Example_RTOS - Rtos API example

Users » marcozecchini » Code » Example_RTOS

Rtos API example

mbed-os/features/mbedtls/src/ssl_cli.c@0:9fca2b23d0ba, 2019-02-23 (annotated)

Committer:: marcozecchini
Date:: Sat Feb 23 12:13:36 2019 +0000
Revision:: 0:9fca2b23d0ba

final commit

Who changed what in which revision?

User	Revision	Line number	New contents of line
marcozecchini	0:9fca2b23d0ba	1	/*
marcozecchini	0:9fca2b23d0ba	2	* SSLv3/TLSv1 client-side functions
marcozecchini	0:9fca2b23d0ba	3	*
marcozecchini	0:9fca2b23d0ba	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
marcozecchini	0:9fca2b23d0ba	5	* SPDX-License-Identifier: Apache-2.0
marcozecchini	0:9fca2b23d0ba	6	*
marcozecchini	0:9fca2b23d0ba	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
marcozecchini	0:9fca2b23d0ba	8	* not use this file except in compliance with the License.
marcozecchini	0:9fca2b23d0ba	9	* You may obtain a copy of the License at
marcozecchini	0:9fca2b23d0ba	10	*
marcozecchini	0:9fca2b23d0ba	11	* http://www.apache.org/licenses/LICENSE-2.0
marcozecchini	0:9fca2b23d0ba	12	*
marcozecchini	0:9fca2b23d0ba	13	* Unless required by applicable law or agreed to in writing, software
marcozecchini	0:9fca2b23d0ba	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
marcozecchini	0:9fca2b23d0ba	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
marcozecchini	0:9fca2b23d0ba	16	* See the License for the specific language governing permissions and
marcozecchini	0:9fca2b23d0ba	17	* limitations under the License.
marcozecchini	0:9fca2b23d0ba	18	*
marcozecchini	0:9fca2b23d0ba	19	* This file is part of mbed TLS (https://tls.mbed.org)
marcozecchini	0:9fca2b23d0ba	20	*/
marcozecchini	0:9fca2b23d0ba	21
marcozecchini	0:9fca2b23d0ba	22	#if !defined(MBEDTLS_CONFIG_FILE)
marcozecchini	0:9fca2b23d0ba	23	#include "mbedtls/config.h"
marcozecchini	0:9fca2b23d0ba	24	#else
marcozecchini	0:9fca2b23d0ba	25	#include MBEDTLS_CONFIG_FILE
marcozecchini	0:9fca2b23d0ba	26	#endif
marcozecchini	0:9fca2b23d0ba	27
marcozecchini	0:9fca2b23d0ba	28	#if defined(MBEDTLS_SSL_CLI_C)
marcozecchini	0:9fca2b23d0ba	29
marcozecchini	0:9fca2b23d0ba	30	#if defined(MBEDTLS_PLATFORM_C)
marcozecchini	0:9fca2b23d0ba	31	#include "mbedtls/platform.h"
marcozecchini	0:9fca2b23d0ba	32	#else
marcozecchini	0:9fca2b23d0ba	33	#include <stdlib.h>
marcozecchini	0:9fca2b23d0ba	34	#define mbedtls_calloc calloc
marcozecchini	0:9fca2b23d0ba	35	#define mbedtls_free free
marcozecchini	0:9fca2b23d0ba	36	#endif
marcozecchini	0:9fca2b23d0ba	37
marcozecchini	0:9fca2b23d0ba	38	#include "mbedtls/debug.h"
marcozecchini	0:9fca2b23d0ba	39	#include "mbedtls/ssl.h"
marcozecchini	0:9fca2b23d0ba	40	#include "mbedtls/ssl_internal.h"
marcozecchini	0:9fca2b23d0ba	41
marcozecchini	0:9fca2b23d0ba	42	#include <string.h>
marcozecchini	0:9fca2b23d0ba	43
marcozecchini	0:9fca2b23d0ba	44	#include <stdint.h>
marcozecchini	0:9fca2b23d0ba	45
marcozecchini	0:9fca2b23d0ba	46	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	47	#include "mbedtls/platform_time.h"
marcozecchini	0:9fca2b23d0ba	48	#endif
marcozecchini	0:9fca2b23d0ba	49
marcozecchini	0:9fca2b23d0ba	50	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	51	/* Implementation that should never be optimized out by the compiler */
marcozecchini	0:9fca2b23d0ba	52	static void mbedtls_zeroize( void *v, size_t n ) {
marcozecchini	0:9fca2b23d0ba	53	volatile unsigned char p = v; while( n-- ) p++ = 0;
marcozecchini	0:9fca2b23d0ba	54	}
marcozecchini	0:9fca2b23d0ba	55	#endif
marcozecchini	0:9fca2b23d0ba	56
marcozecchini	0:9fca2b23d0ba	57	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
marcozecchini	0:9fca2b23d0ba	58	static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	59	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	60	size_t *olen )
marcozecchini	0:9fca2b23d0ba	61	{
marcozecchini	0:9fca2b23d0ba	62	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	63	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	64	size_t hostname_len;
marcozecchini	0:9fca2b23d0ba	65
marcozecchini	0:9fca2b23d0ba	66	*olen = 0;
marcozecchini	0:9fca2b23d0ba	67
marcozecchini	0:9fca2b23d0ba	68	if( ssl->hostname == NULL )
marcozecchini	0:9fca2b23d0ba	69	return;
marcozecchini	0:9fca2b23d0ba	70
marcozecchini	0:9fca2b23d0ba	71	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
marcozecchini	0:9fca2b23d0ba	72	ssl->hostname ) );
marcozecchini	0:9fca2b23d0ba	73
marcozecchini	0:9fca2b23d0ba	74	hostname_len = strlen( ssl->hostname );
marcozecchini	0:9fca2b23d0ba	75
marcozecchini	0:9fca2b23d0ba	76	if( end < p \|\| (size_t)( end - p ) < hostname_len + 9 )
marcozecchini	0:9fca2b23d0ba	77	{
marcozecchini	0:9fca2b23d0ba	78	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	79	return;
marcozecchini	0:9fca2b23d0ba	80	}
marcozecchini	0:9fca2b23d0ba	81
marcozecchini	0:9fca2b23d0ba	82	/*
marcozecchini	0:9fca2b23d0ba	83	* struct {
marcozecchini	0:9fca2b23d0ba	84	* NameType name_type;
marcozecchini	0:9fca2b23d0ba	85	* select (name_type) {
marcozecchini	0:9fca2b23d0ba	86	* case host_name: HostName;
marcozecchini	0:9fca2b23d0ba	87	* } name;
marcozecchini	0:9fca2b23d0ba	88	* } ServerName;
marcozecchini	0:9fca2b23d0ba	89	*
marcozecchini	0:9fca2b23d0ba	90	* enum {
marcozecchini	0:9fca2b23d0ba	91	* host_name(0), (255)
marcozecchini	0:9fca2b23d0ba	92	* } NameType;
marcozecchini	0:9fca2b23d0ba	93	*
marcozecchini	0:9fca2b23d0ba	94	* opaque HostName<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	95	*
marcozecchini	0:9fca2b23d0ba	96	* struct {
marcozecchini	0:9fca2b23d0ba	97	* ServerName server_name_list<1..2^16-1>
marcozecchini	0:9fca2b23d0ba	98	* } ServerNameList;
marcozecchini	0:9fca2b23d0ba	99	*/
marcozecchini	0:9fca2b23d0ba	100	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	101	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	102
marcozecchini	0:9fca2b23d0ba	103	*p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	104	*p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	105
marcozecchini	0:9fca2b23d0ba	106	*p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	107	*p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	108
marcozecchini	0:9fca2b23d0ba	109	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	110	*p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	111	*p++ = (unsigned char)( ( hostname_len ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	112
marcozecchini	0:9fca2b23d0ba	113	memcpy( p, ssl->hostname, hostname_len );
marcozecchini	0:9fca2b23d0ba	114
marcozecchini	0:9fca2b23d0ba	115	*olen = hostname_len + 9;
marcozecchini	0:9fca2b23d0ba	116	}
marcozecchini	0:9fca2b23d0ba	117	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
marcozecchini	0:9fca2b23d0ba	118
marcozecchini	0:9fca2b23d0ba	119	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	120	static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	121	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	122	size_t *olen )
marcozecchini	0:9fca2b23d0ba	123	{
marcozecchini	0:9fca2b23d0ba	124	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	125	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	126
marcozecchini	0:9fca2b23d0ba	127	*olen = 0;
marcozecchini	0:9fca2b23d0ba	128
marcozecchini	0:9fca2b23d0ba	129	if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
marcozecchini	0:9fca2b23d0ba	130	return;
marcozecchini	0:9fca2b23d0ba	131
marcozecchini	0:9fca2b23d0ba	132	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
marcozecchini	0:9fca2b23d0ba	133
marcozecchini	0:9fca2b23d0ba	134	if( end < p \|\| (size_t)( end - p ) < 5 + ssl->verify_data_len )
marcozecchini	0:9fca2b23d0ba	135	{
marcozecchini	0:9fca2b23d0ba	136	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	137	return;
marcozecchini	0:9fca2b23d0ba	138	}
marcozecchini	0:9fca2b23d0ba	139
marcozecchini	0:9fca2b23d0ba	140	/*
marcozecchini	0:9fca2b23d0ba	141	* Secure renegotiation
marcozecchini	0:9fca2b23d0ba	142	*/
marcozecchini	0:9fca2b23d0ba	143	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	144	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	145
marcozecchini	0:9fca2b23d0ba	146	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	147	*p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
marcozecchini	0:9fca2b23d0ba	148	*p++ = ssl->verify_data_len & 0xFF;
marcozecchini	0:9fca2b23d0ba	149
marcozecchini	0:9fca2b23d0ba	150	memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
marcozecchini	0:9fca2b23d0ba	151
marcozecchini	0:9fca2b23d0ba	152	*olen = 5 + ssl->verify_data_len;
marcozecchini	0:9fca2b23d0ba	153	}
marcozecchini	0:9fca2b23d0ba	154	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	155
marcozecchini	0:9fca2b23d0ba	156	/*
marcozecchini	0:9fca2b23d0ba	157	* Only if we handle at least one key exchange that needs signatures.
marcozecchini	0:9fca2b23d0ba	158	*/
marcozecchini	0:9fca2b23d0ba	159	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	160	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	161	static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	162	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	163	size_t *olen )
marcozecchini	0:9fca2b23d0ba	164	{
marcozecchini	0:9fca2b23d0ba	165	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	166	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	167	size_t sig_alg_len = 0;
marcozecchini	0:9fca2b23d0ba	168	const int *md;
marcozecchini	0:9fca2b23d0ba	169	#if defined(MBEDTLS_RSA_C) \|\| defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	170	unsigned char *sig_alg_list = buf + 6;
marcozecchini	0:9fca2b23d0ba	171	#endif
marcozecchini	0:9fca2b23d0ba	172
marcozecchini	0:9fca2b23d0ba	173	*olen = 0;
marcozecchini	0:9fca2b23d0ba	174
marcozecchini	0:9fca2b23d0ba	175	if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	176	return;
marcozecchini	0:9fca2b23d0ba	177
marcozecchini	0:9fca2b23d0ba	178	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
marcozecchini	0:9fca2b23d0ba	179
marcozecchini	0:9fca2b23d0ba	180	for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
marcozecchini	0:9fca2b23d0ba	181	{
marcozecchini	0:9fca2b23d0ba	182	#if defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	183	sig_alg_len += 2;
marcozecchini	0:9fca2b23d0ba	184	#endif
marcozecchini	0:9fca2b23d0ba	185	#if defined(MBEDTLS_RSA_C)
marcozecchini	0:9fca2b23d0ba	186	sig_alg_len += 2;
marcozecchini	0:9fca2b23d0ba	187	#endif
marcozecchini	0:9fca2b23d0ba	188	}
marcozecchini	0:9fca2b23d0ba	189
marcozecchini	0:9fca2b23d0ba	190	if( end < p \|\| (size_t)( end - p ) < sig_alg_len + 6 )
marcozecchini	0:9fca2b23d0ba	191	{
marcozecchini	0:9fca2b23d0ba	192	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	193	return;
marcozecchini	0:9fca2b23d0ba	194	}
marcozecchini	0:9fca2b23d0ba	195
marcozecchini	0:9fca2b23d0ba	196	/*
marcozecchini	0:9fca2b23d0ba	197	* Prepare signature_algorithms extension (TLS 1.2)
marcozecchini	0:9fca2b23d0ba	198	*/
marcozecchini	0:9fca2b23d0ba	199	sig_alg_len = 0;
marcozecchini	0:9fca2b23d0ba	200
marcozecchini	0:9fca2b23d0ba	201	for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
marcozecchini	0:9fca2b23d0ba	202	{
marcozecchini	0:9fca2b23d0ba	203	#if defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	204	sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
marcozecchini	0:9fca2b23d0ba	205	sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
marcozecchini	0:9fca2b23d0ba	206	#endif
marcozecchini	0:9fca2b23d0ba	207	#if defined(MBEDTLS_RSA_C)
marcozecchini	0:9fca2b23d0ba	208	sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
marcozecchini	0:9fca2b23d0ba	209	sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
marcozecchini	0:9fca2b23d0ba	210	#endif
marcozecchini	0:9fca2b23d0ba	211	}
marcozecchini	0:9fca2b23d0ba	212
marcozecchini	0:9fca2b23d0ba	213	/*
marcozecchini	0:9fca2b23d0ba	214	* enum {
marcozecchini	0:9fca2b23d0ba	215	* none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
marcozecchini	0:9fca2b23d0ba	216	* sha512(6), (255)
marcozecchini	0:9fca2b23d0ba	217	* } HashAlgorithm;
marcozecchini	0:9fca2b23d0ba	218	*
marcozecchini	0:9fca2b23d0ba	219	* enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
marcozecchini	0:9fca2b23d0ba	220	* SignatureAlgorithm;
marcozecchini	0:9fca2b23d0ba	221	*
marcozecchini	0:9fca2b23d0ba	222	* struct {
marcozecchini	0:9fca2b23d0ba	223	* HashAlgorithm hash;
marcozecchini	0:9fca2b23d0ba	224	* SignatureAlgorithm signature;
marcozecchini	0:9fca2b23d0ba	225	* } SignatureAndHashAlgorithm;
marcozecchini	0:9fca2b23d0ba	226	*
marcozecchini	0:9fca2b23d0ba	227	* SignatureAndHashAlgorithm
marcozecchini	0:9fca2b23d0ba	228	* supported_signature_algorithms<2..2^16-2>;
marcozecchini	0:9fca2b23d0ba	229	*/
marcozecchini	0:9fca2b23d0ba	230	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	231	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	232
marcozecchini	0:9fca2b23d0ba	233	*p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	234	*p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	235
marcozecchini	0:9fca2b23d0ba	236	*p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	237	*p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	238
marcozecchini	0:9fca2b23d0ba	239	*olen = 6 + sig_alg_len;
marcozecchini	0:9fca2b23d0ba	240	}
marcozecchini	0:9fca2b23d0ba	241	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
marcozecchini	0:9fca2b23d0ba	242	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
marcozecchini	0:9fca2b23d0ba	243
marcozecchini	0:9fca2b23d0ba	244	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	245	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	246	static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	247	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	248	size_t *olen )
marcozecchini	0:9fca2b23d0ba	249	{
marcozecchini	0:9fca2b23d0ba	250	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	251	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	252	unsigned char *elliptic_curve_list = p + 6;
marcozecchini	0:9fca2b23d0ba	253	size_t elliptic_curve_len = 0;
marcozecchini	0:9fca2b23d0ba	254	const mbedtls_ecp_curve_info *info;
marcozecchini	0:9fca2b23d0ba	255	#if defined(MBEDTLS_ECP_C)
marcozecchini	0:9fca2b23d0ba	256	const mbedtls_ecp_group_id *grp_id;
marcozecchini	0:9fca2b23d0ba	257	#else
marcozecchini	0:9fca2b23d0ba	258	((void) ssl);
marcozecchini	0:9fca2b23d0ba	259	#endif
marcozecchini	0:9fca2b23d0ba	260
marcozecchini	0:9fca2b23d0ba	261	*olen = 0;
marcozecchini	0:9fca2b23d0ba	262
marcozecchini	0:9fca2b23d0ba	263	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
marcozecchini	0:9fca2b23d0ba	264
marcozecchini	0:9fca2b23d0ba	265	#if defined(MBEDTLS_ECP_C)
marcozecchini	0:9fca2b23d0ba	266	for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
marcozecchini	0:9fca2b23d0ba	267	#else
marcozecchini	0:9fca2b23d0ba	268	for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
marcozecchini	0:9fca2b23d0ba	269	#endif
marcozecchini	0:9fca2b23d0ba	270	{
marcozecchini	0:9fca2b23d0ba	271	#if defined(MBEDTLS_ECP_C)
marcozecchini	0:9fca2b23d0ba	272	info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
marcozecchini	0:9fca2b23d0ba	273	#endif
marcozecchini	0:9fca2b23d0ba	274	if( info == NULL )
marcozecchini	0:9fca2b23d0ba	275	{
marcozecchini	0:9fca2b23d0ba	276	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
marcozecchini	0:9fca2b23d0ba	277	return;
marcozecchini	0:9fca2b23d0ba	278	}
marcozecchini	0:9fca2b23d0ba	279
marcozecchini	0:9fca2b23d0ba	280	elliptic_curve_len += 2;
marcozecchini	0:9fca2b23d0ba	281	}
marcozecchini	0:9fca2b23d0ba	282
marcozecchini	0:9fca2b23d0ba	283	if( end < p \|\| (size_t)( end - p ) < 6 + elliptic_curve_len )
marcozecchini	0:9fca2b23d0ba	284	{
marcozecchini	0:9fca2b23d0ba	285	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	286	return;
marcozecchini	0:9fca2b23d0ba	287	}
marcozecchini	0:9fca2b23d0ba	288
marcozecchini	0:9fca2b23d0ba	289	elliptic_curve_len = 0;
marcozecchini	0:9fca2b23d0ba	290
marcozecchini	0:9fca2b23d0ba	291	#if defined(MBEDTLS_ECP_C)
marcozecchini	0:9fca2b23d0ba	292	for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
marcozecchini	0:9fca2b23d0ba	293	#else
marcozecchini	0:9fca2b23d0ba	294	for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
marcozecchini	0:9fca2b23d0ba	295	#endif
marcozecchini	0:9fca2b23d0ba	296	{
marcozecchini	0:9fca2b23d0ba	297	#if defined(MBEDTLS_ECP_C)
marcozecchini	0:9fca2b23d0ba	298	info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
marcozecchini	0:9fca2b23d0ba	299	#endif
marcozecchini	0:9fca2b23d0ba	300	elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
marcozecchini	0:9fca2b23d0ba	301	elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
marcozecchini	0:9fca2b23d0ba	302	}
marcozecchini	0:9fca2b23d0ba	303
marcozecchini	0:9fca2b23d0ba	304	if( elliptic_curve_len == 0 )
marcozecchini	0:9fca2b23d0ba	305	return;
marcozecchini	0:9fca2b23d0ba	306
marcozecchini	0:9fca2b23d0ba	307	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	308	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	309
marcozecchini	0:9fca2b23d0ba	310	*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	311	*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	312
marcozecchini	0:9fca2b23d0ba	313	*p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	314	*p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	315
marcozecchini	0:9fca2b23d0ba	316	*olen = 6 + elliptic_curve_len;
marcozecchini	0:9fca2b23d0ba	317	}
marcozecchini	0:9fca2b23d0ba	318
marcozecchini	0:9fca2b23d0ba	319	static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	320	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	321	size_t *olen )
marcozecchini	0:9fca2b23d0ba	322	{
marcozecchini	0:9fca2b23d0ba	323	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	324	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	325
marcozecchini	0:9fca2b23d0ba	326	*olen = 0;
marcozecchini	0:9fca2b23d0ba	327
marcozecchini	0:9fca2b23d0ba	328	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
marcozecchini	0:9fca2b23d0ba	329
marcozecchini	0:9fca2b23d0ba	330	if( end < p \|\| (size_t)( end - p ) < 6 )
marcozecchini	0:9fca2b23d0ba	331	{
marcozecchini	0:9fca2b23d0ba	332	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	333	return;
marcozecchini	0:9fca2b23d0ba	334	}
marcozecchini	0:9fca2b23d0ba	335
marcozecchini	0:9fca2b23d0ba	336	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	337	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	338
marcozecchini	0:9fca2b23d0ba	339	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	340	*p++ = 2;
marcozecchini	0:9fca2b23d0ba	341
marcozecchini	0:9fca2b23d0ba	342	*p++ = 1;
marcozecchini	0:9fca2b23d0ba	343	*p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
marcozecchini	0:9fca2b23d0ba	344
marcozecchini	0:9fca2b23d0ba	345	*olen = 6;
marcozecchini	0:9fca2b23d0ba	346	}
marcozecchini	0:9fca2b23d0ba	347	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
marcozecchini	0:9fca2b23d0ba	348	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	349
marcozecchini	0:9fca2b23d0ba	350	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	351	static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	352	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	353	size_t *olen )
marcozecchini	0:9fca2b23d0ba	354	{
marcozecchini	0:9fca2b23d0ba	355	int ret;
marcozecchini	0:9fca2b23d0ba	356	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	357	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	358	size_t kkpp_len;
marcozecchini	0:9fca2b23d0ba	359
marcozecchini	0:9fca2b23d0ba	360	*olen = 0;
marcozecchini	0:9fca2b23d0ba	361
marcozecchini	0:9fca2b23d0ba	362	/* Skip costly extension if we can't use EC J-PAKE anyway */
marcozecchini	0:9fca2b23d0ba	363	if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
marcozecchini	0:9fca2b23d0ba	364	return;
marcozecchini	0:9fca2b23d0ba	365
marcozecchini	0:9fca2b23d0ba	366	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
marcozecchini	0:9fca2b23d0ba	367
marcozecchini	0:9fca2b23d0ba	368	if( end - p < 4 )
marcozecchini	0:9fca2b23d0ba	369	{
marcozecchini	0:9fca2b23d0ba	370	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	371	return;
marcozecchini	0:9fca2b23d0ba	372	}
marcozecchini	0:9fca2b23d0ba	373
marcozecchini	0:9fca2b23d0ba	374	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	375	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	376
marcozecchini	0:9fca2b23d0ba	377	/*
marcozecchini	0:9fca2b23d0ba	378	* We may need to send ClientHello multiple times for Hello verification.
marcozecchini	0:9fca2b23d0ba	379	* We don't want to compute fresh values every time (both for performance
marcozecchini	0:9fca2b23d0ba	380	* and consistency reasons), so cache the extension content.
marcozecchini	0:9fca2b23d0ba	381	*/
marcozecchini	0:9fca2b23d0ba	382	if( ssl->handshake->ecjpake_cache == NULL \|\|
marcozecchini	0:9fca2b23d0ba	383	ssl->handshake->ecjpake_cache_len == 0 )
marcozecchini	0:9fca2b23d0ba	384	{
marcozecchini	0:9fca2b23d0ba	385	MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
marcozecchini	0:9fca2b23d0ba	386
marcozecchini	0:9fca2b23d0ba	387	ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	388	p + 2, end - p - 2, &kkpp_len,
marcozecchini	0:9fca2b23d0ba	389	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	390	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	391	{
marcozecchini	0:9fca2b23d0ba	392	MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
marcozecchini	0:9fca2b23d0ba	393	return;
marcozecchini	0:9fca2b23d0ba	394	}
marcozecchini	0:9fca2b23d0ba	395
marcozecchini	0:9fca2b23d0ba	396	ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
marcozecchini	0:9fca2b23d0ba	397	if( ssl->handshake->ecjpake_cache == NULL )
marcozecchini	0:9fca2b23d0ba	398	{
marcozecchini	0:9fca2b23d0ba	399	MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
marcozecchini	0:9fca2b23d0ba	400	return;
marcozecchini	0:9fca2b23d0ba	401	}
marcozecchini	0:9fca2b23d0ba	402
marcozecchini	0:9fca2b23d0ba	403	memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
marcozecchini	0:9fca2b23d0ba	404	ssl->handshake->ecjpake_cache_len = kkpp_len;
marcozecchini	0:9fca2b23d0ba	405	}
marcozecchini	0:9fca2b23d0ba	406	else
marcozecchini	0:9fca2b23d0ba	407	{
marcozecchini	0:9fca2b23d0ba	408	MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
marcozecchini	0:9fca2b23d0ba	409
marcozecchini	0:9fca2b23d0ba	410	kkpp_len = ssl->handshake->ecjpake_cache_len;
marcozecchini	0:9fca2b23d0ba	411
marcozecchini	0:9fca2b23d0ba	412	if( (size_t)( end - p - 2 ) < kkpp_len )
marcozecchini	0:9fca2b23d0ba	413	{
marcozecchini	0:9fca2b23d0ba	414	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	415	return;
marcozecchini	0:9fca2b23d0ba	416	}
marcozecchini	0:9fca2b23d0ba	417
marcozecchini	0:9fca2b23d0ba	418	memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
marcozecchini	0:9fca2b23d0ba	419	}
marcozecchini	0:9fca2b23d0ba	420
marcozecchini	0:9fca2b23d0ba	421	*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	422	*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	423
marcozecchini	0:9fca2b23d0ba	424	*olen = kkpp_len + 4;
marcozecchini	0:9fca2b23d0ba	425	}
marcozecchini	0:9fca2b23d0ba	426	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	427
marcozecchini	0:9fca2b23d0ba	428	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	429	static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	430	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	431	size_t *olen )
marcozecchini	0:9fca2b23d0ba	432	{
marcozecchini	0:9fca2b23d0ba	433	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	434	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	435
marcozecchini	0:9fca2b23d0ba	436	*olen = 0;
marcozecchini	0:9fca2b23d0ba	437
marcozecchini	0:9fca2b23d0ba	438	if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
marcozecchini	0:9fca2b23d0ba	439	return;
marcozecchini	0:9fca2b23d0ba	440	}
marcozecchini	0:9fca2b23d0ba	441
marcozecchini	0:9fca2b23d0ba	442	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
marcozecchini	0:9fca2b23d0ba	443
marcozecchini	0:9fca2b23d0ba	444	if( end < p \|\| (size_t)( end - p ) < 5 )
marcozecchini	0:9fca2b23d0ba	445	{
marcozecchini	0:9fca2b23d0ba	446	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	447	return;
marcozecchini	0:9fca2b23d0ba	448	}
marcozecchini	0:9fca2b23d0ba	449
marcozecchini	0:9fca2b23d0ba	450	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	451	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	452
marcozecchini	0:9fca2b23d0ba	453	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	454	*p++ = 1;
marcozecchini	0:9fca2b23d0ba	455
marcozecchini	0:9fca2b23d0ba	456	*p++ = ssl->conf->mfl_code;
marcozecchini	0:9fca2b23d0ba	457
marcozecchini	0:9fca2b23d0ba	458	*olen = 5;
marcozecchini	0:9fca2b23d0ba	459	}
marcozecchini	0:9fca2b23d0ba	460	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
marcozecchini	0:9fca2b23d0ba	461
marcozecchini	0:9fca2b23d0ba	462	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	463	static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	464	unsigned char buf, size_t olen )
marcozecchini	0:9fca2b23d0ba	465	{
marcozecchini	0:9fca2b23d0ba	466	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	467	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	468
marcozecchini	0:9fca2b23d0ba	469	*olen = 0;
marcozecchini	0:9fca2b23d0ba	470
marcozecchini	0:9fca2b23d0ba	471	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
marcozecchini	0:9fca2b23d0ba	472	{
marcozecchini	0:9fca2b23d0ba	473	return;
marcozecchini	0:9fca2b23d0ba	474	}
marcozecchini	0:9fca2b23d0ba	475
marcozecchini	0:9fca2b23d0ba	476	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
marcozecchini	0:9fca2b23d0ba	477
marcozecchini	0:9fca2b23d0ba	478	if( end < p \|\| (size_t)( end - p ) < 4 )
marcozecchini	0:9fca2b23d0ba	479	{
marcozecchini	0:9fca2b23d0ba	480	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	481	return;
marcozecchini	0:9fca2b23d0ba	482	}
marcozecchini	0:9fca2b23d0ba	483
marcozecchini	0:9fca2b23d0ba	484	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	485	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	486
marcozecchini	0:9fca2b23d0ba	487	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	488	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	489
marcozecchini	0:9fca2b23d0ba	490	*olen = 4;
marcozecchini	0:9fca2b23d0ba	491	}
marcozecchini	0:9fca2b23d0ba	492	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
marcozecchini	0:9fca2b23d0ba	493
marcozecchini	0:9fca2b23d0ba	494	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	495	static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	496	unsigned char buf, size_t olen )
marcozecchini	0:9fca2b23d0ba	497	{
marcozecchini	0:9fca2b23d0ba	498	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	499	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	500
marcozecchini	0:9fca2b23d0ba	501	*olen = 0;
marcozecchini	0:9fca2b23d0ba	502
marcozecchini	0:9fca2b23d0ba	503	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	504	ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
marcozecchini	0:9fca2b23d0ba	505	{
marcozecchini	0:9fca2b23d0ba	506	return;
marcozecchini	0:9fca2b23d0ba	507	}
marcozecchini	0:9fca2b23d0ba	508
marcozecchini	0:9fca2b23d0ba	509	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
marcozecchini	0:9fca2b23d0ba	510	"extension" ) );
marcozecchini	0:9fca2b23d0ba	511
marcozecchini	0:9fca2b23d0ba	512	if( end < p \|\| (size_t)( end - p ) < 4 )
marcozecchini	0:9fca2b23d0ba	513	{
marcozecchini	0:9fca2b23d0ba	514	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	515	return;
marcozecchini	0:9fca2b23d0ba	516	}
marcozecchini	0:9fca2b23d0ba	517
marcozecchini	0:9fca2b23d0ba	518	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	519	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	520
marcozecchini	0:9fca2b23d0ba	521	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	522	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	523
marcozecchini	0:9fca2b23d0ba	524	*olen = 4;
marcozecchini	0:9fca2b23d0ba	525	}
marcozecchini	0:9fca2b23d0ba	526	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
marcozecchini	0:9fca2b23d0ba	527
marcozecchini	0:9fca2b23d0ba	528	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	529	static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	530	unsigned char buf, size_t olen )
marcozecchini	0:9fca2b23d0ba	531	{
marcozecchini	0:9fca2b23d0ba	532	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	533	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	534
marcozecchini	0:9fca2b23d0ba	535	*olen = 0;
marcozecchini	0:9fca2b23d0ba	536
marcozecchini	0:9fca2b23d0ba	537	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	538	ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
marcozecchini	0:9fca2b23d0ba	539	{
marcozecchini	0:9fca2b23d0ba	540	return;
marcozecchini	0:9fca2b23d0ba	541	}
marcozecchini	0:9fca2b23d0ba	542
marcozecchini	0:9fca2b23d0ba	543	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
marcozecchini	0:9fca2b23d0ba	544	"extension" ) );
marcozecchini	0:9fca2b23d0ba	545
marcozecchini	0:9fca2b23d0ba	546	if( end < p \|\| (size_t)( end - p ) < 4 )
marcozecchini	0:9fca2b23d0ba	547	{
marcozecchini	0:9fca2b23d0ba	548	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	549	return;
marcozecchini	0:9fca2b23d0ba	550	}
marcozecchini	0:9fca2b23d0ba	551
marcozecchini	0:9fca2b23d0ba	552	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	553	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	554
marcozecchini	0:9fca2b23d0ba	555	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	556	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	557
marcozecchini	0:9fca2b23d0ba	558	*olen = 4;
marcozecchini	0:9fca2b23d0ba	559	}
marcozecchini	0:9fca2b23d0ba	560	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
marcozecchini	0:9fca2b23d0ba	561
marcozecchini	0:9fca2b23d0ba	562	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	563	static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	564	unsigned char buf, size_t olen )
marcozecchini	0:9fca2b23d0ba	565	{
marcozecchini	0:9fca2b23d0ba	566	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	567	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	568	size_t tlen = ssl->session_negotiate->ticket_len;
marcozecchini	0:9fca2b23d0ba	569
marcozecchini	0:9fca2b23d0ba	570	*olen = 0;
marcozecchini	0:9fca2b23d0ba	571
marcozecchini	0:9fca2b23d0ba	572	if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
marcozecchini	0:9fca2b23d0ba	573	{
marcozecchini	0:9fca2b23d0ba	574	return;
marcozecchini	0:9fca2b23d0ba	575	}
marcozecchini	0:9fca2b23d0ba	576
marcozecchini	0:9fca2b23d0ba	577	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
marcozecchini	0:9fca2b23d0ba	578
marcozecchini	0:9fca2b23d0ba	579	if( end < p \|\| (size_t)( end - p ) < 4 + tlen )
marcozecchini	0:9fca2b23d0ba	580	{
marcozecchini	0:9fca2b23d0ba	581	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	582	return;
marcozecchini	0:9fca2b23d0ba	583	}
marcozecchini	0:9fca2b23d0ba	584
marcozecchini	0:9fca2b23d0ba	585	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	586	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	587
marcozecchini	0:9fca2b23d0ba	588	*p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	589	*p++ = (unsigned char)( ( tlen ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	590
marcozecchini	0:9fca2b23d0ba	591	*olen = 4;
marcozecchini	0:9fca2b23d0ba	592
marcozecchini	0:9fca2b23d0ba	593	if( ssl->session_negotiate->ticket == NULL \|\| tlen == 0 )
marcozecchini	0:9fca2b23d0ba	594	{
marcozecchini	0:9fca2b23d0ba	595	return;
marcozecchini	0:9fca2b23d0ba	596	}
marcozecchini	0:9fca2b23d0ba	597
marcozecchini	0:9fca2b23d0ba	598	MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
marcozecchini	0:9fca2b23d0ba	599
marcozecchini	0:9fca2b23d0ba	600	memcpy( p, ssl->session_negotiate->ticket, tlen );
marcozecchini	0:9fca2b23d0ba	601
marcozecchini	0:9fca2b23d0ba	602	*olen += tlen;
marcozecchini	0:9fca2b23d0ba	603	}
marcozecchini	0:9fca2b23d0ba	604	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	605
marcozecchini	0:9fca2b23d0ba	606	#if defined(MBEDTLS_SSL_ALPN)
marcozecchini	0:9fca2b23d0ba	607	static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	608	unsigned char buf, size_t olen )
marcozecchini	0:9fca2b23d0ba	609	{
marcozecchini	0:9fca2b23d0ba	610	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	611	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	612	size_t alpnlen = 0;
marcozecchini	0:9fca2b23d0ba	613	const char **cur;
marcozecchini	0:9fca2b23d0ba	614
marcozecchini	0:9fca2b23d0ba	615	*olen = 0;
marcozecchini	0:9fca2b23d0ba	616
marcozecchini	0:9fca2b23d0ba	617	if( ssl->conf->alpn_list == NULL )
marcozecchini	0:9fca2b23d0ba	618	{
marcozecchini	0:9fca2b23d0ba	619	return;
marcozecchini	0:9fca2b23d0ba	620	}
marcozecchini	0:9fca2b23d0ba	621
marcozecchini	0:9fca2b23d0ba	622	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
marcozecchini	0:9fca2b23d0ba	623
marcozecchini	0:9fca2b23d0ba	624	for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
marcozecchini	0:9fca2b23d0ba	625	alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
marcozecchini	0:9fca2b23d0ba	626
marcozecchini	0:9fca2b23d0ba	627	if( end < p \|\| (size_t)( end - p ) < 6 + alpnlen )
marcozecchini	0:9fca2b23d0ba	628	{
marcozecchini	0:9fca2b23d0ba	629	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	630	return;
marcozecchini	0:9fca2b23d0ba	631	}
marcozecchini	0:9fca2b23d0ba	632
marcozecchini	0:9fca2b23d0ba	633	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	634	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	635
marcozecchini	0:9fca2b23d0ba	636	/*
marcozecchini	0:9fca2b23d0ba	637	* opaque ProtocolName<1..2^8-1>;
marcozecchini	0:9fca2b23d0ba	638	*
marcozecchini	0:9fca2b23d0ba	639	* struct {
marcozecchini	0:9fca2b23d0ba	640	* ProtocolName protocol_name_list<2..2^16-1>
marcozecchini	0:9fca2b23d0ba	641	* } ProtocolNameList;
marcozecchini	0:9fca2b23d0ba	642	*/
marcozecchini	0:9fca2b23d0ba	643
marcozecchini	0:9fca2b23d0ba	644	/* Skip writing extension and list length for now */
marcozecchini	0:9fca2b23d0ba	645	p += 4;
marcozecchini	0:9fca2b23d0ba	646
marcozecchini	0:9fca2b23d0ba	647	for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
marcozecchini	0:9fca2b23d0ba	648	{
marcozecchini	0:9fca2b23d0ba	649	p = (unsigned char)( strlen( cur ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	650	memcpy( p + 1, cur, p );
marcozecchini	0:9fca2b23d0ba	651	p += 1 + *p;
marcozecchini	0:9fca2b23d0ba	652	}
marcozecchini	0:9fca2b23d0ba	653
marcozecchini	0:9fca2b23d0ba	654	*olen = p - buf;
marcozecchini	0:9fca2b23d0ba	655
marcozecchini	0:9fca2b23d0ba	656	/* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
marcozecchini	0:9fca2b23d0ba	657	buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	658	buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	659
marcozecchini	0:9fca2b23d0ba	660	/* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
marcozecchini	0:9fca2b23d0ba	661	buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	662	buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	663	}
marcozecchini	0:9fca2b23d0ba	664	#endif /* MBEDTLS_SSL_ALPN */
marcozecchini	0:9fca2b23d0ba	665
marcozecchini	0:9fca2b23d0ba	666	/*
marcozecchini	0:9fca2b23d0ba	667	* Generate random bytes for ClientHello
marcozecchini	0:9fca2b23d0ba	668	*/
marcozecchini	0:9fca2b23d0ba	669	static int ssl_generate_random( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	670	{
marcozecchini	0:9fca2b23d0ba	671	int ret;
marcozecchini	0:9fca2b23d0ba	672	unsigned char *p = ssl->handshake->randbytes;
marcozecchini	0:9fca2b23d0ba	673	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	674	mbedtls_time_t t;
marcozecchini	0:9fca2b23d0ba	675	#endif
marcozecchini	0:9fca2b23d0ba	676
marcozecchini	0:9fca2b23d0ba	677	/*
marcozecchini	0:9fca2b23d0ba	678	* When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
marcozecchini	0:9fca2b23d0ba	679	*/
marcozecchini	0:9fca2b23d0ba	680	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	681	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
marcozecchini	0:9fca2b23d0ba	682	ssl->handshake->verify_cookie != NULL )
marcozecchini	0:9fca2b23d0ba	683	{
marcozecchini	0:9fca2b23d0ba	684	return( 0 );
marcozecchini	0:9fca2b23d0ba	685	}
marcozecchini	0:9fca2b23d0ba	686	#endif
marcozecchini	0:9fca2b23d0ba	687
marcozecchini	0:9fca2b23d0ba	688	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	689	t = mbedtls_time( NULL );
marcozecchini	0:9fca2b23d0ba	690	*p++ = (unsigned char)( t >> 24 );
marcozecchini	0:9fca2b23d0ba	691	*p++ = (unsigned char)( t >> 16 );
marcozecchini	0:9fca2b23d0ba	692	*p++ = (unsigned char)( t >> 8 );
marcozecchini	0:9fca2b23d0ba	693	*p++ = (unsigned char)( t );
marcozecchini	0:9fca2b23d0ba	694
marcozecchini	0:9fca2b23d0ba	695	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
marcozecchini	0:9fca2b23d0ba	696	#else
marcozecchini	0:9fca2b23d0ba	697	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	698	return( ret );
marcozecchini	0:9fca2b23d0ba	699
marcozecchini	0:9fca2b23d0ba	700	p += 4;
marcozecchini	0:9fca2b23d0ba	701	#endif /* MBEDTLS_HAVE_TIME */
marcozecchini	0:9fca2b23d0ba	702
marcozecchini	0:9fca2b23d0ba	703	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	704	return( ret );
marcozecchini	0:9fca2b23d0ba	705
marcozecchini	0:9fca2b23d0ba	706	return( 0 );
marcozecchini	0:9fca2b23d0ba	707	}
marcozecchini	0:9fca2b23d0ba	708
marcozecchini	0:9fca2b23d0ba	709	static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	710	{
marcozecchini	0:9fca2b23d0ba	711	int ret;
marcozecchini	0:9fca2b23d0ba	712	size_t i, n, olen, ext_len = 0;
marcozecchini	0:9fca2b23d0ba	713	unsigned char *buf;
marcozecchini	0:9fca2b23d0ba	714	unsigned char p, q;
marcozecchini	0:9fca2b23d0ba	715	unsigned char offer_compress;
marcozecchini	0:9fca2b23d0ba	716	const int *ciphersuites;
marcozecchini	0:9fca2b23d0ba	717	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	718
marcozecchini	0:9fca2b23d0ba	719	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
marcozecchini	0:9fca2b23d0ba	720
marcozecchini	0:9fca2b23d0ba	721	if( ssl->conf->f_rng == NULL )
marcozecchini	0:9fca2b23d0ba	722	{
marcozecchini	0:9fca2b23d0ba	723	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
marcozecchini	0:9fca2b23d0ba	724	return( MBEDTLS_ERR_SSL_NO_RNG );
marcozecchini	0:9fca2b23d0ba	725	}
marcozecchini	0:9fca2b23d0ba	726
marcozecchini	0:9fca2b23d0ba	727	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	728	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	729	#endif
marcozecchini	0:9fca2b23d0ba	730	{
marcozecchini	0:9fca2b23d0ba	731	ssl->major_ver = ssl->conf->min_major_ver;
marcozecchini	0:9fca2b23d0ba	732	ssl->minor_ver = ssl->conf->min_minor_ver;
marcozecchini	0:9fca2b23d0ba	733	}
marcozecchini	0:9fca2b23d0ba	734
marcozecchini	0:9fca2b23d0ba	735	if( ssl->conf->max_major_ver == 0 )
marcozecchini	0:9fca2b23d0ba	736	{
marcozecchini	0:9fca2b23d0ba	737	MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
marcozecchini	0:9fca2b23d0ba	738	"consider using mbedtls_ssl_config_defaults()" ) );
marcozecchini	0:9fca2b23d0ba	739	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	740	}
marcozecchini	0:9fca2b23d0ba	741
marcozecchini	0:9fca2b23d0ba	742	/*
marcozecchini	0:9fca2b23d0ba	743	* 0 . 0 handshake type
marcozecchini	0:9fca2b23d0ba	744	* 1 . 3 handshake length
marcozecchini	0:9fca2b23d0ba	745	* 4 . 5 highest version supported
marcozecchini	0:9fca2b23d0ba	746	* 6 . 9 current UNIX time
marcozecchini	0:9fca2b23d0ba	747	* 10 . 37 random bytes
marcozecchini	0:9fca2b23d0ba	748	*/
marcozecchini	0:9fca2b23d0ba	749	buf = ssl->out_msg;
marcozecchini	0:9fca2b23d0ba	750	p = buf + 4;
marcozecchini	0:9fca2b23d0ba	751
marcozecchini	0:9fca2b23d0ba	752	mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
marcozecchini	0:9fca2b23d0ba	753	ssl->conf->transport, p );
marcozecchini	0:9fca2b23d0ba	754	p += 2;
marcozecchini	0:9fca2b23d0ba	755
marcozecchini	0:9fca2b23d0ba	756	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
marcozecchini	0:9fca2b23d0ba	757	buf[4], buf[5] ) );
marcozecchini	0:9fca2b23d0ba	758
marcozecchini	0:9fca2b23d0ba	759	if( ( ret = ssl_generate_random( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	760	{
marcozecchini	0:9fca2b23d0ba	761	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
marcozecchini	0:9fca2b23d0ba	762	return( ret );
marcozecchini	0:9fca2b23d0ba	763	}
marcozecchini	0:9fca2b23d0ba	764
marcozecchini	0:9fca2b23d0ba	765	memcpy( p, ssl->handshake->randbytes, 32 );
marcozecchini	0:9fca2b23d0ba	766	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
marcozecchini	0:9fca2b23d0ba	767	p += 32;
marcozecchini	0:9fca2b23d0ba	768
marcozecchini	0:9fca2b23d0ba	769	/*
marcozecchini	0:9fca2b23d0ba	770	* 38 . 38 session id length
marcozecchini	0:9fca2b23d0ba	771	* 39 . 39+n session id
marcozecchini	0:9fca2b23d0ba	772	* 39+n . 39+n DTLS only: cookie length (1 byte)
marcozecchini	0:9fca2b23d0ba	773	* 40+n . .. DTSL only: cookie
marcozecchini	0:9fca2b23d0ba	774	* .. . .. ciphersuitelist length (2 bytes)
marcozecchini	0:9fca2b23d0ba	775	* .. . .. ciphersuitelist
marcozecchini	0:9fca2b23d0ba	776	* .. . .. compression methods length (1 byte)
marcozecchini	0:9fca2b23d0ba	777	* .. . .. compression methods
marcozecchini	0:9fca2b23d0ba	778	* .. . .. extensions length (2 bytes)
marcozecchini	0:9fca2b23d0ba	779	* .. . .. extensions
marcozecchini	0:9fca2b23d0ba	780	*/
marcozecchini	0:9fca2b23d0ba	781	n = ssl->session_negotiate->id_len;
marcozecchini	0:9fca2b23d0ba	782
marcozecchini	0:9fca2b23d0ba	783	if( n < 16 \|\| n > 32 \|\|
marcozecchini	0:9fca2b23d0ba	784	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	785	ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE \|\|
marcozecchini	0:9fca2b23d0ba	786	#endif
marcozecchini	0:9fca2b23d0ba	787	ssl->handshake->resume == 0 )
marcozecchini	0:9fca2b23d0ba	788	{
marcozecchini	0:9fca2b23d0ba	789	n = 0;
marcozecchini	0:9fca2b23d0ba	790	}
marcozecchini	0:9fca2b23d0ba	791
marcozecchini	0:9fca2b23d0ba	792	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	793	/*
marcozecchini	0:9fca2b23d0ba	794	* RFC 5077 section 3.4: "When presenting a ticket, the client MAY
marcozecchini	0:9fca2b23d0ba	795	* generate and include a Session ID in the TLS ClientHello."
marcozecchini	0:9fca2b23d0ba	796	*/
marcozecchini	0:9fca2b23d0ba	797	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	798	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	799	#endif
marcozecchini	0:9fca2b23d0ba	800	{
marcozecchini	0:9fca2b23d0ba	801	if( ssl->session_negotiate->ticket != NULL &&
marcozecchini	0:9fca2b23d0ba	802	ssl->session_negotiate->ticket_len != 0 )
marcozecchini	0:9fca2b23d0ba	803	{
marcozecchini	0:9fca2b23d0ba	804	ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
marcozecchini	0:9fca2b23d0ba	805
marcozecchini	0:9fca2b23d0ba	806	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	807	return( ret );
marcozecchini	0:9fca2b23d0ba	808
marcozecchini	0:9fca2b23d0ba	809	ssl->session_negotiate->id_len = n = 32;
marcozecchini	0:9fca2b23d0ba	810	}
marcozecchini	0:9fca2b23d0ba	811	}
marcozecchini	0:9fca2b23d0ba	812	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	813
marcozecchini	0:9fca2b23d0ba	814	*p++ = (unsigned char) n;
marcozecchini	0:9fca2b23d0ba	815
marcozecchini	0:9fca2b23d0ba	816	for( i = 0; i < n; i++ )
marcozecchini	0:9fca2b23d0ba	817	*p++ = ssl->session_negotiate->id[i];
marcozecchini	0:9fca2b23d0ba	818
marcozecchini	0:9fca2b23d0ba	819	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
marcozecchini	0:9fca2b23d0ba	820	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
marcozecchini	0:9fca2b23d0ba	821
marcozecchini	0:9fca2b23d0ba	822	/*
marcozecchini	0:9fca2b23d0ba	823	* DTLS cookie
marcozecchini	0:9fca2b23d0ba	824	*/
marcozecchini	0:9fca2b23d0ba	825	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	826	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	827	{
marcozecchini	0:9fca2b23d0ba	828	if( ssl->handshake->verify_cookie == NULL )
marcozecchini	0:9fca2b23d0ba	829	{
marcozecchini	0:9fca2b23d0ba	830	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
marcozecchini	0:9fca2b23d0ba	831	*p++ = 0;
marcozecchini	0:9fca2b23d0ba	832	}
marcozecchini	0:9fca2b23d0ba	833	else
marcozecchini	0:9fca2b23d0ba	834	{
marcozecchini	0:9fca2b23d0ba	835	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
marcozecchini	0:9fca2b23d0ba	836	ssl->handshake->verify_cookie,
marcozecchini	0:9fca2b23d0ba	837	ssl->handshake->verify_cookie_len );
marcozecchini	0:9fca2b23d0ba	838
marcozecchini	0:9fca2b23d0ba	839	*p++ = ssl->handshake->verify_cookie_len;
marcozecchini	0:9fca2b23d0ba	840	memcpy( p, ssl->handshake->verify_cookie,
marcozecchini	0:9fca2b23d0ba	841	ssl->handshake->verify_cookie_len );
marcozecchini	0:9fca2b23d0ba	842	p += ssl->handshake->verify_cookie_len;
marcozecchini	0:9fca2b23d0ba	843	}
marcozecchini	0:9fca2b23d0ba	844	}
marcozecchini	0:9fca2b23d0ba	845	#endif
marcozecchini	0:9fca2b23d0ba	846
marcozecchini	0:9fca2b23d0ba	847	/*
marcozecchini	0:9fca2b23d0ba	848	* Ciphersuite list
marcozecchini	0:9fca2b23d0ba	849	*/
marcozecchini	0:9fca2b23d0ba	850	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
marcozecchini	0:9fca2b23d0ba	851
marcozecchini	0:9fca2b23d0ba	852	/* Skip writing ciphersuite length for now */
marcozecchini	0:9fca2b23d0ba	853	n = 0;
marcozecchini	0:9fca2b23d0ba	854	q = p;
marcozecchini	0:9fca2b23d0ba	855	p += 2;
marcozecchini	0:9fca2b23d0ba	856
marcozecchini	0:9fca2b23d0ba	857	for( i = 0; ciphersuites[i] != 0; i++ )
marcozecchini	0:9fca2b23d0ba	858	{
marcozecchini	0:9fca2b23d0ba	859	ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
marcozecchini	0:9fca2b23d0ba	860
marcozecchini	0:9fca2b23d0ba	861	if( ciphersuite_info == NULL )
marcozecchini	0:9fca2b23d0ba	862	continue;
marcozecchini	0:9fca2b23d0ba	863
marcozecchini	0:9fca2b23d0ba	864	if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver \|\|
marcozecchini	0:9fca2b23d0ba	865	ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
marcozecchini	0:9fca2b23d0ba	866	continue;
marcozecchini	0:9fca2b23d0ba	867
marcozecchini	0:9fca2b23d0ba	868	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	869	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
marcozecchini	0:9fca2b23d0ba	870	( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
marcozecchini	0:9fca2b23d0ba	871	continue;
marcozecchini	0:9fca2b23d0ba	872	#endif
marcozecchini	0:9fca2b23d0ba	873
marcozecchini	0:9fca2b23d0ba	874	#if defined(MBEDTLS_ARC4_C)
marcozecchini	0:9fca2b23d0ba	875	if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
marcozecchini	0:9fca2b23d0ba	876	ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
marcozecchini	0:9fca2b23d0ba	877	continue;
marcozecchini	0:9fca2b23d0ba	878	#endif
marcozecchini	0:9fca2b23d0ba	879
marcozecchini	0:9fca2b23d0ba	880	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	881	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
marcozecchini	0:9fca2b23d0ba	882	mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
marcozecchini	0:9fca2b23d0ba	883	continue;
marcozecchini	0:9fca2b23d0ba	884	#endif
marcozecchini	0:9fca2b23d0ba	885
marcozecchini	0:9fca2b23d0ba	886	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
marcozecchini	0:9fca2b23d0ba	887	ciphersuites[i] ) );
marcozecchini	0:9fca2b23d0ba	888
marcozecchini	0:9fca2b23d0ba	889	n++;
marcozecchini	0:9fca2b23d0ba	890	*p++ = (unsigned char)( ciphersuites[i] >> 8 );
marcozecchini	0:9fca2b23d0ba	891	*p++ = (unsigned char)( ciphersuites[i] );
marcozecchini	0:9fca2b23d0ba	892	}
marcozecchini	0:9fca2b23d0ba	893
marcozecchini	0:9fca2b23d0ba	894	/*
marcozecchini	0:9fca2b23d0ba	895	* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
marcozecchini	0:9fca2b23d0ba	896	*/
marcozecchini	0:9fca2b23d0ba	897	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	898	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	899	#endif
marcozecchini	0:9fca2b23d0ba	900	{
marcozecchini	0:9fca2b23d0ba	901	*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
marcozecchini	0:9fca2b23d0ba	902	*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
marcozecchini	0:9fca2b23d0ba	903	n++;
marcozecchini	0:9fca2b23d0ba	904	}
marcozecchini	0:9fca2b23d0ba	905
marcozecchini	0:9fca2b23d0ba	906	/* Some versions of OpenSSL don't handle it correctly if not at end */
marcozecchini	0:9fca2b23d0ba	907	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
marcozecchini	0:9fca2b23d0ba	908	if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
marcozecchini	0:9fca2b23d0ba	909	{
marcozecchini	0:9fca2b23d0ba	910	MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
marcozecchini	0:9fca2b23d0ba	911	*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
marcozecchini	0:9fca2b23d0ba	912	*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
marcozecchini	0:9fca2b23d0ba	913	n++;
marcozecchini	0:9fca2b23d0ba	914	}
marcozecchini	0:9fca2b23d0ba	915	#endif
marcozecchini	0:9fca2b23d0ba	916
marcozecchini	0:9fca2b23d0ba	917	*q++ = (unsigned char)( n >> 7 );
marcozecchini	0:9fca2b23d0ba	918	*q++ = (unsigned char)( n << 1 );
marcozecchini	0:9fca2b23d0ba	919
marcozecchini	0:9fca2b23d0ba	920	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
marcozecchini	0:9fca2b23d0ba	921
marcozecchini	0:9fca2b23d0ba	922	#if defined(MBEDTLS_ZLIB_SUPPORT)
marcozecchini	0:9fca2b23d0ba	923	offer_compress = 1;
marcozecchini	0:9fca2b23d0ba	924	#else
marcozecchini	0:9fca2b23d0ba	925	offer_compress = 0;
marcozecchini	0:9fca2b23d0ba	926	#endif
marcozecchini	0:9fca2b23d0ba	927
marcozecchini	0:9fca2b23d0ba	928	/*
marcozecchini	0:9fca2b23d0ba	929	* We don't support compression with DTLS right now: is many records come
marcozecchini	0:9fca2b23d0ba	930	* in the same datagram, uncompressing one could overwrite the next one.
marcozecchini	0:9fca2b23d0ba	931	* We don't want to add complexity for handling that case unless there is
marcozecchini	0:9fca2b23d0ba	932	* an actual need for it.
marcozecchini	0:9fca2b23d0ba	933	*/
marcozecchini	0:9fca2b23d0ba	934	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	935	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	936	offer_compress = 0;
marcozecchini	0:9fca2b23d0ba	937	#endif
marcozecchini	0:9fca2b23d0ba	938
marcozecchini	0:9fca2b23d0ba	939	if( offer_compress )
marcozecchini	0:9fca2b23d0ba	940	{
marcozecchini	0:9fca2b23d0ba	941	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
marcozecchini	0:9fca2b23d0ba	942	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
marcozecchini	0:9fca2b23d0ba	943	MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
marcozecchini	0:9fca2b23d0ba	944
marcozecchini	0:9fca2b23d0ba	945	*p++ = 2;
marcozecchini	0:9fca2b23d0ba	946	*p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
marcozecchini	0:9fca2b23d0ba	947	*p++ = MBEDTLS_SSL_COMPRESS_NULL;
marcozecchini	0:9fca2b23d0ba	948	}
marcozecchini	0:9fca2b23d0ba	949	else
marcozecchini	0:9fca2b23d0ba	950	{
marcozecchini	0:9fca2b23d0ba	951	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
marcozecchini	0:9fca2b23d0ba	952	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
marcozecchini	0:9fca2b23d0ba	953	MBEDTLS_SSL_COMPRESS_NULL ) );
marcozecchini	0:9fca2b23d0ba	954
marcozecchini	0:9fca2b23d0ba	955	*p++ = 1;
marcozecchini	0:9fca2b23d0ba	956	*p++ = MBEDTLS_SSL_COMPRESS_NULL;
marcozecchini	0:9fca2b23d0ba	957	}
marcozecchini	0:9fca2b23d0ba	958
marcozecchini	0:9fca2b23d0ba	959	// First write extensions, then the total length
marcozecchini	0:9fca2b23d0ba	960	//
marcozecchini	0:9fca2b23d0ba	961	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
marcozecchini	0:9fca2b23d0ba	962	ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	963	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	964	#endif
marcozecchini	0:9fca2b23d0ba	965
marcozecchini	0:9fca2b23d0ba	966	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	967	ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	968	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	969	#endif
marcozecchini	0:9fca2b23d0ba	970
marcozecchini	0:9fca2b23d0ba	971	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	972	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	973	ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	974	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	975	#endif
marcozecchini	0:9fca2b23d0ba	976
marcozecchini	0:9fca2b23d0ba	977	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	978	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	979	ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	980	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	981
marcozecchini	0:9fca2b23d0ba	982	ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	983	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	984	#endif
marcozecchini	0:9fca2b23d0ba	985
marcozecchini	0:9fca2b23d0ba	986	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	987	ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	988	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	989	#endif
marcozecchini	0:9fca2b23d0ba	990
marcozecchini	0:9fca2b23d0ba	991	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	992	ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	993	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	994	#endif
marcozecchini	0:9fca2b23d0ba	995
marcozecchini	0:9fca2b23d0ba	996	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	997	ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	998	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	999	#endif
marcozecchini	0:9fca2b23d0ba	1000
marcozecchini	0:9fca2b23d0ba	1001	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	1002	ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	1003	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	1004	#endif
marcozecchini	0:9fca2b23d0ba	1005
marcozecchini	0:9fca2b23d0ba	1006	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	1007	ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	1008	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	1009	#endif
marcozecchini	0:9fca2b23d0ba	1010
marcozecchini	0:9fca2b23d0ba	1011	#if defined(MBEDTLS_SSL_ALPN)
marcozecchini	0:9fca2b23d0ba	1012	ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	1013	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	1014	#endif
marcozecchini	0:9fca2b23d0ba	1015
marcozecchini	0:9fca2b23d0ba	1016	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	1017	ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	1018	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	1019	#endif
marcozecchini	0:9fca2b23d0ba	1020
marcozecchini	0:9fca2b23d0ba	1021	/* olen unused if all extensions are disabled */
marcozecchini	0:9fca2b23d0ba	1022	((void) olen);
marcozecchini	0:9fca2b23d0ba	1023
marcozecchini	0:9fca2b23d0ba	1024	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
marcozecchini	0:9fca2b23d0ba	1025	ext_len ) );
marcozecchini	0:9fca2b23d0ba	1026
marcozecchini	0:9fca2b23d0ba	1027	if( ext_len > 0 )
marcozecchini	0:9fca2b23d0ba	1028	{
marcozecchini	0:9fca2b23d0ba	1029	*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	1030	*p++ = (unsigned char)( ( ext_len ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	1031	p += ext_len;
marcozecchini	0:9fca2b23d0ba	1032	}
marcozecchini	0:9fca2b23d0ba	1033
marcozecchini	0:9fca2b23d0ba	1034	ssl->out_msglen = p - buf;
marcozecchini	0:9fca2b23d0ba	1035	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	1036	ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
marcozecchini	0:9fca2b23d0ba	1037
marcozecchini	0:9fca2b23d0ba	1038	ssl->state++;
marcozecchini	0:9fca2b23d0ba	1039
marcozecchini	0:9fca2b23d0ba	1040	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1041	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1042	mbedtls_ssl_send_flight_completed( ssl );
marcozecchini	0:9fca2b23d0ba	1043	#endif
marcozecchini	0:9fca2b23d0ba	1044
marcozecchini	0:9fca2b23d0ba	1045	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1046	{
marcozecchini	0:9fca2b23d0ba	1047	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
marcozecchini	0:9fca2b23d0ba	1048	return( ret );
marcozecchini	0:9fca2b23d0ba	1049	}
marcozecchini	0:9fca2b23d0ba	1050
marcozecchini	0:9fca2b23d0ba	1051	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
marcozecchini	0:9fca2b23d0ba	1052
marcozecchini	0:9fca2b23d0ba	1053	return( 0 );
marcozecchini	0:9fca2b23d0ba	1054	}
marcozecchini	0:9fca2b23d0ba	1055
marcozecchini	0:9fca2b23d0ba	1056	static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1057	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1058	size_t len )
marcozecchini	0:9fca2b23d0ba	1059	{
marcozecchini	0:9fca2b23d0ba	1060	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1061	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1062	{
marcozecchini	0:9fca2b23d0ba	1063	/* Check verify-data in constant-time. The length OTOH is no secret */
marcozecchini	0:9fca2b23d0ba	1064	if( len != 1 + ssl->verify_data_len * 2 \|\|
marcozecchini	0:9fca2b23d0ba	1065	buf[0] != ssl->verify_data_len * 2 \|\|
marcozecchini	0:9fca2b23d0ba	1066	mbedtls_ssl_safer_memcmp( buf + 1,
marcozecchini	0:9fca2b23d0ba	1067	ssl->own_verify_data, ssl->verify_data_len ) != 0 \|\|
marcozecchini	0:9fca2b23d0ba	1068	mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
marcozecchini	0:9fca2b23d0ba	1069	ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
marcozecchini	0:9fca2b23d0ba	1070	{
marcozecchini	0:9fca2b23d0ba	1071	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
marcozecchini	0:9fca2b23d0ba	1072	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1073	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1074	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1075	}
marcozecchini	0:9fca2b23d0ba	1076	}
marcozecchini	0:9fca2b23d0ba	1077	else
marcozecchini	0:9fca2b23d0ba	1078	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	1079	{
marcozecchini	0:9fca2b23d0ba	1080	if( len != 1 \|\| buf[0] != 0x00 )
marcozecchini	0:9fca2b23d0ba	1081	{
marcozecchini	0:9fca2b23d0ba	1082	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
marcozecchini	0:9fca2b23d0ba	1083	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1084	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1085	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1086	}
marcozecchini	0:9fca2b23d0ba	1087
marcozecchini	0:9fca2b23d0ba	1088	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
marcozecchini	0:9fca2b23d0ba	1089	}
marcozecchini	0:9fca2b23d0ba	1090
marcozecchini	0:9fca2b23d0ba	1091	return( 0 );
marcozecchini	0:9fca2b23d0ba	1092	}
marcozecchini	0:9fca2b23d0ba	1093
marcozecchini	0:9fca2b23d0ba	1094	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	1095	static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1096	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1097	size_t len )
marcozecchini	0:9fca2b23d0ba	1098	{
marcozecchini	0:9fca2b23d0ba	1099	/*
marcozecchini	0:9fca2b23d0ba	1100	* server should use the extension only if we did,
marcozecchini	0:9fca2b23d0ba	1101	* and if so the server's value should match ours (and len is always 1)
marcozecchini	0:9fca2b23d0ba	1102	*/
marcozecchini	0:9fca2b23d0ba	1103	if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE \|\|
marcozecchini	0:9fca2b23d0ba	1104	len != 1 \|\|
marcozecchini	0:9fca2b23d0ba	1105	buf[0] != ssl->conf->mfl_code )
marcozecchini	0:9fca2b23d0ba	1106	{
marcozecchini	0:9fca2b23d0ba	1107	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
marcozecchini	0:9fca2b23d0ba	1108	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1109	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1110	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1111	}
marcozecchini	0:9fca2b23d0ba	1112
marcozecchini	0:9fca2b23d0ba	1113	return( 0 );
marcozecchini	0:9fca2b23d0ba	1114	}
marcozecchini	0:9fca2b23d0ba	1115	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
marcozecchini	0:9fca2b23d0ba	1116
marcozecchini	0:9fca2b23d0ba	1117	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	1118	static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1119	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1120	size_t len )
marcozecchini	0:9fca2b23d0ba	1121	{
marcozecchini	0:9fca2b23d0ba	1122	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	1123	len != 0 )
marcozecchini	0:9fca2b23d0ba	1124	{
marcozecchini	0:9fca2b23d0ba	1125	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
marcozecchini	0:9fca2b23d0ba	1126	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1127	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1128	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1129	}
marcozecchini	0:9fca2b23d0ba	1130
marcozecchini	0:9fca2b23d0ba	1131	((void) buf);
marcozecchini	0:9fca2b23d0ba	1132
marcozecchini	0:9fca2b23d0ba	1133	ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
marcozecchini	0:9fca2b23d0ba	1134
marcozecchini	0:9fca2b23d0ba	1135	return( 0 );
marcozecchini	0:9fca2b23d0ba	1136	}
marcozecchini	0:9fca2b23d0ba	1137	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
marcozecchini	0:9fca2b23d0ba	1138
marcozecchini	0:9fca2b23d0ba	1139	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	1140	static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1141	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1142	size_t len )
marcozecchini	0:9fca2b23d0ba	1143	{
marcozecchini	0:9fca2b23d0ba	1144	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	1145	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
marcozecchini	0:9fca2b23d0ba	1146	len != 0 )
marcozecchini	0:9fca2b23d0ba	1147	{
marcozecchini	0:9fca2b23d0ba	1148	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
marcozecchini	0:9fca2b23d0ba	1149	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1150	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1151	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1152	}
marcozecchini	0:9fca2b23d0ba	1153
marcozecchini	0:9fca2b23d0ba	1154	((void) buf);
marcozecchini	0:9fca2b23d0ba	1155
marcozecchini	0:9fca2b23d0ba	1156	ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
marcozecchini	0:9fca2b23d0ba	1157
marcozecchini	0:9fca2b23d0ba	1158	return( 0 );
marcozecchini	0:9fca2b23d0ba	1159	}
marcozecchini	0:9fca2b23d0ba	1160	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
marcozecchini	0:9fca2b23d0ba	1161
marcozecchini	0:9fca2b23d0ba	1162	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	1163	static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1164	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1165	size_t len )
marcozecchini	0:9fca2b23d0ba	1166	{
marcozecchini	0:9fca2b23d0ba	1167	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	1168	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
marcozecchini	0:9fca2b23d0ba	1169	len != 0 )
marcozecchini	0:9fca2b23d0ba	1170	{
marcozecchini	0:9fca2b23d0ba	1171	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
marcozecchini	0:9fca2b23d0ba	1172	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1173	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1174	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1175	}
marcozecchini	0:9fca2b23d0ba	1176
marcozecchini	0:9fca2b23d0ba	1177	((void) buf);
marcozecchini	0:9fca2b23d0ba	1178
marcozecchini	0:9fca2b23d0ba	1179	ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
marcozecchini	0:9fca2b23d0ba	1180
marcozecchini	0:9fca2b23d0ba	1181	return( 0 );
marcozecchini	0:9fca2b23d0ba	1182	}
marcozecchini	0:9fca2b23d0ba	1183	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
marcozecchini	0:9fca2b23d0ba	1184
marcozecchini	0:9fca2b23d0ba	1185	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	1186	static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1187	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1188	size_t len )
marcozecchini	0:9fca2b23d0ba	1189	{
marcozecchini	0:9fca2b23d0ba	1190	if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	1191	len != 0 )
marcozecchini	0:9fca2b23d0ba	1192	{
marcozecchini	0:9fca2b23d0ba	1193	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
marcozecchini	0:9fca2b23d0ba	1194	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1195	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1196	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1197	}
marcozecchini	0:9fca2b23d0ba	1198
marcozecchini	0:9fca2b23d0ba	1199	((void) buf);
marcozecchini	0:9fca2b23d0ba	1200
marcozecchini	0:9fca2b23d0ba	1201	ssl->handshake->new_session_ticket = 1;
marcozecchini	0:9fca2b23d0ba	1202
marcozecchini	0:9fca2b23d0ba	1203	return( 0 );
marcozecchini	0:9fca2b23d0ba	1204	}
marcozecchini	0:9fca2b23d0ba	1205	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	1206
marcozecchini	0:9fca2b23d0ba	1207	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	1208	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	1209	static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1210	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1211	size_t len )
marcozecchini	0:9fca2b23d0ba	1212	{
marcozecchini	0:9fca2b23d0ba	1213	size_t list_size;
marcozecchini	0:9fca2b23d0ba	1214	const unsigned char *p;
marcozecchini	0:9fca2b23d0ba	1215
marcozecchini	0:9fca2b23d0ba	1216	list_size = buf[0];
marcozecchini	0:9fca2b23d0ba	1217	if( list_size + 1 != len )
marcozecchini	0:9fca2b23d0ba	1218	{
marcozecchini	0:9fca2b23d0ba	1219	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1220	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1221	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1222	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1223	}
marcozecchini	0:9fca2b23d0ba	1224
marcozecchini	0:9fca2b23d0ba	1225	p = buf + 1;
marcozecchini	0:9fca2b23d0ba	1226	while( list_size > 0 )
marcozecchini	0:9fca2b23d0ba	1227	{
marcozecchini	0:9fca2b23d0ba	1228	if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED \|\|
marcozecchini	0:9fca2b23d0ba	1229	p[0] == MBEDTLS_ECP_PF_COMPRESSED )
marcozecchini	0:9fca2b23d0ba	1230	{
marcozecchini	0:9fca2b23d0ba	1231	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	1232	ssl->handshake->ecdh_ctx.point_format = p[0];
marcozecchini	0:9fca2b23d0ba	1233	#endif
marcozecchini	0:9fca2b23d0ba	1234	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	1235	ssl->handshake->ecjpake_ctx.point_format = p[0];
marcozecchini	0:9fca2b23d0ba	1236	#endif
marcozecchini	0:9fca2b23d0ba	1237	MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
marcozecchini	0:9fca2b23d0ba	1238	return( 0 );
marcozecchini	0:9fca2b23d0ba	1239	}
marcozecchini	0:9fca2b23d0ba	1240
marcozecchini	0:9fca2b23d0ba	1241	list_size--;
marcozecchini	0:9fca2b23d0ba	1242	p++;
marcozecchini	0:9fca2b23d0ba	1243	}
marcozecchini	0:9fca2b23d0ba	1244
marcozecchini	0:9fca2b23d0ba	1245	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
marcozecchini	0:9fca2b23d0ba	1246	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1247	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1248	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1249	}
marcozecchini	0:9fca2b23d0ba	1250	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
marcozecchini	0:9fca2b23d0ba	1251	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	1252
marcozecchini	0:9fca2b23d0ba	1253	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	1254	static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1255	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	1256	size_t len )
marcozecchini	0:9fca2b23d0ba	1257	{
marcozecchini	0:9fca2b23d0ba	1258	int ret;
marcozecchini	0:9fca2b23d0ba	1259
marcozecchini	0:9fca2b23d0ba	1260	if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
marcozecchini	0:9fca2b23d0ba	1261	MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	1262	{
marcozecchini	0:9fca2b23d0ba	1263	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
marcozecchini	0:9fca2b23d0ba	1264	return( 0 );
marcozecchini	0:9fca2b23d0ba	1265	}
marcozecchini	0:9fca2b23d0ba	1266
marcozecchini	0:9fca2b23d0ba	1267	/* If we got here, we no longer need our cached extension */
marcozecchini	0:9fca2b23d0ba	1268	mbedtls_free( ssl->handshake->ecjpake_cache );
marcozecchini	0:9fca2b23d0ba	1269	ssl->handshake->ecjpake_cache = NULL;
marcozecchini	0:9fca2b23d0ba	1270	ssl->handshake->ecjpake_cache_len = 0;
marcozecchini	0:9fca2b23d0ba	1271
marcozecchini	0:9fca2b23d0ba	1272	if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	1273	buf, len ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1274	{
marcozecchini	0:9fca2b23d0ba	1275	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
marcozecchini	0:9fca2b23d0ba	1276	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1277	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1278	return( ret );
marcozecchini	0:9fca2b23d0ba	1279	}
marcozecchini	0:9fca2b23d0ba	1280
marcozecchini	0:9fca2b23d0ba	1281	return( 0 );
marcozecchini	0:9fca2b23d0ba	1282	}
marcozecchini	0:9fca2b23d0ba	1283	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	1284
marcozecchini	0:9fca2b23d0ba	1285	#if defined(MBEDTLS_SSL_ALPN)
marcozecchini	0:9fca2b23d0ba	1286	static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	1287	const unsigned char *buf, size_t len )
marcozecchini	0:9fca2b23d0ba	1288	{
marcozecchini	0:9fca2b23d0ba	1289	size_t list_len, name_len;
marcozecchini	0:9fca2b23d0ba	1290	const char **p;
marcozecchini	0:9fca2b23d0ba	1291
marcozecchini	0:9fca2b23d0ba	1292	/* If we didn't send it, the server shouldn't send it */
marcozecchini	0:9fca2b23d0ba	1293	if( ssl->conf->alpn_list == NULL )
marcozecchini	0:9fca2b23d0ba	1294	{
marcozecchini	0:9fca2b23d0ba	1295	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
marcozecchini	0:9fca2b23d0ba	1296	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1297	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1298	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1299	}
marcozecchini	0:9fca2b23d0ba	1300
marcozecchini	0:9fca2b23d0ba	1301	/*
marcozecchini	0:9fca2b23d0ba	1302	* opaque ProtocolName<1..2^8-1>;
marcozecchini	0:9fca2b23d0ba	1303	*
marcozecchini	0:9fca2b23d0ba	1304	* struct {
marcozecchini	0:9fca2b23d0ba	1305	* ProtocolName protocol_name_list<2..2^16-1>
marcozecchini	0:9fca2b23d0ba	1306	* } ProtocolNameList;
marcozecchini	0:9fca2b23d0ba	1307	*
marcozecchini	0:9fca2b23d0ba	1308	* the "ProtocolNameList" MUST contain exactly one "ProtocolName"
marcozecchini	0:9fca2b23d0ba	1309	*/
marcozecchini	0:9fca2b23d0ba	1310
marcozecchini	0:9fca2b23d0ba	1311	/* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
marcozecchini	0:9fca2b23d0ba	1312	if( len < 4 )
marcozecchini	0:9fca2b23d0ba	1313	{
marcozecchini	0:9fca2b23d0ba	1314	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1315	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1316	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1317	}
marcozecchini	0:9fca2b23d0ba	1318
marcozecchini	0:9fca2b23d0ba	1319	list_len = ( buf[0] << 8 ) \| buf[1];
marcozecchini	0:9fca2b23d0ba	1320	if( list_len != len - 2 )
marcozecchini	0:9fca2b23d0ba	1321	{
marcozecchini	0:9fca2b23d0ba	1322	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1323	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1324	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1325	}
marcozecchini	0:9fca2b23d0ba	1326
marcozecchini	0:9fca2b23d0ba	1327	name_len = buf[2];
marcozecchini	0:9fca2b23d0ba	1328	if( name_len != list_len - 1 )
marcozecchini	0:9fca2b23d0ba	1329	{
marcozecchini	0:9fca2b23d0ba	1330	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1331	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1332	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1333	}
marcozecchini	0:9fca2b23d0ba	1334
marcozecchini	0:9fca2b23d0ba	1335	/* Check that the server chosen protocol was in our list and save it */
marcozecchini	0:9fca2b23d0ba	1336	for( p = ssl->conf->alpn_list; *p != NULL; p++ )
marcozecchini	0:9fca2b23d0ba	1337	{
marcozecchini	0:9fca2b23d0ba	1338	if( name_len == strlen( *p ) &&
marcozecchini	0:9fca2b23d0ba	1339	memcmp( buf + 3, *p, name_len ) == 0 )
marcozecchini	0:9fca2b23d0ba	1340	{
marcozecchini	0:9fca2b23d0ba	1341	ssl->alpn_chosen = *p;
marcozecchini	0:9fca2b23d0ba	1342	return( 0 );
marcozecchini	0:9fca2b23d0ba	1343	}
marcozecchini	0:9fca2b23d0ba	1344	}
marcozecchini	0:9fca2b23d0ba	1345
marcozecchini	0:9fca2b23d0ba	1346	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
marcozecchini	0:9fca2b23d0ba	1347	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1348	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1349	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1350	}
marcozecchini	0:9fca2b23d0ba	1351	#endif /* MBEDTLS_SSL_ALPN */
marcozecchini	0:9fca2b23d0ba	1352
marcozecchini	0:9fca2b23d0ba	1353	/*
marcozecchini	0:9fca2b23d0ba	1354	* Parse HelloVerifyRequest. Only called after verifying the HS type.
marcozecchini	0:9fca2b23d0ba	1355	*/
marcozecchini	0:9fca2b23d0ba	1356	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1357	static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	1358	{
marcozecchini	0:9fca2b23d0ba	1359	const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	1360	int major_ver, minor_ver;
marcozecchini	0:9fca2b23d0ba	1361	unsigned char cookie_len;
marcozecchini	0:9fca2b23d0ba	1362
marcozecchini	0:9fca2b23d0ba	1363	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
marcozecchini	0:9fca2b23d0ba	1364
marcozecchini	0:9fca2b23d0ba	1365	/*
marcozecchini	0:9fca2b23d0ba	1366	* struct {
marcozecchini	0:9fca2b23d0ba	1367	* ProtocolVersion server_version;
marcozecchini	0:9fca2b23d0ba	1368	* opaque cookie<0..2^8-1>;
marcozecchini	0:9fca2b23d0ba	1369	* } HelloVerifyRequest;
marcozecchini	0:9fca2b23d0ba	1370	*/
marcozecchini	0:9fca2b23d0ba	1371	MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
marcozecchini	0:9fca2b23d0ba	1372	mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
marcozecchini	0:9fca2b23d0ba	1373	p += 2;
marcozecchini	0:9fca2b23d0ba	1374
marcozecchini	0:9fca2b23d0ba	1375	/*
marcozecchini	0:9fca2b23d0ba	1376	* Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
marcozecchini	0:9fca2b23d0ba	1377	* even is lower than our min version.
marcozecchini	0:9fca2b23d0ba	1378	*/
marcozecchini	0:9fca2b23d0ba	1379	if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 \|\|
marcozecchini	0:9fca2b23d0ba	1380	minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 \|\|
marcozecchini	0:9fca2b23d0ba	1381	major_ver > ssl->conf->max_major_ver \|\|
marcozecchini	0:9fca2b23d0ba	1382	minor_ver > ssl->conf->max_minor_ver )
marcozecchini	0:9fca2b23d0ba	1383	{
marcozecchini	0:9fca2b23d0ba	1384	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
marcozecchini	0:9fca2b23d0ba	1385
marcozecchini	0:9fca2b23d0ba	1386	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1387	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	1388
marcozecchini	0:9fca2b23d0ba	1389	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	1390	}
marcozecchini	0:9fca2b23d0ba	1391
marcozecchini	0:9fca2b23d0ba	1392	cookie_len = *p++;
marcozecchini	0:9fca2b23d0ba	1393	MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
marcozecchini	0:9fca2b23d0ba	1394
marcozecchini	0:9fca2b23d0ba	1395	if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
marcozecchini	0:9fca2b23d0ba	1396	{
marcozecchini	0:9fca2b23d0ba	1397	MBEDTLS_SSL_DEBUG_MSG( 1,
marcozecchini	0:9fca2b23d0ba	1398	( "cookie length does not match incoming message size" ) );
marcozecchini	0:9fca2b23d0ba	1399	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1400	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1401	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1402	}
marcozecchini	0:9fca2b23d0ba	1403
marcozecchini	0:9fca2b23d0ba	1404	mbedtls_free( ssl->handshake->verify_cookie );
marcozecchini	0:9fca2b23d0ba	1405
marcozecchini	0:9fca2b23d0ba	1406	ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
marcozecchini	0:9fca2b23d0ba	1407	if( ssl->handshake->verify_cookie == NULL )
marcozecchini	0:9fca2b23d0ba	1408	{
marcozecchini	0:9fca2b23d0ba	1409	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
marcozecchini	0:9fca2b23d0ba	1410	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
marcozecchini	0:9fca2b23d0ba	1411	}
marcozecchini	0:9fca2b23d0ba	1412
marcozecchini	0:9fca2b23d0ba	1413	memcpy( ssl->handshake->verify_cookie, p, cookie_len );
marcozecchini	0:9fca2b23d0ba	1414	ssl->handshake->verify_cookie_len = cookie_len;
marcozecchini	0:9fca2b23d0ba	1415
marcozecchini	0:9fca2b23d0ba	1416	/* Start over at ClientHello */
marcozecchini	0:9fca2b23d0ba	1417	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
marcozecchini	0:9fca2b23d0ba	1418	mbedtls_ssl_reset_checksum( ssl );
marcozecchini	0:9fca2b23d0ba	1419
marcozecchini	0:9fca2b23d0ba	1420	mbedtls_ssl_recv_flight_completed( ssl );
marcozecchini	0:9fca2b23d0ba	1421
marcozecchini	0:9fca2b23d0ba	1422	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
marcozecchini	0:9fca2b23d0ba	1423
marcozecchini	0:9fca2b23d0ba	1424	return( 0 );
marcozecchini	0:9fca2b23d0ba	1425	}
marcozecchini	0:9fca2b23d0ba	1426	#endif /* MBEDTLS_SSL_PROTO_DTLS */
marcozecchini	0:9fca2b23d0ba	1427
marcozecchini	0:9fca2b23d0ba	1428	static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	1429	{
marcozecchini	0:9fca2b23d0ba	1430	int ret, i;
marcozecchini	0:9fca2b23d0ba	1431	size_t n;
marcozecchini	0:9fca2b23d0ba	1432	size_t ext_len;
marcozecchini	0:9fca2b23d0ba	1433	unsigned char buf, ext;
marcozecchini	0:9fca2b23d0ba	1434	unsigned char comp;
marcozecchini	0:9fca2b23d0ba	1435	#if defined(MBEDTLS_ZLIB_SUPPORT)
marcozecchini	0:9fca2b23d0ba	1436	int accept_comp;
marcozecchini	0:9fca2b23d0ba	1437	#endif
marcozecchini	0:9fca2b23d0ba	1438	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1439	int renegotiation_info_seen = 0;
marcozecchini	0:9fca2b23d0ba	1440	#endif
marcozecchini	0:9fca2b23d0ba	1441	int handshake_failure = 0;
marcozecchini	0:9fca2b23d0ba	1442	const mbedtls_ssl_ciphersuite_t *suite_info;
marcozecchini	0:9fca2b23d0ba	1443	#if defined(MBEDTLS_DEBUG_C)
marcozecchini	0:9fca2b23d0ba	1444	uint32_t t;
marcozecchini	0:9fca2b23d0ba	1445	#endif
marcozecchini	0:9fca2b23d0ba	1446
marcozecchini	0:9fca2b23d0ba	1447	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
marcozecchini	0:9fca2b23d0ba	1448
marcozecchini	0:9fca2b23d0ba	1449	buf = ssl->in_msg;
marcozecchini	0:9fca2b23d0ba	1450
marcozecchini	0:9fca2b23d0ba	1451	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1452	{
marcozecchini	0:9fca2b23d0ba	1453	/* No alert on a read error. */
marcozecchini	0:9fca2b23d0ba	1454	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
marcozecchini	0:9fca2b23d0ba	1455	return( ret );
marcozecchini	0:9fca2b23d0ba	1456	}
marcozecchini	0:9fca2b23d0ba	1457
marcozecchini	0:9fca2b23d0ba	1458	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1459	{
marcozecchini	0:9fca2b23d0ba	1460	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1461	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
marcozecchini	0:9fca2b23d0ba	1462	{
marcozecchini	0:9fca2b23d0ba	1463	ssl->renego_records_seen++;
marcozecchini	0:9fca2b23d0ba	1464
marcozecchini	0:9fca2b23d0ba	1465	if( ssl->conf->renego_max_records >= 0 &&
marcozecchini	0:9fca2b23d0ba	1466	ssl->renego_records_seen > ssl->conf->renego_max_records )
marcozecchini	0:9fca2b23d0ba	1467	{
marcozecchini	0:9fca2b23d0ba	1468	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
marcozecchini	0:9fca2b23d0ba	1469	"but not honored by server" ) );
marcozecchini	0:9fca2b23d0ba	1470	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	1471	}
marcozecchini	0:9fca2b23d0ba	1472
marcozecchini	0:9fca2b23d0ba	1473	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
marcozecchini	0:9fca2b23d0ba	1474
marcozecchini	0:9fca2b23d0ba	1475	ssl->keep_current_message = 1;
marcozecchini	0:9fca2b23d0ba	1476	return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
marcozecchini	0:9fca2b23d0ba	1477	}
marcozecchini	0:9fca2b23d0ba	1478	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	1479
marcozecchini	0:9fca2b23d0ba	1480	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1481	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1482	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	1483	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	1484	}
marcozecchini	0:9fca2b23d0ba	1485
marcozecchini	0:9fca2b23d0ba	1486	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1487	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1488	{
marcozecchini	0:9fca2b23d0ba	1489	if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
marcozecchini	0:9fca2b23d0ba	1490	{
marcozecchini	0:9fca2b23d0ba	1491	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
marcozecchini	0:9fca2b23d0ba	1492	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
marcozecchini	0:9fca2b23d0ba	1493	return( ssl_parse_hello_verify_request( ssl ) );
marcozecchini	0:9fca2b23d0ba	1494	}
marcozecchini	0:9fca2b23d0ba	1495	else
marcozecchini	0:9fca2b23d0ba	1496	{
marcozecchini	0:9fca2b23d0ba	1497	/* We made it through the verification process */
marcozecchini	0:9fca2b23d0ba	1498	mbedtls_free( ssl->handshake->verify_cookie );
marcozecchini	0:9fca2b23d0ba	1499	ssl->handshake->verify_cookie = NULL;
marcozecchini	0:9fca2b23d0ba	1500	ssl->handshake->verify_cookie_len = 0;
marcozecchini	0:9fca2b23d0ba	1501	}
marcozecchini	0:9fca2b23d0ba	1502	}
marcozecchini	0:9fca2b23d0ba	1503	#endif /* MBEDTLS_SSL_PROTO_DTLS */
marcozecchini	0:9fca2b23d0ba	1504
marcozecchini	0:9fca2b23d0ba	1505	if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) \|\|
marcozecchini	0:9fca2b23d0ba	1506	buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
marcozecchini	0:9fca2b23d0ba	1507	{
marcozecchini	0:9fca2b23d0ba	1508	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1509	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1510	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1511	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1512	}
marcozecchini	0:9fca2b23d0ba	1513
marcozecchini	0:9fca2b23d0ba	1514	/*
marcozecchini	0:9fca2b23d0ba	1515	* 0 . 1 server_version
marcozecchini	0:9fca2b23d0ba	1516	* 2 . 33 random (maybe including 4 bytes of Unix time)
marcozecchini	0:9fca2b23d0ba	1517	* 34 . 34 session_id length = n
marcozecchini	0:9fca2b23d0ba	1518	* 35 . 34+n session_id
marcozecchini	0:9fca2b23d0ba	1519	* 35+n . 36+n cipher_suite
marcozecchini	0:9fca2b23d0ba	1520	* 37+n . 37+n compression_method
marcozecchini	0:9fca2b23d0ba	1521	*
marcozecchini	0:9fca2b23d0ba	1522	* 38+n . 39+n extensions length (optional)
marcozecchini	0:9fca2b23d0ba	1523	* 40+n . .. extensions
marcozecchini	0:9fca2b23d0ba	1524	*/
marcozecchini	0:9fca2b23d0ba	1525	buf += mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	1526
marcozecchini	0:9fca2b23d0ba	1527	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
marcozecchini	0:9fca2b23d0ba	1528	mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
marcozecchini	0:9fca2b23d0ba	1529	ssl->conf->transport, buf + 0 );
marcozecchini	0:9fca2b23d0ba	1530
marcozecchini	0:9fca2b23d0ba	1531	if( ssl->major_ver < ssl->conf->min_major_ver \|\|
marcozecchini	0:9fca2b23d0ba	1532	ssl->minor_ver < ssl->conf->min_minor_ver \|\|
marcozecchini	0:9fca2b23d0ba	1533	ssl->major_ver > ssl->conf->max_major_ver \|\|
marcozecchini	0:9fca2b23d0ba	1534	ssl->minor_ver > ssl->conf->max_minor_ver )
marcozecchini	0:9fca2b23d0ba	1535	{
marcozecchini	0:9fca2b23d0ba	1536	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
marcozecchini	0:9fca2b23d0ba	1537	" min: [%d:%d], server: [%d:%d], max: [%d:%d]",
marcozecchini	0:9fca2b23d0ba	1538	ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
marcozecchini	0:9fca2b23d0ba	1539	ssl->major_ver, ssl->minor_ver,
marcozecchini	0:9fca2b23d0ba	1540	ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
marcozecchini	0:9fca2b23d0ba	1541
marcozecchini	0:9fca2b23d0ba	1542	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1543	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	1544
marcozecchini	0:9fca2b23d0ba	1545	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	1546	}
marcozecchini	0:9fca2b23d0ba	1547
marcozecchini	0:9fca2b23d0ba	1548	#if defined(MBEDTLS_DEBUG_C)
marcozecchini	0:9fca2b23d0ba	1549	t = ( (uint32_t) buf[2] << 24 )
marcozecchini	0:9fca2b23d0ba	1550	\| ( (uint32_t) buf[3] << 16 )
marcozecchini	0:9fca2b23d0ba	1551	\| ( (uint32_t) buf[4] << 8 )
marcozecchini	0:9fca2b23d0ba	1552	\| ( (uint32_t) buf[5] );
marcozecchini	0:9fca2b23d0ba	1553	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
marcozecchini	0:9fca2b23d0ba	1554	#endif
marcozecchini	0:9fca2b23d0ba	1555
marcozecchini	0:9fca2b23d0ba	1556	memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
marcozecchini	0:9fca2b23d0ba	1557
marcozecchini	0:9fca2b23d0ba	1558	n = buf[34];
marcozecchini	0:9fca2b23d0ba	1559
marcozecchini	0:9fca2b23d0ba	1560	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
marcozecchini	0:9fca2b23d0ba	1561
marcozecchini	0:9fca2b23d0ba	1562	if( n > 32 )
marcozecchini	0:9fca2b23d0ba	1563	{
marcozecchini	0:9fca2b23d0ba	1564	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1565	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1566	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1567	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1568	}
marcozecchini	0:9fca2b23d0ba	1569
marcozecchini	0:9fca2b23d0ba	1570	if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
marcozecchini	0:9fca2b23d0ba	1571	{
marcozecchini	0:9fca2b23d0ba	1572	ext_len = ( ( buf[38 + n] << 8 )
marcozecchini	0:9fca2b23d0ba	1573	\| ( buf[39 + n] ) );
marcozecchini	0:9fca2b23d0ba	1574
marcozecchini	0:9fca2b23d0ba	1575	if( ( ext_len > 0 && ext_len < 4 ) \|\|
marcozecchini	0:9fca2b23d0ba	1576	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
marcozecchini	0:9fca2b23d0ba	1577	{
marcozecchini	0:9fca2b23d0ba	1578	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1579	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1580	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1581	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1582	}
marcozecchini	0:9fca2b23d0ba	1583	}
marcozecchini	0:9fca2b23d0ba	1584	else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
marcozecchini	0:9fca2b23d0ba	1585	{
marcozecchini	0:9fca2b23d0ba	1586	ext_len = 0;
marcozecchini	0:9fca2b23d0ba	1587	}
marcozecchini	0:9fca2b23d0ba	1588	else
marcozecchini	0:9fca2b23d0ba	1589	{
marcozecchini	0:9fca2b23d0ba	1590	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1591	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1592	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1593	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1594	}
marcozecchini	0:9fca2b23d0ba	1595
marcozecchini	0:9fca2b23d0ba	1596	/* ciphersuite (used later) */
marcozecchini	0:9fca2b23d0ba	1597	i = ( buf[35 + n] << 8 ) \| buf[36 + n];
marcozecchini	0:9fca2b23d0ba	1598
marcozecchini	0:9fca2b23d0ba	1599	/*
marcozecchini	0:9fca2b23d0ba	1600	* Read and check compression
marcozecchini	0:9fca2b23d0ba	1601	*/
marcozecchini	0:9fca2b23d0ba	1602	comp = buf[37 + n];
marcozecchini	0:9fca2b23d0ba	1603
marcozecchini	0:9fca2b23d0ba	1604	#if defined(MBEDTLS_ZLIB_SUPPORT)
marcozecchini	0:9fca2b23d0ba	1605	/* See comments in ssl_write_client_hello() */
marcozecchini	0:9fca2b23d0ba	1606	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1607	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1608	accept_comp = 0;
marcozecchini	0:9fca2b23d0ba	1609	else
marcozecchini	0:9fca2b23d0ba	1610	#endif
marcozecchini	0:9fca2b23d0ba	1611	accept_comp = 1;
marcozecchini	0:9fca2b23d0ba	1612
marcozecchini	0:9fca2b23d0ba	1613	if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
marcozecchini	0:9fca2b23d0ba	1614	( comp != MBEDTLS_SSL_COMPRESS_DEFLATE \|\| accept_comp == 0 ) )
marcozecchini	0:9fca2b23d0ba	1615	#else /* MBEDTLS_ZLIB_SUPPORT */
marcozecchini	0:9fca2b23d0ba	1616	if( comp != MBEDTLS_SSL_COMPRESS_NULL )
marcozecchini	0:9fca2b23d0ba	1617	#endif/* MBEDTLS_ZLIB_SUPPORT */
marcozecchini	0:9fca2b23d0ba	1618	{
marcozecchini	0:9fca2b23d0ba	1619	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
marcozecchini	0:9fca2b23d0ba	1620	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1621	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	1622	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
marcozecchini	0:9fca2b23d0ba	1623	}
marcozecchini	0:9fca2b23d0ba	1624
marcozecchini	0:9fca2b23d0ba	1625	/*
marcozecchini	0:9fca2b23d0ba	1626	* Initialize update checksum functions
marcozecchini	0:9fca2b23d0ba	1627	*/
marcozecchini	0:9fca2b23d0ba	1628	ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
marcozecchini	0:9fca2b23d0ba	1629
marcozecchini	0:9fca2b23d0ba	1630	if( ssl->transform_negotiate->ciphersuite_info == NULL )
marcozecchini	0:9fca2b23d0ba	1631	{
marcozecchini	0:9fca2b23d0ba	1632	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
marcozecchini	0:9fca2b23d0ba	1633	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1634	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	1635	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	1636	}
marcozecchini	0:9fca2b23d0ba	1637
marcozecchini	0:9fca2b23d0ba	1638	mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
marcozecchini	0:9fca2b23d0ba	1639
marcozecchini	0:9fca2b23d0ba	1640	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
marcozecchini	0:9fca2b23d0ba	1641	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
marcozecchini	0:9fca2b23d0ba	1642
marcozecchini	0:9fca2b23d0ba	1643	/*
marcozecchini	0:9fca2b23d0ba	1644	* Check if the session can be resumed
marcozecchini	0:9fca2b23d0ba	1645	*/
marcozecchini	0:9fca2b23d0ba	1646	if( ssl->handshake->resume == 0 \|\| n == 0 \|\|
marcozecchini	0:9fca2b23d0ba	1647	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1648	ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE \|\|
marcozecchini	0:9fca2b23d0ba	1649	#endif
marcozecchini	0:9fca2b23d0ba	1650	ssl->session_negotiate->ciphersuite != i \|\|
marcozecchini	0:9fca2b23d0ba	1651	ssl->session_negotiate->compression != comp \|\|
marcozecchini	0:9fca2b23d0ba	1652	ssl->session_negotiate->id_len != n \|\|
marcozecchini	0:9fca2b23d0ba	1653	memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
marcozecchini	0:9fca2b23d0ba	1654	{
marcozecchini	0:9fca2b23d0ba	1655	ssl->state++;
marcozecchini	0:9fca2b23d0ba	1656	ssl->handshake->resume = 0;
marcozecchini	0:9fca2b23d0ba	1657	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	1658	ssl->session_negotiate->start = mbedtls_time( NULL );
marcozecchini	0:9fca2b23d0ba	1659	#endif
marcozecchini	0:9fca2b23d0ba	1660	ssl->session_negotiate->ciphersuite = i;
marcozecchini	0:9fca2b23d0ba	1661	ssl->session_negotiate->compression = comp;
marcozecchini	0:9fca2b23d0ba	1662	ssl->session_negotiate->id_len = n;
marcozecchini	0:9fca2b23d0ba	1663	memcpy( ssl->session_negotiate->id, buf + 35, n );
marcozecchini	0:9fca2b23d0ba	1664	}
marcozecchini	0:9fca2b23d0ba	1665	else
marcozecchini	0:9fca2b23d0ba	1666	{
marcozecchini	0:9fca2b23d0ba	1667	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
marcozecchini	0:9fca2b23d0ba	1668
marcozecchini	0:9fca2b23d0ba	1669	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1670	{
marcozecchini	0:9fca2b23d0ba	1671	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
marcozecchini	0:9fca2b23d0ba	1672	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1673	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	1674	return( ret );
marcozecchini	0:9fca2b23d0ba	1675	}
marcozecchini	0:9fca2b23d0ba	1676	}
marcozecchini	0:9fca2b23d0ba	1677
marcozecchini	0:9fca2b23d0ba	1678	MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
marcozecchini	0:9fca2b23d0ba	1679	ssl->handshake->resume ? "a" : "no" ) );
marcozecchini	0:9fca2b23d0ba	1680
marcozecchini	0:9fca2b23d0ba	1681	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
marcozecchini	0:9fca2b23d0ba	1682	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
marcozecchini	0:9fca2b23d0ba	1683
marcozecchini	0:9fca2b23d0ba	1684	suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
marcozecchini	0:9fca2b23d0ba	1685	if( suite_info == NULL
marcozecchini	0:9fca2b23d0ba	1686	#if defined(MBEDTLS_ARC4_C)
marcozecchini	0:9fca2b23d0ba	1687	\|\| ( ssl->conf->arc4_disabled &&
marcozecchini	0:9fca2b23d0ba	1688	suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
marcozecchini	0:9fca2b23d0ba	1689	#endif
marcozecchini	0:9fca2b23d0ba	1690	)
marcozecchini	0:9fca2b23d0ba	1691	{
marcozecchini	0:9fca2b23d0ba	1692	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1693	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1694	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	1695	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1696	}
marcozecchini	0:9fca2b23d0ba	1697
marcozecchini	0:9fca2b23d0ba	1698	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
marcozecchini	0:9fca2b23d0ba	1699
marcozecchini	0:9fca2b23d0ba	1700	i = 0;
marcozecchini	0:9fca2b23d0ba	1701	while( 1 )
marcozecchini	0:9fca2b23d0ba	1702	{
marcozecchini	0:9fca2b23d0ba	1703	if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
marcozecchini	0:9fca2b23d0ba	1704	{
marcozecchini	0:9fca2b23d0ba	1705	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1706	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1707	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	1708	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1709	}
marcozecchini	0:9fca2b23d0ba	1710
marcozecchini	0:9fca2b23d0ba	1711	if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
marcozecchini	0:9fca2b23d0ba	1712	ssl->session_negotiate->ciphersuite )
marcozecchini	0:9fca2b23d0ba	1713	{
marcozecchini	0:9fca2b23d0ba	1714	break;
marcozecchini	0:9fca2b23d0ba	1715	}
marcozecchini	0:9fca2b23d0ba	1716	}
marcozecchini	0:9fca2b23d0ba	1717
marcozecchini	0:9fca2b23d0ba	1718	if( comp != MBEDTLS_SSL_COMPRESS_NULL
marcozecchini	0:9fca2b23d0ba	1719	#if defined(MBEDTLS_ZLIB_SUPPORT)
marcozecchini	0:9fca2b23d0ba	1720	&& comp != MBEDTLS_SSL_COMPRESS_DEFLATE
marcozecchini	0:9fca2b23d0ba	1721	#endif
marcozecchini	0:9fca2b23d0ba	1722	)
marcozecchini	0:9fca2b23d0ba	1723	{
marcozecchini	0:9fca2b23d0ba	1724	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1725	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1726	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	1727	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1728	}
marcozecchini	0:9fca2b23d0ba	1729	ssl->session_negotiate->compression = comp;
marcozecchini	0:9fca2b23d0ba	1730
marcozecchini	0:9fca2b23d0ba	1731	ext = buf + 40 + n;
marcozecchini	0:9fca2b23d0ba	1732
marcozecchini	0:9fca2b23d0ba	1733	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
marcozecchini	0:9fca2b23d0ba	1734
marcozecchini	0:9fca2b23d0ba	1735	while( ext_len )
marcozecchini	0:9fca2b23d0ba	1736	{
marcozecchini	0:9fca2b23d0ba	1737	unsigned int ext_id = ( ( ext[0] << 8 )
marcozecchini	0:9fca2b23d0ba	1738	\| ( ext[1] ) );
marcozecchini	0:9fca2b23d0ba	1739	unsigned int ext_size = ( ( ext[2] << 8 )
marcozecchini	0:9fca2b23d0ba	1740	\| ( ext[3] ) );
marcozecchini	0:9fca2b23d0ba	1741
marcozecchini	0:9fca2b23d0ba	1742	if( ext_size + 4 > ext_len )
marcozecchini	0:9fca2b23d0ba	1743	{
marcozecchini	0:9fca2b23d0ba	1744	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1745	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1746	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1747	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1748	}
marcozecchini	0:9fca2b23d0ba	1749
marcozecchini	0:9fca2b23d0ba	1750	switch( ext_id )
marcozecchini	0:9fca2b23d0ba	1751	{
marcozecchini	0:9fca2b23d0ba	1752	case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
marcozecchini	0:9fca2b23d0ba	1753	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
marcozecchini	0:9fca2b23d0ba	1754	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1755	renegotiation_info_seen = 1;
marcozecchini	0:9fca2b23d0ba	1756	#endif
marcozecchini	0:9fca2b23d0ba	1757
marcozecchini	0:9fca2b23d0ba	1758	if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
marcozecchini	0:9fca2b23d0ba	1759	ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1760	return( ret );
marcozecchini	0:9fca2b23d0ba	1761
marcozecchini	0:9fca2b23d0ba	1762	break;
marcozecchini	0:9fca2b23d0ba	1763
marcozecchini	0:9fca2b23d0ba	1764	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	1765	case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
marcozecchini	0:9fca2b23d0ba	1766	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
marcozecchini	0:9fca2b23d0ba	1767
marcozecchini	0:9fca2b23d0ba	1768	if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
marcozecchini	0:9fca2b23d0ba	1769	ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1770	{
marcozecchini	0:9fca2b23d0ba	1771	return( ret );
marcozecchini	0:9fca2b23d0ba	1772	}
marcozecchini	0:9fca2b23d0ba	1773
marcozecchini	0:9fca2b23d0ba	1774	break;
marcozecchini	0:9fca2b23d0ba	1775	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
marcozecchini	0:9fca2b23d0ba	1776
marcozecchini	0:9fca2b23d0ba	1777	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	1778	case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
marcozecchini	0:9fca2b23d0ba	1779	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
marcozecchini	0:9fca2b23d0ba	1780
marcozecchini	0:9fca2b23d0ba	1781	if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
marcozecchini	0:9fca2b23d0ba	1782	ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1783	{
marcozecchini	0:9fca2b23d0ba	1784	return( ret );
marcozecchini	0:9fca2b23d0ba	1785	}
marcozecchini	0:9fca2b23d0ba	1786
marcozecchini	0:9fca2b23d0ba	1787	break;
marcozecchini	0:9fca2b23d0ba	1788	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
marcozecchini	0:9fca2b23d0ba	1789
marcozecchini	0:9fca2b23d0ba	1790	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	1791	case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
marcozecchini	0:9fca2b23d0ba	1792	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
marcozecchini	0:9fca2b23d0ba	1793
marcozecchini	0:9fca2b23d0ba	1794	if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
marcozecchini	0:9fca2b23d0ba	1795	ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1796	{
marcozecchini	0:9fca2b23d0ba	1797	return( ret );
marcozecchini	0:9fca2b23d0ba	1798	}
marcozecchini	0:9fca2b23d0ba	1799
marcozecchini	0:9fca2b23d0ba	1800	break;
marcozecchini	0:9fca2b23d0ba	1801	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
marcozecchini	0:9fca2b23d0ba	1802
marcozecchini	0:9fca2b23d0ba	1803	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	1804	case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
marcozecchini	0:9fca2b23d0ba	1805	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
marcozecchini	0:9fca2b23d0ba	1806
marcozecchini	0:9fca2b23d0ba	1807	if( ( ret = ssl_parse_extended_ms_ext( ssl,
marcozecchini	0:9fca2b23d0ba	1808	ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1809	{
marcozecchini	0:9fca2b23d0ba	1810	return( ret );
marcozecchini	0:9fca2b23d0ba	1811	}
marcozecchini	0:9fca2b23d0ba	1812
marcozecchini	0:9fca2b23d0ba	1813	break;
marcozecchini	0:9fca2b23d0ba	1814	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
marcozecchini	0:9fca2b23d0ba	1815
marcozecchini	0:9fca2b23d0ba	1816	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	1817	case MBEDTLS_TLS_EXT_SESSION_TICKET:
marcozecchini	0:9fca2b23d0ba	1818	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
marcozecchini	0:9fca2b23d0ba	1819
marcozecchini	0:9fca2b23d0ba	1820	if( ( ret = ssl_parse_session_ticket_ext( ssl,
marcozecchini	0:9fca2b23d0ba	1821	ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1822	{
marcozecchini	0:9fca2b23d0ba	1823	return( ret );
marcozecchini	0:9fca2b23d0ba	1824	}
marcozecchini	0:9fca2b23d0ba	1825
marcozecchini	0:9fca2b23d0ba	1826	break;
marcozecchini	0:9fca2b23d0ba	1827	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	1828
marcozecchini	0:9fca2b23d0ba	1829	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	1830	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	1831	case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
marcozecchini	0:9fca2b23d0ba	1832	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
marcozecchini	0:9fca2b23d0ba	1833
marcozecchini	0:9fca2b23d0ba	1834	if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
marcozecchini	0:9fca2b23d0ba	1835	ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1836	{
marcozecchini	0:9fca2b23d0ba	1837	return( ret );
marcozecchini	0:9fca2b23d0ba	1838	}
marcozecchini	0:9fca2b23d0ba	1839
marcozecchini	0:9fca2b23d0ba	1840	break;
marcozecchini	0:9fca2b23d0ba	1841	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
marcozecchini	0:9fca2b23d0ba	1842	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	1843
marcozecchini	0:9fca2b23d0ba	1844	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	1845	case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
marcozecchini	0:9fca2b23d0ba	1846	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
marcozecchini	0:9fca2b23d0ba	1847
marcozecchini	0:9fca2b23d0ba	1848	if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
marcozecchini	0:9fca2b23d0ba	1849	ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1850	{
marcozecchini	0:9fca2b23d0ba	1851	return( ret );
marcozecchini	0:9fca2b23d0ba	1852	}
marcozecchini	0:9fca2b23d0ba	1853
marcozecchini	0:9fca2b23d0ba	1854	break;
marcozecchini	0:9fca2b23d0ba	1855	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	1856
marcozecchini	0:9fca2b23d0ba	1857	#if defined(MBEDTLS_SSL_ALPN)
marcozecchini	0:9fca2b23d0ba	1858	case MBEDTLS_TLS_EXT_ALPN:
marcozecchini	0:9fca2b23d0ba	1859	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
marcozecchini	0:9fca2b23d0ba	1860
marcozecchini	0:9fca2b23d0ba	1861	if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1862	return( ret );
marcozecchini	0:9fca2b23d0ba	1863
marcozecchini	0:9fca2b23d0ba	1864	break;
marcozecchini	0:9fca2b23d0ba	1865	#endif /* MBEDTLS_SSL_ALPN */
marcozecchini	0:9fca2b23d0ba	1866
marcozecchini	0:9fca2b23d0ba	1867	default:
marcozecchini	0:9fca2b23d0ba	1868	MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
marcozecchini	0:9fca2b23d0ba	1869	ext_id ) );
marcozecchini	0:9fca2b23d0ba	1870	}
marcozecchini	0:9fca2b23d0ba	1871
marcozecchini	0:9fca2b23d0ba	1872	ext_len -= 4 + ext_size;
marcozecchini	0:9fca2b23d0ba	1873	ext += 4 + ext_size;
marcozecchini	0:9fca2b23d0ba	1874
marcozecchini	0:9fca2b23d0ba	1875	if( ext_len > 0 && ext_len < 4 )
marcozecchini	0:9fca2b23d0ba	1876	{
marcozecchini	0:9fca2b23d0ba	1877	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
marcozecchini	0:9fca2b23d0ba	1878	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1879	}
marcozecchini	0:9fca2b23d0ba	1880	}
marcozecchini	0:9fca2b23d0ba	1881
marcozecchini	0:9fca2b23d0ba	1882	/*
marcozecchini	0:9fca2b23d0ba	1883	* Renegotiation security checks
marcozecchini	0:9fca2b23d0ba	1884	*/
marcozecchini	0:9fca2b23d0ba	1885	if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1886	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1887	{
marcozecchini	0:9fca2b23d0ba	1888	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
marcozecchini	0:9fca2b23d0ba	1889	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1890	}
marcozecchini	0:9fca2b23d0ba	1891	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1892	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
marcozecchini	0:9fca2b23d0ba	1893	ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1894	renegotiation_info_seen == 0 )
marcozecchini	0:9fca2b23d0ba	1895	{
marcozecchini	0:9fca2b23d0ba	1896	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
marcozecchini	0:9fca2b23d0ba	1897	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1898	}
marcozecchini	0:9fca2b23d0ba	1899	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
marcozecchini	0:9fca2b23d0ba	1900	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1901	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
marcozecchini	0:9fca2b23d0ba	1902	{
marcozecchini	0:9fca2b23d0ba	1903	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
marcozecchini	0:9fca2b23d0ba	1904	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1905	}
marcozecchini	0:9fca2b23d0ba	1906	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
marcozecchini	0:9fca2b23d0ba	1907	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1908	renegotiation_info_seen == 1 )
marcozecchini	0:9fca2b23d0ba	1909	{
marcozecchini	0:9fca2b23d0ba	1910	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
marcozecchini	0:9fca2b23d0ba	1911	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1912	}
marcozecchini	0:9fca2b23d0ba	1913	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	1914
marcozecchini	0:9fca2b23d0ba	1915	if( handshake_failure == 1 )
marcozecchini	0:9fca2b23d0ba	1916	{
marcozecchini	0:9fca2b23d0ba	1917	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1918	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1919	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
marcozecchini	0:9fca2b23d0ba	1920	}
marcozecchini	0:9fca2b23d0ba	1921
marcozecchini	0:9fca2b23d0ba	1922	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
marcozecchini	0:9fca2b23d0ba	1923
marcozecchini	0:9fca2b23d0ba	1924	return( 0 );
marcozecchini	0:9fca2b23d0ba	1925	}
marcozecchini	0:9fca2b23d0ba	1926
marcozecchini	0:9fca2b23d0ba	1927	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	1928	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	1929	static int ssl_parse_server_dh_params( mbedtls_ssl_context ssl, unsigned char *p,
marcozecchini	0:9fca2b23d0ba	1930	unsigned char *end )
marcozecchini	0:9fca2b23d0ba	1931	{
marcozecchini	0:9fca2b23d0ba	1932	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
marcozecchini	0:9fca2b23d0ba	1933
marcozecchini	0:9fca2b23d0ba	1934	/*
marcozecchini	0:9fca2b23d0ba	1935	* Ephemeral DH parameters:
marcozecchini	0:9fca2b23d0ba	1936	*
marcozecchini	0:9fca2b23d0ba	1937	* struct {
marcozecchini	0:9fca2b23d0ba	1938	* opaque dh_p<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	1939	* opaque dh_g<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	1940	* opaque dh_Ys<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	1941	* } ServerDHParams;
marcozecchini	0:9fca2b23d0ba	1942	*/
marcozecchini	0:9fca2b23d0ba	1943	if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1944	{
marcozecchini	0:9fca2b23d0ba	1945	MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
marcozecchini	0:9fca2b23d0ba	1946	return( ret );
marcozecchini	0:9fca2b23d0ba	1947	}
marcozecchini	0:9fca2b23d0ba	1948
marcozecchini	0:9fca2b23d0ba	1949	if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
marcozecchini	0:9fca2b23d0ba	1950	{
marcozecchini	0:9fca2b23d0ba	1951	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
marcozecchini	0:9fca2b23d0ba	1952	ssl->handshake->dhm_ctx.len * 8,
marcozecchini	0:9fca2b23d0ba	1953	ssl->conf->dhm_min_bitlen ) );
marcozecchini	0:9fca2b23d0ba	1954	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	1955	}
marcozecchini	0:9fca2b23d0ba	1956
marcozecchini	0:9fca2b23d0ba	1957	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
marcozecchini	0:9fca2b23d0ba	1958	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
marcozecchini	0:9fca2b23d0ba	1959	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
marcozecchini	0:9fca2b23d0ba	1960
marcozecchini	0:9fca2b23d0ba	1961	return( ret );
marcozecchini	0:9fca2b23d0ba	1962	}
marcozecchini	0:9fca2b23d0ba	1963	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	1964	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	1965
marcozecchini	0:9fca2b23d0ba	1966	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	1967	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	1968	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	1969	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	1970	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	1971	static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	1972	{
marcozecchini	0:9fca2b23d0ba	1973	const mbedtls_ecp_curve_info *curve_info;
marcozecchini	0:9fca2b23d0ba	1974
marcozecchini	0:9fca2b23d0ba	1975	curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
marcozecchini	0:9fca2b23d0ba	1976	if( curve_info == NULL )
marcozecchini	0:9fca2b23d0ba	1977	{
marcozecchini	0:9fca2b23d0ba	1978	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	1979	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	1980	}
marcozecchini	0:9fca2b23d0ba	1981
marcozecchini	0:9fca2b23d0ba	1982	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
marcozecchini	0:9fca2b23d0ba	1983
marcozecchini	0:9fca2b23d0ba	1984	#if defined(MBEDTLS_ECP_C)
marcozecchini	0:9fca2b23d0ba	1985	if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
marcozecchini	0:9fca2b23d0ba	1986	#else
marcozecchini	0:9fca2b23d0ba	1987	if( ssl->handshake->ecdh_ctx.grp.nbits < 163 \|\|
marcozecchini	0:9fca2b23d0ba	1988	ssl->handshake->ecdh_ctx.grp.nbits > 521 )
marcozecchini	0:9fca2b23d0ba	1989	#endif
marcozecchini	0:9fca2b23d0ba	1990	return( -1 );
marcozecchini	0:9fca2b23d0ba	1991
marcozecchini	0:9fca2b23d0ba	1992	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
marcozecchini	0:9fca2b23d0ba	1993
marcozecchini	0:9fca2b23d0ba	1994	return( 0 );
marcozecchini	0:9fca2b23d0ba	1995	}
marcozecchini	0:9fca2b23d0ba	1996	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	1997	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	1998	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	1999	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2000	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2001
marcozecchini	0:9fca2b23d0ba	2002	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2003	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2004	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2005	static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2006	unsigned char **p,
marcozecchini	0:9fca2b23d0ba	2007	unsigned char *end )
marcozecchini	0:9fca2b23d0ba	2008	{
marcozecchini	0:9fca2b23d0ba	2009	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
marcozecchini	0:9fca2b23d0ba	2010
marcozecchini	0:9fca2b23d0ba	2011	/*
marcozecchini	0:9fca2b23d0ba	2012	* Ephemeral ECDH parameters:
marcozecchini	0:9fca2b23d0ba	2013	*
marcozecchini	0:9fca2b23d0ba	2014	* struct {
marcozecchini	0:9fca2b23d0ba	2015	* ECParameters curve_params;
marcozecchini	0:9fca2b23d0ba	2016	* ECPoint public;
marcozecchini	0:9fca2b23d0ba	2017	* } ServerECDHParams;
marcozecchini	0:9fca2b23d0ba	2018	*/
marcozecchini	0:9fca2b23d0ba	2019	if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
marcozecchini	0:9fca2b23d0ba	2020	(const unsigned char **) p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2021	{
marcozecchini	0:9fca2b23d0ba	2022	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
marcozecchini	0:9fca2b23d0ba	2023	return( ret );
marcozecchini	0:9fca2b23d0ba	2024	}
marcozecchini	0:9fca2b23d0ba	2025
marcozecchini	0:9fca2b23d0ba	2026	if( ssl_check_server_ecdh_params( ssl ) != 0 )
marcozecchini	0:9fca2b23d0ba	2027	{
marcozecchini	0:9fca2b23d0ba	2028	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
marcozecchini	0:9fca2b23d0ba	2029	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2030	}
marcozecchini	0:9fca2b23d0ba	2031
marcozecchini	0:9fca2b23d0ba	2032	return( ret );
marcozecchini	0:9fca2b23d0ba	2033	}
marcozecchini	0:9fca2b23d0ba	2034	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2035	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2036	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2037
marcozecchini	0:9fca2b23d0ba	2038	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2039	static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2040	unsigned char **p,
marcozecchini	0:9fca2b23d0ba	2041	unsigned char *end )
marcozecchini	0:9fca2b23d0ba	2042	{
marcozecchini	0:9fca2b23d0ba	2043	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
marcozecchini	0:9fca2b23d0ba	2044	size_t len;
marcozecchini	0:9fca2b23d0ba	2045	((void) ssl);
marcozecchini	0:9fca2b23d0ba	2046
marcozecchini	0:9fca2b23d0ba	2047	/*
marcozecchini	0:9fca2b23d0ba	2048	* PSK parameters:
marcozecchini	0:9fca2b23d0ba	2049	*
marcozecchini	0:9fca2b23d0ba	2050	* opaque psk_identity_hint<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2051	*/
marcozecchini	0:9fca2b23d0ba	2052	len = (p)[0] << 8 \| (p)[1];
marcozecchini	0:9fca2b23d0ba	2053	*p += 2;
marcozecchini	0:9fca2b23d0ba	2054
marcozecchini	0:9fca2b23d0ba	2055	if( (*p) + len > end )
marcozecchini	0:9fca2b23d0ba	2056	{
marcozecchini	0:9fca2b23d0ba	2057	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
marcozecchini	0:9fca2b23d0ba	2058	"(psk_identity_hint length)" ) );
marcozecchini	0:9fca2b23d0ba	2059	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2060	}
marcozecchini	0:9fca2b23d0ba	2061
marcozecchini	0:9fca2b23d0ba	2062	/*
marcozecchini	0:9fca2b23d0ba	2063	* Note: we currently ignore the PKS identity hint, as we only allow one
marcozecchini	0:9fca2b23d0ba	2064	* PSK to be provisionned on the client. This could be changed later if
marcozecchini	0:9fca2b23d0ba	2065	* someone needs that feature.
marcozecchini	0:9fca2b23d0ba	2066	*/
marcozecchini	0:9fca2b23d0ba	2067	*p += len;
marcozecchini	0:9fca2b23d0ba	2068	ret = 0;
marcozecchini	0:9fca2b23d0ba	2069
marcozecchini	0:9fca2b23d0ba	2070	return( ret );
marcozecchini	0:9fca2b23d0ba	2071	}
marcozecchini	0:9fca2b23d0ba	2072	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2073
marcozecchini	0:9fca2b23d0ba	2074	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2075	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2076	/*
marcozecchini	0:9fca2b23d0ba	2077	* Generate a pre-master secret and encrypt it with the server's RSA key
marcozecchini	0:9fca2b23d0ba	2078	*/
marcozecchini	0:9fca2b23d0ba	2079	static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2080	size_t offset, size_t *olen,
marcozecchini	0:9fca2b23d0ba	2081	size_t pms_offset )
marcozecchini	0:9fca2b23d0ba	2082	{
marcozecchini	0:9fca2b23d0ba	2083	int ret;
marcozecchini	0:9fca2b23d0ba	2084	size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
marcozecchini	0:9fca2b23d0ba	2085	unsigned char *p = ssl->handshake->premaster + pms_offset;
marcozecchini	0:9fca2b23d0ba	2086
marcozecchini	0:9fca2b23d0ba	2087	if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
marcozecchini	0:9fca2b23d0ba	2088	{
marcozecchini	0:9fca2b23d0ba	2089	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
marcozecchini	0:9fca2b23d0ba	2090	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
marcozecchini	0:9fca2b23d0ba	2091	}
marcozecchini	0:9fca2b23d0ba	2092
marcozecchini	0:9fca2b23d0ba	2093	/*
marcozecchini	0:9fca2b23d0ba	2094	* Generate (part of) the pre-master as
marcozecchini	0:9fca2b23d0ba	2095	* struct {
marcozecchini	0:9fca2b23d0ba	2096	* ProtocolVersion client_version;
marcozecchini	0:9fca2b23d0ba	2097	* opaque random[46];
marcozecchini	0:9fca2b23d0ba	2098	* } PreMasterSecret;
marcozecchini	0:9fca2b23d0ba	2099	*/
marcozecchini	0:9fca2b23d0ba	2100	mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
marcozecchini	0:9fca2b23d0ba	2101	ssl->conf->transport, p );
marcozecchini	0:9fca2b23d0ba	2102
marcozecchini	0:9fca2b23d0ba	2103	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2104	{
marcozecchini	0:9fca2b23d0ba	2105	MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
marcozecchini	0:9fca2b23d0ba	2106	return( ret );
marcozecchini	0:9fca2b23d0ba	2107	}
marcozecchini	0:9fca2b23d0ba	2108
marcozecchini	0:9fca2b23d0ba	2109	ssl->handshake->pmslen = 48;
marcozecchini	0:9fca2b23d0ba	2110
marcozecchini	0:9fca2b23d0ba	2111	if( ssl->session_negotiate->peer_cert == NULL )
marcozecchini	0:9fca2b23d0ba	2112	{
marcozecchini	0:9fca2b23d0ba	2113	MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
marcozecchini	0:9fca2b23d0ba	2114	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2115	}
marcozecchini	0:9fca2b23d0ba	2116
marcozecchini	0:9fca2b23d0ba	2117	/*
marcozecchini	0:9fca2b23d0ba	2118	* Now write it out, encrypted
marcozecchini	0:9fca2b23d0ba	2119	*/
marcozecchini	0:9fca2b23d0ba	2120	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
marcozecchini	0:9fca2b23d0ba	2121	MBEDTLS_PK_RSA ) )
marcozecchini	0:9fca2b23d0ba	2122	{
marcozecchini	0:9fca2b23d0ba	2123	MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
marcozecchini	0:9fca2b23d0ba	2124	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
marcozecchini	0:9fca2b23d0ba	2125	}
marcozecchini	0:9fca2b23d0ba	2126
marcozecchini	0:9fca2b23d0ba	2127	if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
marcozecchini	0:9fca2b23d0ba	2128	p, ssl->handshake->pmslen,
marcozecchini	0:9fca2b23d0ba	2129	ssl->out_msg + offset + len_bytes, olen,
marcozecchini	0:9fca2b23d0ba	2130	MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
marcozecchini	0:9fca2b23d0ba	2131	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2132	{
marcozecchini	0:9fca2b23d0ba	2133	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
marcozecchini	0:9fca2b23d0ba	2134	return( ret );
marcozecchini	0:9fca2b23d0ba	2135	}
marcozecchini	0:9fca2b23d0ba	2136
marcozecchini	0:9fca2b23d0ba	2137	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
marcozecchini	0:9fca2b23d0ba	2138	defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	2139	if( len_bytes == 2 )
marcozecchini	0:9fca2b23d0ba	2140	{
marcozecchini	0:9fca2b23d0ba	2141	ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
marcozecchini	0:9fca2b23d0ba	2142	ssl->out_msg[offset+1] = (unsigned char)( *olen );
marcozecchini	0:9fca2b23d0ba	2143	*olen += 2;
marcozecchini	0:9fca2b23d0ba	2144	}
marcozecchini	0:9fca2b23d0ba	2145	#endif
marcozecchini	0:9fca2b23d0ba	2146
marcozecchini	0:9fca2b23d0ba	2147	return( 0 );
marcozecchini	0:9fca2b23d0ba	2148	}
marcozecchini	0:9fca2b23d0ba	2149	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2150	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2151
marcozecchini	0:9fca2b23d0ba	2152	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	2153	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2154	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2155	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2156	static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2157	unsigned char **p,
marcozecchini	0:9fca2b23d0ba	2158	unsigned char *end,
marcozecchini	0:9fca2b23d0ba	2159	mbedtls_md_type_t *md_alg,
marcozecchini	0:9fca2b23d0ba	2160	mbedtls_pk_type_t *pk_alg )
marcozecchini	0:9fca2b23d0ba	2161	{
marcozecchini	0:9fca2b23d0ba	2162	((void) ssl);
marcozecchini	0:9fca2b23d0ba	2163	*md_alg = MBEDTLS_MD_NONE;
marcozecchini	0:9fca2b23d0ba	2164	*pk_alg = MBEDTLS_PK_NONE;
marcozecchini	0:9fca2b23d0ba	2165
marcozecchini	0:9fca2b23d0ba	2166	/* Only in TLS 1.2 */
marcozecchini	0:9fca2b23d0ba	2167	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	2168	{
marcozecchini	0:9fca2b23d0ba	2169	return( 0 );
marcozecchini	0:9fca2b23d0ba	2170	}
marcozecchini	0:9fca2b23d0ba	2171
marcozecchini	0:9fca2b23d0ba	2172	if( (*p) + 2 > end )
marcozecchini	0:9fca2b23d0ba	2173	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2174
marcozecchini	0:9fca2b23d0ba	2175	/*
marcozecchini	0:9fca2b23d0ba	2176	* Get hash algorithm
marcozecchini	0:9fca2b23d0ba	2177	*/
marcozecchini	0:9fca2b23d0ba	2178	if( ( md_alg = mbedtls_ssl_md_alg_from_hash( (p)[0] ) ) == MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	2179	{
marcozecchini	0:9fca2b23d0ba	2180	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
marcozecchini	0:9fca2b23d0ba	2181	"HashAlgorithm %d", *(p)[0] ) );
marcozecchini	0:9fca2b23d0ba	2182	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2183	}
marcozecchini	0:9fca2b23d0ba	2184
marcozecchini	0:9fca2b23d0ba	2185	/*
marcozecchini	0:9fca2b23d0ba	2186	* Get signature algorithm
marcozecchini	0:9fca2b23d0ba	2187	*/
marcozecchini	0:9fca2b23d0ba	2188	if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( (p)[1] ) ) == MBEDTLS_PK_NONE )
marcozecchini	0:9fca2b23d0ba	2189	{
marcozecchini	0:9fca2b23d0ba	2190	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
marcozecchini	0:9fca2b23d0ba	2191	"SignatureAlgorithm %d", (*p)[1] ) );
marcozecchini	0:9fca2b23d0ba	2192	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2193	}
marcozecchini	0:9fca2b23d0ba	2194
marcozecchini	0:9fca2b23d0ba	2195	/*
marcozecchini	0:9fca2b23d0ba	2196	* Check if the hash is acceptable
marcozecchini	0:9fca2b23d0ba	2197	*/
marcozecchini	0:9fca2b23d0ba	2198	if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
marcozecchini	0:9fca2b23d0ba	2199	{
marcozecchini	0:9fca2b23d0ba	2200	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
marcozecchini	0:9fca2b23d0ba	2201	*(p)[0] ) );
marcozecchini	0:9fca2b23d0ba	2202	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2203	}
marcozecchini	0:9fca2b23d0ba	2204
marcozecchini	0:9fca2b23d0ba	2205	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
marcozecchini	0:9fca2b23d0ba	2206	MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
marcozecchini	0:9fca2b23d0ba	2207	*p += 2;
marcozecchini	0:9fca2b23d0ba	2208
marcozecchini	0:9fca2b23d0ba	2209	return( 0 );
marcozecchini	0:9fca2b23d0ba	2210	}
marcozecchini	0:9fca2b23d0ba	2211	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2212	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2213	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2214	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	2215
marcozecchini	0:9fca2b23d0ba	2216	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2217	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2218	static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2219	{
marcozecchini	0:9fca2b23d0ba	2220	int ret;
marcozecchini	0:9fca2b23d0ba	2221	const mbedtls_ecp_keypair *peer_key;
marcozecchini	0:9fca2b23d0ba	2222
marcozecchini	0:9fca2b23d0ba	2223	if( ssl->session_negotiate->peer_cert == NULL )
marcozecchini	0:9fca2b23d0ba	2224	{
marcozecchini	0:9fca2b23d0ba	2225	MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
marcozecchini	0:9fca2b23d0ba	2226	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2227	}
marcozecchini	0:9fca2b23d0ba	2228
marcozecchini	0:9fca2b23d0ba	2229	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
marcozecchini	0:9fca2b23d0ba	2230	MBEDTLS_PK_ECKEY ) )
marcozecchini	0:9fca2b23d0ba	2231	{
marcozecchini	0:9fca2b23d0ba	2232	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
marcozecchini	0:9fca2b23d0ba	2233	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
marcozecchini	0:9fca2b23d0ba	2234	}
marcozecchini	0:9fca2b23d0ba	2235
marcozecchini	0:9fca2b23d0ba	2236	peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
marcozecchini	0:9fca2b23d0ba	2237
marcozecchini	0:9fca2b23d0ba	2238	if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
marcozecchini	0:9fca2b23d0ba	2239	MBEDTLS_ECDH_THEIRS ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2240	{
marcozecchini	0:9fca2b23d0ba	2241	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
marcozecchini	0:9fca2b23d0ba	2242	return( ret );
marcozecchini	0:9fca2b23d0ba	2243	}
marcozecchini	0:9fca2b23d0ba	2244
marcozecchini	0:9fca2b23d0ba	2245	if( ssl_check_server_ecdh_params( ssl ) != 0 )
marcozecchini	0:9fca2b23d0ba	2246	{
marcozecchini	0:9fca2b23d0ba	2247	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
marcozecchini	0:9fca2b23d0ba	2248	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
marcozecchini	0:9fca2b23d0ba	2249	}
marcozecchini	0:9fca2b23d0ba	2250
marcozecchini	0:9fca2b23d0ba	2251	return( ret );
marcozecchini	0:9fca2b23d0ba	2252	}
marcozecchini	0:9fca2b23d0ba	2253	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\|
marcozecchini	0:9fca2b23d0ba	2254	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2255
marcozecchini	0:9fca2b23d0ba	2256	static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2257	{
marcozecchini	0:9fca2b23d0ba	2258	int ret;
marcozecchini	0:9fca2b23d0ba	2259	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	2260	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	2261	unsigned char p, end;
marcozecchini	0:9fca2b23d0ba	2262
marcozecchini	0:9fca2b23d0ba	2263	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
marcozecchini	0:9fca2b23d0ba	2264
marcozecchini	0:9fca2b23d0ba	2265	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2266	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
marcozecchini	0:9fca2b23d0ba	2267	{
marcozecchini	0:9fca2b23d0ba	2268	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
marcozecchini	0:9fca2b23d0ba	2269	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2270	return( 0 );
marcozecchini	0:9fca2b23d0ba	2271	}
marcozecchini	0:9fca2b23d0ba	2272	((void) p);
marcozecchini	0:9fca2b23d0ba	2273	((void) end);
marcozecchini	0:9fca2b23d0ba	2274	#endif
marcozecchini	0:9fca2b23d0ba	2275
marcozecchini	0:9fca2b23d0ba	2276	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2277	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2278	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
marcozecchini	0:9fca2b23d0ba	2279	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
marcozecchini	0:9fca2b23d0ba	2280	{
marcozecchini	0:9fca2b23d0ba	2281	if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2282	{
marcozecchini	0:9fca2b23d0ba	2283	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
marcozecchini	0:9fca2b23d0ba	2284	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2285	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	2286	return( ret );
marcozecchini	0:9fca2b23d0ba	2287	}
marcozecchini	0:9fca2b23d0ba	2288
marcozecchini	0:9fca2b23d0ba	2289	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
marcozecchini	0:9fca2b23d0ba	2290	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2291	return( 0 );
marcozecchini	0:9fca2b23d0ba	2292	}
marcozecchini	0:9fca2b23d0ba	2293	((void) p);
marcozecchini	0:9fca2b23d0ba	2294	((void) end);
marcozecchini	0:9fca2b23d0ba	2295	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2296	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2297
marcozecchini	0:9fca2b23d0ba	2298	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2299	{
marcozecchini	0:9fca2b23d0ba	2300	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
marcozecchini	0:9fca2b23d0ba	2301	return( ret );
marcozecchini	0:9fca2b23d0ba	2302	}
marcozecchini	0:9fca2b23d0ba	2303
marcozecchini	0:9fca2b23d0ba	2304	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	2305	{
marcozecchini	0:9fca2b23d0ba	2306	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2307	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2308	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2309	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2310	}
marcozecchini	0:9fca2b23d0ba	2311
marcozecchini	0:9fca2b23d0ba	2312	/*
marcozecchini	0:9fca2b23d0ba	2313	* ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
marcozecchini	0:9fca2b23d0ba	2314	* doesn't use a psk_identity_hint
marcozecchini	0:9fca2b23d0ba	2315	*/
marcozecchini	0:9fca2b23d0ba	2316	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
marcozecchini	0:9fca2b23d0ba	2317	{
marcozecchini	0:9fca2b23d0ba	2318	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2319	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
marcozecchini	0:9fca2b23d0ba	2320	{
marcozecchini	0:9fca2b23d0ba	2321	/* Current message is probably either
marcozecchini	0:9fca2b23d0ba	2322	* CertificateRequest or ServerHelloDone */
marcozecchini	0:9fca2b23d0ba	2323	ssl->keep_current_message = 1;
marcozecchini	0:9fca2b23d0ba	2324	goto exit;
marcozecchini	0:9fca2b23d0ba	2325	}
marcozecchini	0:9fca2b23d0ba	2326
marcozecchini	0:9fca2b23d0ba	2327	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
marcozecchini	0:9fca2b23d0ba	2328	"not be skipped" ) );
marcozecchini	0:9fca2b23d0ba	2329	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2330	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2331
marcozecchini	0:9fca2b23d0ba	2332	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2333	}
marcozecchini	0:9fca2b23d0ba	2334
marcozecchini	0:9fca2b23d0ba	2335	p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	2336	end = ssl->in_msg + ssl->in_hslen;
marcozecchini	0:9fca2b23d0ba	2337	MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
marcozecchini	0:9fca2b23d0ba	2338
marcozecchini	0:9fca2b23d0ba	2339	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2340	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2341	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2342	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2343	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
marcozecchini	0:9fca2b23d0ba	2344	{
marcozecchini	0:9fca2b23d0ba	2345	if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
marcozecchini	0:9fca2b23d0ba	2346	{
marcozecchini	0:9fca2b23d0ba	2347	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2348	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2349	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	2350	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2351	}
marcozecchini	0:9fca2b23d0ba	2352	} /* FALLTROUGH */
marcozecchini	0:9fca2b23d0ba	2353	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2354
marcozecchini	0:9fca2b23d0ba	2355	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2356	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2357	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2358	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
marcozecchini	0:9fca2b23d0ba	2359	; /* nothing more to do */
marcozecchini	0:9fca2b23d0ba	2360	else
marcozecchini	0:9fca2b23d0ba	2361	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2362	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2363	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2364	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2365	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
marcozecchini	0:9fca2b23d0ba	2366	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
marcozecchini	0:9fca2b23d0ba	2367	{
marcozecchini	0:9fca2b23d0ba	2368	if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
marcozecchini	0:9fca2b23d0ba	2369	{
marcozecchini	0:9fca2b23d0ba	2370	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2371	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2372	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	2373	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2374	}
marcozecchini	0:9fca2b23d0ba	2375	}
marcozecchini	0:9fca2b23d0ba	2376	else
marcozecchini	0:9fca2b23d0ba	2377	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2378	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2379	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2380	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2381	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2382	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
marcozecchini	0:9fca2b23d0ba	2383	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2384	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
marcozecchini	0:9fca2b23d0ba	2385	{
marcozecchini	0:9fca2b23d0ba	2386	if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
marcozecchini	0:9fca2b23d0ba	2387	{
marcozecchini	0:9fca2b23d0ba	2388	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2389	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2390	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	2391	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2392	}
marcozecchini	0:9fca2b23d0ba	2393	}
marcozecchini	0:9fca2b23d0ba	2394	else
marcozecchini	0:9fca2b23d0ba	2395	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2396	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2397	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2398	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2399	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	2400	{
marcozecchini	0:9fca2b23d0ba	2401	ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	2402	p, end - p );
marcozecchini	0:9fca2b23d0ba	2403	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	2404	{
marcozecchini	0:9fca2b23d0ba	2405	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
marcozecchini	0:9fca2b23d0ba	2406	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2407	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	2408	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2409	}
marcozecchini	0:9fca2b23d0ba	2410	}
marcozecchini	0:9fca2b23d0ba	2411	else
marcozecchini	0:9fca2b23d0ba	2412	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	2413	{
marcozecchini	0:9fca2b23d0ba	2414	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	2415	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2416	}
marcozecchini	0:9fca2b23d0ba	2417
marcozecchini	0:9fca2b23d0ba	2418	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
marcozecchini	0:9fca2b23d0ba	2419	if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2420	{
marcozecchini	0:9fca2b23d0ba	2421	size_t sig_len, hashlen;
marcozecchini	0:9fca2b23d0ba	2422	unsigned char hash[64];
marcozecchini	0:9fca2b23d0ba	2423	mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
marcozecchini	0:9fca2b23d0ba	2424	mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
marcozecchini	0:9fca2b23d0ba	2425	unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	2426	size_t params_len = p - params;
marcozecchini	0:9fca2b23d0ba	2427
marcozecchini	0:9fca2b23d0ba	2428	/*
marcozecchini	0:9fca2b23d0ba	2429	* Handle the digitally-signed structure
marcozecchini	0:9fca2b23d0ba	2430	*/
marcozecchini	0:9fca2b23d0ba	2431	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	2432	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	2433	{
marcozecchini	0:9fca2b23d0ba	2434	if( ssl_parse_signature_algorithm( ssl, &p, end,
marcozecchini	0:9fca2b23d0ba	2435	&md_alg, &pk_alg ) != 0 )
marcozecchini	0:9fca2b23d0ba	2436	{
marcozecchini	0:9fca2b23d0ba	2437	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2438	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2439	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	2440	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2441	}
marcozecchini	0:9fca2b23d0ba	2442
marcozecchini	0:9fca2b23d0ba	2443	if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2444	{
marcozecchini	0:9fca2b23d0ba	2445	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2446	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2447	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	2448	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2449	}
marcozecchini	0:9fca2b23d0ba	2450	}
marcozecchini	0:9fca2b23d0ba	2451	else
marcozecchini	0:9fca2b23d0ba	2452	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	2453	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
marcozecchini	0:9fca2b23d0ba	2454	defined(MBEDTLS_SSL_PROTO_TLS1_1)
marcozecchini	0:9fca2b23d0ba	2455	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	2456	{
marcozecchini	0:9fca2b23d0ba	2457	pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
marcozecchini	0:9fca2b23d0ba	2458
marcozecchini	0:9fca2b23d0ba	2459	/* Default hash for ECDSA is SHA-1 */
marcozecchini	0:9fca2b23d0ba	2460	if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	2461	md_alg = MBEDTLS_MD_SHA1;
marcozecchini	0:9fca2b23d0ba	2462	}
marcozecchini	0:9fca2b23d0ba	2463	else
marcozecchini	0:9fca2b23d0ba	2464	#endif
marcozecchini	0:9fca2b23d0ba	2465	{
marcozecchini	0:9fca2b23d0ba	2466	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	2467	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2468	}
marcozecchini	0:9fca2b23d0ba	2469
marcozecchini	0:9fca2b23d0ba	2470	/*
marcozecchini	0:9fca2b23d0ba	2471	* Read signature
marcozecchini	0:9fca2b23d0ba	2472	*/
marcozecchini	0:9fca2b23d0ba	2473	sig_len = ( p[0] << 8 ) \| p[1];
marcozecchini	0:9fca2b23d0ba	2474	p += 2;
marcozecchini	0:9fca2b23d0ba	2475
marcozecchini	0:9fca2b23d0ba	2476	if( end != p + sig_len )
marcozecchini	0:9fca2b23d0ba	2477	{
marcozecchini	0:9fca2b23d0ba	2478	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2479	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2480	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	2481	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	2482	}
marcozecchini	0:9fca2b23d0ba	2483
marcozecchini	0:9fca2b23d0ba	2484	MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
marcozecchini	0:9fca2b23d0ba	2485
marcozecchini	0:9fca2b23d0ba	2486	/*
marcozecchini	0:9fca2b23d0ba	2487	* Compute the hash that has been signed
marcozecchini	0:9fca2b23d0ba	2488	*/
marcozecchini	0:9fca2b23d0ba	2489	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
marcozecchini	0:9fca2b23d0ba	2490	defined(MBEDTLS_SSL_PROTO_TLS1_1)
marcozecchini	0:9fca2b23d0ba	2491	if( md_alg == MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	2492	{
marcozecchini	0:9fca2b23d0ba	2493	mbedtls_md5_context mbedtls_md5;
marcozecchini	0:9fca2b23d0ba	2494	mbedtls_sha1_context mbedtls_sha1;
marcozecchini	0:9fca2b23d0ba	2495
marcozecchini	0:9fca2b23d0ba	2496	mbedtls_md5_init( &mbedtls_md5 );
marcozecchini	0:9fca2b23d0ba	2497	mbedtls_sha1_init( &mbedtls_sha1 );
marcozecchini	0:9fca2b23d0ba	2498
marcozecchini	0:9fca2b23d0ba	2499	hashlen = 36;
marcozecchini	0:9fca2b23d0ba	2500
marcozecchini	0:9fca2b23d0ba	2501	/*
marcozecchini	0:9fca2b23d0ba	2502	* digitally-signed struct {
marcozecchini	0:9fca2b23d0ba	2503	* opaque md5_hash[16];
marcozecchini	0:9fca2b23d0ba	2504	* opaque sha_hash[20];
marcozecchini	0:9fca2b23d0ba	2505	* };
marcozecchini	0:9fca2b23d0ba	2506	*
marcozecchini	0:9fca2b23d0ba	2507	* md5_hash
marcozecchini	0:9fca2b23d0ba	2508	* MD5(ClientHello.random + ServerHello.random
marcozecchini	0:9fca2b23d0ba	2509	* + ServerParams);
marcozecchini	0:9fca2b23d0ba	2510	* sha_hash
marcozecchini	0:9fca2b23d0ba	2511	* SHA(ClientHello.random + ServerHello.random
marcozecchini	0:9fca2b23d0ba	2512	* + ServerParams);
marcozecchini	0:9fca2b23d0ba	2513	*/
marcozecchini	0:9fca2b23d0ba	2514	mbedtls_md5_starts( &mbedtls_md5 );
marcozecchini	0:9fca2b23d0ba	2515	mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
marcozecchini	0:9fca2b23d0ba	2516	mbedtls_md5_update( &mbedtls_md5, params, params_len );
marcozecchini	0:9fca2b23d0ba	2517	mbedtls_md5_finish( &mbedtls_md5, hash );
marcozecchini	0:9fca2b23d0ba	2518
marcozecchini	0:9fca2b23d0ba	2519	mbedtls_sha1_starts( &mbedtls_sha1 );
marcozecchini	0:9fca2b23d0ba	2520	mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
marcozecchini	0:9fca2b23d0ba	2521	mbedtls_sha1_update( &mbedtls_sha1, params, params_len );
marcozecchini	0:9fca2b23d0ba	2522	mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
marcozecchini	0:9fca2b23d0ba	2523
marcozecchini	0:9fca2b23d0ba	2524	mbedtls_md5_free( &mbedtls_md5 );
marcozecchini	0:9fca2b23d0ba	2525	mbedtls_sha1_free( &mbedtls_sha1 );
marcozecchini	0:9fca2b23d0ba	2526	}
marcozecchini	0:9fca2b23d0ba	2527	else
marcozecchini	0:9fca2b23d0ba	2528	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
marcozecchini	0:9fca2b23d0ba	2529	MBEDTLS_SSL_PROTO_TLS1_1 */
marcozecchini	0:9fca2b23d0ba	2530	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
marcozecchini	0:9fca2b23d0ba	2531	defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	2532	if( md_alg != MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	2533	{
marcozecchini	0:9fca2b23d0ba	2534	mbedtls_md_context_t ctx;
marcozecchini	0:9fca2b23d0ba	2535
marcozecchini	0:9fca2b23d0ba	2536	mbedtls_md_init( &ctx );
marcozecchini	0:9fca2b23d0ba	2537
marcozecchini	0:9fca2b23d0ba	2538	/* Info from md_alg will be used instead */
marcozecchini	0:9fca2b23d0ba	2539	hashlen = 0;
marcozecchini	0:9fca2b23d0ba	2540
marcozecchini	0:9fca2b23d0ba	2541	/*
marcozecchini	0:9fca2b23d0ba	2542	* digitally-signed struct {
marcozecchini	0:9fca2b23d0ba	2543	* opaque client_random[32];
marcozecchini	0:9fca2b23d0ba	2544	* opaque server_random[32];
marcozecchini	0:9fca2b23d0ba	2545	* ServerDHParams params;
marcozecchini	0:9fca2b23d0ba	2546	* };
marcozecchini	0:9fca2b23d0ba	2547	*/
marcozecchini	0:9fca2b23d0ba	2548	if( ( ret = mbedtls_md_setup( &ctx,
marcozecchini	0:9fca2b23d0ba	2549	mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2550	{
marcozecchini	0:9fca2b23d0ba	2551	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
marcozecchini	0:9fca2b23d0ba	2552	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2553	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2554	return( ret );
marcozecchini	0:9fca2b23d0ba	2555	}
marcozecchini	0:9fca2b23d0ba	2556
marcozecchini	0:9fca2b23d0ba	2557	mbedtls_md_starts( &ctx );
marcozecchini	0:9fca2b23d0ba	2558	mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
marcozecchini	0:9fca2b23d0ba	2559	mbedtls_md_update( &ctx, params, params_len );
marcozecchini	0:9fca2b23d0ba	2560	mbedtls_md_finish( &ctx, hash );
marcozecchini	0:9fca2b23d0ba	2561	mbedtls_md_free( &ctx );
marcozecchini	0:9fca2b23d0ba	2562	}
marcozecchini	0:9fca2b23d0ba	2563	else
marcozecchini	0:9fca2b23d0ba	2564	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
marcozecchini	0:9fca2b23d0ba	2565	MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	2566	{
marcozecchini	0:9fca2b23d0ba	2567	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	2568	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2569	}
marcozecchini	0:9fca2b23d0ba	2570
marcozecchini	0:9fca2b23d0ba	2571	MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
marcozecchini	0:9fca2b23d0ba	2572	(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
marcozecchini	0:9fca2b23d0ba	2573
marcozecchini	0:9fca2b23d0ba	2574	if( ssl->session_negotiate->peer_cert == NULL )
marcozecchini	0:9fca2b23d0ba	2575	{
marcozecchini	0:9fca2b23d0ba	2576	MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
marcozecchini	0:9fca2b23d0ba	2577	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2578	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	2579	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2580	}
marcozecchini	0:9fca2b23d0ba	2581
marcozecchini	0:9fca2b23d0ba	2582	/*
marcozecchini	0:9fca2b23d0ba	2583	* Verify signature
marcozecchini	0:9fca2b23d0ba	2584	*/
marcozecchini	0:9fca2b23d0ba	2585	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
marcozecchini	0:9fca2b23d0ba	2586	{
marcozecchini	0:9fca2b23d0ba	2587	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	2588	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2589	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	2590	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
marcozecchini	0:9fca2b23d0ba	2591	}
marcozecchini	0:9fca2b23d0ba	2592
marcozecchini	0:9fca2b23d0ba	2593	if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
marcozecchini	0:9fca2b23d0ba	2594	md_alg, hash, hashlen, p, sig_len ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2595	{
marcozecchini	0:9fca2b23d0ba	2596	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2597	MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
marcozecchini	0:9fca2b23d0ba	2598	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
marcozecchini	0:9fca2b23d0ba	2599	return( ret );
marcozecchini	0:9fca2b23d0ba	2600	}
marcozecchini	0:9fca2b23d0ba	2601	}
marcozecchini	0:9fca2b23d0ba	2602	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
marcozecchini	0:9fca2b23d0ba	2603
marcozecchini	0:9fca2b23d0ba	2604	exit:
marcozecchini	0:9fca2b23d0ba	2605	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2606
marcozecchini	0:9fca2b23d0ba	2607	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
marcozecchini	0:9fca2b23d0ba	2608
marcozecchini	0:9fca2b23d0ba	2609	return( 0 );
marcozecchini	0:9fca2b23d0ba	2610	}
marcozecchini	0:9fca2b23d0ba	2611
marcozecchini	0:9fca2b23d0ba	2612	#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
marcozecchini	0:9fca2b23d0ba	2613	static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2614	{
marcozecchini	0:9fca2b23d0ba	2615	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	2616	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	2617
marcozecchini	0:9fca2b23d0ba	2618	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2619
marcozecchini	0:9fca2b23d0ba	2620	if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2621	{
marcozecchini	0:9fca2b23d0ba	2622	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2623	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2624	return( 0 );
marcozecchini	0:9fca2b23d0ba	2625	}
marcozecchini	0:9fca2b23d0ba	2626
marcozecchini	0:9fca2b23d0ba	2627	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	2628	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2629	}
marcozecchini	0:9fca2b23d0ba	2630	#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
marcozecchini	0:9fca2b23d0ba	2631	static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2632	{
marcozecchini	0:9fca2b23d0ba	2633	int ret;
marcozecchini	0:9fca2b23d0ba	2634	unsigned char *buf;
marcozecchini	0:9fca2b23d0ba	2635	size_t n = 0;
marcozecchini	0:9fca2b23d0ba	2636	size_t cert_type_len = 0, dn_len = 0;
marcozecchini	0:9fca2b23d0ba	2637	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	2638	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	2639
marcozecchini	0:9fca2b23d0ba	2640	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2641
marcozecchini	0:9fca2b23d0ba	2642	if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2643	{
marcozecchini	0:9fca2b23d0ba	2644	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2645	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2646	return( 0 );
marcozecchini	0:9fca2b23d0ba	2647	}
marcozecchini	0:9fca2b23d0ba	2648
marcozecchini	0:9fca2b23d0ba	2649	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2650	{
marcozecchini	0:9fca2b23d0ba	2651	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
marcozecchini	0:9fca2b23d0ba	2652	return( ret );
marcozecchini	0:9fca2b23d0ba	2653	}
marcozecchini	0:9fca2b23d0ba	2654
marcozecchini	0:9fca2b23d0ba	2655	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	2656	{
marcozecchini	0:9fca2b23d0ba	2657	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
marcozecchini	0:9fca2b23d0ba	2658	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2659	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2660	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2661	}
marcozecchini	0:9fca2b23d0ba	2662
marcozecchini	0:9fca2b23d0ba	2663	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2664	ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
marcozecchini	0:9fca2b23d0ba	2665
marcozecchini	0:9fca2b23d0ba	2666	MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
marcozecchini	0:9fca2b23d0ba	2667	ssl->client_auth ? "a" : "no" ) );
marcozecchini	0:9fca2b23d0ba	2668
marcozecchini	0:9fca2b23d0ba	2669	if( ssl->client_auth == 0 )
marcozecchini	0:9fca2b23d0ba	2670	{
marcozecchini	0:9fca2b23d0ba	2671	/* Current message is probably the ServerHelloDone */
marcozecchini	0:9fca2b23d0ba	2672	ssl->keep_current_message = 1;
marcozecchini	0:9fca2b23d0ba	2673	goto exit;
marcozecchini	0:9fca2b23d0ba	2674	}
marcozecchini	0:9fca2b23d0ba	2675
marcozecchini	0:9fca2b23d0ba	2676	/*
marcozecchini	0:9fca2b23d0ba	2677	* struct {
marcozecchini	0:9fca2b23d0ba	2678	* ClientCertificateType certificate_types<1..2^8-1>;
marcozecchini	0:9fca2b23d0ba	2679	* SignatureAndHashAlgorithm
marcozecchini	0:9fca2b23d0ba	2680	* supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
marcozecchini	0:9fca2b23d0ba	2681	* DistinguishedName certificate_authorities<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2682	* } CertificateRequest;
marcozecchini	0:9fca2b23d0ba	2683	*
marcozecchini	0:9fca2b23d0ba	2684	* Since we only support a single certificate on clients, let's just
marcozecchini	0:9fca2b23d0ba	2685	* ignore all the information that's supposed to help us pick a
marcozecchini	0:9fca2b23d0ba	2686	* certificate.
marcozecchini	0:9fca2b23d0ba	2687	*
marcozecchini	0:9fca2b23d0ba	2688	* We could check that our certificate matches the request, and bail out
marcozecchini	0:9fca2b23d0ba	2689	* if it doesn't, but it's simpler to just send the certificate anyway,
marcozecchini	0:9fca2b23d0ba	2690	* and give the server the opportunity to decide if it should terminate
marcozecchini	0:9fca2b23d0ba	2691	* the connection when it doesn't like our certificate.
marcozecchini	0:9fca2b23d0ba	2692	*
marcozecchini	0:9fca2b23d0ba	2693	* Same goes for the hash in TLS 1.2's signature_algorithms: at this
marcozecchini	0:9fca2b23d0ba	2694	* point we only have one hash available (see comments in
marcozecchini	0:9fca2b23d0ba	2695	* write_certificate_verify), so let's just use what we have.
marcozecchini	0:9fca2b23d0ba	2696	*
marcozecchini	0:9fca2b23d0ba	2697	* However, we still minimally parse the message to check it is at least
marcozecchini	0:9fca2b23d0ba	2698	* superficially sane.
marcozecchini	0:9fca2b23d0ba	2699	*/
marcozecchini	0:9fca2b23d0ba	2700	buf = ssl->in_msg;
marcozecchini	0:9fca2b23d0ba	2701
marcozecchini	0:9fca2b23d0ba	2702	/* certificate_types */
marcozecchini	0:9fca2b23d0ba	2703	cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
marcozecchini	0:9fca2b23d0ba	2704	n = cert_type_len;
marcozecchini	0:9fca2b23d0ba	2705
marcozecchini	0:9fca2b23d0ba	2706	if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
marcozecchini	0:9fca2b23d0ba	2707	{
marcozecchini	0:9fca2b23d0ba	2708	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
marcozecchini	0:9fca2b23d0ba	2709	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2710	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	2711	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
marcozecchini	0:9fca2b23d0ba	2712	}
marcozecchini	0:9fca2b23d0ba	2713
marcozecchini	0:9fca2b23d0ba	2714	/* supported_signature_algorithms */
marcozecchini	0:9fca2b23d0ba	2715	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	2716	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	2717	{
marcozecchini	0:9fca2b23d0ba	2718	size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
marcozecchini	0:9fca2b23d0ba	2719	\| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
marcozecchini	0:9fca2b23d0ba	2720	#if defined(MBEDTLS_DEBUG_C)
marcozecchini	0:9fca2b23d0ba	2721	unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
marcozecchini	0:9fca2b23d0ba	2722	size_t i;
marcozecchini	0:9fca2b23d0ba	2723
marcozecchini	0:9fca2b23d0ba	2724	for( i = 0; i < sig_alg_len; i += 2 )
marcozecchini	0:9fca2b23d0ba	2725	{
marcozecchini	0:9fca2b23d0ba	2726	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
marcozecchini	0:9fca2b23d0ba	2727	",%d", sig_alg[i], sig_alg[i + 1] ) );
marcozecchini	0:9fca2b23d0ba	2728	}
marcozecchini	0:9fca2b23d0ba	2729	#endif
marcozecchini	0:9fca2b23d0ba	2730
marcozecchini	0:9fca2b23d0ba	2731	n += 2 + sig_alg_len;
marcozecchini	0:9fca2b23d0ba	2732
marcozecchini	0:9fca2b23d0ba	2733	if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
marcozecchini	0:9fca2b23d0ba	2734	{
marcozecchini	0:9fca2b23d0ba	2735	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
marcozecchini	0:9fca2b23d0ba	2736	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2737	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	2738	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
marcozecchini	0:9fca2b23d0ba	2739	}
marcozecchini	0:9fca2b23d0ba	2740	}
marcozecchini	0:9fca2b23d0ba	2741	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	2742
marcozecchini	0:9fca2b23d0ba	2743	/* certificate_authorities */
marcozecchini	0:9fca2b23d0ba	2744	dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
marcozecchini	0:9fca2b23d0ba	2745	\| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
marcozecchini	0:9fca2b23d0ba	2746
marcozecchini	0:9fca2b23d0ba	2747	n += dn_len;
marcozecchini	0:9fca2b23d0ba	2748	if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
marcozecchini	0:9fca2b23d0ba	2749	{
marcozecchini	0:9fca2b23d0ba	2750	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
marcozecchini	0:9fca2b23d0ba	2751	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2752	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	2753	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
marcozecchini	0:9fca2b23d0ba	2754	}
marcozecchini	0:9fca2b23d0ba	2755
marcozecchini	0:9fca2b23d0ba	2756	exit:
marcozecchini	0:9fca2b23d0ba	2757	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2758
marcozecchini	0:9fca2b23d0ba	2759	return( 0 );
marcozecchini	0:9fca2b23d0ba	2760	}
marcozecchini	0:9fca2b23d0ba	2761	#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
marcozecchini	0:9fca2b23d0ba	2762
marcozecchini	0:9fca2b23d0ba	2763	static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2764	{
marcozecchini	0:9fca2b23d0ba	2765	int ret;
marcozecchini	0:9fca2b23d0ba	2766
marcozecchini	0:9fca2b23d0ba	2767	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
marcozecchini	0:9fca2b23d0ba	2768
marcozecchini	0:9fca2b23d0ba	2769	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2770	{
marcozecchini	0:9fca2b23d0ba	2771	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
marcozecchini	0:9fca2b23d0ba	2772	return( ret );
marcozecchini	0:9fca2b23d0ba	2773	}
marcozecchini	0:9fca2b23d0ba	2774
marcozecchini	0:9fca2b23d0ba	2775	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	2776	{
marcozecchini	0:9fca2b23d0ba	2777	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
marcozecchini	0:9fca2b23d0ba	2778	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	2779	}
marcozecchini	0:9fca2b23d0ba	2780
marcozecchini	0:9fca2b23d0ba	2781	if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) \|\|
marcozecchini	0:9fca2b23d0ba	2782	ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
marcozecchini	0:9fca2b23d0ba	2783	{
marcozecchini	0:9fca2b23d0ba	2784	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
marcozecchini	0:9fca2b23d0ba	2785	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	2786	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	2787	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
marcozecchini	0:9fca2b23d0ba	2788	}
marcozecchini	0:9fca2b23d0ba	2789
marcozecchini	0:9fca2b23d0ba	2790	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2791
marcozecchini	0:9fca2b23d0ba	2792	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	2793	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	2794	mbedtls_ssl_recv_flight_completed( ssl );
marcozecchini	0:9fca2b23d0ba	2795	#endif
marcozecchini	0:9fca2b23d0ba	2796
marcozecchini	0:9fca2b23d0ba	2797	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
marcozecchini	0:9fca2b23d0ba	2798
marcozecchini	0:9fca2b23d0ba	2799	return( 0 );
marcozecchini	0:9fca2b23d0ba	2800	}
marcozecchini	0:9fca2b23d0ba	2801
marcozecchini	0:9fca2b23d0ba	2802	static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2803	{
marcozecchini	0:9fca2b23d0ba	2804	int ret;
marcozecchini	0:9fca2b23d0ba	2805	size_t i, n;
marcozecchini	0:9fca2b23d0ba	2806	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	2807	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	2808
marcozecchini	0:9fca2b23d0ba	2809	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
marcozecchini	0:9fca2b23d0ba	2810
marcozecchini	0:9fca2b23d0ba	2811	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2812	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
marcozecchini	0:9fca2b23d0ba	2813	{
marcozecchini	0:9fca2b23d0ba	2814	/*
marcozecchini	0:9fca2b23d0ba	2815	* DHM key exchange -- send G^X mod P
marcozecchini	0:9fca2b23d0ba	2816	*/
marcozecchini	0:9fca2b23d0ba	2817	n = ssl->handshake->dhm_ctx.len;
marcozecchini	0:9fca2b23d0ba	2818
marcozecchini	0:9fca2b23d0ba	2819	ssl->out_msg[4] = (unsigned char)( n >> 8 );
marcozecchini	0:9fca2b23d0ba	2820	ssl->out_msg[5] = (unsigned char)( n );
marcozecchini	0:9fca2b23d0ba	2821	i = 6;
marcozecchini	0:9fca2b23d0ba	2822
marcozecchini	0:9fca2b23d0ba	2823	ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
marcozecchini	0:9fca2b23d0ba	2824	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
marcozecchini	0:9fca2b23d0ba	2825	&ssl->out_msg[i], n,
marcozecchini	0:9fca2b23d0ba	2826	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	2827	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	2828	{
marcozecchini	0:9fca2b23d0ba	2829	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
marcozecchini	0:9fca2b23d0ba	2830	return( ret );
marcozecchini	0:9fca2b23d0ba	2831	}
marcozecchini	0:9fca2b23d0ba	2832
marcozecchini	0:9fca2b23d0ba	2833	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
marcozecchini	0:9fca2b23d0ba	2834	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
marcozecchini	0:9fca2b23d0ba	2835
marcozecchini	0:9fca2b23d0ba	2836	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
marcozecchini	0:9fca2b23d0ba	2837	ssl->handshake->premaster,
marcozecchini	0:9fca2b23d0ba	2838	MBEDTLS_PREMASTER_SIZE,
marcozecchini	0:9fca2b23d0ba	2839	&ssl->handshake->pmslen,
marcozecchini	0:9fca2b23d0ba	2840	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2841	{
marcozecchini	0:9fca2b23d0ba	2842	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
marcozecchini	0:9fca2b23d0ba	2843	return( ret );
marcozecchini	0:9fca2b23d0ba	2844	}
marcozecchini	0:9fca2b23d0ba	2845
marcozecchini	0:9fca2b23d0ba	2846	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
marcozecchini	0:9fca2b23d0ba	2847	}
marcozecchini	0:9fca2b23d0ba	2848	else
marcozecchini	0:9fca2b23d0ba	2849	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2850	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2851	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2852	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2853	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2854	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
marcozecchini	0:9fca2b23d0ba	2855	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
marcozecchini	0:9fca2b23d0ba	2856	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
marcozecchini	0:9fca2b23d0ba	2857	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
marcozecchini	0:9fca2b23d0ba	2858	{
marcozecchini	0:9fca2b23d0ba	2859	/*
marcozecchini	0:9fca2b23d0ba	2860	* ECDH key exchange -- send client public value
marcozecchini	0:9fca2b23d0ba	2861	*/
marcozecchini	0:9fca2b23d0ba	2862	i = 4;
marcozecchini	0:9fca2b23d0ba	2863
marcozecchini	0:9fca2b23d0ba	2864	ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
marcozecchini	0:9fca2b23d0ba	2865	&n,
marcozecchini	0:9fca2b23d0ba	2866	&ssl->out_msg[i], 1000,
marcozecchini	0:9fca2b23d0ba	2867	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	2868	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	2869	{
marcozecchini	0:9fca2b23d0ba	2870	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
marcozecchini	0:9fca2b23d0ba	2871	return( ret );
marcozecchini	0:9fca2b23d0ba	2872	}
marcozecchini	0:9fca2b23d0ba	2873
marcozecchini	0:9fca2b23d0ba	2874	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
marcozecchini	0:9fca2b23d0ba	2875
marcozecchini	0:9fca2b23d0ba	2876	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
marcozecchini	0:9fca2b23d0ba	2877	&ssl->handshake->pmslen,
marcozecchini	0:9fca2b23d0ba	2878	ssl->handshake->premaster,
marcozecchini	0:9fca2b23d0ba	2879	MBEDTLS_MPI_MAX_SIZE,
marcozecchini	0:9fca2b23d0ba	2880	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2881	{
marcozecchini	0:9fca2b23d0ba	2882	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
marcozecchini	0:9fca2b23d0ba	2883	return( ret );
marcozecchini	0:9fca2b23d0ba	2884	}
marcozecchini	0:9fca2b23d0ba	2885
marcozecchini	0:9fca2b23d0ba	2886	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
marcozecchini	0:9fca2b23d0ba	2887	}
marcozecchini	0:9fca2b23d0ba	2888	else
marcozecchini	0:9fca2b23d0ba	2889	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2890	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2891	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2892	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2893	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2894	if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2895	{
marcozecchini	0:9fca2b23d0ba	2896	/*
marcozecchini	0:9fca2b23d0ba	2897	* opaque psk_identity<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2898	*/
marcozecchini	0:9fca2b23d0ba	2899	if( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL )
marcozecchini	0:9fca2b23d0ba	2900	{
marcozecchini	0:9fca2b23d0ba	2901	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
marcozecchini	0:9fca2b23d0ba	2902	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
marcozecchini	0:9fca2b23d0ba	2903	}
marcozecchini	0:9fca2b23d0ba	2904
marcozecchini	0:9fca2b23d0ba	2905	i = 4;
marcozecchini	0:9fca2b23d0ba	2906	n = ssl->conf->psk_identity_len;
marcozecchini	0:9fca2b23d0ba	2907
marcozecchini	0:9fca2b23d0ba	2908	if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
marcozecchini	0:9fca2b23d0ba	2909	{
marcozecchini	0:9fca2b23d0ba	2910	MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
marcozecchini	0:9fca2b23d0ba	2911	"SSL buffer too short" ) );
marcozecchini	0:9fca2b23d0ba	2912	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
marcozecchini	0:9fca2b23d0ba	2913	}
marcozecchini	0:9fca2b23d0ba	2914
marcozecchini	0:9fca2b23d0ba	2915	ssl->out_msg[i++] = (unsigned char)( n >> 8 );
marcozecchini	0:9fca2b23d0ba	2916	ssl->out_msg[i++] = (unsigned char)( n );
marcozecchini	0:9fca2b23d0ba	2917
marcozecchini	0:9fca2b23d0ba	2918	memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
marcozecchini	0:9fca2b23d0ba	2919	i += ssl->conf->psk_identity_len;
marcozecchini	0:9fca2b23d0ba	2920
marcozecchini	0:9fca2b23d0ba	2921	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2922	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
marcozecchini	0:9fca2b23d0ba	2923	{
marcozecchini	0:9fca2b23d0ba	2924	n = 0;
marcozecchini	0:9fca2b23d0ba	2925	}
marcozecchini	0:9fca2b23d0ba	2926	else
marcozecchini	0:9fca2b23d0ba	2927	#endif
marcozecchini	0:9fca2b23d0ba	2928	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2929	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
marcozecchini	0:9fca2b23d0ba	2930	{
marcozecchini	0:9fca2b23d0ba	2931	if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2932	return( ret );
marcozecchini	0:9fca2b23d0ba	2933	}
marcozecchini	0:9fca2b23d0ba	2934	else
marcozecchini	0:9fca2b23d0ba	2935	#endif
marcozecchini	0:9fca2b23d0ba	2936	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2937	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
marcozecchini	0:9fca2b23d0ba	2938	{
marcozecchini	0:9fca2b23d0ba	2939	/*
marcozecchini	0:9fca2b23d0ba	2940	* ClientDiffieHellmanPublic public (DHM send G^X mod P)
marcozecchini	0:9fca2b23d0ba	2941	*/
marcozecchini	0:9fca2b23d0ba	2942	n = ssl->handshake->dhm_ctx.len;
marcozecchini	0:9fca2b23d0ba	2943
marcozecchini	0:9fca2b23d0ba	2944	if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
marcozecchini	0:9fca2b23d0ba	2945	{
marcozecchini	0:9fca2b23d0ba	2946	MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
marcozecchini	0:9fca2b23d0ba	2947	" or SSL buffer too short" ) );
marcozecchini	0:9fca2b23d0ba	2948	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
marcozecchini	0:9fca2b23d0ba	2949	}
marcozecchini	0:9fca2b23d0ba	2950
marcozecchini	0:9fca2b23d0ba	2951	ssl->out_msg[i++] = (unsigned char)( n >> 8 );
marcozecchini	0:9fca2b23d0ba	2952	ssl->out_msg[i++] = (unsigned char)( n );
marcozecchini	0:9fca2b23d0ba	2953
marcozecchini	0:9fca2b23d0ba	2954	ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
marcozecchini	0:9fca2b23d0ba	2955	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
marcozecchini	0:9fca2b23d0ba	2956	&ssl->out_msg[i], n,
marcozecchini	0:9fca2b23d0ba	2957	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	2958	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	2959	{
marcozecchini	0:9fca2b23d0ba	2960	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
marcozecchini	0:9fca2b23d0ba	2961	return( ret );
marcozecchini	0:9fca2b23d0ba	2962	}
marcozecchini	0:9fca2b23d0ba	2963	}
marcozecchini	0:9fca2b23d0ba	2964	else
marcozecchini	0:9fca2b23d0ba	2965	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2966	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2967	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
marcozecchini	0:9fca2b23d0ba	2968	{
marcozecchini	0:9fca2b23d0ba	2969	/*
marcozecchini	0:9fca2b23d0ba	2970	* ClientECDiffieHellmanPublic public;
marcozecchini	0:9fca2b23d0ba	2971	*/
marcozecchini	0:9fca2b23d0ba	2972	ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
marcozecchini	0:9fca2b23d0ba	2973	&ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
marcozecchini	0:9fca2b23d0ba	2974	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	2975	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	2976	{
marcozecchini	0:9fca2b23d0ba	2977	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
marcozecchini	0:9fca2b23d0ba	2978	return( ret );
marcozecchini	0:9fca2b23d0ba	2979	}
marcozecchini	0:9fca2b23d0ba	2980
marcozecchini	0:9fca2b23d0ba	2981	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
marcozecchini	0:9fca2b23d0ba	2982	}
marcozecchini	0:9fca2b23d0ba	2983	else
marcozecchini	0:9fca2b23d0ba	2984	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2985	{
marcozecchini	0:9fca2b23d0ba	2986	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	2987	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2988	}
marcozecchini	0:9fca2b23d0ba	2989
marcozecchini	0:9fca2b23d0ba	2990	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
marcozecchini	0:9fca2b23d0ba	2991	ciphersuite_info->key_exchange ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2992	{
marcozecchini	0:9fca2b23d0ba	2993	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
marcozecchini	0:9fca2b23d0ba	2994	return( ret );
marcozecchini	0:9fca2b23d0ba	2995	}
marcozecchini	0:9fca2b23d0ba	2996	}
marcozecchini	0:9fca2b23d0ba	2997	else
marcozecchini	0:9fca2b23d0ba	2998	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2999	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	3000	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
marcozecchini	0:9fca2b23d0ba	3001	{
marcozecchini	0:9fca2b23d0ba	3002	i = 4;
marcozecchini	0:9fca2b23d0ba	3003	if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3004	return( ret );
marcozecchini	0:9fca2b23d0ba	3005	}
marcozecchini	0:9fca2b23d0ba	3006	else
marcozecchini	0:9fca2b23d0ba	3007	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	3008	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	3009	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	3010	{
marcozecchini	0:9fca2b23d0ba	3011	i = 4;
marcozecchini	0:9fca2b23d0ba	3012
marcozecchini	0:9fca2b23d0ba	3013	ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	3014	ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
marcozecchini	0:9fca2b23d0ba	3015	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	3016	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	3017	{
marcozecchini	0:9fca2b23d0ba	3018	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
marcozecchini	0:9fca2b23d0ba	3019	return( ret );
marcozecchini	0:9fca2b23d0ba	3020	}
marcozecchini	0:9fca2b23d0ba	3021
marcozecchini	0:9fca2b23d0ba	3022	ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	3023	ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
marcozecchini	0:9fca2b23d0ba	3024	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	3025	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	3026	{
marcozecchini	0:9fca2b23d0ba	3027	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
marcozecchini	0:9fca2b23d0ba	3028	return( ret );
marcozecchini	0:9fca2b23d0ba	3029	}
marcozecchini	0:9fca2b23d0ba	3030	}
marcozecchini	0:9fca2b23d0ba	3031	else
marcozecchini	0:9fca2b23d0ba	3032	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	3033	{
marcozecchini	0:9fca2b23d0ba	3034	((void) ciphersuite_info);
marcozecchini	0:9fca2b23d0ba	3035	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3036	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3037	}
marcozecchini	0:9fca2b23d0ba	3038
marcozecchini	0:9fca2b23d0ba	3039	ssl->out_msglen = i + n;
marcozecchini	0:9fca2b23d0ba	3040	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	3041	ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
marcozecchini	0:9fca2b23d0ba	3042
marcozecchini	0:9fca2b23d0ba	3043	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3044
marcozecchini	0:9fca2b23d0ba	3045	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3046	{
marcozecchini	0:9fca2b23d0ba	3047	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
marcozecchini	0:9fca2b23d0ba	3048	return( ret );
marcozecchini	0:9fca2b23d0ba	3049	}
marcozecchini	0:9fca2b23d0ba	3050
marcozecchini	0:9fca2b23d0ba	3051	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
marcozecchini	0:9fca2b23d0ba	3052
marcozecchini	0:9fca2b23d0ba	3053	return( 0 );
marcozecchini	0:9fca2b23d0ba	3054	}
marcozecchini	0:9fca2b23d0ba	3055
marcozecchini	0:9fca2b23d0ba	3056	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3057	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3058	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3059	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3060	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
marcozecchini	0:9fca2b23d0ba	3061	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	3062	static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3063	{
marcozecchini	0:9fca2b23d0ba	3064	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	3065	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	3066	int ret;
marcozecchini	0:9fca2b23d0ba	3067
marcozecchini	0:9fca2b23d0ba	3068	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3069
marcozecchini	0:9fca2b23d0ba	3070	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3071	{
marcozecchini	0:9fca2b23d0ba	3072	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
marcozecchini	0:9fca2b23d0ba	3073	return( ret );
marcozecchini	0:9fca2b23d0ba	3074	}
marcozecchini	0:9fca2b23d0ba	3075
marcozecchini	0:9fca2b23d0ba	3076	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3077	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3078	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3079	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3080	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	3081	{
marcozecchini	0:9fca2b23d0ba	3082	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3083	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3084	return( 0 );
marcozecchini	0:9fca2b23d0ba	3085	}
marcozecchini	0:9fca2b23d0ba	3086
marcozecchini	0:9fca2b23d0ba	3087	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3088	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3089	}
marcozecchini	0:9fca2b23d0ba	3090	#else
marcozecchini	0:9fca2b23d0ba	3091	static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3092	{
marcozecchini	0:9fca2b23d0ba	3093	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
marcozecchini	0:9fca2b23d0ba	3094	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	3095	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	3096	size_t n = 0, offset = 0;
marcozecchini	0:9fca2b23d0ba	3097	unsigned char hash[48];
marcozecchini	0:9fca2b23d0ba	3098	unsigned char *hash_start = hash;
marcozecchini	0:9fca2b23d0ba	3099	mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
marcozecchini	0:9fca2b23d0ba	3100	unsigned int hashlen;
marcozecchini	0:9fca2b23d0ba	3101
marcozecchini	0:9fca2b23d0ba	3102	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3103
marcozecchini	0:9fca2b23d0ba	3104	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3105	{
marcozecchini	0:9fca2b23d0ba	3106	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
marcozecchini	0:9fca2b23d0ba	3107	return( ret );
marcozecchini	0:9fca2b23d0ba	3108	}
marcozecchini	0:9fca2b23d0ba	3109
marcozecchini	0:9fca2b23d0ba	3110	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3111	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3112	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3113	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3114	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	3115	{
marcozecchini	0:9fca2b23d0ba	3116	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3117	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3118	return( 0 );
marcozecchini	0:9fca2b23d0ba	3119	}
marcozecchini	0:9fca2b23d0ba	3120
marcozecchini	0:9fca2b23d0ba	3121	if( ssl->client_auth == 0 \|\| mbedtls_ssl_own_cert( ssl ) == NULL )
marcozecchini	0:9fca2b23d0ba	3122	{
marcozecchini	0:9fca2b23d0ba	3123	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3124	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3125	return( 0 );
marcozecchini	0:9fca2b23d0ba	3126	}
marcozecchini	0:9fca2b23d0ba	3127
marcozecchini	0:9fca2b23d0ba	3128	if( mbedtls_ssl_own_key( ssl ) == NULL )
marcozecchini	0:9fca2b23d0ba	3129	{
marcozecchini	0:9fca2b23d0ba	3130	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
marcozecchini	0:9fca2b23d0ba	3131	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
marcozecchini	0:9fca2b23d0ba	3132	}
marcozecchini	0:9fca2b23d0ba	3133
marcozecchini	0:9fca2b23d0ba	3134	/*
marcozecchini	0:9fca2b23d0ba	3135	* Make an RSA signature of the handshake digests
marcozecchini	0:9fca2b23d0ba	3136	*/
marcozecchini	0:9fca2b23d0ba	3137	ssl->handshake->calc_verify( ssl, hash );
marcozecchini	0:9fca2b23d0ba	3138
marcozecchini	0:9fca2b23d0ba	3139	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
marcozecchini	0:9fca2b23d0ba	3140	defined(MBEDTLS_SSL_PROTO_TLS1_1)
marcozecchini	0:9fca2b23d0ba	3141	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	3142	{
marcozecchini	0:9fca2b23d0ba	3143	/*
marcozecchini	0:9fca2b23d0ba	3144	* digitally-signed struct {
marcozecchini	0:9fca2b23d0ba	3145	* opaque md5_hash[16];
marcozecchini	0:9fca2b23d0ba	3146	* opaque sha_hash[20];
marcozecchini	0:9fca2b23d0ba	3147	* };
marcozecchini	0:9fca2b23d0ba	3148	*
marcozecchini	0:9fca2b23d0ba	3149	* md5_hash
marcozecchini	0:9fca2b23d0ba	3150	* MD5(handshake_messages);
marcozecchini	0:9fca2b23d0ba	3151	*
marcozecchini	0:9fca2b23d0ba	3152	* sha_hash
marcozecchini	0:9fca2b23d0ba	3153	* SHA(handshake_messages);
marcozecchini	0:9fca2b23d0ba	3154	*/
marcozecchini	0:9fca2b23d0ba	3155	hashlen = 36;
marcozecchini	0:9fca2b23d0ba	3156	md_alg = MBEDTLS_MD_NONE;
marcozecchini	0:9fca2b23d0ba	3157
marcozecchini	0:9fca2b23d0ba	3158	/*
marcozecchini	0:9fca2b23d0ba	3159	* For ECDSA, default hash is SHA-1 only
marcozecchini	0:9fca2b23d0ba	3160	*/
marcozecchini	0:9fca2b23d0ba	3161	if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
marcozecchini	0:9fca2b23d0ba	3162	{
marcozecchini	0:9fca2b23d0ba	3163	hash_start += 16;
marcozecchini	0:9fca2b23d0ba	3164	hashlen -= 16;
marcozecchini	0:9fca2b23d0ba	3165	md_alg = MBEDTLS_MD_SHA1;
marcozecchini	0:9fca2b23d0ba	3166	}
marcozecchini	0:9fca2b23d0ba	3167	}
marcozecchini	0:9fca2b23d0ba	3168	else
marcozecchini	0:9fca2b23d0ba	3169	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
marcozecchini	0:9fca2b23d0ba	3170	MBEDTLS_SSL_PROTO_TLS1_1 */
marcozecchini	0:9fca2b23d0ba	3171	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	3172	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	3173	{
marcozecchini	0:9fca2b23d0ba	3174	/*
marcozecchini	0:9fca2b23d0ba	3175	* digitally-signed struct {
marcozecchini	0:9fca2b23d0ba	3176	* opaque handshake_messages[handshake_messages_length];
marcozecchini	0:9fca2b23d0ba	3177	* };
marcozecchini	0:9fca2b23d0ba	3178	*
marcozecchini	0:9fca2b23d0ba	3179	* Taking shortcut here. We assume that the server always allows the
marcozecchini	0:9fca2b23d0ba	3180	* PRF Hash function and has sent it in the allowed signature
marcozecchini	0:9fca2b23d0ba	3181	* algorithms list received in the Certificate Request message.
marcozecchini	0:9fca2b23d0ba	3182	*
marcozecchini	0:9fca2b23d0ba	3183	* Until we encounter a server that does not, we will take this
marcozecchini	0:9fca2b23d0ba	3184	* shortcut.
marcozecchini	0:9fca2b23d0ba	3185	*
marcozecchini	0:9fca2b23d0ba	3186	* Reason: Otherwise we should have running hashes for SHA512 and SHA224
marcozecchini	0:9fca2b23d0ba	3187	* in order to satisfy 'weird' needs from the server side.
marcozecchini	0:9fca2b23d0ba	3188	*/
marcozecchini	0:9fca2b23d0ba	3189	if( ssl->transform_negotiate->ciphersuite_info->mac ==
marcozecchini	0:9fca2b23d0ba	3190	MBEDTLS_MD_SHA384 )
marcozecchini	0:9fca2b23d0ba	3191	{
marcozecchini	0:9fca2b23d0ba	3192	md_alg = MBEDTLS_MD_SHA384;
marcozecchini	0:9fca2b23d0ba	3193	ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
marcozecchini	0:9fca2b23d0ba	3194	}
marcozecchini	0:9fca2b23d0ba	3195	else
marcozecchini	0:9fca2b23d0ba	3196	{
marcozecchini	0:9fca2b23d0ba	3197	md_alg = MBEDTLS_MD_SHA256;
marcozecchini	0:9fca2b23d0ba	3198	ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
marcozecchini	0:9fca2b23d0ba	3199	}
marcozecchini	0:9fca2b23d0ba	3200	ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
marcozecchini	0:9fca2b23d0ba	3201
marcozecchini	0:9fca2b23d0ba	3202	/* Info from md_alg will be used instead */
marcozecchini	0:9fca2b23d0ba	3203	hashlen = 0;
marcozecchini	0:9fca2b23d0ba	3204	offset = 2;
marcozecchini	0:9fca2b23d0ba	3205	}
marcozecchini	0:9fca2b23d0ba	3206	else
marcozecchini	0:9fca2b23d0ba	3207	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	3208	{
marcozecchini	0:9fca2b23d0ba	3209	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3210	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3211	}
marcozecchini	0:9fca2b23d0ba	3212
marcozecchini	0:9fca2b23d0ba	3213	if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
marcozecchini	0:9fca2b23d0ba	3214	ssl->out_msg + 6 + offset, &n,
marcozecchini	0:9fca2b23d0ba	3215	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3216	{
marcozecchini	0:9fca2b23d0ba	3217	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
marcozecchini	0:9fca2b23d0ba	3218	return( ret );
marcozecchini	0:9fca2b23d0ba	3219	}
marcozecchini	0:9fca2b23d0ba	3220
marcozecchini	0:9fca2b23d0ba	3221	ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
marcozecchini	0:9fca2b23d0ba	3222	ssl->out_msg[5 + offset] = (unsigned char)( n );
marcozecchini	0:9fca2b23d0ba	3223
marcozecchini	0:9fca2b23d0ba	3224	ssl->out_msglen = 6 + n + offset;
marcozecchini	0:9fca2b23d0ba	3225	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	3226	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
marcozecchini	0:9fca2b23d0ba	3227
marcozecchini	0:9fca2b23d0ba	3228	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3229
marcozecchini	0:9fca2b23d0ba	3230	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3231	{
marcozecchini	0:9fca2b23d0ba	3232	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
marcozecchini	0:9fca2b23d0ba	3233	return( ret );
marcozecchini	0:9fca2b23d0ba	3234	}
marcozecchini	0:9fca2b23d0ba	3235
marcozecchini	0:9fca2b23d0ba	3236	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3237
marcozecchini	0:9fca2b23d0ba	3238	return( ret );
marcozecchini	0:9fca2b23d0ba	3239	}
marcozecchini	0:9fca2b23d0ba	3240	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3241	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3242	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3243	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3244	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3245	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	3246
marcozecchini	0:9fca2b23d0ba	3247	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	3248	static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3249	{
marcozecchini	0:9fca2b23d0ba	3250	int ret;
marcozecchini	0:9fca2b23d0ba	3251	uint32_t lifetime;
marcozecchini	0:9fca2b23d0ba	3252	size_t ticket_len;
marcozecchini	0:9fca2b23d0ba	3253	unsigned char *ticket;
marcozecchini	0:9fca2b23d0ba	3254	const unsigned char *msg;
marcozecchini	0:9fca2b23d0ba	3255
marcozecchini	0:9fca2b23d0ba	3256	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
marcozecchini	0:9fca2b23d0ba	3257
marcozecchini	0:9fca2b23d0ba	3258	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3259	{
marcozecchini	0:9fca2b23d0ba	3260	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
marcozecchini	0:9fca2b23d0ba	3261	return( ret );
marcozecchini	0:9fca2b23d0ba	3262	}
marcozecchini	0:9fca2b23d0ba	3263
marcozecchini	0:9fca2b23d0ba	3264	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	3265	{
marcozecchini	0:9fca2b23d0ba	3266	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
marcozecchini	0:9fca2b23d0ba	3267	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	3268	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	3269	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
marcozecchini	0:9fca2b23d0ba	3270	}
marcozecchini	0:9fca2b23d0ba	3271
marcozecchini	0:9fca2b23d0ba	3272	/*
marcozecchini	0:9fca2b23d0ba	3273	* struct {
marcozecchini	0:9fca2b23d0ba	3274	* uint32 ticket_lifetime_hint;
marcozecchini	0:9fca2b23d0ba	3275	* opaque ticket<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	3276	* } NewSessionTicket;
marcozecchini	0:9fca2b23d0ba	3277	*
marcozecchini	0:9fca2b23d0ba	3278	* 0 . 3 ticket_lifetime_hint
marcozecchini	0:9fca2b23d0ba	3279	* 4 . 5 ticket_len (n)
marcozecchini	0:9fca2b23d0ba	3280	* 6 . 5+n ticket content
marcozecchini	0:9fca2b23d0ba	3281	*/
marcozecchini	0:9fca2b23d0ba	3282	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET \|\|
marcozecchini	0:9fca2b23d0ba	3283	ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
marcozecchini	0:9fca2b23d0ba	3284	{
marcozecchini	0:9fca2b23d0ba	3285	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
marcozecchini	0:9fca2b23d0ba	3286	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	3287	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	3288	return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
marcozecchini	0:9fca2b23d0ba	3289	}
marcozecchini	0:9fca2b23d0ba	3290
marcozecchini	0:9fca2b23d0ba	3291	msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	3292
marcozecchini	0:9fca2b23d0ba	3293	lifetime = ( msg[0] << 24 ) \| ( msg[1] << 16 ) \|
marcozecchini	0:9fca2b23d0ba	3294	( msg[2] << 8 ) \| ( msg[3] );
marcozecchini	0:9fca2b23d0ba	3295
marcozecchini	0:9fca2b23d0ba	3296	ticket_len = ( msg[4] << 8 ) \| ( msg[5] );
marcozecchini	0:9fca2b23d0ba	3297
marcozecchini	0:9fca2b23d0ba	3298	if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
marcozecchini	0:9fca2b23d0ba	3299	{
marcozecchini	0:9fca2b23d0ba	3300	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
marcozecchini	0:9fca2b23d0ba	3301	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	3302	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	3303	return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
marcozecchini	0:9fca2b23d0ba	3304	}
marcozecchini	0:9fca2b23d0ba	3305
marcozecchini	0:9fca2b23d0ba	3306	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
marcozecchini	0:9fca2b23d0ba	3307
marcozecchini	0:9fca2b23d0ba	3308	/* We're not waiting for a NewSessionTicket message any more */
marcozecchini	0:9fca2b23d0ba	3309	ssl->handshake->new_session_ticket = 0;
marcozecchini	0:9fca2b23d0ba	3310	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
marcozecchini	0:9fca2b23d0ba	3311
marcozecchini	0:9fca2b23d0ba	3312	/*
marcozecchini	0:9fca2b23d0ba	3313	* Zero-length ticket means the server changed his mind and doesn't want
marcozecchini	0:9fca2b23d0ba	3314	* to send a ticket after all, so just forget it
marcozecchini	0:9fca2b23d0ba	3315	*/
marcozecchini	0:9fca2b23d0ba	3316	if( ticket_len == 0 )
marcozecchini	0:9fca2b23d0ba	3317	return( 0 );
marcozecchini	0:9fca2b23d0ba	3318
marcozecchini	0:9fca2b23d0ba	3319	mbedtls_zeroize( ssl->session_negotiate->ticket,
marcozecchini	0:9fca2b23d0ba	3320	ssl->session_negotiate->ticket_len );
marcozecchini	0:9fca2b23d0ba	3321	mbedtls_free( ssl->session_negotiate->ticket );
marcozecchini	0:9fca2b23d0ba	3322	ssl->session_negotiate->ticket = NULL;
marcozecchini	0:9fca2b23d0ba	3323	ssl->session_negotiate->ticket_len = 0;
marcozecchini	0:9fca2b23d0ba	3324
marcozecchini	0:9fca2b23d0ba	3325	if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
marcozecchini	0:9fca2b23d0ba	3326	{
marcozecchini	0:9fca2b23d0ba	3327	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
marcozecchini	0:9fca2b23d0ba	3328	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	3329	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3330	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
marcozecchini	0:9fca2b23d0ba	3331	}
marcozecchini	0:9fca2b23d0ba	3332
marcozecchini	0:9fca2b23d0ba	3333	memcpy( ticket, msg + 6, ticket_len );
marcozecchini	0:9fca2b23d0ba	3334
marcozecchini	0:9fca2b23d0ba	3335	ssl->session_negotiate->ticket = ticket;
marcozecchini	0:9fca2b23d0ba	3336	ssl->session_negotiate->ticket_len = ticket_len;
marcozecchini	0:9fca2b23d0ba	3337	ssl->session_negotiate->ticket_lifetime = lifetime;
marcozecchini	0:9fca2b23d0ba	3338
marcozecchini	0:9fca2b23d0ba	3339	/*
marcozecchini	0:9fca2b23d0ba	3340	* RFC 5077 section 3.4:
marcozecchini	0:9fca2b23d0ba	3341	* "If the client receives a session ticket from the server, then it
marcozecchini	0:9fca2b23d0ba	3342	* discards any Session ID that was sent in the ServerHello."
marcozecchini	0:9fca2b23d0ba	3343	*/
marcozecchini	0:9fca2b23d0ba	3344	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
marcozecchini	0:9fca2b23d0ba	3345	ssl->session_negotiate->id_len = 0;
marcozecchini	0:9fca2b23d0ba	3346
marcozecchini	0:9fca2b23d0ba	3347	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
marcozecchini	0:9fca2b23d0ba	3348
marcozecchini	0:9fca2b23d0ba	3349	return( 0 );
marcozecchini	0:9fca2b23d0ba	3350	}
marcozecchini	0:9fca2b23d0ba	3351	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	3352
marcozecchini	0:9fca2b23d0ba	3353	/*
marcozecchini	0:9fca2b23d0ba	3354	* SSL handshake -- client side -- single step
marcozecchini	0:9fca2b23d0ba	3355	*/
marcozecchini	0:9fca2b23d0ba	3356	int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3357	{
marcozecchini	0:9fca2b23d0ba	3358	int ret = 0;
marcozecchini	0:9fca2b23d0ba	3359
marcozecchini	0:9fca2b23d0ba	3360	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER \|\| ssl->handshake == NULL )
marcozecchini	0:9fca2b23d0ba	3361	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	3362
marcozecchini	0:9fca2b23d0ba	3363	MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
marcozecchini	0:9fca2b23d0ba	3364
marcozecchini	0:9fca2b23d0ba	3365	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3366	return( ret );
marcozecchini	0:9fca2b23d0ba	3367
marcozecchini	0:9fca2b23d0ba	3368	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	3369	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
marcozecchini	0:9fca2b23d0ba	3370	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
marcozecchini	0:9fca2b23d0ba	3371	{
marcozecchini	0:9fca2b23d0ba	3372	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3373	return( ret );
marcozecchini	0:9fca2b23d0ba	3374	}
marcozecchini	0:9fca2b23d0ba	3375	#endif
marcozecchini	0:9fca2b23d0ba	3376
marcozecchini	0:9fca2b23d0ba	3377	/* Change state now, so that it is right in mbedtls_ssl_read_record(), used
marcozecchini	0:9fca2b23d0ba	3378	* by DTLS for dropping out-of-sequence ChangeCipherSpec records */
marcozecchini	0:9fca2b23d0ba	3379	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	3380	if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
marcozecchini	0:9fca2b23d0ba	3381	ssl->handshake->new_session_ticket != 0 )
marcozecchini	0:9fca2b23d0ba	3382	{
marcozecchini	0:9fca2b23d0ba	3383	ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
marcozecchini	0:9fca2b23d0ba	3384	}
marcozecchini	0:9fca2b23d0ba	3385	#endif
marcozecchini	0:9fca2b23d0ba	3386
marcozecchini	0:9fca2b23d0ba	3387	switch( ssl->state )
marcozecchini	0:9fca2b23d0ba	3388	{
marcozecchini	0:9fca2b23d0ba	3389	case MBEDTLS_SSL_HELLO_REQUEST:
marcozecchini	0:9fca2b23d0ba	3390	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
marcozecchini	0:9fca2b23d0ba	3391	break;
marcozecchini	0:9fca2b23d0ba	3392
marcozecchini	0:9fca2b23d0ba	3393	/*
marcozecchini	0:9fca2b23d0ba	3394	* ==> ClientHello
marcozecchini	0:9fca2b23d0ba	3395	*/
marcozecchini	0:9fca2b23d0ba	3396	case MBEDTLS_SSL_CLIENT_HELLO:
marcozecchini	0:9fca2b23d0ba	3397	ret = ssl_write_client_hello( ssl );
marcozecchini	0:9fca2b23d0ba	3398	break;
marcozecchini	0:9fca2b23d0ba	3399
marcozecchini	0:9fca2b23d0ba	3400	/*
marcozecchini	0:9fca2b23d0ba	3401	* <== ServerHello
marcozecchini	0:9fca2b23d0ba	3402	* Certificate
marcozecchini	0:9fca2b23d0ba	3403	* ( ServerKeyExchange )
marcozecchini	0:9fca2b23d0ba	3404	* ( CertificateRequest )
marcozecchini	0:9fca2b23d0ba	3405	* ServerHelloDone
marcozecchini	0:9fca2b23d0ba	3406	*/
marcozecchini	0:9fca2b23d0ba	3407	case MBEDTLS_SSL_SERVER_HELLO:
marcozecchini	0:9fca2b23d0ba	3408	ret = ssl_parse_server_hello( ssl );
marcozecchini	0:9fca2b23d0ba	3409	break;
marcozecchini	0:9fca2b23d0ba	3410
marcozecchini	0:9fca2b23d0ba	3411	case MBEDTLS_SSL_SERVER_CERTIFICATE:
marcozecchini	0:9fca2b23d0ba	3412	ret = mbedtls_ssl_parse_certificate( ssl );
marcozecchini	0:9fca2b23d0ba	3413	break;
marcozecchini	0:9fca2b23d0ba	3414
marcozecchini	0:9fca2b23d0ba	3415	case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
marcozecchini	0:9fca2b23d0ba	3416	ret = ssl_parse_server_key_exchange( ssl );
marcozecchini	0:9fca2b23d0ba	3417	break;
marcozecchini	0:9fca2b23d0ba	3418
marcozecchini	0:9fca2b23d0ba	3419	case MBEDTLS_SSL_CERTIFICATE_REQUEST:
marcozecchini	0:9fca2b23d0ba	3420	ret = ssl_parse_certificate_request( ssl );
marcozecchini	0:9fca2b23d0ba	3421	break;
marcozecchini	0:9fca2b23d0ba	3422
marcozecchini	0:9fca2b23d0ba	3423	case MBEDTLS_SSL_SERVER_HELLO_DONE:
marcozecchini	0:9fca2b23d0ba	3424	ret = ssl_parse_server_hello_done( ssl );
marcozecchini	0:9fca2b23d0ba	3425	break;
marcozecchini	0:9fca2b23d0ba	3426
marcozecchini	0:9fca2b23d0ba	3427	/*
marcozecchini	0:9fca2b23d0ba	3428	* ==> ( Certificate/Alert )
marcozecchini	0:9fca2b23d0ba	3429	* ClientKeyExchange
marcozecchini	0:9fca2b23d0ba	3430	* ( CertificateVerify )
marcozecchini	0:9fca2b23d0ba	3431	* ChangeCipherSpec
marcozecchini	0:9fca2b23d0ba	3432	* Finished
marcozecchini	0:9fca2b23d0ba	3433	*/
marcozecchini	0:9fca2b23d0ba	3434	case MBEDTLS_SSL_CLIENT_CERTIFICATE:
marcozecchini	0:9fca2b23d0ba	3435	ret = mbedtls_ssl_write_certificate( ssl );
marcozecchini	0:9fca2b23d0ba	3436	break;
marcozecchini	0:9fca2b23d0ba	3437
marcozecchini	0:9fca2b23d0ba	3438	case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
marcozecchini	0:9fca2b23d0ba	3439	ret = ssl_write_client_key_exchange( ssl );
marcozecchini	0:9fca2b23d0ba	3440	break;
marcozecchini	0:9fca2b23d0ba	3441
marcozecchini	0:9fca2b23d0ba	3442	case MBEDTLS_SSL_CERTIFICATE_VERIFY:
marcozecchini	0:9fca2b23d0ba	3443	ret = ssl_write_certificate_verify( ssl );
marcozecchini	0:9fca2b23d0ba	3444	break;
marcozecchini	0:9fca2b23d0ba	3445
marcozecchini	0:9fca2b23d0ba	3446	case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
marcozecchini	0:9fca2b23d0ba	3447	ret = mbedtls_ssl_write_change_cipher_spec( ssl );
marcozecchini	0:9fca2b23d0ba	3448	break;
marcozecchini	0:9fca2b23d0ba	3449
marcozecchini	0:9fca2b23d0ba	3450	case MBEDTLS_SSL_CLIENT_FINISHED:
marcozecchini	0:9fca2b23d0ba	3451	ret = mbedtls_ssl_write_finished( ssl );
marcozecchini	0:9fca2b23d0ba	3452	break;
marcozecchini	0:9fca2b23d0ba	3453
marcozecchini	0:9fca2b23d0ba	3454	/*
marcozecchini	0:9fca2b23d0ba	3455	* <== ( NewSessionTicket )
marcozecchini	0:9fca2b23d0ba	3456	* ChangeCipherSpec
marcozecchini	0:9fca2b23d0ba	3457	* Finished
marcozecchini	0:9fca2b23d0ba	3458	*/
marcozecchini	0:9fca2b23d0ba	3459	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	3460	case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
marcozecchini	0:9fca2b23d0ba	3461	ret = ssl_parse_new_session_ticket( ssl );
marcozecchini	0:9fca2b23d0ba	3462	break;
marcozecchini	0:9fca2b23d0ba	3463	#endif
marcozecchini	0:9fca2b23d0ba	3464
marcozecchini	0:9fca2b23d0ba	3465	case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
marcozecchini	0:9fca2b23d0ba	3466	ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
marcozecchini	0:9fca2b23d0ba	3467	break;
marcozecchini	0:9fca2b23d0ba	3468
marcozecchini	0:9fca2b23d0ba	3469	case MBEDTLS_SSL_SERVER_FINISHED:
marcozecchini	0:9fca2b23d0ba	3470	ret = mbedtls_ssl_parse_finished( ssl );
marcozecchini	0:9fca2b23d0ba	3471	break;
marcozecchini	0:9fca2b23d0ba	3472
marcozecchini	0:9fca2b23d0ba	3473	case MBEDTLS_SSL_FLUSH_BUFFERS:
marcozecchini	0:9fca2b23d0ba	3474	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
marcozecchini	0:9fca2b23d0ba	3475	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
marcozecchini	0:9fca2b23d0ba	3476	break;
marcozecchini	0:9fca2b23d0ba	3477
marcozecchini	0:9fca2b23d0ba	3478	case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
marcozecchini	0:9fca2b23d0ba	3479	mbedtls_ssl_handshake_wrapup( ssl );
marcozecchini	0:9fca2b23d0ba	3480	break;
marcozecchini	0:9fca2b23d0ba	3481
marcozecchini	0:9fca2b23d0ba	3482	default:
marcozecchini	0:9fca2b23d0ba	3483	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
marcozecchini	0:9fca2b23d0ba	3484	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	3485	}
marcozecchini	0:9fca2b23d0ba	3486
marcozecchini	0:9fca2b23d0ba	3487	return( ret );
marcozecchini	0:9fca2b23d0ba	3488	}
marcozecchini	0:9fca2b23d0ba	3489	#endif /* MBEDTLS_SSL_CLI_C */

Repository toolbox

Export to desktop IDE

Build repository

Repository details

Type:	Program
Mbed OS support:	Mbed OS
Created:	23 Feb 2019
Imports:	43
Forks:	0
Commits:	1
Dependents:	0
Dependencies:	0
Followers:	1

mbed-os/features/mbedtls/src/ssl_cli.c@0:9fca2b23d0ba, 2019-02-23 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning