	0:38ceb79fef03	3902	/* Valid cookie */
kevman	0:38ceb79fef03	3903	return( 0 );
kevman	0:38ceb79fef03	3904	}
kevman	0:38ceb79fef03	3905
kevman	0:38ceb79fef03	3906	/*
kevman	0:38ceb79fef03	3907	* If we get here, we've got an invalid cookie, let's prepare HVR.
kevman	0:38ceb79fef03	3908	*
kevman	0:38ceb79fef03	3909	* 0-0 ContentType type; copied
kevman	0:38ceb79fef03	3910	* 1-2 ProtocolVersion version; copied
kevman	0:38ceb79fef03	3911	* 3-4 uint16 epoch; copied
kevman	0:38ceb79fef03	3912	* 5-10 uint48 sequence_number; copied
kevman	0:38ceb79fef03	3913	* 11-12 uint16 length; olen - 13
kevman	0:38ceb79fef03	3914	*
kevman	0:38ceb79fef03	3915	* 13-13 HandshakeType msg_type; hello_verify_request
kevman	0:38ceb79fef03	3916	* 14-16 uint24 length; olen - 25
kevman	0:38ceb79fef03	3917	* 17-18 uint16 message_seq; copied
kevman	0:38ceb79fef03	3918	* 19-21 uint24 fragment_offset; copied
kevman	0:38ceb79fef03	3919	* 22-24 uint24 fragment_length; olen - 25
kevman	0:38ceb79fef03	3920	*
kevman	0:38ceb79fef03	3921	* 25-26 ProtocolVersion server_version; 0xfe 0xff
kevman	0:38ceb79fef03	3922	* 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
kevman	0:38ceb79fef03	3923	*
kevman	0:38ceb79fef03	3924	* Minimum length is 28.
kevman	0:38ceb79fef03	3925	*/
kevman	0:38ceb79fef03	3926	if( buf_len < 28 )
kevman	0:38ceb79fef03	3927	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
kevman	0:38ceb79fef03	3928
kevman	0:38ceb79fef03	3929	/* Copy most fields and adapt others */
kevman	0:38ceb79fef03	3930	memcpy( obuf, in, 25 );
kevman	0:38ceb79fef03	3931	obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
kevman	0:38ceb79fef03	3932	obuf[25] = 0xfe;
kevman	0:38ceb79fef03	3933	obuf[26] = 0xff;
kevman	0:38ceb79fef03	3934
kevman	0:38ceb79fef03	3935	/* Generate and write actual cookie */
kevman	0:38ceb79fef03	3936	p = obuf + 28;
kevman	0:38ceb79fef03	3937	if( f_cookie_write( p_cookie,
kevman	0:38ceb79fef03	3938	&p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
kevman	0:38ceb79fef03	3939	{
kevman	0:38ceb79fef03	3940	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	3941	}
kevman	0:38ceb79fef03	3942
kevman	0:38ceb79fef03	3943	*olen = p - obuf;
kevman	0:38ceb79fef03	3944
kevman	0:38ceb79fef03	3945	/* Go back and fill length fields */
kevman	0:38ceb79fef03	3946	obuf[27] = (unsigned char)( *olen - 28 );
kevman	0:38ceb79fef03	3947
kevman	0:38ceb79fef03	3948	obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
kevman	0:38ceb79fef03	3949	obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
kevman	0:38ceb79fef03	3950	obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
kevman	0:38ceb79fef03	3951
kevman	0:38ceb79fef03	3952	obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
kevman	0:38ceb79fef03	3953	obuf[12] = (unsigned char)( ( *olen - 13 ) );
kevman	0:38ceb79fef03	3954
kevman	0:38ceb79fef03	3955	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
kevman	0:38ceb79fef03	3956	}
kevman	0:38ceb79fef03	3957
kevman	0:38ceb79fef03	3958	/*
kevman	0:38ceb79fef03	3959	* Handle possible client reconnect with the same UDP quadruplet
kevman	0:38ceb79fef03	3960	* (RFC 6347 Section 4.2.8).
kevman	0:38ceb79fef03	3961	*
kevman	0:38ceb79fef03	3962	* Called by ssl_parse_record_header() in case we receive an epoch 0 record
kevman	0:38ceb79fef03	3963	* that looks like a ClientHello.
kevman	0:38ceb79fef03	3964	*
kevman	0:38ceb79fef03	3965	* - if the input looks like a ClientHello without cookies,
kevman	0:38ceb79fef03	3966	* send back HelloVerifyRequest, then
kevman	0:38ceb79fef03	3967	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
kevman	0:38ceb79fef03	3968	* - if the input looks like a ClientHello with a valid cookie,
kevman	0:38ceb79fef03	3969	* reset the session of the current context, and
kevman	0:38ceb79fef03	3970	* return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
kevman	0:38ceb79fef03	3971	* - if anything goes wrong, return a specific error code
kevman	0:38ceb79fef03	3972	*
kevman	0:38ceb79fef03	3973	* mbedtls_ssl_read_record() will ignore the record if anything else than
kevman	0:38ceb79fef03	3974	* MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
kevman	0:38ceb79fef03	3975	* cannot not return 0.
kevman	0:38ceb79fef03	3976	*/
kevman	0:38ceb79fef03	3977	static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	3978	{
kevman	0:38ceb79fef03	3979	int ret;
kevman	0:38ceb79fef03	3980	size_t len;
kevman	0:38ceb79fef03	3981
kevman	0:38ceb79fef03	3982	ret = ssl_check_dtls_clihlo_cookie(
kevman	0:38ceb79fef03	3983	ssl->conf->f_cookie_write,
kevman	0:38ceb79fef03	3984	ssl->conf->f_cookie_check,
kevman	0:38ceb79fef03	3985	ssl->conf->p_cookie,
kevman	0:38ceb79fef03	3986	ssl->cli_id, ssl->cli_id_len,
kevman	0:38ceb79fef03	3987	ssl->in_buf, ssl->in_left,
kevman	0:38ceb79fef03	3988	ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
kevman	0:38ceb79fef03	3989
kevman	0:38ceb79fef03	3990	MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
kevman	0:38ceb79fef03	3991
kevman	0:38ceb79fef03	3992	if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
kevman	0:38ceb79fef03	3993	{
kevman	0:38ceb79fef03	3994	/* Don't check write errors as we can't do anything here.
kevman	0:38ceb79fef03	3995	* If the error is permanent we'll catch it later,
kevman	0:38ceb79fef03	3996	* if it's not, then hopefully it'll work next time. */
kevman	0:38ceb79fef03	3997	(void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
kevman	0:38ceb79fef03	3998
kevman	0:38ceb79fef03	3999	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
kevman	0:38ceb79fef03	4000	}
kevman	0:38ceb79fef03	4001
kevman	0:38ceb79fef03	4002	if( ret == 0 )
kevman	0:38ceb79fef03	4003	{
kevman	0:38ceb79fef03	4004	/* Got a valid cookie, partially reset context */
kevman	0:38ceb79fef03	4005	if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
kevman	0:38ceb79fef03	4006	{
kevman	0:38ceb79fef03	4007	MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
kevman	0:38ceb79fef03	4008	return( ret );
kevman	0:38ceb79fef03	4009	}
kevman	0:38ceb79fef03	4010
kevman	0:38ceb79fef03	4011	return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
kevman	0:38ceb79fef03	4012	}
kevman	0:38ceb79fef03	4013
kevman	0:38ceb79fef03	4014	return( ret );
kevman	0:38ceb79fef03	4015	}
kevman	0:38ceb79fef03	4016	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	4017
kevman	0:38ceb79fef03	4018	/*
kevman	0:38ceb79fef03	4019	* ContentType type;
kevman	0:38ceb79fef03	4020	* ProtocolVersion version;
kevman	0:38ceb79fef03	4021	* uint16 epoch; // DTLS only
kevman	0:38ceb79fef03	4022	* uint48 sequence_number; // DTLS only
kevman	0:38ceb79fef03	4023	* uint16 length;
kevman	0:38ceb79fef03	4024	*
kevman	0:38ceb79fef03	4025	* Return 0 if header looks sane (and, for DTLS, the record is expected)
kevman	0:38ceb79fef03	4026	* MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
kevman	0:38ceb79fef03	4027	* MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
kevman	0:38ceb79fef03	4028	*
kevman	0:38ceb79fef03	4029	* With DTLS, mbedtls_ssl_read_record() will:
kevman	0:38ceb79fef03	4030	* 1. proceed with the record if this function returns 0
kevman	0:38ceb79fef03	4031	* 2. drop only the current record if this function returns UNEXPECTED_RECORD
kevman	0:38ceb79fef03	4032	* 3. return CLIENT_RECONNECT if this function return that value
kevman	0:38ceb79fef03	4033	* 4. drop the whole datagram if this function returns anything else.
kevman	0:38ceb79fef03	4034	* Point 2 is needed when the peer is resending, and we have already received
kevman	0:38ceb79fef03	4035	* the first record from a datagram but are still waiting for the others.
kevman	0:38ceb79fef03	4036	*/
kevman	0:38ceb79fef03	4037	static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4038	{
kevman	0:38ceb79fef03	4039	int major_ver, minor_ver;
kevman	0:38ceb79fef03	4040
kevman	0:38ceb79fef03	4041	MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
kevman	0:38ceb79fef03	4042
kevman	0:38ceb79fef03	4043	ssl->in_msgtype = ssl->in_hdr[0];
kevman	0:38ceb79fef03	4044	ssl->in_msglen = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
kevman	0:38ceb79fef03	4045	mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
kevman	0:38ceb79fef03	4046
kevman	0:38ceb79fef03	4047	MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
kevman	0:38ceb79fef03	4048	"version = [%d:%d], msglen = %d",
kevman	0:38ceb79fef03	4049	ssl->in_msgtype,
kevman	0:38ceb79fef03	4050	major_ver, minor_ver, ssl->in_msglen ) );
kevman	0:38ceb79fef03	4051
kevman	0:38ceb79fef03	4052	/* Check record type */
kevman	0:38ceb79fef03	4053	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	4054	ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
kevman	0:38ceb79fef03	4055	ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
kevman	0:38ceb79fef03	4056	ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
kevman	0:38ceb79fef03	4057	{
kevman	0:38ceb79fef03	4058	MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
kevman	0:38ceb79fef03	4059
kevman	0:38ceb79fef03	4060	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4061	/* Silently ignore invalid DTLS records as recommended by RFC 6347
kevman	0:38ceb79fef03	4062	* Section 4.1.2.7 */
kevman	0:38ceb79fef03	4063	if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	4064	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	4065	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	4066	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	4067
kevman	0:38ceb79fef03	4068	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4069	}
kevman	0:38ceb79fef03	4070
kevman	0:38ceb79fef03	4071	/* Check version */
kevman	0:38ceb79fef03	4072	if( major_ver != ssl->major_ver )
kevman	0:38ceb79fef03	4073	{
kevman	0:38ceb79fef03	4074	MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
kevman	0:38ceb79fef03	4075	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4076	}
kevman	0:38ceb79fef03	4077
kevman	0:38ceb79fef03	4078	if( minor_ver > ssl->conf->max_minor_ver )
kevman	0:38ceb79fef03	4079	{
kevman	0:38ceb79fef03	4080	MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
kevman	0:38ceb79fef03	4081	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4082	}
kevman	0:38ceb79fef03	4083
kevman	0:38ceb79fef03	4084	/* Check length against the size of our buffer */
kevman	0:38ceb79fef03	4085	if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
kevman	0:38ceb79fef03	4086	- (size_t)( ssl->in_msg - ssl->in_buf ) )
kevman	0:38ceb79fef03	4087	{
kevman	0:38ceb79fef03	4088	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
kevman	0:38ceb79fef03	4089	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4090	}
kevman	0:38ceb79fef03	4091
kevman	0:38ceb79fef03	4092	/*
kevman	0:38ceb79fef03	4093	* DTLS-related tests.
kevman	0:38ceb79fef03	4094	* Check epoch before checking length constraint because
kevman	0:38ceb79fef03	4095	* the latter varies with the epoch. E.g., if a ChangeCipherSpec
kevman	0:38ceb79fef03	4096	* message gets duplicated before the corresponding Finished message,
kevman	0:38ceb79fef03	4097	* the second ChangeCipherSpec should be discarded because it belongs
kevman	0:38ceb79fef03	4098	* to an old epoch, but not because its length is shorter than
kevman	0:38ceb79fef03	4099	* the minimum record length for packets using the new record transform.
kevman	0:38ceb79fef03	4100	* Note that these two kinds of failures are handled differently,
kevman	0:38ceb79fef03	4101	* as an unexpected record is silently skipped but an invalid
kevman	0:38ceb79fef03	4102	* record leads to the entire datagram being dropped.
kevman	0:38ceb79fef03	4103	*/
kevman	0:38ceb79fef03	4104	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4105	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	4106	{
kevman	0:38ceb79fef03	4107	unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) \| ssl->in_ctr[1];
kevman	0:38ceb79fef03	4108
kevman	0:38ceb79fef03	4109	/* Check epoch (and sequence number) with DTLS */
kevman	0:38ceb79fef03	4110	if( rec_epoch != ssl->in_epoch )
kevman	0:38ceb79fef03	4111	{
kevman	0:38ceb79fef03	4112	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
kevman	0:38ceb79fef03	4113	"expected %d, received %d",
kevman	0:38ceb79fef03	4114	ssl->in_epoch, rec_epoch ) );
kevman	0:38ceb79fef03	4115
kevman	0:38ceb79fef03	4116	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	4117	/*
kevman	0:38ceb79fef03	4118	* Check for an epoch 0 ClientHello. We can't use in_msg here to
kevman	0:38ceb79fef03	4119	* access the first byte of record content (handshake type), as we
kevman	0:38ceb79fef03	4120	* have an active transform (possibly iv_len != 0), so use the
kevman	0:38ceb79fef03	4121	* fact that the record header len is 13 instead.
kevman	0:38ceb79fef03	4122	*/
kevman	0:38ceb79fef03	4123	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	4124	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
kevman	0:38ceb79fef03	4125	rec_epoch == 0 &&
kevman	0:38ceb79fef03	4126	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	4127	ssl->in_left > 13 &&
kevman	0:38ceb79fef03	4128	ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
kevman	0:38ceb79fef03	4129	{
kevman	0:38ceb79fef03	4130	MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
kevman	0:38ceb79fef03	4131	"from the same port" ) );
kevman	0:38ceb79fef03	4132	return( ssl_handle_possible_reconnect( ssl ) );
kevman	0:38ceb79fef03	4133	}
kevman	0:38ceb79fef03	4134	else
kevman	0:38ceb79fef03	4135	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	4136	{
kevman	0:38ceb79fef03	4137	/* Consider buffering the record. */
kevman	0:38ceb79fef03	4138	if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
kevman	0:38ceb79fef03	4139	{
kevman	0:38ceb79fef03	4140	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
kevman	0:38ceb79fef03	4141	return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
kevman	0:38ceb79fef03	4142	}
kevman	0:38ceb79fef03	4143
kevman	0:38ceb79fef03	4144	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
kevman	0:38ceb79fef03	4145	}
kevman	0:38ceb79fef03	4146	}
kevman	0:38ceb79fef03	4147
kevman	0:38ceb79fef03	4148	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	4149	/* Replay detection only works for the current epoch */
kevman	0:38ceb79fef03	4150	if( rec_epoch == ssl->in_epoch &&
kevman	0:38ceb79fef03	4151	mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
kevman	0:38ceb79fef03	4152	{
kevman	0:38ceb79fef03	4153	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
kevman	0:38ceb79fef03	4154	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
kevman	0:38ceb79fef03	4155	}
kevman	0:38ceb79fef03	4156	#endif
kevman	0:38ceb79fef03	4157
kevman	0:38ceb79fef03	4158	/* Drop unexpected ApplicationData records,
kevman	0:38ceb79fef03	4159	* except at the beginning of renegotiations */
kevman	0:38ceb79fef03	4160	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
kevman	0:38ceb79fef03	4161	ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
kevman	0:38ceb79fef03	4162	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	4163	&& ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
kevman	0:38ceb79fef03	4164	ssl->state == MBEDTLS_SSL_SERVER_HELLO )
kevman	0:38ceb79fef03	4165	#endif
kevman	0:38ceb79fef03	4166	)
kevman	0:38ceb79fef03	4167	{
kevman	0:38ceb79fef03	4168	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
kevman	0:38ceb79fef03	4169	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
kevman	0:38ceb79fef03	4170	}
kevman	0:38ceb79fef03	4171	}
kevman	0:38ceb79fef03	4172	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	4173
kevman	0:38ceb79fef03	4174
kevman	0:38ceb79fef03	4175	/* Check length against bounds of the current transform and version */
kevman	0:38ceb79fef03	4176	if( ssl->transform_in == NULL )
kevman	0:38ceb79fef03	4177	{
kevman	0:38ceb79fef03	4178	if( ssl->in_msglen < 1 \|\|
kevman	0:38ceb79fef03	4179	ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
kevman	0:38ceb79fef03	4180	{
kevman	0:38ceb79fef03	4181	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
kevman	0:38ceb79fef03	4182	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4183	}
kevman	0:38ceb79fef03	4184	}
kevman	0:38ceb79fef03	4185	else
kevman	0:38ceb79fef03	4186	{
kevman	0:38ceb79fef03	4187	if( ssl->in_msglen < ssl->transform_in->minlen )
kevman	0:38ceb79fef03	4188	{
kevman	0:38ceb79fef03	4189	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
kevman	0:38ceb79fef03	4190	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4191	}
kevman	0:38ceb79fef03	4192
kevman	0:38ceb79fef03	4193	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	4194	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
kevman	0:38ceb79fef03	4195	ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
kevman	0:38ceb79fef03	4196	{
kevman	0:38ceb79fef03	4197	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
kevman	0:38ceb79fef03	4198	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4199	}
kevman	0:38ceb79fef03	4200	#endif
kevman	0:38ceb79fef03	4201	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	4202	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	4203	/*
kevman	0:38ceb79fef03	4204	* TLS encrypted messages can have up to 256 bytes of padding
kevman	0:38ceb79fef03	4205	*/
kevman	0:38ceb79fef03	4206	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
kevman	0:38ceb79fef03	4207	ssl->in_msglen > ssl->transform_in->minlen +
kevman	0:38ceb79fef03	4208	MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
kevman	0:38ceb79fef03	4209	{
kevman	0:38ceb79fef03	4210	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
kevman	0:38ceb79fef03	4211	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4212	}
kevman	0:38ceb79fef03	4213	#endif
kevman	0:38ceb79fef03	4214	}
kevman	0:38ceb79fef03	4215
kevman	0:38ceb79fef03	4216	return( 0 );
kevman	0:38ceb79fef03	4217	}
kevman	0:38ceb79fef03	4218
kevman	0:38ceb79fef03	4219	/*
kevman	0:38ceb79fef03	4220	* If applicable, decrypt (and decompress) record content
kevman	0:38ceb79fef03	4221	*/
kevman	0:38ceb79fef03	4222	static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4223	{
kevman	0:38ceb79fef03	4224	int ret, done = 0;
kevman	0:38ceb79fef03	4225
kevman	0:38ceb79fef03	4226	MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
kevman	0:38ceb79fef03	4227	ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
kevman	0:38ceb79fef03	4228
kevman	0:38ceb79fef03	4229	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	4230	if( mbedtls_ssl_hw_record_read != NULL )
kevman	0:38ceb79fef03	4231	{
kevman	0:38ceb79fef03	4232	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
kevman	0:38ceb79fef03	4233
kevman	0:38ceb79fef03	4234	ret = mbedtls_ssl_hw_record_read( ssl );
kevman	0:38ceb79fef03	4235	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
kevman	0:38ceb79fef03	4236	{
kevman	0:38ceb79fef03	4237	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
kevman	0:38ceb79fef03	4238	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
kevman	0:38ceb79fef03	4239	}
kevman	0:38ceb79fef03	4240
kevman	0:38ceb79fef03	4241	if( ret == 0 )
kevman	0:38ceb79fef03	4242	done = 1;
kevman	0:38ceb79fef03	4243	}
kevman	0:38ceb79fef03	4244	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
kevman	0:38ceb79fef03	4245	if( !done && ssl->transform_in != NULL )
kevman	0:38ceb79fef03	4246	{
kevman	0:38ceb79fef03	4247	if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
kevman	0:38ceb79fef03	4248	{
kevman	0:38ceb79fef03	4249	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
kevman	0:38ceb79fef03	4250	return( ret );
kevman	0:38ceb79fef03	4251	}
kevman	0:38ceb79fef03	4252
kevman	0:38ceb79fef03	4253	MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
kevman	0:38ceb79fef03	4254	ssl->in_msg, ssl->in_msglen );
kevman	0:38ceb79fef03	4255
kevman	0:38ceb79fef03	4256	if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
kevman	0:38ceb79fef03	4257	{
kevman	0:38ceb79fef03	4258	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
kevman	0:38ceb79fef03	4259	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	4260	}
kevman	0:38ceb79fef03	4261	}
kevman	0:38ceb79fef03	4262
kevman	0:38ceb79fef03	4263	#if defined(MBEDTLS_ZLIB_SUPPORT)
kevman	0:38ceb79fef03	4264	if( ssl->transform_in != NULL &&
kevman	0:38ceb79fef03	4265	ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
kevman	0:38ceb79fef03	4266	{
kevman	0:38ceb79fef03	4267	if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
kevman	0:38ceb79fef03	4268	{
kevman	0:38ceb79fef03	4269	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
kevman	0:38ceb79fef03	4270	return( ret );
kevman	0:38ceb79fef03	4271	}
kevman	0:38ceb79fef03	4272	}
kevman	0:38ceb79fef03	4273	#endif /* MBEDTLS_ZLIB_SUPPORT */
kevman	0:38ceb79fef03	4274
kevman	0:38ceb79fef03	4275	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	4276	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	4277	{
kevman	0:38ceb79fef03	4278	mbedtls_ssl_dtls_replay_update( ssl );
kevman	0:38ceb79fef03	4279	}
kevman	0:38ceb79fef03	4280	#endif
kevman	0:38ceb79fef03	4281
kevman	0:38ceb79fef03	4282	return( 0 );
kevman	0:38ceb79fef03	4283	}
kevman	0:38ceb79fef03	4284
kevman	0:38ceb79fef03	4285	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	4286
kevman	0:38ceb79fef03	4287	/*
kevman	0:38ceb79fef03	4288	* Read a record.
kevman	0:38ceb79fef03	4289	*
kevman	0:38ceb79fef03	4290	* Silently ignore non-fatal alert (and for DTLS, invalid records as well,
kevman	0:38ceb79fef03	4291	* RFC 6347 4.1.2.7) and continue reading until a valid record is found.
kevman	0:38ceb79fef03	4292	*
kevman	0:38ceb79fef03	4293	*/
kevman	0:38ceb79fef03	4294
kevman	0:38ceb79fef03	4295	/* Helper functions for mbedtls_ssl_read_record(). */
kevman	0:38ceb79fef03	4296	static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	4297	static int ssl_get_next_record( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	4298	static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
kevman	0:38ceb79fef03	4299
kevman	0:38ceb79fef03	4300	int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	4301	unsigned update_hs_digest )
kevman	0:38ceb79fef03	4302	{
kevman	0:38ceb79fef03	4303	int ret;
kevman	0:38ceb79fef03	4304
kevman	0:38ceb79fef03	4305	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
kevman	0:38ceb79fef03	4306
kevman	0:38ceb79fef03	4307	if( ssl->keep_current_message == 0 )
kevman	0:38ceb79fef03	4308	{
kevman	0:38ceb79fef03	4309	do {
kevman	0:38ceb79fef03	4310
kevman	0:38ceb79fef03	4311	ret = ssl_consume_current_message( ssl );
kevman	0:38ceb79fef03	4312	if( ret != 0 )
kevman	0:38ceb79fef03	4313	return( ret );
kevman	0:38ceb79fef03	4314
kevman	0:38ceb79fef03	4315	if( ssl_record_is_in_progress( ssl ) == 0 )
kevman	0:38ceb79fef03	4316	{
kevman	0:38ceb79fef03	4317	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4318	int have_buffered = 0;
kevman	0:38ceb79fef03	4319
kevman	0:38ceb79fef03	4320	/* We only check for buffered messages if the
kevman	0:38ceb79fef03	4321	* current datagram is fully consumed. */
kevman	0:38ceb79fef03	4322	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	4323	ssl_next_record_is_in_datagram( ssl ) == 0 )
kevman	0:38ceb79fef03	4324	{
kevman	0:38ceb79fef03	4325	if( ssl_load_buffered_message( ssl ) == 0 )
kevman	0:38ceb79fef03	4326	have_buffered = 1;
kevman	0:38ceb79fef03	4327	}
kevman	0:38ceb79fef03	4328
kevman	0:38ceb79fef03	4329	if( have_buffered == 0 )
kevman	0:38ceb79fef03	4330	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	4331	{
kevman	0:38ceb79fef03	4332	ret = ssl_get_next_record( ssl );
kevman	0:38ceb79fef03	4333	if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
kevman	0:38ceb79fef03	4334	continue;
kevman	0:38ceb79fef03	4335
kevman	0:38ceb79fef03	4336	if( ret != 0 )
kevman	0:38ceb79fef03	4337	{
kevman	0:38ceb79fef03	4338	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
kevman	0:38ceb79fef03	4339	return( ret );
kevman	0:38ceb79fef03	4340	}
kevman	0:38ceb79fef03	4341	}
kevman	0:38ceb79fef03	4342	}
kevman	0:38ceb79fef03	4343
kevman	0:38ceb79fef03	4344	ret = mbedtls_ssl_handle_message_type( ssl );
kevman	0:38ceb79fef03	4345
kevman	0:38ceb79fef03	4346	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4347	if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
kevman	0:38ceb79fef03	4348	{
kevman	0:38ceb79fef03	4349	/* Buffer future message */
kevman	0:38ceb79fef03	4350	ret = ssl_buffer_message( ssl );
kevman	0:38ceb79fef03	4351	if( ret != 0 )
kevman	0:38ceb79fef03	4352	return( ret );
kevman	0:38ceb79fef03	4353
kevman	0:38ceb79fef03	4354	ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
kevman	0:38ceb79fef03	4355	}
kevman	0:38ceb79fef03	4356	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	4357
kevman	0:38ceb79fef03	4358	} while( MBEDTLS_ERR_SSL_NON_FATAL == ret \|\|
kevman	0:38ceb79fef03	4359	MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
kevman	0:38ceb79fef03	4360
kevman	0:38ceb79fef03	4361	if( 0 != ret )
kevman	0:38ceb79fef03	4362	{
kevman	0:38ceb79fef03	4363	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
kevman	0:38ceb79fef03	4364	return( ret );
kevman	0:38ceb79fef03	4365	}
kevman	0:38ceb79fef03	4366
kevman	0:38ceb79fef03	4367	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	4368	update_hs_digest == 1 )
kevman	0:38ceb79fef03	4369	{
kevman	0:38ceb79fef03	4370	mbedtls_ssl_update_handshake_status( ssl );
kevman	0:38ceb79fef03	4371	}
kevman	0:38ceb79fef03	4372	}
kevman	0:38ceb79fef03	4373	else
kevman	0:38ceb79fef03	4374	{
kevman	0:38ceb79fef03	4375	MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
kevman	0:38ceb79fef03	4376	ssl->keep_current_message = 0;
kevman	0:38ceb79fef03	4377	}
kevman	0:38ceb79fef03	4378
kevman	0:38ceb79fef03	4379	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
kevman	0:38ceb79fef03	4380
kevman	0:38ceb79fef03	4381	return( 0 );
kevman	0:38ceb79fef03	4382	}
kevman	0:38ceb79fef03	4383
kevman	0:38ceb79fef03	4384	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4385	static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4386	{
kevman	0:38ceb79fef03	4387	if( ssl->in_left > ssl->next_record_offset )
kevman	0:38ceb79fef03	4388	return( 1 );
kevman	0:38ceb79fef03	4389
kevman	0:38ceb79fef03	4390	return( 0 );
kevman	0:38ceb79fef03	4391	}
kevman	0:38ceb79fef03	4392
kevman	0:38ceb79fef03	4393	static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4394	{
kevman	0:38ceb79fef03	4395	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	4396	mbedtls_ssl_hs_buffer * hs_buf;
kevman	0:38ceb79fef03	4397	int ret = 0;
kevman	0:38ceb79fef03	4398
kevman	0:38ceb79fef03	4399	if( hs == NULL )
kevman	0:38ceb79fef03	4400	return( -1 );
kevman	0:38ceb79fef03	4401
kevman	0:38ceb79fef03	4402	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
kevman	0:38ceb79fef03	4403
kevman	0:38ceb79fef03	4404	if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC \|\|
kevman	0:38ceb79fef03	4405	ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
kevman	0:38ceb79fef03	4406	{
kevman	0:38ceb79fef03	4407	/* Check if we have seen a ChangeCipherSpec before.
kevman	0:38ceb79fef03	4408	* If yes, synthesize a CCS record. */
kevman	0:38ceb79fef03	4409	if( !hs->buffering.seen_ccs )
kevman	0:38ceb79fef03	4410	{
kevman	0:38ceb79fef03	4411	MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
kevman	0:38ceb79fef03	4412	ret = -1;
kevman	0:38ceb79fef03	4413	goto exit;
kevman	0:38ceb79fef03	4414	}
kevman	0:38ceb79fef03	4415
kevman	0:38ceb79fef03	4416	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
kevman	0:38ceb79fef03	4417	ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
kevman	0:38ceb79fef03	4418	ssl->in_msglen = 1;
kevman	0:38ceb79fef03	4419	ssl->in_msg[0] = 1;
kevman	0:38ceb79fef03	4420
kevman	0:38ceb79fef03	4421	/* As long as they are equal, the exact value doesn't matter. */
kevman	0:38ceb79fef03	4422	ssl->in_left = 0;
kevman	0:38ceb79fef03	4423	ssl->next_record_offset = 0;
kevman	0:38ceb79fef03	4424
kevman	0:38ceb79fef03	4425	hs->buffering.seen_ccs = 0;
kevman	0:38ceb79fef03	4426	goto exit;
kevman	0:38ceb79fef03	4427	}
kevman	0:38ceb79fef03	4428
kevman	0:38ceb79fef03	4429	#if defined(MBEDTLS_DEBUG_C)
kevman	0:38ceb79fef03	4430	/* Debug only */
kevman	0:38ceb79fef03	4431	{
kevman	0:38ceb79fef03	4432	unsigned offset;
kevman	0:38ceb79fef03	4433	for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
kevman	0:38ceb79fef03	4434	{
kevman	0:38ceb79fef03	4435	hs_buf = &hs->buffering.hs[offset];
kevman	0:38ceb79fef03	4436	if( hs_buf->is_valid == 1 )
kevman	0:38ceb79fef03	4437	{
kevman	0:38ceb79fef03	4438	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
kevman	0:38ceb79fef03	4439	hs->in_msg_seq + offset,
kevman	0:38ceb79fef03	4440	hs_buf->is_complete ? "fully" : "partially" ) );
kevman	0:38ceb79fef03	4441	}
kevman	0:38ceb79fef03	4442	}
kevman	0:38ceb79fef03	4443	}
kevman	0:38ceb79fef03	4444	#endif /* MBEDTLS_DEBUG_C */
kevman	0:38ceb79fef03	4445
kevman	0:38ceb79fef03	4446	/* Check if we have buffered and/or fully reassembled the
kevman	0:38ceb79fef03	4447	* next handshake message. */
kevman	0:38ceb79fef03	4448	hs_buf = &hs->buffering.hs[0];
kevman	0:38ceb79fef03	4449	if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
kevman	0:38ceb79fef03	4450	{
kevman	0:38ceb79fef03	4451	/* Synthesize a record containing the buffered HS message. */
kevman	0:38ceb79fef03	4452	size_t msg_len = ( hs_buf->data[1] << 16 ) \|
kevman	0:38ceb79fef03	4453	( hs_buf->data[2] << 8 ) \|
kevman	0:38ceb79fef03	4454	hs_buf->data[3];
kevman	0:38ceb79fef03	4455
kevman	0:38ceb79fef03	4456	/* Double-check that we haven't accidentally buffered
kevman	0:38ceb79fef03	4457	* a message that doesn't fit into the input buffer. */
kevman	0:38ceb79fef03	4458	if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
kevman	0:38ceb79fef03	4459	{
kevman	0:38ceb79fef03	4460	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	4461	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	4462	}
kevman	0:38ceb79fef03	4463
kevman	0:38ceb79fef03	4464	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
kevman	0:38ceb79fef03	4465	MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
kevman	0:38ceb79fef03	4466	hs_buf->data, msg_len + 12 );
kevman	0:38ceb79fef03	4467
kevman	0:38ceb79fef03	4468	ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
kevman	0:38ceb79fef03	4469	ssl->in_hslen = msg_len + 12;
kevman	0:38ceb79fef03	4470	ssl->in_msglen = msg_len + 12;
kevman	0:38ceb79fef03	4471	memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
kevman	0:38ceb79fef03	4472
kevman	0:38ceb79fef03	4473	ret = 0;
kevman	0:38ceb79fef03	4474	goto exit;
kevman	0:38ceb79fef03	4475	}
kevman	0:38ceb79fef03	4476	else
kevman	0:38ceb79fef03	4477	{
kevman	0:38ceb79fef03	4478	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
kevman	0:38ceb79fef03	4479	hs->in_msg_seq ) );
kevman	0:38ceb79fef03	4480	}
kevman	0:38ceb79fef03	4481
kevman	0:38ceb79fef03	4482	ret = -1;
kevman	0:38ceb79fef03	4483
kevman	0:38ceb79fef03	4484	exit:
kevman	0:38ceb79fef03	4485
kevman	0:38ceb79fef03	4486	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
kevman	0:38ceb79fef03	4487	return( ret );
kevman	0:38ceb79fef03	4488	}
kevman	0:38ceb79fef03	4489
kevman	0:38ceb79fef03	4490	static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	4491	size_t desired )
kevman	0:38ceb79fef03	4492	{
kevman	0:38ceb79fef03	4493	int offset;
kevman	0:38ceb79fef03	4494	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	4495	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
kevman	0:38ceb79fef03	4496	(unsigned) desired ) );
kevman	0:38ceb79fef03	4497
kevman	0:38ceb79fef03	4498	/* Get rid of future records epoch first, if such exist. */
kevman	0:38ceb79fef03	4499	ssl_free_buffered_record( ssl );
kevman	0:38ceb79fef03	4500
kevman	0:38ceb79fef03	4501	/* Check if we have enough space available now. */
kevman	0:38ceb79fef03	4502	if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
kevman	0:38ceb79fef03	4503	hs->buffering.total_bytes_buffered ) )
kevman	0:38ceb79fef03	4504	{
kevman	0:38ceb79fef03	4505	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
kevman	0:38ceb79fef03	4506	return( 0 );
kevman	0:38ceb79fef03	4507	}
kevman	0:38ceb79fef03	4508
kevman	0:38ceb79fef03	4509	/* We don't have enough space to buffer the next expected handshake
kevman	0:38ceb79fef03	4510	* message. Remove buffers used for future messages to gain space,
kevman	0:38ceb79fef03	4511	* starting with the most distant one. */
kevman	0:38ceb79fef03	4512	for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
kevman	0:38ceb79fef03	4513	offset >= 0; offset-- )
kevman	0:38ceb79fef03	4514	{
kevman	0:38ceb79fef03	4515	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
kevman	0:38ceb79fef03	4516	offset ) );
kevman	0:38ceb79fef03	4517
kevman	0:38ceb79fef03	4518	ssl_buffering_free_slot( ssl, (uint8_t) offset );
kevman	0:38ceb79fef03	4519
kevman	0:38ceb79fef03	4520	/* Check if we have enough space available now. */
kevman	0:38ceb79fef03	4521	if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
kevman	0:38ceb79fef03	4522	hs->buffering.total_bytes_buffered ) )
kevman	0:38ceb79fef03	4523	{
kevman	0:38ceb79fef03	4524	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
kevman	0:38ceb79fef03	4525	return( 0 );
kevman	0:38ceb79fef03	4526	}
kevman	0:38ceb79fef03	4527	}
kevman	0:38ceb79fef03	4528
kevman	0:38ceb79fef03	4529	return( -1 );
kevman	0:38ceb79fef03	4530	}
kevman	0:38ceb79fef03	4531
kevman	0:38ceb79fef03	4532	static int ssl_buffer_message( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4533	{
kevman	0:38ceb79fef03	4534	int ret = 0;
kevman	0:38ceb79fef03	4535	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	4536
kevman	0:38ceb79fef03	4537	if( hs == NULL )
kevman	0:38ceb79fef03	4538	return( 0 );
kevman	0:38ceb79fef03	4539
kevman	0:38ceb79fef03	4540	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
kevman	0:38ceb79fef03	4541
kevman	0:38ceb79fef03	4542	switch( ssl->in_msgtype )
kevman	0:38ceb79fef03	4543	{
kevman	0:38ceb79fef03	4544	case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
kevman	0:38ceb79fef03	4545	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
kevman	0:38ceb79fef03	4546
kevman	0:38ceb79fef03	4547	hs->buffering.seen_ccs = 1;
kevman	0:38ceb79fef03	4548	break;
kevman	0:38ceb79fef03	4549
kevman	0:38ceb79fef03	4550	case MBEDTLS_SSL_MSG_HANDSHAKE:
kevman	0:38ceb79fef03	4551	{
kevman	0:38ceb79fef03	4552	unsigned recv_msg_seq_offset;
kevman	0:38ceb79fef03	4553	unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) \| ssl->in_msg[5];
kevman	0:38ceb79fef03	4554	mbedtls_ssl_hs_buffer *hs_buf;
kevman	0:38ceb79fef03	4555	size_t msg_len = ssl->in_hslen - 12;
kevman	0:38ceb79fef03	4556
kevman	0:38ceb79fef03	4557	/* We should never receive an old handshake
kevman	0:38ceb79fef03	4558	* message - double-check nonetheless. */
kevman	0:38ceb79fef03	4559	if( recv_msg_seq < ssl->handshake->in_msg_seq )
kevman	0:38ceb79fef03	4560	{
kevman	0:38ceb79fef03	4561	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	4562	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	4563	}
kevman	0:38ceb79fef03	4564
kevman	0:38ceb79fef03	4565	recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
kevman	0:38ceb79fef03	4566	if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
kevman	0:38ceb79fef03	4567	{
kevman	0:38ceb79fef03	4568	/* Silently ignore -- message too far in the future */
kevman	0:38ceb79fef03	4569	MBEDTLS_SSL_DEBUG_MSG( 2,
kevman	0:38ceb79fef03	4570	( "Ignore future HS message with sequence number %u, "
kevman	0:38ceb79fef03	4571	"buffering window %u - %u",
kevman	0:38ceb79fef03	4572	recv_msg_seq, ssl->handshake->in_msg_seq,
kevman	0:38ceb79fef03	4573	ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
kevman	0:38ceb79fef03	4574
kevman	0:38ceb79fef03	4575	goto exit;
kevman	0:38ceb79fef03	4576	}
kevman	0:38ceb79fef03	4577
kevman	0:38ceb79fef03	4578	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
kevman	0:38ceb79fef03	4579	recv_msg_seq, recv_msg_seq_offset ) );
kevman	0:38ceb79fef03	4580
kevman	0:38ceb79fef03	4581	hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
kevman	0:38ceb79fef03	4582
kevman	0:38ceb79fef03	4583	/* Check if the buffering for this seq nr has already commenced. */
kevman	0:38ceb79fef03	4584	if( !hs_buf->is_valid )
kevman	0:38ceb79fef03	4585	{
kevman	0:38ceb79fef03	4586	size_t reassembly_buf_sz;
kevman	0:38ceb79fef03	4587
kevman	0:38ceb79fef03	4588	hs_buf->is_fragmented =
kevman	0:38ceb79fef03	4589	( ssl_hs_is_proper_fragment( ssl ) == 1 );
kevman	0:38ceb79fef03	4590
kevman	0:38ceb79fef03	4591	/* We copy the message back into the input buffer
kevman	0:38ceb79fef03	4592	* after reassembly, so check that it's not too large.
kevman	0:38ceb79fef03	4593	* This is an implementation-specific limitation
kevman	0:38ceb79fef03	4594	* and not one from the standard, hence it is not
kevman	0:38ceb79fef03	4595	* checked in ssl_check_hs_header(). */
kevman	0:38ceb79fef03	4596	if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
kevman	0:38ceb79fef03	4597	{
kevman	0:38ceb79fef03	4598	/* Ignore message */
kevman	0:38ceb79fef03	4599	goto exit;
kevman	0:38ceb79fef03	4600	}
kevman	0:38ceb79fef03	4601
kevman	0:38ceb79fef03	4602	/* Check if we have enough space to buffer the message. */
kevman	0:38ceb79fef03	4603	if( hs->buffering.total_bytes_buffered >
kevman	0:38ceb79fef03	4604	MBEDTLS_SSL_DTLS_MAX_BUFFERING )
kevman	0:38ceb79fef03	4605	{
kevman	0:38ceb79fef03	4606	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	4607	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	4608	}
kevman	0:38ceb79fef03	4609
kevman	0:38ceb79fef03	4610	reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
kevman	0:38ceb79fef03	4611	hs_buf->is_fragmented );
kevman	0:38ceb79fef03	4612
kevman	0:38ceb79fef03	4613	if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
kevman	0:38ceb79fef03	4614	hs->buffering.total_bytes_buffered ) )
kevman	0:38ceb79fef03	4615	{
kevman	0:38ceb79fef03	4616	if( recv_msg_seq_offset > 0 )
kevman	0:38ceb79fef03	4617	{
kevman	0:38ceb79fef03	4618	/* If we can't buffer a future message because
kevman	0:38ceb79fef03	4619	* of space limitations -- ignore. */
kevman	0:38ceb79fef03	4620	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
kevman	0:38ceb79fef03	4621	(unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
kevman	0:38ceb79fef03	4622	(unsigned) hs->buffering.total_bytes_buffered ) );
kevman	0:38ceb79fef03	4623	goto exit;
kevman	0:38ceb79fef03	4624	}
kevman	0:38ceb79fef03	4625	else
kevman	0:38ceb79fef03	4626	{
kevman	0:38ceb79fef03	4627	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
kevman	0:38ceb79fef03	4628	(unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
kevman	0:38ceb79fef03	4629	(unsigned) hs->buffering.total_bytes_buffered ) );
kevman	0:38ceb79fef03	4630	}
kevman	0:38ceb79fef03	4631
kevman	0:38ceb79fef03	4632	if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
kevman	0:38ceb79fef03	4633	{
kevman	0:38ceb79fef03	4634	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
kevman	0:38ceb79fef03	4635	(unsigned) msg_len,
kevman	0:38ceb79fef03	4636	(unsigned) reassembly_buf_sz,
kevman	0:38ceb79fef03	4637	MBEDTLS_SSL_DTLS_MAX_BUFFERING,
kevman	0:38ceb79fef03	4638	(unsigned) hs->buffering.total_bytes_buffered ) );
kevman	0:38ceb79fef03	4639	ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
kevman	0:38ceb79fef03	4640	goto exit;
kevman	0:38ceb79fef03	4641	}
kevman	0:38ceb79fef03	4642	}
kevman	0:38ceb79fef03	4643
kevman	0:38ceb79fef03	4644	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
kevman	0:38ceb79fef03	4645	msg_len ) );
kevman	0:38ceb79fef03	4646
kevman	0:38ceb79fef03	4647	hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
kevman	0:38ceb79fef03	4648	if( hs_buf->data == NULL )
kevman	0:38ceb79fef03	4649	{
kevman	0:38ceb79fef03	4650	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
kevman	0:38ceb79fef03	4651	goto exit;
kevman	0:38ceb79fef03	4652	}
kevman	0:38ceb79fef03	4653	hs_buf->data_len = reassembly_buf_sz;
kevman	0:38ceb79fef03	4654
kevman	0:38ceb79fef03	4655	/* Prepare final header: copy msg_type, length and message_seq,
kevman	0:38ceb79fef03	4656	* then add standardised fragment_offset and fragment_length */
kevman	0:38ceb79fef03	4657	memcpy( hs_buf->data, ssl->in_msg, 6 );
kevman	0:38ceb79fef03	4658	memset( hs_buf->data + 6, 0, 3 );
kevman	0:38ceb79fef03	4659	memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
kevman	0:38ceb79fef03	4660
kevman	0:38ceb79fef03	4661	hs_buf->is_valid = 1;
kevman	0:38ceb79fef03	4662
kevman	0:38ceb79fef03	4663	hs->buffering.total_bytes_buffered += reassembly_buf_sz;
kevman	0:38ceb79fef03	4664	}
kevman	0:38ceb79fef03	4665	else
kevman	0:38ceb79fef03	4666	{
kevman	0:38ceb79fef03	4667	/* Make sure msg_type and length are consistent */
kevman	0:38ceb79fef03	4668	if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
kevman	0:38ceb79fef03	4669	{
kevman	0:38ceb79fef03	4670	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
kevman	0:38ceb79fef03	4671	/* Ignore */
kevman	0:38ceb79fef03	4672	goto exit;
kevman	0:38ceb79fef03	4673	}
kevman	0:38ceb79fef03	4674	}
kevman	0:38ceb79fef03	4675
kevman	0:38ceb79fef03	4676	if( !hs_buf->is_complete )
kevman	0:38ceb79fef03	4677	{
kevman	0:38ceb79fef03	4678	size_t frag_len, frag_off;
kevman	0:38ceb79fef03	4679	unsigned char * const msg = hs_buf->data + 12;
kevman	0:38ceb79fef03	4680
kevman	0:38ceb79fef03	4681	/*
kevman	0:38ceb79fef03	4682	* Check and copy current fragment
kevman	0:38ceb79fef03	4683	*/
kevman	0:38ceb79fef03	4684
kevman	0:38ceb79fef03	4685	/* Validation of header fields already done in
kevman	0:38ceb79fef03	4686	* mbedtls_ssl_prepare_handshake_record(). */
kevman	0:38ceb79fef03	4687	frag_off = ssl_get_hs_frag_off( ssl );
kevman	0:38ceb79fef03	4688	frag_len = ssl_get_hs_frag_len( ssl );
kevman	0:38ceb79fef03	4689
kevman	0:38ceb79fef03	4690	MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
kevman	0:38ceb79fef03	4691	frag_off, frag_len ) );
kevman	0:38ceb79fef03	4692	memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
kevman	0:38ceb79fef03	4693
kevman	0:38ceb79fef03	4694	if( hs_buf->is_fragmented )
kevman	0:38ceb79fef03	4695	{
kevman	0:38ceb79fef03	4696	unsigned char * const bitmask = msg + msg_len;
kevman	0:38ceb79fef03	4697	ssl_bitmask_set( bitmask, frag_off, frag_len );
kevman	0:38ceb79fef03	4698	hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
kevman	0:38ceb79fef03	4699	msg_len ) == 0 );
kevman	0:38ceb79fef03	4700	}
kevman	0:38ceb79fef03	4701	else
kevman	0:38ceb79fef03	4702	{
kevman	0:38ceb79fef03	4703	hs_buf->is_complete = 1;
kevman	0:38ceb79fef03	4704	}
kevman	0:38ceb79fef03	4705
kevman	0:38ceb79fef03	4706	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
kevman	0:38ceb79fef03	4707	hs_buf->is_complete ? "" : "not yet " ) );
kevman	0:38ceb79fef03	4708	}
kevman	0:38ceb79fef03	4709
kevman	0:38ceb79fef03	4710	break;
kevman	0:38ceb79fef03	4711	}
kevman	0:38ceb79fef03	4712
kevman	0:38ceb79fef03	4713	default:
kevman	0:38ceb79fef03	4714	/* We don't buffer other types of messages. */
kevman	0:38ceb79fef03	4715	break;
kevman	0:38ceb79fef03	4716	}
kevman	0:38ceb79fef03	4717
kevman	0:38ceb79fef03	4718	exit:
kevman	0:38ceb79fef03	4719
kevman	0:38ceb79fef03	4720	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
kevman	0:38ceb79fef03	4721	return( ret );
kevman	0:38ceb79fef03	4722	}
kevman	0:38ceb79fef03	4723	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	4724
kevman	0:38ceb79fef03	4725	static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4726	{
kevman	0:38ceb79fef03	4727	/*
kevman	0:38ceb79fef03	4728	* Consume last content-layer message and potentially
kevman	0:38ceb79fef03	4729	* update in_msglen which keeps track of the contents'
kevman	0:38ceb79fef03	4730	* consumption state.
kevman	0:38ceb79fef03	4731	*
kevman	0:38ceb79fef03	4732	* (1) Handshake messages:
kevman	0:38ceb79fef03	4733	* Remove last handshake message, move content
kevman	0:38ceb79fef03	4734	* and adapt in_msglen.
kevman	0:38ceb79fef03	4735	*
kevman	0:38ceb79fef03	4736	* (2) Alert messages:
kevman	0:38ceb79fef03	4737	* Consume whole record content, in_msglen = 0.
kevman	0:38ceb79fef03	4738	*
kevman	0:38ceb79fef03	4739	* (3) Change cipher spec:
kevman	0:38ceb79fef03	4740	* Consume whole record content, in_msglen = 0.
kevman	0:38ceb79fef03	4741	*
kevman	0:38ceb79fef03	4742	* (4) Application data:
kevman	0:38ceb79fef03	4743	* Don't do anything - the record layer provides
kevman	0:38ceb79fef03	4744	* the application data as a stream transport
kevman	0:38ceb79fef03	4745	* and consumes through mbedtls_ssl_read only.
kevman	0:38ceb79fef03	4746	*
kevman	0:38ceb79fef03	4747	*/
kevman	0:38ceb79fef03	4748
kevman	0:38ceb79fef03	4749	/* Case (1): Handshake messages */
kevman	0:38ceb79fef03	4750	if( ssl->in_hslen != 0 )
kevman	0:38ceb79fef03	4751	{
kevman	0:38ceb79fef03	4752	/* Hard assertion to be sure that no application data
kevman	0:38ceb79fef03	4753	* is in flight, as corrupting ssl->in_msglen during
kevman	0:38ceb79fef03	4754	* ssl->in_offt != NULL is fatal. */
kevman	0:38ceb79fef03	4755	if( ssl->in_offt != NULL )
kevman	0:38ceb79fef03	4756	{
kevman	0:38ceb79fef03	4757	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	4758	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	4759	}
kevman	0:38ceb79fef03	4760
kevman	0:38ceb79fef03	4761	/*
kevman	0:38ceb79fef03	4762	* Get next Handshake message in the current record
kevman	0:38ceb79fef03	4763	*/
kevman	0:38ceb79fef03	4764
kevman	0:38ceb79fef03	4765	/* Notes:
kevman	0:38ceb79fef03	4766	* (1) in_hslen is not necessarily the size of the
kevman	0:38ceb79fef03	4767	* current handshake content: If DTLS handshake
kevman	0:38ceb79fef03	4768	* fragmentation is used, that's the fragment
kevman	0:38ceb79fef03	4769	* size instead. Using the total handshake message
kevman	0:38ceb79fef03	4770	* size here is faulty and should be changed at
kevman	0:38ceb79fef03	4771	* some point.
kevman	0:38ceb79fef03	4772	* (2) While it doesn't seem to cause problems, one
kevman	0:38ceb79fef03	4773	* has to be very careful not to assume that in_hslen
kevman	0:38ceb79fef03	4774	* is always <= in_msglen in a sensible communication.
kevman	0:38ceb79fef03	4775	* Again, it's wrong for DTLS handshake fragmentation.
kevman	0:38ceb79fef03	4776	* The following check is therefore mandatory, and
kevman	0:38ceb79fef03	4777	* should not be treated as a silently corrected assertion.
kevman	0:38ceb79fef03	4778	* Additionally, ssl->in_hslen might be arbitrarily out of
kevman	0:38ceb79fef03	4779	* bounds after handling a DTLS message with an unexpected
kevman	0:38ceb79fef03	4780	* sequence number, see mbedtls_ssl_prepare_handshake_record.
kevman	0:38ceb79fef03	4781	*/
kevman	0:38ceb79fef03	4782	if( ssl->in_hslen < ssl->in_msglen )
kevman	0:38ceb79fef03	4783	{
kevman	0:38ceb79fef03	4784	ssl->in_msglen -= ssl->in_hslen;
kevman	0:38ceb79fef03	4785	memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
kevman	0:38ceb79fef03	4786	ssl->in_msglen );
kevman	0:38ceb79fef03	4787
kevman	0:38ceb79fef03	4788	MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
kevman	0:38ceb79fef03	4789	ssl->in_msg, ssl->in_msglen );
kevman	0:38ceb79fef03	4790	}
kevman	0:38ceb79fef03	4791	else
kevman	0:38ceb79fef03	4792	{
kevman	0:38ceb79fef03	4793	ssl->in_msglen = 0;
kevman	0:38ceb79fef03	4794	}
kevman	0:38ceb79fef03	4795
kevman	0:38ceb79fef03	4796	ssl->in_hslen = 0;
kevman	0:38ceb79fef03	4797	}
kevman	0:38ceb79fef03	4798	/* Case (4): Application data */
kevman	0:38ceb79fef03	4799	else if( ssl->in_offt != NULL )
kevman	0:38ceb79fef03	4800	{
kevman	0:38ceb79fef03	4801	return( 0 );
kevman	0:38ceb79fef03	4802	}
kevman	0:38ceb79fef03	4803	/* Everything else (CCS & Alerts) */
kevman	0:38ceb79fef03	4804	else
kevman	0:38ceb79fef03	4805	{
kevman	0:38ceb79fef03	4806	ssl->in_msglen = 0;
kevman	0:38ceb79fef03	4807	}
kevman	0:38ceb79fef03	4808
kevman	0:38ceb79fef03	4809	return( 0 );
kevman	0:38ceb79fef03	4810	}
kevman	0:38ceb79fef03	4811
kevman	0:38ceb79fef03	4812	static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4813	{
kevman	0:38ceb79fef03	4814	if( ssl->in_msglen > 0 )
kevman	0:38ceb79fef03	4815	return( 1 );
kevman	0:38ceb79fef03	4816
kevman	0:38ceb79fef03	4817	return( 0 );
kevman	0:38ceb79fef03	4818	}
kevman	0:38ceb79fef03	4819
kevman	0:38ceb79fef03	4820	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4821
kevman	0:38ceb79fef03	4822	static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4823	{
kevman	0:38ceb79fef03	4824	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	4825	if( hs == NULL )
kevman	0:38ceb79fef03	4826	return;
kevman	0:38ceb79fef03	4827
kevman	0:38ceb79fef03	4828	if( hs->buffering.future_record.data != NULL )
kevman	0:38ceb79fef03	4829	{
kevman	0:38ceb79fef03	4830	hs->buffering.total_bytes_buffered -=
kevman	0:38ceb79fef03	4831	hs->buffering.future_record.len;
kevman	0:38ceb79fef03	4832
kevman	0:38ceb79fef03	4833	mbedtls_free( hs->buffering.future_record.data );
kevman	0:38ceb79fef03	4834	hs->buffering.future_record.data = NULL;
kevman	0:38ceb79fef03	4835	}
kevman	0:38ceb79fef03	4836	}
kevman	0:38ceb79fef03	4837
kevman	0:38ceb79fef03	4838	static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4839	{
kevman	0:38ceb79fef03	4840	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	4841	unsigned char * rec;
kevman	0:38ceb79fef03	4842	size_t rec_len;
kevman	0:38ceb79fef03	4843	unsigned rec_epoch;
kevman	0:38ceb79fef03	4844
kevman	0:38ceb79fef03	4845	if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	4846	return( 0 );
kevman	0:38ceb79fef03	4847
kevman	0:38ceb79fef03	4848	if( hs == NULL )
kevman	0:38ceb79fef03	4849	return( 0 );
kevman	0:38ceb79fef03	4850
kevman	0:38ceb79fef03	4851	rec = hs->buffering.future_record.data;
kevman	0:38ceb79fef03	4852	rec_len = hs->buffering.future_record.len;
kevman	0:38ceb79fef03	4853	rec_epoch = hs->buffering.future_record.epoch;
kevman	0:38ceb79fef03	4854
kevman	0:38ceb79fef03	4855	if( rec == NULL )
kevman	0:38ceb79fef03	4856	return( 0 );
kevman	0:38ceb79fef03	4857
kevman	0:38ceb79fef03	4858	/* Only consider loading future records if the
kevman	0:38ceb79fef03	4859	* input buffer is empty. */
kevman	0:38ceb79fef03	4860	if( ssl_next_record_is_in_datagram( ssl ) == 1 )
kevman	0:38ceb79fef03	4861	return( 0 );
kevman	0:38ceb79fef03	4862
kevman	0:38ceb79fef03	4863	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
kevman	0:38ceb79fef03	4864
kevman	0:38ceb79fef03	4865	if( rec_epoch != ssl->in_epoch )
kevman	0:38ceb79fef03	4866	{
kevman	0:38ceb79fef03	4867	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
kevman	0:38ceb79fef03	4868	goto exit;
kevman	0:38ceb79fef03	4869	}
kevman	0:38ceb79fef03	4870
kevman	0:38ceb79fef03	4871	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
kevman	0:38ceb79fef03	4872
kevman	0:38ceb79fef03	4873	/* Double-check that the record is not too large */
kevman	0:38ceb79fef03	4874	if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
kevman	0:38ceb79fef03	4875	(size_t)( ssl->in_hdr - ssl->in_buf ) )
kevman	0:38ceb79fef03	4876	{
kevman	0:38ceb79fef03	4877	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	4878	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	4879	}
kevman	0:38ceb79fef03	4880
kevman	0:38ceb79fef03	4881	memcpy( ssl->in_hdr, rec, rec_len );
kevman	0:38ceb79fef03	4882	ssl->in_left = rec_len;
kevman	0:38ceb79fef03	4883	ssl->next_record_offset = 0;
kevman	0:38ceb79fef03	4884
kevman	0:38ceb79fef03	4885	ssl_free_buffered_record( ssl );
kevman	0:38ceb79fef03	4886
kevman	0:38ceb79fef03	4887	exit:
kevman	0:38ceb79fef03	4888	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
kevman	0:38ceb79fef03	4889	return( 0 );
kevman	0:38ceb79fef03	4890	}
kevman	0:38ceb79fef03	4891
kevman	0:38ceb79fef03	4892	static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4893	{
kevman	0:38ceb79fef03	4894	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	4895	size_t const rec_hdr_len = 13;
kevman	0:38ceb79fef03	4896	size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
kevman	0:38ceb79fef03	4897
kevman	0:38ceb79fef03	4898	/* Don't buffer future records outside handshakes. */
kevman	0:38ceb79fef03	4899	if( hs == NULL )
kevman	0:38ceb79fef03	4900	return( 0 );
kevman	0:38ceb79fef03	4901
kevman	0:38ceb79fef03	4902	/* Only buffer handshake records (we are only interested
kevman	0:38ceb79fef03	4903	* in Finished messages). */
kevman	0:38ceb79fef03	4904	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
kevman	0:38ceb79fef03	4905	return( 0 );
kevman	0:38ceb79fef03	4906
kevman	0:38ceb79fef03	4907	/* Don't buffer more than one future epoch record. */
kevman	0:38ceb79fef03	4908	if( hs->buffering.future_record.data != NULL )
kevman	0:38ceb79fef03	4909	return( 0 );
kevman	0:38ceb79fef03	4910
kevman	0:38ceb79fef03	4911	/* Don't buffer record if there's not enough buffering space remaining. */
kevman	0:38ceb79fef03	4912	if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
kevman	0:38ceb79fef03	4913	hs->buffering.total_bytes_buffered ) )
kevman	0:38ceb79fef03	4914	{
kevman	0:38ceb79fef03	4915	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
kevman	0:38ceb79fef03	4916	(unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
kevman	0:38ceb79fef03	4917	(unsigned) hs->buffering.total_bytes_buffered ) );
kevman	0:38ceb79fef03	4918	return( 0 );
kevman	0:38ceb79fef03	4919	}
kevman	0:38ceb79fef03	4920
kevman	0:38ceb79fef03	4921	/* Buffer record */
kevman	0:38ceb79fef03	4922	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
kevman	0:38ceb79fef03	4923	ssl->in_epoch + 1 ) );
kevman	0:38ceb79fef03	4924	MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
kevman	0:38ceb79fef03	4925	rec_hdr_len + ssl->in_msglen );
kevman	0:38ceb79fef03	4926
kevman	0:38ceb79fef03	4927	/* ssl_parse_record_header() only considers records
kevman	0:38ceb79fef03	4928	* of the next epoch as candidates for buffering. */
kevman	0:38ceb79fef03	4929	hs->buffering.future_record.epoch = ssl->in_epoch + 1;
kevman	0:38ceb79fef03	4930	hs->buffering.future_record.len = total_buf_sz;
kevman	0:38ceb79fef03	4931
kevman	0:38ceb79fef03	4932	hs->buffering.future_record.data =
kevman	0:38ceb79fef03	4933	mbedtls_calloc( 1, hs->buffering.future_record.len );
kevman	0:38ceb79fef03	4934	if( hs->buffering.future_record.data == NULL )
kevman	0:38ceb79fef03	4935	{
kevman	0:38ceb79fef03	4936	/* If we run out of RAM trying to buffer a
kevman	0:38ceb79fef03	4937	* record from the next epoch, just ignore. */
kevman	0:38ceb79fef03	4938	return( 0 );
kevman	0:38ceb79fef03	4939	}
kevman	0:38ceb79fef03	4940
kevman	0:38ceb79fef03	4941	memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
kevman	0:38ceb79fef03	4942
kevman	0:38ceb79fef03	4943	hs->buffering.total_bytes_buffered += total_buf_sz;
kevman	0:38ceb79fef03	4944	return( 0 );
kevman	0:38ceb79fef03	4945	}
kevman	0:38ceb79fef03	4946
kevman	0:38ceb79fef03	4947	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	4948
kevman	0:38ceb79fef03	4949	static int ssl_get_next_record( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	4950	{
kevman	0:38ceb79fef03	4951	int ret;
kevman	0:38ceb79fef03	4952
kevman	0:38ceb79fef03	4953	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4954	/* We might have buffered a future record; if so,
kevman	0:38ceb79fef03	4955	* and if the epoch matches now, load it.
kevman	0:38ceb79fef03	4956	* On success, this call will set ssl->in_left to
kevman	0:38ceb79fef03	4957	* the length of the buffered record, so that
kevman	0:38ceb79fef03	4958	* the calls to ssl_fetch_input() below will
kevman	0:38ceb79fef03	4959	* essentially be no-ops. */
kevman	0:38ceb79fef03	4960	ret = ssl_load_buffered_record( ssl );
kevman	0:38ceb79fef03	4961	if( ret != 0 )
kevman	0:38ceb79fef03	4962	return( ret );
kevman	0:38ceb79fef03	4963	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	4964
kevman	0:38ceb79fef03	4965	if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
kevman	0:38ceb79fef03	4966	{
kevman	0:38ceb79fef03	4967	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
kevman	0:38ceb79fef03	4968	return( ret );
kevman	0:38ceb79fef03	4969	}
kevman	0:38ceb79fef03	4970
kevman	0:38ceb79fef03	4971	if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
kevman	0:38ceb79fef03	4972	{
kevman	0:38ceb79fef03	4973	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	4974	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	4975	ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
kevman	0:38ceb79fef03	4976	{
kevman	0:38ceb79fef03	4977	if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
kevman	0:38ceb79fef03	4978	{
kevman	0:38ceb79fef03	4979	ret = ssl_buffer_future_record( ssl );
kevman	0:38ceb79fef03	4980	if( ret != 0 )
kevman	0:38ceb79fef03	4981	return( ret );
kevman	0:38ceb79fef03	4982
kevman	0:38ceb79fef03	4983	/* Fall through to handling of unexpected records */
kevman	0:38ceb79fef03	4984	ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
kevman	0:38ceb79fef03	4985	}
kevman	0:38ceb79fef03	4986
kevman	0:38ceb79fef03	4987	if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
kevman	0:38ceb79fef03	4988	{
kevman	0:38ceb79fef03	4989	/* Skip unexpected record (but not whole datagram) */
kevman	0:38ceb79fef03	4990	ssl->next_record_offset = ssl->in_msglen
kevman	0:38ceb79fef03	4991	+ mbedtls_ssl_hdr_len( ssl );
kevman	0:38ceb79fef03	4992
kevman	0:38ceb79fef03	4993	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
kevman	0:38ceb79fef03	4994	"(header)" ) );
kevman	0:38ceb79fef03	4995	}
kevman	0:38ceb79fef03	4996	else
kevman	0:38ceb79fef03	4997	{
kevman	0:38ceb79fef03	4998	/* Skip invalid record and the rest of the datagram */
kevman	0:38ceb79fef03	4999	ssl->next_record_offset = 0;
kevman	0:38ceb79fef03	5000	ssl->in_left = 0;
kevman	0:38ceb79fef03	5001
kevman	0:38ceb79fef03	5002	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
kevman	0:38ceb79fef03	5003	"(header)" ) );
kevman	0:38ceb79fef03	5004	}
kevman	0:38ceb79fef03	5005
kevman	0:38ceb79fef03	5006	/* Get next record */
kevman	0:38ceb79fef03	5007	return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
kevman	0:38ceb79fef03	5008	}
kevman	0:38ceb79fef03	5009	#endif
kevman	0:38ceb79fef03	5010	return( ret );
kevman	0:38ceb79fef03	5011	}
kevman	0:38ceb79fef03	5012
kevman	0:38ceb79fef03	5013	/*
kevman	0:38ceb79fef03	5014	* Read and optionally decrypt the message contents
kevman	0:38ceb79fef03	5015	*/
kevman	0:38ceb79fef03	5016	if( ( ret = mbedtls_ssl_fetch_input( ssl,
kevman	0:38ceb79fef03	5017	mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
kevman	0:38ceb79fef03	5018	{
kevman	0:38ceb79fef03	5019	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
kevman	0:38ceb79fef03	5020	return( ret );
kevman	0:38ceb79fef03	5021	}
kevman	0:38ceb79fef03	5022
kevman	0:38ceb79fef03	5023	/* Done reading this record, get ready for the next one */
kevman	0:38ceb79fef03	5024	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	5025	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	5026	{
kevman	0:38ceb79fef03	5027	ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
kevman	0:38ceb79fef03	5028	if( ssl->next_record_offset < ssl->in_left )
kevman	0:38ceb79fef03	5029	{
kevman	0:38ceb79fef03	5030	MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
kevman	0:38ceb79fef03	5031	}
kevman	0:38ceb79fef03	5032	}
kevman	0:38ceb79fef03	5033	else
kevman	0:38ceb79fef03	5034	#endif
kevman	0:38ceb79fef03	5035	ssl->in_left = 0;
kevman	0:38ceb79fef03	5036
kevman	0:38ceb79fef03	5037	if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
kevman	0:38ceb79fef03	5038	{
kevman	0:38ceb79fef03	5039	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	5040	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	5041	{
kevman	0:38ceb79fef03	5042	/* Silently discard invalid records */
kevman	0:38ceb79fef03	5043	if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD \|\|
kevman	0:38ceb79fef03	5044	ret == MBEDTLS_ERR_SSL_INVALID_MAC )
kevman	0:38ceb79fef03	5045	{
kevman	0:38ceb79fef03	5046	/* Except when waiting for Finished as a bad mac here
kevman	0:38ceb79fef03	5047	* probably means something went wrong in the handshake
kevman	0:38ceb79fef03	5048	* (eg wrong psk used, mitm downgrade attempt, etc.) */
kevman	0:38ceb79fef03	5049	if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED \|\|
kevman	0:38ceb79fef03	5050	ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
kevman	0:38ceb79fef03	5051	{
kevman	0:38ceb79fef03	5052	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
kevman	0:38ceb79fef03	5053	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
kevman	0:38ceb79fef03	5054	{
kevman	0:38ceb79fef03	5055	mbedtls_ssl_send_alert_message( ssl,
kevman	0:38ceb79fef03	5056	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5057	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
kevman	0:38ceb79fef03	5058	}
kevman	0:38ceb79fef03	5059	#endif
kevman	0:38ceb79fef03	5060	return( ret );
kevman	0:38ceb79fef03	5061	}
kevman	0:38ceb79fef03	5062
kevman	0:38ceb79fef03	5063	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
kevman	0:38ceb79fef03	5064	if( ssl->conf->badmac_limit != 0 &&
kevman	0:38ceb79fef03	5065	++ssl->badmac_seen >= ssl->conf->badmac_limit )
kevman	0:38ceb79fef03	5066	{
kevman	0:38ceb79fef03	5067	MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
kevman	0:38ceb79fef03	5068	return( MBEDTLS_ERR_SSL_INVALID_MAC );
kevman	0:38ceb79fef03	5069	}
kevman	0:38ceb79fef03	5070	#endif
kevman	0:38ceb79fef03	5071
kevman	0:38ceb79fef03	5072	/* As above, invalid records cause
kevman	0:38ceb79fef03	5073	* dismissal of the whole datagram. */
kevman	0:38ceb79fef03	5074
kevman	0:38ceb79fef03	5075	ssl->next_record_offset = 0;
kevman	0:38ceb79fef03	5076	ssl->in_left = 0;
kevman	0:38ceb79fef03	5077
kevman	0:38ceb79fef03	5078	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
kevman	0:38ceb79fef03	5079	return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
kevman	0:38ceb79fef03	5080	}
kevman	0:38ceb79fef03	5081
kevman	0:38ceb79fef03	5082	return( ret );
kevman	0:38ceb79fef03	5083	}
kevman	0:38ceb79fef03	5084	else
kevman	0:38ceb79fef03	5085	#endif
kevman	0:38ceb79fef03	5086	{
kevman	0:38ceb79fef03	5087	/* Error out (and send alert) on invalid records */
kevman	0:38ceb79fef03	5088	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
kevman	0:38ceb79fef03	5089	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
kevman	0:38ceb79fef03	5090	{
kevman	0:38ceb79fef03	5091	mbedtls_ssl_send_alert_message( ssl,
kevman	0:38ceb79fef03	5092	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5093	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
kevman	0:38ceb79fef03	5094	}
kevman	0:38ceb79fef03	5095	#endif
kevman	0:38ceb79fef03	5096	return( ret );
kevman	0:38ceb79fef03	5097	}
kevman	0:38ceb79fef03	5098	}
kevman	0:38ceb79fef03	5099
kevman	0:38ceb79fef03	5100	return( 0 );
kevman	0:38ceb79fef03	5101	}
kevman	0:38ceb79fef03	5102
kevman	0:38ceb79fef03	5103	int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5104	{
kevman	0:38ceb79fef03	5105	int ret;
kevman	0:38ceb79fef03	5106
kevman	0:38ceb79fef03	5107	/*
kevman	0:38ceb79fef03	5108	* Handle particular types of records
kevman	0:38ceb79fef03	5109	*/
kevman	0:38ceb79fef03	5110	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
kevman	0:38ceb79fef03	5111	{
kevman	0:38ceb79fef03	5112	if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
kevman	0:38ceb79fef03	5113	{
kevman	0:38ceb79fef03	5114	return( ret );
kevman	0:38ceb79fef03	5115	}
kevman	0:38ceb79fef03	5116	}
kevman	0:38ceb79fef03	5117
kevman	0:38ceb79fef03	5118	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
kevman	0:38ceb79fef03	5119	{
kevman	0:38ceb79fef03	5120	if( ssl->in_msglen != 1 )
kevman	0:38ceb79fef03	5121	{
kevman	0:38ceb79fef03	5122	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
kevman	0:38ceb79fef03	5123	ssl->in_msglen ) );
kevman	0:38ceb79fef03	5124	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	5125	}
kevman	0:38ceb79fef03	5126
kevman	0:38ceb79fef03	5127	if( ssl->in_msg[0] != 1 )
kevman	0:38ceb79fef03	5128	{
kevman	0:38ceb79fef03	5129	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
kevman	0:38ceb79fef03	5130	ssl->in_msg[0] ) );
kevman	0:38ceb79fef03	5131	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	5132	}
kevman	0:38ceb79fef03	5133
kevman	0:38ceb79fef03	5134	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	5135	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	5136	ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
kevman	0:38ceb79fef03	5137	ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
kevman	0:38ceb79fef03	5138	{
kevman	0:38ceb79fef03	5139	if( ssl->handshake == NULL )
kevman	0:38ceb79fef03	5140	{
kevman	0:38ceb79fef03	5141	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
kevman	0:38ceb79fef03	5142	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
kevman	0:38ceb79fef03	5143	}
kevman	0:38ceb79fef03	5144
kevman	0:38ceb79fef03	5145	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
kevman	0:38ceb79fef03	5146	return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
kevman	0:38ceb79fef03	5147	}
kevman	0:38ceb79fef03	5148	#endif
kevman	0:38ceb79fef03	5149	}
kevman	0:38ceb79fef03	5150
kevman	0:38ceb79fef03	5151	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
kevman	0:38ceb79fef03	5152	{
kevman	0:38ceb79fef03	5153	if( ssl->in_msglen != 2 )
kevman	0:38ceb79fef03	5154	{
kevman	0:38ceb79fef03	5155	/* Note: Standard allows for more than one 2 byte alert
kevman	0:38ceb79fef03	5156	to be packed in a single message, but Mbed TLS doesn't
kevman	0:38ceb79fef03	5157	currently support this. */
kevman	0:38ceb79fef03	5158	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
kevman	0:38ceb79fef03	5159	ssl->in_msglen ) );
kevman	0:38ceb79fef03	5160	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
kevman	0:38ceb79fef03	5161	}
kevman	0:38ceb79fef03	5162
kevman	0:38ceb79fef03	5163	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
kevman	0:38ceb79fef03	5164	ssl->in_msg[0], ssl->in_msg[1] ) );
kevman	0:38ceb79fef03	5165
kevman	0:38ceb79fef03	5166	/*
kevman	0:38ceb79fef03	5167	* Ignore non-fatal alerts, except close_notify and no_renegotiation
kevman	0:38ceb79fef03	5168	*/
kevman	0:38ceb79fef03	5169	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
kevman	0:38ceb79fef03	5170	{
kevman	0:38ceb79fef03	5171	MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
kevman	0:38ceb79fef03	5172	ssl->in_msg[1] ) );
kevman	0:38ceb79fef03	5173	return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
kevman	0:38ceb79fef03	5174	}
kevman	0:38ceb79fef03	5175
kevman	0:38ceb79fef03	5176	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
kevman	0:38ceb79fef03	5177	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
kevman	0:38ceb79fef03	5178	{
kevman	0:38ceb79fef03	5179	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
kevman	0:38ceb79fef03	5180	return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
kevman	0:38ceb79fef03	5181	}
kevman	0:38ceb79fef03	5182
kevman	0:38ceb79fef03	5183	#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
kevman	0:38ceb79fef03	5184	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
kevman	0:38ceb79fef03	5185	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
kevman	0:38ceb79fef03	5186	{
kevman	0:38ceb79fef03	5187	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
kevman	0:38ceb79fef03	5188	/* Will be handled when trying to parse ServerHello */
kevman	0:38ceb79fef03	5189	return( 0 );
kevman	0:38ceb79fef03	5190	}
kevman	0:38ceb79fef03	5191	#endif
kevman	0:38ceb79fef03	5192
kevman	0:38ceb79fef03	5193	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	5194	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
kevman	0:38ceb79fef03	5195	ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	5196	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
kevman	0:38ceb79fef03	5197	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
kevman	0:38ceb79fef03	5198	{
kevman	0:38ceb79fef03	5199	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
kevman	0:38ceb79fef03	5200	/* Will be handled in mbedtls_ssl_parse_certificate() */
kevman	0:38ceb79fef03	5201	return( 0 );
kevman	0:38ceb79fef03	5202	}
kevman	0:38ceb79fef03	5203	#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	5204
kevman	0:38ceb79fef03	5205	/* Silently ignore: fetch new message */
kevman	0:38ceb79fef03	5206	return MBEDTLS_ERR_SSL_NON_FATAL;
kevman	0:38ceb79fef03	5207	}
kevman	0:38ceb79fef03	5208
kevman	0:38ceb79fef03	5209	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	5210	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	5211	ssl->handshake != NULL &&
kevman	0:38ceb79fef03	5212	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	5213	{
kevman	0:38ceb79fef03	5214	ssl_handshake_wrapup_free_hs_transform( ssl );
kevman	0:38ceb79fef03	5215	}
kevman	0:38ceb79fef03	5216	#endif
kevman	0:38ceb79fef03	5217
kevman	0:38ceb79fef03	5218	return( 0 );
kevman	0:38ceb79fef03	5219	}
kevman	0:38ceb79fef03	5220
kevman	0:38ceb79fef03	5221	int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5222	{
kevman	0:38ceb79fef03	5223	int ret;
kevman	0:38ceb79fef03	5224
kevman	0:38ceb79fef03	5225	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
kevman	0:38ceb79fef03	5226	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5227	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
kevman	0:38ceb79fef03	5228	{
kevman	0:38ceb79fef03	5229	return( ret );
kevman	0:38ceb79fef03	5230	}
kevman	0:38ceb79fef03	5231
kevman	0:38ceb79fef03	5232	return( 0 );
kevman	0:38ceb79fef03	5233	}
kevman	0:38ceb79fef03	5234
kevman	0:38ceb79fef03	5235	int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	5236	unsigned char level,
kevman	0:38ceb79fef03	5237	unsigned char message )
kevman	0:38ceb79fef03	5238	{
kevman	0:38ceb79fef03	5239	int ret;
kevman	0:38ceb79fef03	5240
kevman	0:38ceb79fef03	5241	if( ssl == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	5242	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	5243
kevman	0:38ceb79fef03	5244	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
kevman	0:38ceb79fef03	5245	MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
kevman	0:38ceb79fef03	5246
kevman	0:38ceb79fef03	5247	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
kevman	0:38ceb79fef03	5248	ssl->out_msglen = 2;
kevman	0:38ceb79fef03	5249	ssl->out_msg[0] = level;
kevman	0:38ceb79fef03	5250	ssl->out_msg[1] = message;
kevman	0:38ceb79fef03	5251
kevman	0:38ceb79fef03	5252	if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
kevman	0:38ceb79fef03	5253	{
kevman	0:38ceb79fef03	5254	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
kevman	0:38ceb79fef03	5255	return( ret );
kevman	0:38ceb79fef03	5256	}
kevman	0:38ceb79fef03	5257	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
kevman	0:38ceb79fef03	5258
kevman	0:38ceb79fef03	5259	return( 0 );
kevman	0:38ceb79fef03	5260	}
kevman	0:38ceb79fef03	5261
kevman	0:38ceb79fef03	5262	/*
kevman	0:38ceb79fef03	5263	* Handshake functions
kevman	0:38ceb79fef03	5264	*/
kevman	0:38ceb79fef03	5265	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
kevman	0:38ceb79fef03	5266	!defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
kevman	0:38ceb79fef03	5267	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
kevman	0:38ceb79fef03	5268	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
kevman	0:38ceb79fef03	5269	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
kevman	0:38ceb79fef03	5270	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
kevman	0:38ceb79fef03	5271	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
kevman	0:38ceb79fef03	5272	/* No certificate support -> dummy functions */
kevman	0:38ceb79fef03	5273	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5274	{
kevman	0:38ceb79fef03	5275	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
kevman	0:38ceb79fef03	5276
kevman	0:38ceb79fef03	5277	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
kevman	0:38ceb79fef03	5278
kevman	0:38ceb79fef03	5279	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
kevman	0:38ceb79fef03	5280	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
kevman	0:38ceb79fef03	5281	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
kevman	0:38ceb79fef03	5282	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
kevman	0:38ceb79fef03	5283	{
kevman	0:38ceb79fef03	5284	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
kevman	0:38ceb79fef03	5285	ssl->state++;
kevman	0:38ceb79fef03	5286	return( 0 );
kevman	0:38ceb79fef03	5287	}
kevman	0:38ceb79fef03	5288
kevman	0:38ceb79fef03	5289	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	5290	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	5291	}
kevman	0:38ceb79fef03	5292
kevman	0:38ceb79fef03	5293	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5294	{
kevman	0:38ceb79fef03	5295	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
kevman	0:38ceb79fef03	5296
kevman	0:38ceb79fef03	5297	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
kevman	0:38ceb79fef03	5298
kevman	0:38ceb79fef03	5299	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
kevman	0:38ceb79fef03	5300	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
kevman	0:38ceb79fef03	5301	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
kevman	0:38ceb79fef03	5302	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
kevman	0:38ceb79fef03	5303	{
kevman	0:38ceb79fef03	5304	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
kevman	0:38ceb79fef03	5305	ssl->state++;
kevman	0:38ceb79fef03	5306	return( 0 );
kevman	0:38ceb79fef03	5307	}
kevman	0:38ceb79fef03	5308
kevman	0:38ceb79fef03	5309	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	5310	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	5311	}
kevman	0:38ceb79fef03	5312
kevman	0:38ceb79fef03	5313	#else
kevman	0:38ceb79fef03	5314	/* Some certificate support -> implement write and parse */
kevman	0:38ceb79fef03	5315
kevman	0:38ceb79fef03	5316	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5317	{
kevman	0:38ceb79fef03	5318	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
kevman	0:38ceb79fef03	5319	size_t i, n;
kevman	0:38ceb79fef03	5320	const mbedtls_x509_crt *crt;
kevman	0:38ceb79fef03	5321	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
kevman	0:38ceb79fef03	5322
kevman	0:38ceb79fef03	5323	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
kevman	0:38ceb79fef03	5324
kevman	0:38ceb79fef03	5325	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
kevman	0:38ceb79fef03	5326	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
kevman	0:38ceb79fef03	5327	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
kevman	0:38ceb79fef03	5328	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
kevman	0:38ceb79fef03	5329	{
kevman	0:38ceb79fef03	5330	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
kevman	0:38ceb79fef03	5331	ssl->state++;
kevman	0:38ceb79fef03	5332	return( 0 );
kevman	0:38ceb79fef03	5333	}
kevman	0:38ceb79fef03	5334
kevman	0:38ceb79fef03	5335	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	5336	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	5337	{
kevman	0:38ceb79fef03	5338	if( ssl->client_auth == 0 )
kevman	0:38ceb79fef03	5339	{
kevman	0:38ceb79fef03	5340	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
kevman	0:38ceb79fef03	5341	ssl->state++;
kevman	0:38ceb79fef03	5342	return( 0 );
kevman	0:38ceb79fef03	5343	}
kevman	0:38ceb79fef03	5344
kevman	0:38ceb79fef03	5345	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	5346	/*
kevman	0:38ceb79fef03	5347	* If using SSLv3 and got no cert, send an Alert message
kevman	0:38ceb79fef03	5348	* (otherwise an empty Certificate message will be sent).
kevman	0:38ceb79fef03	5349	*/
kevman	0:38ceb79fef03	5350	if( mbedtls_ssl_own_cert( ssl ) == NULL &&
kevman	0:38ceb79fef03	5351	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	5352	{
kevman	0:38ceb79fef03	5353	ssl->out_msglen = 2;
kevman	0:38ceb79fef03	5354	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
kevman	0:38ceb79fef03	5355	ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
kevman	0:38ceb79fef03	5356	ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
kevman	0:38ceb79fef03	5357
kevman	0:38ceb79fef03	5358	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
kevman	0:38ceb79fef03	5359	goto write_msg;
kevman	0:38ceb79fef03	5360	}
kevman	0:38ceb79fef03	5361	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	5362	}
kevman	0:38ceb79fef03	5363	#endif /* MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	5364	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	5365	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	5366	{
kevman	0:38ceb79fef03	5367	if( mbedtls_ssl_own_cert( ssl ) == NULL )
kevman	0:38ceb79fef03	5368	{
kevman	0:38ceb79fef03	5369	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
kevman	0:38ceb79fef03	5370	return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
kevman	0:38ceb79fef03	5371	}
kevman	0:38ceb79fef03	5372	}
kevman	0:38ceb79fef03	5373	#endif
kevman	0:38ceb79fef03	5374
kevman	0:38ceb79fef03	5375	MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
kevman	0:38ceb79fef03	5376
kevman	0:38ceb79fef03	5377	/*
kevman	0:38ceb79fef03	5378	* 0 . 0 handshake type
kevman	0:38ceb79fef03	5379	* 1 . 3 handshake length
kevman	0:38ceb79fef03	5380	* 4 . 6 length of all certs
kevman	0:38ceb79fef03	5381	* 7 . 9 length of cert. 1
kevman	0:38ceb79fef03	5382	* 10 . n-1 peer certificate
kevman	0:38ceb79fef03	5383	* n . n+2 length of cert. 2
kevman	0:38ceb79fef03	5384	* n+3 . ... upper level cert, etc.
kevman	0:38ceb79fef03	5385	*/
kevman	0:38ceb79fef03	5386	i = 7;
kevman	0:38ceb79fef03	5387	crt = mbedtls_ssl_own_cert( ssl );
kevman	0:38ceb79fef03	5388
kevman	0:38ceb79fef03	5389	while( crt != NULL )
kevman	0:38ceb79fef03	5390	{
kevman	0:38ceb79fef03	5391	n = crt->raw.len;
kevman	0:38ceb79fef03	5392	if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
kevman	0:38ceb79fef03	5393	{
kevman	0:38ceb79fef03	5394	MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
kevman	0:38ceb79fef03	5395	i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
kevman	0:38ceb79fef03	5396	return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
kevman	0:38ceb79fef03	5397	}
kevman	0:38ceb79fef03	5398
kevman	0:38ceb79fef03	5399	ssl->out_msg[i ] = (unsigned char)( n >> 16 );
kevman	0:38ceb79fef03	5400	ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
kevman	0:38ceb79fef03	5401	ssl->out_msg[i + 2] = (unsigned char)( n );
kevman	0:38ceb79fef03	5402
kevman	0:38ceb79fef03	5403	i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
kevman	0:38ceb79fef03	5404	i += n; crt = crt->next;
kevman	0:38ceb79fef03	5405	}
kevman	0:38ceb79fef03	5406
kevman	0:38ceb79fef03	5407	ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
kevman	0:38ceb79fef03	5408	ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
kevman	0:38ceb79fef03	5409	ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
kevman	0:38ceb79fef03	5410
kevman	0:38ceb79fef03	5411	ssl->out_msglen = i;
kevman	0:38ceb79fef03	5412	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
kevman	0:38ceb79fef03	5413	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
kevman	0:38ceb79fef03	5414
kevman	0:38ceb79fef03	5415	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	5416	write_msg:
kevman	0:38ceb79fef03	5417	#endif
kevman	0:38ceb79fef03	5418
kevman	0:38ceb79fef03	5419	ssl->state++;
kevman	0:38ceb79fef03	5420
kevman	0:38ceb79fef03	5421	if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
kevman	0:38ceb79fef03	5422	{
kevman	0:38ceb79fef03	5423	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
kevman	0:38ceb79fef03	5424	return( ret );
kevman	0:38ceb79fef03	5425	}
kevman	0:38ceb79fef03	5426
kevman	0:38ceb79fef03	5427	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
kevman	0:38ceb79fef03	5428
kevman	0:38ceb79fef03	5429	return( ret );
kevman	0:38ceb79fef03	5430	}
kevman	0:38ceb79fef03	5431
kevman	0:38ceb79fef03	5432	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5433	{
kevman	0:38ceb79fef03	5434	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
kevman	0:38ceb79fef03	5435	size_t i, n;
kevman	0:38ceb79fef03	5436	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
kevman	0:38ceb79fef03	5437	int authmode = ssl->conf->authmode;
kevman	0:38ceb79fef03	5438	uint8_t alert;
kevman	0:38ceb79fef03	5439
kevman	0:38ceb79fef03	5440	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
kevman	0:38ceb79fef03	5441
kevman	0:38ceb79fef03	5442	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
kevman	0:38ceb79fef03	5443	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
kevman	0:38ceb79fef03	5444	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
kevman	0:38ceb79fef03	5445	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
kevman	0:38ceb79fef03	5446	{
kevman	0:38ceb79fef03	5447	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
kevman	0:38ceb79fef03	5448	ssl->state++;
kevman	0:38ceb79fef03	5449	return( 0 );
kevman	0:38ceb79fef03	5450	}
kevman	0:38ceb79fef03	5451
kevman	0:38ceb79fef03	5452	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	5453	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	5454	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
kevman	0:38ceb79fef03	5455	{
kevman	0:38ceb79fef03	5456	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
kevman	0:38ceb79fef03	5457	ssl->state++;
kevman	0:38ceb79fef03	5458	return( 0 );
kevman	0:38ceb79fef03	5459	}
kevman	0:38ceb79fef03	5460
kevman	0:38ceb79fef03	5461	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
kevman	0:38ceb79fef03	5462	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
kevman	0:38ceb79fef03	5463	authmode = ssl->handshake->sni_authmode;
kevman	0:38ceb79fef03	5464	#endif
kevman	0:38ceb79fef03	5465
kevman	0:38ceb79fef03	5466	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	5467	authmode == MBEDTLS_SSL_VERIFY_NONE )
kevman	0:38ceb79fef03	5468	{
kevman	0:38ceb79fef03	5469	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
kevman	0:38ceb79fef03	5470	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
kevman	0:38ceb79fef03	5471	ssl->state++;
kevman	0:38ceb79fef03	5472	return( 0 );
kevman	0:38ceb79fef03	5473	}
kevman	0:38ceb79fef03	5474	#endif
kevman	0:38ceb79fef03	5475
kevman	0:38ceb79fef03	5476	if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
kevman	0:38ceb79fef03	5477	{
kevman	0:38ceb79fef03	5478	/* mbedtls_ssl_read_record may have sent an alert already. We
kevman	0:38ceb79fef03	5479	let it decide whether to alert. */
kevman	0:38ceb79fef03	5480	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
kevman	0:38ceb79fef03	5481	return( ret );
kevman	0:38ceb79fef03	5482	}
kevman	0:38ceb79fef03	5483
kevman	0:38ceb79fef03	5484	ssl->state++;
kevman	0:38ceb79fef03	5485
kevman	0:38ceb79fef03	5486	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	5487	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	5488	/*
kevman	0:38ceb79fef03	5489	* Check if the client sent an empty certificate
kevman	0:38ceb79fef03	5490	*/
kevman	0:38ceb79fef03	5491	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	5492	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	5493	{
kevman	0:38ceb79fef03	5494	if( ssl->in_msglen == 2 &&
kevman	0:38ceb79fef03	5495	ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
kevman	0:38ceb79fef03	5496	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
kevman	0:38ceb79fef03	5497	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
kevman	0:38ceb79fef03	5498	{
kevman	0:38ceb79fef03	5499	MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
kevman	0:38ceb79fef03	5500
kevman	0:38ceb79fef03	5501	/* The client was asked for a certificate but didn't send
kevman	0:38ceb79fef03	5502	one. The client should know what's going on, so we
kevman	0:38ceb79fef03	5503	don't send an alert. */
kevman	0:38ceb79fef03	5504	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
kevman	0:38ceb79fef03	5505	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
kevman	0:38ceb79fef03	5506	return( 0 );
kevman	0:38ceb79fef03	5507	else
kevman	0:38ceb79fef03	5508	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
kevman	0:38ceb79fef03	5509	}
kevman	0:38ceb79fef03	5510	}
kevman	0:38ceb79fef03	5511	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	5512
kevman	0:38ceb79fef03	5513	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	5514	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	5515	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	5516	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	5517	{
kevman	0:38ceb79fef03	5518	if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
kevman	0:38ceb79fef03	5519	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
kevman	0:38ceb79fef03	5520	ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
kevman	0:38ceb79fef03	5521	memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
kevman	0:38ceb79fef03	5522	{
kevman	0:38ceb79fef03	5523	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
kevman	0:38ceb79fef03	5524
kevman	0:38ceb79fef03	5525	/* The client was asked for a certificate but didn't send
kevman	0:38ceb79fef03	5526	one. The client should know what's going on, so we
kevman	0:38ceb79fef03	5527	don't send an alert. */
kevman	0:38ceb79fef03	5528	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
kevman	0:38ceb79fef03	5529	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
kevman	0:38ceb79fef03	5530	return( 0 );
kevman	0:38ceb79fef03	5531	else
kevman	0:38ceb79fef03	5532	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
kevman	0:38ceb79fef03	5533	}
kevman	0:38ceb79fef03	5534	}
kevman	0:38ceb79fef03	5535	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
kevman	0:38ceb79fef03	5536	MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	5537	#endif /* MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	5538
kevman	0:38ceb79fef03	5539	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
kevman	0:38ceb79fef03	5540	{
kevman	0:38ceb79fef03	5541	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
kevman	0:38ceb79fef03	5542	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5543	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	5544	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	5545	}
kevman	0:38ceb79fef03	5546
kevman	0:38ceb79fef03	5547	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE \|\|
kevman	0:38ceb79fef03	5548	ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
kevman	0:38ceb79fef03	5549	{
kevman	0:38ceb79fef03	5550	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
kevman	0:38ceb79fef03	5551	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5552	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
kevman	0:38ceb79fef03	5553	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
kevman	0:38ceb79fef03	5554	}
kevman	0:38ceb79fef03	5555
kevman	0:38ceb79fef03	5556	i = mbedtls_ssl_hs_hdr_len( ssl );
kevman	0:38ceb79fef03	5557
kevman	0:38ceb79fef03	5558	/*
kevman	0:38ceb79fef03	5559	* Same message structure as in mbedtls_ssl_write_certificate()
kevman	0:38ceb79fef03	5560	*/
kevman	0:38ceb79fef03	5561	n = ( ssl->in_msg[i+1] << 8 ) \| ssl->in_msg[i+2];
kevman	0:38ceb79fef03	5562
kevman	0:38ceb79fef03	5563	if( ssl->in_msg[i] != 0 \|\|
kevman	0:38ceb79fef03	5564	ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
kevman	0:38ceb79fef03	5565	{
kevman	0:38ceb79fef03	5566	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
kevman	0:38ceb79fef03	5567	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5568	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
kevman	0:38ceb79fef03	5569	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
kevman	0:38ceb79fef03	5570	}
kevman	0:38ceb79fef03	5571
kevman	0:38ceb79fef03	5572	/* In case we tried to reuse a session but it failed */
kevman	0:38ceb79fef03	5573	if( ssl->session_negotiate->peer_cert != NULL )
kevman	0:38ceb79fef03	5574	{
kevman	0:38ceb79fef03	5575	mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
kevman	0:38ceb79fef03	5576	mbedtls_free( ssl->session_negotiate->peer_cert );
kevman	0:38ceb79fef03	5577	}
kevman	0:38ceb79fef03	5578
kevman	0:38ceb79fef03	5579	if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
kevman	0:38ceb79fef03	5580	sizeof( mbedtls_x509_crt ) ) ) == NULL )
kevman	0:38ceb79fef03	5581	{
kevman	0:38ceb79fef03	5582	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
kevman	0:38ceb79fef03	5583	sizeof( mbedtls_x509_crt ) ) );
kevman	0:38ceb79fef03	5584	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5585	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
kevman	0:38ceb79fef03	5586	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	5587	}
kevman	0:38ceb79fef03	5588
kevman	0:38ceb79fef03	5589	mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
kevman	0:38ceb79fef03	5590
kevman	0:38ceb79fef03	5591	i += 3;
kevman	0:38ceb79fef03	5592
kevman	0:38ceb79fef03	5593	while( i < ssl->in_hslen )
kevman	0:38ceb79fef03	5594	{
kevman	0:38ceb79fef03	5595	if ( i + 3 > ssl->in_hslen ) {
kevman	0:38ceb79fef03	5596	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
kevman	0:38ceb79fef03	5597	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5598	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
kevman	0:38ceb79fef03	5599	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
kevman	0:38ceb79fef03	5600	}
kevman	0:38ceb79fef03	5601	if( ssl->in_msg[i] != 0 )
kevman	0:38ceb79fef03	5602	{
kevman	0:38ceb79fef03	5603	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
kevman	0:38ceb79fef03	5604	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5605	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
kevman	0:38ceb79fef03	5606	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
kevman	0:38ceb79fef03	5607	}
kevman	0:38ceb79fef03	5608
kevman	0:38ceb79fef03	5609	n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
kevman	0:38ceb79fef03	5610	\| (unsigned int) ssl->in_msg[i + 2];
kevman	0:38ceb79fef03	5611	i += 3;
kevman	0:38ceb79fef03	5612
kevman	0:38ceb79fef03	5613	if( n < 128 \|\| i + n > ssl->in_hslen )
kevman	0:38ceb79fef03	5614	{
kevman	0:38ceb79fef03	5615	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
kevman	0:38ceb79fef03	5616	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5617	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
kevman	0:38ceb79fef03	5618	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
kevman	0:38ceb79fef03	5619	}
kevman	0:38ceb79fef03	5620
kevman	0:38ceb79fef03	5621	ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
kevman	0:38ceb79fef03	5622	ssl->in_msg + i, n );
kevman	0:38ceb79fef03	5623	switch( ret )
kevman	0:38ceb79fef03	5624	{
kevman	0:38ceb79fef03	5625	case 0: /ok/
kevman	0:38ceb79fef03	5626	case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
kevman	0:38ceb79fef03	5627	/* Ignore certificate with an unknown algorithm: maybe a
kevman	0:38ceb79fef03	5628	prior certificate was already trusted. */
kevman	0:38ceb79fef03	5629	break;
kevman	0:38ceb79fef03	5630
kevman	0:38ceb79fef03	5631	case MBEDTLS_ERR_X509_ALLOC_FAILED:
kevman	0:38ceb79fef03	5632	alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
kevman	0:38ceb79fef03	5633	goto crt_parse_der_failed;
kevman	0:38ceb79fef03	5634
kevman	0:38ceb79fef03	5635	case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
kevman	0:38ceb79fef03	5636	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
kevman	0:38ceb79fef03	5637	goto crt_parse_der_failed;
kevman	0:38ceb79fef03	5638
kevman	0:38ceb79fef03	5639	default:
kevman	0:38ceb79fef03	5640	alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
kevman	0:38ceb79fef03	5641	crt_parse_der_failed:
kevman	0:38ceb79fef03	5642	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
kevman	0:38ceb79fef03	5643	MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
kevman	0:38ceb79fef03	5644	return( ret );
kevman	0:38ceb79fef03	5645	}
kevman	0:38ceb79fef03	5646
kevman	0:38ceb79fef03	5647	i += n;
kevman	0:38ceb79fef03	5648	}
kevman	0:38ceb79fef03	5649
kevman	0:38ceb79fef03	5650	MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
kevman	0:38ceb79fef03	5651
kevman	0:38ceb79fef03	5652	/*
kevman	0:38ceb79fef03	5653	* On client, make sure the server cert doesn't change during renego to
kevman	0:38ceb79fef03	5654	* avoid "triple handshake" attack: https://secure-resumption.com/
kevman	0:38ceb79fef03	5655	*/
kevman	0:38ceb79fef03	5656	#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	5657	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
kevman	0:38ceb79fef03	5658	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
kevman	0:38ceb79fef03	5659	{
kevman	0:38ceb79fef03	5660	if( ssl->session->peer_cert == NULL )
kevman	0:38ceb79fef03	5661	{
kevman	0:38ceb79fef03	5662	MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
kevman	0:38ceb79fef03	5663	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5664	MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
kevman	0:38ceb79fef03	5665	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
kevman	0:38ceb79fef03	5666	}
kevman	0:38ceb79fef03	5667
kevman	0:38ceb79fef03	5668	if( ssl->session->peer_cert->raw.len !=
kevman	0:38ceb79fef03	5669	ssl->session_negotiate->peer_cert->raw.len \|\|
kevman	0:38ceb79fef03	5670	memcmp( ssl->session->peer_cert->raw.p,
kevman	0:38ceb79fef03	5671	ssl->session_negotiate->peer_cert->raw.p,
kevman	0:38ceb79fef03	5672	ssl->session->peer_cert->raw.len ) != 0 )
kevman	0:38ceb79fef03	5673	{
kevman	0:38ceb79fef03	5674	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
kevman	0:38ceb79fef03	5675	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5676	MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
kevman	0:38ceb79fef03	5677	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
kevman	0:38ceb79fef03	5678	}
kevman	0:38ceb79fef03	5679	}
kevman	0:38ceb79fef03	5680	#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	5681
kevman	0:38ceb79fef03	5682	if( authmode != MBEDTLS_SSL_VERIFY_NONE )
kevman	0:38ceb79fef03	5683	{
kevman	0:38ceb79fef03	5684	mbedtls_x509_crt *ca_chain;
kevman	0:38ceb79fef03	5685	mbedtls_x509_crl *ca_crl;
kevman	0:38ceb79fef03	5686
kevman	0:38ceb79fef03	5687	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
kevman	0:38ceb79fef03	5688	if( ssl->handshake->sni_ca_chain != NULL )
kevman	0:38ceb79fef03	5689	{
kevman	0:38ceb79fef03	5690	ca_chain = ssl->handshake->sni_ca_chain;
kevman	0:38ceb79fef03	5691	ca_crl = ssl->handshake->sni_ca_crl;
kevman	0:38ceb79fef03	5692	}
kevman	0:38ceb79fef03	5693	else
kevman	0:38ceb79fef03	5694	#endif
kevman	0:38ceb79fef03	5695	{
kevman	0:38ceb79fef03	5696	ca_chain = ssl->conf->ca_chain;
kevman	0:38ceb79fef03	5697	ca_crl = ssl->conf->ca_crl;
kevman	0:38ceb79fef03	5698	}
kevman	0:38ceb79fef03	5699
kevman	0:38ceb79fef03	5700	/*
kevman	0:38ceb79fef03	5701	* Main check: verify certificate
kevman	0:38ceb79fef03	5702	*/
kevman	0:38ceb79fef03	5703	ret = mbedtls_x509_crt_verify_with_profile(
kevman	0:38ceb79fef03	5704	ssl->session_negotiate->peer_cert,
kevman	0:38ceb79fef03	5705	ca_chain, ca_crl,
kevman	0:38ceb79fef03	5706	ssl->conf->cert_profile,
kevman	0:38ceb79fef03	5707	ssl->hostname,
kevman	0:38ceb79fef03	5708	&ssl->session_negotiate->verify_result,
kevman	0:38ceb79fef03	5709	ssl->conf->f_vrfy, ssl->conf->p_vrfy );
kevman	0:38ceb79fef03	5710
kevman	0:38ceb79fef03	5711	if( ret != 0 )
kevman	0:38ceb79fef03	5712	{
kevman	0:38ceb79fef03	5713	MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
kevman	0:38ceb79fef03	5714	}
kevman	0:38ceb79fef03	5715
kevman	0:38ceb79fef03	5716	/*
kevman	0:38ceb79fef03	5717	* Secondary checks: always done, but change 'ret' only if it was 0
kevman	0:38ceb79fef03	5718	*/
kevman	0:38ceb79fef03	5719
kevman	0:38ceb79fef03	5720	#if defined(MBEDTLS_ECP_C)
kevman	0:38ceb79fef03	5721	{
kevman	0:38ceb79fef03	5722	const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
kevman	0:38ceb79fef03	5723
kevman	0:38ceb79fef03	5724	/* If certificate uses an EC key, make sure the curve is OK */
kevman	0:38ceb79fef03	5725	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
kevman	0:38ceb79fef03	5726	mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
kevman	0:38ceb79fef03	5727	{
kevman	0:38ceb79fef03	5728	ssl->session_negotiate->verify_result \|= MBEDTLS_X509_BADCERT_BAD_KEY;
kevman	0:38ceb79fef03	5729
kevman	0:38ceb79fef03	5730	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
kevman	0:38ceb79fef03	5731	if( ret == 0 )
kevman	0:38ceb79fef03	5732	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
kevman	0:38ceb79fef03	5733	}
kevman	0:38ceb79fef03	5734	}
kevman	0:38ceb79fef03	5735	#endif /* MBEDTLS_ECP_C */
kevman	0:38ceb79fef03	5736
kevman	0:38ceb79fef03	5737	if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
kevman	0:38ceb79fef03	5738	ciphersuite_info,
kevman	0:38ceb79fef03	5739	! ssl->conf->endpoint,
kevman	0:38ceb79fef03	5740	&ssl->session_negotiate->verify_result ) != 0 )
kevman	0:38ceb79fef03	5741	{
kevman	0:38ceb79fef03	5742	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
kevman	0:38ceb79fef03	5743	if( ret == 0 )
kevman	0:38ceb79fef03	5744	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
kevman	0:38ceb79fef03	5745	}
kevman	0:38ceb79fef03	5746
kevman	0:38ceb79fef03	5747	/* mbedtls_x509_crt_verify_with_profile is supposed to report a
kevman	0:38ceb79fef03	5748	* verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
kevman	0:38ceb79fef03	5749	* with details encoded in the verification flags. All other kinds
kevman	0:38ceb79fef03	5750	* of error codes, including those from the user provided f_vrfy
kevman	0:38ceb79fef03	5751	* functions, are treated as fatal and lead to a failure of
kevman	0:38ceb79fef03	5752	* ssl_parse_certificate even if verification was optional. */
kevman	0:38ceb79fef03	5753	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
kevman	0:38ceb79fef03	5754	( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED \|\|
kevman	0:38ceb79fef03	5755	ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
kevman	0:38ceb79fef03	5756	{
kevman	0:38ceb79fef03	5757	ret = 0;
kevman	0:38ceb79fef03	5758	}
kevman	0:38ceb79fef03	5759
kevman	0:38ceb79fef03	5760	if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
kevman	0:38ceb79fef03	5761	{
kevman	0:38ceb79fef03	5762	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
kevman	0:38ceb79fef03	5763	ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
kevman	0:38ceb79fef03	5764	}
kevman	0:38ceb79fef03	5765
kevman	0:38ceb79fef03	5766	if( ret != 0 )
kevman	0:38ceb79fef03	5767	{
kevman	0:38ceb79fef03	5768	/* The certificate may have been rejected for several reasons.
kevman	0:38ceb79fef03	5769	Pick one and send the corresponding alert. Which alert to send
kevman	0:38ceb79fef03	5770	may be a subject of debate in some cases. */
kevman	0:38ceb79fef03	5771	if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
kevman	0:38ceb79fef03	5772	alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
kevman	0:38ceb79fef03	5773	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
kevman	0:38ceb79fef03	5774	alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
kevman	0:38ceb79fef03	5775	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
kevman	0:38ceb79fef03	5776	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
kevman	0:38ceb79fef03	5777	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
kevman	0:38ceb79fef03	5778	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
kevman	0:38ceb79fef03	5779	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
kevman	0:38ceb79fef03	5780	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
kevman	0:38ceb79fef03	5781	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
kevman	0:38ceb79fef03	5782	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
kevman	0:38ceb79fef03	5783	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
kevman	0:38ceb79fef03	5784	alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
kevman	0:38ceb79fef03	5785	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
kevman	0:38ceb79fef03	5786	alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
kevman	0:38ceb79fef03	5787	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
kevman	0:38ceb79fef03	5788	alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
kevman	0:38ceb79fef03	5789	else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
kevman	0:38ceb79fef03	5790	alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
kevman	0:38ceb79fef03	5791	else
kevman	0:38ceb79fef03	5792	alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
kevman	0:38ceb79fef03	5793	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5794	alert );
kevman	0:38ceb79fef03	5795	}
kevman	0:38ceb79fef03	5796
kevman	0:38ceb79fef03	5797	#if defined(MBEDTLS_DEBUG_C)
kevman	0:38ceb79fef03	5798	if( ssl->session_negotiate->verify_result != 0 )
kevman	0:38ceb79fef03	5799	{
kevman	0:38ceb79fef03	5800	MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
kevman	0:38ceb79fef03	5801	ssl->session_negotiate->verify_result ) );
kevman	0:38ceb79fef03	5802	}
kevman	0:38ceb79fef03	5803	else
kevman	0:38ceb79fef03	5804	{
kevman	0:38ceb79fef03	5805	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
kevman	0:38ceb79fef03	5806	}
kevman	0:38ceb79fef03	5807	#endif /* MBEDTLS_DEBUG_C */
kevman	0:38ceb79fef03	5808	}
kevman	0:38ceb79fef03	5809
kevman	0:38ceb79fef03	5810	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
kevman	0:38ceb79fef03	5811
kevman	0:38ceb79fef03	5812	return( ret );
kevman	0:38ceb79fef03	5813	}
kevman	0:38ceb79fef03	5814	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
kevman	0:38ceb79fef03	5815	!MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
kevman	0:38ceb79fef03	5816	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
kevman	0:38ceb79fef03	5817	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
kevman	0:38ceb79fef03	5818	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
kevman	0:38ceb79fef03	5819	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
kevman	0:38ceb79fef03	5820	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
kevman	0:38ceb79fef03	5821
kevman	0:38ceb79fef03	5822	int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5823	{
kevman	0:38ceb79fef03	5824	int ret;
kevman	0:38ceb79fef03	5825
kevman	0:38ceb79fef03	5826	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
kevman	0:38ceb79fef03	5827
kevman	0:38ceb79fef03	5828	ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
kevman	0:38ceb79fef03	5829	ssl->out_msglen = 1;
kevman	0:38ceb79fef03	5830	ssl->out_msg[0] = 1;
kevman	0:38ceb79fef03	5831
kevman	0:38ceb79fef03	5832	ssl->state++;
kevman	0:38ceb79fef03	5833
kevman	0:38ceb79fef03	5834	if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
kevman	0:38ceb79fef03	5835	{
kevman	0:38ceb79fef03	5836	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
kevman	0:38ceb79fef03	5837	return( ret );
kevman	0:38ceb79fef03	5838	}
kevman	0:38ceb79fef03	5839
kevman	0:38ceb79fef03	5840	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
kevman	0:38ceb79fef03	5841
kevman	0:38ceb79fef03	5842	return( 0 );
kevman	0:38ceb79fef03	5843	}
kevman	0:38ceb79fef03	5844
kevman	0:38ceb79fef03	5845	int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5846	{
kevman	0:38ceb79fef03	5847	int ret;
kevman	0:38ceb79fef03	5848
kevman	0:38ceb79fef03	5849	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
kevman	0:38ceb79fef03	5850
kevman	0:38ceb79fef03	5851	if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
kevman	0:38ceb79fef03	5852	{
kevman	0:38ceb79fef03	5853	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
kevman	0:38ceb79fef03	5854	return( ret );
kevman	0:38ceb79fef03	5855	}
kevman	0:38ceb79fef03	5856
kevman	0:38ceb79fef03	5857	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
kevman	0:38ceb79fef03	5858	{
kevman	0:38ceb79fef03	5859	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
kevman	0:38ceb79fef03	5860	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5861	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	5862	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	5863	}
kevman	0:38ceb79fef03	5864
kevman	0:38ceb79fef03	5865	/* CCS records are only accepted if they have length 1 and content '1',
kevman	0:38ceb79fef03	5866	* so we don't need to check this here. */
kevman	0:38ceb79fef03	5867
kevman	0:38ceb79fef03	5868	/*
kevman	0:38ceb79fef03	5869	* Switch to our negotiated transform and session parameters for inbound
kevman	0:38ceb79fef03	5870	* data.
kevman	0:38ceb79fef03	5871	*/
kevman	0:38ceb79fef03	5872	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
kevman	0:38ceb79fef03	5873	ssl->transform_in = ssl->transform_negotiate;
kevman	0:38ceb79fef03	5874	ssl->session_in = ssl->session_negotiate;
kevman	0:38ceb79fef03	5875
kevman	0:38ceb79fef03	5876	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	5877	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	5878	{
kevman	0:38ceb79fef03	5879	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	5880	ssl_dtls_replay_reset( ssl );
kevman	0:38ceb79fef03	5881	#endif
kevman	0:38ceb79fef03	5882
kevman	0:38ceb79fef03	5883	/* Increment epoch */
kevman	0:38ceb79fef03	5884	if( ++ssl->in_epoch == 0 )
kevman	0:38ceb79fef03	5885	{
kevman	0:38ceb79fef03	5886	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
kevman	0:38ceb79fef03	5887	/* This is highly unlikely to happen for legitimate reasons, so
kevman	0:38ceb79fef03	5888	treat it as an attack and don't send an alert. */
kevman	0:38ceb79fef03	5889	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
kevman	0:38ceb79fef03	5890	}
kevman	0:38ceb79fef03	5891	}
kevman	0:38ceb79fef03	5892	else
kevman	0:38ceb79fef03	5893	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	5894	memset( ssl->in_ctr, 0, 8 );
kevman	0:38ceb79fef03	5895
kevman	0:38ceb79fef03	5896	ssl_update_in_pointers( ssl, ssl->transform_negotiate );
kevman	0:38ceb79fef03	5897
kevman	0:38ceb79fef03	5898	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	5899	if( mbedtls_ssl_hw_record_activate != NULL )
kevman	0:38ceb79fef03	5900	{
kevman	0:38ceb79fef03	5901	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
kevman	0:38ceb79fef03	5902	{
kevman	0:38ceb79fef03	5903	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
kevman	0:38ceb79fef03	5904	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	5905	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
kevman	0:38ceb79fef03	5906	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
kevman	0:38ceb79fef03	5907	}
kevman	0:38ceb79fef03	5908	}
kevman	0:38ceb79fef03	5909	#endif
kevman	0:38ceb79fef03	5910
kevman	0:38ceb79fef03	5911	ssl->state++;
kevman	0:38ceb79fef03	5912
kevman	0:38ceb79fef03	5913	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
kevman	0:38ceb79fef03	5914
kevman	0:38ceb79fef03	5915	return( 0 );
kevman	0:38ceb79fef03	5916	}
kevman	0:38ceb79fef03	5917
kevman	0:38ceb79fef03	5918	void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	5919	const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
kevman	0:38ceb79fef03	5920	{
kevman	0:38ceb79fef03	5921	((void) ciphersuite_info);
kevman	0:38ceb79fef03	5922
kevman	0:38ceb79fef03	5923	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	5924	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	5925	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
kevman	0:38ceb79fef03	5926	ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
kevman	0:38ceb79fef03	5927	else
kevman	0:38ceb79fef03	5928	#endif
kevman	0:38ceb79fef03	5929	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	5930	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	5931	if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
kevman	0:38ceb79fef03	5932	ssl->handshake->update_checksum = ssl_update_checksum_sha384;
kevman	0:38ceb79fef03	5933	else
kevman	0:38ceb79fef03	5934	#endif
kevman	0:38ceb79fef03	5935	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	5936	if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
kevman	0:38ceb79fef03	5937	ssl->handshake->update_checksum = ssl_update_checksum_sha256;
kevman	0:38ceb79fef03	5938	else
kevman	0:38ceb79fef03	5939	#endif
kevman	0:38ceb79fef03	5940	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	5941	{
kevman	0:38ceb79fef03	5942	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	5943	return;
kevman	0:38ceb79fef03	5944	}
kevman	0:38ceb79fef03	5945	}
kevman	0:38ceb79fef03	5946
kevman	0:38ceb79fef03	5947	void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	5948	{
kevman	0:38ceb79fef03	5949	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	5950	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	5951	mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
kevman	0:38ceb79fef03	5952	mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
kevman	0:38ceb79fef03	5953	#endif
kevman	0:38ceb79fef03	5954	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	5955	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	5956	mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
kevman	0:38ceb79fef03	5957	#endif
kevman	0:38ceb79fef03	5958	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	5959	mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
kevman	0:38ceb79fef03	5960	#endif
kevman	0:38ceb79fef03	5961	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	5962	}
kevman	0:38ceb79fef03	5963
kevman	0:38ceb79fef03	5964	static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	5965	const unsigned char *buf, size_t len )
kevman	0:38ceb79fef03	5966	{
kevman	0:38ceb79fef03	5967	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	5968	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	5969	mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
kevman	0:38ceb79fef03	5970	mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
kevman	0:38ceb79fef03	5971	#endif
kevman	0:38ceb79fef03	5972	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	5973	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	5974	mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
kevman	0:38ceb79fef03	5975	#endif
kevman	0:38ceb79fef03	5976	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	5977	mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
kevman	0:38ceb79fef03	5978	#endif
kevman	0:38ceb79fef03	5979	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	5980	}
kevman	0:38ceb79fef03	5981
kevman	0:38ceb79fef03	5982	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	5983	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	5984	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	5985	const unsigned char *buf, size_t len )
kevman	0:38ceb79fef03	5986	{
kevman	0:38ceb79fef03	5987	mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
kevman	0:38ceb79fef03	5988	mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
kevman	0:38ceb79fef03	5989	}
kevman	0:38ceb79fef03	5990	#endif
kevman	0:38ceb79fef03	5991
kevman	0:38ceb79fef03	5992	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	5993	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	5994	static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	5995	const unsigned char *buf, size_t len )
kevman	0:38ceb79fef03	5996	{
kevman	0:38ceb79fef03	5997	mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
kevman	0:38ceb79fef03	5998	}
kevman	0:38ceb79fef03	5999	#endif
kevman	0:38ceb79fef03	6000
kevman	0:38ceb79fef03	6001	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	6002	static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	6003	const unsigned char *buf, size_t len )
kevman	0:38ceb79fef03	6004	{
kevman	0:38ceb79fef03	6005	mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
kevman	0:38ceb79fef03	6006	}
kevman	0:38ceb79fef03	6007	#endif
kevman	0:38ceb79fef03	6008	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	6009
kevman	0:38ceb79fef03	6010	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	6011	static void ssl_calc_finished_ssl(
kevman	0:38ceb79fef03	6012	mbedtls_ssl_context ssl, unsigned char buf, int from )
kevman	0:38ceb79fef03	6013	{
kevman	0:38ceb79fef03	6014	const char *sender;
kevman	0:38ceb79fef03	6015	mbedtls_md5_context md5;
kevman	0:38ceb79fef03	6016	mbedtls_sha1_context sha1;
kevman	0:38ceb79fef03	6017
kevman	0:38ceb79fef03	6018	unsigned char padbuf[48];
kevman	0:38ceb79fef03	6019	unsigned char md5sum[16];
kevman	0:38ceb79fef03	6020	unsigned char sha1sum[20];
kevman	0:38ceb79fef03	6021
kevman	0:38ceb79fef03	6022	mbedtls_ssl_session *session = ssl->session_negotiate;
kevman	0:38ceb79fef03	6023	if( !session )
kevman	0:38ceb79fef03	6024	session = ssl->session;
kevman	0:38ceb79fef03	6025
kevman	0:38ceb79fef03	6026	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
kevman	0:38ceb79fef03	6027
kevman	0:38ceb79fef03	6028	mbedtls_md5_init( &md5 );
kevman	0:38ceb79fef03	6029	mbedtls_sha1_init( &sha1 );
kevman	0:38ceb79fef03	6030
kevman	0:38ceb79fef03	6031	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
kevman	0:38ceb79fef03	6032	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
kevman	0:38ceb79fef03	6033
kevman	0:38ceb79fef03	6034	/*
kevman	0:38ceb79fef03	6035	* SSLv3:
kevman	0:38ceb79fef03	6036	* hash =
kevman	0:38ceb79fef03	6037	* MD5( master + pad2 +
kevman	0:38ceb79fef03	6038	* MD5( handshake + sender + master + pad1 ) )
kevman	0:38ceb79fef03	6039	* + SHA1( master + pad2 +
kevman	0:38ceb79fef03	6040	* SHA1( handshake + sender + master + pad1 ) )
kevman	0:38ceb79fef03	6041	*/
kevman	0:38ceb79fef03	6042
kevman	0:38ceb79fef03	6043	#if !defined(MBEDTLS_MD5_ALT)
kevman	0:38ceb79fef03	6044	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
kevman	0:38ceb79fef03	6045	md5.state, sizeof( md5.state ) );
kevman	0:38ceb79fef03	6046	#endif
kevman	0:38ceb79fef03	6047
kevman	0:38ceb79fef03	6048	#if !defined(MBEDTLS_SHA1_ALT)
kevman	0:38ceb79fef03	6049	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
kevman	0:38ceb79fef03	6050	sha1.state, sizeof( sha1.state ) );
kevman	0:38ceb79fef03	6051	#endif
kevman	0:38ceb79fef03	6052
kevman	0:38ceb79fef03	6053	sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
kevman	0:38ceb79fef03	6054	: "SRVR";
kevman	0:38ceb79fef03	6055
kevman	0:38ceb79fef03	6056	memset( padbuf, 0x36, 48 );
kevman	0:38ceb79fef03	6057
kevman	0:38ceb79fef03	6058	mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
kevman	0:38ceb79fef03	6059	mbedtls_md5_update_ret( &md5, session->master, 48 );
kevman	0:38ceb79fef03	6060	mbedtls_md5_update_ret( &md5, padbuf, 48 );
kevman	0:38ceb79fef03	6061	mbedtls_md5_finish_ret( &md5, md5sum );
kevman	0:38ceb79fef03	6062
kevman	0:38ceb79fef03	6063	mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
kevman	0:38ceb79fef03	6064	mbedtls_sha1_update_ret( &sha1, session->master, 48 );
kevman	0:38ceb79fef03	6065	mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
kevman	0:38ceb79fef03	6066	mbedtls_sha1_finish_ret( &sha1, sha1sum );
kevman	0:38ceb79fef03	6067
kevman	0:38ceb79fef03	6068	memset( padbuf, 0x5C, 48 );
kevman	0:38ceb79fef03	6069
kevman	0:38ceb79fef03	6070	mbedtls_md5_starts_ret( &md5 );
kevman	0:38ceb79fef03	6071	mbedtls_md5_update_ret( &md5, session->master, 48 );
kevman	0:38ceb79fef03	6072	mbedtls_md5_update_ret( &md5, padbuf, 48 );
kevman	0:38ceb79fef03	6073	mbedtls_md5_update_ret( &md5, md5sum, 16 );
kevman	0:38ceb79fef03	6074	mbedtls_md5_finish_ret( &md5, buf );
kevman	0:38ceb79fef03	6075
kevman	0:38ceb79fef03	6076	mbedtls_sha1_starts_ret( &sha1 );
kevman	0:38ceb79fef03	6077	mbedtls_sha1_update_ret( &sha1, session->master, 48 );
kevman	0:38ceb79fef03	6078	mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
kevman	0:38ceb79fef03	6079	mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
kevman	0:38ceb79fef03	6080	mbedtls_sha1_finish_ret( &sha1, buf + 16 );
kevman	0:38ceb79fef03	6081
kevman	0:38ceb79fef03	6082	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
kevman	0:38ceb79fef03	6083
kevman	0:38ceb79fef03	6084	mbedtls_md5_free( &md5 );
kevman	0:38ceb79fef03	6085	mbedtls_sha1_free( &sha1 );
kevman	0:38ceb79fef03	6086
kevman	0:38ceb79fef03	6087	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
kevman	0:38ceb79fef03	6088	mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );
kevman	0:38ceb79fef03	6089	mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
kevman	0:38ceb79fef03	6090
kevman	0:38ceb79fef03	6091	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
kevman	0:38ceb79fef03	6092	}
kevman	0:38ceb79fef03	6093	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	6094
kevman	0:38ceb79fef03	6095	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	6096	static void ssl_calc_finished_tls(
kevman	0:38ceb79fef03	6097	mbedtls_ssl_context ssl, unsigned char buf, int from )
kevman	0:38ceb79fef03	6098	{
kevman	0:38ceb79fef03	6099	int len = 12;
kevman	0:38ceb79fef03	6100	const char *sender;
kevman	0:38ceb79fef03	6101	mbedtls_md5_context md5;
kevman	0:38ceb79fef03	6102	mbedtls_sha1_context sha1;
kevman	0:38ceb79fef03	6103	unsigned char padbuf[36];
kevman	0:38ceb79fef03	6104
kevman	0:38ceb79fef03	6105	mbedtls_ssl_session *session = ssl->session_negotiate;
kevman	0:38ceb79fef03	6106	if( !session )
kevman	0:38ceb79fef03	6107	session = ssl->session;
kevman	0:38ceb79fef03	6108
kevman	0:38ceb79fef03	6109	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
kevman	0:38ceb79fef03	6110
kevman	0:38ceb79fef03	6111	mbedtls_md5_init( &md5 );
kevman	0:38ceb79fef03	6112	mbedtls_sha1_init( &sha1 );
kevman	0:38ceb79fef03	6113
kevman	0:38ceb79fef03	6114	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
kevman	0:38ceb79fef03	6115	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
kevman	0:38ceb79fef03	6116
kevman	0:38ceb79fef03	6117	/*
kevman	0:38ceb79fef03	6118	* TLSv1:
kevman	0:38ceb79fef03	6119	* hash = PRF( master, finished_label,
kevman	0:38ceb79fef03	6120	* MD5( handshake ) + SHA1( handshake ) )[0..11]
kevman	0:38ceb79fef03	6121	*/
kevman	0:38ceb79fef03	6122
kevman	0:38ceb79fef03	6123	#if !defined(MBEDTLS_MD5_ALT)
kevman	0:38ceb79fef03	6124	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
kevman	0:38ceb79fef03	6125	md5.state, sizeof( md5.state ) );
kevman	0:38ceb79fef03	6126	#endif
kevman	0:38ceb79fef03	6127
kevman	0:38ceb79fef03	6128	#if !defined(MBEDTLS_SHA1_ALT)
kevman	0:38ceb79fef03	6129	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
kevman	0:38ceb79fef03	6130	sha1.state, sizeof( sha1.state ) );
kevman	0:38ceb79fef03	6131	#endif
kevman	0:38ceb79fef03	6132
kevman	0:38ceb79fef03	6133	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	6134	? "client finished"
kevman	0:38ceb79fef03	6135	: "server finished";
kevman	0:38ceb79fef03	6136
kevman	0:38ceb79fef03	6137	mbedtls_md5_finish_ret( &md5, padbuf );
kevman	0:38ceb79fef03	6138	mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
kevman	0:38ceb79fef03	6139
kevman	0:38ceb79fef03	6140	ssl->handshake->tls_prf( session->master, 48, sender,
kevman	0:38ceb79fef03	6141	padbuf, 36, buf, len );
kevman	0:38ceb79fef03	6142
kevman	0:38ceb79fef03	6143	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
kevman	0:38ceb79fef03	6144
kevman	0:38ceb79fef03	6145	mbedtls_md5_free( &md5 );
kevman	0:38ceb79fef03	6146	mbedtls_sha1_free( &sha1 );
kevman	0:38ceb79fef03	6147
kevman	0:38ceb79fef03	6148	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
kevman	0:38ceb79fef03	6149
kevman	0:38ceb79fef03	6150	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
kevman	0:38ceb79fef03	6151	}
kevman	0:38ceb79fef03	6152	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
kevman	0:38ceb79fef03	6153
kevman	0:38ceb79fef03	6154	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	6155	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	6156	static void ssl_calc_finished_tls_sha256(
kevman	0:38ceb79fef03	6157	mbedtls_ssl_context ssl, unsigned char buf, int from )
kevman	0:38ceb79fef03	6158	{
kevman	0:38ceb79fef03	6159	int len = 12;
kevman	0:38ceb79fef03	6160	const char *sender;
kevman	0:38ceb79fef03	6161	mbedtls_sha256_context sha256;
kevman	0:38ceb79fef03	6162	unsigned char padbuf[32];
kevman	0:38ceb79fef03	6163
kevman	0:38ceb79fef03	6164	mbedtls_ssl_session *session = ssl->session_negotiate;
kevman	0:38ceb79fef03	6165	if( !session )
kevman	0:38ceb79fef03	6166	session = ssl->session;
kevman	0:38ceb79fef03	6167
kevman	0:38ceb79fef03	6168	mbedtls_sha256_init( &sha256 );
kevman	0:38ceb79fef03	6169
kevman	0:38ceb79fef03	6170	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
kevman	0:38ceb79fef03	6171
kevman	0:38ceb79fef03	6172	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
kevman	0:38ceb79fef03	6173
kevman	0:38ceb79fef03	6174	/*
kevman	0:38ceb79fef03	6175	* TLSv1.2:
kevman	0:38ceb79fef03	6176	* hash = PRF( master, finished_label,
kevman	0:38ceb79fef03	6177	* Hash( handshake ) )[0.11]
kevman	0:38ceb79fef03	6178	*/
kevman	0:38ceb79fef03	6179
kevman	0:38ceb79fef03	6180	#if !defined(MBEDTLS_SHA256_ALT)
kevman	0:38ceb79fef03	6181	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
kevman	0:38ceb79fef03	6182	sha256.state, sizeof( sha256.state ) );
kevman	0:38ceb79fef03	6183	#endif
kevman	0:38ceb79fef03	6184
kevman	0:38ceb79fef03	6185	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	6186	? "client finished"
kevman	0:38ceb79fef03	6187	: "server finished";
kevman	0:38ceb79fef03	6188
kevman	0:38ceb79fef03	6189	mbedtls_sha256_finish_ret( &sha256, padbuf );
kevman	0:38ceb79fef03	6190
kevman	0:38ceb79fef03	6191	ssl->handshake->tls_prf( session->master, 48, sender,
kevman	0:38ceb79fef03	6192	padbuf, 32, buf, len );
kevman	0:38ceb79fef03	6193
kevman	0:38ceb79fef03	6194	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
kevman	0:38ceb79fef03	6195
kevman	0:38ceb79fef03	6196	mbedtls_sha256_free( &sha256 );
kevman	0:38ceb79fef03	6197
kevman	0:38ceb79fef03	6198	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
kevman	0:38ceb79fef03	6199
kevman	0:38ceb79fef03	6200	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
kevman	0:38ceb79fef03	6201	}
kevman	0:38ceb79fef03	6202	#endif /* MBEDTLS_SHA256_C */
kevman	0:38ceb79fef03	6203
kevman	0:38ceb79fef03	6204	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	6205	static void ssl_calc_finished_tls_sha384(
kevman	0:38ceb79fef03	6206	mbedtls_ssl_context ssl, unsigned char buf, int from )
kevman	0:38ceb79fef03	6207	{
kevman	0:38ceb79fef03	6208	int len = 12;
kevman	0:38ceb79fef03	6209	const char *sender;
kevman	0:38ceb79fef03	6210	mbedtls_sha512_context sha512;
kevman	0:38ceb79fef03	6211	unsigned char padbuf[48];
kevman	0:38ceb79fef03	6212
kevman	0:38ceb79fef03	6213	mbedtls_ssl_session *session = ssl->session_negotiate;
kevman	0:38ceb79fef03	6214	if( !session )
kevman	0:38ceb79fef03	6215	session = ssl->session;
kevman	0:38ceb79fef03	6216
kevman	0:38ceb79fef03	6217	mbedtls_sha512_init( &sha512 );
kevman	0:38ceb79fef03	6218
kevman	0:38ceb79fef03	6219	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
kevman	0:38ceb79fef03	6220
kevman	0:38ceb79fef03	6221	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
kevman	0:38ceb79fef03	6222
kevman	0:38ceb79fef03	6223	/*
kevman	0:38ceb79fef03	6224	* TLSv1.2:
kevman	0:38ceb79fef03	6225	* hash = PRF( master, finished_label,
kevman	0:38ceb79fef03	6226	* Hash( handshake ) )[0.11]
kevman	0:38ceb79fef03	6227	*/
kevman	0:38ceb79fef03	6228
kevman	0:38ceb79fef03	6229	#if !defined(MBEDTLS_SHA512_ALT)
kevman	0:38ceb79fef03	6230	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
kevman	0:38ceb79fef03	6231	sha512.state, sizeof( sha512.state ) );
kevman	0:38ceb79fef03	6232	#endif
kevman	0:38ceb79fef03	6233
kevman	0:38ceb79fef03	6234	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	6235	? "client finished"
kevman	0:38ceb79fef03	6236	: "server finished";
kevman	0:38ceb79fef03	6237
kevman	0:38ceb79fef03	6238	mbedtls_sha512_finish_ret( &sha512, padbuf );
kevman	0:38ceb79fef03	6239
kevman	0:38ceb79fef03	6240	ssl->handshake->tls_prf( session->master, 48, sender,
kevman	0:38ceb79fef03	6241	padbuf, 48, buf, len );
kevman	0:38ceb79fef03	6242
kevman	0:38ceb79fef03	6243	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
kevman	0:38ceb79fef03	6244
kevman	0:38ceb79fef03	6245	mbedtls_sha512_free( &sha512 );
kevman	0:38ceb79fef03	6246
kevman	0:38ceb79fef03	6247	mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
kevman	0:38ceb79fef03	6248
kevman	0:38ceb79fef03	6249	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
kevman	0:38ceb79fef03	6250	}
kevman	0:38ceb79fef03	6251	#endif /* MBEDTLS_SHA512_C */
kevman	0:38ceb79fef03	6252	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	6253
kevman	0:38ceb79fef03	6254	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6255	{
kevman	0:38ceb79fef03	6256	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
kevman	0:38ceb79fef03	6257
kevman	0:38ceb79fef03	6258	/*
kevman	0:38ceb79fef03	6259	* Free our handshake params
kevman	0:38ceb79fef03	6260	*/
kevman	0:38ceb79fef03	6261	mbedtls_ssl_handshake_free( ssl );
kevman	0:38ceb79fef03	6262	mbedtls_free( ssl->handshake );
kevman	0:38ceb79fef03	6263	ssl->handshake = NULL;
kevman	0:38ceb79fef03	6264
kevman	0:38ceb79fef03	6265	/*
kevman	0:38ceb79fef03	6266	* Free the previous transform and swith in the current one
kevman	0:38ceb79fef03	6267	*/
kevman	0:38ceb79fef03	6268	if( ssl->transform )
kevman	0:38ceb79fef03	6269	{
kevman	0:38ceb79fef03	6270	mbedtls_ssl_transform_free( ssl->transform );
kevman	0:38ceb79fef03	6271	mbedtls_free( ssl->transform );
kevman	0:38ceb79fef03	6272	}
kevman	0:38ceb79fef03	6273	ssl->transform = ssl->transform_negotiate;
kevman	0:38ceb79fef03	6274	ssl->transform_negotiate = NULL;
kevman	0:38ceb79fef03	6275
kevman	0:38ceb79fef03	6276	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
kevman	0:38ceb79fef03	6277	}
kevman	0:38ceb79fef03	6278
kevman	0:38ceb79fef03	6279	void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6280	{
kevman	0:38ceb79fef03	6281	int resume = ssl->handshake->resume;
kevman	0:38ceb79fef03	6282
kevman	0:38ceb79fef03	6283	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
kevman	0:38ceb79fef03	6284
kevman	0:38ceb79fef03	6285	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	6286	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
kevman	0:38ceb79fef03	6287	{
kevman	0:38ceb79fef03	6288	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
kevman	0:38ceb79fef03	6289	ssl->renego_records_seen = 0;
kevman	0:38ceb79fef03	6290	}
kevman	0:38ceb79fef03	6291	#endif
kevman	0:38ceb79fef03	6292
kevman	0:38ceb79fef03	6293	/*
kevman	0:38ceb79fef03	6294	* Free the previous session and switch in the current one
kevman	0:38ceb79fef03	6295	*/
kevman	0:38ceb79fef03	6296	if( ssl->session )
kevman	0:38ceb79fef03	6297	{
kevman	0:38ceb79fef03	6298	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
kevman	0:38ceb79fef03	6299	/* RFC 7366 3.1: keep the EtM state */
kevman	0:38ceb79fef03	6300	ssl->session_negotiate->encrypt_then_mac =
kevman	0:38ceb79fef03	6301	ssl->session->encrypt_then_mac;
kevman	0:38ceb79fef03	6302	#endif
kevman	0:38ceb79fef03	6303
kevman	0:38ceb79fef03	6304	mbedtls_ssl_session_free( ssl->session );
kevman	0:38ceb79fef03	6305	mbedtls_free( ssl->session );
kevman	0:38ceb79fef03	6306	}
kevman	0:38ceb79fef03	6307	ssl->session = ssl->session_negotiate;
kevman	0:38ceb79fef03	6308	ssl->session_negotiate = NULL;
kevman	0:38ceb79fef03	6309
kevman	0:38ceb79fef03	6310	/*
kevman	0:38ceb79fef03	6311	* Add cache entry
kevman	0:38ceb79fef03	6312	*/
kevman	0:38ceb79fef03	6313	if( ssl->conf->f_set_cache != NULL &&
kevman	0:38ceb79fef03	6314	ssl->session->id_len != 0 &&
kevman	0:38ceb79fef03	6315	resume == 0 )
kevman	0:38ceb79fef03	6316	{
kevman	0:38ceb79fef03	6317	if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
kevman	0:38ceb79fef03	6318	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
kevman	0:38ceb79fef03	6319	}
kevman	0:38ceb79fef03	6320
kevman	0:38ceb79fef03	6321	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6322	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	6323	ssl->handshake->flight != NULL )
kevman	0:38ceb79fef03	6324	{
kevman	0:38ceb79fef03	6325	/* Cancel handshake timer */
kevman	0:38ceb79fef03	6326	ssl_set_timer( ssl, 0 );
kevman	0:38ceb79fef03	6327
kevman	0:38ceb79fef03	6328	/* Keep last flight around in case we need to resend it:
kevman	0:38ceb79fef03	6329	* we need the handshake and transform structures for that */
kevman	0:38ceb79fef03	6330	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
kevman	0:38ceb79fef03	6331	}
kevman	0:38ceb79fef03	6332	else
kevman	0:38ceb79fef03	6333	#endif
kevman	0:38ceb79fef03	6334	ssl_handshake_wrapup_free_hs_transform( ssl );
kevman	0:38ceb79fef03	6335
kevman	0:38ceb79fef03	6336	ssl->state++;
kevman	0:38ceb79fef03	6337
kevman	0:38ceb79fef03	6338	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
kevman	0:38ceb79fef03	6339	}
kevman	0:38ceb79fef03	6340
kevman	0:38ceb79fef03	6341	int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6342	{
kevman	0:38ceb79fef03	6343	int ret, hash_len;
kevman	0:38ceb79fef03	6344
kevman	0:38ceb79fef03	6345	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
kevman	0:38ceb79fef03	6346
kevman	0:38ceb79fef03	6347	ssl_update_out_pointers( ssl, ssl->transform_negotiate );
kevman	0:38ceb79fef03	6348
kevman	0:38ceb79fef03	6349	ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
kevman	0:38ceb79fef03	6350
kevman	0:38ceb79fef03	6351	/*
kevman	0:38ceb79fef03	6352	* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
kevman	0:38ceb79fef03	6353	* may define some other value. Currently (early 2016), no defined
kevman	0:38ceb79fef03	6354	* ciphersuite does this (and this is unlikely to change as activity has
kevman	0:38ceb79fef03	6355	* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
kevman	0:38ceb79fef03	6356	*/
kevman	0:38ceb79fef03	6357	hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
kevman	0:38ceb79fef03	6358
kevman	0:38ceb79fef03	6359	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	6360	ssl->verify_data_len = hash_len;
kevman	0:38ceb79fef03	6361	memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
kevman	0:38ceb79fef03	6362	#endif
kevman	0:38ceb79fef03	6363
kevman	0:38ceb79fef03	6364	ssl->out_msglen = 4 + hash_len;
kevman	0:38ceb79fef03	6365	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
kevman	0:38ceb79fef03	6366	ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
kevman	0:38ceb79fef03	6367
kevman	0:38ceb79fef03	6368	/*
kevman	0:38ceb79fef03	6369	* In case of session resuming, invert the client and server
kevman	0:38ceb79fef03	6370	* ChangeCipherSpec messages order.
kevman	0:38ceb79fef03	6371	*/
kevman	0:38ceb79fef03	6372	if( ssl->handshake->resume != 0 )
kevman	0:38ceb79fef03	6373	{
kevman	0:38ceb79fef03	6374	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	6375	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	6376	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
kevman	0:38ceb79fef03	6377	#endif
kevman	0:38ceb79fef03	6378	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	6379	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	6380	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
kevman	0:38ceb79fef03	6381	#endif
kevman	0:38ceb79fef03	6382	}
kevman	0:38ceb79fef03	6383	else
kevman	0:38ceb79fef03	6384	ssl->state++;
kevman	0:38ceb79fef03	6385
kevman	0:38ceb79fef03	6386	/*
kevman	0:38ceb79fef03	6387	* Switch to our negotiated transform and session parameters for outbound
kevman	0:38ceb79fef03	6388	* data.
kevman	0:38ceb79fef03	6389	*/
kevman	0:38ceb79fef03	6390	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
kevman	0:38ceb79fef03	6391
kevman	0:38ceb79fef03	6392	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6393	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	6394	{
kevman	0:38ceb79fef03	6395	unsigned char i;
kevman	0:38ceb79fef03	6396
kevman	0:38ceb79fef03	6397	/* Remember current epoch settings for resending */
kevman	0:38ceb79fef03	6398	ssl->handshake->alt_transform_out = ssl->transform_out;
kevman	0:38ceb79fef03	6399	memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
kevman	0:38ceb79fef03	6400
kevman	0:38ceb79fef03	6401	/* Set sequence_number to zero */
kevman	0:38ceb79fef03	6402	memset( ssl->cur_out_ctr + 2, 0, 6 );
kevman	0:38ceb79fef03	6403
kevman	0:38ceb79fef03	6404	/* Increment epoch */
kevman	0:38ceb79fef03	6405	for( i = 2; i > 0; i-- )
kevman	0:38ceb79fef03	6406	if( ++ssl->cur_out_ctr[i - 1] != 0 )
kevman	0:38ceb79fef03	6407	break;
kevman	0:38ceb79fef03	6408
kevman	0:38ceb79fef03	6409	/* The loop goes to its end iff the counter is wrapping */
kevman	0:38ceb79fef03	6410	if( i == 0 )
kevman	0:38ceb79fef03	6411	{
kevman	0:38ceb79fef03	6412	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
kevman	0:38ceb79fef03	6413	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
kevman	0:38ceb79fef03	6414	}
kevman	0:38ceb79fef03	6415	}
kevman	0:38ceb79fef03	6416	else
kevman	0:38ceb79fef03	6417	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	6418	memset( ssl->cur_out_ctr, 0, 8 );
kevman	0:38ceb79fef03	6419
kevman	0:38ceb79fef03	6420	ssl->transform_out = ssl->transform_negotiate;
kevman	0:38ceb79fef03	6421	ssl->session_out = ssl->session_negotiate;
kevman	0:38ceb79fef03	6422
kevman	0:38ceb79fef03	6423	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	6424	if( mbedtls_ssl_hw_record_activate != NULL )
kevman	0:38ceb79fef03	6425	{
kevman	0:38ceb79fef03	6426	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
kevman	0:38ceb79fef03	6427	{
kevman	0:38ceb79fef03	6428	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
kevman	0:38ceb79fef03	6429	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
kevman	0:38ceb79fef03	6430	}
kevman	0:38ceb79fef03	6431	}
kevman	0:38ceb79fef03	6432	#endif
kevman	0:38ceb79fef03	6433
kevman	0:38ceb79fef03	6434	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6435	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	6436	mbedtls_ssl_send_flight_completed( ssl );
kevman	0:38ceb79fef03	6437	#endif
kevman	0:38ceb79fef03	6438
kevman	0:38ceb79fef03	6439	if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
kevman	0:38ceb79fef03	6440	{
kevman	0:38ceb79fef03	6441	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
kevman	0:38ceb79fef03	6442	return( ret );
kevman	0:38ceb79fef03	6443	}
kevman	0:38ceb79fef03	6444
kevman	0:38ceb79fef03	6445	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6446	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	6447	( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
kevman	0:38ceb79fef03	6448	{
kevman	0:38ceb79fef03	6449	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
kevman	0:38ceb79fef03	6450	return( ret );
kevman	0:38ceb79fef03	6451	}
kevman	0:38ceb79fef03	6452	#endif
kevman	0:38ceb79fef03	6453
kevman	0:38ceb79fef03	6454	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
kevman	0:38ceb79fef03	6455
kevman	0:38ceb79fef03	6456	return( 0 );
kevman	0:38ceb79fef03	6457	}
kevman	0:38ceb79fef03	6458
kevman	0:38ceb79fef03	6459	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	6460	#define SSL_MAX_HASH_LEN 36
kevman	0:38ceb79fef03	6461	#else
kevman	0:38ceb79fef03	6462	#define SSL_MAX_HASH_LEN 12
kevman	0:38ceb79fef03	6463	#endif
kevman	0:38ceb79fef03	6464
kevman	0:38ceb79fef03	6465	int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6466	{
kevman	0:38ceb79fef03	6467	int ret;
kevman	0:38ceb79fef03	6468	unsigned int hash_len;
kevman	0:38ceb79fef03	6469	unsigned char buf[SSL_MAX_HASH_LEN];
kevman	0:38ceb79fef03	6470
kevman	0:38ceb79fef03	6471	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
kevman	0:38ceb79fef03	6472
kevman	0:38ceb79fef03	6473	ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
kevman	0:38ceb79fef03	6474
kevman	0:38ceb79fef03	6475	if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
kevman	0:38ceb79fef03	6476	{
kevman	0:38ceb79fef03	6477	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
kevman	0:38ceb79fef03	6478	return( ret );
kevman	0:38ceb79fef03	6479	}
kevman	0:38ceb79fef03	6480
kevman	0:38ceb79fef03	6481	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
kevman	0:38ceb79fef03	6482	{
kevman	0:38ceb79fef03	6483	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
kevman	0:38ceb79fef03	6484	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	6485	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	6486	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	6487	}
kevman	0:38ceb79fef03	6488
kevman	0:38ceb79fef03	6489	/* There is currently no ciphersuite using another length with TLS 1.2 */
kevman	0:38ceb79fef03	6490	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	6491	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	6492	hash_len = 36;
kevman	0:38ceb79fef03	6493	else
kevman	0:38ceb79fef03	6494	#endif
kevman	0:38ceb79fef03	6495	hash_len = 12;
kevman	0:38ceb79fef03	6496
kevman	0:38ceb79fef03	6497	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED \|\|
kevman	0:38ceb79fef03	6498	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
kevman	0:38ceb79fef03	6499	{
kevman	0:38ceb79fef03	6500	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
kevman	0:38ceb79fef03	6501	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	6502	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
kevman	0:38ceb79fef03	6503	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
kevman	0:38ceb79fef03	6504	}
kevman	0:38ceb79fef03	6505
kevman	0:38ceb79fef03	6506	if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
kevman	0:38ceb79fef03	6507	buf, hash_len ) != 0 )
kevman	0:38ceb79fef03	6508	{
kevman	0:38ceb79fef03	6509	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
kevman	0:38ceb79fef03	6510	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	6511	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
kevman	0:38ceb79fef03	6512	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
kevman	0:38ceb79fef03	6513	}
kevman	0:38ceb79fef03	6514
kevman	0:38ceb79fef03	6515	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	6516	ssl->verify_data_len = hash_len;
kevman	0:38ceb79fef03	6517	memcpy( ssl->peer_verify_data, buf, hash_len );
kevman	0:38ceb79fef03	6518	#endif
kevman	0:38ceb79fef03	6519
kevman	0:38ceb79fef03	6520	if( ssl->handshake->resume != 0 )
kevman	0:38ceb79fef03	6521	{
kevman	0:38ceb79fef03	6522	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	6523	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	6524	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
kevman	0:38ceb79fef03	6525	#endif
kevman	0:38ceb79fef03	6526	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	6527	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	6528	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
kevman	0:38ceb79fef03	6529	#endif
kevman	0:38ceb79fef03	6530	}
kevman	0:38ceb79fef03	6531	else
kevman	0:38ceb79fef03	6532	ssl->state++;
kevman	0:38ceb79fef03	6533
kevman	0:38ceb79fef03	6534	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6535	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	6536	mbedtls_ssl_recv_flight_completed( ssl );
kevman	0:38ceb79fef03	6537	#endif
kevman	0:38ceb79fef03	6538
kevman	0:38ceb79fef03	6539	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
kevman	0:38ceb79fef03	6540
kevman	0:38ceb79fef03	6541	return( 0 );
kevman	0:38ceb79fef03	6542	}
kevman	0:38ceb79fef03	6543
kevman	0:38ceb79fef03	6544	static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
kevman	0:38ceb79fef03	6545	{
kevman	0:38ceb79fef03	6546	memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
kevman	0:38ceb79fef03	6547
kevman	0:38ceb79fef03	6548	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	6549	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	6550	mbedtls_md5_init( &handshake->fin_md5 );
kevman	0:38ceb79fef03	6551	mbedtls_sha1_init( &handshake->fin_sha1 );
kevman	0:38ceb79fef03	6552	mbedtls_md5_starts_ret( &handshake->fin_md5 );
kevman	0:38ceb79fef03	6553	mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
kevman	0:38ceb79fef03	6554	#endif
kevman	0:38ceb79fef03	6555	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	6556	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	6557	mbedtls_sha256_init( &handshake->fin_sha256 );
kevman	0:38ceb79fef03	6558	mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
kevman	0:38ceb79fef03	6559	#endif
kevman	0:38ceb79fef03	6560	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	6561	mbedtls_sha512_init( &handshake->fin_sha512 );
kevman	0:38ceb79fef03	6562	mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
kevman	0:38ceb79fef03	6563	#endif
kevman	0:38ceb79fef03	6564	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	6565
kevman	0:38ceb79fef03	6566	handshake->update_checksum = ssl_update_checksum_start;
kevman	0:38ceb79fef03	6567
kevman	0:38ceb79fef03	6568	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
kevman	0:38ceb79fef03	6569	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	6570	mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
kevman	0:38ceb79fef03	6571	#endif
kevman	0:38ceb79fef03	6572
kevman	0:38ceb79fef03	6573	#if defined(MBEDTLS_DHM_C)
kevman	0:38ceb79fef03	6574	mbedtls_dhm_init( &handshake->dhm_ctx );
kevman	0:38ceb79fef03	6575	#endif
kevman	0:38ceb79fef03	6576	#if defined(MBEDTLS_ECDH_C)
kevman	0:38ceb79fef03	6577	mbedtls_ecdh_init( &handshake->ecdh_ctx );
kevman	0:38ceb79fef03	6578	#endif
kevman	0:38ceb79fef03	6579	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
kevman	0:38ceb79fef03	6580	mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
kevman	0:38ceb79fef03	6581	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	6582	handshake->ecjpake_cache = NULL;
kevman	0:38ceb79fef03	6583	handshake->ecjpake_cache_len = 0;
kevman	0:38ceb79fef03	6584	#endif
kevman	0:38ceb79fef03	6585	#endif
kevman	0:38ceb79fef03	6586
kevman	0:38ceb79fef03	6587	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
kevman	0:38ceb79fef03	6588	handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
kevman	0:38ceb79fef03	6589	#endif
kevman	0:38ceb79fef03	6590	}
kevman	0:38ceb79fef03	6591
kevman	0:38ceb79fef03	6592	static void ssl_transform_init( mbedtls_ssl_transform *transform )
kevman	0:38ceb79fef03	6593	{
kevman	0:38ceb79fef03	6594	memset( transform, 0, sizeof(mbedtls_ssl_transform) );
kevman	0:38ceb79fef03	6595
kevman	0:38ceb79fef03	6596	mbedtls_cipher_init( &transform->cipher_ctx_enc );
kevman	0:38ceb79fef03	6597	mbedtls_cipher_init( &transform->cipher_ctx_dec );
kevman	0:38ceb79fef03	6598
kevman	0:38ceb79fef03	6599	mbedtls_md_init( &transform->md_ctx_enc );
kevman	0:38ceb79fef03	6600	mbedtls_md_init( &transform->md_ctx_dec );
kevman	0:38ceb79fef03	6601	}
kevman	0:38ceb79fef03	6602
kevman	0:38ceb79fef03	6603	void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
kevman	0:38ceb79fef03	6604	{
kevman	0:38ceb79fef03	6605	memset( session, 0, sizeof(mbedtls_ssl_session) );
kevman	0:38ceb79fef03	6606	}
kevman	0:38ceb79fef03	6607
kevman	0:38ceb79fef03	6608	static int ssl_handshake_init( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6609	{
kevman	0:38ceb79fef03	6610	/* Clear old handshake information if present */
kevman	0:38ceb79fef03	6611	if( ssl->transform_negotiate )
kevman	0:38ceb79fef03	6612	mbedtls_ssl_transform_free( ssl->transform_negotiate );
kevman	0:38ceb79fef03	6613	if( ssl->session_negotiate )
kevman	0:38ceb79fef03	6614	mbedtls_ssl_session_free( ssl->session_negotiate );
kevman	0:38ceb79fef03	6615	if( ssl->handshake )
kevman	0:38ceb79fef03	6616	mbedtls_ssl_handshake_free( ssl );
kevman	0:38ceb79fef03	6617
kevman	0:38ceb79fef03	6618	/*
kevman	0:38ceb79fef03	6619	* Either the pointers are now NULL or cleared properly and can be freed.
kevman	0:38ceb79fef03	6620	* Now allocate missing structures.
kevman	0:38ceb79fef03	6621	*/
kevman	0:38ceb79fef03	6622	if( ssl->transform_negotiate == NULL )
kevman	0:38ceb79fef03	6623	{
kevman	0:38ceb79fef03	6624	ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
kevman	0:38ceb79fef03	6625	}
kevman	0:38ceb79fef03	6626
kevman	0:38ceb79fef03	6627	if( ssl->session_negotiate == NULL )
kevman	0:38ceb79fef03	6628	{
kevman	0:38ceb79fef03	6629	ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
kevman	0:38ceb79fef03	6630	}
kevman	0:38ceb79fef03	6631
kevman	0:38ceb79fef03	6632	if( ssl->handshake == NULL )
kevman	0:38ceb79fef03	6633	{
kevman	0:38ceb79fef03	6634	ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
kevman	0:38ceb79fef03	6635	}
kevman	0:38ceb79fef03	6636
kevman	0:38ceb79fef03	6637	/* All pointers should exist and can be directly freed without issue */
kevman	0:38ceb79fef03	6638	if( ssl->handshake == NULL \|\|
kevman	0:38ceb79fef03	6639	ssl->transform_negotiate == NULL \|\|
kevman	0:38ceb79fef03	6640	ssl->session_negotiate == NULL )
kevman	0:38ceb79fef03	6641	{
kevman	0:38ceb79fef03	6642	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
kevman	0:38ceb79fef03	6643
kevman	0:38ceb79fef03	6644	mbedtls_free( ssl->handshake );
kevman	0:38ceb79fef03	6645	mbedtls_free( ssl->transform_negotiate );
kevman	0:38ceb79fef03	6646	mbedtls_free( ssl->session_negotiate );
kevman	0:38ceb79fef03	6647
kevman	0:38ceb79fef03	6648	ssl->handshake = NULL;
kevman	0:38ceb79fef03	6649	ssl->transform_negotiate = NULL;
kevman	0:38ceb79fef03	6650	ssl->session_negotiate = NULL;
kevman	0:38ceb79fef03	6651
kevman	0:38ceb79fef03	6652	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	6653	}
kevman	0:38ceb79fef03	6654
kevman	0:38ceb79fef03	6655	/* Initialize structures */
kevman	0:38ceb79fef03	6656	mbedtls_ssl_session_init( ssl->session_negotiate );
kevman	0:38ceb79fef03	6657	ssl_transform_init( ssl->transform_negotiate );
kevman	0:38ceb79fef03	6658	ssl_handshake_params_init( ssl->handshake );
kevman	0:38ceb79fef03	6659
kevman	0:38ceb79fef03	6660	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6661	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	6662	{
kevman	0:38ceb79fef03	6663	ssl->handshake->alt_transform_out = ssl->transform_out;
kevman	0:38ceb79fef03	6664
kevman	0:38ceb79fef03	6665	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	6666	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
kevman	0:38ceb79fef03	6667	else
kevman	0:38ceb79fef03	6668	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
kevman	0:38ceb79fef03	6669
kevman	0:38ceb79fef03	6670	ssl_set_timer( ssl, 0 );
kevman	0:38ceb79fef03	6671	}
kevman	0:38ceb79fef03	6672	#endif
kevman	0:38ceb79fef03	6673
kevman	0:38ceb79fef03	6674	return( 0 );
kevman	0:38ceb79fef03	6675	}
kevman	0:38ceb79fef03	6676
kevman	0:38ceb79fef03	6677	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	6678	/* Dummy cookie callbacks for defaults */
kevman	0:38ceb79fef03	6679	static int ssl_cookie_write_dummy( void *ctx,
kevman	0:38ceb79fef03	6680	unsigned char *p, unsigned char end,
kevman	0:38ceb79fef03	6681	const unsigned char *cli_id, size_t cli_id_len )
kevman	0:38ceb79fef03	6682	{
kevman	0:38ceb79fef03	6683	((void) ctx);
kevman	0:38ceb79fef03	6684	((void) p);
kevman	0:38ceb79fef03	6685	((void) end);
kevman	0:38ceb79fef03	6686	((void) cli_id);
kevman	0:38ceb79fef03	6687	((void) cli_id_len);
kevman	0:38ceb79fef03	6688
kevman	0:38ceb79fef03	6689	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
kevman	0:38ceb79fef03	6690	}
kevman	0:38ceb79fef03	6691
kevman	0:38ceb79fef03	6692	static int ssl_cookie_check_dummy( void *ctx,
kevman	0:38ceb79fef03	6693	const unsigned char *cookie, size_t cookie_len,
kevman	0:38ceb79fef03	6694	const unsigned char *cli_id, size_t cli_id_len )
kevman	0:38ceb79fef03	6695	{
kevman	0:38ceb79fef03	6696	((void) ctx);
kevman	0:38ceb79fef03	6697	((void) cookie);
kevman	0:38ceb79fef03	6698	((void) cookie_len);
kevman	0:38ceb79fef03	6699	((void) cli_id);
kevman	0:38ceb79fef03	6700	((void) cli_id_len);
kevman	0:38ceb79fef03	6701
kevman	0:38ceb79fef03	6702	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
kevman	0:38ceb79fef03	6703	}
kevman	0:38ceb79fef03	6704	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	6705
kevman	0:38ceb79fef03	6706	/* Once ssl->out_hdr as the address of the beginning of the
kevman	0:38ceb79fef03	6707	* next outgoing record is set, deduce the other pointers.
kevman	0:38ceb79fef03	6708	*
kevman	0:38ceb79fef03	6709	* Note: For TLS, we save the implicit record sequence number
kevman	0:38ceb79fef03	6710	* (entering MAC computation) in the 8 bytes before ssl->out_hdr,
kevman	0:38ceb79fef03	6711	* and the caller has to make sure there's space for this.
kevman	0:38ceb79fef03	6712	*/
kevman	0:38ceb79fef03	6713
kevman	0:38ceb79fef03	6714	static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	6715	mbedtls_ssl_transform *transform )
kevman	0:38ceb79fef03	6716	{
kevman	0:38ceb79fef03	6717	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6718	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	6719	{
kevman	0:38ceb79fef03	6720	ssl->out_ctr = ssl->out_hdr + 3;
kevman	0:38ceb79fef03	6721	ssl->out_len = ssl->out_hdr + 11;
kevman	0:38ceb79fef03	6722	ssl->out_iv = ssl->out_hdr + 13;
kevman	0:38ceb79fef03	6723	}
kevman	0:38ceb79fef03	6724	else
kevman	0:38ceb79fef03	6725	#endif
kevman	0:38ceb79fef03	6726	{
kevman	0:38ceb79fef03	6727	ssl->out_ctr = ssl->out_hdr - 8;
kevman	0:38ceb79fef03	6728	ssl->out_len = ssl->out_hdr + 3;
kevman	0:38ceb79fef03	6729	ssl->out_iv = ssl->out_hdr + 5;
kevman	0:38ceb79fef03	6730	}
kevman	0:38ceb79fef03	6731
kevman	0:38ceb79fef03	6732	/* Adjust out_msg to make space for explicit IV, if used. */
kevman	0:38ceb79fef03	6733	if( transform != NULL &&
kevman	0:38ceb79fef03	6734	ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	6735	{
kevman	0:38ceb79fef03	6736	ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
kevman	0:38ceb79fef03	6737	}
kevman	0:38ceb79fef03	6738	else
kevman	0:38ceb79fef03	6739	ssl->out_msg = ssl->out_iv;
kevman	0:38ceb79fef03	6740	}
kevman	0:38ceb79fef03	6741
kevman	0:38ceb79fef03	6742	/* Once ssl->in_hdr as the address of the beginning of the
kevman	0:38ceb79fef03	6743	* next incoming record is set, deduce the other pointers.
kevman	0:38ceb79fef03	6744	*
kevman	0:38ceb79fef03	6745	* Note: For TLS, we save the implicit record sequence number
kevman	0:38ceb79fef03	6746	* (entering MAC computation) in the 8 bytes before ssl->in_hdr,
kevman	0:38ceb79fef03	6747	* and the caller has to make sure there's space for this.
kevman	0:38ceb79fef03	6748	*/
kevman	0:38ceb79fef03	6749
kevman	0:38ceb79fef03	6750	static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	6751	mbedtls_ssl_transform *transform )
kevman	0:38ceb79fef03	6752	{
kevman	0:38ceb79fef03	6753	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6754	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	6755	{
kevman	0:38ceb79fef03	6756	ssl->in_ctr = ssl->in_hdr + 3;
kevman	0:38ceb79fef03	6757	ssl->in_len = ssl->in_hdr + 11;
kevman	0:38ceb79fef03	6758	ssl->in_iv = ssl->in_hdr + 13;
kevman	0:38ceb79fef03	6759	}
kevman	0:38ceb79fef03	6760	else
kevman	0:38ceb79fef03	6761	#endif
kevman	0:38ceb79fef03	6762	{
kevman	0:38ceb79fef03	6763	ssl->in_ctr = ssl->in_hdr - 8;
kevman	0:38ceb79fef03	6764	ssl->in_len = ssl->in_hdr + 3;
kevman	0:38ceb79fef03	6765	ssl->in_iv = ssl->in_hdr + 5;
kevman	0:38ceb79fef03	6766	}
kevman	0:38ceb79fef03	6767
kevman	0:38ceb79fef03	6768	/* Offset in_msg from in_iv to allow space for explicit IV, if used. */
kevman	0:38ceb79fef03	6769	if( transform != NULL &&
kevman	0:38ceb79fef03	6770	ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	6771	{
kevman	0:38ceb79fef03	6772	ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
kevman	0:38ceb79fef03	6773	}
kevman	0:38ceb79fef03	6774	else
kevman	0:38ceb79fef03	6775	ssl->in_msg = ssl->in_iv;
kevman	0:38ceb79fef03	6776	}
kevman	0:38ceb79fef03	6777
kevman	0:38ceb79fef03	6778	/*
kevman	0:38ceb79fef03	6779	* Initialize an SSL context
kevman	0:38ceb79fef03	6780	*/
kevman	0:38ceb79fef03	6781	void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6782	{
kevman	0:38ceb79fef03	6783	memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
kevman	0:38ceb79fef03	6784	}
kevman	0:38ceb79fef03	6785
kevman	0:38ceb79fef03	6786	/*
kevman	0:38ceb79fef03	6787	* Setup an SSL context
kevman	0:38ceb79fef03	6788	*/
kevman	0:38ceb79fef03	6789
kevman	0:38ceb79fef03	6790	static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6791	{
kevman	0:38ceb79fef03	6792	/* Set the incoming and outgoing record pointers. */
kevman	0:38ceb79fef03	6793	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6794	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	6795	{
kevman	0:38ceb79fef03	6796	ssl->out_hdr = ssl->out_buf;
kevman	0:38ceb79fef03	6797	ssl->in_hdr = ssl->in_buf;
kevman	0:38ceb79fef03	6798	}
kevman	0:38ceb79fef03	6799	else
kevman	0:38ceb79fef03	6800	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	6801	{
kevman	0:38ceb79fef03	6802	ssl->out_hdr = ssl->out_buf + 8;
kevman	0:38ceb79fef03	6803	ssl->in_hdr = ssl->in_buf + 8;
kevman	0:38ceb79fef03	6804	}
kevman	0:38ceb79fef03	6805
kevman	0:38ceb79fef03	6806	/* Derive other internal pointers. */
kevman	0:38ceb79fef03	6807	ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
kevman	0:38ceb79fef03	6808	ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
kevman	0:38ceb79fef03	6809	}
kevman	0:38ceb79fef03	6810
kevman	0:38ceb79fef03	6811	int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	6812	const mbedtls_ssl_config *conf )
kevman	0:38ceb79fef03	6813	{
kevman	0:38ceb79fef03	6814	int ret;
kevman	0:38ceb79fef03	6815
kevman	0:38ceb79fef03	6816	ssl->conf = conf;
kevman	0:38ceb79fef03	6817
kevman	0:38ceb79fef03	6818	/*
kevman	0:38ceb79fef03	6819	* Prepare base structures
kevman	0:38ceb79fef03	6820	*/
kevman	0:38ceb79fef03	6821
kevman	0:38ceb79fef03	6822	/* Set to NULL in case of an error condition */
kevman	0:38ceb79fef03	6823	ssl->out_buf = NULL;
kevman	0:38ceb79fef03	6824
kevman	0:38ceb79fef03	6825	ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
kevman	0:38ceb79fef03	6826	if( ssl->in_buf == NULL )
kevman	0:38ceb79fef03	6827	{
kevman	0:38ceb79fef03	6828	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
kevman	0:38ceb79fef03	6829	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
kevman	0:38ceb79fef03	6830	goto error;
kevman	0:38ceb79fef03	6831	}
kevman	0:38ceb79fef03	6832
kevman	0:38ceb79fef03	6833	ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
kevman	0:38ceb79fef03	6834	if( ssl->out_buf == NULL )
kevman	0:38ceb79fef03	6835	{
kevman	0:38ceb79fef03	6836	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
kevman	0:38ceb79fef03	6837	ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
kevman	0:38ceb79fef03	6838	goto error;
kevman	0:38ceb79fef03	6839	}
kevman	0:38ceb79fef03	6840
kevman	0:38ceb79fef03	6841	ssl_reset_in_out_pointers( ssl );
kevman	0:38ceb79fef03	6842
kevman	0:38ceb79fef03	6843	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
kevman	0:38ceb79fef03	6844	goto error;
kevman	0:38ceb79fef03	6845
kevman	0:38ceb79fef03	6846	return( 0 );
kevman	0:38ceb79fef03	6847
kevman	0:38ceb79fef03	6848	error:
kevman	0:38ceb79fef03	6849	mbedtls_free( ssl->in_buf );
kevman	0:38ceb79fef03	6850	mbedtls_free( ssl->out_buf );
kevman	0:38ceb79fef03	6851
kevman	0:38ceb79fef03	6852	ssl->conf = NULL;
kevman	0:38ceb79fef03	6853
kevman	0:38ceb79fef03	6854	ssl->in_buf = NULL;
kevman	0:38ceb79fef03	6855	ssl->out_buf = NULL;
kevman	0:38ceb79fef03	6856
kevman	0:38ceb79fef03	6857	ssl->in_hdr = NULL;
kevman	0:38ceb79fef03	6858	ssl->in_ctr = NULL;
kevman	0:38ceb79fef03	6859	ssl->in_len = NULL;
kevman	0:38ceb79fef03	6860	ssl->in_iv = NULL;
kevman	0:38ceb79fef03	6861	ssl->in_msg = NULL;
kevman	0:38ceb79fef03	6862
kevman	0:38ceb79fef03	6863	ssl->out_hdr = NULL;
kevman	0:38ceb79fef03	6864	ssl->out_ctr = NULL;
kevman	0:38ceb79fef03	6865	ssl->out_len = NULL;
kevman	0:38ceb79fef03	6866	ssl->out_iv = NULL;
kevman	0:38ceb79fef03	6867	ssl->out_msg = NULL;
kevman	0:38ceb79fef03	6868
kevman	0:38ceb79fef03	6869	return( ret );
kevman	0:38ceb79fef03	6870	}
kevman	0:38ceb79fef03	6871
kevman	0:38ceb79fef03	6872	/*
kevman	0:38ceb79fef03	6873	* Reset an initialized and used SSL context for re-use while retaining
kevman	0:38ceb79fef03	6874	* all application-set variables, function pointers and data.
kevman	0:38ceb79fef03	6875	*
kevman	0:38ceb79fef03	6876	* If partial is non-zero, keep data in the input buffer and client ID.
kevman	0:38ceb79fef03	6877	* (Use when a DTLS client reconnects from the same port.)
kevman	0:38ceb79fef03	6878	*/
kevman	0:38ceb79fef03	6879	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
kevman	0:38ceb79fef03	6880	{
kevman	0:38ceb79fef03	6881	int ret;
kevman	0:38ceb79fef03	6882
kevman	0:38ceb79fef03	6883	#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) \|\| \
kevman	0:38ceb79fef03	6884	!defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	6885	((void) partial);
kevman	0:38ceb79fef03	6886	#endif
kevman	0:38ceb79fef03	6887
kevman	0:38ceb79fef03	6888	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
kevman	0:38ceb79fef03	6889
kevman	0:38ceb79fef03	6890	/* Cancel any possibly running timer */
kevman	0:38ceb79fef03	6891	ssl_set_timer( ssl, 0 );
kevman	0:38ceb79fef03	6892
kevman	0:38ceb79fef03	6893	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	6894	ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
kevman	0:38ceb79fef03	6895	ssl->renego_records_seen = 0;
kevman	0:38ceb79fef03	6896
kevman	0:38ceb79fef03	6897	ssl->verify_data_len = 0;
kevman	0:38ceb79fef03	6898	memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
kevman	0:38ceb79fef03	6899	memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
kevman	0:38ceb79fef03	6900	#endif
kevman	0:38ceb79fef03	6901	ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
kevman	0:38ceb79fef03	6902
kevman	0:38ceb79fef03	6903	ssl->in_offt = NULL;
kevman	0:38ceb79fef03	6904	ssl_reset_in_out_pointers( ssl );
kevman	0:38ceb79fef03	6905
kevman	0:38ceb79fef03	6906	ssl->in_msgtype = 0;
kevman	0:38ceb79fef03	6907	ssl->in_msglen = 0;
kevman	0:38ceb79fef03	6908	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	6909	ssl->next_record_offset = 0;
kevman	0:38ceb79fef03	6910	ssl->in_epoch = 0;
kevman	0:38ceb79fef03	6911	#endif
kevman	0:38ceb79fef03	6912	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	6913	ssl_dtls_replay_reset( ssl );
kevman	0:38ceb79fef03	6914	#endif
kevman	0:38ceb79fef03	6915
kevman	0:38ceb79fef03	6916	ssl->in_hslen = 0;
kevman	0:38ceb79fef03	6917	ssl->nb_zero = 0;
kevman	0:38ceb79fef03	6918
kevman	0:38ceb79fef03	6919	ssl->keep_current_message = 0;
kevman	0:38ceb79fef03	6920
kevman	0:38ceb79fef03	6921	ssl->out_msgtype = 0;
kevman	0:38ceb79fef03	6922	ssl->out_msglen = 0;
kevman	0:38ceb79fef03	6923	ssl->out_left = 0;
kevman	0:38ceb79fef03	6924	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
kevman	0:38ceb79fef03	6925	if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
kevman	0:38ceb79fef03	6926	ssl->split_done = 0;
kevman	0:38ceb79fef03	6927	#endif
kevman	0:38ceb79fef03	6928
kevman	0:38ceb79fef03	6929	memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
kevman	0:38ceb79fef03	6930
kevman	0:38ceb79fef03	6931	ssl->transform_in = NULL;
kevman	0:38ceb79fef03	6932	ssl->transform_out = NULL;
kevman	0:38ceb79fef03	6933
kevman	0:38ceb79fef03	6934	ssl->session_in = NULL;
kevman	0:38ceb79fef03	6935	ssl->session_out = NULL;
kevman	0:38ceb79fef03	6936
kevman	0:38ceb79fef03	6937	memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
kevman	0:38ceb79fef03	6938
kevman	0:38ceb79fef03	6939	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	6940	if( partial == 0 )
kevman	0:38ceb79fef03	6941	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	6942	{
kevman	0:38ceb79fef03	6943	ssl->in_left = 0;
kevman	0:38ceb79fef03	6944	memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
kevman	0:38ceb79fef03	6945	}
kevman	0:38ceb79fef03	6946
kevman	0:38ceb79fef03	6947	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	6948	if( mbedtls_ssl_hw_record_reset != NULL )
kevman	0:38ceb79fef03	6949	{
kevman	0:38ceb79fef03	6950	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
kevman	0:38ceb79fef03	6951	if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
kevman	0:38ceb79fef03	6952	{
kevman	0:38ceb79fef03	6953	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
kevman	0:38ceb79fef03	6954	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
kevman	0:38ceb79fef03	6955	}
kevman	0:38ceb79fef03	6956	}
kevman	0:38ceb79fef03	6957	#endif
kevman	0:38ceb79fef03	6958
kevman	0:38ceb79fef03	6959	if( ssl->transform )
kevman	0:38ceb79fef03	6960	{
kevman	0:38ceb79fef03	6961	mbedtls_ssl_transform_free( ssl->transform );
kevman	0:38ceb79fef03	6962	mbedtls_free( ssl->transform );
kevman	0:38ceb79fef03	6963	ssl->transform = NULL;
kevman	0:38ceb79fef03	6964	}
kevman	0:38ceb79fef03	6965
kevman	0:38ceb79fef03	6966	if( ssl->session )
kevman	0:38ceb79fef03	6967	{
kevman	0:38ceb79fef03	6968	mbedtls_ssl_session_free( ssl->session );
kevman	0:38ceb79fef03	6969	mbedtls_free( ssl->session );
kevman	0:38ceb79fef03	6970	ssl->session = NULL;
kevman	0:38ceb79fef03	6971	}
kevman	0:38ceb79fef03	6972
kevman	0:38ceb79fef03	6973	#if defined(MBEDTLS_SSL_ALPN)
kevman	0:38ceb79fef03	6974	ssl->alpn_chosen = NULL;
kevman	0:38ceb79fef03	6975	#endif
kevman	0:38ceb79fef03	6976
kevman	0:38ceb79fef03	6977	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	6978	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
kevman	0:38ceb79fef03	6979	if( partial == 0 )
kevman	0:38ceb79fef03	6980	#endif
kevman	0:38ceb79fef03	6981	{
kevman	0:38ceb79fef03	6982	mbedtls_free( ssl->cli_id );
kevman	0:38ceb79fef03	6983	ssl->cli_id = NULL;
kevman	0:38ceb79fef03	6984	ssl->cli_id_len = 0;
kevman	0:38ceb79fef03	6985	}
kevman	0:38ceb79fef03	6986	#endif
kevman	0:38ceb79fef03	6987
kevman	0:38ceb79fef03	6988	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
kevman	0:38ceb79fef03	6989	return( ret );
kevman	0:38ceb79fef03	6990
kevman	0:38ceb79fef03	6991	return( 0 );
kevman	0:38ceb79fef03	6992	}
kevman	0:38ceb79fef03	6993
kevman	0:38ceb79fef03	6994	/*
kevman	0:38ceb79fef03	6995	* Reset an initialized and used SSL context for re-use while retaining
kevman	0:38ceb79fef03	6996	* all application-set variables, function pointers and data.
kevman	0:38ceb79fef03	6997	*/
kevman	0:38ceb79fef03	6998	int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	6999	{
kevman	0:38ceb79fef03	7000	return( ssl_session_reset_int( ssl, 0 ) );
kevman	0:38ceb79fef03	7001	}
kevman	0:38ceb79fef03	7002
kevman	0:38ceb79fef03	7003	/*
kevman	0:38ceb79fef03	7004	* SSL set accessors
kevman	0:38ceb79fef03	7005	*/
kevman	0:38ceb79fef03	7006	void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
kevman	0:38ceb79fef03	7007	{
kevman	0:38ceb79fef03	7008	conf->endpoint = endpoint;
kevman	0:38ceb79fef03	7009	}
kevman	0:38ceb79fef03	7010
kevman	0:38ceb79fef03	7011	void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
kevman	0:38ceb79fef03	7012	{
kevman	0:38ceb79fef03	7013	conf->transport = transport;
kevman	0:38ceb79fef03	7014	}
kevman	0:38ceb79fef03	7015
kevman	0:38ceb79fef03	7016	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	7017	void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
kevman	0:38ceb79fef03	7018	{
kevman	0:38ceb79fef03	7019	conf->anti_replay = mode;
kevman	0:38ceb79fef03	7020	}
kevman	0:38ceb79fef03	7021	#endif
kevman	0:38ceb79fef03	7022
kevman	0:38ceb79fef03	7023	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
kevman	0:38ceb79fef03	7024	void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
kevman	0:38ceb79fef03	7025	{
kevman	0:38ceb79fef03	7026	conf->badmac_limit = limit;
kevman	0:38ceb79fef03	7027	}
kevman	0:38ceb79fef03	7028	#endif
kevman	0:38ceb79fef03	7029
kevman	0:38ceb79fef03	7030	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7031
kevman	0:38ceb79fef03	7032	void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7033	unsigned allow_packing )
kevman	0:38ceb79fef03	7034	{
kevman	0:38ceb79fef03	7035	ssl->disable_datagram_packing = !allow_packing;
kevman	0:38ceb79fef03	7036	}
kevman	0:38ceb79fef03	7037
kevman	0:38ceb79fef03	7038	void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7039	uint32_t min, uint32_t max )
kevman	0:38ceb79fef03	7040	{
kevman	0:38ceb79fef03	7041	conf->hs_timeout_min = min;
kevman	0:38ceb79fef03	7042	conf->hs_timeout_max = max;
kevman	0:38ceb79fef03	7043	}
kevman	0:38ceb79fef03	7044	#endif
kevman	0:38ceb79fef03	7045
kevman	0:38ceb79fef03	7046	void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
kevman	0:38ceb79fef03	7047	{
kevman	0:38ceb79fef03	7048	conf->authmode = authmode;
kevman	0:38ceb79fef03	7049	}
kevman	0:38ceb79fef03	7050
kevman	0:38ceb79fef03	7051	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	7052	void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7053	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
kevman	0:38ceb79fef03	7054	void *p_vrfy )
kevman	0:38ceb79fef03	7055	{
kevman	0:38ceb79fef03	7056	conf->f_vrfy = f_vrfy;
kevman	0:38ceb79fef03	7057	conf->p_vrfy = p_vrfy;
kevman	0:38ceb79fef03	7058	}
kevman	0:38ceb79fef03	7059	#endif /* MBEDTLS_X509_CRT_PARSE_C */
kevman	0:38ceb79fef03	7060
kevman	0:38ceb79fef03	7061	void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7062	int (f_rng)(void , unsigned char *, size_t),
kevman	0:38ceb79fef03	7063	void *p_rng )
kevman	0:38ceb79fef03	7064	{
kevman	0:38ceb79fef03	7065	conf->f_rng = f_rng;
kevman	0:38ceb79fef03	7066	conf->p_rng = p_rng;
kevman	0:38ceb79fef03	7067	}
kevman	0:38ceb79fef03	7068
kevman	0:38ceb79fef03	7069	void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7070	void (f_dbg)(void , int, const char , int, const char ),
kevman	0:38ceb79fef03	7071	void *p_dbg )
kevman	0:38ceb79fef03	7072	{
kevman	0:38ceb79fef03	7073	conf->f_dbg = f_dbg;
kevman	0:38ceb79fef03	7074	conf->p_dbg = p_dbg;
kevman	0:38ceb79fef03	7075	}
kevman	0:38ceb79fef03	7076
kevman	0:38ceb79fef03	7077	void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7078	void *p_bio,
kevman	0:38ceb79fef03	7079	mbedtls_ssl_send_t *f_send,
kevman	0:38ceb79fef03	7080	mbedtls_ssl_recv_t *f_recv,
kevman	0:38ceb79fef03	7081	mbedtls_ssl_recv_timeout_t *f_recv_timeout )
kevman	0:38ceb79fef03	7082	{
kevman	0:38ceb79fef03	7083	ssl->p_bio = p_bio;
kevman	0:38ceb79fef03	7084	ssl->f_send = f_send;
kevman	0:38ceb79fef03	7085	ssl->f_recv = f_recv;
kevman	0:38ceb79fef03	7086	ssl->f_recv_timeout = f_recv_timeout;
kevman	0:38ceb79fef03	7087	}
kevman	0:38ceb79fef03	7088
kevman	0:38ceb79fef03	7089	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7090	void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
kevman	0:38ceb79fef03	7091	{
kevman	0:38ceb79fef03	7092	ssl->mtu = mtu;
kevman	0:38ceb79fef03	7093	}
kevman	0:38ceb79fef03	7094	#endif
kevman	0:38ceb79fef03	7095
kevman	0:38ceb79fef03	7096	void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
kevman	0:38ceb79fef03	7097	{
kevman	0:38ceb79fef03	7098	conf->read_timeout = timeout;
kevman	0:38ceb79fef03	7099	}
kevman	0:38ceb79fef03	7100
kevman	0:38ceb79fef03	7101	void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7102	void *p_timer,
kevman	0:38ceb79fef03	7103	mbedtls_ssl_set_timer_t *f_set_timer,
kevman	0:38ceb79fef03	7104	mbedtls_ssl_get_timer_t *f_get_timer )
kevman	0:38ceb79fef03	7105	{
kevman	0:38ceb79fef03	7106	ssl->p_timer = p_timer;
kevman	0:38ceb79fef03	7107	ssl->f_set_timer = f_set_timer;
kevman	0:38ceb79fef03	7108	ssl->f_get_timer = f_get_timer;
kevman	0:38ceb79fef03	7109
kevman	0:38ceb79fef03	7110	/* Make sure we start with no timer running */
kevman	0:38ceb79fef03	7111	ssl_set_timer( ssl, 0 );
kevman	0:38ceb79fef03	7112	}
kevman	0:38ceb79fef03	7113
kevman	0:38ceb79fef03	7114	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	7115	void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7116	void *p_cache,
kevman	0:38ceb79fef03	7117	int (f_get_cache)(void , mbedtls_ssl_session *),
kevman	0:38ceb79fef03	7118	int (f_set_cache)(void , const mbedtls_ssl_session *) )
kevman	0:38ceb79fef03	7119	{
kevman	0:38ceb79fef03	7120	conf->p_cache = p_cache;
kevman	0:38ceb79fef03	7121	conf->f_get_cache = f_get_cache;
kevman	0:38ceb79fef03	7122	conf->f_set_cache = f_set_cache;
kevman	0:38ceb79fef03	7123	}
kevman	0:38ceb79fef03	7124	#endif /* MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	7125
kevman	0:38ceb79fef03	7126	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	7127	int mbedtls_ssl_set_session( mbedtls_ssl_context ssl, const mbedtls_ssl_session session )
kevman	0:38ceb79fef03	7128	{
kevman	0:38ceb79fef03	7129	int ret;
kevman	0:38ceb79fef03	7130
kevman	0:38ceb79fef03	7131	if( ssl == NULL \|\|
kevman	0:38ceb79fef03	7132	session == NULL \|\|
kevman	0:38ceb79fef03	7133	ssl->session_negotiate == NULL \|\|
kevman	0:38ceb79fef03	7134	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	7135	{
kevman	0:38ceb79fef03	7136	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7137	}
kevman	0:38ceb79fef03	7138
kevman	0:38ceb79fef03	7139	if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
kevman	0:38ceb79fef03	7140	return( ret );
kevman	0:38ceb79fef03	7141
kevman	0:38ceb79fef03	7142	ssl->handshake->resume = 1;
kevman	0:38ceb79fef03	7143
kevman	0:38ceb79fef03	7144	return( 0 );
kevman	0:38ceb79fef03	7145	}
kevman	0:38ceb79fef03	7146	#endif /* MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	7147
kevman	0:38ceb79fef03	7148	void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7149	const int *ciphersuites )
kevman	0:38ceb79fef03	7150	{
kevman	0:38ceb79fef03	7151	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
kevman	0:38ceb79fef03	7152	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
kevman	0:38ceb79fef03	7153	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
kevman	0:38ceb79fef03	7154	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
kevman	0:38ceb79fef03	7155	}
kevman	0:38ceb79fef03	7156
kevman	0:38ceb79fef03	7157	void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7158	const int *ciphersuites,
kevman	0:38ceb79fef03	7159	int major, int minor )
kevman	0:38ceb79fef03	7160	{
kevman	0:38ceb79fef03	7161	if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
kevman	0:38ceb79fef03	7162	return;
kevman	0:38ceb79fef03	7163
kevman	0:38ceb79fef03	7164	if( minor < MBEDTLS_SSL_MINOR_VERSION_0 \|\| minor > MBEDTLS_SSL_MINOR_VERSION_3 )
kevman	0:38ceb79fef03	7165	return;
kevman	0:38ceb79fef03	7166
kevman	0:38ceb79fef03	7167	conf->ciphersuite_list[minor] = ciphersuites;
kevman	0:38ceb79fef03	7168	}
kevman	0:38ceb79fef03	7169
kevman	0:38ceb79fef03	7170	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	7171	void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7172	const mbedtls_x509_crt_profile *profile )
kevman	0:38ceb79fef03	7173	{
kevman	0:38ceb79fef03	7174	conf->cert_profile = profile;
kevman	0:38ceb79fef03	7175	}
kevman	0:38ceb79fef03	7176
kevman	0:38ceb79fef03	7177	/* Append a new keycert entry to a (possibly empty) list */
kevman	0:38ceb79fef03	7178	static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
kevman	0:38ceb79fef03	7179	mbedtls_x509_crt *cert,
kevman	0:38ceb79fef03	7180	mbedtls_pk_context *key )
kevman	0:38ceb79fef03	7181	{
kevman	0:38ceb79fef03	7182	mbedtls_ssl_key_cert *new_cert;
kevman	0:38ceb79fef03	7183
kevman	0:38ceb79fef03	7184	new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
kevman	0:38ceb79fef03	7185	if( new_cert == NULL )
kevman	0:38ceb79fef03	7186	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	7187
kevman	0:38ceb79fef03	7188	new_cert->cert = cert;
kevman	0:38ceb79fef03	7189	new_cert->key = key;
kevman	0:38ceb79fef03	7190	new_cert->next = NULL;
kevman	0:38ceb79fef03	7191
kevman	0:38ceb79fef03	7192	/* Update head is the list was null, else add to the end */
kevman	0:38ceb79fef03	7193	if( *head == NULL )
kevman	0:38ceb79fef03	7194	{
kevman	0:38ceb79fef03	7195	*head = new_cert;
kevman	0:38ceb79fef03	7196	}
kevman	0:38ceb79fef03	7197	else
kevman	0:38ceb79fef03	7198	{
kevman	0:38ceb79fef03	7199	mbedtls_ssl_key_cert cur = head;
kevman	0:38ceb79fef03	7200	while( cur->next != NULL )
kevman	0:38ceb79fef03	7201	cur = cur->next;
kevman	0:38ceb79fef03	7202	cur->next = new_cert;
kevman	0:38ceb79fef03	7203	}
kevman	0:38ceb79fef03	7204
kevman	0:38ceb79fef03	7205	return( 0 );
kevman	0:38ceb79fef03	7206	}
kevman	0:38ceb79fef03	7207
kevman	0:38ceb79fef03	7208	int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7209	mbedtls_x509_crt *own_cert,
kevman	0:38ceb79fef03	7210	mbedtls_pk_context *pk_key )
kevman	0:38ceb79fef03	7211	{
kevman	0:38ceb79fef03	7212	return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
kevman	0:38ceb79fef03	7213	}
kevman	0:38ceb79fef03	7214
kevman	0:38ceb79fef03	7215	void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7216	mbedtls_x509_crt *ca_chain,
kevman	0:38ceb79fef03	7217	mbedtls_x509_crl *ca_crl )
kevman	0:38ceb79fef03	7218	{
kevman	0:38ceb79fef03	7219	conf->ca_chain = ca_chain;
kevman	0:38ceb79fef03	7220	conf->ca_crl = ca_crl;
kevman	0:38ceb79fef03	7221	}
kevman	0:38ceb79fef03	7222	#endif /* MBEDTLS_X509_CRT_PARSE_C */
kevman	0:38ceb79fef03	7223
kevman	0:38ceb79fef03	7224	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
kevman	0:38ceb79fef03	7225	int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7226	mbedtls_x509_crt *own_cert,
kevman	0:38ceb79fef03	7227	mbedtls_pk_context *pk_key )
kevman	0:38ceb79fef03	7228	{
kevman	0:38ceb79fef03	7229	return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
kevman	0:38ceb79fef03	7230	own_cert, pk_key ) );
kevman	0:38ceb79fef03	7231	}
kevman	0:38ceb79fef03	7232
kevman	0:38ceb79fef03	7233	void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7234	mbedtls_x509_crt *ca_chain,
kevman	0:38ceb79fef03	7235	mbedtls_x509_crl *ca_crl )
kevman	0:38ceb79fef03	7236	{
kevman	0:38ceb79fef03	7237	ssl->handshake->sni_ca_chain = ca_chain;
kevman	0:38ceb79fef03	7238	ssl->handshake->sni_ca_crl = ca_crl;
kevman	0:38ceb79fef03	7239	}
kevman	0:38ceb79fef03	7240
kevman	0:38ceb79fef03	7241	void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7242	int authmode )
kevman	0:38ceb79fef03	7243	{
kevman	0:38ceb79fef03	7244	ssl->handshake->sni_authmode = authmode;
kevman	0:38ceb79fef03	7245	}
kevman	0:38ceb79fef03	7246	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
kevman	0:38ceb79fef03	7247
kevman	0:38ceb79fef03	7248	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
kevman	0:38ceb79fef03	7249	/*
kevman	0:38ceb79fef03	7250	* Set EC J-PAKE password for current handshake
kevman	0:38ceb79fef03	7251	*/
kevman	0:38ceb79fef03	7252	int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7253	const unsigned char *pw,
kevman	0:38ceb79fef03	7254	size_t pw_len )
kevman	0:38ceb79fef03	7255	{
kevman	0:38ceb79fef03	7256	mbedtls_ecjpake_role role;
kevman	0:38ceb79fef03	7257
kevman	0:38ceb79fef03	7258	if( ssl->handshake == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	7259	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7260
kevman	0:38ceb79fef03	7261	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	7262	role = MBEDTLS_ECJPAKE_SERVER;
kevman	0:38ceb79fef03	7263	else
kevman	0:38ceb79fef03	7264	role = MBEDTLS_ECJPAKE_CLIENT;
kevman	0:38ceb79fef03	7265
kevman	0:38ceb79fef03	7266	return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
kevman	0:38ceb79fef03	7267	role,
kevman	0:38ceb79fef03	7268	MBEDTLS_MD_SHA256,
kevman	0:38ceb79fef03	7269	MBEDTLS_ECP_DP_SECP256R1,
kevman	0:38ceb79fef03	7270	pw, pw_len ) );
kevman	0:38ceb79fef03	7271	}
kevman	0:38ceb79fef03	7272	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
kevman	0:38ceb79fef03	7273
kevman	0:38ceb79fef03	7274	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
kevman	0:38ceb79fef03	7275	int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7276	const unsigned char *psk, size_t psk_len,
kevman	0:38ceb79fef03	7277	const unsigned char *psk_identity, size_t psk_identity_len )
kevman	0:38ceb79fef03	7278	{
kevman	0:38ceb79fef03	7279	if( psk == NULL \|\| psk_identity == NULL )
kevman	0:38ceb79fef03	7280	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7281
kevman	0:38ceb79fef03	7282	if( psk_len > MBEDTLS_PSK_MAX_LEN )
kevman	0:38ceb79fef03	7283	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7284
kevman	0:38ceb79fef03	7285	/* Identity len will be encoded on two bytes */
kevman	0:38ceb79fef03	7286	if( ( psk_identity_len >> 16 ) != 0 \|\|
kevman	0:38ceb79fef03	7287	psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
kevman	0:38ceb79fef03	7288	{
kevman	0:38ceb79fef03	7289	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7290	}
kevman	0:38ceb79fef03	7291
kevman	0:38ceb79fef03	7292	if( conf->psk != NULL )
kevman	0:38ceb79fef03	7293	{
kevman	0:38ceb79fef03	7294	mbedtls_platform_zeroize( conf->psk, conf->psk_len );
kevman	0:38ceb79fef03	7295
kevman	0:38ceb79fef03	7296	mbedtls_free( conf->psk );
kevman	0:38ceb79fef03	7297	conf->psk = NULL;
kevman	0:38ceb79fef03	7298	conf->psk_len = 0;
kevman	0:38ceb79fef03	7299	}
kevman	0:38ceb79fef03	7300	if( conf->psk_identity != NULL )
kevman	0:38ceb79fef03	7301	{
kevman	0:38ceb79fef03	7302	mbedtls_free( conf->psk_identity );
kevman	0:38ceb79fef03	7303	conf->psk_identity = NULL;
kevman	0:38ceb79fef03	7304	conf->psk_identity_len = 0;
kevman	0:38ceb79fef03	7305	}
kevman	0:38ceb79fef03	7306
kevman	0:38ceb79fef03	7307	if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL \|\|
kevman	0:38ceb79fef03	7308	( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
kevman	0:38ceb79fef03	7309	{
kevman	0:38ceb79fef03	7310	mbedtls_free( conf->psk );
kevman	0:38ceb79fef03	7311	mbedtls_free( conf->psk_identity );
kevman	0:38ceb79fef03	7312	conf->psk = NULL;
kevman	0:38ceb79fef03	7313	conf->psk_identity = NULL;
kevman	0:38ceb79fef03	7314	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	7315	}
kevman	0:38ceb79fef03	7316
kevman	0:38ceb79fef03	7317	conf->psk_len = psk_len;
kevman	0:38ceb79fef03	7318	conf->psk_identity_len = psk_identity_len;
kevman	0:38ceb79fef03	7319
kevman	0:38ceb79fef03	7320	memcpy( conf->psk, psk, conf->psk_len );
kevman	0:38ceb79fef03	7321	memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
kevman	0:38ceb79fef03	7322
kevman	0:38ceb79fef03	7323	return( 0 );
kevman	0:38ceb79fef03	7324	}
kevman	0:38ceb79fef03	7325
kevman	0:38ceb79fef03	7326	int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7327	const unsigned char *psk, size_t psk_len )
kevman	0:38ceb79fef03	7328	{
kevman	0:38ceb79fef03	7329	if( psk == NULL \|\| ssl->handshake == NULL )
kevman	0:38ceb79fef03	7330	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7331
kevman	0:38ceb79fef03	7332	if( psk_len > MBEDTLS_PSK_MAX_LEN )
kevman	0:38ceb79fef03	7333	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7334
kevman	0:38ceb79fef03	7335	if( ssl->handshake->psk != NULL )
kevman	0:38ceb79fef03	7336	{
kevman	0:38ceb79fef03	7337	mbedtls_platform_zeroize( ssl->handshake->psk,
kevman	0:38ceb79fef03	7338	ssl->handshake->psk_len );
kevman	0:38ceb79fef03	7339	mbedtls_free( ssl->handshake->psk );
kevman	0:38ceb79fef03	7340	ssl->handshake->psk_len = 0;
kevman	0:38ceb79fef03	7341	}
kevman	0:38ceb79fef03	7342
kevman	0:38ceb79fef03	7343	if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
kevman	0:38ceb79fef03	7344	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	7345
kevman	0:38ceb79fef03	7346	ssl->handshake->psk_len = psk_len;
kevman	0:38ceb79fef03	7347	memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
kevman	0:38ceb79fef03	7348
kevman	0:38ceb79fef03	7349	return( 0 );
kevman	0:38ceb79fef03	7350	}
kevman	0:38ceb79fef03	7351
kevman	0:38ceb79fef03	7352	void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7353	int (f_psk)(void , mbedtls_ssl_context , const unsigned char ,
kevman	0:38ceb79fef03	7354	size_t),
kevman	0:38ceb79fef03	7355	void *p_psk )
kevman	0:38ceb79fef03	7356	{
kevman	0:38ceb79fef03	7357	conf->f_psk = f_psk;
kevman	0:38ceb79fef03	7358	conf->p_psk = p_psk;
kevman	0:38ceb79fef03	7359	}
kevman	0:38ceb79fef03	7360	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
kevman	0:38ceb79fef03	7361
kevman	0:38ceb79fef03	7362	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	7363
kevman	0:38ceb79fef03	7364	#if !defined(MBEDTLS_DEPRECATED_REMOVED)
kevman	0:38ceb79fef03	7365	int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config conf, const char dhm_P, const char *dhm_G )
kevman	0:38ceb79fef03	7366	{
kevman	0:38ceb79fef03	7367	int ret;
kevman	0:38ceb79fef03	7368
kevman	0:38ceb79fef03	7369	if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 \|\|
kevman	0:38ceb79fef03	7370	( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
kevman	0:38ceb79fef03	7371	{
kevman	0:38ceb79fef03	7372	mbedtls_mpi_free( &conf->dhm_P );
kevman	0:38ceb79fef03	7373	mbedtls_mpi_free( &conf->dhm_G );
kevman	0:38ceb79fef03	7374	return( ret );
kevman	0:38ceb79fef03	7375	}
kevman	0:38ceb79fef03	7376
kevman	0:38ceb79fef03	7377	return( 0 );
kevman	0:38ceb79fef03	7378	}
kevman	0:38ceb79fef03	7379	#endif /* MBEDTLS_DEPRECATED_REMOVED */
kevman	0:38ceb79fef03	7380
kevman	0:38ceb79fef03	7381	int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7382	const unsigned char *dhm_P, size_t P_len,
kevman	0:38ceb79fef03	7383	const unsigned char *dhm_G, size_t G_len )
kevman	0:38ceb79fef03	7384	{
kevman	0:38ceb79fef03	7385	int ret;
kevman	0:38ceb79fef03	7386
kevman	0:38ceb79fef03	7387	if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 \|\|
kevman	0:38ceb79fef03	7388	( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
kevman	0:38ceb79fef03	7389	{
kevman	0:38ceb79fef03	7390	mbedtls_mpi_free( &conf->dhm_P );
kevman	0:38ceb79fef03	7391	mbedtls_mpi_free( &conf->dhm_G );
kevman	0:38ceb79fef03	7392	return( ret );
kevman	0:38ceb79fef03	7393	}
kevman	0:38ceb79fef03	7394
kevman	0:38ceb79fef03	7395	return( 0 );
kevman	0:38ceb79fef03	7396	}
kevman	0:38ceb79fef03	7397
kevman	0:38ceb79fef03	7398	int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config conf, mbedtls_dhm_context dhm_ctx )
kevman	0:38ceb79fef03	7399	{
kevman	0:38ceb79fef03	7400	int ret;
kevman	0:38ceb79fef03	7401
kevman	0:38ceb79fef03	7402	if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 \|\|
kevman	0:38ceb79fef03	7403	( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
kevman	0:38ceb79fef03	7404	{
kevman	0:38ceb79fef03	7405	mbedtls_mpi_free( &conf->dhm_P );
kevman	0:38ceb79fef03	7406	mbedtls_mpi_free( &conf->dhm_G );
kevman	0:38ceb79fef03	7407	return( ret );
kevman	0:38ceb79fef03	7408	}
kevman	0:38ceb79fef03	7409
kevman	0:38ceb79fef03	7410	return( 0 );
kevman	0:38ceb79fef03	7411	}
kevman	0:38ceb79fef03	7412	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	7413
kevman	0:38ceb79fef03	7414	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	7415	/*
kevman	0:38ceb79fef03	7416	* Set the minimum length for Diffie-Hellman parameters
kevman	0:38ceb79fef03	7417	*/
kevman	0:38ceb79fef03	7418	void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7419	unsigned int bitlen )
kevman	0:38ceb79fef03	7420	{
kevman	0:38ceb79fef03	7421	conf->dhm_min_bitlen = bitlen;
kevman	0:38ceb79fef03	7422	}
kevman	0:38ceb79fef03	7423	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	7424
kevman	0:38ceb79fef03	7425	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	7426	/*
kevman	0:38ceb79fef03	7427	* Set allowed/preferred hashes for handshake signatures
kevman	0:38ceb79fef03	7428	*/
kevman	0:38ceb79fef03	7429	void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7430	const int *hashes )
kevman	0:38ceb79fef03	7431	{
kevman	0:38ceb79fef03	7432	conf->sig_hashes = hashes;
kevman	0:38ceb79fef03	7433	}
kevman	0:38ceb79fef03	7434	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
kevman	0:38ceb79fef03	7435
kevman	0:38ceb79fef03	7436	#if defined(MBEDTLS_ECP_C)
kevman	0:38ceb79fef03	7437	/*
kevman	0:38ceb79fef03	7438	* Set the allowed elliptic curves
kevman	0:38ceb79fef03	7439	*/
kevman	0:38ceb79fef03	7440	void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7441	const mbedtls_ecp_group_id *curve_list )
kevman	0:38ceb79fef03	7442	{
kevman	0:38ceb79fef03	7443	conf->curve_list = curve_list;
kevman	0:38ceb79fef03	7444	}
kevman	0:38ceb79fef03	7445	#endif /* MBEDTLS_ECP_C */
kevman	0:38ceb79fef03	7446
kevman	0:38ceb79fef03	7447	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	7448	int mbedtls_ssl_set_hostname( mbedtls_ssl_context ssl, const char hostname )
kevman	0:38ceb79fef03	7449	{
kevman	0:38ceb79fef03	7450	/* Initialize to suppress unnecessary compiler warning */
kevman	0:38ceb79fef03	7451	size_t hostname_len = 0;
kevman	0:38ceb79fef03	7452
kevman	0:38ceb79fef03	7453	/* Check if new hostname is valid before
kevman	0:38ceb79fef03	7454	* making any change to current one */
kevman	0:38ceb79fef03	7455	if( hostname != NULL )
kevman	0:38ceb79fef03	7456	{
kevman	0:38ceb79fef03	7457	hostname_len = strlen( hostname );
kevman	0:38ceb79fef03	7458
kevman	0:38ceb79fef03	7459	if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
kevman	0:38ceb79fef03	7460	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7461	}
kevman	0:38ceb79fef03	7462
kevman	0:38ceb79fef03	7463	/* Now it's clear that we will overwrite the old hostname,
kevman	0:38ceb79fef03	7464	* so we can free it safely */
kevman	0:38ceb79fef03	7465
kevman	0:38ceb79fef03	7466	if( ssl->hostname != NULL )
kevman	0:38ceb79fef03	7467	{
kevman	0:38ceb79fef03	7468	mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
kevman	0:38ceb79fef03	7469	mbedtls_free( ssl->hostname );
kevman	0:38ceb79fef03	7470	}
kevman	0:38ceb79fef03	7471
kevman	0:38ceb79fef03	7472	/* Passing NULL as hostname shall clear the old one */
kevman	0:38ceb79fef03	7473
kevman	0:38ceb79fef03	7474	if( hostname == NULL )
kevman	0:38ceb79fef03	7475	{
kevman	0:38ceb79fef03	7476	ssl->hostname = NULL;
kevman	0:38ceb79fef03	7477	}
kevman	0:38ceb79fef03	7478	else
kevman	0:38ceb79fef03	7479	{
kevman	0:38ceb79fef03	7480	ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
kevman	0:38ceb79fef03	7481	if( ssl->hostname == NULL )
kevman	0:38ceb79fef03	7482	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
kevman	0:38ceb79fef03	7483
kevman	0:38ceb79fef03	7484	memcpy( ssl->hostname, hostname, hostname_len );
kevman	0:38ceb79fef03	7485
kevman	0:38ceb79fef03	7486	ssl->hostname[hostname_len] = '\0';
kevman	0:38ceb79fef03	7487	}
kevman	0:38ceb79fef03	7488
kevman	0:38ceb79fef03	7489	return( 0 );
kevman	0:38ceb79fef03	7490	}
kevman	0:38ceb79fef03	7491	#endif /* MBEDTLS_X509_CRT_PARSE_C */
kevman	0:38ceb79fef03	7492
kevman	0:38ceb79fef03	7493	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
kevman	0:38ceb79fef03	7494	void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7495	int (f_sni)(void , mbedtls_ssl_context *,
kevman	0:38ceb79fef03	7496	const unsigned char *, size_t),
kevman	0:38ceb79fef03	7497	void *p_sni )
kevman	0:38ceb79fef03	7498	{
kevman	0:38ceb79fef03	7499	conf->f_sni = f_sni;
kevman	0:38ceb79fef03	7500	conf->p_sni = p_sni;
kevman	0:38ceb79fef03	7501	}
kevman	0:38ceb79fef03	7502	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
kevman	0:38ceb79fef03	7503
kevman	0:38ceb79fef03	7504	#if defined(MBEDTLS_SSL_ALPN)
kevman	0:38ceb79fef03	7505	int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config conf, const char *protos )
kevman	0:38ceb79fef03	7506	{
kevman	0:38ceb79fef03	7507	size_t cur_len, tot_len;
kevman	0:38ceb79fef03	7508	const char **p;
kevman	0:38ceb79fef03	7509
kevman	0:38ceb79fef03	7510	/*
kevman	0:38ceb79fef03	7511	* RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
kevman	0:38ceb79fef03	7512	* MUST NOT be truncated."
kevman	0:38ceb79fef03	7513	* We check lengths now rather than later.
kevman	0:38ceb79fef03	7514	*/
kevman	0:38ceb79fef03	7515	tot_len = 0;
kevman	0:38ceb79fef03	7516	for( p = protos; *p != NULL; p++ )
kevman	0:38ceb79fef03	7517	{
kevman	0:38ceb79fef03	7518	cur_len = strlen( *p );
kevman	0:38ceb79fef03	7519	tot_len += cur_len;
kevman	0:38ceb79fef03	7520
kevman	0:38ceb79fef03	7521	if( cur_len == 0 \|\| cur_len > 255 \|\| tot_len > 65535 )
kevman	0:38ceb79fef03	7522	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7523	}
kevman	0:38ceb79fef03	7524
kevman	0:38ceb79fef03	7525	conf->alpn_list = protos;
kevman	0:38ceb79fef03	7526
kevman	0:38ceb79fef03	7527	return( 0 );
kevman	0:38ceb79fef03	7528	}
kevman	0:38ceb79fef03	7529
kevman	0:38ceb79fef03	7530	const char mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context ssl )
kevman	0:38ceb79fef03	7531	{
kevman	0:38ceb79fef03	7532	return( ssl->alpn_chosen );
kevman	0:38ceb79fef03	7533	}
kevman	0:38ceb79fef03	7534	#endif /* MBEDTLS_SSL_ALPN */
kevman	0:38ceb79fef03	7535
kevman	0:38ceb79fef03	7536	void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
kevman	0:38ceb79fef03	7537	{
kevman	0:38ceb79fef03	7538	conf->max_major_ver = major;
kevman	0:38ceb79fef03	7539	conf->max_minor_ver = minor;
kevman	0:38ceb79fef03	7540	}
kevman	0:38ceb79fef03	7541
kevman	0:38ceb79fef03	7542	void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
kevman	0:38ceb79fef03	7543	{
kevman	0:38ceb79fef03	7544	conf->min_major_ver = major;
kevman	0:38ceb79fef03	7545	conf->min_minor_ver = minor;
kevman	0:38ceb79fef03	7546	}
kevman	0:38ceb79fef03	7547
kevman	0:38ceb79fef03	7548	#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	7549	void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
kevman	0:38ceb79fef03	7550	{
kevman	0:38ceb79fef03	7551	conf->fallback = fallback;
kevman	0:38ceb79fef03	7552	}
kevman	0:38ceb79fef03	7553	#endif
kevman	0:38ceb79fef03	7554
kevman	0:38ceb79fef03	7555	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	7556	void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7557	char cert_req_ca_list )
kevman	0:38ceb79fef03	7558	{
kevman	0:38ceb79fef03	7559	conf->cert_req_ca_list = cert_req_ca_list;
kevman	0:38ceb79fef03	7560	}
kevman	0:38ceb79fef03	7561	#endif
kevman	0:38ceb79fef03	7562
kevman	0:38ceb79fef03	7563	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
kevman	0:38ceb79fef03	7564	void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
kevman	0:38ceb79fef03	7565	{
kevman	0:38ceb79fef03	7566	conf->encrypt_then_mac = etm;
kevman	0:38ceb79fef03	7567	}
kevman	0:38ceb79fef03	7568	#endif
kevman	0:38ceb79fef03	7569
kevman	0:38ceb79fef03	7570	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
kevman	0:38ceb79fef03	7571	void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
kevman	0:38ceb79fef03	7572	{
kevman	0:38ceb79fef03	7573	conf->extended_ms = ems;
kevman	0:38ceb79fef03	7574	}
kevman	0:38ceb79fef03	7575	#endif
kevman	0:38ceb79fef03	7576
kevman	0:38ceb79fef03	7577	#if defined(MBEDTLS_ARC4_C)
kevman	0:38ceb79fef03	7578	void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
kevman	0:38ceb79fef03	7579	{
kevman	0:38ceb79fef03	7580	conf->arc4_disabled = arc4;
kevman	0:38ceb79fef03	7581	}
kevman	0:38ceb79fef03	7582	#endif
kevman	0:38ceb79fef03	7583
kevman	0:38ceb79fef03	7584	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
kevman	0:38ceb79fef03	7585	int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
kevman	0:38ceb79fef03	7586	{
kevman	0:38ceb79fef03	7587	if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID \|\|
kevman	0:38ceb79fef03	7588	ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
kevman	0:38ceb79fef03	7589	{
kevman	0:38ceb79fef03	7590	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7591	}
kevman	0:38ceb79fef03	7592
kevman	0:38ceb79fef03	7593	conf->mfl_code = mfl_code;
kevman	0:38ceb79fef03	7594
kevman	0:38ceb79fef03	7595	return( 0 );
kevman	0:38ceb79fef03	7596	}
kevman	0:38ceb79fef03	7597	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
kevman	0:38ceb79fef03	7598
kevman	0:38ceb79fef03	7599	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
kevman	0:38ceb79fef03	7600	void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
kevman	0:38ceb79fef03	7601	{
kevman	0:38ceb79fef03	7602	conf->trunc_hmac = truncate;
kevman	0:38ceb79fef03	7603	}
kevman	0:38ceb79fef03	7604	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
kevman	0:38ceb79fef03	7605
kevman	0:38ceb79fef03	7606	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
kevman	0:38ceb79fef03	7607	void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
kevman	0:38ceb79fef03	7608	{
kevman	0:38ceb79fef03	7609	conf->cbc_record_splitting = split;
kevman	0:38ceb79fef03	7610	}
kevman	0:38ceb79fef03	7611	#endif
kevman	0:38ceb79fef03	7612
kevman	0:38ceb79fef03	7613	void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
kevman	0:38ceb79fef03	7614	{
kevman	0:38ceb79fef03	7615	conf->allow_legacy_renegotiation = allow_legacy;
kevman	0:38ceb79fef03	7616	}
kevman	0:38ceb79fef03	7617
kevman	0:38ceb79fef03	7618	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	7619	void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
kevman	0:38ceb79fef03	7620	{
kevman	0:38ceb79fef03	7621	conf->disable_renegotiation = renegotiation;
kevman	0:38ceb79fef03	7622	}
kevman	0:38ceb79fef03	7623
kevman	0:38ceb79fef03	7624	void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
kevman	0:38ceb79fef03	7625	{
kevman	0:38ceb79fef03	7626	conf->renego_max_records = max_records;
kevman	0:38ceb79fef03	7627	}
kevman	0:38ceb79fef03	7628
kevman	0:38ceb79fef03	7629	void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7630	const unsigned char period[8] )
kevman	0:38ceb79fef03	7631	{
kevman	0:38ceb79fef03	7632	memcpy( conf->renego_period, period, 8 );
kevman	0:38ceb79fef03	7633	}
kevman	0:38ceb79fef03	7634	#endif /* MBEDTLS_SSL_RENEGOTIATION */
kevman	0:38ceb79fef03	7635
kevman	0:38ceb79fef03	7636	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
kevman	0:38ceb79fef03	7637	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	7638	void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
kevman	0:38ceb79fef03	7639	{
kevman	0:38ceb79fef03	7640	conf->session_tickets = use_tickets;
kevman	0:38ceb79fef03	7641	}
kevman	0:38ceb79fef03	7642	#endif
kevman	0:38ceb79fef03	7643
kevman	0:38ceb79fef03	7644	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	7645	void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7646	mbedtls_ssl_ticket_write_t *f_ticket_write,
kevman	0:38ceb79fef03	7647	mbedtls_ssl_ticket_parse_t *f_ticket_parse,
kevman	0:38ceb79fef03	7648	void *p_ticket )
kevman	0:38ceb79fef03	7649	{
kevman	0:38ceb79fef03	7650	conf->f_ticket_write = f_ticket_write;
kevman	0:38ceb79fef03	7651	conf->f_ticket_parse = f_ticket_parse;
kevman	0:38ceb79fef03	7652	conf->p_ticket = p_ticket;
kevman	0:38ceb79fef03	7653	}
kevman	0:38ceb79fef03	7654	#endif
kevman	0:38ceb79fef03	7655	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
kevman	0:38ceb79fef03	7656
kevman	0:38ceb79fef03	7657	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
kevman	0:38ceb79fef03	7658	void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7659	mbedtls_ssl_export_keys_t *f_export_keys,
kevman	0:38ceb79fef03	7660	void *p_export_keys )
kevman	0:38ceb79fef03	7661	{
kevman	0:38ceb79fef03	7662	conf->f_export_keys = f_export_keys;
kevman	0:38ceb79fef03	7663	conf->p_export_keys = p_export_keys;
kevman	0:38ceb79fef03	7664	}
kevman	0:38ceb79fef03	7665	#endif
kevman	0:38ceb79fef03	7666
kevman	0:38ceb79fef03	7667	#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
kevman	0:38ceb79fef03	7668	void mbedtls_ssl_conf_async_private_cb(
kevman	0:38ceb79fef03	7669	mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	7670	mbedtls_ssl_async_sign_t *f_async_sign,
kevman	0:38ceb79fef03	7671	mbedtls_ssl_async_decrypt_t *f_async_decrypt,
kevman	0:38ceb79fef03	7672	mbedtls_ssl_async_resume_t *f_async_resume,
kevman	0:38ceb79fef03	7673	mbedtls_ssl_async_cancel_t *f_async_cancel,
kevman	0:38ceb79fef03	7674	void *async_config_data )
kevman	0:38ceb79fef03	7675	{
kevman	0:38ceb79fef03	7676	conf->f_async_sign_start = f_async_sign;
kevman	0:38ceb79fef03	7677	conf->f_async_decrypt_start = f_async_decrypt;
kevman	0:38ceb79fef03	7678	conf->f_async_resume = f_async_resume;
kevman	0:38ceb79fef03	7679	conf->f_async_cancel = f_async_cancel;
kevman	0:38ceb79fef03	7680	conf->p_async_config_data = async_config_data;
kevman	0:38ceb79fef03	7681	}
kevman	0:38ceb79fef03	7682
kevman	0:38ceb79fef03	7683	void mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config conf )
kevman	0:38ceb79fef03	7684	{
kevman	0:38ceb79fef03	7685	return( conf->p_async_config_data );
kevman	0:38ceb79fef03	7686	}
kevman	0:38ceb79fef03	7687
kevman	0:38ceb79fef03	7688	void mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context ssl )
kevman	0:38ceb79fef03	7689	{
kevman	0:38ceb79fef03	7690	if( ssl->handshake == NULL )
kevman	0:38ceb79fef03	7691	return( NULL );
kevman	0:38ceb79fef03	7692	else
kevman	0:38ceb79fef03	7693	return( ssl->handshake->user_async_ctx );
kevman	0:38ceb79fef03	7694	}
kevman	0:38ceb79fef03	7695
kevman	0:38ceb79fef03	7696	void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	7697	void *ctx )
kevman	0:38ceb79fef03	7698	{
kevman	0:38ceb79fef03	7699	if( ssl->handshake != NULL )
kevman	0:38ceb79fef03	7700	ssl->handshake->user_async_ctx = ctx;
kevman	0:38ceb79fef03	7701	}
kevman	0:38ceb79fef03	7702	#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
kevman	0:38ceb79fef03	7703
kevman	0:38ceb79fef03	7704	/*
kevman	0:38ceb79fef03	7705	* SSL get accessors
kevman	0:38ceb79fef03	7706	*/
kevman	0:38ceb79fef03	7707	size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7708	{
kevman	0:38ceb79fef03	7709	return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
kevman	0:38ceb79fef03	7710	}
kevman	0:38ceb79fef03	7711
kevman	0:38ceb79fef03	7712	int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7713	{
kevman	0:38ceb79fef03	7714	/*
kevman	0:38ceb79fef03	7715	* Case A: We're currently holding back
kevman	0:38ceb79fef03	7716	* a message for further processing.
kevman	0:38ceb79fef03	7717	*/
kevman	0:38ceb79fef03	7718
kevman	0:38ceb79fef03	7719	if( ssl->keep_current_message == 1 )
kevman	0:38ceb79fef03	7720	{
kevman	0:38ceb79fef03	7721	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
kevman	0:38ceb79fef03	7722	return( 1 );
kevman	0:38ceb79fef03	7723	}
kevman	0:38ceb79fef03	7724
kevman	0:38ceb79fef03	7725	/*
kevman	0:38ceb79fef03	7726	* Case B: Further records are pending in the current datagram.
kevman	0:38ceb79fef03	7727	*/
kevman	0:38ceb79fef03	7728
kevman	0:38ceb79fef03	7729	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7730	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	7731	ssl->in_left > ssl->next_record_offset )
kevman	0:38ceb79fef03	7732	{
kevman	0:38ceb79fef03	7733	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
kevman	0:38ceb79fef03	7734	return( 1 );
kevman	0:38ceb79fef03	7735	}
kevman	0:38ceb79fef03	7736	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	7737
kevman	0:38ceb79fef03	7738	/*
kevman	0:38ceb79fef03	7739	* Case C: A handshake message is being processed.
kevman	0:38ceb79fef03	7740	*/
kevman	0:38ceb79fef03	7741
kevman	0:38ceb79fef03	7742	if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
kevman	0:38ceb79fef03	7743	{
kevman	0:38ceb79fef03	7744	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
kevman	0:38ceb79fef03	7745	return( 1 );
kevman	0:38ceb79fef03	7746	}
kevman	0:38ceb79fef03	7747
kevman	0:38ceb79fef03	7748	/*
kevman	0:38ceb79fef03	7749	* Case D: An application data message is being processed
kevman	0:38ceb79fef03	7750	*/
kevman	0:38ceb79fef03	7751	if( ssl->in_offt != NULL )
kevman	0:38ceb79fef03	7752	{
kevman	0:38ceb79fef03	7753	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
kevman	0:38ceb79fef03	7754	return( 1 );
kevman	0:38ceb79fef03	7755	}
kevman	0:38ceb79fef03	7756
kevman	0:38ceb79fef03	7757	/*
kevman	0:38ceb79fef03	7758	* In all other cases, the rest of the message can be dropped.
kevman	0:38ceb79fef03	7759	* As in ssl_get_next_record, this needs to be adapted if
kevman	0:38ceb79fef03	7760	* we implement support for multiple alerts in single records.
kevman	0:38ceb79fef03	7761	*/
kevman	0:38ceb79fef03	7762
kevman	0:38ceb79fef03	7763	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
kevman	0:38ceb79fef03	7764	return( 0 );
kevman	0:38ceb79fef03	7765	}
kevman	0:38ceb79fef03	7766
kevman	0:38ceb79fef03	7767	uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7768	{
kevman	0:38ceb79fef03	7769	if( ssl->session != NULL )
kevman	0:38ceb79fef03	7770	return( ssl->session->verify_result );
kevman	0:38ceb79fef03	7771
kevman	0:38ceb79fef03	7772	if( ssl->session_negotiate != NULL )
kevman	0:38ceb79fef03	7773	return( ssl->session_negotiate->verify_result );
kevman	0:38ceb79fef03	7774
kevman	0:38ceb79fef03	7775	return( 0xFFFFFFFF );
kevman	0:38ceb79fef03	7776	}
kevman	0:38ceb79fef03	7777
kevman	0:38ceb79fef03	7778	const char mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context ssl )
kevman	0:38ceb79fef03	7779	{
kevman	0:38ceb79fef03	7780	if( ssl == NULL \|\| ssl->session == NULL )
kevman	0:38ceb79fef03	7781	return( NULL );
kevman	0:38ceb79fef03	7782
kevman	0:38ceb79fef03	7783	return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
kevman	0:38ceb79fef03	7784	}
kevman	0:38ceb79fef03	7785
kevman	0:38ceb79fef03	7786	const char mbedtls_ssl_get_version( const mbedtls_ssl_context ssl )
kevman	0:38ceb79fef03	7787	{
kevman	0:38ceb79fef03	7788	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7789	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	7790	{
kevman	0:38ceb79fef03	7791	switch( ssl->minor_ver )
kevman	0:38ceb79fef03	7792	{
kevman	0:38ceb79fef03	7793	case MBEDTLS_SSL_MINOR_VERSION_2:
kevman	0:38ceb79fef03	7794	return( "DTLSv1.0" );
kevman	0:38ceb79fef03	7795
kevman	0:38ceb79fef03	7796	case MBEDTLS_SSL_MINOR_VERSION_3:
kevman	0:38ceb79fef03	7797	return( "DTLSv1.2" );
kevman	0:38ceb79fef03	7798
kevman	0:38ceb79fef03	7799	default:
kevman	0:38ceb79fef03	7800	return( "unknown (DTLS)" );
kevman	0:38ceb79fef03	7801	}
kevman	0:38ceb79fef03	7802	}
kevman	0:38ceb79fef03	7803	#endif
kevman	0:38ceb79fef03	7804
kevman	0:38ceb79fef03	7805	switch( ssl->minor_ver )
kevman	0:38ceb79fef03	7806	{
kevman	0:38ceb79fef03	7807	case MBEDTLS_SSL_MINOR_VERSION_0:
kevman	0:38ceb79fef03	7808	return( "SSLv3.0" );
kevman	0:38ceb79fef03	7809
kevman	0:38ceb79fef03	7810	case MBEDTLS_SSL_MINOR_VERSION_1:
kevman	0:38ceb79fef03	7811	return( "TLSv1.0" );
kevman	0:38ceb79fef03	7812
kevman	0:38ceb79fef03	7813	case MBEDTLS_SSL_MINOR_VERSION_2:
kevman	0:38ceb79fef03	7814	return( "TLSv1.1" );
kevman	0:38ceb79fef03	7815
kevman	0:38ceb79fef03	7816	case MBEDTLS_SSL_MINOR_VERSION_3:
kevman	0:38ceb79fef03	7817	return( "TLSv1.2" );
kevman	0:38ceb79fef03	7818
kevman	0:38ceb79fef03	7819	default:
kevman	0:38ceb79fef03	7820	return( "unknown" );
kevman	0:38ceb79fef03	7821	}
kevman	0:38ceb79fef03	7822	}
kevman	0:38ceb79fef03	7823
kevman	0:38ceb79fef03	7824	int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7825	{
kevman	0:38ceb79fef03	7826	size_t transform_expansion = 0;
kevman	0:38ceb79fef03	7827	const mbedtls_ssl_transform *transform = ssl->transform_out;
kevman	0:38ceb79fef03	7828	unsigned block_size;
kevman	0:38ceb79fef03	7829
kevman	0:38ceb79fef03	7830	if( transform == NULL )
kevman	0:38ceb79fef03	7831	return( (int) mbedtls_ssl_hdr_len( ssl ) );
kevman	0:38ceb79fef03	7832
kevman	0:38ceb79fef03	7833	#if defined(MBEDTLS_ZLIB_SUPPORT)
kevman	0:38ceb79fef03	7834	if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
kevman	0:38ceb79fef03	7835	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
kevman	0:38ceb79fef03	7836	#endif
kevman	0:38ceb79fef03	7837
kevman	0:38ceb79fef03	7838	switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
kevman	0:38ceb79fef03	7839	{
kevman	0:38ceb79fef03	7840	case MBEDTLS_MODE_GCM:
kevman	0:38ceb79fef03	7841	case MBEDTLS_MODE_CCM:
kevman	0:38ceb79fef03	7842	case MBEDTLS_MODE_CHACHAPOLY:
kevman	0:38ceb79fef03	7843	case MBEDTLS_MODE_STREAM:
kevman	0:38ceb79fef03	7844	transform_expansion = transform->minlen;
kevman	0:38ceb79fef03	7845	break;
kevman	0:38ceb79fef03	7846
kevman	0:38ceb79fef03	7847	case MBEDTLS_MODE_CBC:
kevman	0:38ceb79fef03	7848
kevman	0:38ceb79fef03	7849	block_size = mbedtls_cipher_get_block_size(
kevman	0:38ceb79fef03	7850	&transform->cipher_ctx_enc );
kevman	0:38ceb79fef03	7851
kevman	0:38ceb79fef03	7852	/* Expansion due to the addition of the MAC. */
kevman	0:38ceb79fef03	7853	transform_expansion += transform->maclen;
kevman	0:38ceb79fef03	7854
kevman	0:38ceb79fef03	7855	/* Expansion due to the addition of CBC padding;
kevman	0:38ceb79fef03	7856	* Theoretically up to 256 bytes, but we never use
kevman	0:38ceb79fef03	7857	* more than the block size of the underlying cipher. */
kevman	0:38ceb79fef03	7858	transform_expansion += block_size;
kevman	0:38ceb79fef03	7859
kevman	0:38ceb79fef03	7860	/* For TLS 1.1 or higher, an explicit IV is added
kevman	0:38ceb79fef03	7861	* after the record header. */
kevman	0:38ceb79fef03	7862	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	7863	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	7864	transform_expansion += block_size;
kevman	0:38ceb79fef03	7865	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	7866
kevman	0:38ceb79fef03	7867	break;
kevman	0:38ceb79fef03	7868
kevman	0:38ceb79fef03	7869	default:
kevman	0:38ceb79fef03	7870	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	7871	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	7872	}
kevman	0:38ceb79fef03	7873
kevman	0:38ceb79fef03	7874	return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
kevman	0:38ceb79fef03	7875	}
kevman	0:38ceb79fef03	7876
kevman	0:38ceb79fef03	7877	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
kevman	0:38ceb79fef03	7878	size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7879	{
kevman	0:38ceb79fef03	7880	size_t max_len;
kevman	0:38ceb79fef03	7881
kevman	0:38ceb79fef03	7882	/*
kevman	0:38ceb79fef03	7883	* Assume mfl_code is correct since it was checked when set
kevman	0:38ceb79fef03	7884	*/
kevman	0:38ceb79fef03	7885	max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
kevman	0:38ceb79fef03	7886
kevman	0:38ceb79fef03	7887	/* Check if a smaller max length was negotiated */
kevman	0:38ceb79fef03	7888	if( ssl->session_out != NULL &&
kevman	0:38ceb79fef03	7889	ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
kevman	0:38ceb79fef03	7890	{
kevman	0:38ceb79fef03	7891	max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
kevman	0:38ceb79fef03	7892	}
kevman	0:38ceb79fef03	7893
kevman	0:38ceb79fef03	7894	/* During a handshake, use the value being negotiated */
kevman	0:38ceb79fef03	7895	if( ssl->session_negotiate != NULL &&
kevman	0:38ceb79fef03	7896	ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
kevman	0:38ceb79fef03	7897	{
kevman	0:38ceb79fef03	7898	max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
kevman	0:38ceb79fef03	7899	}
kevman	0:38ceb79fef03	7900
kevman	0:38ceb79fef03	7901	return( max_len );
kevman	0:38ceb79fef03	7902	}
kevman	0:38ceb79fef03	7903	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
kevman	0:38ceb79fef03	7904
kevman	0:38ceb79fef03	7905	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7906	static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7907	{
kevman	0:38ceb79fef03	7908	if( ssl->handshake == NULL \|\| ssl->handshake->mtu == 0 )
kevman	0:38ceb79fef03	7909	return( ssl->mtu );
kevman	0:38ceb79fef03	7910
kevman	0:38ceb79fef03	7911	if( ssl->mtu == 0 )
kevman	0:38ceb79fef03	7912	return( ssl->handshake->mtu );
kevman	0:38ceb79fef03	7913
kevman	0:38ceb79fef03	7914	return( ssl->mtu < ssl->handshake->mtu ?
kevman	0:38ceb79fef03	7915	ssl->mtu : ssl->handshake->mtu );
kevman	0:38ceb79fef03	7916	}
kevman	0:38ceb79fef03	7917	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	7918
kevman	0:38ceb79fef03	7919	int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7920	{
kevman	0:38ceb79fef03	7921	size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
kevman	0:38ceb79fef03	7922
kevman	0:38ceb79fef03	7923	#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
kevman	0:38ceb79fef03	7924	!defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7925	(void) ssl;
kevman	0:38ceb79fef03	7926	#endif
kevman	0:38ceb79fef03	7927
kevman	0:38ceb79fef03	7928	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
kevman	0:38ceb79fef03	7929	const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
kevman	0:38ceb79fef03	7930
kevman	0:38ceb79fef03	7931	if( max_len > mfl )
kevman	0:38ceb79fef03	7932	max_len = mfl;
kevman	0:38ceb79fef03	7933	#endif
kevman	0:38ceb79fef03	7934
kevman	0:38ceb79fef03	7935	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7936	if( ssl_get_current_mtu( ssl ) != 0 )
kevman	0:38ceb79fef03	7937	{
kevman	0:38ceb79fef03	7938	const size_t mtu = ssl_get_current_mtu( ssl );
kevman	0:38ceb79fef03	7939	const int ret = mbedtls_ssl_get_record_expansion( ssl );
kevman	0:38ceb79fef03	7940	const size_t overhead = (size_t) ret;
kevman	0:38ceb79fef03	7941
kevman	0:38ceb79fef03	7942	if( ret < 0 )
kevman	0:38ceb79fef03	7943	return( ret );
kevman	0:38ceb79fef03	7944
kevman	0:38ceb79fef03	7945	if( mtu <= overhead )
kevman	0:38ceb79fef03	7946	{
kevman	0:38ceb79fef03	7947	MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
kevman	0:38ceb79fef03	7948	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
kevman	0:38ceb79fef03	7949	}
kevman	0:38ceb79fef03	7950
kevman	0:38ceb79fef03	7951	if( max_len > mtu - overhead )
kevman	0:38ceb79fef03	7952	max_len = mtu - overhead;
kevman	0:38ceb79fef03	7953	}
kevman	0:38ceb79fef03	7954	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	7955
kevman	0:38ceb79fef03	7956	#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
kevman	0:38ceb79fef03	7957	!defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	7958	((void) ssl);
kevman	0:38ceb79fef03	7959	#endif
kevman	0:38ceb79fef03	7960
kevman	0:38ceb79fef03	7961	return( (int) max_len );
kevman	0:38ceb79fef03	7962	}
kevman	0:38ceb79fef03	7963
kevman	0:38ceb79fef03	7964	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	7965	const mbedtls_x509_crt mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context ssl )
kevman	0:38ceb79fef03	7966	{
kevman	0:38ceb79fef03	7967	if( ssl == NULL \|\| ssl->session == NULL )
kevman	0:38ceb79fef03	7968	return( NULL );
kevman	0:38ceb79fef03	7969
kevman	0:38ceb79fef03	7970	return( ssl->session->peer_cert );
kevman	0:38ceb79fef03	7971	}
kevman	0:38ceb79fef03	7972	#endif /* MBEDTLS_X509_CRT_PARSE_C */
kevman	0:38ceb79fef03	7973
kevman	0:38ceb79fef03	7974	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	7975	int mbedtls_ssl_get_session( const mbedtls_ssl_context ssl, mbedtls_ssl_session dst )
kevman	0:38ceb79fef03	7976	{
kevman	0:38ceb79fef03	7977	if( ssl == NULL \|\|
kevman	0:38ceb79fef03	7978	dst == NULL \|\|
kevman	0:38ceb79fef03	7979	ssl->session == NULL \|\|
kevman	0:38ceb79fef03	7980	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	7981	{
kevman	0:38ceb79fef03	7982	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7983	}
kevman	0:38ceb79fef03	7984
kevman	0:38ceb79fef03	7985	return( ssl_session_copy( dst, ssl->session ) );
kevman	0:38ceb79fef03	7986	}
kevman	0:38ceb79fef03	7987	#endif /* MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	7988
kevman	0:38ceb79fef03	7989	/*
kevman	0:38ceb79fef03	7990	* Perform a single step of the SSL handshake
kevman	0:38ceb79fef03	7991	*/
kevman	0:38ceb79fef03	7992	int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	7993	{
kevman	0:38ceb79fef03	7994	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
kevman	0:38ceb79fef03	7995
kevman	0:38ceb79fef03	7996	if( ssl == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	7997	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	7998
kevman	0:38ceb79fef03	7999	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	8000	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	8001	ret = mbedtls_ssl_handshake_client_step( ssl );
kevman	0:38ceb79fef03	8002	#endif
kevman	0:38ceb79fef03	8003	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	8004	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	8005	ret = mbedtls_ssl_handshake_server_step( ssl );
kevman	0:38ceb79fef03	8006	#endif
kevman	0:38ceb79fef03	8007
kevman	0:38ceb79fef03	8008	return( ret );
kevman	0:38ceb79fef03	8009	}
kevman	0:38ceb79fef03	8010
kevman	0:38ceb79fef03	8011	/*
kevman	0:38ceb79fef03	8012	* Perform the SSL handshake
kevman	0:38ceb79fef03	8013	*/
kevman	0:38ceb79fef03	8014	int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8015	{
kevman	0:38ceb79fef03	8016	int ret = 0;
kevman	0:38ceb79fef03	8017
kevman	0:38ceb79fef03	8018	if( ssl == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	8019	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8020
kevman	0:38ceb79fef03	8021	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
kevman	0:38ceb79fef03	8022
kevman	0:38ceb79fef03	8023	while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	8024	{
kevman	0:38ceb79fef03	8025	ret = mbedtls_ssl_handshake_step( ssl );
kevman	0:38ceb79fef03	8026
kevman	0:38ceb79fef03	8027	if( ret != 0 )
kevman	0:38ceb79fef03	8028	break;
kevman	0:38ceb79fef03	8029	}
kevman	0:38ceb79fef03	8030
kevman	0:38ceb79fef03	8031	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
kevman	0:38ceb79fef03	8032
kevman	0:38ceb79fef03	8033	return( ret );
kevman	0:38ceb79fef03	8034	}
kevman	0:38ceb79fef03	8035
kevman	0:38ceb79fef03	8036	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	8037	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	8038	/*
kevman	0:38ceb79fef03	8039	* Write HelloRequest to request renegotiation on server
kevman	0:38ceb79fef03	8040	*/
kevman	0:38ceb79fef03	8041	static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8042	{
kevman	0:38ceb79fef03	8043	int ret;
kevman	0:38ceb79fef03	8044
kevman	0:38ceb79fef03	8045	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
kevman	0:38ceb79fef03	8046
kevman	0:38ceb79fef03	8047	ssl->out_msglen = 4;
kevman	0:38ceb79fef03	8048	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
kevman	0:38ceb79fef03	8049	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
kevman	0:38ceb79fef03	8050
kevman	0:38ceb79fef03	8051	if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8052	{
kevman	0:38ceb79fef03	8053	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
kevman	0:38ceb79fef03	8054	return( ret );
kevman	0:38ceb79fef03	8055	}
kevman	0:38ceb79fef03	8056
kevman	0:38ceb79fef03	8057	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
kevman	0:38ceb79fef03	8058
kevman	0:38ceb79fef03	8059	return( 0 );
kevman	0:38ceb79fef03	8060	}
kevman	0:38ceb79fef03	8061	#endif /* MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	8062
kevman	0:38ceb79fef03	8063	/*
kevman	0:38ceb79fef03	8064	* Actually renegotiate current connection, triggered by either:
kevman	0:38ceb79fef03	8065	* - any side: calling mbedtls_ssl_renegotiate(),
kevman	0:38ceb79fef03	8066	* - client: receiving a HelloRequest during mbedtls_ssl_read(),
kevman	0:38ceb79fef03	8067	* - server: receiving any handshake message on server during mbedtls_ssl_read() after
kevman	0:38ceb79fef03	8068	* the initial handshake is completed.
kevman	0:38ceb79fef03	8069	* If the handshake doesn't complete due to waiting for I/O, it will continue
kevman	0:38ceb79fef03	8070	* during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
kevman	0:38ceb79fef03	8071	*/
kevman	0:38ceb79fef03	8072	static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8073	{
kevman	0:38ceb79fef03	8074	int ret;
kevman	0:38ceb79fef03	8075
kevman	0:38ceb79fef03	8076	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
kevman	0:38ceb79fef03	8077
kevman	0:38ceb79fef03	8078	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8079	return( ret );
kevman	0:38ceb79fef03	8080
kevman	0:38ceb79fef03	8081	/* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
kevman	0:38ceb79fef03	8082	* the ServerHello will have message_seq = 1" */
kevman	0:38ceb79fef03	8083	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8084	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	8085	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
kevman	0:38ceb79fef03	8086	{
kevman	0:38ceb79fef03	8087	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	8088	ssl->handshake->out_msg_seq = 1;
kevman	0:38ceb79fef03	8089	else
kevman	0:38ceb79fef03	8090	ssl->handshake->in_msg_seq = 1;
kevman	0:38ceb79fef03	8091	}
kevman	0:38ceb79fef03	8092	#endif
kevman	0:38ceb79fef03	8093
kevman	0:38ceb79fef03	8094	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
kevman	0:38ceb79fef03	8095	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
kevman	0:38ceb79fef03	8096
kevman	0:38ceb79fef03	8097	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8098	{
kevman	0:38ceb79fef03	8099	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
kevman	0:38ceb79fef03	8100	return( ret );
kevman	0:38ceb79fef03	8101	}
kevman	0:38ceb79fef03	8102
kevman	0:38ceb79fef03	8103	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
kevman	0:38ceb79fef03	8104
kevman	0:38ceb79fef03	8105	return( 0 );
kevman	0:38ceb79fef03	8106	}
kevman	0:38ceb79fef03	8107
kevman	0:38ceb79fef03	8108	/*
kevman	0:38ceb79fef03	8109	* Renegotiate current connection on client,
kevman	0:38ceb79fef03	8110	* or request renegotiation on server
kevman	0:38ceb79fef03	8111	*/
kevman	0:38ceb79fef03	8112	int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8113	{
kevman	0:38ceb79fef03	8114	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
kevman	0:38ceb79fef03	8115
kevman	0:38ceb79fef03	8116	if( ssl == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	8117	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8118
kevman	0:38ceb79fef03	8119	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	8120	/* On server, just send the request */
kevman	0:38ceb79fef03	8121	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	8122	{
kevman	0:38ceb79fef03	8123	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	8124	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8125
kevman	0:38ceb79fef03	8126	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
kevman	0:38ceb79fef03	8127
kevman	0:38ceb79fef03	8128	/* Did we already try/start sending HelloRequest? */
kevman	0:38ceb79fef03	8129	if( ssl->out_left != 0 )
kevman	0:38ceb79fef03	8130	return( mbedtls_ssl_flush_output( ssl ) );
kevman	0:38ceb79fef03	8131
kevman	0:38ceb79fef03	8132	return( ssl_write_hello_request( ssl ) );
kevman	0:38ceb79fef03	8133	}
kevman	0:38ceb79fef03	8134	#endif /* MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	8135
kevman	0:38ceb79fef03	8136	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	8137	/*
kevman	0:38ceb79fef03	8138	* On client, either start the renegotiation process or,
kevman	0:38ceb79fef03	8139	* if already in progress, continue the handshake
kevman	0:38ceb79fef03	8140	*/
kevman	0:38ceb79fef03	8141	if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
kevman	0:38ceb79fef03	8142	{
kevman	0:38ceb79fef03	8143	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	8144	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8145
kevman	0:38ceb79fef03	8146	if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8147	{
kevman	0:38ceb79fef03	8148	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
kevman	0:38ceb79fef03	8149	return( ret );
kevman	0:38ceb79fef03	8150	}
kevman	0:38ceb79fef03	8151	}
kevman	0:38ceb79fef03	8152	else
kevman	0:38ceb79fef03	8153	{
kevman	0:38ceb79fef03	8154	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8155	{
kevman	0:38ceb79fef03	8156	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
kevman	0:38ceb79fef03	8157	return( ret );
kevman	0:38ceb79fef03	8158	}
kevman	0:38ceb79fef03	8159	}
kevman	0:38ceb79fef03	8160	#endif /* MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	8161
kevman	0:38ceb79fef03	8162	return( ret );
kevman	0:38ceb79fef03	8163	}
kevman	0:38ceb79fef03	8164
kevman	0:38ceb79fef03	8165	/*
kevman	0:38ceb79fef03	8166	* Check record counters and renegotiate if they're above the limit.
kevman	0:38ceb79fef03	8167	*/
kevman	0:38ceb79fef03	8168	static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8169	{
kevman	0:38ceb79fef03	8170	size_t ep_len = ssl_ep_len( ssl );
kevman	0:38ceb79fef03	8171	int in_ctr_cmp;
kevman	0:38ceb79fef03	8172	int out_ctr_cmp;
kevman	0:38ceb79fef03	8173
kevman	0:38ceb79fef03	8174	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER \|\|
kevman	0:38ceb79fef03	8175	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING \|\|
kevman	0:38ceb79fef03	8176	ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
kevman	0:38ceb79fef03	8177	{
kevman	0:38ceb79fef03	8178	return( 0 );
kevman	0:38ceb79fef03	8179	}
kevman	0:38ceb79fef03	8180
kevman	0:38ceb79fef03	8181	in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
kevman	0:38ceb79fef03	8182	ssl->conf->renego_period + ep_len, 8 - ep_len );
kevman	0:38ceb79fef03	8183	out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
kevman	0:38ceb79fef03	8184	ssl->conf->renego_period + ep_len, 8 - ep_len );
kevman	0:38ceb79fef03	8185
kevman	0:38ceb79fef03	8186	if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
kevman	0:38ceb79fef03	8187	{
kevman	0:38ceb79fef03	8188	return( 0 );
kevman	0:38ceb79fef03	8189	}
kevman	0:38ceb79fef03	8190
kevman	0:38ceb79fef03	8191	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
kevman	0:38ceb79fef03	8192	return( mbedtls_ssl_renegotiate( ssl ) );
kevman	0:38ceb79fef03	8193	}
kevman	0:38ceb79fef03	8194	#endif /* MBEDTLS_SSL_RENEGOTIATION */
kevman	0:38ceb79fef03	8195
kevman	0:38ceb79fef03	8196	/*
kevman	0:38ceb79fef03	8197	* Receive application data decrypted from the SSL layer
kevman	0:38ceb79fef03	8198	*/
kevman	0:38ceb79fef03	8199	int mbedtls_ssl_read( mbedtls_ssl_context ssl, unsigned char buf, size_t len )
kevman	0:38ceb79fef03	8200	{
kevman	0:38ceb79fef03	8201	int ret;
kevman	0:38ceb79fef03	8202	size_t n;
kevman	0:38ceb79fef03	8203
kevman	0:38ceb79fef03	8204	if( ssl == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	8205	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8206
kevman	0:38ceb79fef03	8207	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
kevman	0:38ceb79fef03	8208
kevman	0:38ceb79fef03	8209	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8210	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	8211	{
kevman	0:38ceb79fef03	8212	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8213	return( ret );
kevman	0:38ceb79fef03	8214
kevman	0:38ceb79fef03	8215	if( ssl->handshake != NULL &&
kevman	0:38ceb79fef03	8216	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
kevman	0:38ceb79fef03	8217	{
kevman	0:38ceb79fef03	8218	if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8219	return( ret );
kevman	0:38ceb79fef03	8220	}
kevman	0:38ceb79fef03	8221	}
kevman	0:38ceb79fef03	8222	#endif
kevman	0:38ceb79fef03	8223
kevman	0:38ceb79fef03	8224	/*
kevman	0:38ceb79fef03	8225	* Check if renegotiation is necessary and/or handshake is
kevman	0:38ceb79fef03	8226	* in process. If yes, perform/continue, and fall through
kevman	0:38ceb79fef03	8227	* if an unexpected packet is received while the client
kevman	0:38ceb79fef03	8228	* is waiting for the ServerHello.
kevman	0:38ceb79fef03	8229	*
kevman	0:38ceb79fef03	8230	* (There is no equivalent to the last condition on
kevman	0:38ceb79fef03	8231	* the server-side as it is not treated as within
kevman	0:38ceb79fef03	8232	* a handshake while waiting for the ClientHello
kevman	0:38ceb79fef03	8233	* after a renegotiation request.)
kevman	0:38ceb79fef03	8234	*/
kevman	0:38ceb79fef03	8235
kevman	0:38ceb79fef03	8236	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	8237	ret = ssl_check_ctr_renegotiate( ssl );
kevman	0:38ceb79fef03	8238	if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
kevman	0:38ceb79fef03	8239	ret != 0 )
kevman	0:38ceb79fef03	8240	{
kevman	0:38ceb79fef03	8241	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
kevman	0:38ceb79fef03	8242	return( ret );
kevman	0:38ceb79fef03	8243	}
kevman	0:38ceb79fef03	8244	#endif
kevman	0:38ceb79fef03	8245
kevman	0:38ceb79fef03	8246	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	8247	{
kevman	0:38ceb79fef03	8248	ret = mbedtls_ssl_handshake( ssl );
kevman	0:38ceb79fef03	8249	if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
kevman	0:38ceb79fef03	8250	ret != 0 )
kevman	0:38ceb79fef03	8251	{
kevman	0:38ceb79fef03	8252	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
kevman	0:38ceb79fef03	8253	return( ret );
kevman	0:38ceb79fef03	8254	}
kevman	0:38ceb79fef03	8255	}
kevman	0:38ceb79fef03	8256
kevman	0:38ceb79fef03	8257	/* Loop as long as no application data record is available */
kevman	0:38ceb79fef03	8258	while( ssl->in_offt == NULL )
kevman	0:38ceb79fef03	8259	{
kevman	0:38ceb79fef03	8260	/* Start timer if not already running */
kevman	0:38ceb79fef03	8261	if( ssl->f_get_timer != NULL &&
kevman	0:38ceb79fef03	8262	ssl->f_get_timer( ssl->p_timer ) == -1 )
kevman	0:38ceb79fef03	8263	{
kevman	0:38ceb79fef03	8264	ssl_set_timer( ssl, ssl->conf->read_timeout );
kevman	0:38ceb79fef03	8265	}
kevman	0:38ceb79fef03	8266
kevman	0:38ceb79fef03	8267	if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
kevman	0:38ceb79fef03	8268	{
kevman	0:38ceb79fef03	8269	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
kevman	0:38ceb79fef03	8270	return( 0 );
kevman	0:38ceb79fef03	8271
kevman	0:38ceb79fef03	8272	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
kevman	0:38ceb79fef03	8273	return( ret );
kevman	0:38ceb79fef03	8274	}
kevman	0:38ceb79fef03	8275
kevman	0:38ceb79fef03	8276	if( ssl->in_msglen == 0 &&
kevman	0:38ceb79fef03	8277	ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
kevman	0:38ceb79fef03	8278	{
kevman	0:38ceb79fef03	8279	/*
kevman	0:38ceb79fef03	8280	* OpenSSL sends empty messages to randomize the IV
kevman	0:38ceb79fef03	8281	*/
kevman	0:38ceb79fef03	8282	if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
kevman	0:38ceb79fef03	8283	{
kevman	0:38ceb79fef03	8284	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
kevman	0:38ceb79fef03	8285	return( 0 );
kevman	0:38ceb79fef03	8286
kevman	0:38ceb79fef03	8287	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
kevman	0:38ceb79fef03	8288	return( ret );
kevman	0:38ceb79fef03	8289	}
kevman	0:38ceb79fef03	8290	}
kevman	0:38ceb79fef03	8291
kevman	0:38ceb79fef03	8292	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
kevman	0:38ceb79fef03	8293	{
kevman	0:38ceb79fef03	8294	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
kevman	0:38ceb79fef03	8295
kevman	0:38ceb79fef03	8296	/*
kevman	0:38ceb79fef03	8297	* - For client-side, expect SERVER_HELLO_REQUEST.
kevman	0:38ceb79fef03	8298	* - For server-side, expect CLIENT_HELLO.
kevman	0:38ceb79fef03	8299	* - Fail (TLS) or silently drop record (DTLS) in other cases.
kevman	0:38ceb79fef03	8300	*/
kevman	0:38ceb79fef03	8301
kevman	0:38ceb79fef03	8302	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	8303	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
kevman	0:38ceb79fef03	8304	( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST \|\|
kevman	0:38ceb79fef03	8305	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
kevman	0:38ceb79fef03	8306	{
kevman	0:38ceb79fef03	8307	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
kevman	0:38ceb79fef03	8308
kevman	0:38ceb79fef03	8309	/* With DTLS, drop the packet (probably from last handshake) */
kevman	0:38ceb79fef03	8310	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8311	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	8312	{
kevman	0:38ceb79fef03	8313	continue;
kevman	0:38ceb79fef03	8314	}
kevman	0:38ceb79fef03	8315	#endif
kevman	0:38ceb79fef03	8316	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	8317	}
kevman	0:38ceb79fef03	8318	#endif /* MBEDTLS_SSL_CLI_C */
kevman	0:38ceb79fef03	8319
kevman	0:38ceb79fef03	8320	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	8321	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	8322	ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
kevman	0:38ceb79fef03	8323	{
kevman	0:38ceb79fef03	8324	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
kevman	0:38ceb79fef03	8325
kevman	0:38ceb79fef03	8326	/* With DTLS, drop the packet (probably from last handshake) */
kevman	0:38ceb79fef03	8327	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8328	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	8329	{
kevman	0:38ceb79fef03	8330	continue;
kevman	0:38ceb79fef03	8331	}
kevman	0:38ceb79fef03	8332	#endif
kevman	0:38ceb79fef03	8333	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	8334	}
kevman	0:38ceb79fef03	8335	#endif /* MBEDTLS_SSL_SRV_C */
kevman	0:38ceb79fef03	8336
kevman	0:38ceb79fef03	8337	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	8338	/* Determine whether renegotiation attempt should be accepted */
kevman	0:38ceb79fef03	8339	if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED \|\|
kevman	0:38ceb79fef03	8340	( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
kevman	0:38ceb79fef03	8341	ssl->conf->allow_legacy_renegotiation ==
kevman	0:38ceb79fef03	8342	MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
kevman	0:38ceb79fef03	8343	{
kevman	0:38ceb79fef03	8344	/*
kevman	0:38ceb79fef03	8345	* Accept renegotiation request
kevman	0:38ceb79fef03	8346	*/
kevman	0:38ceb79fef03	8347
kevman	0:38ceb79fef03	8348	/* DTLS clients need to know renego is server-initiated */
kevman	0:38ceb79fef03	8349	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8350	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
kevman	0:38ceb79fef03	8351	ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	8352	{
kevman	0:38ceb79fef03	8353	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
kevman	0:38ceb79fef03	8354	}
kevman	0:38ceb79fef03	8355	#endif
kevman	0:38ceb79fef03	8356	ret = ssl_start_renegotiation( ssl );
kevman	0:38ceb79fef03	8357	if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
kevman	0:38ceb79fef03	8358	ret != 0 )
kevman	0:38ceb79fef03	8359	{
kevman	0:38ceb79fef03	8360	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
kevman	0:38ceb79fef03	8361	return( ret );
kevman	0:38ceb79fef03	8362	}
kevman	0:38ceb79fef03	8363	}
kevman	0:38ceb79fef03	8364	else
kevman	0:38ceb79fef03	8365	#endif /* MBEDTLS_SSL_RENEGOTIATION */
kevman	0:38ceb79fef03	8366	{
kevman	0:38ceb79fef03	8367	/*
kevman	0:38ceb79fef03	8368	* Refuse renegotiation
kevman	0:38ceb79fef03	8369	*/
kevman	0:38ceb79fef03	8370
kevman	0:38ceb79fef03	8371	MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
kevman	0:38ceb79fef03	8372
kevman	0:38ceb79fef03	8373	#if defined(MBEDTLS_SSL_PROTO_SSL3)
kevman	0:38ceb79fef03	8374	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
kevman	0:38ceb79fef03	8375	{
kevman	0:38ceb79fef03	8376	/* SSLv3 does not have a "no_renegotiation" warning, so
kevman	0:38ceb79fef03	8377	we send a fatal alert and abort the connection. */
kevman	0:38ceb79fef03	8378	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	8379	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	8380	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	8381	}
kevman	0:38ceb79fef03	8382	else
kevman	0:38ceb79fef03	8383	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
kevman	0:38ceb79fef03	8384	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	8385	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	8386	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
kevman	0:38ceb79fef03	8387	{
kevman	0:38ceb79fef03	8388	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
kevman	0:38ceb79fef03	8389	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
kevman	0:38ceb79fef03	8390	MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
kevman	0:38ceb79fef03	8391	{
kevman	0:38ceb79fef03	8392	return( ret );
kevman	0:38ceb79fef03	8393	}
kevman	0:38ceb79fef03	8394	}
kevman	0:38ceb79fef03	8395	else
kevman	0:38ceb79fef03	8396	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\|
kevman	0:38ceb79fef03	8397	MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	8398	{
kevman	0:38ceb79fef03	8399	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
kevman	0:38ceb79fef03	8400	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
kevman	0:38ceb79fef03	8401	}
kevman	0:38ceb79fef03	8402	}
kevman	0:38ceb79fef03	8403
kevman	0:38ceb79fef03	8404	/* At this point, we don't know whether the renegotiation has been
kevman	0:38ceb79fef03	8405	* completed or not. The cases to consider are the following:
kevman	0:38ceb79fef03	8406	* 1) The renegotiation is complete. In this case, no new record
kevman	0:38ceb79fef03	8407	* has been read yet.
kevman	0:38ceb79fef03	8408	* 2) The renegotiation is incomplete because the client received
kevman	0:38ceb79fef03	8409	* an application data record while awaiting the ServerHello.
kevman	0:38ceb79fef03	8410	* 3) The renegotiation is incomplete because the client received
kevman	0:38ceb79fef03	8411	* a non-handshake, non-application data message while awaiting
kevman	0:38ceb79fef03	8412	* the ServerHello.
kevman	0:38ceb79fef03	8413	* In each of these case, looping will be the proper action:
kevman	0:38ceb79fef03	8414	* - For 1), the next iteration will read a new record and check
kevman	0:38ceb79fef03	8415	* if it's application data.
kevman	0:38ceb79fef03	8416	* - For 2), the loop condition isn't satisfied as application data
kevman	0:38ceb79fef03	8417	* is present, hence continue is the same as break
kevman	0:38ceb79fef03	8418	* - For 3), the loop condition is satisfied and read_record
kevman	0:38ceb79fef03	8419	* will re-deliver the message that was held back by the client
kevman	0:38ceb79fef03	8420	* when expecting the ServerHello.
kevman	0:38ceb79fef03	8421	*/
kevman	0:38ceb79fef03	8422	continue;
kevman	0:38ceb79fef03	8423	}
kevman	0:38ceb79fef03	8424	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	8425	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
kevman	0:38ceb79fef03	8426	{
kevman	0:38ceb79fef03	8427	if( ssl->conf->renego_max_records >= 0 )
kevman	0:38ceb79fef03	8428	{
kevman	0:38ceb79fef03	8429	if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
kevman	0:38ceb79fef03	8430	{
kevman	0:38ceb79fef03	8431	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
kevman	0:38ceb79fef03	8432	"but not honored by client" ) );
kevman	0:38ceb79fef03	8433	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	8434	}
kevman	0:38ceb79fef03	8435	}
kevman	0:38ceb79fef03	8436	}
kevman	0:38ceb79fef03	8437	#endif /* MBEDTLS_SSL_RENEGOTIATION */
kevman	0:38ceb79fef03	8438
kevman	0:38ceb79fef03	8439	/* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
kevman	0:38ceb79fef03	8440	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
kevman	0:38ceb79fef03	8441	{
kevman	0:38ceb79fef03	8442	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
kevman	0:38ceb79fef03	8443	return( MBEDTLS_ERR_SSL_WANT_READ );
kevman	0:38ceb79fef03	8444	}
kevman	0:38ceb79fef03	8445
kevman	0:38ceb79fef03	8446	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
kevman	0:38ceb79fef03	8447	{
kevman	0:38ceb79fef03	8448	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
kevman	0:38ceb79fef03	8449	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
kevman	0:38ceb79fef03	8450	}
kevman	0:38ceb79fef03	8451
kevman	0:38ceb79fef03	8452	ssl->in_offt = ssl->in_msg;
kevman	0:38ceb79fef03	8453
kevman	0:38ceb79fef03	8454	/* We're going to return something now, cancel timer,
kevman	0:38ceb79fef03	8455	* except if handshake (renegotiation) is in progress */
kevman	0:38ceb79fef03	8456	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	8457	ssl_set_timer( ssl, 0 );
kevman	0:38ceb79fef03	8458
kevman	0:38ceb79fef03	8459	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8460	/* If we requested renego but received AppData, resend HelloRequest.
kevman	0:38ceb79fef03	8461	* Do it now, after setting in_offt, to avoid taking this branch
kevman	0:38ceb79fef03	8462	* again if ssl_write_hello_request() returns WANT_WRITE */
kevman	0:38ceb79fef03	8463	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	8464	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
kevman	0:38ceb79fef03	8465	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
kevman	0:38ceb79fef03	8466	{
kevman	0:38ceb79fef03	8467	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8468	{
kevman	0:38ceb79fef03	8469	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
kevman	0:38ceb79fef03	8470	return( ret );
kevman	0:38ceb79fef03	8471	}
kevman	0:38ceb79fef03	8472	}
kevman	0:38ceb79fef03	8473	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
kevman	0:38ceb79fef03	8474	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	8475	}
kevman	0:38ceb79fef03	8476
kevman	0:38ceb79fef03	8477	n = ( len < ssl->in_msglen )
kevman	0:38ceb79fef03	8478	? len : ssl->in_msglen;
kevman	0:38ceb79fef03	8479
kevman	0:38ceb79fef03	8480	memcpy( buf, ssl->in_offt, n );
kevman	0:38ceb79fef03	8481	ssl->in_msglen -= n;
kevman	0:38ceb79fef03	8482
kevman	0:38ceb79fef03	8483	if( ssl->in_msglen == 0 )
kevman	0:38ceb79fef03	8484	{
kevman	0:38ceb79fef03	8485	/* all bytes consumed */
kevman	0:38ceb79fef03	8486	ssl->in_offt = NULL;
kevman	0:38ceb79fef03	8487	ssl->keep_current_message = 0;
kevman	0:38ceb79fef03	8488	}
kevman	0:38ceb79fef03	8489	else
kevman	0:38ceb79fef03	8490	{
kevman	0:38ceb79fef03	8491	/* more data available */
kevman	0:38ceb79fef03	8492	ssl->in_offt += n;
kevman	0:38ceb79fef03	8493	}
kevman	0:38ceb79fef03	8494
kevman	0:38ceb79fef03	8495	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
kevman	0:38ceb79fef03	8496
kevman	0:38ceb79fef03	8497	return( (int) n );
kevman	0:38ceb79fef03	8498	}
kevman	0:38ceb79fef03	8499
kevman	0:38ceb79fef03	8500	/*
kevman	0:38ceb79fef03	8501	* Send application data to be encrypted by the SSL layer, taking care of max
kevman	0:38ceb79fef03	8502	* fragment length and buffer size.
kevman	0:38ceb79fef03	8503	*
kevman	0:38ceb79fef03	8504	* According to RFC 5246 Section 6.2.1:
kevman	0:38ceb79fef03	8505	*
kevman	0:38ceb79fef03	8506	* Zero-length fragments of Application data MAY be sent as they are
kevman	0:38ceb79fef03	8507	* potentially useful as a traffic analysis countermeasure.
kevman	0:38ceb79fef03	8508	*
kevman	0:38ceb79fef03	8509	* Therefore, it is possible that the input message length is 0 and the
kevman	0:38ceb79fef03	8510	* corresponding return code is 0 on success.
kevman	0:38ceb79fef03	8511	*/
kevman	0:38ceb79fef03	8512	static int ssl_write_real( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	8513	const unsigned char *buf, size_t len )
kevman	0:38ceb79fef03	8514	{
kevman	0:38ceb79fef03	8515	int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
kevman	0:38ceb79fef03	8516	const size_t max_len = (size_t) ret;
kevman	0:38ceb79fef03	8517
kevman	0:38ceb79fef03	8518	if( ret < 0 )
kevman	0:38ceb79fef03	8519	{
kevman	0:38ceb79fef03	8520	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
kevman	0:38ceb79fef03	8521	return( ret );
kevman	0:38ceb79fef03	8522	}
kevman	0:38ceb79fef03	8523
kevman	0:38ceb79fef03	8524	if( len > max_len )
kevman	0:38ceb79fef03	8525	{
kevman	0:38ceb79fef03	8526	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8527	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	8528	{
kevman	0:38ceb79fef03	8529	MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
kevman	0:38ceb79fef03	8530	"maximum fragment length: %d > %d",
kevman	0:38ceb79fef03	8531	len, max_len ) );
kevman	0:38ceb79fef03	8532	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8533	}
kevman	0:38ceb79fef03	8534	else
kevman	0:38ceb79fef03	8535	#endif
kevman	0:38ceb79fef03	8536	len = max_len;
kevman	0:38ceb79fef03	8537	}
kevman	0:38ceb79fef03	8538
kevman	0:38ceb79fef03	8539	if( ssl->out_left != 0 )
kevman	0:38ceb79fef03	8540	{
kevman	0:38ceb79fef03	8541	/*
kevman	0:38ceb79fef03	8542	* The user has previously tried to send the data and
kevman	0:38ceb79fef03	8543	* MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
kevman	0:38ceb79fef03	8544	* written. In this case, we expect the high-level write function
kevman	0:38ceb79fef03	8545	* (e.g. mbedtls_ssl_write()) to be called with the same parameters
kevman	0:38ceb79fef03	8546	*/
kevman	0:38ceb79fef03	8547	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8548	{
kevman	0:38ceb79fef03	8549	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
kevman	0:38ceb79fef03	8550	return( ret );
kevman	0:38ceb79fef03	8551	}
kevman	0:38ceb79fef03	8552	}
kevman	0:38ceb79fef03	8553	else
kevman	0:38ceb79fef03	8554	{
kevman	0:38ceb79fef03	8555	/*
kevman	0:38ceb79fef03	8556	* The user is trying to send a message the first time, so we need to
kevman	0:38ceb79fef03	8557	* copy the data into the internal buffers and setup the data structure
kevman	0:38ceb79fef03	8558	* to keep track of partial writes
kevman	0:38ceb79fef03	8559	*/
kevman	0:38ceb79fef03	8560	ssl->out_msglen = len;
kevman	0:38ceb79fef03	8561	ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
kevman	0:38ceb79fef03	8562	memcpy( ssl->out_msg, buf, len );
kevman	0:38ceb79fef03	8563
kevman	0:38ceb79fef03	8564	if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
kevman	0:38ceb79fef03	8565	{
kevman	0:38ceb79fef03	8566	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
kevman	0:38ceb79fef03	8567	return( ret );
kevman	0:38ceb79fef03	8568	}
kevman	0:38ceb79fef03	8569	}
kevman	0:38ceb79fef03	8570
kevman	0:38ceb79fef03	8571	return( (int) len );
kevman	0:38ceb79fef03	8572	}
kevman	0:38ceb79fef03	8573
kevman	0:38ceb79fef03	8574	/*
kevman	0:38ceb79fef03	8575	* Write application data, doing 1/n-1 splitting if necessary.
kevman	0:38ceb79fef03	8576	*
kevman	0:38ceb79fef03	8577	* With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
kevman	0:38ceb79fef03	8578	* then the caller will call us again with the same arguments, so
kevman	0:38ceb79fef03	8579	* remember whether we already did the split or not.
kevman	0:38ceb79fef03	8580	*/
kevman	0:38ceb79fef03	8581	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
kevman	0:38ceb79fef03	8582	static int ssl_write_split( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	8583	const unsigned char *buf, size_t len )
kevman	0:38ceb79fef03	8584	{
kevman	0:38ceb79fef03	8585	int ret;
kevman	0:38ceb79fef03	8586
kevman	0:38ceb79fef03	8587	if( ssl->conf->cbc_record_splitting ==
kevman	0:38ceb79fef03	8588	MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED \|\|
kevman	0:38ceb79fef03	8589	len <= 1 \|\|
kevman	0:38ceb79fef03	8590	ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 \|\|
kevman	0:38ceb79fef03	8591	mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
kevman	0:38ceb79fef03	8592	!= MBEDTLS_MODE_CBC )
kevman	0:38ceb79fef03	8593	{
kevman	0:38ceb79fef03	8594	return( ssl_write_real( ssl, buf, len ) );
kevman	0:38ceb79fef03	8595	}
kevman	0:38ceb79fef03	8596
kevman	0:38ceb79fef03	8597	if( ssl->split_done == 0 )
kevman	0:38ceb79fef03	8598	{
kevman	0:38ceb79fef03	8599	if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
kevman	0:38ceb79fef03	8600	return( ret );
kevman	0:38ceb79fef03	8601	ssl->split_done = 1;
kevman	0:38ceb79fef03	8602	}
kevman	0:38ceb79fef03	8603
kevman	0:38ceb79fef03	8604	if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
kevman	0:38ceb79fef03	8605	return( ret );
kevman	0:38ceb79fef03	8606	ssl->split_done = 0;
kevman	0:38ceb79fef03	8607
kevman	0:38ceb79fef03	8608	return( ret + 1 );
kevman	0:38ceb79fef03	8609	}
kevman	0:38ceb79fef03	8610	#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
kevman	0:38ceb79fef03	8611
kevman	0:38ceb79fef03	8612	/*
kevman	0:38ceb79fef03	8613	* Write application data (public-facing wrapper)
kevman	0:38ceb79fef03	8614	*/
kevman	0:38ceb79fef03	8615	int mbedtls_ssl_write( mbedtls_ssl_context ssl, const unsigned char buf, size_t len )
kevman	0:38ceb79fef03	8616	{
kevman	0:38ceb79fef03	8617	int ret;
kevman	0:38ceb79fef03	8618
kevman	0:38ceb79fef03	8619	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
kevman	0:38ceb79fef03	8620
kevman	0:38ceb79fef03	8621	if( ssl == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	8622	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8623
kevman	0:38ceb79fef03	8624	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	8625	if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8626	{
kevman	0:38ceb79fef03	8627	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
kevman	0:38ceb79fef03	8628	return( ret );
kevman	0:38ceb79fef03	8629	}
kevman	0:38ceb79fef03	8630	#endif
kevman	0:38ceb79fef03	8631
kevman	0:38ceb79fef03	8632	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	8633	{
kevman	0:38ceb79fef03	8634	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
kevman	0:38ceb79fef03	8635	{
kevman	0:38ceb79fef03	8636	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
kevman	0:38ceb79fef03	8637	return( ret );
kevman	0:38ceb79fef03	8638	}
kevman	0:38ceb79fef03	8639	}
kevman	0:38ceb79fef03	8640
kevman	0:38ceb79fef03	8641	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
kevman	0:38ceb79fef03	8642	ret = ssl_write_split( ssl, buf, len );
kevman	0:38ceb79fef03	8643	#else
kevman	0:38ceb79fef03	8644	ret = ssl_write_real( ssl, buf, len );
kevman	0:38ceb79fef03	8645	#endif
kevman	0:38ceb79fef03	8646
kevman	0:38ceb79fef03	8647	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
kevman	0:38ceb79fef03	8648
kevman	0:38ceb79fef03	8649	return( ret );
kevman	0:38ceb79fef03	8650	}
kevman	0:38ceb79fef03	8651
kevman	0:38ceb79fef03	8652	/*
kevman	0:38ceb79fef03	8653	* Notify the peer that the connection is being closed
kevman	0:38ceb79fef03	8654	*/
kevman	0:38ceb79fef03	8655	int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8656	{
kevman	0:38ceb79fef03	8657	int ret;
kevman	0:38ceb79fef03	8658
kevman	0:38ceb79fef03	8659	if( ssl == NULL \|\| ssl->conf == NULL )
kevman	0:38ceb79fef03	8660	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
kevman	0:38ceb79fef03	8661
kevman	0:38ceb79fef03	8662	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
kevman	0:38ceb79fef03	8663
kevman	0:38ceb79fef03	8664	if( ssl->out_left != 0 )
kevman	0:38ceb79fef03	8665	return( mbedtls_ssl_flush_output( ssl ) );
kevman	0:38ceb79fef03	8666
kevman	0:38ceb79fef03	8667	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
kevman	0:38ceb79fef03	8668	{
kevman	0:38ceb79fef03	8669	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
kevman	0:38ceb79fef03	8670	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
kevman	0:38ceb79fef03	8671	MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
kevman	0:38ceb79fef03	8672	{
kevman	0:38ceb79fef03	8673	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
kevman	0:38ceb79fef03	8674	return( ret );
kevman	0:38ceb79fef03	8675	}
kevman	0:38ceb79fef03	8676	}
kevman	0:38ceb79fef03	8677
kevman	0:38ceb79fef03	8678	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
kevman	0:38ceb79fef03	8679
kevman	0:38ceb79fef03	8680	return( 0 );
kevman	0:38ceb79fef03	8681	}
kevman	0:38ceb79fef03	8682
kevman	0:38ceb79fef03	8683	void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
kevman	0:38ceb79fef03	8684	{
kevman	0:38ceb79fef03	8685	if( transform == NULL )
kevman	0:38ceb79fef03	8686	return;
kevman	0:38ceb79fef03	8687
kevman	0:38ceb79fef03	8688	#if defined(MBEDTLS_ZLIB_SUPPORT)
kevman	0:38ceb79fef03	8689	deflateEnd( &transform->ctx_deflate );
kevman	0:38ceb79fef03	8690	inflateEnd( &transform->ctx_inflate );
kevman	0:38ceb79fef03	8691	#endif
kevman	0:38ceb79fef03	8692
kevman	0:38ceb79fef03	8693	mbedtls_cipher_free( &transform->cipher_ctx_enc );
kevman	0:38ceb79fef03	8694	mbedtls_cipher_free( &transform->cipher_ctx_dec );
kevman	0:38ceb79fef03	8695
kevman	0:38ceb79fef03	8696	mbedtls_md_free( &transform->md_ctx_enc );
kevman	0:38ceb79fef03	8697	mbedtls_md_free( &transform->md_ctx_dec );
kevman	0:38ceb79fef03	8698
kevman	0:38ceb79fef03	8699	mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
kevman	0:38ceb79fef03	8700	}
kevman	0:38ceb79fef03	8701
kevman	0:38ceb79fef03	8702	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	8703	static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
kevman	0:38ceb79fef03	8704	{
kevman	0:38ceb79fef03	8705	mbedtls_ssl_key_cert cur = key_cert, next;
kevman	0:38ceb79fef03	8706
kevman	0:38ceb79fef03	8707	while( cur != NULL )
kevman	0:38ceb79fef03	8708	{
kevman	0:38ceb79fef03	8709	next = cur->next;
kevman	0:38ceb79fef03	8710	mbedtls_free( cur );
kevman	0:38ceb79fef03	8711	cur = next;
kevman	0:38ceb79fef03	8712	}
kevman	0:38ceb79fef03	8713	}
kevman	0:38ceb79fef03	8714	#endif /* MBEDTLS_X509_CRT_PARSE_C */
kevman	0:38ceb79fef03	8715
kevman	0:38ceb79fef03	8716	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8717
kevman	0:38ceb79fef03	8718	static void ssl_buffering_free( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8719	{
kevman	0:38ceb79fef03	8720	unsigned offset;
kevman	0:38ceb79fef03	8721	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	8722
kevman	0:38ceb79fef03	8723	if( hs == NULL )
kevman	0:38ceb79fef03	8724	return;
kevman	0:38ceb79fef03	8725
kevman	0:38ceb79fef03	8726	ssl_free_buffered_record( ssl );
kevman	0:38ceb79fef03	8727
kevman	0:38ceb79fef03	8728	for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
kevman	0:38ceb79fef03	8729	ssl_buffering_free_slot( ssl, offset );
kevman	0:38ceb79fef03	8730	}
kevman	0:38ceb79fef03	8731
kevman	0:38ceb79fef03	8732	static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	8733	uint8_t slot )
kevman	0:38ceb79fef03	8734	{
kevman	0:38ceb79fef03	8735	mbedtls_ssl_handshake_params * const hs = ssl->handshake;
kevman	0:38ceb79fef03	8736	mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
kevman	0:38ceb79fef03	8737
kevman	0:38ceb79fef03	8738	if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
kevman	0:38ceb79fef03	8739	return;
kevman	0:38ceb79fef03	8740
kevman	0:38ceb79fef03	8741	if( hs_buf->is_valid == 1 )
kevman	0:38ceb79fef03	8742	{
kevman	0:38ceb79fef03	8743	hs->buffering.total_bytes_buffered -= hs_buf->data_len;
kevman	0:38ceb79fef03	8744	mbedtls_free( hs_buf->data );
kevman	0:38ceb79fef03	8745	memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
kevman	0:38ceb79fef03	8746	}
kevman	0:38ceb79fef03	8747	}
kevman	0:38ceb79fef03	8748
kevman	0:38ceb79fef03	8749	#endif /* MBEDTLS_SSL_PROTO_DTLS */
kevman	0:38ceb79fef03	8750
kevman	0:38ceb79fef03	8751	void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8752	{
kevman	0:38ceb79fef03	8753	mbedtls_ssl_handshake_params *handshake = ssl->handshake;
kevman	0:38ceb79fef03	8754
kevman	0:38ceb79fef03	8755	if( handshake == NULL )
kevman	0:38ceb79fef03	8756	return;
kevman	0:38ceb79fef03	8757
kevman	0:38ceb79fef03	8758	#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
kevman	0:38ceb79fef03	8759	if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
kevman	0:38ceb79fef03	8760	{
kevman	0:38ceb79fef03	8761	ssl->conf->f_async_cancel( ssl );
kevman	0:38ceb79fef03	8762	handshake->async_in_progress = 0;
kevman	0:38ceb79fef03	8763	}
kevman	0:38ceb79fef03	8764	#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
kevman	0:38ceb79fef03	8765
kevman	0:38ceb79fef03	8766	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	8767	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	8768	mbedtls_md5_free( &handshake->fin_md5 );
kevman	0:38ceb79fef03	8769	mbedtls_sha1_free( &handshake->fin_sha1 );
kevman	0:38ceb79fef03	8770	#endif
kevman	0:38ceb79fef03	8771	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	8772	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	8773	mbedtls_sha256_free( &handshake->fin_sha256 );
kevman	0:38ceb79fef03	8774	#endif
kevman	0:38ceb79fef03	8775	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	8776	mbedtls_sha512_free( &handshake->fin_sha512 );
kevman	0:38ceb79fef03	8777	#endif
kevman	0:38ceb79fef03	8778	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	8779
kevman	0:38ceb79fef03	8780	#if defined(MBEDTLS_DHM_C)
kevman	0:38ceb79fef03	8781	mbedtls_dhm_free( &handshake->dhm_ctx );
kevman	0:38ceb79fef03	8782	#endif
kevman	0:38ceb79fef03	8783	#if defined(MBEDTLS_ECDH_C)
kevman	0:38ceb79fef03	8784	mbedtls_ecdh_free( &handshake->ecdh_ctx );
kevman	0:38ceb79fef03	8785	#endif
kevman	0:38ceb79fef03	8786	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
kevman	0:38ceb79fef03	8787	mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
kevman	0:38ceb79fef03	8788	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	8789	mbedtls_free( handshake->ecjpake_cache );
kevman	0:38ceb79fef03	8790	handshake->ecjpake_cache = NULL;
kevman	0:38ceb79fef03	8791	handshake->ecjpake_cache_len = 0;
kevman	0:38ceb79fef03	8792	#endif
kevman	0:38ceb79fef03	8793	#endif
kevman	0:38ceb79fef03	8794
kevman	0:38ceb79fef03	8795	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
kevman	0:38ceb79fef03	8796	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
kevman	0:38ceb79fef03	8797	/* explicit void pointer cast for buggy MS compiler */
kevman	0:38ceb79fef03	8798	mbedtls_free( (void *) handshake->curves );
kevman	0:38ceb79fef03	8799	#endif
kevman	0:38ceb79fef03	8800
kevman	0:38ceb79fef03	8801	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
kevman	0:38ceb79fef03	8802	if( handshake->psk != NULL )
kevman	0:38ceb79fef03	8803	{
kevman	0:38ceb79fef03	8804	mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
kevman	0:38ceb79fef03	8805	mbedtls_free( handshake->psk );
kevman	0:38ceb79fef03	8806	}
kevman	0:38ceb79fef03	8807	#endif
kevman	0:38ceb79fef03	8808
kevman	0:38ceb79fef03	8809	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
kevman	0:38ceb79fef03	8810	defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
kevman	0:38ceb79fef03	8811	/*
kevman	0:38ceb79fef03	8812	* Free only the linked list wrapper, not the keys themselves
kevman	0:38ceb79fef03	8813	* since the belong to the SNI callback
kevman	0:38ceb79fef03	8814	*/
kevman	0:38ceb79fef03	8815	if( handshake->sni_key_cert != NULL )
kevman	0:38ceb79fef03	8816	{
kevman	0:38ceb79fef03	8817	mbedtls_ssl_key_cert cur = handshake->sni_key_cert, next;
kevman	0:38ceb79fef03	8818
kevman	0:38ceb79fef03	8819	while( cur != NULL )
kevman	0:38ceb79fef03	8820	{
kevman	0:38ceb79fef03	8821	next = cur->next;
kevman	0:38ceb79fef03	8822	mbedtls_free( cur );
kevman	0:38ceb79fef03	8823	cur = next;
kevman	0:38ceb79fef03	8824	}
kevman	0:38ceb79fef03	8825	}
kevman	0:38ceb79fef03	8826	#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
kevman	0:38ceb79fef03	8827
kevman	0:38ceb79fef03	8828	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	8829	mbedtls_free( handshake->verify_cookie );
kevman	0:38ceb79fef03	8830	ssl_flight_free( handshake->flight );
kevman	0:38ceb79fef03	8831	ssl_buffering_free( ssl );
kevman	0:38ceb79fef03	8832	#endif
kevman	0:38ceb79fef03	8833
kevman	0:38ceb79fef03	8834	mbedtls_platform_zeroize( handshake,
kevman	0:38ceb79fef03	8835	sizeof( mbedtls_ssl_handshake_params ) );
kevman	0:38ceb79fef03	8836	}
kevman	0:38ceb79fef03	8837
kevman	0:38ceb79fef03	8838	void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
kevman	0:38ceb79fef03	8839	{
kevman	0:38ceb79fef03	8840	if( session == NULL )
kevman	0:38ceb79fef03	8841	return;
kevman	0:38ceb79fef03	8842
kevman	0:38ceb79fef03	8843	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	8844	if( session->peer_cert != NULL )
kevman	0:38ceb79fef03	8845	{
kevman	0:38ceb79fef03	8846	mbedtls_x509_crt_free( session->peer_cert );
kevman	0:38ceb79fef03	8847	mbedtls_free( session->peer_cert );
kevman	0:38ceb79fef03	8848	}
kevman	0:38ceb79fef03	8849	#endif
kevman	0:38ceb79fef03	8850
kevman	0:38ceb79fef03	8851	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	8852	mbedtls_free( session->ticket );
kevman	0:38ceb79fef03	8853	#endif
kevman	0:38ceb79fef03	8854
kevman	0:38ceb79fef03	8855	mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
kevman	0:38ceb79fef03	8856	}
kevman	0:38ceb79fef03	8857
kevman	0:38ceb79fef03	8858	/*
kevman	0:38ceb79fef03	8859	* Free an SSL context
kevman	0:38ceb79fef03	8860	*/
kevman	0:38ceb79fef03	8861	void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
kevman	0:38ceb79fef03	8862	{
kevman	0:38ceb79fef03	8863	if( ssl == NULL )
kevman	0:38ceb79fef03	8864	return;
kevman	0:38ceb79fef03	8865
kevman	0:38ceb79fef03	8866	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
kevman	0:38ceb79fef03	8867
kevman	0:38ceb79fef03	8868	if( ssl->out_buf != NULL )
kevman	0:38ceb79fef03	8869	{
kevman	0:38ceb79fef03	8870	mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
kevman	0:38ceb79fef03	8871	mbedtls_free( ssl->out_buf );
kevman	0:38ceb79fef03	8872	}
kevman	0:38ceb79fef03	8873
kevman	0:38ceb79fef03	8874	if( ssl->in_buf != NULL )
kevman	0:38ceb79fef03	8875	{
kevman	0:38ceb79fef03	8876	mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
kevman	0:38ceb79fef03	8877	mbedtls_free( ssl->in_buf );
kevman	0:38ceb79fef03	8878	}
kevman	0:38ceb79fef03	8879
kevman	0:38ceb79fef03	8880	#if defined(MBEDTLS_ZLIB_SUPPORT)
kevman	0:38ceb79fef03	8881	if( ssl->compress_buf != NULL )
kevman	0:38ceb79fef03	8882	{
kevman	0:38ceb79fef03	8883	mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
kevman	0:38ceb79fef03	8884	mbedtls_free( ssl->compress_buf );
kevman	0:38ceb79fef03	8885	}
kevman	0:38ceb79fef03	8886	#endif
kevman	0:38ceb79fef03	8887
kevman	0:38ceb79fef03	8888	if( ssl->transform )
kevman	0:38ceb79fef03	8889	{
kevman	0:38ceb79fef03	8890	mbedtls_ssl_transform_free( ssl->transform );
kevman	0:38ceb79fef03	8891	mbedtls_free( ssl->transform );
kevman	0:38ceb79fef03	8892	}
kevman	0:38ceb79fef03	8893
kevman	0:38ceb79fef03	8894	if( ssl->handshake )
kevman	0:38ceb79fef03	8895	{
kevman	0:38ceb79fef03	8896	mbedtls_ssl_handshake_free( ssl );
kevman	0:38ceb79fef03	8897	mbedtls_ssl_transform_free( ssl->transform_negotiate );
kevman	0:38ceb79fef03	8898	mbedtls_ssl_session_free( ssl->session_negotiate );
kevman	0:38ceb79fef03	8899
kevman	0:38ceb79fef03	8900	mbedtls_free( ssl->handshake );
kevman	0:38ceb79fef03	8901	mbedtls_free( ssl->transform_negotiate );
kevman	0:38ceb79fef03	8902	mbedtls_free( ssl->session_negotiate );
kevman	0:38ceb79fef03	8903	}
kevman	0:38ceb79fef03	8904
kevman	0:38ceb79fef03	8905	if( ssl->session )
kevman	0:38ceb79fef03	8906	{
kevman	0:38ceb79fef03	8907	mbedtls_ssl_session_free( ssl->session );
kevman	0:38ceb79fef03	8908	mbedtls_free( ssl->session );
kevman	0:38ceb79fef03	8909	}
kevman	0:38ceb79fef03	8910
kevman	0:38ceb79fef03	8911	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	8912	if( ssl->hostname != NULL )
kevman	0:38ceb79fef03	8913	{
kevman	0:38ceb79fef03	8914	mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
kevman	0:38ceb79fef03	8915	mbedtls_free( ssl->hostname );
kevman	0:38ceb79fef03	8916	}
kevman	0:38ceb79fef03	8917	#endif
kevman	0:38ceb79fef03	8918
kevman	0:38ceb79fef03	8919	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
kevman	0:38ceb79fef03	8920	if( mbedtls_ssl_hw_record_finish != NULL )
kevman	0:38ceb79fef03	8921	{
kevman	0:38ceb79fef03	8922	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
kevman	0:38ceb79fef03	8923	mbedtls_ssl_hw_record_finish( ssl );
kevman	0:38ceb79fef03	8924	}
kevman	0:38ceb79fef03	8925	#endif
kevman	0:38ceb79fef03	8926
kevman	0:38ceb79fef03	8927	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	8928	mbedtls_free( ssl->cli_id );
kevman	0:38ceb79fef03	8929	#endif
kevman	0:38ceb79fef03	8930
kevman	0:38ceb79fef03	8931	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
kevman	0:38ceb79fef03	8932
kevman	0:38ceb79fef03	8933	/* Actually clear after last debug message */
kevman	0:38ceb79fef03	8934	mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
kevman	0:38ceb79fef03	8935	}
kevman	0:38ceb79fef03	8936
kevman	0:38ceb79fef03	8937	/*
kevman	0:38ceb79fef03	8938	* Initialze mbedtls_ssl_config
kevman	0:38ceb79fef03	8939	*/
kevman	0:38ceb79fef03	8940	void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
kevman	0:38ceb79fef03	8941	{
kevman	0:38ceb79fef03	8942	memset( conf, 0, sizeof( mbedtls_ssl_config ) );
kevman	0:38ceb79fef03	8943	}
kevman	0:38ceb79fef03	8944
kevman	0:38ceb79fef03	8945	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	8946	static int ssl_preset_default_hashes[] = {
kevman	0:38ceb79fef03	8947	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	8948	MBEDTLS_MD_SHA512,
kevman	0:38ceb79fef03	8949	MBEDTLS_MD_SHA384,
kevman	0:38ceb79fef03	8950	#endif
kevman	0:38ceb79fef03	8951	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	8952	MBEDTLS_MD_SHA256,
kevman	0:38ceb79fef03	8953	MBEDTLS_MD_SHA224,
kevman	0:38ceb79fef03	8954	#endif
kevman	0:38ceb79fef03	8955	#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
kevman	0:38ceb79fef03	8956	MBEDTLS_MD_SHA1,
kevman	0:38ceb79fef03	8957	#endif
kevman	0:38ceb79fef03	8958	MBEDTLS_MD_NONE
kevman	0:38ceb79fef03	8959	};
kevman	0:38ceb79fef03	8960	#endif
kevman	0:38ceb79fef03	8961
kevman	0:38ceb79fef03	8962	static int ssl_preset_suiteb_ciphersuites[] = {
kevman	0:38ceb79fef03	8963	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
kevman	0:38ceb79fef03	8964	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
kevman	0:38ceb79fef03	8965	0
kevman	0:38ceb79fef03	8966	};
kevman	0:38ceb79fef03	8967
kevman	0:38ceb79fef03	8968	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	8969	static int ssl_preset_suiteb_hashes[] = {
kevman	0:38ceb79fef03	8970	MBEDTLS_MD_SHA256,
kevman	0:38ceb79fef03	8971	MBEDTLS_MD_SHA384,
kevman	0:38ceb79fef03	8972	MBEDTLS_MD_NONE
kevman	0:38ceb79fef03	8973	};
kevman	0:38ceb79fef03	8974	#endif
kevman	0:38ceb79fef03	8975
kevman	0:38ceb79fef03	8976	#if defined(MBEDTLS_ECP_C)
kevman	0:38ceb79fef03	8977	static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
kevman	0:38ceb79fef03	8978	MBEDTLS_ECP_DP_SECP256R1,
kevman	0:38ceb79fef03	8979	MBEDTLS_ECP_DP_SECP384R1,
kevman	0:38ceb79fef03	8980	MBEDTLS_ECP_DP_NONE
kevman	0:38ceb79fef03	8981	};
kevman	0:38ceb79fef03	8982	#endif
kevman	0:38ceb79fef03	8983
kevman	0:38ceb79fef03	8984	/*
kevman	0:38ceb79fef03	8985	* Load default in mbedtls_ssl_config
kevman	0:38ceb79fef03	8986	*/
kevman	0:38ceb79fef03	8987	int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
kevman	0:38ceb79fef03	8988	int endpoint, int transport, int preset )
kevman	0:38ceb79fef03	8989	{
kevman	0:38ceb79fef03	8990	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	8991	int ret;
kevman	0:38ceb79fef03	8992	#endif
kevman	0:38ceb79fef03	8993
kevman	0:38ceb79fef03	8994	/* Use the functions here so that they are covered in tests,
kevman	0:38ceb79fef03	8995	* but otherwise access member directly for efficiency */
kevman	0:38ceb79fef03	8996	mbedtls_ssl_conf_endpoint( conf, endpoint );
kevman	0:38ceb79fef03	8997	mbedtls_ssl_conf_transport( conf, transport );
kevman	0:38ceb79fef03	8998
kevman	0:38ceb79fef03	8999	/*
kevman	0:38ceb79fef03	9000	* Things that are common to all presets
kevman	0:38ceb79fef03	9001	*/
kevman	0:38ceb79fef03	9002	#if defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	9003	if( endpoint == MBEDTLS_SSL_IS_CLIENT )
kevman	0:38ceb79fef03	9004	{
kevman	0:38ceb79fef03	9005	conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
kevman	0:38ceb79fef03	9006	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
kevman	0:38ceb79fef03	9007	conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
kevman	0:38ceb79fef03	9008	#endif
kevman	0:38ceb79fef03	9009	}
kevman	0:38ceb79fef03	9010	#endif
kevman	0:38ceb79fef03	9011
kevman	0:38ceb79fef03	9012	#if defined(MBEDTLS_ARC4_C)
kevman	0:38ceb79fef03	9013	conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
kevman	0:38ceb79fef03	9014	#endif
kevman	0:38ceb79fef03	9015
kevman	0:38ceb79fef03	9016	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
kevman	0:38ceb79fef03	9017	conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
kevman	0:38ceb79fef03	9018	#endif
kevman	0:38ceb79fef03	9019
kevman	0:38ceb79fef03	9020	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
kevman	0:38ceb79fef03	9021	conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
kevman	0:38ceb79fef03	9022	#endif
kevman	0:38ceb79fef03	9023
kevman	0:38ceb79fef03	9024	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
kevman	0:38ceb79fef03	9025	conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
kevman	0:38ceb79fef03	9026	#endif
kevman	0:38ceb79fef03	9027
kevman	0:38ceb79fef03	9028	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	9029	conf->f_cookie_write = ssl_cookie_write_dummy;
kevman	0:38ceb79fef03	9030	conf->f_cookie_check = ssl_cookie_check_dummy;
kevman	0:38ceb79fef03	9031	#endif
kevman	0:38ceb79fef03	9032
kevman	0:38ceb79fef03	9033	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
kevman	0:38ceb79fef03	9034	conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
kevman	0:38ceb79fef03	9035	#endif
kevman	0:38ceb79fef03	9036
kevman	0:38ceb79fef03	9037	#if defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	9038	conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
kevman	0:38ceb79fef03	9039	#endif
kevman	0:38ceb79fef03	9040
kevman	0:38ceb79fef03	9041	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	9042	conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
kevman	0:38ceb79fef03	9043	conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
kevman	0:38ceb79fef03	9044	#endif
kevman	0:38ceb79fef03	9045
kevman	0:38ceb79fef03	9046	#if defined(MBEDTLS_SSL_RENEGOTIATION)
kevman	0:38ceb79fef03	9047	conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
kevman	0:38ceb79fef03	9048	memset( conf->renego_period, 0x00, 2 );
kevman	0:38ceb79fef03	9049	memset( conf->renego_period + 2, 0xFF, 6 );
kevman	0:38ceb79fef03	9050	#endif
kevman	0:38ceb79fef03	9051
kevman	0:38ceb79fef03	9052	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
kevman	0:38ceb79fef03	9053	if( endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	9054	{
kevman	0:38ceb79fef03	9055	const unsigned char dhm_p[] =
kevman	0:38ceb79fef03	9056	MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
kevman	0:38ceb79fef03	9057	const unsigned char dhm_g[] =
kevman	0:38ceb79fef03	9058	MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
kevman	0:38ceb79fef03	9059
kevman	0:38ceb79fef03	9060	if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
kevman	0:38ceb79fef03	9061	dhm_p, sizeof( dhm_p ),
kevman	0:38ceb79fef03	9062	dhm_g, sizeof( dhm_g ) ) ) != 0 )
kevman	0:38ceb79fef03	9063	{
kevman	0:38ceb79fef03	9064	return( ret );
kevman	0:38ceb79fef03	9065	}
kevman	0:38ceb79fef03	9066	}
kevman	0:38ceb79fef03	9067	#endif
kevman	0:38ceb79fef03	9068
kevman	0:38ceb79fef03	9069	/*
kevman	0:38ceb79fef03	9070	* Preset-specific defaults
kevman	0:38ceb79fef03	9071	*/
kevman	0:38ceb79fef03	9072	switch( preset )
kevman	0:38ceb79fef03	9073	{
kevman	0:38ceb79fef03	9074	/*
kevman	0:38ceb79fef03	9075	* NSA Suite B
kevman	0:38ceb79fef03	9076	*/
kevman	0:38ceb79fef03	9077	case MBEDTLS_SSL_PRESET_SUITEB:
kevman	0:38ceb79fef03	9078	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
kevman	0:38ceb79fef03	9079	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
kevman	0:38ceb79fef03	9080	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
kevman	0:38ceb79fef03	9081	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
kevman	0:38ceb79fef03	9082
kevman	0:38ceb79fef03	9083	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
kevman	0:38ceb79fef03	9084	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
kevman	0:38ceb79fef03	9085	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
kevman	0:38ceb79fef03	9086	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
kevman	0:38ceb79fef03	9087	ssl_preset_suiteb_ciphersuites;
kevman	0:38ceb79fef03	9088
kevman	0:38ceb79fef03	9089	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	9090	conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
kevman	0:38ceb79fef03	9091	#endif
kevman	0:38ceb79fef03	9092
kevman	0:38ceb79fef03	9093	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	9094	conf->sig_hashes = ssl_preset_suiteb_hashes;
kevman	0:38ceb79fef03	9095	#endif
kevman	0:38ceb79fef03	9096
kevman	0:38ceb79fef03	9097	#if defined(MBEDTLS_ECP_C)
kevman	0:38ceb79fef03	9098	conf->curve_list = ssl_preset_suiteb_curves;
kevman	0:38ceb79fef03	9099	#endif
kevman	0:38ceb79fef03	9100	break;
kevman	0:38ceb79fef03	9101
kevman	0:38ceb79fef03	9102	/*
kevman	0:38ceb79fef03	9103	* Default
kevman	0:38ceb79fef03	9104	*/
kevman	0:38ceb79fef03	9105	default:
kevman	0:38ceb79fef03	9106	conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
kevman	0:38ceb79fef03	9107	MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
kevman	0:38ceb79fef03	9108	MBEDTLS_SSL_MIN_MAJOR_VERSION :
kevman	0:38ceb79fef03	9109	MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
kevman	0:38ceb79fef03	9110	conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
kevman	0:38ceb79fef03	9111	MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
kevman	0:38ceb79fef03	9112	MBEDTLS_SSL_MIN_MINOR_VERSION :
kevman	0:38ceb79fef03	9113	MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
kevman	0:38ceb79fef03	9114	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
kevman	0:38ceb79fef03	9115	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
kevman	0:38ceb79fef03	9116
kevman	0:38ceb79fef03	9117	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	9118	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	9119	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
kevman	0:38ceb79fef03	9120	#endif
kevman	0:38ceb79fef03	9121
kevman	0:38ceb79fef03	9122	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
kevman	0:38ceb79fef03	9123	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
kevman	0:38ceb79fef03	9124	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
kevman	0:38ceb79fef03	9125	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
kevman	0:38ceb79fef03	9126	mbedtls_ssl_list_ciphersuites();
kevman	0:38ceb79fef03	9127
kevman	0:38ceb79fef03	9128	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	9129	conf->cert_profile = &mbedtls_x509_crt_profile_default;
kevman	0:38ceb79fef03	9130	#endif
kevman	0:38ceb79fef03	9131
kevman	0:38ceb79fef03	9132	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	9133	conf->sig_hashes = ssl_preset_default_hashes;
kevman	0:38ceb79fef03	9134	#endif
kevman	0:38ceb79fef03	9135
kevman	0:38ceb79fef03	9136	#if defined(MBEDTLS_ECP_C)
kevman	0:38ceb79fef03	9137	conf->curve_list = mbedtls_ecp_grp_id_list();
kevman	0:38ceb79fef03	9138	#endif
kevman	0:38ceb79fef03	9139
kevman	0:38ceb79fef03	9140	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
kevman	0:38ceb79fef03	9141	conf->dhm_min_bitlen = 1024;
kevman	0:38ceb79fef03	9142	#endif
kevman	0:38ceb79fef03	9143	}
kevman	0:38ceb79fef03	9144
kevman	0:38ceb79fef03	9145	return( 0 );
kevman	0:38ceb79fef03	9146	}
kevman	0:38ceb79fef03	9147
kevman	0:38ceb79fef03	9148	/*
kevman	0:38ceb79fef03	9149	* Free mbedtls_ssl_config
kevman	0:38ceb79fef03	9150	*/
kevman	0:38ceb79fef03	9151	void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
kevman	0:38ceb79fef03	9152	{
kevman	0:38ceb79fef03	9153	#if defined(MBEDTLS_DHM_C)
kevman	0:38ceb79fef03	9154	mbedtls_mpi_free( &conf->dhm_P );
kevman	0:38ceb79fef03	9155	mbedtls_mpi_free( &conf->dhm_G );
kevman	0:38ceb79fef03	9156	#endif
kevman	0:38ceb79fef03	9157
kevman	0:38ceb79fef03	9158	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
kevman	0:38ceb79fef03	9159	if( conf->psk != NULL )
kevman	0:38ceb79fef03	9160	{
kevman	0:38ceb79fef03	9161	mbedtls_platform_zeroize( conf->psk, conf->psk_len );
kevman	0:38ceb79fef03	9162	mbedtls_free( conf->psk );
kevman	0:38ceb79fef03	9163	conf->psk = NULL;
kevman	0:38ceb79fef03	9164	conf->psk_len = 0;
kevman	0:38ceb79fef03	9165	}
kevman	0:38ceb79fef03	9166
kevman	0:38ceb79fef03	9167	if( conf->psk_identity != NULL )
kevman	0:38ceb79fef03	9168	{
kevman	0:38ceb79fef03	9169	mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
kevman	0:38ceb79fef03	9170	mbedtls_free( conf->psk_identity );
kevman	0:38ceb79fef03	9171	conf->psk_identity = NULL;
kevman	0:38ceb79fef03	9172	conf->psk_identity_len = 0;
kevman	0:38ceb79fef03	9173	}
kevman	0:38ceb79fef03	9174	#endif
kevman	0:38ceb79fef03	9175
kevman	0:38ceb79fef03	9176	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	9177	ssl_key_cert_free( conf->key_cert );
kevman	0:38ceb79fef03	9178	#endif
kevman	0:38ceb79fef03	9179
kevman	0:38ceb79fef03	9180	mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
kevman	0:38ceb79fef03	9181	}
kevman	0:38ceb79fef03	9182
kevman	0:38ceb79fef03	9183	#if defined(MBEDTLS_PK_C) && \
kevman	0:38ceb79fef03	9184	( defined(MBEDTLS_RSA_C) \|\| defined(MBEDTLS_ECDSA_C) )
kevman	0:38ceb79fef03	9185	/*
kevman	0:38ceb79fef03	9186	* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
kevman	0:38ceb79fef03	9187	*/
kevman	0:38ceb79fef03	9188	unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
kevman	0:38ceb79fef03	9189	{
kevman	0:38ceb79fef03	9190	#if defined(MBEDTLS_RSA_C)
kevman	0:38ceb79fef03	9191	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
kevman	0:38ceb79fef03	9192	return( MBEDTLS_SSL_SIG_RSA );
kevman	0:38ceb79fef03	9193	#endif
kevman	0:38ceb79fef03	9194	#if defined(MBEDTLS_ECDSA_C)
kevman	0:38ceb79fef03	9195	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
kevman	0:38ceb79fef03	9196	return( MBEDTLS_SSL_SIG_ECDSA );
kevman	0:38ceb79fef03	9197	#endif
kevman	0:38ceb79fef03	9198	return( MBEDTLS_SSL_SIG_ANON );
kevman	0:38ceb79fef03	9199	}
kevman	0:38ceb79fef03	9200
kevman	0:38ceb79fef03	9201	unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
kevman	0:38ceb79fef03	9202	{
kevman	0:38ceb79fef03	9203	switch( type ) {
kevman	0:38ceb79fef03	9204	case MBEDTLS_PK_RSA:
kevman	0:38ceb79fef03	9205	return( MBEDTLS_SSL_SIG_RSA );
kevman	0:38ceb79fef03	9206	case MBEDTLS_PK_ECDSA:
kevman	0:38ceb79fef03	9207	case MBEDTLS_PK_ECKEY:
kevman	0:38ceb79fef03	9208	return( MBEDTLS_SSL_SIG_ECDSA );
kevman	0:38ceb79fef03	9209	default:
kevman	0:38ceb79fef03	9210	return( MBEDTLS_SSL_SIG_ANON );
kevman	0:38ceb79fef03	9211	}
kevman	0:38ceb79fef03	9212	}
kevman	0:38ceb79fef03	9213
kevman	0:38ceb79fef03	9214	mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
kevman	0:38ceb79fef03	9215	{
kevman	0:38ceb79fef03	9216	switch( sig )
kevman	0:38ceb79fef03	9217	{
kevman	0:38ceb79fef03	9218	#if defined(MBEDTLS_RSA_C)
kevman	0:38ceb79fef03	9219	case MBEDTLS_SSL_SIG_RSA:
kevman	0:38ceb79fef03	9220	return( MBEDTLS_PK_RSA );
kevman	0:38ceb79fef03	9221	#endif
kevman	0:38ceb79fef03	9222	#if defined(MBEDTLS_ECDSA_C)
kevman	0:38ceb79fef03	9223	case MBEDTLS_SSL_SIG_ECDSA:
kevman	0:38ceb79fef03	9224	return( MBEDTLS_PK_ECDSA );
kevman	0:38ceb79fef03	9225	#endif
kevman	0:38ceb79fef03	9226	default:
kevman	0:38ceb79fef03	9227	return( MBEDTLS_PK_NONE );
kevman	0:38ceb79fef03	9228	}
kevman	0:38ceb79fef03	9229	}
kevman	0:38ceb79fef03	9230	#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C \|\| MBEDTLS_ECDSA_C ) */
kevman	0:38ceb79fef03	9231
kevman	0:38ceb79fef03	9232	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
kevman	0:38ceb79fef03	9233	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	9234
kevman	0:38ceb79fef03	9235	/* Find an entry in a signature-hash set matching a given hash algorithm. */
kevman	0:38ceb79fef03	9236	mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
kevman	0:38ceb79fef03	9237	mbedtls_pk_type_t sig_alg )
kevman	0:38ceb79fef03	9238	{
kevman	0:38ceb79fef03	9239	switch( sig_alg )
kevman	0:38ceb79fef03	9240	{
kevman	0:38ceb79fef03	9241	case MBEDTLS_PK_RSA:
kevman	0:38ceb79fef03	9242	return( set->rsa );
kevman	0:38ceb79fef03	9243	case MBEDTLS_PK_ECDSA:
kevman	0:38ceb79fef03	9244	return( set->ecdsa );
kevman	0:38ceb79fef03	9245	default:
kevman	0:38ceb79fef03	9246	return( MBEDTLS_MD_NONE );
kevman	0:38ceb79fef03	9247	}
kevman	0:38ceb79fef03	9248	}
kevman	0:38ceb79fef03	9249
kevman	0:38ceb79fef03	9250	/* Add a signature-hash-pair to a signature-hash set */
kevman	0:38ceb79fef03	9251	void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
kevman	0:38ceb79fef03	9252	mbedtls_pk_type_t sig_alg,
kevman	0:38ceb79fef03	9253	mbedtls_md_type_t md_alg )
kevman	0:38ceb79fef03	9254	{
kevman	0:38ceb79fef03	9255	switch( sig_alg )
kevman	0:38ceb79fef03	9256	{
kevman	0:38ceb79fef03	9257	case MBEDTLS_PK_RSA:
kevman	0:38ceb79fef03	9258	if( set->rsa == MBEDTLS_MD_NONE )
kevman	0:38ceb79fef03	9259	set->rsa = md_alg;
kevman	0:38ceb79fef03	9260	break;
kevman	0:38ceb79fef03	9261
kevman	0:38ceb79fef03	9262	case MBEDTLS_PK_ECDSA:
kevman	0:38ceb79fef03	9263	if( set->ecdsa == MBEDTLS_MD_NONE )
kevman	0:38ceb79fef03	9264	set->ecdsa = md_alg;
kevman	0:38ceb79fef03	9265	break;
kevman	0:38ceb79fef03	9266
kevman	0:38ceb79fef03	9267	default:
kevman	0:38ceb79fef03	9268	break;
kevman	0:38ceb79fef03	9269	}
kevman	0:38ceb79fef03	9270	}
kevman	0:38ceb79fef03	9271
kevman	0:38ceb79fef03	9272	/* Allow exactly one hash algorithm for each signature. */
kevman	0:38ceb79fef03	9273	void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
kevman	0:38ceb79fef03	9274	mbedtls_md_type_t md_alg )
kevman	0:38ceb79fef03	9275	{
kevman	0:38ceb79fef03	9276	set->rsa = md_alg;
kevman	0:38ceb79fef03	9277	set->ecdsa = md_alg;
kevman	0:38ceb79fef03	9278	}
kevman	0:38ceb79fef03	9279
kevman	0:38ceb79fef03	9280	#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
kevman	0:38ceb79fef03	9281	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
kevman	0:38ceb79fef03	9282
kevman	0:38ceb79fef03	9283	/*
kevman	0:38ceb79fef03	9284	* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
kevman	0:38ceb79fef03	9285	*/
kevman	0:38ceb79fef03	9286	mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
kevman	0:38ceb79fef03	9287	{
kevman	0:38ceb79fef03	9288	switch( hash )
kevman	0:38ceb79fef03	9289	{
kevman	0:38ceb79fef03	9290	#if defined(MBEDTLS_MD5_C)
kevman	0:38ceb79fef03	9291	case MBEDTLS_SSL_HASH_MD5:
kevman	0:38ceb79fef03	9292	return( MBEDTLS_MD_MD5 );
kevman	0:38ceb79fef03	9293	#endif
kevman	0:38ceb79fef03	9294	#if defined(MBEDTLS_SHA1_C)
kevman	0:38ceb79fef03	9295	case MBEDTLS_SSL_HASH_SHA1:
kevman	0:38ceb79fef03	9296	return( MBEDTLS_MD_SHA1 );
kevman	0:38ceb79fef03	9297	#endif
kevman	0:38ceb79fef03	9298	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	9299	case MBEDTLS_SSL_HASH_SHA224:
kevman	0:38ceb79fef03	9300	return( MBEDTLS_MD_SHA224 );
kevman	0:38ceb79fef03	9301	case MBEDTLS_SSL_HASH_SHA256:
kevman	0:38ceb79fef03	9302	return( MBEDTLS_MD_SHA256 );
kevman	0:38ceb79fef03	9303	#endif
kevman	0:38ceb79fef03	9304	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	9305	case MBEDTLS_SSL_HASH_SHA384:
kevman	0:38ceb79fef03	9306	return( MBEDTLS_MD_SHA384 );
kevman	0:38ceb79fef03	9307	case MBEDTLS_SSL_HASH_SHA512:
kevman	0:38ceb79fef03	9308	return( MBEDTLS_MD_SHA512 );
kevman	0:38ceb79fef03	9309	#endif
kevman	0:38ceb79fef03	9310	default:
kevman	0:38ceb79fef03	9311	return( MBEDTLS_MD_NONE );
kevman	0:38ceb79fef03	9312	}
kevman	0:38ceb79fef03	9313	}
kevman	0:38ceb79fef03	9314
kevman	0:38ceb79fef03	9315	/*
kevman	0:38ceb79fef03	9316	* Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
kevman	0:38ceb79fef03	9317	*/
kevman	0:38ceb79fef03	9318	unsigned char mbedtls_ssl_hash_from_md_alg( int md )
kevman	0:38ceb79fef03	9319	{
kevman	0:38ceb79fef03	9320	switch( md )
kevman	0:38ceb79fef03	9321	{
kevman	0:38ceb79fef03	9322	#if defined(MBEDTLS_MD5_C)
kevman	0:38ceb79fef03	9323	case MBEDTLS_MD_MD5:
kevman	0:38ceb79fef03	9324	return( MBEDTLS_SSL_HASH_MD5 );
kevman	0:38ceb79fef03	9325	#endif
kevman	0:38ceb79fef03	9326	#if defined(MBEDTLS_SHA1_C)
kevman	0:38ceb79fef03	9327	case MBEDTLS_MD_SHA1:
kevman	0:38ceb79fef03	9328	return( MBEDTLS_SSL_HASH_SHA1 );
kevman	0:38ceb79fef03	9329	#endif
kevman	0:38ceb79fef03	9330	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	9331	case MBEDTLS_MD_SHA224:
kevman	0:38ceb79fef03	9332	return( MBEDTLS_SSL_HASH_SHA224 );
kevman	0:38ceb79fef03	9333	case MBEDTLS_MD_SHA256:
kevman	0:38ceb79fef03	9334	return( MBEDTLS_SSL_HASH_SHA256 );
kevman	0:38ceb79fef03	9335	#endif
kevman	0:38ceb79fef03	9336	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	9337	case MBEDTLS_MD_SHA384:
kevman	0:38ceb79fef03	9338	return( MBEDTLS_SSL_HASH_SHA384 );
kevman	0:38ceb79fef03	9339	case MBEDTLS_MD_SHA512:
kevman	0:38ceb79fef03	9340	return( MBEDTLS_SSL_HASH_SHA512 );
kevman	0:38ceb79fef03	9341	#endif
kevman	0:38ceb79fef03	9342	default:
kevman	0:38ceb79fef03	9343	return( MBEDTLS_SSL_HASH_NONE );
kevman	0:38ceb79fef03	9344	}
kevman	0:38ceb79fef03	9345	}
kevman	0:38ceb79fef03	9346
kevman	0:38ceb79fef03	9347	#if defined(MBEDTLS_ECP_C)
kevman	0:38ceb79fef03	9348	/*
kevman	0:38ceb79fef03	9349	* Check if a curve proposed by the peer is in our list.
kevman	0:38ceb79fef03	9350	* Return 0 if we're willing to use it, -1 otherwise.
kevman	0:38ceb79fef03	9351	*/
kevman	0:38ceb79fef03	9352	int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
kevman	0:38ceb79fef03	9353	{
kevman	0:38ceb79fef03	9354	const mbedtls_ecp_group_id *gid;
kevman	0:38ceb79fef03	9355
kevman	0:38ceb79fef03	9356	if( ssl->conf->curve_list == NULL )
kevman	0:38ceb79fef03	9357	return( -1 );
kevman	0:38ceb79fef03	9358
kevman	0:38ceb79fef03	9359	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
kevman	0:38ceb79fef03	9360	if( *gid == grp_id )
kevman	0:38ceb79fef03	9361	return( 0 );
kevman	0:38ceb79fef03	9362
kevman	0:38ceb79fef03	9363	return( -1 );
kevman	0:38ceb79fef03	9364	}
kevman	0:38ceb79fef03	9365	#endif /* MBEDTLS_ECP_C */
kevman	0:38ceb79fef03	9366
kevman	0:38ceb79fef03	9367	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
kevman	0:38ceb79fef03	9368	/*
kevman	0:38ceb79fef03	9369	* Check if a hash proposed by the peer is in our list.
kevman	0:38ceb79fef03	9370	* Return 0 if we're willing to use it, -1 otherwise.
kevman	0:38ceb79fef03	9371	*/
kevman	0:38ceb79fef03	9372	int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	9373	mbedtls_md_type_t md )
kevman	0:38ceb79fef03	9374	{
kevman	0:38ceb79fef03	9375	const int *cur;
kevman	0:38ceb79fef03	9376
kevman	0:38ceb79fef03	9377	if( ssl->conf->sig_hashes == NULL )
kevman	0:38ceb79fef03	9378	return( -1 );
kevman	0:38ceb79fef03	9379
kevman	0:38ceb79fef03	9380	for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
kevman	0:38ceb79fef03	9381	if( *cur == (int) md )
kevman	0:38ceb79fef03	9382	return( 0 );
kevman	0:38ceb79fef03	9383
kevman	0:38ceb79fef03	9384	return( -1 );
kevman	0:38ceb79fef03	9385	}
kevman	0:38ceb79fef03	9386	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
kevman	0:38ceb79fef03	9387
kevman	0:38ceb79fef03	9388	#if defined(MBEDTLS_X509_CRT_PARSE_C)
kevman	0:38ceb79fef03	9389	int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
kevman	0:38ceb79fef03	9390	const mbedtls_ssl_ciphersuite_t *ciphersuite,
kevman	0:38ceb79fef03	9391	int cert_endpoint,
kevman	0:38ceb79fef03	9392	uint32_t *flags )
kevman	0:38ceb79fef03	9393	{
kevman	0:38ceb79fef03	9394	int ret = 0;
kevman	0:38ceb79fef03	9395	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
kevman	0:38ceb79fef03	9396	int usage = 0;
kevman	0:38ceb79fef03	9397	#endif
kevman	0:38ceb79fef03	9398	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
kevman	0:38ceb79fef03	9399	const char *ext_oid;
kevman	0:38ceb79fef03	9400	size_t ext_len;
kevman	0:38ceb79fef03	9401	#endif
kevman	0:38ceb79fef03	9402
kevman	0:38ceb79fef03	9403	#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
kevman	0:38ceb79fef03	9404	!defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
kevman	0:38ceb79fef03	9405	((void) cert);
kevman	0:38ceb79fef03	9406	((void) cert_endpoint);
kevman	0:38ceb79fef03	9407	((void) flags);
kevman	0:38ceb79fef03	9408	#endif
kevman	0:38ceb79fef03	9409
kevman	0:38ceb79fef03	9410	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
kevman	0:38ceb79fef03	9411	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	9412	{
kevman	0:38ceb79fef03	9413	/* Server part of the key exchange */
kevman	0:38ceb79fef03	9414	switch( ciphersuite->key_exchange )
kevman	0:38ceb79fef03	9415	{
kevman	0:38ceb79fef03	9416	case MBEDTLS_KEY_EXCHANGE_RSA:
kevman	0:38ceb79fef03	9417	case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
kevman	0:38ceb79fef03	9418	usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
kevman	0:38ceb79fef03	9419	break;
kevman	0:38ceb79fef03	9420
kevman	0:38ceb79fef03	9421	case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
kevman	0:38ceb79fef03	9422	case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
kevman	0:38ceb79fef03	9423	case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
kevman	0:38ceb79fef03	9424	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
kevman	0:38ceb79fef03	9425	break;
kevman	0:38ceb79fef03	9426
kevman	0:38ceb79fef03	9427	case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
kevman	0:38ceb79fef03	9428	case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
kevman	0:38ceb79fef03	9429	usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
kevman	0:38ceb79fef03	9430	break;
kevman	0:38ceb79fef03	9431
kevman	0:38ceb79fef03	9432	/* Don't use default: we want warnings when adding new values */
kevman	0:38ceb79fef03	9433	case MBEDTLS_KEY_EXCHANGE_NONE:
kevman	0:38ceb79fef03	9434	case MBEDTLS_KEY_EXCHANGE_PSK:
kevman	0:38ceb79fef03	9435	case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
kevman	0:38ceb79fef03	9436	case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
kevman	0:38ceb79fef03	9437	case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
kevman	0:38ceb79fef03	9438	usage = 0;
kevman	0:38ceb79fef03	9439	}
kevman	0:38ceb79fef03	9440	}
kevman	0:38ceb79fef03	9441	else
kevman	0:38ceb79fef03	9442	{
kevman	0:38ceb79fef03	9443	/* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
kevman	0:38ceb79fef03	9444	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
kevman	0:38ceb79fef03	9445	}
kevman	0:38ceb79fef03	9446
kevman	0:38ceb79fef03	9447	if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
kevman	0:38ceb79fef03	9448	{
kevman	0:38ceb79fef03	9449	*flags \|= MBEDTLS_X509_BADCERT_KEY_USAGE;
kevman	0:38ceb79fef03	9450	ret = -1;
kevman	0:38ceb79fef03	9451	}
kevman	0:38ceb79fef03	9452	#else
kevman	0:38ceb79fef03	9453	((void) ciphersuite);
kevman	0:38ceb79fef03	9454	#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
kevman	0:38ceb79fef03	9455
kevman	0:38ceb79fef03	9456	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
kevman	0:38ceb79fef03	9457	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
kevman	0:38ceb79fef03	9458	{
kevman	0:38ceb79fef03	9459	ext_oid = MBEDTLS_OID_SERVER_AUTH;
kevman	0:38ceb79fef03	9460	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
kevman	0:38ceb79fef03	9461	}
kevman	0:38ceb79fef03	9462	else
kevman	0:38ceb79fef03	9463	{
kevman	0:38ceb79fef03	9464	ext_oid = MBEDTLS_OID_CLIENT_AUTH;
kevman	0:38ceb79fef03	9465	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
kevman	0:38ceb79fef03	9466	}
kevman	0:38ceb79fef03	9467
kevman	0:38ceb79fef03	9468	if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
kevman	0:38ceb79fef03	9469	{
kevman	0:38ceb79fef03	9470	*flags \|= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
kevman	0:38ceb79fef03	9471	ret = -1;
kevman	0:38ceb79fef03	9472	}
kevman	0:38ceb79fef03	9473	#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
kevman	0:38ceb79fef03	9474
kevman	0:38ceb79fef03	9475	return( ret );
kevman	0:38ceb79fef03	9476	}
kevman	0:38ceb79fef03	9477	#endif /* MBEDTLS_X509_CRT_PARSE_C */
kevman	0:38ceb79fef03	9478
kevman	0:38ceb79fef03	9479	/*
kevman	0:38ceb79fef03	9480	* Convert version numbers to/from wire format
kevman	0:38ceb79fef03	9481	* and, for DTLS, to/from TLS equivalent.
kevman	0:38ceb79fef03	9482	*
kevman	0:38ceb79fef03	9483	* For TLS this is the identity.
kevman	0:38ceb79fef03	9484	* For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
kevman	0:38ceb79fef03	9485	* 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
kevman	0:38ceb79fef03	9486	* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
kevman	0:38ceb79fef03	9487	*/
kevman	0:38ceb79fef03	9488	void mbedtls_ssl_write_version( int major, int minor, int transport,
kevman	0:38ceb79fef03	9489	unsigned char ver[2] )
kevman	0:38ceb79fef03	9490	{
kevman	0:38ceb79fef03	9491	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	9492	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	9493	{
kevman	0:38ceb79fef03	9494	if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
kevman	0:38ceb79fef03	9495	--minor; /* DTLS 1.0 stored as TLS 1.1 internally */
kevman	0:38ceb79fef03	9496
kevman	0:38ceb79fef03	9497	ver[0] = (unsigned char)( 255 - ( major - 2 ) );
kevman	0:38ceb79fef03	9498	ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
kevman	0:38ceb79fef03	9499	}
kevman	0:38ceb79fef03	9500	else
kevman	0:38ceb79fef03	9501	#else
kevman	0:38ceb79fef03	9502	((void) transport);
kevman	0:38ceb79fef03	9503	#endif
kevman	0:38ceb79fef03	9504	{
kevman	0:38ceb79fef03	9505	ver[0] = (unsigned char) major;
kevman	0:38ceb79fef03	9506	ver[1] = (unsigned char) minor;
kevman	0:38ceb79fef03	9507	}
kevman	0:38ceb79fef03	9508	}
kevman	0:38ceb79fef03	9509
kevman	0:38ceb79fef03	9510	void mbedtls_ssl_read_version( int major, int minor, int transport,
kevman	0:38ceb79fef03	9511	const unsigned char ver[2] )
kevman	0:38ceb79fef03	9512	{
kevman	0:38ceb79fef03	9513	#if defined(MBEDTLS_SSL_PROTO_DTLS)
kevman	0:38ceb79fef03	9514	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
kevman	0:38ceb79fef03	9515	{
kevman	0:38ceb79fef03	9516	*major = 255 - ver[0] + 2;
kevman	0:38ceb79fef03	9517	*minor = 255 - ver[1] + 1;
kevman	0:38ceb79fef03	9518
kevman	0:38ceb79fef03	9519	if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
kevman	0:38ceb79fef03	9520	++minor; / DTLS 1.0 stored as TLS 1.1 internally */
kevman	0:38ceb79fef03	9521	}
kevman	0:38ceb79fef03	9522	else
kevman	0:38ceb79fef03	9523	#else
kevman	0:38ceb79fef03	9524	((void) transport);
kevman	0:38ceb79fef03	9525	#endif
kevman	0:38ceb79fef03	9526	{
kevman	0:38ceb79fef03	9527	*major = ver[0];
kevman	0:38ceb79fef03	9528	*minor = ver[1];
kevman	0:38ceb79fef03	9529	}
kevman	0:38ceb79fef03	9530	}
kevman	0:38ceb79fef03	9531
kevman	0:38ceb79fef03	9532	int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
kevman	0:38ceb79fef03	9533	{
kevman	0:38ceb79fef03	9534	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	9535	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
kevman	0:38ceb79fef03	9536	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
kevman	0:38ceb79fef03	9537
kevman	0:38ceb79fef03	9538	switch( md )
kevman	0:38ceb79fef03	9539	{
kevman	0:38ceb79fef03	9540	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	9541	#if defined(MBEDTLS_MD5_C)
kevman	0:38ceb79fef03	9542	case MBEDTLS_SSL_HASH_MD5:
kevman	0:38ceb79fef03	9543	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
kevman	0:38ceb79fef03	9544	#endif
kevman	0:38ceb79fef03	9545	#if defined(MBEDTLS_SHA1_C)
kevman	0:38ceb79fef03	9546	case MBEDTLS_SSL_HASH_SHA1:
kevman	0:38ceb79fef03	9547	ssl->handshake->calc_verify = ssl_calc_verify_tls;
kevman	0:38ceb79fef03	9548	break;
kevman	0:38ceb79fef03	9549	#endif
kevman	0:38ceb79fef03	9550	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
kevman	0:38ceb79fef03	9551	#if defined(MBEDTLS_SHA512_C)
kevman	0:38ceb79fef03	9552	case MBEDTLS_SSL_HASH_SHA384:
kevman	0:38ceb79fef03	9553	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
kevman	0:38ceb79fef03	9554	break;
kevman	0:38ceb79fef03	9555	#endif
kevman	0:38ceb79fef03	9556	#if defined(MBEDTLS_SHA256_C)
kevman	0:38ceb79fef03	9557	case MBEDTLS_SSL_HASH_SHA256:
kevman	0:38ceb79fef03	9558	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
kevman	0:38ceb79fef03	9559	break;
kevman	0:38ceb79fef03	9560	#endif
kevman	0:38ceb79fef03	9561	default:
kevman	0:38ceb79fef03	9562	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
kevman	0:38ceb79fef03	9563	}
kevman	0:38ceb79fef03	9564
kevman	0:38ceb79fef03	9565	return 0;
kevman	0:38ceb79fef03	9566	#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	9567	(void) ssl;
kevman	0:38ceb79fef03	9568	(void) md;
kevman	0:38ceb79fef03	9569
kevman	0:38ceb79fef03	9570	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
kevman	0:38ceb79fef03	9571	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	9572	}
kevman	0:38ceb79fef03	9573
kevman	0:38ceb79fef03	9574	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
kevman	0:38ceb79fef03	9575	defined(MBEDTLS_SSL_PROTO_TLS1_1)
kevman	0:38ceb79fef03	9576	int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	9577	unsigned char *output,
kevman	0:38ceb79fef03	9578	unsigned char *data, size_t data_len )
kevman	0:38ceb79fef03	9579	{
kevman	0:38ceb79fef03	9580	int ret = 0;
kevman	0:38ceb79fef03	9581	mbedtls_md5_context mbedtls_md5;
kevman	0:38ceb79fef03	9582	mbedtls_sha1_context mbedtls_sha1;
kevman	0:38ceb79fef03	9583
kevman	0:38ceb79fef03	9584	mbedtls_md5_init( &mbedtls_md5 );
kevman	0:38ceb79fef03	9585	mbedtls_sha1_init( &mbedtls_sha1 );
kevman	0:38ceb79fef03	9586
kevman	0:38ceb79fef03	9587	/*
kevman	0:38ceb79fef03	9588	* digitally-signed struct {
kevman	0:38ceb79fef03	9589	* opaque md5_hash[16];
kevman	0:38ceb79fef03	9590	* opaque sha_hash[20];
kevman	0:38ceb79fef03	9591	* };
kevman	0:38ceb79fef03	9592	*
kevman	0:38ceb79fef03	9593	* md5_hash
kevman	0:38ceb79fef03	9594	* MD5(ClientHello.random + ServerHello.random
kevman	0:38ceb79fef03	9595	* + ServerParams);
kevman	0:38ceb79fef03	9596	* sha_hash
kevman	0:38ceb79fef03	9597	* SHA(ClientHello.random + ServerHello.random
kevman	0:38ceb79fef03	9598	* + ServerParams);
kevman	0:38ceb79fef03	9599	*/
kevman	0:38ceb79fef03	9600	if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
kevman	0:38ceb79fef03	9601	{
kevman	0:38ceb79fef03	9602	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
kevman	0:38ceb79fef03	9603	goto exit;
kevman	0:38ceb79fef03	9604	}
kevman	0:38ceb79fef03	9605	if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
kevman	0:38ceb79fef03	9606	ssl->handshake->randbytes, 64 ) ) != 0 )
kevman	0:38ceb79fef03	9607	{
kevman	0:38ceb79fef03	9608	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
kevman	0:38ceb79fef03	9609	goto exit;
kevman	0:38ceb79fef03	9610	}
kevman	0:38ceb79fef03	9611	if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
kevman	0:38ceb79fef03	9612	{
kevman	0:38ceb79fef03	9613	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
kevman	0:38ceb79fef03	9614	goto exit;
kevman	0:38ceb79fef03	9615	}
kevman	0:38ceb79fef03	9616	if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
kevman	0:38ceb79fef03	9617	{
kevman	0:38ceb79fef03	9618	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
kevman	0:38ceb79fef03	9619	goto exit;
kevman	0:38ceb79fef03	9620	}
kevman	0:38ceb79fef03	9621
kevman	0:38ceb79fef03	9622	if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
kevman	0:38ceb79fef03	9623	{
kevman	0:38ceb79fef03	9624	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
kevman	0:38ceb79fef03	9625	goto exit;
kevman	0:38ceb79fef03	9626	}
kevman	0:38ceb79fef03	9627	if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
kevman	0:38ceb79fef03	9628	ssl->handshake->randbytes, 64 ) ) != 0 )
kevman	0:38ceb79fef03	9629	{
kevman	0:38ceb79fef03	9630	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
kevman	0:38ceb79fef03	9631	goto exit;
kevman	0:38ceb79fef03	9632	}
kevman	0:38ceb79fef03	9633	if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
kevman	0:38ceb79fef03	9634	data_len ) ) != 0 )
kevman	0:38ceb79fef03	9635	{
kevman	0:38ceb79fef03	9636	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
kevman	0:38ceb79fef03	9637	goto exit;
kevman	0:38ceb79fef03	9638	}
kevman	0:38ceb79fef03	9639	if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
kevman	0:38ceb79fef03	9640	output + 16 ) ) != 0 )
kevman	0:38ceb79fef03	9641	{
kevman	0:38ceb79fef03	9642	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
kevman	0:38ceb79fef03	9643	goto exit;
kevman	0:38ceb79fef03	9644	}
kevman	0:38ceb79fef03	9645
kevman	0:38ceb79fef03	9646	exit:
kevman	0:38ceb79fef03	9647	mbedtls_md5_free( &mbedtls_md5 );
kevman	0:38ceb79fef03	9648	mbedtls_sha1_free( &mbedtls_sha1 );
kevman	0:38ceb79fef03	9649
kevman	0:38ceb79fef03	9650	if( ret != 0 )
kevman	0:38ceb79fef03	9651	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	9652	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
kevman	0:38ceb79fef03	9653
kevman	0:38ceb79fef03	9654	return( ret );
kevman	0:38ceb79fef03	9655
kevman	0:38ceb79fef03	9656	}
kevman	0:38ceb79fef03	9657	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
kevman	0:38ceb79fef03	9658	MBEDTLS_SSL_PROTO_TLS1_1 */
kevman	0:38ceb79fef03	9659
kevman	0:38ceb79fef03	9660	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
kevman	0:38ceb79fef03	9661	defined(MBEDTLS_SSL_PROTO_TLS1_2)
kevman	0:38ceb79fef03	9662	int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
kevman	0:38ceb79fef03	9663	unsigned char hash, size_t hashlen,
kevman	0:38ceb79fef03	9664	unsigned char *data, size_t data_len,
kevman	0:38ceb79fef03	9665	mbedtls_md_type_t md_alg )
kevman	0:38ceb79fef03	9666	{
kevman	0:38ceb79fef03	9667	int ret = 0;
kevman	0:38ceb79fef03	9668	mbedtls_md_context_t ctx;
kevman	0:38ceb79fef03	9669	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
kevman	0:38ceb79fef03	9670	*hashlen = mbedtls_md_get_size( md_info );
kevman	0:38ceb79fef03	9671
kevman	0:38ceb79fef03	9672	mbedtls_md_init( &ctx );
kevman	0:38ceb79fef03	9673
kevman	0:38ceb79fef03	9674	/*
kevman	0:38ceb79fef03	9675	* digitally-signed struct {
kevman	0:38ceb79fef03	9676	* opaque client_random[32];
kevman	0:38ceb79fef03	9677	* opaque server_random[32];
kevman	0:38ceb79fef03	9678	* ServerDHParams params;
kevman	0:38ceb79fef03	9679	* };
kevman	0:38ceb79fef03	9680	*/
kevman	0:38ceb79fef03	9681	if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
kevman	0:38ceb79fef03	9682	{
kevman	0:38ceb79fef03	9683	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
kevman	0:38ceb79fef03	9684	goto exit;
kevman	0:38ceb79fef03	9685	}
kevman	0:38ceb79fef03	9686	if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
kevman	0:38ceb79fef03	9687	{
kevman	0:38ceb79fef03	9688	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
kevman	0:38ceb79fef03	9689	goto exit;
kevman	0:38ceb79fef03	9690	}
kevman	0:38ceb79fef03	9691	if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
kevman	0:38ceb79fef03	9692	{
kevman	0:38ceb79fef03	9693	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
kevman	0:38ceb79fef03	9694	goto exit;
kevman	0:38ceb79fef03	9695	}
kevman	0:38ceb79fef03	9696	if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
kevman	0:38ceb79fef03	9697	{
kevman	0:38ceb79fef03	9698	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
kevman	0:38ceb79fef03	9699	goto exit;
kevman	0:38ceb79fef03	9700	}
kevman	0:38ceb79fef03	9701	if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
kevman	0:38ceb79fef03	9702	{
kevman	0:38ceb79fef03	9703	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
kevman	0:38ceb79fef03	9704	goto exit;
kevman	0:38ceb79fef03	9705	}
kevman	0:38ceb79fef03	9706
kevman	0:38ceb79fef03	9707	exit:
kevman	0:38ceb79fef03	9708	mbedtls_md_free( &ctx );
kevman	0:38ceb79fef03	9709
kevman	0:38ceb79fef03	9710	if( ret != 0 )
kevman	0:38ceb79fef03	9711	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
kevman	0:38ceb79fef03	9712	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
kevman	0:38ceb79fef03	9713
kevman	0:38ceb79fef03	9714	return( ret );
kevman	0:38ceb79fef03	9715	}
kevman	0:38ceb79fef03	9716	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
kevman	0:38ceb79fef03	9717	MBEDTLS_SSL_PROTO_TLS1_2 */
kevman	0:38ceb79fef03	9718
kevman	0:38ceb79fef03	9719	#endif /* MBEDTLS_SSL_TLS_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	30 Oct 2019
Imports:	1
Forks:	0
Commits:	3
Dependents:	0
Dependencies:	0
Followers:	1

This repository is Public (Unlisted).

features/mbedtls/src/ssl_tls.c@0:38ceb79fef03, 2018-11-28 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning