Example_RTOS - Rtos API example

Users » marcozecchini » Code » Example_RTOS

Rtos API example

mbed-os/features/mbedtls/src/ssl_srv.c@0:9fca2b23d0ba, 2019-02-23 (annotated)

Committer:: marcozecchini
Date:: Sat Feb 23 12:13:36 2019 +0000
Revision:: 0:9fca2b23d0ba

final commit

Who changed what in which revision?

User	Revision	Line number	New contents of line
marcozecchini	0:9fca2b23d0ba	1	/*
marcozecchini	0:9fca2b23d0ba	2	* SSLv3/TLSv1 server-side functions
marcozecchini	0:9fca2b23d0ba	3	*
marcozecchini	0:9fca2b23d0ba	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
marcozecchini	0:9fca2b23d0ba	5	* SPDX-License-Identifier: Apache-2.0
marcozecchini	0:9fca2b23d0ba	6	*
marcozecchini	0:9fca2b23d0ba	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
marcozecchini	0:9fca2b23d0ba	8	* not use this file except in compliance with the License.
marcozecchini	0:9fca2b23d0ba	9	* You may obtain a copy of the License at
marcozecchini	0:9fca2b23d0ba	10	*
marcozecchini	0:9fca2b23d0ba	11	* http://www.apache.org/licenses/LICENSE-2.0
marcozecchini	0:9fca2b23d0ba	12	*
marcozecchini	0:9fca2b23d0ba	13	* Unless required by applicable law or agreed to in writing, software
marcozecchini	0:9fca2b23d0ba	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
marcozecchini	0:9fca2b23d0ba	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
marcozecchini	0:9fca2b23d0ba	16	* See the License for the specific language governing permissions and
marcozecchini	0:9fca2b23d0ba	17	* limitations under the License.
marcozecchini	0:9fca2b23d0ba	18	*
marcozecchini	0:9fca2b23d0ba	19	* This file is part of mbed TLS (https://tls.mbed.org)
marcozecchini	0:9fca2b23d0ba	20	*/
marcozecchini	0:9fca2b23d0ba	21
marcozecchini	0:9fca2b23d0ba	22	#if !defined(MBEDTLS_CONFIG_FILE)
marcozecchini	0:9fca2b23d0ba	23	#include "mbedtls/config.h"
marcozecchini	0:9fca2b23d0ba	24	#else
marcozecchini	0:9fca2b23d0ba	25	#include MBEDTLS_CONFIG_FILE
marcozecchini	0:9fca2b23d0ba	26	#endif
marcozecchini	0:9fca2b23d0ba	27
marcozecchini	0:9fca2b23d0ba	28	#if defined(MBEDTLS_SSL_SRV_C)
marcozecchini	0:9fca2b23d0ba	29
marcozecchini	0:9fca2b23d0ba	30	#if defined(MBEDTLS_PLATFORM_C)
marcozecchini	0:9fca2b23d0ba	31	#include "mbedtls/platform.h"
marcozecchini	0:9fca2b23d0ba	32	#else
marcozecchini	0:9fca2b23d0ba	33	#include <stdlib.h>
marcozecchini	0:9fca2b23d0ba	34	#define mbedtls_calloc calloc
marcozecchini	0:9fca2b23d0ba	35	#define mbedtls_free free
marcozecchini	0:9fca2b23d0ba	36	#endif
marcozecchini	0:9fca2b23d0ba	37
marcozecchini	0:9fca2b23d0ba	38	#include "mbedtls/debug.h"
marcozecchini	0:9fca2b23d0ba	39	#include "mbedtls/ssl.h"
marcozecchini	0:9fca2b23d0ba	40	#include "mbedtls/ssl_internal.h"
marcozecchini	0:9fca2b23d0ba	41
marcozecchini	0:9fca2b23d0ba	42	#include <string.h>
marcozecchini	0:9fca2b23d0ba	43
marcozecchini	0:9fca2b23d0ba	44	#if defined(MBEDTLS_ECP_C)
marcozecchini	0:9fca2b23d0ba	45	#include "mbedtls/ecp.h"
marcozecchini	0:9fca2b23d0ba	46	#endif
marcozecchini	0:9fca2b23d0ba	47
marcozecchini	0:9fca2b23d0ba	48	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	49	#include "mbedtls/platform_time.h"
marcozecchini	0:9fca2b23d0ba	50	#endif
marcozecchini	0:9fca2b23d0ba	51
marcozecchini	0:9fca2b23d0ba	52	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	53	/* Implementation that should never be optimized out by the compiler */
marcozecchini	0:9fca2b23d0ba	54	static void mbedtls_zeroize( void *v, size_t n ) {
marcozecchini	0:9fca2b23d0ba	55	volatile unsigned char p = v; while( n-- ) p++ = 0;
marcozecchini	0:9fca2b23d0ba	56	}
marcozecchini	0:9fca2b23d0ba	57	#endif
marcozecchini	0:9fca2b23d0ba	58
marcozecchini	0:9fca2b23d0ba	59	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
marcozecchini	0:9fca2b23d0ba	60	int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	61	const unsigned char *info,
marcozecchini	0:9fca2b23d0ba	62	size_t ilen )
marcozecchini	0:9fca2b23d0ba	63	{
marcozecchini	0:9fca2b23d0ba	64	if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
marcozecchini	0:9fca2b23d0ba	65	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	66
marcozecchini	0:9fca2b23d0ba	67	mbedtls_free( ssl->cli_id );
marcozecchini	0:9fca2b23d0ba	68
marcozecchini	0:9fca2b23d0ba	69	if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
marcozecchini	0:9fca2b23d0ba	70	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
marcozecchini	0:9fca2b23d0ba	71
marcozecchini	0:9fca2b23d0ba	72	memcpy( ssl->cli_id, info, ilen );
marcozecchini	0:9fca2b23d0ba	73	ssl->cli_id_len = ilen;
marcozecchini	0:9fca2b23d0ba	74
marcozecchini	0:9fca2b23d0ba	75	return( 0 );
marcozecchini	0:9fca2b23d0ba	76	}
marcozecchini	0:9fca2b23d0ba	77
marcozecchini	0:9fca2b23d0ba	78	void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
marcozecchini	0:9fca2b23d0ba	79	mbedtls_ssl_cookie_write_t *f_cookie_write,
marcozecchini	0:9fca2b23d0ba	80	mbedtls_ssl_cookie_check_t *f_cookie_check,
marcozecchini	0:9fca2b23d0ba	81	void *p_cookie )
marcozecchini	0:9fca2b23d0ba	82	{
marcozecchini	0:9fca2b23d0ba	83	conf->f_cookie_write = f_cookie_write;
marcozecchini	0:9fca2b23d0ba	84	conf->f_cookie_check = f_cookie_check;
marcozecchini	0:9fca2b23d0ba	85	conf->p_cookie = p_cookie;
marcozecchini	0:9fca2b23d0ba	86	}
marcozecchini	0:9fca2b23d0ba	87	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
marcozecchini	0:9fca2b23d0ba	88
marcozecchini	0:9fca2b23d0ba	89	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
marcozecchini	0:9fca2b23d0ba	90	static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	91	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	92	size_t len )
marcozecchini	0:9fca2b23d0ba	93	{
marcozecchini	0:9fca2b23d0ba	94	int ret;
marcozecchini	0:9fca2b23d0ba	95	size_t servername_list_size, hostname_len;
marcozecchini	0:9fca2b23d0ba	96	const unsigned char *p;
marcozecchini	0:9fca2b23d0ba	97
marcozecchini	0:9fca2b23d0ba	98	MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
marcozecchini	0:9fca2b23d0ba	99
marcozecchini	0:9fca2b23d0ba	100	servername_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
marcozecchini	0:9fca2b23d0ba	101	if( servername_list_size + 2 != len )
marcozecchini	0:9fca2b23d0ba	102	{
marcozecchini	0:9fca2b23d0ba	103	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	104	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	105	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	106	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	107	}
marcozecchini	0:9fca2b23d0ba	108
marcozecchini	0:9fca2b23d0ba	109	p = buf + 2;
marcozecchini	0:9fca2b23d0ba	110	while( servername_list_size > 0 )
marcozecchini	0:9fca2b23d0ba	111	{
marcozecchini	0:9fca2b23d0ba	112	hostname_len = ( ( p[1] << 8 ) \| p[2] );
marcozecchini	0:9fca2b23d0ba	113	if( hostname_len + 3 > servername_list_size )
marcozecchini	0:9fca2b23d0ba	114	{
marcozecchini	0:9fca2b23d0ba	115	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	116	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	117	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	118	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	119	}
marcozecchini	0:9fca2b23d0ba	120
marcozecchini	0:9fca2b23d0ba	121	if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
marcozecchini	0:9fca2b23d0ba	122	{
marcozecchini	0:9fca2b23d0ba	123	ret = ssl->conf->f_sni( ssl->conf->p_sni,
marcozecchini	0:9fca2b23d0ba	124	ssl, p + 3, hostname_len );
marcozecchini	0:9fca2b23d0ba	125	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	126	{
marcozecchini	0:9fca2b23d0ba	127	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
marcozecchini	0:9fca2b23d0ba	128	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	129	MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
marcozecchini	0:9fca2b23d0ba	130	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	131	}
marcozecchini	0:9fca2b23d0ba	132	return( 0 );
marcozecchini	0:9fca2b23d0ba	133	}
marcozecchini	0:9fca2b23d0ba	134
marcozecchini	0:9fca2b23d0ba	135	servername_list_size -= hostname_len + 3;
marcozecchini	0:9fca2b23d0ba	136	p += hostname_len + 3;
marcozecchini	0:9fca2b23d0ba	137	}
marcozecchini	0:9fca2b23d0ba	138
marcozecchini	0:9fca2b23d0ba	139	if( servername_list_size != 0 )
marcozecchini	0:9fca2b23d0ba	140	{
marcozecchini	0:9fca2b23d0ba	141	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	142	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	143	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	144	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	145	}
marcozecchini	0:9fca2b23d0ba	146
marcozecchini	0:9fca2b23d0ba	147	return( 0 );
marcozecchini	0:9fca2b23d0ba	148	}
marcozecchini	0:9fca2b23d0ba	149	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
marcozecchini	0:9fca2b23d0ba	150
marcozecchini	0:9fca2b23d0ba	151	static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	152	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	153	size_t len )
marcozecchini	0:9fca2b23d0ba	154	{
marcozecchini	0:9fca2b23d0ba	155	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	156	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	157	{
marcozecchini	0:9fca2b23d0ba	158	/* Check verify-data in constant-time. The length OTOH is no secret */
marcozecchini	0:9fca2b23d0ba	159	if( len != 1 + ssl->verify_data_len \|\|
marcozecchini	0:9fca2b23d0ba	160	buf[0] != ssl->verify_data_len \|\|
marcozecchini	0:9fca2b23d0ba	161	mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
marcozecchini	0:9fca2b23d0ba	162	ssl->verify_data_len ) != 0 )
marcozecchini	0:9fca2b23d0ba	163	{
marcozecchini	0:9fca2b23d0ba	164	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
marcozecchini	0:9fca2b23d0ba	165	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	166	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	167	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	168	}
marcozecchini	0:9fca2b23d0ba	169	}
marcozecchini	0:9fca2b23d0ba	170	else
marcozecchini	0:9fca2b23d0ba	171	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	172	{
marcozecchini	0:9fca2b23d0ba	173	if( len != 1 \|\| buf[0] != 0x0 )
marcozecchini	0:9fca2b23d0ba	174	{
marcozecchini	0:9fca2b23d0ba	175	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
marcozecchini	0:9fca2b23d0ba	176	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	177	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	178	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	179	}
marcozecchini	0:9fca2b23d0ba	180
marcozecchini	0:9fca2b23d0ba	181	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
marcozecchini	0:9fca2b23d0ba	182	}
marcozecchini	0:9fca2b23d0ba	183
marcozecchini	0:9fca2b23d0ba	184	return( 0 );
marcozecchini	0:9fca2b23d0ba	185	}
marcozecchini	0:9fca2b23d0ba	186
marcozecchini	0:9fca2b23d0ba	187	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	188	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	189
marcozecchini	0:9fca2b23d0ba	190	/*
marcozecchini	0:9fca2b23d0ba	191	* Status of the implementation of signature-algorithms extension:
marcozecchini	0:9fca2b23d0ba	192	*
marcozecchini	0:9fca2b23d0ba	193	* Currently, we are only considering the signature-algorithm extension
marcozecchini	0:9fca2b23d0ba	194	* to pick a ciphersuite which allows us to send the ServerKeyExchange
marcozecchini	0:9fca2b23d0ba	195	* message with a signature-hash combination that the user allows.
marcozecchini	0:9fca2b23d0ba	196	*
marcozecchini	0:9fca2b23d0ba	197	* We do not check whether all certificates in our certificate
marcozecchini	0:9fca2b23d0ba	198	* chain are signed with an allowed signature-hash pair.
marcozecchini	0:9fca2b23d0ba	199	* This needs to be done at a later stage.
marcozecchini	0:9fca2b23d0ba	200	*
marcozecchini	0:9fca2b23d0ba	201	*/
marcozecchini	0:9fca2b23d0ba	202	static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	203	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	204	size_t len )
marcozecchini	0:9fca2b23d0ba	205	{
marcozecchini	0:9fca2b23d0ba	206	size_t sig_alg_list_size;
marcozecchini	0:9fca2b23d0ba	207
marcozecchini	0:9fca2b23d0ba	208	const unsigned char *p;
marcozecchini	0:9fca2b23d0ba	209	const unsigned char *end = buf + len;
marcozecchini	0:9fca2b23d0ba	210
marcozecchini	0:9fca2b23d0ba	211	mbedtls_md_type_t md_cur;
marcozecchini	0:9fca2b23d0ba	212	mbedtls_pk_type_t sig_cur;
marcozecchini	0:9fca2b23d0ba	213
marcozecchini	0:9fca2b23d0ba	214	sig_alg_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
marcozecchini	0:9fca2b23d0ba	215	if( sig_alg_list_size + 2 != len \|\|
marcozecchini	0:9fca2b23d0ba	216	sig_alg_list_size % 2 != 0 )
marcozecchini	0:9fca2b23d0ba	217	{
marcozecchini	0:9fca2b23d0ba	218	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	219	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	220	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	221	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	222	}
marcozecchini	0:9fca2b23d0ba	223
marcozecchini	0:9fca2b23d0ba	224	/* Currently we only guarantee signing the ServerKeyExchange message according
marcozecchini	0:9fca2b23d0ba	225	* to the constraints specified in this extension (see above), so it suffices
marcozecchini	0:9fca2b23d0ba	226	* to remember only one suitable hash for each possible signature algorithm.
marcozecchini	0:9fca2b23d0ba	227	*
marcozecchini	0:9fca2b23d0ba	228	* This will change when we also consider certificate signatures,
marcozecchini	0:9fca2b23d0ba	229	* in which case we will need to remember the whole signature-hash
marcozecchini	0:9fca2b23d0ba	230	* pair list from the extension.
marcozecchini	0:9fca2b23d0ba	231	*/
marcozecchini	0:9fca2b23d0ba	232
marcozecchini	0:9fca2b23d0ba	233	for( p = buf + 2; p < end; p += 2 )
marcozecchini	0:9fca2b23d0ba	234	{
marcozecchini	0:9fca2b23d0ba	235	/* Silently ignore unknown signature or hash algorithms. */
marcozecchini	0:9fca2b23d0ba	236
marcozecchini	0:9fca2b23d0ba	237	if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
marcozecchini	0:9fca2b23d0ba	238	{
marcozecchini	0:9fca2b23d0ba	239	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
marcozecchini	0:9fca2b23d0ba	240	" unknown sig alg encoding %d", p[1] ) );
marcozecchini	0:9fca2b23d0ba	241	continue;
marcozecchini	0:9fca2b23d0ba	242	}
marcozecchini	0:9fca2b23d0ba	243
marcozecchini	0:9fca2b23d0ba	244	/* Check if we support the hash the user proposes */
marcozecchini	0:9fca2b23d0ba	245	md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
marcozecchini	0:9fca2b23d0ba	246	if( md_cur == MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	247	{
marcozecchini	0:9fca2b23d0ba	248	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
marcozecchini	0:9fca2b23d0ba	249	" unknown hash alg encoding %d", p[0] ) );
marcozecchini	0:9fca2b23d0ba	250	continue;
marcozecchini	0:9fca2b23d0ba	251	}
marcozecchini	0:9fca2b23d0ba	252
marcozecchini	0:9fca2b23d0ba	253	if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
marcozecchini	0:9fca2b23d0ba	254	{
marcozecchini	0:9fca2b23d0ba	255	mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
marcozecchini	0:9fca2b23d0ba	256	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
marcozecchini	0:9fca2b23d0ba	257	" match sig %d and hash %d",
marcozecchini	0:9fca2b23d0ba	258	sig_cur, md_cur ) );
marcozecchini	0:9fca2b23d0ba	259	}
marcozecchini	0:9fca2b23d0ba	260	else
marcozecchini	0:9fca2b23d0ba	261	{
marcozecchini	0:9fca2b23d0ba	262	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
marcozecchini	0:9fca2b23d0ba	263	"hash alg %d not supported", md_cur ) );
marcozecchini	0:9fca2b23d0ba	264	}
marcozecchini	0:9fca2b23d0ba	265	}
marcozecchini	0:9fca2b23d0ba	266
marcozecchini	0:9fca2b23d0ba	267	return( 0 );
marcozecchini	0:9fca2b23d0ba	268	}
marcozecchini	0:9fca2b23d0ba	269	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
marcozecchini	0:9fca2b23d0ba	270	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
marcozecchini	0:9fca2b23d0ba	271
marcozecchini	0:9fca2b23d0ba	272	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	273	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	274	static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	275	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	276	size_t len )
marcozecchini	0:9fca2b23d0ba	277	{
marcozecchini	0:9fca2b23d0ba	278	size_t list_size, our_size;
marcozecchini	0:9fca2b23d0ba	279	const unsigned char *p;
marcozecchini	0:9fca2b23d0ba	280	const mbedtls_ecp_curve_info curve_info, *curves;
marcozecchini	0:9fca2b23d0ba	281
marcozecchini	0:9fca2b23d0ba	282	list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
marcozecchini	0:9fca2b23d0ba	283	if( list_size + 2 != len \|\|
marcozecchini	0:9fca2b23d0ba	284	list_size % 2 != 0 )
marcozecchini	0:9fca2b23d0ba	285	{
marcozecchini	0:9fca2b23d0ba	286	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	287	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	288	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	289	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	290	}
marcozecchini	0:9fca2b23d0ba	291
marcozecchini	0:9fca2b23d0ba	292	/* Should never happen unless client duplicates the extension */
marcozecchini	0:9fca2b23d0ba	293	if( ssl->handshake->curves != NULL )
marcozecchini	0:9fca2b23d0ba	294	{
marcozecchini	0:9fca2b23d0ba	295	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	296	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	297	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	298	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	299	}
marcozecchini	0:9fca2b23d0ba	300
marcozecchini	0:9fca2b23d0ba	301	/* Don't allow our peer to make us allocate too much memory,
marcozecchini	0:9fca2b23d0ba	302	* and leave room for a final 0 */
marcozecchini	0:9fca2b23d0ba	303	our_size = list_size / 2 + 1;
marcozecchini	0:9fca2b23d0ba	304	if( our_size > MBEDTLS_ECP_DP_MAX )
marcozecchini	0:9fca2b23d0ba	305	our_size = MBEDTLS_ECP_DP_MAX;
marcozecchini	0:9fca2b23d0ba	306
marcozecchini	0:9fca2b23d0ba	307	if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
marcozecchini	0:9fca2b23d0ba	308	{
marcozecchini	0:9fca2b23d0ba	309	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	310	MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	311	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
marcozecchini	0:9fca2b23d0ba	312	}
marcozecchini	0:9fca2b23d0ba	313
marcozecchini	0:9fca2b23d0ba	314	ssl->handshake->curves = curves;
marcozecchini	0:9fca2b23d0ba	315
marcozecchini	0:9fca2b23d0ba	316	p = buf + 2;
marcozecchini	0:9fca2b23d0ba	317	while( list_size > 0 && our_size > 1 )
marcozecchini	0:9fca2b23d0ba	318	{
marcozecchini	0:9fca2b23d0ba	319	curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) \| p[1] );
marcozecchini	0:9fca2b23d0ba	320
marcozecchini	0:9fca2b23d0ba	321	if( curve_info != NULL )
marcozecchini	0:9fca2b23d0ba	322	{
marcozecchini	0:9fca2b23d0ba	323	*curves++ = curve_info;
marcozecchini	0:9fca2b23d0ba	324	our_size--;
marcozecchini	0:9fca2b23d0ba	325	}
marcozecchini	0:9fca2b23d0ba	326
marcozecchini	0:9fca2b23d0ba	327	list_size -= 2;
marcozecchini	0:9fca2b23d0ba	328	p += 2;
marcozecchini	0:9fca2b23d0ba	329	}
marcozecchini	0:9fca2b23d0ba	330
marcozecchini	0:9fca2b23d0ba	331	return( 0 );
marcozecchini	0:9fca2b23d0ba	332	}
marcozecchini	0:9fca2b23d0ba	333
marcozecchini	0:9fca2b23d0ba	334	static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	335	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	336	size_t len )
marcozecchini	0:9fca2b23d0ba	337	{
marcozecchini	0:9fca2b23d0ba	338	size_t list_size;
marcozecchini	0:9fca2b23d0ba	339	const unsigned char *p;
marcozecchini	0:9fca2b23d0ba	340
marcozecchini	0:9fca2b23d0ba	341	list_size = buf[0];
marcozecchini	0:9fca2b23d0ba	342	if( list_size + 1 != len )
marcozecchini	0:9fca2b23d0ba	343	{
marcozecchini	0:9fca2b23d0ba	344	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	345	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	346	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	347	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	348	}
marcozecchini	0:9fca2b23d0ba	349
marcozecchini	0:9fca2b23d0ba	350	p = buf + 1;
marcozecchini	0:9fca2b23d0ba	351	while( list_size > 0 )
marcozecchini	0:9fca2b23d0ba	352	{
marcozecchini	0:9fca2b23d0ba	353	if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED \|\|
marcozecchini	0:9fca2b23d0ba	354	p[0] == MBEDTLS_ECP_PF_COMPRESSED )
marcozecchini	0:9fca2b23d0ba	355	{
marcozecchini	0:9fca2b23d0ba	356	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	357	ssl->handshake->ecdh_ctx.point_format = p[0];
marcozecchini	0:9fca2b23d0ba	358	#endif
marcozecchini	0:9fca2b23d0ba	359	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	360	ssl->handshake->ecjpake_ctx.point_format = p[0];
marcozecchini	0:9fca2b23d0ba	361	#endif
marcozecchini	0:9fca2b23d0ba	362	MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
marcozecchini	0:9fca2b23d0ba	363	return( 0 );
marcozecchini	0:9fca2b23d0ba	364	}
marcozecchini	0:9fca2b23d0ba	365
marcozecchini	0:9fca2b23d0ba	366	list_size--;
marcozecchini	0:9fca2b23d0ba	367	p++;
marcozecchini	0:9fca2b23d0ba	368	}
marcozecchini	0:9fca2b23d0ba	369
marcozecchini	0:9fca2b23d0ba	370	return( 0 );
marcozecchini	0:9fca2b23d0ba	371	}
marcozecchini	0:9fca2b23d0ba	372	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
marcozecchini	0:9fca2b23d0ba	373	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	374
marcozecchini	0:9fca2b23d0ba	375	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	376	static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	377	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	378	size_t len )
marcozecchini	0:9fca2b23d0ba	379	{
marcozecchini	0:9fca2b23d0ba	380	int ret;
marcozecchini	0:9fca2b23d0ba	381
marcozecchini	0:9fca2b23d0ba	382	if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
marcozecchini	0:9fca2b23d0ba	383	{
marcozecchini	0:9fca2b23d0ba	384	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
marcozecchini	0:9fca2b23d0ba	385	return( 0 );
marcozecchini	0:9fca2b23d0ba	386	}
marcozecchini	0:9fca2b23d0ba	387
marcozecchini	0:9fca2b23d0ba	388	if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	389	buf, len ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	390	{
marcozecchini	0:9fca2b23d0ba	391	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
marcozecchini	0:9fca2b23d0ba	392	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	393	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	394	return( ret );
marcozecchini	0:9fca2b23d0ba	395	}
marcozecchini	0:9fca2b23d0ba	396
marcozecchini	0:9fca2b23d0ba	397	/* Only mark the extension as OK when we're sure it is */
marcozecchini	0:9fca2b23d0ba	398	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
marcozecchini	0:9fca2b23d0ba	399
marcozecchini	0:9fca2b23d0ba	400	return( 0 );
marcozecchini	0:9fca2b23d0ba	401	}
marcozecchini	0:9fca2b23d0ba	402	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	403
marcozecchini	0:9fca2b23d0ba	404	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	405	static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	406	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	407	size_t len )
marcozecchini	0:9fca2b23d0ba	408	{
marcozecchini	0:9fca2b23d0ba	409	if( len != 1 \|\| buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
marcozecchini	0:9fca2b23d0ba	410	{
marcozecchini	0:9fca2b23d0ba	411	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	412	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	413	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	414	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	415	}
marcozecchini	0:9fca2b23d0ba	416
marcozecchini	0:9fca2b23d0ba	417	ssl->session_negotiate->mfl_code = buf[0];
marcozecchini	0:9fca2b23d0ba	418
marcozecchini	0:9fca2b23d0ba	419	return( 0 );
marcozecchini	0:9fca2b23d0ba	420	}
marcozecchini	0:9fca2b23d0ba	421	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
marcozecchini	0:9fca2b23d0ba	422
marcozecchini	0:9fca2b23d0ba	423	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	424	static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	425	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	426	size_t len )
marcozecchini	0:9fca2b23d0ba	427	{
marcozecchini	0:9fca2b23d0ba	428	if( len != 0 )
marcozecchini	0:9fca2b23d0ba	429	{
marcozecchini	0:9fca2b23d0ba	430	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	431	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	432	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	433	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	434	}
marcozecchini	0:9fca2b23d0ba	435
marcozecchini	0:9fca2b23d0ba	436	((void) buf);
marcozecchini	0:9fca2b23d0ba	437
marcozecchini	0:9fca2b23d0ba	438	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
marcozecchini	0:9fca2b23d0ba	439	ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
marcozecchini	0:9fca2b23d0ba	440
marcozecchini	0:9fca2b23d0ba	441	return( 0 );
marcozecchini	0:9fca2b23d0ba	442	}
marcozecchini	0:9fca2b23d0ba	443	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
marcozecchini	0:9fca2b23d0ba	444
marcozecchini	0:9fca2b23d0ba	445	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	446	static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	447	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	448	size_t len )
marcozecchini	0:9fca2b23d0ba	449	{
marcozecchini	0:9fca2b23d0ba	450	if( len != 0 )
marcozecchini	0:9fca2b23d0ba	451	{
marcozecchini	0:9fca2b23d0ba	452	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	453	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	454	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	455	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	456	}
marcozecchini	0:9fca2b23d0ba	457
marcozecchini	0:9fca2b23d0ba	458	((void) buf);
marcozecchini	0:9fca2b23d0ba	459
marcozecchini	0:9fca2b23d0ba	460	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
marcozecchini	0:9fca2b23d0ba	461	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
marcozecchini	0:9fca2b23d0ba	462	{
marcozecchini	0:9fca2b23d0ba	463	ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
marcozecchini	0:9fca2b23d0ba	464	}
marcozecchini	0:9fca2b23d0ba	465
marcozecchini	0:9fca2b23d0ba	466	return( 0 );
marcozecchini	0:9fca2b23d0ba	467	}
marcozecchini	0:9fca2b23d0ba	468	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
marcozecchini	0:9fca2b23d0ba	469
marcozecchini	0:9fca2b23d0ba	470	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	471	static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	472	const unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	473	size_t len )
marcozecchini	0:9fca2b23d0ba	474	{
marcozecchini	0:9fca2b23d0ba	475	if( len != 0 )
marcozecchini	0:9fca2b23d0ba	476	{
marcozecchini	0:9fca2b23d0ba	477	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	478	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	479	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	480	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	481	}
marcozecchini	0:9fca2b23d0ba	482
marcozecchini	0:9fca2b23d0ba	483	((void) buf);
marcozecchini	0:9fca2b23d0ba	484
marcozecchini	0:9fca2b23d0ba	485	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
marcozecchini	0:9fca2b23d0ba	486	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
marcozecchini	0:9fca2b23d0ba	487	{
marcozecchini	0:9fca2b23d0ba	488	ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
marcozecchini	0:9fca2b23d0ba	489	}
marcozecchini	0:9fca2b23d0ba	490
marcozecchini	0:9fca2b23d0ba	491	return( 0 );
marcozecchini	0:9fca2b23d0ba	492	}
marcozecchini	0:9fca2b23d0ba	493	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
marcozecchini	0:9fca2b23d0ba	494
marcozecchini	0:9fca2b23d0ba	495	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	496	static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	497	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	498	size_t len )
marcozecchini	0:9fca2b23d0ba	499	{
marcozecchini	0:9fca2b23d0ba	500	int ret;
marcozecchini	0:9fca2b23d0ba	501	mbedtls_ssl_session session;
marcozecchini	0:9fca2b23d0ba	502
marcozecchini	0:9fca2b23d0ba	503	mbedtls_ssl_session_init( &session );
marcozecchini	0:9fca2b23d0ba	504
marcozecchini	0:9fca2b23d0ba	505	if( ssl->conf->f_ticket_parse == NULL \|\|
marcozecchini	0:9fca2b23d0ba	506	ssl->conf->f_ticket_write == NULL )
marcozecchini	0:9fca2b23d0ba	507	{
marcozecchini	0:9fca2b23d0ba	508	return( 0 );
marcozecchini	0:9fca2b23d0ba	509	}
marcozecchini	0:9fca2b23d0ba	510
marcozecchini	0:9fca2b23d0ba	511	/* Remember the client asked us to send a new ticket */
marcozecchini	0:9fca2b23d0ba	512	ssl->handshake->new_session_ticket = 1;
marcozecchini	0:9fca2b23d0ba	513
marcozecchini	0:9fca2b23d0ba	514	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
marcozecchini	0:9fca2b23d0ba	515
marcozecchini	0:9fca2b23d0ba	516	if( len == 0 )
marcozecchini	0:9fca2b23d0ba	517	return( 0 );
marcozecchini	0:9fca2b23d0ba	518
marcozecchini	0:9fca2b23d0ba	519	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	520	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	521	{
marcozecchini	0:9fca2b23d0ba	522	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
marcozecchini	0:9fca2b23d0ba	523	return( 0 );
marcozecchini	0:9fca2b23d0ba	524	}
marcozecchini	0:9fca2b23d0ba	525	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	526
marcozecchini	0:9fca2b23d0ba	527	/*
marcozecchini	0:9fca2b23d0ba	528	* Failures are ok: just ignore the ticket and proceed.
marcozecchini	0:9fca2b23d0ba	529	*/
marcozecchini	0:9fca2b23d0ba	530	if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
marcozecchini	0:9fca2b23d0ba	531	buf, len ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	532	{
marcozecchini	0:9fca2b23d0ba	533	mbedtls_ssl_session_free( &session );
marcozecchini	0:9fca2b23d0ba	534
marcozecchini	0:9fca2b23d0ba	535	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
marcozecchini	0:9fca2b23d0ba	536	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
marcozecchini	0:9fca2b23d0ba	537	else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
marcozecchini	0:9fca2b23d0ba	538	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
marcozecchini	0:9fca2b23d0ba	539	else
marcozecchini	0:9fca2b23d0ba	540	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
marcozecchini	0:9fca2b23d0ba	541
marcozecchini	0:9fca2b23d0ba	542	return( 0 );
marcozecchini	0:9fca2b23d0ba	543	}
marcozecchini	0:9fca2b23d0ba	544
marcozecchini	0:9fca2b23d0ba	545	/*
marcozecchini	0:9fca2b23d0ba	546	* Keep the session ID sent by the client, since we MUST send it back to
marcozecchini	0:9fca2b23d0ba	547	* inform them we're accepting the ticket (RFC 5077 section 3.4)
marcozecchini	0:9fca2b23d0ba	548	*/
marcozecchini	0:9fca2b23d0ba	549	session.id_len = ssl->session_negotiate->id_len;
marcozecchini	0:9fca2b23d0ba	550	memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
marcozecchini	0:9fca2b23d0ba	551
marcozecchini	0:9fca2b23d0ba	552	mbedtls_ssl_session_free( ssl->session_negotiate );
marcozecchini	0:9fca2b23d0ba	553	memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
marcozecchini	0:9fca2b23d0ba	554
marcozecchini	0:9fca2b23d0ba	555	/* Zeroize instead of free as we copied the content */
marcozecchini	0:9fca2b23d0ba	556	mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
marcozecchini	0:9fca2b23d0ba	557
marcozecchini	0:9fca2b23d0ba	558	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
marcozecchini	0:9fca2b23d0ba	559
marcozecchini	0:9fca2b23d0ba	560	ssl->handshake->resume = 1;
marcozecchini	0:9fca2b23d0ba	561
marcozecchini	0:9fca2b23d0ba	562	/* Don't send a new ticket after all, this one is OK */
marcozecchini	0:9fca2b23d0ba	563	ssl->handshake->new_session_ticket = 0;
marcozecchini	0:9fca2b23d0ba	564
marcozecchini	0:9fca2b23d0ba	565	return( 0 );
marcozecchini	0:9fca2b23d0ba	566	}
marcozecchini	0:9fca2b23d0ba	567	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	568
marcozecchini	0:9fca2b23d0ba	569	#if defined(MBEDTLS_SSL_ALPN)
marcozecchini	0:9fca2b23d0ba	570	static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	571	const unsigned char *buf, size_t len )
marcozecchini	0:9fca2b23d0ba	572	{
marcozecchini	0:9fca2b23d0ba	573	size_t list_len, cur_len, ours_len;
marcozecchini	0:9fca2b23d0ba	574	const unsigned char theirs, start, *end;
marcozecchini	0:9fca2b23d0ba	575	const char **ours;
marcozecchini	0:9fca2b23d0ba	576
marcozecchini	0:9fca2b23d0ba	577	/* If ALPN not configured, just ignore the extension */
marcozecchini	0:9fca2b23d0ba	578	if( ssl->conf->alpn_list == NULL )
marcozecchini	0:9fca2b23d0ba	579	return( 0 );
marcozecchini	0:9fca2b23d0ba	580
marcozecchini	0:9fca2b23d0ba	581	/*
marcozecchini	0:9fca2b23d0ba	582	* opaque ProtocolName<1..2^8-1>;
marcozecchini	0:9fca2b23d0ba	583	*
marcozecchini	0:9fca2b23d0ba	584	* struct {
marcozecchini	0:9fca2b23d0ba	585	* ProtocolName protocol_name_list<2..2^16-1>
marcozecchini	0:9fca2b23d0ba	586	* } ProtocolNameList;
marcozecchini	0:9fca2b23d0ba	587	*/
marcozecchini	0:9fca2b23d0ba	588
marcozecchini	0:9fca2b23d0ba	589	/* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
marcozecchini	0:9fca2b23d0ba	590	if( len < 4 )
marcozecchini	0:9fca2b23d0ba	591	{
marcozecchini	0:9fca2b23d0ba	592	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	593	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	594	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	595	}
marcozecchini	0:9fca2b23d0ba	596
marcozecchini	0:9fca2b23d0ba	597	list_len = ( buf[0] << 8 ) \| buf[1];
marcozecchini	0:9fca2b23d0ba	598	if( list_len != len - 2 )
marcozecchini	0:9fca2b23d0ba	599	{
marcozecchini	0:9fca2b23d0ba	600	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	601	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	602	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	603	}
marcozecchini	0:9fca2b23d0ba	604
marcozecchini	0:9fca2b23d0ba	605	/*
marcozecchini	0:9fca2b23d0ba	606	* Use our order of preference
marcozecchini	0:9fca2b23d0ba	607	*/
marcozecchini	0:9fca2b23d0ba	608	start = buf + 2;
marcozecchini	0:9fca2b23d0ba	609	end = buf + len;
marcozecchini	0:9fca2b23d0ba	610	for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
marcozecchini	0:9fca2b23d0ba	611	{
marcozecchini	0:9fca2b23d0ba	612	ours_len = strlen( *ours );
marcozecchini	0:9fca2b23d0ba	613	for( theirs = start; theirs != end; theirs += cur_len )
marcozecchini	0:9fca2b23d0ba	614	{
marcozecchini	0:9fca2b23d0ba	615	/* If the list is well formed, we should get equality first */
marcozecchini	0:9fca2b23d0ba	616	if( theirs > end )
marcozecchini	0:9fca2b23d0ba	617	{
marcozecchini	0:9fca2b23d0ba	618	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	619	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	620	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	621	}
marcozecchini	0:9fca2b23d0ba	622
marcozecchini	0:9fca2b23d0ba	623	cur_len = *theirs++;
marcozecchini	0:9fca2b23d0ba	624
marcozecchini	0:9fca2b23d0ba	625	/* Empty strings MUST NOT be included */
marcozecchini	0:9fca2b23d0ba	626	if( cur_len == 0 )
marcozecchini	0:9fca2b23d0ba	627	{
marcozecchini	0:9fca2b23d0ba	628	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	629	MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
marcozecchini	0:9fca2b23d0ba	630	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	631	}
marcozecchini	0:9fca2b23d0ba	632
marcozecchini	0:9fca2b23d0ba	633	if( cur_len == ours_len &&
marcozecchini	0:9fca2b23d0ba	634	memcmp( theirs, *ours, cur_len ) == 0 )
marcozecchini	0:9fca2b23d0ba	635	{
marcozecchini	0:9fca2b23d0ba	636	ssl->alpn_chosen = *ours;
marcozecchini	0:9fca2b23d0ba	637	return( 0 );
marcozecchini	0:9fca2b23d0ba	638	}
marcozecchini	0:9fca2b23d0ba	639	}
marcozecchini	0:9fca2b23d0ba	640	}
marcozecchini	0:9fca2b23d0ba	641
marcozecchini	0:9fca2b23d0ba	642	/* If we get there, no match was found */
marcozecchini	0:9fca2b23d0ba	643	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	644	MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
marcozecchini	0:9fca2b23d0ba	645	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	646	}
marcozecchini	0:9fca2b23d0ba	647	#endif /* MBEDTLS_SSL_ALPN */
marcozecchini	0:9fca2b23d0ba	648
marcozecchini	0:9fca2b23d0ba	649	/*
marcozecchini	0:9fca2b23d0ba	650	* Auxiliary functions for ServerHello parsing and related actions
marcozecchini	0:9fca2b23d0ba	651	*/
marcozecchini	0:9fca2b23d0ba	652
marcozecchini	0:9fca2b23d0ba	653	#if defined(MBEDTLS_X509_CRT_PARSE_C)
marcozecchini	0:9fca2b23d0ba	654	/*
marcozecchini	0:9fca2b23d0ba	655	* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
marcozecchini	0:9fca2b23d0ba	656	*/
marcozecchini	0:9fca2b23d0ba	657	#if defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	658	static int ssl_check_key_curve( mbedtls_pk_context *pk,
marcozecchini	0:9fca2b23d0ba	659	const mbedtls_ecp_curve_info **curves )
marcozecchini	0:9fca2b23d0ba	660	{
marcozecchini	0:9fca2b23d0ba	661	const mbedtls_ecp_curve_info **crv = curves;
marcozecchini	0:9fca2b23d0ba	662	mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
marcozecchini	0:9fca2b23d0ba	663
marcozecchini	0:9fca2b23d0ba	664	while( *crv != NULL )
marcozecchini	0:9fca2b23d0ba	665	{
marcozecchini	0:9fca2b23d0ba	666	if( (*crv)->grp_id == grp_id )
marcozecchini	0:9fca2b23d0ba	667	return( 0 );
marcozecchini	0:9fca2b23d0ba	668	crv++;
marcozecchini	0:9fca2b23d0ba	669	}
marcozecchini	0:9fca2b23d0ba	670
marcozecchini	0:9fca2b23d0ba	671	return( -1 );
marcozecchini	0:9fca2b23d0ba	672	}
marcozecchini	0:9fca2b23d0ba	673	#endif /* MBEDTLS_ECDSA_C */
marcozecchini	0:9fca2b23d0ba	674
marcozecchini	0:9fca2b23d0ba	675	/*
marcozecchini	0:9fca2b23d0ba	676	* Try picking a certificate for this ciphersuite,
marcozecchini	0:9fca2b23d0ba	677	* return 0 on success and -1 on failure.
marcozecchini	0:9fca2b23d0ba	678	*/
marcozecchini	0:9fca2b23d0ba	679	static int ssl_pick_cert( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	680	const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
marcozecchini	0:9fca2b23d0ba	681	{
marcozecchini	0:9fca2b23d0ba	682	mbedtls_ssl_key_cert cur, list, *fallback = NULL;
marcozecchini	0:9fca2b23d0ba	683	mbedtls_pk_type_t pk_alg =
marcozecchini	0:9fca2b23d0ba	684	mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
marcozecchini	0:9fca2b23d0ba	685	uint32_t flags;
marcozecchini	0:9fca2b23d0ba	686
marcozecchini	0:9fca2b23d0ba	687	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
marcozecchini	0:9fca2b23d0ba	688	if( ssl->handshake->sni_key_cert != NULL )
marcozecchini	0:9fca2b23d0ba	689	list = ssl->handshake->sni_key_cert;
marcozecchini	0:9fca2b23d0ba	690	else
marcozecchini	0:9fca2b23d0ba	691	#endif
marcozecchini	0:9fca2b23d0ba	692	list = ssl->conf->key_cert;
marcozecchini	0:9fca2b23d0ba	693
marcozecchini	0:9fca2b23d0ba	694	if( pk_alg == MBEDTLS_PK_NONE )
marcozecchini	0:9fca2b23d0ba	695	return( 0 );
marcozecchini	0:9fca2b23d0ba	696
marcozecchini	0:9fca2b23d0ba	697	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
marcozecchini	0:9fca2b23d0ba	698
marcozecchini	0:9fca2b23d0ba	699	if( list == NULL )
marcozecchini	0:9fca2b23d0ba	700	{
marcozecchini	0:9fca2b23d0ba	701	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
marcozecchini	0:9fca2b23d0ba	702	return( -1 );
marcozecchini	0:9fca2b23d0ba	703	}
marcozecchini	0:9fca2b23d0ba	704
marcozecchini	0:9fca2b23d0ba	705	for( cur = list; cur != NULL; cur = cur->next )
marcozecchini	0:9fca2b23d0ba	706	{
marcozecchini	0:9fca2b23d0ba	707	MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
marcozecchini	0:9fca2b23d0ba	708	cur->cert );
marcozecchini	0:9fca2b23d0ba	709
marcozecchini	0:9fca2b23d0ba	710	if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
marcozecchini	0:9fca2b23d0ba	711	{
marcozecchini	0:9fca2b23d0ba	712	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
marcozecchini	0:9fca2b23d0ba	713	continue;
marcozecchini	0:9fca2b23d0ba	714	}
marcozecchini	0:9fca2b23d0ba	715
marcozecchini	0:9fca2b23d0ba	716	/*
marcozecchini	0:9fca2b23d0ba	717	* This avoids sending the client a cert it'll reject based on
marcozecchini	0:9fca2b23d0ba	718	* keyUsage or other extensions.
marcozecchini	0:9fca2b23d0ba	719	*
marcozecchini	0:9fca2b23d0ba	720	* It also allows the user to provision different certificates for
marcozecchini	0:9fca2b23d0ba	721	* different uses based on keyUsage, eg if they want to avoid signing
marcozecchini	0:9fca2b23d0ba	722	* and decrypting with the same RSA key.
marcozecchini	0:9fca2b23d0ba	723	*/
marcozecchini	0:9fca2b23d0ba	724	if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
marcozecchini	0:9fca2b23d0ba	725	MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
marcozecchini	0:9fca2b23d0ba	726	{
marcozecchini	0:9fca2b23d0ba	727	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
marcozecchini	0:9fca2b23d0ba	728	"(extended) key usage extension" ) );
marcozecchini	0:9fca2b23d0ba	729	continue;
marcozecchini	0:9fca2b23d0ba	730	}
marcozecchini	0:9fca2b23d0ba	731
marcozecchini	0:9fca2b23d0ba	732	#if defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	733	if( pk_alg == MBEDTLS_PK_ECDSA &&
marcozecchini	0:9fca2b23d0ba	734	ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
marcozecchini	0:9fca2b23d0ba	735	{
marcozecchini	0:9fca2b23d0ba	736	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
marcozecchini	0:9fca2b23d0ba	737	continue;
marcozecchini	0:9fca2b23d0ba	738	}
marcozecchini	0:9fca2b23d0ba	739	#endif
marcozecchini	0:9fca2b23d0ba	740
marcozecchini	0:9fca2b23d0ba	741	/*
marcozecchini	0:9fca2b23d0ba	742	* Try to select a SHA-1 certificate for pre-1.2 clients, but still
marcozecchini	0:9fca2b23d0ba	743	* present them a SHA-higher cert rather than failing if it's the only
marcozecchini	0:9fca2b23d0ba	744	* one we got that satisfies the other conditions.
marcozecchini	0:9fca2b23d0ba	745	*/
marcozecchini	0:9fca2b23d0ba	746	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
marcozecchini	0:9fca2b23d0ba	747	cur->cert->sig_md != MBEDTLS_MD_SHA1 )
marcozecchini	0:9fca2b23d0ba	748	{
marcozecchini	0:9fca2b23d0ba	749	if( fallback == NULL )
marcozecchini	0:9fca2b23d0ba	750	fallback = cur;
marcozecchini	0:9fca2b23d0ba	751	{
marcozecchini	0:9fca2b23d0ba	752	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
marcozecchini	0:9fca2b23d0ba	753	"sha-2 with pre-TLS 1.2 client" ) );
marcozecchini	0:9fca2b23d0ba	754	continue;
marcozecchini	0:9fca2b23d0ba	755	}
marcozecchini	0:9fca2b23d0ba	756	}
marcozecchini	0:9fca2b23d0ba	757
marcozecchini	0:9fca2b23d0ba	758	/* If we get there, we got a winner */
marcozecchini	0:9fca2b23d0ba	759	break;
marcozecchini	0:9fca2b23d0ba	760	}
marcozecchini	0:9fca2b23d0ba	761
marcozecchini	0:9fca2b23d0ba	762	if( cur == NULL )
marcozecchini	0:9fca2b23d0ba	763	cur = fallback;
marcozecchini	0:9fca2b23d0ba	764
marcozecchini	0:9fca2b23d0ba	765	/* Do not update ssl->handshake->key_cert unless there is a match */
marcozecchini	0:9fca2b23d0ba	766	if( cur != NULL )
marcozecchini	0:9fca2b23d0ba	767	{
marcozecchini	0:9fca2b23d0ba	768	ssl->handshake->key_cert = cur;
marcozecchini	0:9fca2b23d0ba	769	MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
marcozecchini	0:9fca2b23d0ba	770	ssl->handshake->key_cert->cert );
marcozecchini	0:9fca2b23d0ba	771	return( 0 );
marcozecchini	0:9fca2b23d0ba	772	}
marcozecchini	0:9fca2b23d0ba	773
marcozecchini	0:9fca2b23d0ba	774	return( -1 );
marcozecchini	0:9fca2b23d0ba	775	}
marcozecchini	0:9fca2b23d0ba	776	#endif /* MBEDTLS_X509_CRT_PARSE_C */
marcozecchini	0:9fca2b23d0ba	777
marcozecchini	0:9fca2b23d0ba	778	/*
marcozecchini	0:9fca2b23d0ba	779	* Check if a given ciphersuite is suitable for use with our config/keys/etc
marcozecchini	0:9fca2b23d0ba	780	* Sets ciphersuite_info only if the suite matches.
marcozecchini	0:9fca2b23d0ba	781	*/
marcozecchini	0:9fca2b23d0ba	782	static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
marcozecchini	0:9fca2b23d0ba	783	const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
marcozecchini	0:9fca2b23d0ba	784	{
marcozecchini	0:9fca2b23d0ba	785	const mbedtls_ssl_ciphersuite_t *suite_info;
marcozecchini	0:9fca2b23d0ba	786
marcozecchini	0:9fca2b23d0ba	787	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	788	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	789	mbedtls_pk_type_t sig_type;
marcozecchini	0:9fca2b23d0ba	790	#endif
marcozecchini	0:9fca2b23d0ba	791
marcozecchini	0:9fca2b23d0ba	792	suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
marcozecchini	0:9fca2b23d0ba	793	if( suite_info == NULL )
marcozecchini	0:9fca2b23d0ba	794	{
marcozecchini	0:9fca2b23d0ba	795	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	796	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	797	}
marcozecchini	0:9fca2b23d0ba	798
marcozecchini	0:9fca2b23d0ba	799	MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
marcozecchini	0:9fca2b23d0ba	800
marcozecchini	0:9fca2b23d0ba	801	if( suite_info->min_minor_ver > ssl->minor_ver \|\|
marcozecchini	0:9fca2b23d0ba	802	suite_info->max_minor_ver < ssl->minor_ver )
marcozecchini	0:9fca2b23d0ba	803	{
marcozecchini	0:9fca2b23d0ba	804	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
marcozecchini	0:9fca2b23d0ba	805	return( 0 );
marcozecchini	0:9fca2b23d0ba	806	}
marcozecchini	0:9fca2b23d0ba	807
marcozecchini	0:9fca2b23d0ba	808	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	809	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
marcozecchini	0:9fca2b23d0ba	810	( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
marcozecchini	0:9fca2b23d0ba	811	return( 0 );
marcozecchini	0:9fca2b23d0ba	812	#endif
marcozecchini	0:9fca2b23d0ba	813
marcozecchini	0:9fca2b23d0ba	814	#if defined(MBEDTLS_ARC4_C)
marcozecchini	0:9fca2b23d0ba	815	if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
marcozecchini	0:9fca2b23d0ba	816	suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
marcozecchini	0:9fca2b23d0ba	817	{
marcozecchini	0:9fca2b23d0ba	818	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
marcozecchini	0:9fca2b23d0ba	819	return( 0 );
marcozecchini	0:9fca2b23d0ba	820	}
marcozecchini	0:9fca2b23d0ba	821	#endif
marcozecchini	0:9fca2b23d0ba	822
marcozecchini	0:9fca2b23d0ba	823	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	824	if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
marcozecchini	0:9fca2b23d0ba	825	( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
marcozecchini	0:9fca2b23d0ba	826	{
marcozecchini	0:9fca2b23d0ba	827	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
marcozecchini	0:9fca2b23d0ba	828	"not configured or ext missing" ) );
marcozecchini	0:9fca2b23d0ba	829	return( 0 );
marcozecchini	0:9fca2b23d0ba	830	}
marcozecchini	0:9fca2b23d0ba	831	#endif
marcozecchini	0:9fca2b23d0ba	832
marcozecchini	0:9fca2b23d0ba	833
marcozecchini	0:9fca2b23d0ba	834	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	835	if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
marcozecchini	0:9fca2b23d0ba	836	( ssl->handshake->curves == NULL \|\|
marcozecchini	0:9fca2b23d0ba	837	ssl->handshake->curves[0] == NULL ) )
marcozecchini	0:9fca2b23d0ba	838	{
marcozecchini	0:9fca2b23d0ba	839	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
marcozecchini	0:9fca2b23d0ba	840	"no common elliptic curve" ) );
marcozecchini	0:9fca2b23d0ba	841	return( 0 );
marcozecchini	0:9fca2b23d0ba	842	}
marcozecchini	0:9fca2b23d0ba	843	#endif
marcozecchini	0:9fca2b23d0ba	844
marcozecchini	0:9fca2b23d0ba	845	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	846	/* If the ciphersuite requires a pre-shared key and we don't
marcozecchini	0:9fca2b23d0ba	847	* have one, skip it now rather than failing later */
marcozecchini	0:9fca2b23d0ba	848	if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
marcozecchini	0:9fca2b23d0ba	849	ssl->conf->f_psk == NULL &&
marcozecchini	0:9fca2b23d0ba	850	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
marcozecchini	0:9fca2b23d0ba	851	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
marcozecchini	0:9fca2b23d0ba	852	{
marcozecchini	0:9fca2b23d0ba	853	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
marcozecchini	0:9fca2b23d0ba	854	return( 0 );
marcozecchini	0:9fca2b23d0ba	855	}
marcozecchini	0:9fca2b23d0ba	856	#endif
marcozecchini	0:9fca2b23d0ba	857
marcozecchini	0:9fca2b23d0ba	858	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	859	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	860	/* If the ciphersuite requires signing, check whether
marcozecchini	0:9fca2b23d0ba	861	* a suitable hash algorithm is present. */
marcozecchini	0:9fca2b23d0ba	862	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	863	{
marcozecchini	0:9fca2b23d0ba	864	sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
marcozecchini	0:9fca2b23d0ba	865	if( sig_type != MBEDTLS_PK_NONE &&
marcozecchini	0:9fca2b23d0ba	866	mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	867	{
marcozecchini	0:9fca2b23d0ba	868	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
marcozecchini	0:9fca2b23d0ba	869	"for signature algorithm %d", sig_type ) );
marcozecchini	0:9fca2b23d0ba	870	return( 0 );
marcozecchini	0:9fca2b23d0ba	871	}
marcozecchini	0:9fca2b23d0ba	872	}
marcozecchini	0:9fca2b23d0ba	873
marcozecchini	0:9fca2b23d0ba	874	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
marcozecchini	0:9fca2b23d0ba	875	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
marcozecchini	0:9fca2b23d0ba	876
marcozecchini	0:9fca2b23d0ba	877	#if defined(MBEDTLS_X509_CRT_PARSE_C)
marcozecchini	0:9fca2b23d0ba	878	/*
marcozecchini	0:9fca2b23d0ba	879	* Final check: if ciphersuite requires us to have a
marcozecchini	0:9fca2b23d0ba	880	* certificate/key of a particular type:
marcozecchini	0:9fca2b23d0ba	881	* - select the appropriate certificate if we have one, or
marcozecchini	0:9fca2b23d0ba	882	* - try the next ciphersuite if we don't
marcozecchini	0:9fca2b23d0ba	883	* This must be done last since we modify the key_cert list.
marcozecchini	0:9fca2b23d0ba	884	*/
marcozecchini	0:9fca2b23d0ba	885	if( ssl_pick_cert( ssl, suite_info ) != 0 )
marcozecchini	0:9fca2b23d0ba	886	{
marcozecchini	0:9fca2b23d0ba	887	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
marcozecchini	0:9fca2b23d0ba	888	"no suitable certificate" ) );
marcozecchini	0:9fca2b23d0ba	889	return( 0 );
marcozecchini	0:9fca2b23d0ba	890	}
marcozecchini	0:9fca2b23d0ba	891	#endif
marcozecchini	0:9fca2b23d0ba	892
marcozecchini	0:9fca2b23d0ba	893	*ciphersuite_info = suite_info;
marcozecchini	0:9fca2b23d0ba	894	return( 0 );
marcozecchini	0:9fca2b23d0ba	895	}
marcozecchini	0:9fca2b23d0ba	896
marcozecchini	0:9fca2b23d0ba	897	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
marcozecchini	0:9fca2b23d0ba	898	static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	899	{
marcozecchini	0:9fca2b23d0ba	900	int ret, got_common_suite;
marcozecchini	0:9fca2b23d0ba	901	unsigned int i, j;
marcozecchini	0:9fca2b23d0ba	902	size_t n;
marcozecchini	0:9fca2b23d0ba	903	unsigned int ciph_len, sess_len, chal_len;
marcozecchini	0:9fca2b23d0ba	904	unsigned char buf, p;
marcozecchini	0:9fca2b23d0ba	905	const int *ciphersuites;
marcozecchini	0:9fca2b23d0ba	906	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	907
marcozecchini	0:9fca2b23d0ba	908	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
marcozecchini	0:9fca2b23d0ba	909
marcozecchini	0:9fca2b23d0ba	910	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	911	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	912	{
marcozecchini	0:9fca2b23d0ba	913	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
marcozecchini	0:9fca2b23d0ba	914	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	915	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	916	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	917	}
marcozecchini	0:9fca2b23d0ba	918	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	919
marcozecchini	0:9fca2b23d0ba	920	buf = ssl->in_hdr;
marcozecchini	0:9fca2b23d0ba	921
marcozecchini	0:9fca2b23d0ba	922	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
marcozecchini	0:9fca2b23d0ba	923
marcozecchini	0:9fca2b23d0ba	924	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
marcozecchini	0:9fca2b23d0ba	925	buf[2] ) );
marcozecchini	0:9fca2b23d0ba	926	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
marcozecchini	0:9fca2b23d0ba	927	( ( buf[0] & 0x7F ) << 8 ) \| buf[1] ) );
marcozecchini	0:9fca2b23d0ba	928	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
marcozecchini	0:9fca2b23d0ba	929	buf[3], buf[4] ) );
marcozecchini	0:9fca2b23d0ba	930
marcozecchini	0:9fca2b23d0ba	931	/*
marcozecchini	0:9fca2b23d0ba	932	* SSLv2 Client Hello
marcozecchini	0:9fca2b23d0ba	933	*
marcozecchini	0:9fca2b23d0ba	934	* Record layer:
marcozecchini	0:9fca2b23d0ba	935	* 0 . 1 message length
marcozecchini	0:9fca2b23d0ba	936	*
marcozecchini	0:9fca2b23d0ba	937	* SSL layer:
marcozecchini	0:9fca2b23d0ba	938	* 2 . 2 message type
marcozecchini	0:9fca2b23d0ba	939	* 3 . 4 protocol version
marcozecchini	0:9fca2b23d0ba	940	*/
marcozecchini	0:9fca2b23d0ba	941	if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO \|\|
marcozecchini	0:9fca2b23d0ba	942	buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	943	{
marcozecchini	0:9fca2b23d0ba	944	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	945	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	946	}
marcozecchini	0:9fca2b23d0ba	947
marcozecchini	0:9fca2b23d0ba	948	n = ( ( buf[0] << 8 ) \| buf[1] ) & 0x7FFF;
marcozecchini	0:9fca2b23d0ba	949
marcozecchini	0:9fca2b23d0ba	950	if( n < 17 \|\| n > 512 )
marcozecchini	0:9fca2b23d0ba	951	{
marcozecchini	0:9fca2b23d0ba	952	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	953	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	954	}
marcozecchini	0:9fca2b23d0ba	955
marcozecchini	0:9fca2b23d0ba	956	ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
marcozecchini	0:9fca2b23d0ba	957	ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
marcozecchini	0:9fca2b23d0ba	958	? buf[4] : ssl->conf->max_minor_ver;
marcozecchini	0:9fca2b23d0ba	959
marcozecchini	0:9fca2b23d0ba	960	if( ssl->minor_ver < ssl->conf->min_minor_ver )
marcozecchini	0:9fca2b23d0ba	961	{
marcozecchini	0:9fca2b23d0ba	962	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
marcozecchini	0:9fca2b23d0ba	963	" [%d:%d] < [%d:%d]",
marcozecchini	0:9fca2b23d0ba	964	ssl->major_ver, ssl->minor_ver,
marcozecchini	0:9fca2b23d0ba	965	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
marcozecchini	0:9fca2b23d0ba	966
marcozecchini	0:9fca2b23d0ba	967	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	968	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	969	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	970	}
marcozecchini	0:9fca2b23d0ba	971
marcozecchini	0:9fca2b23d0ba	972	ssl->handshake->max_major_ver = buf[3];
marcozecchini	0:9fca2b23d0ba	973	ssl->handshake->max_minor_ver = buf[4];
marcozecchini	0:9fca2b23d0ba	974
marcozecchini	0:9fca2b23d0ba	975	if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	976	{
marcozecchini	0:9fca2b23d0ba	977	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
marcozecchini	0:9fca2b23d0ba	978	return( ret );
marcozecchini	0:9fca2b23d0ba	979	}
marcozecchini	0:9fca2b23d0ba	980
marcozecchini	0:9fca2b23d0ba	981	ssl->handshake->update_checksum( ssl, buf + 2, n );
marcozecchini	0:9fca2b23d0ba	982
marcozecchini	0:9fca2b23d0ba	983	buf = ssl->in_msg;
marcozecchini	0:9fca2b23d0ba	984	n = ssl->in_left - 5;
marcozecchini	0:9fca2b23d0ba	985
marcozecchini	0:9fca2b23d0ba	986	/*
marcozecchini	0:9fca2b23d0ba	987	* 0 . 1 ciphersuitelist length
marcozecchini	0:9fca2b23d0ba	988	* 2 . 3 session id length
marcozecchini	0:9fca2b23d0ba	989	* 4 . 5 challenge length
marcozecchini	0:9fca2b23d0ba	990	* 6 . .. ciphersuitelist
marcozecchini	0:9fca2b23d0ba	991	* .. . .. session id
marcozecchini	0:9fca2b23d0ba	992	* .. . .. challenge
marcozecchini	0:9fca2b23d0ba	993	*/
marcozecchini	0:9fca2b23d0ba	994	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
marcozecchini	0:9fca2b23d0ba	995
marcozecchini	0:9fca2b23d0ba	996	ciph_len = ( buf[0] << 8 ) \| buf[1];
marcozecchini	0:9fca2b23d0ba	997	sess_len = ( buf[2] << 8 ) \| buf[3];
marcozecchini	0:9fca2b23d0ba	998	chal_len = ( buf[4] << 8 ) \| buf[5];
marcozecchini	0:9fca2b23d0ba	999
marcozecchini	0:9fca2b23d0ba	1000	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
marcozecchini	0:9fca2b23d0ba	1001	ciph_len, sess_len, chal_len ) );
marcozecchini	0:9fca2b23d0ba	1002
marcozecchini	0:9fca2b23d0ba	1003	/*
marcozecchini	0:9fca2b23d0ba	1004	* Make sure each parameter length is valid
marcozecchini	0:9fca2b23d0ba	1005	*/
marcozecchini	0:9fca2b23d0ba	1006	if( ciph_len < 3 \|\| ( ciph_len % 3 ) != 0 )
marcozecchini	0:9fca2b23d0ba	1007	{
marcozecchini	0:9fca2b23d0ba	1008	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1009	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1010	}
marcozecchini	0:9fca2b23d0ba	1011
marcozecchini	0:9fca2b23d0ba	1012	if( sess_len > 32 )
marcozecchini	0:9fca2b23d0ba	1013	{
marcozecchini	0:9fca2b23d0ba	1014	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1015	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1016	}
marcozecchini	0:9fca2b23d0ba	1017
marcozecchini	0:9fca2b23d0ba	1018	if( chal_len < 8 \|\| chal_len > 32 )
marcozecchini	0:9fca2b23d0ba	1019	{
marcozecchini	0:9fca2b23d0ba	1020	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1021	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1022	}
marcozecchini	0:9fca2b23d0ba	1023
marcozecchini	0:9fca2b23d0ba	1024	if( n != 6 + ciph_len + sess_len + chal_len )
marcozecchini	0:9fca2b23d0ba	1025	{
marcozecchini	0:9fca2b23d0ba	1026	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1027	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1028	}
marcozecchini	0:9fca2b23d0ba	1029
marcozecchini	0:9fca2b23d0ba	1030	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
marcozecchini	0:9fca2b23d0ba	1031	buf + 6, ciph_len );
marcozecchini	0:9fca2b23d0ba	1032	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
marcozecchini	0:9fca2b23d0ba	1033	buf + 6 + ciph_len, sess_len );
marcozecchini	0:9fca2b23d0ba	1034	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
marcozecchini	0:9fca2b23d0ba	1035	buf + 6 + ciph_len + sess_len, chal_len );
marcozecchini	0:9fca2b23d0ba	1036
marcozecchini	0:9fca2b23d0ba	1037	p = buf + 6 + ciph_len;
marcozecchini	0:9fca2b23d0ba	1038	ssl->session_negotiate->id_len = sess_len;
marcozecchini	0:9fca2b23d0ba	1039	memset( ssl->session_negotiate->id, 0,
marcozecchini	0:9fca2b23d0ba	1040	sizeof( ssl->session_negotiate->id ) );
marcozecchini	0:9fca2b23d0ba	1041	memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
marcozecchini	0:9fca2b23d0ba	1042
marcozecchini	0:9fca2b23d0ba	1043	p += sess_len;
marcozecchini	0:9fca2b23d0ba	1044	memset( ssl->handshake->randbytes, 0, 64 );
marcozecchini	0:9fca2b23d0ba	1045	memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
marcozecchini	0:9fca2b23d0ba	1046
marcozecchini	0:9fca2b23d0ba	1047	/*
marcozecchini	0:9fca2b23d0ba	1048	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
marcozecchini	0:9fca2b23d0ba	1049	*/
marcozecchini	0:9fca2b23d0ba	1050	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
marcozecchini	0:9fca2b23d0ba	1051	{
marcozecchini	0:9fca2b23d0ba	1052	if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
marcozecchini	0:9fca2b23d0ba	1053	{
marcozecchini	0:9fca2b23d0ba	1054	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
marcozecchini	0:9fca2b23d0ba	1055	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1056	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
marcozecchini	0:9fca2b23d0ba	1057	{
marcozecchini	0:9fca2b23d0ba	1058	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
marcozecchini	0:9fca2b23d0ba	1059	"during renegotiation" ) );
marcozecchini	0:9fca2b23d0ba	1060
marcozecchini	0:9fca2b23d0ba	1061	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1062	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1063	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1064	}
marcozecchini	0:9fca2b23d0ba	1065	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	1066	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
marcozecchini	0:9fca2b23d0ba	1067	break;
marcozecchini	0:9fca2b23d0ba	1068	}
marcozecchini	0:9fca2b23d0ba	1069	}
marcozecchini	0:9fca2b23d0ba	1070
marcozecchini	0:9fca2b23d0ba	1071	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
marcozecchini	0:9fca2b23d0ba	1072	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
marcozecchini	0:9fca2b23d0ba	1073	{
marcozecchini	0:9fca2b23d0ba	1074	if( p[0] == 0 &&
marcozecchini	0:9fca2b23d0ba	1075	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
marcozecchini	0:9fca2b23d0ba	1076	p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
marcozecchini	0:9fca2b23d0ba	1077	{
marcozecchini	0:9fca2b23d0ba	1078	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
marcozecchini	0:9fca2b23d0ba	1079
marcozecchini	0:9fca2b23d0ba	1080	if( ssl->minor_ver < ssl->conf->max_minor_ver )
marcozecchini	0:9fca2b23d0ba	1081	{
marcozecchini	0:9fca2b23d0ba	1082	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
marcozecchini	0:9fca2b23d0ba	1083
marcozecchini	0:9fca2b23d0ba	1084	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1085	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
marcozecchini	0:9fca2b23d0ba	1086
marcozecchini	0:9fca2b23d0ba	1087	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1088	}
marcozecchini	0:9fca2b23d0ba	1089
marcozecchini	0:9fca2b23d0ba	1090	break;
marcozecchini	0:9fca2b23d0ba	1091	}
marcozecchini	0:9fca2b23d0ba	1092	}
marcozecchini	0:9fca2b23d0ba	1093	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
marcozecchini	0:9fca2b23d0ba	1094
marcozecchini	0:9fca2b23d0ba	1095	got_common_suite = 0;
marcozecchini	0:9fca2b23d0ba	1096	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
marcozecchini	0:9fca2b23d0ba	1097	ciphersuite_info = NULL;
marcozecchini	0:9fca2b23d0ba	1098	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
marcozecchini	0:9fca2b23d0ba	1099	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
marcozecchini	0:9fca2b23d0ba	1100	for( i = 0; ciphersuites[i] != 0; i++ )
marcozecchini	0:9fca2b23d0ba	1101	#else
marcozecchini	0:9fca2b23d0ba	1102	for( i = 0; ciphersuites[i] != 0; i++ )
marcozecchini	0:9fca2b23d0ba	1103	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
marcozecchini	0:9fca2b23d0ba	1104	#endif
marcozecchini	0:9fca2b23d0ba	1105	{
marcozecchini	0:9fca2b23d0ba	1106	if( p[0] != 0 \|\|
marcozecchini	0:9fca2b23d0ba	1107	p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
marcozecchini	0:9fca2b23d0ba	1108	p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
marcozecchini	0:9fca2b23d0ba	1109	continue;
marcozecchini	0:9fca2b23d0ba	1110
marcozecchini	0:9fca2b23d0ba	1111	got_common_suite = 1;
marcozecchini	0:9fca2b23d0ba	1112
marcozecchini	0:9fca2b23d0ba	1113	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
marcozecchini	0:9fca2b23d0ba	1114	&ciphersuite_info ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1115	return( ret );
marcozecchini	0:9fca2b23d0ba	1116
marcozecchini	0:9fca2b23d0ba	1117	if( ciphersuite_info != NULL )
marcozecchini	0:9fca2b23d0ba	1118	goto have_ciphersuite_v2;
marcozecchini	0:9fca2b23d0ba	1119	}
marcozecchini	0:9fca2b23d0ba	1120
marcozecchini	0:9fca2b23d0ba	1121	if( got_common_suite )
marcozecchini	0:9fca2b23d0ba	1122	{
marcozecchini	0:9fca2b23d0ba	1123	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
marcozecchini	0:9fca2b23d0ba	1124	"but none of them usable" ) );
marcozecchini	0:9fca2b23d0ba	1125	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
marcozecchini	0:9fca2b23d0ba	1126	}
marcozecchini	0:9fca2b23d0ba	1127	else
marcozecchini	0:9fca2b23d0ba	1128	{
marcozecchini	0:9fca2b23d0ba	1129	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
marcozecchini	0:9fca2b23d0ba	1130	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
marcozecchini	0:9fca2b23d0ba	1131	}
marcozecchini	0:9fca2b23d0ba	1132
marcozecchini	0:9fca2b23d0ba	1133	have_ciphersuite_v2:
marcozecchini	0:9fca2b23d0ba	1134	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
marcozecchini	0:9fca2b23d0ba	1135
marcozecchini	0:9fca2b23d0ba	1136	ssl->session_negotiate->ciphersuite = ciphersuites[i];
marcozecchini	0:9fca2b23d0ba	1137	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	1138
marcozecchini	0:9fca2b23d0ba	1139	/*
marcozecchini	0:9fca2b23d0ba	1140	* SSLv2 Client Hello relevant renegotiation security checks
marcozecchini	0:9fca2b23d0ba	1141	*/
marcozecchini	0:9fca2b23d0ba	1142	if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1143	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1144	{
marcozecchini	0:9fca2b23d0ba	1145	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
marcozecchini	0:9fca2b23d0ba	1146	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1147	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1148	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1149	}
marcozecchini	0:9fca2b23d0ba	1150
marcozecchini	0:9fca2b23d0ba	1151	ssl->in_left = 0;
marcozecchini	0:9fca2b23d0ba	1152	ssl->state++;
marcozecchini	0:9fca2b23d0ba	1153
marcozecchini	0:9fca2b23d0ba	1154	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
marcozecchini	0:9fca2b23d0ba	1155
marcozecchini	0:9fca2b23d0ba	1156	return( 0 );
marcozecchini	0:9fca2b23d0ba	1157	}
marcozecchini	0:9fca2b23d0ba	1158	#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
marcozecchini	0:9fca2b23d0ba	1159
marcozecchini	0:9fca2b23d0ba	1160	/* This function doesn't alert on errors that happen early during
marcozecchini	0:9fca2b23d0ba	1161	ClientHello parsing because they might indicate that the client is
marcozecchini	0:9fca2b23d0ba	1162	not talking SSL/TLS at all and would not understand our alert. */
marcozecchini	0:9fca2b23d0ba	1163	static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	1164	{
marcozecchini	0:9fca2b23d0ba	1165	int ret, got_common_suite;
marcozecchini	0:9fca2b23d0ba	1166	size_t i, j;
marcozecchini	0:9fca2b23d0ba	1167	size_t ciph_offset, comp_offset, ext_offset;
marcozecchini	0:9fca2b23d0ba	1168	size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
marcozecchini	0:9fca2b23d0ba	1169	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1170	size_t cookie_offset, cookie_len;
marcozecchini	0:9fca2b23d0ba	1171	#endif
marcozecchini	0:9fca2b23d0ba	1172	unsigned char buf, p, *ext;
marcozecchini	0:9fca2b23d0ba	1173	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1174	int renegotiation_info_seen = 0;
marcozecchini	0:9fca2b23d0ba	1175	#endif
marcozecchini	0:9fca2b23d0ba	1176	int handshake_failure = 0;
marcozecchini	0:9fca2b23d0ba	1177	const int *ciphersuites;
marcozecchini	0:9fca2b23d0ba	1178	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	1179	int major, minor;
marcozecchini	0:9fca2b23d0ba	1180
marcozecchini	0:9fca2b23d0ba	1181	/* If there is no signature-algorithm extension present,
marcozecchini	0:9fca2b23d0ba	1182	* we need to fall back to the default values for allowed
marcozecchini	0:9fca2b23d0ba	1183	* signature-hash pairs. */
marcozecchini	0:9fca2b23d0ba	1184	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	1185	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	1186	int sig_hash_alg_ext_present = 0;
marcozecchini	0:9fca2b23d0ba	1187	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
marcozecchini	0:9fca2b23d0ba	1188	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
marcozecchini	0:9fca2b23d0ba	1189
marcozecchini	0:9fca2b23d0ba	1190	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
marcozecchini	0:9fca2b23d0ba	1191
marcozecchini	0:9fca2b23d0ba	1192	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
marcozecchini	0:9fca2b23d0ba	1193	read_record_header:
marcozecchini	0:9fca2b23d0ba	1194	#endif
marcozecchini	0:9fca2b23d0ba	1195	/*
marcozecchini	0:9fca2b23d0ba	1196	* If renegotiating, then the input was read with mbedtls_ssl_read_record(),
marcozecchini	0:9fca2b23d0ba	1197	* otherwise read it ourselves manually in order to support SSLv2
marcozecchini	0:9fca2b23d0ba	1198	* ClientHello, which doesn't use the same record layer format.
marcozecchini	0:9fca2b23d0ba	1199	*/
marcozecchini	0:9fca2b23d0ba	1200	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1201	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1202	#endif
marcozecchini	0:9fca2b23d0ba	1203	{
marcozecchini	0:9fca2b23d0ba	1204	if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1205	{
marcozecchini	0:9fca2b23d0ba	1206	/* No alert on a read error. */
marcozecchini	0:9fca2b23d0ba	1207	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
marcozecchini	0:9fca2b23d0ba	1208	return( ret );
marcozecchini	0:9fca2b23d0ba	1209	}
marcozecchini	0:9fca2b23d0ba	1210	}
marcozecchini	0:9fca2b23d0ba	1211
marcozecchini	0:9fca2b23d0ba	1212	buf = ssl->in_hdr;
marcozecchini	0:9fca2b23d0ba	1213
marcozecchini	0:9fca2b23d0ba	1214	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
marcozecchini	0:9fca2b23d0ba	1215	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1216	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
marcozecchini	0:9fca2b23d0ba	1217	#endif
marcozecchini	0:9fca2b23d0ba	1218	if( ( buf[0] & 0x80 ) != 0 )
marcozecchini	0:9fca2b23d0ba	1219	return( ssl_parse_client_hello_v2( ssl ) );
marcozecchini	0:9fca2b23d0ba	1220	#endif
marcozecchini	0:9fca2b23d0ba	1221
marcozecchini	0:9fca2b23d0ba	1222	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
marcozecchini	0:9fca2b23d0ba	1223
marcozecchini	0:9fca2b23d0ba	1224	/*
marcozecchini	0:9fca2b23d0ba	1225	* SSLv3/TLS Client Hello
marcozecchini	0:9fca2b23d0ba	1226	*
marcozecchini	0:9fca2b23d0ba	1227	* Record layer:
marcozecchini	0:9fca2b23d0ba	1228	* 0 . 0 message type
marcozecchini	0:9fca2b23d0ba	1229	* 1 . 2 protocol version
marcozecchini	0:9fca2b23d0ba	1230	* 3 . 11 DTLS: epoch + record sequence number
marcozecchini	0:9fca2b23d0ba	1231	* 3 . 4 message length
marcozecchini	0:9fca2b23d0ba	1232	*/
marcozecchini	0:9fca2b23d0ba	1233	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
marcozecchini	0:9fca2b23d0ba	1234	buf[0] ) );
marcozecchini	0:9fca2b23d0ba	1235
marcozecchini	0:9fca2b23d0ba	1236	if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1237	{
marcozecchini	0:9fca2b23d0ba	1238	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1239	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1240	}
marcozecchini	0:9fca2b23d0ba	1241
marcozecchini	0:9fca2b23d0ba	1242	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
marcozecchini	0:9fca2b23d0ba	1243	( ssl->in_len[0] << 8 ) \| ssl->in_len[1] ) );
marcozecchini	0:9fca2b23d0ba	1244
marcozecchini	0:9fca2b23d0ba	1245	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
marcozecchini	0:9fca2b23d0ba	1246	buf[1], buf[2] ) );
marcozecchini	0:9fca2b23d0ba	1247
marcozecchini	0:9fca2b23d0ba	1248	mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
marcozecchini	0:9fca2b23d0ba	1249
marcozecchini	0:9fca2b23d0ba	1250	/* According to RFC 5246 Appendix E.1, the version here is typically
marcozecchini	0:9fca2b23d0ba	1251	* "{03,00}, the lowest version number supported by the client, [or] the
marcozecchini	0:9fca2b23d0ba	1252	* value of ClientHello.client_version", so the only meaningful check here
marcozecchini	0:9fca2b23d0ba	1253	* is the major version shouldn't be less than 3 */
marcozecchini	0:9fca2b23d0ba	1254	if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	1255	{
marcozecchini	0:9fca2b23d0ba	1256	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1257	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1258	}
marcozecchini	0:9fca2b23d0ba	1259
marcozecchini	0:9fca2b23d0ba	1260	/* For DTLS if this is the initial handshake, remember the client sequence
marcozecchini	0:9fca2b23d0ba	1261	* number to use it in our next message (RFC 6347 4.2.1) */
marcozecchini	0:9fca2b23d0ba	1262	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1263	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
marcozecchini	0:9fca2b23d0ba	1264	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1265	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
marcozecchini	0:9fca2b23d0ba	1266	#endif
marcozecchini	0:9fca2b23d0ba	1267	)
marcozecchini	0:9fca2b23d0ba	1268	{
marcozecchini	0:9fca2b23d0ba	1269	/* Epoch should be 0 for initial handshakes */
marcozecchini	0:9fca2b23d0ba	1270	if( ssl->in_ctr[0] != 0 \|\| ssl->in_ctr[1] != 0 )
marcozecchini	0:9fca2b23d0ba	1271	{
marcozecchini	0:9fca2b23d0ba	1272	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1273	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1274	}
marcozecchini	0:9fca2b23d0ba	1275
marcozecchini	0:9fca2b23d0ba	1276	memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
marcozecchini	0:9fca2b23d0ba	1277
marcozecchini	0:9fca2b23d0ba	1278	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
marcozecchini	0:9fca2b23d0ba	1279	if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
marcozecchini	0:9fca2b23d0ba	1280	{
marcozecchini	0:9fca2b23d0ba	1281	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
marcozecchini	0:9fca2b23d0ba	1282	ssl->next_record_offset = 0;
marcozecchini	0:9fca2b23d0ba	1283	ssl->in_left = 0;
marcozecchini	0:9fca2b23d0ba	1284	goto read_record_header;
marcozecchini	0:9fca2b23d0ba	1285	}
marcozecchini	0:9fca2b23d0ba	1286
marcozecchini	0:9fca2b23d0ba	1287	/* No MAC to check yet, so we can update right now */
marcozecchini	0:9fca2b23d0ba	1288	mbedtls_ssl_dtls_replay_update( ssl );
marcozecchini	0:9fca2b23d0ba	1289	#endif
marcozecchini	0:9fca2b23d0ba	1290	}
marcozecchini	0:9fca2b23d0ba	1291	#endif /* MBEDTLS_SSL_PROTO_DTLS */
marcozecchini	0:9fca2b23d0ba	1292
marcozecchini	0:9fca2b23d0ba	1293	msg_len = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
marcozecchini	0:9fca2b23d0ba	1294
marcozecchini	0:9fca2b23d0ba	1295	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1296	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1297	{
marcozecchini	0:9fca2b23d0ba	1298	/* Set by mbedtls_ssl_read_record() */
marcozecchini	0:9fca2b23d0ba	1299	msg_len = ssl->in_hslen;
marcozecchini	0:9fca2b23d0ba	1300	}
marcozecchini	0:9fca2b23d0ba	1301	else
marcozecchini	0:9fca2b23d0ba	1302	#endif
marcozecchini	0:9fca2b23d0ba	1303	{
marcozecchini	0:9fca2b23d0ba	1304	if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
marcozecchini	0:9fca2b23d0ba	1305	{
marcozecchini	0:9fca2b23d0ba	1306	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1307	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1308	}
marcozecchini	0:9fca2b23d0ba	1309
marcozecchini	0:9fca2b23d0ba	1310	if( ( ret = mbedtls_ssl_fetch_input( ssl,
marcozecchini	0:9fca2b23d0ba	1311	mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1312	{
marcozecchini	0:9fca2b23d0ba	1313	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
marcozecchini	0:9fca2b23d0ba	1314	return( ret );
marcozecchini	0:9fca2b23d0ba	1315	}
marcozecchini	0:9fca2b23d0ba	1316
marcozecchini	0:9fca2b23d0ba	1317	/* Done reading this record, get ready for the next one */
marcozecchini	0:9fca2b23d0ba	1318	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1319	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1320	ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	1321	else
marcozecchini	0:9fca2b23d0ba	1322	#endif
marcozecchini	0:9fca2b23d0ba	1323	ssl->in_left = 0;
marcozecchini	0:9fca2b23d0ba	1324	}
marcozecchini	0:9fca2b23d0ba	1325
marcozecchini	0:9fca2b23d0ba	1326	buf = ssl->in_msg;
marcozecchini	0:9fca2b23d0ba	1327
marcozecchini	0:9fca2b23d0ba	1328	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
marcozecchini	0:9fca2b23d0ba	1329
marcozecchini	0:9fca2b23d0ba	1330	ssl->handshake->update_checksum( ssl, buf, msg_len );
marcozecchini	0:9fca2b23d0ba	1331
marcozecchini	0:9fca2b23d0ba	1332	/*
marcozecchini	0:9fca2b23d0ba	1333	* Handshake layer:
marcozecchini	0:9fca2b23d0ba	1334	* 0 . 0 handshake type
marcozecchini	0:9fca2b23d0ba	1335	* 1 . 3 handshake length
marcozecchini	0:9fca2b23d0ba	1336	* 4 . 5 DTLS only: message seqence number
marcozecchini	0:9fca2b23d0ba	1337	* 6 . 8 DTLS only: fragment offset
marcozecchini	0:9fca2b23d0ba	1338	* 9 . 11 DTLS only: fragment length
marcozecchini	0:9fca2b23d0ba	1339	*/
marcozecchini	0:9fca2b23d0ba	1340	if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
marcozecchini	0:9fca2b23d0ba	1341	{
marcozecchini	0:9fca2b23d0ba	1342	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1343	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1344	}
marcozecchini	0:9fca2b23d0ba	1345
marcozecchini	0:9fca2b23d0ba	1346	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
marcozecchini	0:9fca2b23d0ba	1347
marcozecchini	0:9fca2b23d0ba	1348	if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
marcozecchini	0:9fca2b23d0ba	1349	{
marcozecchini	0:9fca2b23d0ba	1350	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1351	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1352	}
marcozecchini	0:9fca2b23d0ba	1353
marcozecchini	0:9fca2b23d0ba	1354	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
marcozecchini	0:9fca2b23d0ba	1355	( buf[1] << 16 ) \| ( buf[2] << 8 ) \| buf[3] ) );
marcozecchini	0:9fca2b23d0ba	1356
marcozecchini	0:9fca2b23d0ba	1357	/* We don't support fragmentation of ClientHello (yet?) */
marcozecchini	0:9fca2b23d0ba	1358	if( buf[1] != 0 \|\|
marcozecchini	0:9fca2b23d0ba	1359	msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) \| buf[3] ) )
marcozecchini	0:9fca2b23d0ba	1360	{
marcozecchini	0:9fca2b23d0ba	1361	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1362	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1363	}
marcozecchini	0:9fca2b23d0ba	1364
marcozecchini	0:9fca2b23d0ba	1365	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1366	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1367	{
marcozecchini	0:9fca2b23d0ba	1368	/*
marcozecchini	0:9fca2b23d0ba	1369	* Copy the client's handshake message_seq on initial handshakes,
marcozecchini	0:9fca2b23d0ba	1370	* check sequence number on renego.
marcozecchini	0:9fca2b23d0ba	1371	*/
marcozecchini	0:9fca2b23d0ba	1372	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1373	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
marcozecchini	0:9fca2b23d0ba	1374	{
marcozecchini	0:9fca2b23d0ba	1375	/* This couldn't be done in ssl_prepare_handshake_record() */
marcozecchini	0:9fca2b23d0ba	1376	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
marcozecchini	0:9fca2b23d0ba	1377	ssl->in_msg[5];
marcozecchini	0:9fca2b23d0ba	1378
marcozecchini	0:9fca2b23d0ba	1379	if( cli_msg_seq != ssl->handshake->in_msg_seq )
marcozecchini	0:9fca2b23d0ba	1380	{
marcozecchini	0:9fca2b23d0ba	1381	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
marcozecchini	0:9fca2b23d0ba	1382	"%d (expected %d)", cli_msg_seq,
marcozecchini	0:9fca2b23d0ba	1383	ssl->handshake->in_msg_seq ) );
marcozecchini	0:9fca2b23d0ba	1384	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1385	}
marcozecchini	0:9fca2b23d0ba	1386
marcozecchini	0:9fca2b23d0ba	1387	ssl->handshake->in_msg_seq++;
marcozecchini	0:9fca2b23d0ba	1388	}
marcozecchini	0:9fca2b23d0ba	1389	else
marcozecchini	0:9fca2b23d0ba	1390	#endif
marcozecchini	0:9fca2b23d0ba	1391	{
marcozecchini	0:9fca2b23d0ba	1392	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
marcozecchini	0:9fca2b23d0ba	1393	ssl->in_msg[5];
marcozecchini	0:9fca2b23d0ba	1394	ssl->handshake->out_msg_seq = cli_msg_seq;
marcozecchini	0:9fca2b23d0ba	1395	ssl->handshake->in_msg_seq = cli_msg_seq + 1;
marcozecchini	0:9fca2b23d0ba	1396	}
marcozecchini	0:9fca2b23d0ba	1397
marcozecchini	0:9fca2b23d0ba	1398	/*
marcozecchini	0:9fca2b23d0ba	1399	* For now we don't support fragmentation, so make sure
marcozecchini	0:9fca2b23d0ba	1400	* fragment_offset == 0 and fragment_length == length
marcozecchini	0:9fca2b23d0ba	1401	*/
marcozecchini	0:9fca2b23d0ba	1402	if( ssl->in_msg[6] != 0 \|\| ssl->in_msg[7] != 0 \|\| ssl->in_msg[8] != 0 \|\|
marcozecchini	0:9fca2b23d0ba	1403	memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
marcozecchini	0:9fca2b23d0ba	1404	{
marcozecchini	0:9fca2b23d0ba	1405	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
marcozecchini	0:9fca2b23d0ba	1406	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
marcozecchini	0:9fca2b23d0ba	1407	}
marcozecchini	0:9fca2b23d0ba	1408	}
marcozecchini	0:9fca2b23d0ba	1409	#endif /* MBEDTLS_SSL_PROTO_DTLS */
marcozecchini	0:9fca2b23d0ba	1410
marcozecchini	0:9fca2b23d0ba	1411	buf += mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	1412	msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	1413
marcozecchini	0:9fca2b23d0ba	1414	/*
marcozecchini	0:9fca2b23d0ba	1415	* ClientHello layer:
marcozecchini	0:9fca2b23d0ba	1416	* 0 . 1 protocol version
marcozecchini	0:9fca2b23d0ba	1417	* 2 . 33 random bytes (starting with 4 bytes of Unix time)
marcozecchini	0:9fca2b23d0ba	1418	* 34 . 35 session id length (1 byte)
marcozecchini	0:9fca2b23d0ba	1419	* 35 . 34+x session id
marcozecchini	0:9fca2b23d0ba	1420	* 35+x . 35+x DTLS only: cookie length (1 byte)
marcozecchini	0:9fca2b23d0ba	1421	* 36+x . .. DTLS only: cookie
marcozecchini	0:9fca2b23d0ba	1422	* .. . .. ciphersuite list length (2 bytes)
marcozecchini	0:9fca2b23d0ba	1423	* .. . .. ciphersuite list
marcozecchini	0:9fca2b23d0ba	1424	* .. . .. compression alg. list length (1 byte)
marcozecchini	0:9fca2b23d0ba	1425	* .. . .. compression alg. list
marcozecchini	0:9fca2b23d0ba	1426	* .. . .. extensions length (2 bytes, optional)
marcozecchini	0:9fca2b23d0ba	1427	* .. . .. extensions (optional)
marcozecchini	0:9fca2b23d0ba	1428	*/
marcozecchini	0:9fca2b23d0ba	1429
marcozecchini	0:9fca2b23d0ba	1430	/*
marcozecchini	0:9fca2b23d0ba	1431	* Minimal length (with everything empty and extensions ommitted) is
marcozecchini	0:9fca2b23d0ba	1432	* 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
marcozecchini	0:9fca2b23d0ba	1433	* read at least up to session id length without worrying.
marcozecchini	0:9fca2b23d0ba	1434	*/
marcozecchini	0:9fca2b23d0ba	1435	if( msg_len < 38 )
marcozecchini	0:9fca2b23d0ba	1436	{
marcozecchini	0:9fca2b23d0ba	1437	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1438	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1439	}
marcozecchini	0:9fca2b23d0ba	1440
marcozecchini	0:9fca2b23d0ba	1441	/*
marcozecchini	0:9fca2b23d0ba	1442	* Check and save the protocol version
marcozecchini	0:9fca2b23d0ba	1443	*/
marcozecchini	0:9fca2b23d0ba	1444	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
marcozecchini	0:9fca2b23d0ba	1445
marcozecchini	0:9fca2b23d0ba	1446	mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
marcozecchini	0:9fca2b23d0ba	1447	ssl->conf->transport, buf );
marcozecchini	0:9fca2b23d0ba	1448
marcozecchini	0:9fca2b23d0ba	1449	ssl->handshake->max_major_ver = ssl->major_ver;
marcozecchini	0:9fca2b23d0ba	1450	ssl->handshake->max_minor_ver = ssl->minor_ver;
marcozecchini	0:9fca2b23d0ba	1451
marcozecchini	0:9fca2b23d0ba	1452	if( ssl->major_ver < ssl->conf->min_major_ver \|\|
marcozecchini	0:9fca2b23d0ba	1453	ssl->minor_ver < ssl->conf->min_minor_ver )
marcozecchini	0:9fca2b23d0ba	1454	{
marcozecchini	0:9fca2b23d0ba	1455	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
marcozecchini	0:9fca2b23d0ba	1456	" [%d:%d] < [%d:%d]",
marcozecchini	0:9fca2b23d0ba	1457	ssl->major_ver, ssl->minor_ver,
marcozecchini	0:9fca2b23d0ba	1458	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
marcozecchini	0:9fca2b23d0ba	1459	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1460	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	1461	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	1462	}
marcozecchini	0:9fca2b23d0ba	1463
marcozecchini	0:9fca2b23d0ba	1464	if( ssl->major_ver > ssl->conf->max_major_ver )
marcozecchini	0:9fca2b23d0ba	1465	{
marcozecchini	0:9fca2b23d0ba	1466	ssl->major_ver = ssl->conf->max_major_ver;
marcozecchini	0:9fca2b23d0ba	1467	ssl->minor_ver = ssl->conf->max_minor_ver;
marcozecchini	0:9fca2b23d0ba	1468	}
marcozecchini	0:9fca2b23d0ba	1469	else if( ssl->minor_ver > ssl->conf->max_minor_ver )
marcozecchini	0:9fca2b23d0ba	1470	ssl->minor_ver = ssl->conf->max_minor_ver;
marcozecchini	0:9fca2b23d0ba	1471
marcozecchini	0:9fca2b23d0ba	1472	/*
marcozecchini	0:9fca2b23d0ba	1473	* Save client random (inc. Unix time)
marcozecchini	0:9fca2b23d0ba	1474	*/
marcozecchini	0:9fca2b23d0ba	1475	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
marcozecchini	0:9fca2b23d0ba	1476
marcozecchini	0:9fca2b23d0ba	1477	memcpy( ssl->handshake->randbytes, buf + 2, 32 );
marcozecchini	0:9fca2b23d0ba	1478
marcozecchini	0:9fca2b23d0ba	1479	/*
marcozecchini	0:9fca2b23d0ba	1480	* Check the session ID length and save session ID
marcozecchini	0:9fca2b23d0ba	1481	*/
marcozecchini	0:9fca2b23d0ba	1482	sess_len = buf[34];
marcozecchini	0:9fca2b23d0ba	1483
marcozecchini	0:9fca2b23d0ba	1484	if( sess_len > sizeof( ssl->session_negotiate->id ) \|\|
marcozecchini	0:9fca2b23d0ba	1485	sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
marcozecchini	0:9fca2b23d0ba	1486	{
marcozecchini	0:9fca2b23d0ba	1487	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1488	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1489	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1490	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1491	}
marcozecchini	0:9fca2b23d0ba	1492
marcozecchini	0:9fca2b23d0ba	1493	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
marcozecchini	0:9fca2b23d0ba	1494
marcozecchini	0:9fca2b23d0ba	1495	ssl->session_negotiate->id_len = sess_len;
marcozecchini	0:9fca2b23d0ba	1496	memset( ssl->session_negotiate->id, 0,
marcozecchini	0:9fca2b23d0ba	1497	sizeof( ssl->session_negotiate->id ) );
marcozecchini	0:9fca2b23d0ba	1498	memcpy( ssl->session_negotiate->id, buf + 35,
marcozecchini	0:9fca2b23d0ba	1499	ssl->session_negotiate->id_len );
marcozecchini	0:9fca2b23d0ba	1500
marcozecchini	0:9fca2b23d0ba	1501	/*
marcozecchini	0:9fca2b23d0ba	1502	* Check the cookie length and content
marcozecchini	0:9fca2b23d0ba	1503	*/
marcozecchini	0:9fca2b23d0ba	1504	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1505	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1506	{
marcozecchini	0:9fca2b23d0ba	1507	cookie_offset = 35 + sess_len;
marcozecchini	0:9fca2b23d0ba	1508	cookie_len = buf[cookie_offset];
marcozecchini	0:9fca2b23d0ba	1509
marcozecchini	0:9fca2b23d0ba	1510	if( cookie_offset + 1 + cookie_len + 2 > msg_len )
marcozecchini	0:9fca2b23d0ba	1511	{
marcozecchini	0:9fca2b23d0ba	1512	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1513	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1514	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
marcozecchini	0:9fca2b23d0ba	1515	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1516	}
marcozecchini	0:9fca2b23d0ba	1517
marcozecchini	0:9fca2b23d0ba	1518	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
marcozecchini	0:9fca2b23d0ba	1519	buf + cookie_offset + 1, cookie_len );
marcozecchini	0:9fca2b23d0ba	1520
marcozecchini	0:9fca2b23d0ba	1521	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
marcozecchini	0:9fca2b23d0ba	1522	if( ssl->conf->f_cookie_check != NULL
marcozecchini	0:9fca2b23d0ba	1523	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1524	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
marcozecchini	0:9fca2b23d0ba	1525	#endif
marcozecchini	0:9fca2b23d0ba	1526	)
marcozecchini	0:9fca2b23d0ba	1527	{
marcozecchini	0:9fca2b23d0ba	1528	if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
marcozecchini	0:9fca2b23d0ba	1529	buf + cookie_offset + 1, cookie_len,
marcozecchini	0:9fca2b23d0ba	1530	ssl->cli_id, ssl->cli_id_len ) != 0 )
marcozecchini	0:9fca2b23d0ba	1531	{
marcozecchini	0:9fca2b23d0ba	1532	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
marcozecchini	0:9fca2b23d0ba	1533	ssl->handshake->verify_cookie_len = 1;
marcozecchini	0:9fca2b23d0ba	1534	}
marcozecchini	0:9fca2b23d0ba	1535	else
marcozecchini	0:9fca2b23d0ba	1536	{
marcozecchini	0:9fca2b23d0ba	1537	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
marcozecchini	0:9fca2b23d0ba	1538	ssl->handshake->verify_cookie_len = 0;
marcozecchini	0:9fca2b23d0ba	1539	}
marcozecchini	0:9fca2b23d0ba	1540	}
marcozecchini	0:9fca2b23d0ba	1541	else
marcozecchini	0:9fca2b23d0ba	1542	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
marcozecchini	0:9fca2b23d0ba	1543	{
marcozecchini	0:9fca2b23d0ba	1544	/* We know we didn't send a cookie, so it should be empty */
marcozecchini	0:9fca2b23d0ba	1545	if( cookie_len != 0 )
marcozecchini	0:9fca2b23d0ba	1546	{
marcozecchini	0:9fca2b23d0ba	1547	/* This may be an attacker's probe, so don't send an alert */
marcozecchini	0:9fca2b23d0ba	1548	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1549	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1550	}
marcozecchini	0:9fca2b23d0ba	1551
marcozecchini	0:9fca2b23d0ba	1552	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
marcozecchini	0:9fca2b23d0ba	1553	}
marcozecchini	0:9fca2b23d0ba	1554
marcozecchini	0:9fca2b23d0ba	1555	/*
marcozecchini	0:9fca2b23d0ba	1556	* Check the ciphersuitelist length (will be parsed later)
marcozecchini	0:9fca2b23d0ba	1557	*/
marcozecchini	0:9fca2b23d0ba	1558	ciph_offset = cookie_offset + 1 + cookie_len;
marcozecchini	0:9fca2b23d0ba	1559	}
marcozecchini	0:9fca2b23d0ba	1560	else
marcozecchini	0:9fca2b23d0ba	1561	#endif /* MBEDTLS_SSL_PROTO_DTLS */
marcozecchini	0:9fca2b23d0ba	1562	ciph_offset = 35 + sess_len;
marcozecchini	0:9fca2b23d0ba	1563
marcozecchini	0:9fca2b23d0ba	1564	ciph_len = ( buf[ciph_offset + 0] << 8 )
marcozecchini	0:9fca2b23d0ba	1565	\| ( buf[ciph_offset + 1] );
marcozecchini	0:9fca2b23d0ba	1566
marcozecchini	0:9fca2b23d0ba	1567	if( ciph_len < 2 \|\|
marcozecchini	0:9fca2b23d0ba	1568	ciph_len + 2 + ciph_offset + 1 > msg_len \|\| /* 1 for comp. alg. len */
marcozecchini	0:9fca2b23d0ba	1569	( ciph_len % 2 ) != 0 )
marcozecchini	0:9fca2b23d0ba	1570	{
marcozecchini	0:9fca2b23d0ba	1571	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1572	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1573	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1574	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1575	}
marcozecchini	0:9fca2b23d0ba	1576
marcozecchini	0:9fca2b23d0ba	1577	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
marcozecchini	0:9fca2b23d0ba	1578	buf + ciph_offset + 2, ciph_len );
marcozecchini	0:9fca2b23d0ba	1579
marcozecchini	0:9fca2b23d0ba	1580	/*
marcozecchini	0:9fca2b23d0ba	1581	* Check the compression algorithms length and pick one
marcozecchini	0:9fca2b23d0ba	1582	*/
marcozecchini	0:9fca2b23d0ba	1583	comp_offset = ciph_offset + 2 + ciph_len;
marcozecchini	0:9fca2b23d0ba	1584
marcozecchini	0:9fca2b23d0ba	1585	comp_len = buf[comp_offset];
marcozecchini	0:9fca2b23d0ba	1586
marcozecchini	0:9fca2b23d0ba	1587	if( comp_len < 1 \|\|
marcozecchini	0:9fca2b23d0ba	1588	comp_len > 16 \|\|
marcozecchini	0:9fca2b23d0ba	1589	comp_len + comp_offset + 1 > msg_len )
marcozecchini	0:9fca2b23d0ba	1590	{
marcozecchini	0:9fca2b23d0ba	1591	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1592	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1593	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1594	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1595	}
marcozecchini	0:9fca2b23d0ba	1596
marcozecchini	0:9fca2b23d0ba	1597	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
marcozecchini	0:9fca2b23d0ba	1598	buf + comp_offset + 1, comp_len );
marcozecchini	0:9fca2b23d0ba	1599
marcozecchini	0:9fca2b23d0ba	1600	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
marcozecchini	0:9fca2b23d0ba	1601	#if defined(MBEDTLS_ZLIB_SUPPORT)
marcozecchini	0:9fca2b23d0ba	1602	for( i = 0; i < comp_len; ++i )
marcozecchini	0:9fca2b23d0ba	1603	{
marcozecchini	0:9fca2b23d0ba	1604	if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
marcozecchini	0:9fca2b23d0ba	1605	{
marcozecchini	0:9fca2b23d0ba	1606	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
marcozecchini	0:9fca2b23d0ba	1607	break;
marcozecchini	0:9fca2b23d0ba	1608	}
marcozecchini	0:9fca2b23d0ba	1609	}
marcozecchini	0:9fca2b23d0ba	1610	#endif
marcozecchini	0:9fca2b23d0ba	1611
marcozecchini	0:9fca2b23d0ba	1612	/* See comments in ssl_write_client_hello() */
marcozecchini	0:9fca2b23d0ba	1613	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1614	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1615	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
marcozecchini	0:9fca2b23d0ba	1616	#endif
marcozecchini	0:9fca2b23d0ba	1617
marcozecchini	0:9fca2b23d0ba	1618	/* Do not parse the extensions if the protocol is SSLv3 */
marcozecchini	0:9fca2b23d0ba	1619	#if defined(MBEDTLS_SSL_PROTO_SSL3)
marcozecchini	0:9fca2b23d0ba	1620	if( ( ssl->major_ver != 3 ) \|\| ( ssl->minor_ver != 0 ) )
marcozecchini	0:9fca2b23d0ba	1621	{
marcozecchini	0:9fca2b23d0ba	1622	#endif
marcozecchini	0:9fca2b23d0ba	1623	/*
marcozecchini	0:9fca2b23d0ba	1624	* Check the extension length
marcozecchini	0:9fca2b23d0ba	1625	*/
marcozecchini	0:9fca2b23d0ba	1626	ext_offset = comp_offset + 1 + comp_len;
marcozecchini	0:9fca2b23d0ba	1627	if( msg_len > ext_offset )
marcozecchini	0:9fca2b23d0ba	1628	{
marcozecchini	0:9fca2b23d0ba	1629	if( msg_len < ext_offset + 2 )
marcozecchini	0:9fca2b23d0ba	1630	{
marcozecchini	0:9fca2b23d0ba	1631	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1632	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1633	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1634	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1635	}
marcozecchini	0:9fca2b23d0ba	1636
marcozecchini	0:9fca2b23d0ba	1637	ext_len = ( buf[ext_offset + 0] << 8 )
marcozecchini	0:9fca2b23d0ba	1638	\| ( buf[ext_offset + 1] );
marcozecchini	0:9fca2b23d0ba	1639
marcozecchini	0:9fca2b23d0ba	1640	if( ( ext_len > 0 && ext_len < 4 ) \|\|
marcozecchini	0:9fca2b23d0ba	1641	msg_len != ext_offset + 2 + ext_len )
marcozecchini	0:9fca2b23d0ba	1642	{
marcozecchini	0:9fca2b23d0ba	1643	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1644	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1645	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1646	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1647	}
marcozecchini	0:9fca2b23d0ba	1648	}
marcozecchini	0:9fca2b23d0ba	1649	else
marcozecchini	0:9fca2b23d0ba	1650	ext_len = 0;
marcozecchini	0:9fca2b23d0ba	1651
marcozecchini	0:9fca2b23d0ba	1652	ext = buf + ext_offset + 2;
marcozecchini	0:9fca2b23d0ba	1653	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
marcozecchini	0:9fca2b23d0ba	1654
marcozecchini	0:9fca2b23d0ba	1655	while( ext_len != 0 )
marcozecchini	0:9fca2b23d0ba	1656	{
marcozecchini	0:9fca2b23d0ba	1657	unsigned int ext_id = ( ( ext[0] << 8 )
marcozecchini	0:9fca2b23d0ba	1658	\| ( ext[1] ) );
marcozecchini	0:9fca2b23d0ba	1659	unsigned int ext_size = ( ( ext[2] << 8 )
marcozecchini	0:9fca2b23d0ba	1660	\| ( ext[3] ) );
marcozecchini	0:9fca2b23d0ba	1661
marcozecchini	0:9fca2b23d0ba	1662	if( ext_size + 4 > ext_len )
marcozecchini	0:9fca2b23d0ba	1663	{
marcozecchini	0:9fca2b23d0ba	1664	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1665	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1666	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1667	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1668	}
marcozecchini	0:9fca2b23d0ba	1669	switch( ext_id )
marcozecchini	0:9fca2b23d0ba	1670	{
marcozecchini	0:9fca2b23d0ba	1671	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
marcozecchini	0:9fca2b23d0ba	1672	case MBEDTLS_TLS_EXT_SERVERNAME:
marcozecchini	0:9fca2b23d0ba	1673	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
marcozecchini	0:9fca2b23d0ba	1674	if( ssl->conf->f_sni == NULL )
marcozecchini	0:9fca2b23d0ba	1675	break;
marcozecchini	0:9fca2b23d0ba	1676
marcozecchini	0:9fca2b23d0ba	1677	ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1678	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1679	return( ret );
marcozecchini	0:9fca2b23d0ba	1680	break;
marcozecchini	0:9fca2b23d0ba	1681	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
marcozecchini	0:9fca2b23d0ba	1682
marcozecchini	0:9fca2b23d0ba	1683	case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
marcozecchini	0:9fca2b23d0ba	1684	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
marcozecchini	0:9fca2b23d0ba	1685	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1686	renegotiation_info_seen = 1;
marcozecchini	0:9fca2b23d0ba	1687	#endif
marcozecchini	0:9fca2b23d0ba	1688
marcozecchini	0:9fca2b23d0ba	1689	ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1690	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1691	return( ret );
marcozecchini	0:9fca2b23d0ba	1692	break;
marcozecchini	0:9fca2b23d0ba	1693
marcozecchini	0:9fca2b23d0ba	1694	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	1695	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	1696	case MBEDTLS_TLS_EXT_SIG_ALG:
marcozecchini	0:9fca2b23d0ba	1697	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
marcozecchini	0:9fca2b23d0ba	1698	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1699	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
marcozecchini	0:9fca2b23d0ba	1700	break;
marcozecchini	0:9fca2b23d0ba	1701	#endif
marcozecchini	0:9fca2b23d0ba	1702	ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1703	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1704	return( ret );
marcozecchini	0:9fca2b23d0ba	1705
marcozecchini	0:9fca2b23d0ba	1706	sig_hash_alg_ext_present = 1;
marcozecchini	0:9fca2b23d0ba	1707	break;
marcozecchini	0:9fca2b23d0ba	1708	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
marcozecchini	0:9fca2b23d0ba	1709	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
marcozecchini	0:9fca2b23d0ba	1710
marcozecchini	0:9fca2b23d0ba	1711	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	1712	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	1713	case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
marcozecchini	0:9fca2b23d0ba	1714	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
marcozecchini	0:9fca2b23d0ba	1715
marcozecchini	0:9fca2b23d0ba	1716	ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1717	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1718	return( ret );
marcozecchini	0:9fca2b23d0ba	1719	break;
marcozecchini	0:9fca2b23d0ba	1720
marcozecchini	0:9fca2b23d0ba	1721	case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
marcozecchini	0:9fca2b23d0ba	1722	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
marcozecchini	0:9fca2b23d0ba	1723	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
marcozecchini	0:9fca2b23d0ba	1724
marcozecchini	0:9fca2b23d0ba	1725	ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1726	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1727	return( ret );
marcozecchini	0:9fca2b23d0ba	1728	break;
marcozecchini	0:9fca2b23d0ba	1729	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
marcozecchini	0:9fca2b23d0ba	1730	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	1731
marcozecchini	0:9fca2b23d0ba	1732	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	1733	case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
marcozecchini	0:9fca2b23d0ba	1734	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
marcozecchini	0:9fca2b23d0ba	1735
marcozecchini	0:9fca2b23d0ba	1736	ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1737	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1738	return( ret );
marcozecchini	0:9fca2b23d0ba	1739	break;
marcozecchini	0:9fca2b23d0ba	1740	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	1741
marcozecchini	0:9fca2b23d0ba	1742	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	1743	case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
marcozecchini	0:9fca2b23d0ba	1744	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
marcozecchini	0:9fca2b23d0ba	1745
marcozecchini	0:9fca2b23d0ba	1746	ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1747	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1748	return( ret );
marcozecchini	0:9fca2b23d0ba	1749	break;
marcozecchini	0:9fca2b23d0ba	1750	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
marcozecchini	0:9fca2b23d0ba	1751
marcozecchini	0:9fca2b23d0ba	1752	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	1753	case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
marcozecchini	0:9fca2b23d0ba	1754	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
marcozecchini	0:9fca2b23d0ba	1755
marcozecchini	0:9fca2b23d0ba	1756	ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1757	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1758	return( ret );
marcozecchini	0:9fca2b23d0ba	1759	break;
marcozecchini	0:9fca2b23d0ba	1760	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
marcozecchini	0:9fca2b23d0ba	1761
marcozecchini	0:9fca2b23d0ba	1762	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	1763	case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
marcozecchini	0:9fca2b23d0ba	1764	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
marcozecchini	0:9fca2b23d0ba	1765
marcozecchini	0:9fca2b23d0ba	1766	ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1767	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1768	return( ret );
marcozecchini	0:9fca2b23d0ba	1769	break;
marcozecchini	0:9fca2b23d0ba	1770	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
marcozecchini	0:9fca2b23d0ba	1771
marcozecchini	0:9fca2b23d0ba	1772	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	1773	case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
marcozecchini	0:9fca2b23d0ba	1774	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
marcozecchini	0:9fca2b23d0ba	1775
marcozecchini	0:9fca2b23d0ba	1776	ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1777	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1778	return( ret );
marcozecchini	0:9fca2b23d0ba	1779	break;
marcozecchini	0:9fca2b23d0ba	1780	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
marcozecchini	0:9fca2b23d0ba	1781
marcozecchini	0:9fca2b23d0ba	1782	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	1783	case MBEDTLS_TLS_EXT_SESSION_TICKET:
marcozecchini	0:9fca2b23d0ba	1784	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
marcozecchini	0:9fca2b23d0ba	1785
marcozecchini	0:9fca2b23d0ba	1786	ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1787	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1788	return( ret );
marcozecchini	0:9fca2b23d0ba	1789	break;
marcozecchini	0:9fca2b23d0ba	1790	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	1791
marcozecchini	0:9fca2b23d0ba	1792	#if defined(MBEDTLS_SSL_ALPN)
marcozecchini	0:9fca2b23d0ba	1793	case MBEDTLS_TLS_EXT_ALPN:
marcozecchini	0:9fca2b23d0ba	1794	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
marcozecchini	0:9fca2b23d0ba	1795
marcozecchini	0:9fca2b23d0ba	1796	ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
marcozecchini	0:9fca2b23d0ba	1797	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	1798	return( ret );
marcozecchini	0:9fca2b23d0ba	1799	break;
marcozecchini	0:9fca2b23d0ba	1800	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	1801
marcozecchini	0:9fca2b23d0ba	1802	default:
marcozecchini	0:9fca2b23d0ba	1803	MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
marcozecchini	0:9fca2b23d0ba	1804	ext_id ) );
marcozecchini	0:9fca2b23d0ba	1805	}
marcozecchini	0:9fca2b23d0ba	1806
marcozecchini	0:9fca2b23d0ba	1807	ext_len -= 4 + ext_size;
marcozecchini	0:9fca2b23d0ba	1808	ext += 4 + ext_size;
marcozecchini	0:9fca2b23d0ba	1809
marcozecchini	0:9fca2b23d0ba	1810	if( ext_len > 0 && ext_len < 4 )
marcozecchini	0:9fca2b23d0ba	1811	{
marcozecchini	0:9fca2b23d0ba	1812	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
marcozecchini	0:9fca2b23d0ba	1813	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1814	MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
marcozecchini	0:9fca2b23d0ba	1815	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1816	}
marcozecchini	0:9fca2b23d0ba	1817	}
marcozecchini	0:9fca2b23d0ba	1818	#if defined(MBEDTLS_SSL_PROTO_SSL3)
marcozecchini	0:9fca2b23d0ba	1819	}
marcozecchini	0:9fca2b23d0ba	1820	#endif
marcozecchini	0:9fca2b23d0ba	1821
marcozecchini	0:9fca2b23d0ba	1822	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
marcozecchini	0:9fca2b23d0ba	1823	for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
marcozecchini	0:9fca2b23d0ba	1824	{
marcozecchini	0:9fca2b23d0ba	1825	if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
marcozecchini	0:9fca2b23d0ba	1826	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
marcozecchini	0:9fca2b23d0ba	1827	{
marcozecchini	0:9fca2b23d0ba	1828	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
marcozecchini	0:9fca2b23d0ba	1829
marcozecchini	0:9fca2b23d0ba	1830	if( ssl->minor_ver < ssl->conf->max_minor_ver )
marcozecchini	0:9fca2b23d0ba	1831	{
marcozecchini	0:9fca2b23d0ba	1832	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
marcozecchini	0:9fca2b23d0ba	1833
marcozecchini	0:9fca2b23d0ba	1834	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1835	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
marcozecchini	0:9fca2b23d0ba	1836
marcozecchini	0:9fca2b23d0ba	1837	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1838	}
marcozecchini	0:9fca2b23d0ba	1839
marcozecchini	0:9fca2b23d0ba	1840	break;
marcozecchini	0:9fca2b23d0ba	1841	}
marcozecchini	0:9fca2b23d0ba	1842	}
marcozecchini	0:9fca2b23d0ba	1843	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
marcozecchini	0:9fca2b23d0ba	1844
marcozecchini	0:9fca2b23d0ba	1845	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	1846	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	1847
marcozecchini	0:9fca2b23d0ba	1848	/*
marcozecchini	0:9fca2b23d0ba	1849	* Try to fall back to default hash SHA1 if the client
marcozecchini	0:9fca2b23d0ba	1850	* hasn't provided any preferred signature-hash combinations.
marcozecchini	0:9fca2b23d0ba	1851	*/
marcozecchini	0:9fca2b23d0ba	1852	if( sig_hash_alg_ext_present == 0 )
marcozecchini	0:9fca2b23d0ba	1853	{
marcozecchini	0:9fca2b23d0ba	1854	mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
marcozecchini	0:9fca2b23d0ba	1855
marcozecchini	0:9fca2b23d0ba	1856	if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
marcozecchini	0:9fca2b23d0ba	1857	md_default = MBEDTLS_MD_NONE;
marcozecchini	0:9fca2b23d0ba	1858
marcozecchini	0:9fca2b23d0ba	1859	mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
marcozecchini	0:9fca2b23d0ba	1860	}
marcozecchini	0:9fca2b23d0ba	1861
marcozecchini	0:9fca2b23d0ba	1862	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
marcozecchini	0:9fca2b23d0ba	1863	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
marcozecchini	0:9fca2b23d0ba	1864
marcozecchini	0:9fca2b23d0ba	1865	/*
marcozecchini	0:9fca2b23d0ba	1866	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
marcozecchini	0:9fca2b23d0ba	1867	*/
marcozecchini	0:9fca2b23d0ba	1868	for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
marcozecchini	0:9fca2b23d0ba	1869	{
marcozecchini	0:9fca2b23d0ba	1870	if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
marcozecchini	0:9fca2b23d0ba	1871	{
marcozecchini	0:9fca2b23d0ba	1872	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
marcozecchini	0:9fca2b23d0ba	1873	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1874	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
marcozecchini	0:9fca2b23d0ba	1875	{
marcozecchini	0:9fca2b23d0ba	1876	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
marcozecchini	0:9fca2b23d0ba	1877	"during renegotiation" ) );
marcozecchini	0:9fca2b23d0ba	1878	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1879	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1880	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1881	}
marcozecchini	0:9fca2b23d0ba	1882	#endif
marcozecchini	0:9fca2b23d0ba	1883	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
marcozecchini	0:9fca2b23d0ba	1884	break;
marcozecchini	0:9fca2b23d0ba	1885	}
marcozecchini	0:9fca2b23d0ba	1886	}
marcozecchini	0:9fca2b23d0ba	1887
marcozecchini	0:9fca2b23d0ba	1888	/*
marcozecchini	0:9fca2b23d0ba	1889	* Renegotiation security checks
marcozecchini	0:9fca2b23d0ba	1890	*/
marcozecchini	0:9fca2b23d0ba	1891	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1892	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	1893	{
marcozecchini	0:9fca2b23d0ba	1894	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
marcozecchini	0:9fca2b23d0ba	1895	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1896	}
marcozecchini	0:9fca2b23d0ba	1897	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	1898	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
marcozecchini	0:9fca2b23d0ba	1899	ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1900	renegotiation_info_seen == 0 )
marcozecchini	0:9fca2b23d0ba	1901	{
marcozecchini	0:9fca2b23d0ba	1902	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
marcozecchini	0:9fca2b23d0ba	1903	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1904	}
marcozecchini	0:9fca2b23d0ba	1905	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
marcozecchini	0:9fca2b23d0ba	1906	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1907	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
marcozecchini	0:9fca2b23d0ba	1908	{
marcozecchini	0:9fca2b23d0ba	1909	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
marcozecchini	0:9fca2b23d0ba	1910	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1911	}
marcozecchini	0:9fca2b23d0ba	1912	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
marcozecchini	0:9fca2b23d0ba	1913	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
marcozecchini	0:9fca2b23d0ba	1914	renegotiation_info_seen == 1 )
marcozecchini	0:9fca2b23d0ba	1915	{
marcozecchini	0:9fca2b23d0ba	1916	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
marcozecchini	0:9fca2b23d0ba	1917	handshake_failure = 1;
marcozecchini	0:9fca2b23d0ba	1918	}
marcozecchini	0:9fca2b23d0ba	1919	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	1920
marcozecchini	0:9fca2b23d0ba	1921	if( handshake_failure == 1 )
marcozecchini	0:9fca2b23d0ba	1922	{
marcozecchini	0:9fca2b23d0ba	1923	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1924	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1925	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
marcozecchini	0:9fca2b23d0ba	1926	}
marcozecchini	0:9fca2b23d0ba	1927
marcozecchini	0:9fca2b23d0ba	1928	/*
marcozecchini	0:9fca2b23d0ba	1929	* Search for a matching ciphersuite
marcozecchini	0:9fca2b23d0ba	1930	* (At the end because we need information from the EC-based extensions
marcozecchini	0:9fca2b23d0ba	1931	* and certificate from the SNI callback triggered by the SNI extension.)
marcozecchini	0:9fca2b23d0ba	1932	*/
marcozecchini	0:9fca2b23d0ba	1933	got_common_suite = 0;
marcozecchini	0:9fca2b23d0ba	1934	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
marcozecchini	0:9fca2b23d0ba	1935	ciphersuite_info = NULL;
marcozecchini	0:9fca2b23d0ba	1936	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
marcozecchini	0:9fca2b23d0ba	1937	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
marcozecchini	0:9fca2b23d0ba	1938	for( i = 0; ciphersuites[i] != 0; i++ )
marcozecchini	0:9fca2b23d0ba	1939	#else
marcozecchini	0:9fca2b23d0ba	1940	for( i = 0; ciphersuites[i] != 0; i++ )
marcozecchini	0:9fca2b23d0ba	1941	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
marcozecchini	0:9fca2b23d0ba	1942	#endif
marcozecchini	0:9fca2b23d0ba	1943	{
marcozecchini	0:9fca2b23d0ba	1944	if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
marcozecchini	0:9fca2b23d0ba	1945	p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
marcozecchini	0:9fca2b23d0ba	1946	continue;
marcozecchini	0:9fca2b23d0ba	1947
marcozecchini	0:9fca2b23d0ba	1948	got_common_suite = 1;
marcozecchini	0:9fca2b23d0ba	1949
marcozecchini	0:9fca2b23d0ba	1950	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
marcozecchini	0:9fca2b23d0ba	1951	&ciphersuite_info ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	1952	return( ret );
marcozecchini	0:9fca2b23d0ba	1953
marcozecchini	0:9fca2b23d0ba	1954	if( ciphersuite_info != NULL )
marcozecchini	0:9fca2b23d0ba	1955	goto have_ciphersuite;
marcozecchini	0:9fca2b23d0ba	1956	}
marcozecchini	0:9fca2b23d0ba	1957
marcozecchini	0:9fca2b23d0ba	1958	if( got_common_suite )
marcozecchini	0:9fca2b23d0ba	1959	{
marcozecchini	0:9fca2b23d0ba	1960	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
marcozecchini	0:9fca2b23d0ba	1961	"but none of them usable" ) );
marcozecchini	0:9fca2b23d0ba	1962	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1963	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1964	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
marcozecchini	0:9fca2b23d0ba	1965	}
marcozecchini	0:9fca2b23d0ba	1966	else
marcozecchini	0:9fca2b23d0ba	1967	{
marcozecchini	0:9fca2b23d0ba	1968	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
marcozecchini	0:9fca2b23d0ba	1969	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	1970	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
marcozecchini	0:9fca2b23d0ba	1971	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
marcozecchini	0:9fca2b23d0ba	1972	}
marcozecchini	0:9fca2b23d0ba	1973
marcozecchini	0:9fca2b23d0ba	1974	have_ciphersuite:
marcozecchini	0:9fca2b23d0ba	1975	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
marcozecchini	0:9fca2b23d0ba	1976
marcozecchini	0:9fca2b23d0ba	1977	ssl->session_negotiate->ciphersuite = ciphersuites[i];
marcozecchini	0:9fca2b23d0ba	1978	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	1979
marcozecchini	0:9fca2b23d0ba	1980	ssl->state++;
marcozecchini	0:9fca2b23d0ba	1981
marcozecchini	0:9fca2b23d0ba	1982	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	1983	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	1984	mbedtls_ssl_recv_flight_completed( ssl );
marcozecchini	0:9fca2b23d0ba	1985	#endif
marcozecchini	0:9fca2b23d0ba	1986
marcozecchini	0:9fca2b23d0ba	1987	/* Debugging-only output for testsuite */
marcozecchini	0:9fca2b23d0ba	1988	#if defined(MBEDTLS_DEBUG_C) && \
marcozecchini	0:9fca2b23d0ba	1989	defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
marcozecchini	0:9fca2b23d0ba	1990	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
marcozecchini	0:9fca2b23d0ba	1991	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	1992	{
marcozecchini	0:9fca2b23d0ba	1993	mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
marcozecchini	0:9fca2b23d0ba	1994	if( sig_alg != MBEDTLS_PK_NONE )
marcozecchini	0:9fca2b23d0ba	1995	{
marcozecchini	0:9fca2b23d0ba	1996	mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
marcozecchini	0:9fca2b23d0ba	1997	sig_alg );
marcozecchini	0:9fca2b23d0ba	1998	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
marcozecchini	0:9fca2b23d0ba	1999	mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
marcozecchini	0:9fca2b23d0ba	2000	}
marcozecchini	0:9fca2b23d0ba	2001	else
marcozecchini	0:9fca2b23d0ba	2002	{
marcozecchini	0:9fca2b23d0ba	2003	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
marcozecchini	0:9fca2b23d0ba	2004	"%d - should not happen", sig_alg ) );
marcozecchini	0:9fca2b23d0ba	2005	}
marcozecchini	0:9fca2b23d0ba	2006	}
marcozecchini	0:9fca2b23d0ba	2007	#endif
marcozecchini	0:9fca2b23d0ba	2008
marcozecchini	0:9fca2b23d0ba	2009	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
marcozecchini	0:9fca2b23d0ba	2010
marcozecchini	0:9fca2b23d0ba	2011	return( 0 );
marcozecchini	0:9fca2b23d0ba	2012	}
marcozecchini	0:9fca2b23d0ba	2013
marcozecchini	0:9fca2b23d0ba	2014	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	2015	static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2016	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2017	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2018	{
marcozecchini	0:9fca2b23d0ba	2019	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2020
marcozecchini	0:9fca2b23d0ba	2021	if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
marcozecchini	0:9fca2b23d0ba	2022	{
marcozecchini	0:9fca2b23d0ba	2023	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2024	return;
marcozecchini	0:9fca2b23d0ba	2025	}
marcozecchini	0:9fca2b23d0ba	2026
marcozecchini	0:9fca2b23d0ba	2027	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
marcozecchini	0:9fca2b23d0ba	2028
marcozecchini	0:9fca2b23d0ba	2029	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2030	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2031
marcozecchini	0:9fca2b23d0ba	2032	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2033	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2034
marcozecchini	0:9fca2b23d0ba	2035	*olen = 4;
marcozecchini	0:9fca2b23d0ba	2036	}
marcozecchini	0:9fca2b23d0ba	2037	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
marcozecchini	0:9fca2b23d0ba	2038
marcozecchini	0:9fca2b23d0ba	2039	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	2040	static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2041	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2042	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2043	{
marcozecchini	0:9fca2b23d0ba	2044	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2045	const mbedtls_ssl_ciphersuite_t *suite = NULL;
marcozecchini	0:9fca2b23d0ba	2046	const mbedtls_cipher_info_t *cipher = NULL;
marcozecchini	0:9fca2b23d0ba	2047
marcozecchini	0:9fca2b23d0ba	2048	if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	2049	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
marcozecchini	0:9fca2b23d0ba	2050	{
marcozecchini	0:9fca2b23d0ba	2051	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2052	return;
marcozecchini	0:9fca2b23d0ba	2053	}
marcozecchini	0:9fca2b23d0ba	2054
marcozecchini	0:9fca2b23d0ba	2055	/*
marcozecchini	0:9fca2b23d0ba	2056	* RFC 7366: "If a server receives an encrypt-then-MAC request extension
marcozecchini	0:9fca2b23d0ba	2057	* from a client and then selects a stream or Authenticated Encryption
marcozecchini	0:9fca2b23d0ba	2058	* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
marcozecchini	0:9fca2b23d0ba	2059	* encrypt-then-MAC response extension back to the client."
marcozecchini	0:9fca2b23d0ba	2060	*/
marcozecchini	0:9fca2b23d0ba	2061	if( ( suite = mbedtls_ssl_ciphersuite_from_id(
marcozecchini	0:9fca2b23d0ba	2062	ssl->session_negotiate->ciphersuite ) ) == NULL \|\|
marcozecchini	0:9fca2b23d0ba	2063	( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL \|\|
marcozecchini	0:9fca2b23d0ba	2064	cipher->mode != MBEDTLS_MODE_CBC )
marcozecchini	0:9fca2b23d0ba	2065	{
marcozecchini	0:9fca2b23d0ba	2066	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2067	return;
marcozecchini	0:9fca2b23d0ba	2068	}
marcozecchini	0:9fca2b23d0ba	2069
marcozecchini	0:9fca2b23d0ba	2070	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
marcozecchini	0:9fca2b23d0ba	2071
marcozecchini	0:9fca2b23d0ba	2072	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2073	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2074
marcozecchini	0:9fca2b23d0ba	2075	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2076	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2077
marcozecchini	0:9fca2b23d0ba	2078	*olen = 4;
marcozecchini	0:9fca2b23d0ba	2079	}
marcozecchini	0:9fca2b23d0ba	2080	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
marcozecchini	0:9fca2b23d0ba	2081
marcozecchini	0:9fca2b23d0ba	2082	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	2083	static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2084	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2085	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2086	{
marcozecchini	0:9fca2b23d0ba	2087	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2088
marcozecchini	0:9fca2b23d0ba	2089	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
marcozecchini	0:9fca2b23d0ba	2090	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
marcozecchini	0:9fca2b23d0ba	2091	{
marcozecchini	0:9fca2b23d0ba	2092	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2093	return;
marcozecchini	0:9fca2b23d0ba	2094	}
marcozecchini	0:9fca2b23d0ba	2095
marcozecchini	0:9fca2b23d0ba	2096	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
marcozecchini	0:9fca2b23d0ba	2097	"extension" ) );
marcozecchini	0:9fca2b23d0ba	2098
marcozecchini	0:9fca2b23d0ba	2099	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2100	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2101
marcozecchini	0:9fca2b23d0ba	2102	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2103	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2104
marcozecchini	0:9fca2b23d0ba	2105	*olen = 4;
marcozecchini	0:9fca2b23d0ba	2106	}
marcozecchini	0:9fca2b23d0ba	2107	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
marcozecchini	0:9fca2b23d0ba	2108
marcozecchini	0:9fca2b23d0ba	2109	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	2110	static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2111	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2112	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2113	{
marcozecchini	0:9fca2b23d0ba	2114	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2115
marcozecchini	0:9fca2b23d0ba	2116	if( ssl->handshake->new_session_ticket == 0 )
marcozecchini	0:9fca2b23d0ba	2117	{
marcozecchini	0:9fca2b23d0ba	2118	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2119	return;
marcozecchini	0:9fca2b23d0ba	2120	}
marcozecchini	0:9fca2b23d0ba	2121
marcozecchini	0:9fca2b23d0ba	2122	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
marcozecchini	0:9fca2b23d0ba	2123
marcozecchini	0:9fca2b23d0ba	2124	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2125	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2126
marcozecchini	0:9fca2b23d0ba	2127	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2128	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2129
marcozecchini	0:9fca2b23d0ba	2130	*olen = 4;
marcozecchini	0:9fca2b23d0ba	2131	}
marcozecchini	0:9fca2b23d0ba	2132	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	2133
marcozecchini	0:9fca2b23d0ba	2134	static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2135	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2136	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2137	{
marcozecchini	0:9fca2b23d0ba	2138	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2139
marcozecchini	0:9fca2b23d0ba	2140	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
marcozecchini	0:9fca2b23d0ba	2141	{
marcozecchini	0:9fca2b23d0ba	2142	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2143	return;
marcozecchini	0:9fca2b23d0ba	2144	}
marcozecchini	0:9fca2b23d0ba	2145
marcozecchini	0:9fca2b23d0ba	2146	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
marcozecchini	0:9fca2b23d0ba	2147
marcozecchini	0:9fca2b23d0ba	2148	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2149	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2150
marcozecchini	0:9fca2b23d0ba	2151	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	2152	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	2153	{
marcozecchini	0:9fca2b23d0ba	2154	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2155	p++ = ( ssl->verify_data_len 2 + 1 ) & 0xFF;
marcozecchini	0:9fca2b23d0ba	2156	p++ = ssl->verify_data_len 2 & 0xFF;
marcozecchini	0:9fca2b23d0ba	2157
marcozecchini	0:9fca2b23d0ba	2158	memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
marcozecchini	0:9fca2b23d0ba	2159	p += ssl->verify_data_len;
marcozecchini	0:9fca2b23d0ba	2160	memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
marcozecchini	0:9fca2b23d0ba	2161	p += ssl->verify_data_len;
marcozecchini	0:9fca2b23d0ba	2162	}
marcozecchini	0:9fca2b23d0ba	2163	else
marcozecchini	0:9fca2b23d0ba	2164	#endif /* MBEDTLS_SSL_RENEGOTIATION */
marcozecchini	0:9fca2b23d0ba	2165	{
marcozecchini	0:9fca2b23d0ba	2166	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2167	*p++ = 0x01;
marcozecchini	0:9fca2b23d0ba	2168	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2169	}
marcozecchini	0:9fca2b23d0ba	2170
marcozecchini	0:9fca2b23d0ba	2171	*olen = p - buf;
marcozecchini	0:9fca2b23d0ba	2172	}
marcozecchini	0:9fca2b23d0ba	2173
marcozecchini	0:9fca2b23d0ba	2174	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	2175	static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2176	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2177	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2178	{
marcozecchini	0:9fca2b23d0ba	2179	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2180
marcozecchini	0:9fca2b23d0ba	2181	if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
marcozecchini	0:9fca2b23d0ba	2182	{
marcozecchini	0:9fca2b23d0ba	2183	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2184	return;
marcozecchini	0:9fca2b23d0ba	2185	}
marcozecchini	0:9fca2b23d0ba	2186
marcozecchini	0:9fca2b23d0ba	2187	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
marcozecchini	0:9fca2b23d0ba	2188
marcozecchini	0:9fca2b23d0ba	2189	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2190	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2191
marcozecchini	0:9fca2b23d0ba	2192	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2193	*p++ = 1;
marcozecchini	0:9fca2b23d0ba	2194
marcozecchini	0:9fca2b23d0ba	2195	*p++ = ssl->session_negotiate->mfl_code;
marcozecchini	0:9fca2b23d0ba	2196
marcozecchini	0:9fca2b23d0ba	2197	*olen = 5;
marcozecchini	0:9fca2b23d0ba	2198	}
marcozecchini	0:9fca2b23d0ba	2199	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
marcozecchini	0:9fca2b23d0ba	2200
marcozecchini	0:9fca2b23d0ba	2201	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	2202	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2203	static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2204	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2205	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2206	{
marcozecchini	0:9fca2b23d0ba	2207	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2208	((void) ssl);
marcozecchini	0:9fca2b23d0ba	2209
marcozecchini	0:9fca2b23d0ba	2210	if( ( ssl->handshake->cli_exts &
marcozecchini	0:9fca2b23d0ba	2211	MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
marcozecchini	0:9fca2b23d0ba	2212	{
marcozecchini	0:9fca2b23d0ba	2213	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2214	return;
marcozecchini	0:9fca2b23d0ba	2215	}
marcozecchini	0:9fca2b23d0ba	2216
marcozecchini	0:9fca2b23d0ba	2217	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
marcozecchini	0:9fca2b23d0ba	2218
marcozecchini	0:9fca2b23d0ba	2219	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2220	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2221
marcozecchini	0:9fca2b23d0ba	2222	*p++ = 0x00;
marcozecchini	0:9fca2b23d0ba	2223	*p++ = 2;
marcozecchini	0:9fca2b23d0ba	2224
marcozecchini	0:9fca2b23d0ba	2225	*p++ = 1;
marcozecchini	0:9fca2b23d0ba	2226	*p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
marcozecchini	0:9fca2b23d0ba	2227
marcozecchini	0:9fca2b23d0ba	2228	*olen = 6;
marcozecchini	0:9fca2b23d0ba	2229	}
marcozecchini	0:9fca2b23d0ba	2230	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\| MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	2231
marcozecchini	0:9fca2b23d0ba	2232	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2233	static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2234	unsigned char *buf,
marcozecchini	0:9fca2b23d0ba	2235	size_t *olen )
marcozecchini	0:9fca2b23d0ba	2236	{
marcozecchini	0:9fca2b23d0ba	2237	int ret;
marcozecchini	0:9fca2b23d0ba	2238	unsigned char *p = buf;
marcozecchini	0:9fca2b23d0ba	2239	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	2240	size_t kkpp_len;
marcozecchini	0:9fca2b23d0ba	2241
marcozecchini	0:9fca2b23d0ba	2242	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2243
marcozecchini	0:9fca2b23d0ba	2244	/* Skip costly computation if not needed */
marcozecchini	0:9fca2b23d0ba	2245	if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
marcozecchini	0:9fca2b23d0ba	2246	MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	2247	return;
marcozecchini	0:9fca2b23d0ba	2248
marcozecchini	0:9fca2b23d0ba	2249	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
marcozecchini	0:9fca2b23d0ba	2250
marcozecchini	0:9fca2b23d0ba	2251	if( end - p < 4 )
marcozecchini	0:9fca2b23d0ba	2252	{
marcozecchini	0:9fca2b23d0ba	2253	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
marcozecchini	0:9fca2b23d0ba	2254	return;
marcozecchini	0:9fca2b23d0ba	2255	}
marcozecchini	0:9fca2b23d0ba	2256
marcozecchini	0:9fca2b23d0ba	2257	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2258	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2259
marcozecchini	0:9fca2b23d0ba	2260	ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	2261	p + 2, end - p - 2, &kkpp_len,
marcozecchini	0:9fca2b23d0ba	2262	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	2263	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	2264	{
marcozecchini	0:9fca2b23d0ba	2265	MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
marcozecchini	0:9fca2b23d0ba	2266	return;
marcozecchini	0:9fca2b23d0ba	2267	}
marcozecchini	0:9fca2b23d0ba	2268
marcozecchini	0:9fca2b23d0ba	2269	*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2270	*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2271
marcozecchini	0:9fca2b23d0ba	2272	*olen = kkpp_len + 4;
marcozecchini	0:9fca2b23d0ba	2273	}
marcozecchini	0:9fca2b23d0ba	2274	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	2275
marcozecchini	0:9fca2b23d0ba	2276	#if defined(MBEDTLS_SSL_ALPN )
marcozecchini	0:9fca2b23d0ba	2277	static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	2278	unsigned char buf, size_t olen )
marcozecchini	0:9fca2b23d0ba	2279	{
marcozecchini	0:9fca2b23d0ba	2280	if( ssl->alpn_chosen == NULL )
marcozecchini	0:9fca2b23d0ba	2281	{
marcozecchini	0:9fca2b23d0ba	2282	*olen = 0;
marcozecchini	0:9fca2b23d0ba	2283	return;
marcozecchini	0:9fca2b23d0ba	2284	}
marcozecchini	0:9fca2b23d0ba	2285
marcozecchini	0:9fca2b23d0ba	2286	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
marcozecchini	0:9fca2b23d0ba	2287
marcozecchini	0:9fca2b23d0ba	2288	/*
marcozecchini	0:9fca2b23d0ba	2289	* 0 . 1 ext identifier
marcozecchini	0:9fca2b23d0ba	2290	* 2 . 3 ext length
marcozecchini	0:9fca2b23d0ba	2291	* 4 . 5 protocol list length
marcozecchini	0:9fca2b23d0ba	2292	* 6 . 6 protocol name length
marcozecchini	0:9fca2b23d0ba	2293	* 7 . 7+n protocol name
marcozecchini	0:9fca2b23d0ba	2294	*/
marcozecchini	0:9fca2b23d0ba	2295	buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2296	buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2297
marcozecchini	0:9fca2b23d0ba	2298	*olen = 7 + strlen( ssl->alpn_chosen );
marcozecchini	0:9fca2b23d0ba	2299
marcozecchini	0:9fca2b23d0ba	2300	buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2301	buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2302
marcozecchini	0:9fca2b23d0ba	2303	buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2304	buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2305
marcozecchini	0:9fca2b23d0ba	2306	buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2307
marcozecchini	0:9fca2b23d0ba	2308	memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
marcozecchini	0:9fca2b23d0ba	2309	}
marcozecchini	0:9fca2b23d0ba	2310	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C */
marcozecchini	0:9fca2b23d0ba	2311
marcozecchini	0:9fca2b23d0ba	2312	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
marcozecchini	0:9fca2b23d0ba	2313	static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2314	{
marcozecchini	0:9fca2b23d0ba	2315	int ret;
marcozecchini	0:9fca2b23d0ba	2316	unsigned char *p = ssl->out_msg + 4;
marcozecchini	0:9fca2b23d0ba	2317	unsigned char *cookie_len_byte;
marcozecchini	0:9fca2b23d0ba	2318
marcozecchini	0:9fca2b23d0ba	2319	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
marcozecchini	0:9fca2b23d0ba	2320
marcozecchini	0:9fca2b23d0ba	2321	/*
marcozecchini	0:9fca2b23d0ba	2322	* struct {
marcozecchini	0:9fca2b23d0ba	2323	* ProtocolVersion server_version;
marcozecchini	0:9fca2b23d0ba	2324	* opaque cookie<0..2^8-1>;
marcozecchini	0:9fca2b23d0ba	2325	* } HelloVerifyRequest;
marcozecchini	0:9fca2b23d0ba	2326	*/
marcozecchini	0:9fca2b23d0ba	2327
marcozecchini	0:9fca2b23d0ba	2328	/* The RFC is not clear on this point, but sending the actual negotiated
marcozecchini	0:9fca2b23d0ba	2329	* version looks like the most interoperable thing to do. */
marcozecchini	0:9fca2b23d0ba	2330	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
marcozecchini	0:9fca2b23d0ba	2331	ssl->conf->transport, p );
marcozecchini	0:9fca2b23d0ba	2332	MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
marcozecchini	0:9fca2b23d0ba	2333	p += 2;
marcozecchini	0:9fca2b23d0ba	2334
marcozecchini	0:9fca2b23d0ba	2335	/* If we get here, f_cookie_check is not null */
marcozecchini	0:9fca2b23d0ba	2336	if( ssl->conf->f_cookie_write == NULL )
marcozecchini	0:9fca2b23d0ba	2337	{
marcozecchini	0:9fca2b23d0ba	2338	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
marcozecchini	0:9fca2b23d0ba	2339	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2340	}
marcozecchini	0:9fca2b23d0ba	2341
marcozecchini	0:9fca2b23d0ba	2342	/* Skip length byte until we know the length */
marcozecchini	0:9fca2b23d0ba	2343	cookie_len_byte = p++;
marcozecchini	0:9fca2b23d0ba	2344
marcozecchini	0:9fca2b23d0ba	2345	if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
marcozecchini	0:9fca2b23d0ba	2346	&p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
marcozecchini	0:9fca2b23d0ba	2347	ssl->cli_id, ssl->cli_id_len ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2348	{
marcozecchini	0:9fca2b23d0ba	2349	MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
marcozecchini	0:9fca2b23d0ba	2350	return( ret );
marcozecchini	0:9fca2b23d0ba	2351	}
marcozecchini	0:9fca2b23d0ba	2352
marcozecchini	0:9fca2b23d0ba	2353	*cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
marcozecchini	0:9fca2b23d0ba	2354
marcozecchini	0:9fca2b23d0ba	2355	MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
marcozecchini	0:9fca2b23d0ba	2356
marcozecchini	0:9fca2b23d0ba	2357	ssl->out_msglen = p - ssl->out_msg;
marcozecchini	0:9fca2b23d0ba	2358	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	2359	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
marcozecchini	0:9fca2b23d0ba	2360
marcozecchini	0:9fca2b23d0ba	2361	ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
marcozecchini	0:9fca2b23d0ba	2362
marcozecchini	0:9fca2b23d0ba	2363	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2364	{
marcozecchini	0:9fca2b23d0ba	2365	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
marcozecchini	0:9fca2b23d0ba	2366	return( ret );
marcozecchini	0:9fca2b23d0ba	2367	}
marcozecchini	0:9fca2b23d0ba	2368
marcozecchini	0:9fca2b23d0ba	2369	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
marcozecchini	0:9fca2b23d0ba	2370
marcozecchini	0:9fca2b23d0ba	2371	return( 0 );
marcozecchini	0:9fca2b23d0ba	2372	}
marcozecchini	0:9fca2b23d0ba	2373	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
marcozecchini	0:9fca2b23d0ba	2374
marcozecchini	0:9fca2b23d0ba	2375	static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2376	{
marcozecchini	0:9fca2b23d0ba	2377	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	2378	mbedtls_time_t t;
marcozecchini	0:9fca2b23d0ba	2379	#endif
marcozecchini	0:9fca2b23d0ba	2380	int ret;
marcozecchini	0:9fca2b23d0ba	2381	size_t olen, ext_len = 0, n;
marcozecchini	0:9fca2b23d0ba	2382	unsigned char buf, p;
marcozecchini	0:9fca2b23d0ba	2383
marcozecchini	0:9fca2b23d0ba	2384	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
marcozecchini	0:9fca2b23d0ba	2385
marcozecchini	0:9fca2b23d0ba	2386	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
marcozecchini	0:9fca2b23d0ba	2387	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
marcozecchini	0:9fca2b23d0ba	2388	ssl->handshake->verify_cookie_len != 0 )
marcozecchini	0:9fca2b23d0ba	2389	{
marcozecchini	0:9fca2b23d0ba	2390	MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
marcozecchini	0:9fca2b23d0ba	2391	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
marcozecchini	0:9fca2b23d0ba	2392
marcozecchini	0:9fca2b23d0ba	2393	return( ssl_write_hello_verify_request( ssl ) );
marcozecchini	0:9fca2b23d0ba	2394	}
marcozecchini	0:9fca2b23d0ba	2395	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
marcozecchini	0:9fca2b23d0ba	2396
marcozecchini	0:9fca2b23d0ba	2397	if( ssl->conf->f_rng == NULL )
marcozecchini	0:9fca2b23d0ba	2398	{
marcozecchini	0:9fca2b23d0ba	2399	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
marcozecchini	0:9fca2b23d0ba	2400	return( MBEDTLS_ERR_SSL_NO_RNG );
marcozecchini	0:9fca2b23d0ba	2401	}
marcozecchini	0:9fca2b23d0ba	2402
marcozecchini	0:9fca2b23d0ba	2403	/*
marcozecchini	0:9fca2b23d0ba	2404	* 0 . 0 handshake type
marcozecchini	0:9fca2b23d0ba	2405	* 1 . 3 handshake length
marcozecchini	0:9fca2b23d0ba	2406	* 4 . 5 protocol version
marcozecchini	0:9fca2b23d0ba	2407	* 6 . 9 UNIX time()
marcozecchini	0:9fca2b23d0ba	2408	* 10 . 37 random bytes
marcozecchini	0:9fca2b23d0ba	2409	*/
marcozecchini	0:9fca2b23d0ba	2410	buf = ssl->out_msg;
marcozecchini	0:9fca2b23d0ba	2411	p = buf + 4;
marcozecchini	0:9fca2b23d0ba	2412
marcozecchini	0:9fca2b23d0ba	2413	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
marcozecchini	0:9fca2b23d0ba	2414	ssl->conf->transport, p );
marcozecchini	0:9fca2b23d0ba	2415	p += 2;
marcozecchini	0:9fca2b23d0ba	2416
marcozecchini	0:9fca2b23d0ba	2417	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
marcozecchini	0:9fca2b23d0ba	2418	buf[4], buf[5] ) );
marcozecchini	0:9fca2b23d0ba	2419
marcozecchini	0:9fca2b23d0ba	2420	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	2421	t = mbedtls_time( NULL );
marcozecchini	0:9fca2b23d0ba	2422	*p++ = (unsigned char)( t >> 24 );
marcozecchini	0:9fca2b23d0ba	2423	*p++ = (unsigned char)( t >> 16 );
marcozecchini	0:9fca2b23d0ba	2424	*p++ = (unsigned char)( t >> 8 );
marcozecchini	0:9fca2b23d0ba	2425	*p++ = (unsigned char)( t );
marcozecchini	0:9fca2b23d0ba	2426
marcozecchini	0:9fca2b23d0ba	2427	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
marcozecchini	0:9fca2b23d0ba	2428	#else
marcozecchini	0:9fca2b23d0ba	2429	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2430	return( ret );
marcozecchini	0:9fca2b23d0ba	2431
marcozecchini	0:9fca2b23d0ba	2432	p += 4;
marcozecchini	0:9fca2b23d0ba	2433	#endif /* MBEDTLS_HAVE_TIME */
marcozecchini	0:9fca2b23d0ba	2434
marcozecchini	0:9fca2b23d0ba	2435	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2436	return( ret );
marcozecchini	0:9fca2b23d0ba	2437
marcozecchini	0:9fca2b23d0ba	2438	p += 28;
marcozecchini	0:9fca2b23d0ba	2439
marcozecchini	0:9fca2b23d0ba	2440	memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
marcozecchini	0:9fca2b23d0ba	2441
marcozecchini	0:9fca2b23d0ba	2442	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
marcozecchini	0:9fca2b23d0ba	2443
marcozecchini	0:9fca2b23d0ba	2444	/*
marcozecchini	0:9fca2b23d0ba	2445	* Resume is 0 by default, see ssl_handshake_init().
marcozecchini	0:9fca2b23d0ba	2446	* It may be already set to 1 by ssl_parse_session_ticket_ext().
marcozecchini	0:9fca2b23d0ba	2447	* If not, try looking up session ID in our cache.
marcozecchini	0:9fca2b23d0ba	2448	*/
marcozecchini	0:9fca2b23d0ba	2449	if( ssl->handshake->resume == 0 &&
marcozecchini	0:9fca2b23d0ba	2450	#if defined(MBEDTLS_SSL_RENEGOTIATION)
marcozecchini	0:9fca2b23d0ba	2451	ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
marcozecchini	0:9fca2b23d0ba	2452	#endif
marcozecchini	0:9fca2b23d0ba	2453	ssl->session_negotiate->id_len != 0 &&
marcozecchini	0:9fca2b23d0ba	2454	ssl->conf->f_get_cache != NULL &&
marcozecchini	0:9fca2b23d0ba	2455	ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
marcozecchini	0:9fca2b23d0ba	2456	{
marcozecchini	0:9fca2b23d0ba	2457	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
marcozecchini	0:9fca2b23d0ba	2458	ssl->handshake->resume = 1;
marcozecchini	0:9fca2b23d0ba	2459	}
marcozecchini	0:9fca2b23d0ba	2460
marcozecchini	0:9fca2b23d0ba	2461	if( ssl->handshake->resume == 0 )
marcozecchini	0:9fca2b23d0ba	2462	{
marcozecchini	0:9fca2b23d0ba	2463	/*
marcozecchini	0:9fca2b23d0ba	2464	* New session, create a new session id,
marcozecchini	0:9fca2b23d0ba	2465	* unless we're about to issue a session ticket
marcozecchini	0:9fca2b23d0ba	2466	*/
marcozecchini	0:9fca2b23d0ba	2467	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2468
marcozecchini	0:9fca2b23d0ba	2469	#if defined(MBEDTLS_HAVE_TIME)
marcozecchini	0:9fca2b23d0ba	2470	ssl->session_negotiate->start = mbedtls_time( NULL );
marcozecchini	0:9fca2b23d0ba	2471	#endif
marcozecchini	0:9fca2b23d0ba	2472
marcozecchini	0:9fca2b23d0ba	2473	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	2474	if( ssl->handshake->new_session_ticket != 0 )
marcozecchini	0:9fca2b23d0ba	2475	{
marcozecchini	0:9fca2b23d0ba	2476	ssl->session_negotiate->id_len = n = 0;
marcozecchini	0:9fca2b23d0ba	2477	memset( ssl->session_negotiate->id, 0, 32 );
marcozecchini	0:9fca2b23d0ba	2478	}
marcozecchini	0:9fca2b23d0ba	2479	else
marcozecchini	0:9fca2b23d0ba	2480	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	2481	{
marcozecchini	0:9fca2b23d0ba	2482	ssl->session_negotiate->id_len = n = 32;
marcozecchini	0:9fca2b23d0ba	2483	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
marcozecchini	0:9fca2b23d0ba	2484	n ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2485	return( ret );
marcozecchini	0:9fca2b23d0ba	2486	}
marcozecchini	0:9fca2b23d0ba	2487	}
marcozecchini	0:9fca2b23d0ba	2488	else
marcozecchini	0:9fca2b23d0ba	2489	{
marcozecchini	0:9fca2b23d0ba	2490	/*
marcozecchini	0:9fca2b23d0ba	2491	* Resuming a session
marcozecchini	0:9fca2b23d0ba	2492	*/
marcozecchini	0:9fca2b23d0ba	2493	n = ssl->session_negotiate->id_len;
marcozecchini	0:9fca2b23d0ba	2494	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
marcozecchini	0:9fca2b23d0ba	2495
marcozecchini	0:9fca2b23d0ba	2496	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2497	{
marcozecchini	0:9fca2b23d0ba	2498	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
marcozecchini	0:9fca2b23d0ba	2499	return( ret );
marcozecchini	0:9fca2b23d0ba	2500	}
marcozecchini	0:9fca2b23d0ba	2501	}
marcozecchini	0:9fca2b23d0ba	2502
marcozecchini	0:9fca2b23d0ba	2503	/*
marcozecchini	0:9fca2b23d0ba	2504	* 38 . 38 session id length
marcozecchini	0:9fca2b23d0ba	2505	* 39 . 38+n session id
marcozecchini	0:9fca2b23d0ba	2506	* 39+n . 40+n chosen ciphersuite
marcozecchini	0:9fca2b23d0ba	2507	* 41+n . 41+n chosen compression alg.
marcozecchini	0:9fca2b23d0ba	2508	* 42+n . 43+n extensions length
marcozecchini	0:9fca2b23d0ba	2509	* 44+n . 43+n+m extensions
marcozecchini	0:9fca2b23d0ba	2510	*/
marcozecchini	0:9fca2b23d0ba	2511	*p++ = (unsigned char) ssl->session_negotiate->id_len;
marcozecchini	0:9fca2b23d0ba	2512	memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
marcozecchini	0:9fca2b23d0ba	2513	p += ssl->session_negotiate->id_len;
marcozecchini	0:9fca2b23d0ba	2514
marcozecchini	0:9fca2b23d0ba	2515	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
marcozecchini	0:9fca2b23d0ba	2516	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
marcozecchini	0:9fca2b23d0ba	2517	MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
marcozecchini	0:9fca2b23d0ba	2518	ssl->handshake->resume ? "a" : "no" ) );
marcozecchini	0:9fca2b23d0ba	2519
marcozecchini	0:9fca2b23d0ba	2520	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
marcozecchini	0:9fca2b23d0ba	2521	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
marcozecchini	0:9fca2b23d0ba	2522	*p++ = (unsigned char)( ssl->session_negotiate->compression );
marcozecchini	0:9fca2b23d0ba	2523
marcozecchini	0:9fca2b23d0ba	2524	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
marcozecchini	0:9fca2b23d0ba	2525	mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
marcozecchini	0:9fca2b23d0ba	2526	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
marcozecchini	0:9fca2b23d0ba	2527	ssl->session_negotiate->compression ) );
marcozecchini	0:9fca2b23d0ba	2528
marcozecchini	0:9fca2b23d0ba	2529	/* Do not write the extensions if the protocol is SSLv3 */
marcozecchini	0:9fca2b23d0ba	2530	#if defined(MBEDTLS_SSL_PROTO_SSL3)
marcozecchini	0:9fca2b23d0ba	2531	if( ( ssl->major_ver != 3 ) \|\| ( ssl->minor_ver != 0 ) )
marcozecchini	0:9fca2b23d0ba	2532	{
marcozecchini	0:9fca2b23d0ba	2533	#endif
marcozecchini	0:9fca2b23d0ba	2534
marcozecchini	0:9fca2b23d0ba	2535	/*
marcozecchini	0:9fca2b23d0ba	2536	* First write extensions, then the total length
marcozecchini	0:9fca2b23d0ba	2537	*/
marcozecchini	0:9fca2b23d0ba	2538	ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2539	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2540
marcozecchini	0:9fca2b23d0ba	2541	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
marcozecchini	0:9fca2b23d0ba	2542	ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2543	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2544	#endif
marcozecchini	0:9fca2b23d0ba	2545
marcozecchini	0:9fca2b23d0ba	2546	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
marcozecchini	0:9fca2b23d0ba	2547	ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2548	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2549	#endif
marcozecchini	0:9fca2b23d0ba	2550
marcozecchini	0:9fca2b23d0ba	2551	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
marcozecchini	0:9fca2b23d0ba	2552	ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2553	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2554	#endif
marcozecchini	0:9fca2b23d0ba	2555
marcozecchini	0:9fca2b23d0ba	2556	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
marcozecchini	0:9fca2b23d0ba	2557	ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2558	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2559	#endif
marcozecchini	0:9fca2b23d0ba	2560
marcozecchini	0:9fca2b23d0ba	2561	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	2562	ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2563	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2564	#endif
marcozecchini	0:9fca2b23d0ba	2565
marcozecchini	0:9fca2b23d0ba	2566	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
marcozecchini	0:9fca2b23d0ba	2567	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2568	ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2569	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2570	#endif
marcozecchini	0:9fca2b23d0ba	2571
marcozecchini	0:9fca2b23d0ba	2572	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2573	ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2574	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2575	#endif
marcozecchini	0:9fca2b23d0ba	2576
marcozecchini	0:9fca2b23d0ba	2577	#if defined(MBEDTLS_SSL_ALPN)
marcozecchini	0:9fca2b23d0ba	2578	ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
marcozecchini	0:9fca2b23d0ba	2579	ext_len += olen;
marcozecchini	0:9fca2b23d0ba	2580	#endif
marcozecchini	0:9fca2b23d0ba	2581
marcozecchini	0:9fca2b23d0ba	2582	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
marcozecchini	0:9fca2b23d0ba	2583
marcozecchini	0:9fca2b23d0ba	2584	if( ext_len > 0 )
marcozecchini	0:9fca2b23d0ba	2585	{
marcozecchini	0:9fca2b23d0ba	2586	*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2587	*p++ = (unsigned char)( ( ext_len ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	2588	p += ext_len;
marcozecchini	0:9fca2b23d0ba	2589	}
marcozecchini	0:9fca2b23d0ba	2590
marcozecchini	0:9fca2b23d0ba	2591	#if defined(MBEDTLS_SSL_PROTO_SSL3)
marcozecchini	0:9fca2b23d0ba	2592	}
marcozecchini	0:9fca2b23d0ba	2593	#endif
marcozecchini	0:9fca2b23d0ba	2594
marcozecchini	0:9fca2b23d0ba	2595	ssl->out_msglen = p - buf;
marcozecchini	0:9fca2b23d0ba	2596	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	2597	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
marcozecchini	0:9fca2b23d0ba	2598
marcozecchini	0:9fca2b23d0ba	2599	ret = mbedtls_ssl_write_record( ssl );
marcozecchini	0:9fca2b23d0ba	2600
marcozecchini	0:9fca2b23d0ba	2601	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
marcozecchini	0:9fca2b23d0ba	2602
marcozecchini	0:9fca2b23d0ba	2603	return( ret );
marcozecchini	0:9fca2b23d0ba	2604	}
marcozecchini	0:9fca2b23d0ba	2605
marcozecchini	0:9fca2b23d0ba	2606	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	2607	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	2608	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	2609	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	2610	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
marcozecchini	0:9fca2b23d0ba	2611	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2612	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2613	{
marcozecchini	0:9fca2b23d0ba	2614	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	2615	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	2616
marcozecchini	0:9fca2b23d0ba	2617	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2618
marcozecchini	0:9fca2b23d0ba	2619	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2620	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2621	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2622	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2623	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	2624	{
marcozecchini	0:9fca2b23d0ba	2625	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2626	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2627	return( 0 );
marcozecchini	0:9fca2b23d0ba	2628	}
marcozecchini	0:9fca2b23d0ba	2629
marcozecchini	0:9fca2b23d0ba	2630	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	2631	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	2632	}
marcozecchini	0:9fca2b23d0ba	2633	#else
marcozecchini	0:9fca2b23d0ba	2634	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2635	{
marcozecchini	0:9fca2b23d0ba	2636	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
marcozecchini	0:9fca2b23d0ba	2637	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	2638	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	2639	size_t dn_size, total_dn_size; /* excluding length bytes */
marcozecchini	0:9fca2b23d0ba	2640	size_t ct_len, sa_len; /* including length bytes */
marcozecchini	0:9fca2b23d0ba	2641	unsigned char buf, p;
marcozecchini	0:9fca2b23d0ba	2642	const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	2643	const mbedtls_x509_crt *crt;
marcozecchini	0:9fca2b23d0ba	2644	int authmode;
marcozecchini	0:9fca2b23d0ba	2645
marcozecchini	0:9fca2b23d0ba	2646	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2647
marcozecchini	0:9fca2b23d0ba	2648	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2649
marcozecchini	0:9fca2b23d0ba	2650	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
marcozecchini	0:9fca2b23d0ba	2651	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
marcozecchini	0:9fca2b23d0ba	2652	authmode = ssl->handshake->sni_authmode;
marcozecchini	0:9fca2b23d0ba	2653	else
marcozecchini	0:9fca2b23d0ba	2654	#endif
marcozecchini	0:9fca2b23d0ba	2655	authmode = ssl->conf->authmode;
marcozecchini	0:9fca2b23d0ba	2656
marcozecchini	0:9fca2b23d0ba	2657	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2658	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2659	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2660	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2661	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
marcozecchini	0:9fca2b23d0ba	2662	authmode == MBEDTLS_SSL_VERIFY_NONE )
marcozecchini	0:9fca2b23d0ba	2663	{
marcozecchini	0:9fca2b23d0ba	2664	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2665	return( 0 );
marcozecchini	0:9fca2b23d0ba	2666	}
marcozecchini	0:9fca2b23d0ba	2667
marcozecchini	0:9fca2b23d0ba	2668	/*
marcozecchini	0:9fca2b23d0ba	2669	* 0 . 0 handshake type
marcozecchini	0:9fca2b23d0ba	2670	* 1 . 3 handshake length
marcozecchini	0:9fca2b23d0ba	2671	* 4 . 4 cert type count
marcozecchini	0:9fca2b23d0ba	2672	* 5 .. m-1 cert types
marcozecchini	0:9fca2b23d0ba	2673	* m .. m+1 sig alg length (TLS 1.2 only)
marcozecchini	0:9fca2b23d0ba	2674	* m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
marcozecchini	0:9fca2b23d0ba	2675	* n .. n+1 length of all DNs
marcozecchini	0:9fca2b23d0ba	2676	* n+2 .. n+3 length of DN 1
marcozecchini	0:9fca2b23d0ba	2677	* n+4 .. ... Distinguished Name #1
marcozecchini	0:9fca2b23d0ba	2678	* ... .. ... length of DN 2, etc.
marcozecchini	0:9fca2b23d0ba	2679	*/
marcozecchini	0:9fca2b23d0ba	2680	buf = ssl->out_msg;
marcozecchini	0:9fca2b23d0ba	2681	p = buf + 4;
marcozecchini	0:9fca2b23d0ba	2682
marcozecchini	0:9fca2b23d0ba	2683	/*
marcozecchini	0:9fca2b23d0ba	2684	* Supported certificate types
marcozecchini	0:9fca2b23d0ba	2685	*
marcozecchini	0:9fca2b23d0ba	2686	* ClientCertificateType certificate_types<1..2^8-1>;
marcozecchini	0:9fca2b23d0ba	2687	* enum { (255) } ClientCertificateType;
marcozecchini	0:9fca2b23d0ba	2688	*/
marcozecchini	0:9fca2b23d0ba	2689	ct_len = 0;
marcozecchini	0:9fca2b23d0ba	2690
marcozecchini	0:9fca2b23d0ba	2691	#if defined(MBEDTLS_RSA_C)
marcozecchini	0:9fca2b23d0ba	2692	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
marcozecchini	0:9fca2b23d0ba	2693	#endif
marcozecchini	0:9fca2b23d0ba	2694	#if defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	2695	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
marcozecchini	0:9fca2b23d0ba	2696	#endif
marcozecchini	0:9fca2b23d0ba	2697
marcozecchini	0:9fca2b23d0ba	2698	p[0] = (unsigned char) ct_len++;
marcozecchini	0:9fca2b23d0ba	2699	p += ct_len;
marcozecchini	0:9fca2b23d0ba	2700
marcozecchini	0:9fca2b23d0ba	2701	sa_len = 0;
marcozecchini	0:9fca2b23d0ba	2702	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	2703	/*
marcozecchini	0:9fca2b23d0ba	2704	* Add signature_algorithms for verify (TLS 1.2)
marcozecchini	0:9fca2b23d0ba	2705	*
marcozecchini	0:9fca2b23d0ba	2706	* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
marcozecchini	0:9fca2b23d0ba	2707	*
marcozecchini	0:9fca2b23d0ba	2708	* struct {
marcozecchini	0:9fca2b23d0ba	2709	* HashAlgorithm hash;
marcozecchini	0:9fca2b23d0ba	2710	* SignatureAlgorithm signature;
marcozecchini	0:9fca2b23d0ba	2711	* } SignatureAndHashAlgorithm;
marcozecchini	0:9fca2b23d0ba	2712	*
marcozecchini	0:9fca2b23d0ba	2713	* enum { (255) } HashAlgorithm;
marcozecchini	0:9fca2b23d0ba	2714	* enum { (255) } SignatureAlgorithm;
marcozecchini	0:9fca2b23d0ba	2715	*/
marcozecchini	0:9fca2b23d0ba	2716	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	2717	{
marcozecchini	0:9fca2b23d0ba	2718	const int *cur;
marcozecchini	0:9fca2b23d0ba	2719
marcozecchini	0:9fca2b23d0ba	2720	/*
marcozecchini	0:9fca2b23d0ba	2721	* Supported signature algorithms
marcozecchini	0:9fca2b23d0ba	2722	*/
marcozecchini	0:9fca2b23d0ba	2723	for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
marcozecchini	0:9fca2b23d0ba	2724	{
marcozecchini	0:9fca2b23d0ba	2725	unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
marcozecchini	0:9fca2b23d0ba	2726
marcozecchini	0:9fca2b23d0ba	2727	if( MBEDTLS_SSL_HASH_NONE == hash \|\| mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
marcozecchini	0:9fca2b23d0ba	2728	continue;
marcozecchini	0:9fca2b23d0ba	2729
marcozecchini	0:9fca2b23d0ba	2730	#if defined(MBEDTLS_RSA_C)
marcozecchini	0:9fca2b23d0ba	2731	p[2 + sa_len++] = hash;
marcozecchini	0:9fca2b23d0ba	2732	p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
marcozecchini	0:9fca2b23d0ba	2733	#endif
marcozecchini	0:9fca2b23d0ba	2734	#if defined(MBEDTLS_ECDSA_C)
marcozecchini	0:9fca2b23d0ba	2735	p[2 + sa_len++] = hash;
marcozecchini	0:9fca2b23d0ba	2736	p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
marcozecchini	0:9fca2b23d0ba	2737	#endif
marcozecchini	0:9fca2b23d0ba	2738	}
marcozecchini	0:9fca2b23d0ba	2739
marcozecchini	0:9fca2b23d0ba	2740	p[0] = (unsigned char)( sa_len >> 8 );
marcozecchini	0:9fca2b23d0ba	2741	p[1] = (unsigned char)( sa_len );
marcozecchini	0:9fca2b23d0ba	2742	sa_len += 2;
marcozecchini	0:9fca2b23d0ba	2743	p += sa_len;
marcozecchini	0:9fca2b23d0ba	2744	}
marcozecchini	0:9fca2b23d0ba	2745	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	2746
marcozecchini	0:9fca2b23d0ba	2747	/*
marcozecchini	0:9fca2b23d0ba	2748	* DistinguishedName certificate_authorities<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2749	* opaque DistinguishedName<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2750	*/
marcozecchini	0:9fca2b23d0ba	2751	p += 2;
marcozecchini	0:9fca2b23d0ba	2752
marcozecchini	0:9fca2b23d0ba	2753	total_dn_size = 0;
marcozecchini	0:9fca2b23d0ba	2754
marcozecchini	0:9fca2b23d0ba	2755	if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
marcozecchini	0:9fca2b23d0ba	2756	{
marcozecchini	0:9fca2b23d0ba	2757	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
marcozecchini	0:9fca2b23d0ba	2758	if( ssl->handshake->sni_ca_chain != NULL )
marcozecchini	0:9fca2b23d0ba	2759	crt = ssl->handshake->sni_ca_chain;
marcozecchini	0:9fca2b23d0ba	2760	else
marcozecchini	0:9fca2b23d0ba	2761	#endif
marcozecchini	0:9fca2b23d0ba	2762	crt = ssl->conf->ca_chain;
marcozecchini	0:9fca2b23d0ba	2763
marcozecchini	0:9fca2b23d0ba	2764	while( crt != NULL && crt->version != 0 )
marcozecchini	0:9fca2b23d0ba	2765	{
marcozecchini	0:9fca2b23d0ba	2766	dn_size = crt->subject_raw.len;
marcozecchini	0:9fca2b23d0ba	2767
marcozecchini	0:9fca2b23d0ba	2768	if( end < p \|\|
marcozecchini	0:9fca2b23d0ba	2769	(size_t)( end - p ) < dn_size \|\|
marcozecchini	0:9fca2b23d0ba	2770	(size_t)( end - p ) < 2 + dn_size )
marcozecchini	0:9fca2b23d0ba	2771	{
marcozecchini	0:9fca2b23d0ba	2772	MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
marcozecchini	0:9fca2b23d0ba	2773	break;
marcozecchini	0:9fca2b23d0ba	2774	}
marcozecchini	0:9fca2b23d0ba	2775
marcozecchini	0:9fca2b23d0ba	2776	*p++ = (unsigned char)( dn_size >> 8 );
marcozecchini	0:9fca2b23d0ba	2777	*p++ = (unsigned char)( dn_size );
marcozecchini	0:9fca2b23d0ba	2778	memcpy( p, crt->subject_raw.p, dn_size );
marcozecchini	0:9fca2b23d0ba	2779	p += dn_size;
marcozecchini	0:9fca2b23d0ba	2780
marcozecchini	0:9fca2b23d0ba	2781	MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
marcozecchini	0:9fca2b23d0ba	2782
marcozecchini	0:9fca2b23d0ba	2783	total_dn_size += 2 + dn_size;
marcozecchini	0:9fca2b23d0ba	2784	crt = crt->next;
marcozecchini	0:9fca2b23d0ba	2785	}
marcozecchini	0:9fca2b23d0ba	2786	}
marcozecchini	0:9fca2b23d0ba	2787
marcozecchini	0:9fca2b23d0ba	2788	ssl->out_msglen = p - buf;
marcozecchini	0:9fca2b23d0ba	2789	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	2790	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
marcozecchini	0:9fca2b23d0ba	2791	ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
marcozecchini	0:9fca2b23d0ba	2792	ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
marcozecchini	0:9fca2b23d0ba	2793
marcozecchini	0:9fca2b23d0ba	2794	ret = mbedtls_ssl_write_record( ssl );
marcozecchini	0:9fca2b23d0ba	2795
marcozecchini	0:9fca2b23d0ba	2796	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
marcozecchini	0:9fca2b23d0ba	2797
marcozecchini	0:9fca2b23d0ba	2798	return( ret );
marcozecchini	0:9fca2b23d0ba	2799	}
marcozecchini	0:9fca2b23d0ba	2800	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	2801	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	2802	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	2803	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	2804	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	2805	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2806
marcozecchini	0:9fca2b23d0ba	2807	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2808	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	2809	static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2810	{
marcozecchini	0:9fca2b23d0ba	2811	int ret;
marcozecchini	0:9fca2b23d0ba	2812
marcozecchini	0:9fca2b23d0ba	2813	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
marcozecchini	0:9fca2b23d0ba	2814	{
marcozecchini	0:9fca2b23d0ba	2815	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
marcozecchini	0:9fca2b23d0ba	2816	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
marcozecchini	0:9fca2b23d0ba	2817	}
marcozecchini	0:9fca2b23d0ba	2818
marcozecchini	0:9fca2b23d0ba	2819	if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
marcozecchini	0:9fca2b23d0ba	2820	mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
marcozecchini	0:9fca2b23d0ba	2821	MBEDTLS_ECDH_OURS ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2822	{
marcozecchini	0:9fca2b23d0ba	2823	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
marcozecchini	0:9fca2b23d0ba	2824	return( ret );
marcozecchini	0:9fca2b23d0ba	2825	}
marcozecchini	0:9fca2b23d0ba	2826
marcozecchini	0:9fca2b23d0ba	2827	return( 0 );
marcozecchini	0:9fca2b23d0ba	2828	}
marcozecchini	0:9fca2b23d0ba	2829	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\|
marcozecchini	0:9fca2b23d0ba	2830	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	2831
marcozecchini	0:9fca2b23d0ba	2832	static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	2833	{
marcozecchini	0:9fca2b23d0ba	2834	int ret;
marcozecchini	0:9fca2b23d0ba	2835	size_t n = 0;
marcozecchini	0:9fca2b23d0ba	2836	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	2837	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	2838
marcozecchini	0:9fca2b23d0ba	2839	#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
marcozecchini	0:9fca2b23d0ba	2840	unsigned char *p = ssl->out_msg + 4;
marcozecchini	0:9fca2b23d0ba	2841	size_t len;
marcozecchini	0:9fca2b23d0ba	2842	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
marcozecchini	0:9fca2b23d0ba	2843	unsigned char *dig_signed = p;
marcozecchini	0:9fca2b23d0ba	2844	size_t dig_signed_len = 0;
marcozecchini	0:9fca2b23d0ba	2845	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
marcozecchini	0:9fca2b23d0ba	2846	#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
marcozecchini	0:9fca2b23d0ba	2847
marcozecchini	0:9fca2b23d0ba	2848	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
marcozecchini	0:9fca2b23d0ba	2849
marcozecchini	0:9fca2b23d0ba	2850	/*
marcozecchini	0:9fca2b23d0ba	2851	*
marcozecchini	0:9fca2b23d0ba	2852	* Part 1: Extract static ECDH parameters and abort
marcozecchini	0:9fca2b23d0ba	2853	* if ServerKeyExchange not needed.
marcozecchini	0:9fca2b23d0ba	2854	*
marcozecchini	0:9fca2b23d0ba	2855	*/
marcozecchini	0:9fca2b23d0ba	2856
marcozecchini	0:9fca2b23d0ba	2857	/* For suites involving ECDH, extract DH parameters
marcozecchini	0:9fca2b23d0ba	2858	* from certificate at this point. */
marcozecchini	0:9fca2b23d0ba	2859	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
marcozecchini	0:9fca2b23d0ba	2860	if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2861	{
marcozecchini	0:9fca2b23d0ba	2862	ssl_get_ecdh_params_from_cert( ssl );
marcozecchini	0:9fca2b23d0ba	2863	}
marcozecchini	0:9fca2b23d0ba	2864	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
marcozecchini	0:9fca2b23d0ba	2865
marcozecchini	0:9fca2b23d0ba	2866	/* Key exchanges not involving ephemeral keys don't use
marcozecchini	0:9fca2b23d0ba	2867	* ServerKeyExchange, so end here. */
marcozecchini	0:9fca2b23d0ba	2868	#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
marcozecchini	0:9fca2b23d0ba	2869	if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2870	{
marcozecchini	0:9fca2b23d0ba	2871	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
marcozecchini	0:9fca2b23d0ba	2872	ssl->state++;
marcozecchini	0:9fca2b23d0ba	2873	return( 0 );
marcozecchini	0:9fca2b23d0ba	2874	}
marcozecchini	0:9fca2b23d0ba	2875	#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
marcozecchini	0:9fca2b23d0ba	2876
marcozecchini	0:9fca2b23d0ba	2877	/*
marcozecchini	0:9fca2b23d0ba	2878	*
marcozecchini	0:9fca2b23d0ba	2879	* Part 2: Provide key exchange parameters for chosen ciphersuite.
marcozecchini	0:9fca2b23d0ba	2880	*
marcozecchini	0:9fca2b23d0ba	2881	*/
marcozecchini	0:9fca2b23d0ba	2882
marcozecchini	0:9fca2b23d0ba	2883	/*
marcozecchini	0:9fca2b23d0ba	2884	* - ECJPAKE key exchanges
marcozecchini	0:9fca2b23d0ba	2885	*/
marcozecchini	0:9fca2b23d0ba	2886	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2887	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	2888	{
marcozecchini	0:9fca2b23d0ba	2889	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
marcozecchini	0:9fca2b23d0ba	2890
marcozecchini	0:9fca2b23d0ba	2891	ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	2892	p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	2893	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	2894	{
marcozecchini	0:9fca2b23d0ba	2895	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
marcozecchini	0:9fca2b23d0ba	2896	return( ret );
marcozecchini	0:9fca2b23d0ba	2897	}
marcozecchini	0:9fca2b23d0ba	2898
marcozecchini	0:9fca2b23d0ba	2899	p += len;
marcozecchini	0:9fca2b23d0ba	2900	n += len;
marcozecchini	0:9fca2b23d0ba	2901	}
marcozecchini	0:9fca2b23d0ba	2902	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	2903
marcozecchini	0:9fca2b23d0ba	2904	/*
marcozecchini	0:9fca2b23d0ba	2905	* For (EC)DHE key exchanges with PSK, parameters are prefixed by support
marcozecchini	0:9fca2b23d0ba	2906	* identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
marcozecchini	0:9fca2b23d0ba	2907	* we use empty support identity hints here.
marcozecchini	0:9fca2b23d0ba	2908	**/
marcozecchini	0:9fca2b23d0ba	2909	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	2910	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	2911	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	2912	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
marcozecchini	0:9fca2b23d0ba	2913	{
marcozecchini	0:9fca2b23d0ba	2914	*(p++) = 0x00;
marcozecchini	0:9fca2b23d0ba	2915	*(p++) = 0x00;
marcozecchini	0:9fca2b23d0ba	2916
marcozecchini	0:9fca2b23d0ba	2917	n += 2;
marcozecchini	0:9fca2b23d0ba	2918	}
marcozecchini	0:9fca2b23d0ba	2919	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	2920	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	2921
marcozecchini	0:9fca2b23d0ba	2922	/*
marcozecchini	0:9fca2b23d0ba	2923	* - DHE key exchanges
marcozecchini	0:9fca2b23d0ba	2924	*/
marcozecchini	0:9fca2b23d0ba	2925	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2926	if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2927	{
marcozecchini	0:9fca2b23d0ba	2928	if( ssl->conf->dhm_P.p == NULL \|\| ssl->conf->dhm_G.p == NULL )
marcozecchini	0:9fca2b23d0ba	2929	{
marcozecchini	0:9fca2b23d0ba	2930	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
marcozecchini	0:9fca2b23d0ba	2931	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	2932	}
marcozecchini	0:9fca2b23d0ba	2933
marcozecchini	0:9fca2b23d0ba	2934	/*
marcozecchini	0:9fca2b23d0ba	2935	* Ephemeral DH parameters:
marcozecchini	0:9fca2b23d0ba	2936	*
marcozecchini	0:9fca2b23d0ba	2937	* struct {
marcozecchini	0:9fca2b23d0ba	2938	* opaque dh_p<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2939	* opaque dh_g<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2940	* opaque dh_Ys<1..2^16-1>;
marcozecchini	0:9fca2b23d0ba	2941	* } ServerDHParams;
marcozecchini	0:9fca2b23d0ba	2942	*/
marcozecchini	0:9fca2b23d0ba	2943	if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 \|\|
marcozecchini	0:9fca2b23d0ba	2944	( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2945	{
marcozecchini	0:9fca2b23d0ba	2946	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
marcozecchini	0:9fca2b23d0ba	2947	return( ret );
marcozecchini	0:9fca2b23d0ba	2948	}
marcozecchini	0:9fca2b23d0ba	2949
marcozecchini	0:9fca2b23d0ba	2950	if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
marcozecchini	0:9fca2b23d0ba	2951	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
marcozecchini	0:9fca2b23d0ba	2952	p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	2953	{
marcozecchini	0:9fca2b23d0ba	2954	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
marcozecchini	0:9fca2b23d0ba	2955	return( ret );
marcozecchini	0:9fca2b23d0ba	2956	}
marcozecchini	0:9fca2b23d0ba	2957
marcozecchini	0:9fca2b23d0ba	2958	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
marcozecchini	0:9fca2b23d0ba	2959	dig_signed = p;
marcozecchini	0:9fca2b23d0ba	2960	dig_signed_len = len;
marcozecchini	0:9fca2b23d0ba	2961	#endif
marcozecchini	0:9fca2b23d0ba	2962
marcozecchini	0:9fca2b23d0ba	2963	p += len;
marcozecchini	0:9fca2b23d0ba	2964	n += len;
marcozecchini	0:9fca2b23d0ba	2965
marcozecchini	0:9fca2b23d0ba	2966	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
marcozecchini	0:9fca2b23d0ba	2967	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
marcozecchini	0:9fca2b23d0ba	2968	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
marcozecchini	0:9fca2b23d0ba	2969	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
marcozecchini	0:9fca2b23d0ba	2970	}
marcozecchini	0:9fca2b23d0ba	2971	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
marcozecchini	0:9fca2b23d0ba	2972
marcozecchini	0:9fca2b23d0ba	2973	/*
marcozecchini	0:9fca2b23d0ba	2974	* - ECDHE key exchanges
marcozecchini	0:9fca2b23d0ba	2975	*/
marcozecchini	0:9fca2b23d0ba	2976	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
marcozecchini	0:9fca2b23d0ba	2977	if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	2978	{
marcozecchini	0:9fca2b23d0ba	2979	/*
marcozecchini	0:9fca2b23d0ba	2980	* Ephemeral ECDH parameters:
marcozecchini	0:9fca2b23d0ba	2981	*
marcozecchini	0:9fca2b23d0ba	2982	* struct {
marcozecchini	0:9fca2b23d0ba	2983	* ECParameters curve_params;
marcozecchini	0:9fca2b23d0ba	2984	* ECPoint public;
marcozecchini	0:9fca2b23d0ba	2985	* } ServerECDHParams;
marcozecchini	0:9fca2b23d0ba	2986	*/
marcozecchini	0:9fca2b23d0ba	2987	const mbedtls_ecp_curve_info **curve = NULL;
marcozecchini	0:9fca2b23d0ba	2988	const mbedtls_ecp_group_id *gid;
marcozecchini	0:9fca2b23d0ba	2989
marcozecchini	0:9fca2b23d0ba	2990	/* Match our preference list against the offered curves */
marcozecchini	0:9fca2b23d0ba	2991	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
marcozecchini	0:9fca2b23d0ba	2992	for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
marcozecchini	0:9fca2b23d0ba	2993	if( (curve)->grp_id == gid )
marcozecchini	0:9fca2b23d0ba	2994	goto curve_matching_done;
marcozecchini	0:9fca2b23d0ba	2995
marcozecchini	0:9fca2b23d0ba	2996	curve_matching_done:
marcozecchini	0:9fca2b23d0ba	2997	if( curve == NULL \|\| *curve == NULL )
marcozecchini	0:9fca2b23d0ba	2998	{
marcozecchini	0:9fca2b23d0ba	2999	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
marcozecchini	0:9fca2b23d0ba	3000	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
marcozecchini	0:9fca2b23d0ba	3001	}
marcozecchini	0:9fca2b23d0ba	3002
marcozecchini	0:9fca2b23d0ba	3003	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
marcozecchini	0:9fca2b23d0ba	3004
marcozecchini	0:9fca2b23d0ba	3005	if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
marcozecchini	0:9fca2b23d0ba	3006	(*curve)->grp_id ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3007	{
marcozecchini	0:9fca2b23d0ba	3008	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
marcozecchini	0:9fca2b23d0ba	3009	return( ret );
marcozecchini	0:9fca2b23d0ba	3010	}
marcozecchini	0:9fca2b23d0ba	3011
marcozecchini	0:9fca2b23d0ba	3012	if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
marcozecchini	0:9fca2b23d0ba	3013	p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
marcozecchini	0:9fca2b23d0ba	3014	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3015	{
marcozecchini	0:9fca2b23d0ba	3016	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
marcozecchini	0:9fca2b23d0ba	3017	return( ret );
marcozecchini	0:9fca2b23d0ba	3018	}
marcozecchini	0:9fca2b23d0ba	3019
marcozecchini	0:9fca2b23d0ba	3020	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
marcozecchini	0:9fca2b23d0ba	3021	dig_signed = p;
marcozecchini	0:9fca2b23d0ba	3022	dig_signed_len = len;
marcozecchini	0:9fca2b23d0ba	3023	#endif
marcozecchini	0:9fca2b23d0ba	3024
marcozecchini	0:9fca2b23d0ba	3025	p += len;
marcozecchini	0:9fca2b23d0ba	3026	n += len;
marcozecchini	0:9fca2b23d0ba	3027
marcozecchini	0:9fca2b23d0ba	3028	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
marcozecchini	0:9fca2b23d0ba	3029	}
marcozecchini	0:9fca2b23d0ba	3030	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
marcozecchini	0:9fca2b23d0ba	3031
marcozecchini	0:9fca2b23d0ba	3032	/*
marcozecchini	0:9fca2b23d0ba	3033	*
marcozecchini	0:9fca2b23d0ba	3034	* Part 3: For key exchanges involving the server signing the
marcozecchini	0:9fca2b23d0ba	3035	* exchange parameters, compute and add the signature here.
marcozecchini	0:9fca2b23d0ba	3036	*
marcozecchini	0:9fca2b23d0ba	3037	*/
marcozecchini	0:9fca2b23d0ba	3038	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
marcozecchini	0:9fca2b23d0ba	3039	if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
marcozecchini	0:9fca2b23d0ba	3040	{
marcozecchini	0:9fca2b23d0ba	3041	size_t signature_len = 0;
marcozecchini	0:9fca2b23d0ba	3042	unsigned int hashlen = 0;
marcozecchini	0:9fca2b23d0ba	3043	unsigned char hash[64];
marcozecchini	0:9fca2b23d0ba	3044
marcozecchini	0:9fca2b23d0ba	3045	/*
marcozecchini	0:9fca2b23d0ba	3046	* 3.1: Choose hash algorithm:
marcozecchini	0:9fca2b23d0ba	3047	* A: For TLS 1.2, obey signature-hash-algorithm extension
marcozecchini	0:9fca2b23d0ba	3048	* to choose appropriate hash.
marcozecchini	0:9fca2b23d0ba	3049	* B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
marcozecchini	0:9fca2b23d0ba	3050	* (RFC 4492, Sec. 5.4)
marcozecchini	0:9fca2b23d0ba	3051	* C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
marcozecchini	0:9fca2b23d0ba	3052	*/
marcozecchini	0:9fca2b23d0ba	3053
marcozecchini	0:9fca2b23d0ba	3054	mbedtls_md_type_t md_alg;
marcozecchini	0:9fca2b23d0ba	3055
marcozecchini	0:9fca2b23d0ba	3056	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	3057	mbedtls_pk_type_t sig_alg =
marcozecchini	0:9fca2b23d0ba	3058	mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
marcozecchini	0:9fca2b23d0ba	3059	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	3060	{
marcozecchini	0:9fca2b23d0ba	3061	/* A: For TLS 1.2, obey signature-hash-algorithm extension
marcozecchini	0:9fca2b23d0ba	3062	* (RFC 5246, Sec. 7.4.1.4.1). */
marcozecchini	0:9fca2b23d0ba	3063	if( sig_alg == MBEDTLS_PK_NONE \|\|
marcozecchini	0:9fca2b23d0ba	3064	( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
marcozecchini	0:9fca2b23d0ba	3065	sig_alg ) ) == MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	3066	{
marcozecchini	0:9fca2b23d0ba	3067	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3068	/* (... because we choose a cipher suite
marcozecchini	0:9fca2b23d0ba	3069	* only if there is a matching hash.) */
marcozecchini	0:9fca2b23d0ba	3070	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3071	}
marcozecchini	0:9fca2b23d0ba	3072	}
marcozecchini	0:9fca2b23d0ba	3073	else
marcozecchini	0:9fca2b23d0ba	3074	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	3075	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
marcozecchini	0:9fca2b23d0ba	3076	defined(MBEDTLS_SSL_PROTO_TLS1_1)
marcozecchini	0:9fca2b23d0ba	3077	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
marcozecchini	0:9fca2b23d0ba	3078	{
marcozecchini	0:9fca2b23d0ba	3079	/* B: Default hash SHA1 */
marcozecchini	0:9fca2b23d0ba	3080	md_alg = MBEDTLS_MD_SHA1;
marcozecchini	0:9fca2b23d0ba	3081	}
marcozecchini	0:9fca2b23d0ba	3082	else
marcozecchini	0:9fca2b23d0ba	3083	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
marcozecchini	0:9fca2b23d0ba	3084	MBEDTLS_SSL_PROTO_TLS1_1 */
marcozecchini	0:9fca2b23d0ba	3085	{
marcozecchini	0:9fca2b23d0ba	3086	/* C: MD5 + SHA1 */
marcozecchini	0:9fca2b23d0ba	3087	md_alg = MBEDTLS_MD_NONE;
marcozecchini	0:9fca2b23d0ba	3088	}
marcozecchini	0:9fca2b23d0ba	3089
marcozecchini	0:9fca2b23d0ba	3090	MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
marcozecchini	0:9fca2b23d0ba	3091
marcozecchini	0:9fca2b23d0ba	3092	/*
marcozecchini	0:9fca2b23d0ba	3093	* 3.2: Compute the hash to be signed
marcozecchini	0:9fca2b23d0ba	3094	*/
marcozecchini	0:9fca2b23d0ba	3095	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
marcozecchini	0:9fca2b23d0ba	3096	defined(MBEDTLS_SSL_PROTO_TLS1_1)
marcozecchini	0:9fca2b23d0ba	3097	if( md_alg == MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	3098	{
marcozecchini	0:9fca2b23d0ba	3099	mbedtls_md5_context mbedtls_md5;
marcozecchini	0:9fca2b23d0ba	3100	mbedtls_sha1_context mbedtls_sha1;
marcozecchini	0:9fca2b23d0ba	3101
marcozecchini	0:9fca2b23d0ba	3102	mbedtls_md5_init( &mbedtls_md5 );
marcozecchini	0:9fca2b23d0ba	3103	mbedtls_sha1_init( &mbedtls_sha1 );
marcozecchini	0:9fca2b23d0ba	3104
marcozecchini	0:9fca2b23d0ba	3105	/*
marcozecchini	0:9fca2b23d0ba	3106	* digitally-signed struct {
marcozecchini	0:9fca2b23d0ba	3107	* opaque md5_hash[16];
marcozecchini	0:9fca2b23d0ba	3108	* opaque sha_hash[20];
marcozecchini	0:9fca2b23d0ba	3109	* };
marcozecchini	0:9fca2b23d0ba	3110	*
marcozecchini	0:9fca2b23d0ba	3111	* md5_hash
marcozecchini	0:9fca2b23d0ba	3112	* MD5(ClientHello.random + ServerHello.random
marcozecchini	0:9fca2b23d0ba	3113	* + ServerParams);
marcozecchini	0:9fca2b23d0ba	3114	* sha_hash
marcozecchini	0:9fca2b23d0ba	3115	* SHA(ClientHello.random + ServerHello.random
marcozecchini	0:9fca2b23d0ba	3116	* + ServerParams);
marcozecchini	0:9fca2b23d0ba	3117	*/
marcozecchini	0:9fca2b23d0ba	3118
marcozecchini	0:9fca2b23d0ba	3119	mbedtls_md5_starts( &mbedtls_md5 );
marcozecchini	0:9fca2b23d0ba	3120	mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
marcozecchini	0:9fca2b23d0ba	3121	mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
marcozecchini	0:9fca2b23d0ba	3122	mbedtls_md5_finish( &mbedtls_md5, hash );
marcozecchini	0:9fca2b23d0ba	3123
marcozecchini	0:9fca2b23d0ba	3124	mbedtls_sha1_starts( &mbedtls_sha1 );
marcozecchini	0:9fca2b23d0ba	3125	mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
marcozecchini	0:9fca2b23d0ba	3126	mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
marcozecchini	0:9fca2b23d0ba	3127	mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
marcozecchini	0:9fca2b23d0ba	3128
marcozecchini	0:9fca2b23d0ba	3129	hashlen = 36;
marcozecchini	0:9fca2b23d0ba	3130
marcozecchini	0:9fca2b23d0ba	3131	mbedtls_md5_free( &mbedtls_md5 );
marcozecchini	0:9fca2b23d0ba	3132	mbedtls_sha1_free( &mbedtls_sha1 );
marcozecchini	0:9fca2b23d0ba	3133	}
marcozecchini	0:9fca2b23d0ba	3134	else
marcozecchini	0:9fca2b23d0ba	3135	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
marcozecchini	0:9fca2b23d0ba	3136	MBEDTLS_SSL_PROTO_TLS1_1 */
marcozecchini	0:9fca2b23d0ba	3137	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
marcozecchini	0:9fca2b23d0ba	3138	defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	3139	if( md_alg != MBEDTLS_MD_NONE )
marcozecchini	0:9fca2b23d0ba	3140	{
marcozecchini	0:9fca2b23d0ba	3141	mbedtls_md_context_t ctx;
marcozecchini	0:9fca2b23d0ba	3142	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
marcozecchini	0:9fca2b23d0ba	3143
marcozecchini	0:9fca2b23d0ba	3144	mbedtls_md_init( &ctx );
marcozecchini	0:9fca2b23d0ba	3145
marcozecchini	0:9fca2b23d0ba	3146	/* Info from md_alg will be used instead */
marcozecchini	0:9fca2b23d0ba	3147	hashlen = 0;
marcozecchini	0:9fca2b23d0ba	3148
marcozecchini	0:9fca2b23d0ba	3149	/*
marcozecchini	0:9fca2b23d0ba	3150	* digitally-signed struct {
marcozecchini	0:9fca2b23d0ba	3151	* opaque client_random[32];
marcozecchini	0:9fca2b23d0ba	3152	* opaque server_random[32];
marcozecchini	0:9fca2b23d0ba	3153	* ServerDHParams params;
marcozecchini	0:9fca2b23d0ba	3154	* };
marcozecchini	0:9fca2b23d0ba	3155	*/
marcozecchini	0:9fca2b23d0ba	3156	if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3157	{
marcozecchini	0:9fca2b23d0ba	3158	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
marcozecchini	0:9fca2b23d0ba	3159	return( ret );
marcozecchini	0:9fca2b23d0ba	3160	}
marcozecchini	0:9fca2b23d0ba	3161
marcozecchini	0:9fca2b23d0ba	3162	mbedtls_md_starts( &ctx );
marcozecchini	0:9fca2b23d0ba	3163	mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
marcozecchini	0:9fca2b23d0ba	3164	mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
marcozecchini	0:9fca2b23d0ba	3165	mbedtls_md_finish( &ctx, hash );
marcozecchini	0:9fca2b23d0ba	3166	mbedtls_md_free( &ctx );
marcozecchini	0:9fca2b23d0ba	3167	}
marcozecchini	0:9fca2b23d0ba	3168	else
marcozecchini	0:9fca2b23d0ba	3169	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
marcozecchini	0:9fca2b23d0ba	3170	MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	3171	{
marcozecchini	0:9fca2b23d0ba	3172	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3173	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3174	}
marcozecchini	0:9fca2b23d0ba	3175
marcozecchini	0:9fca2b23d0ba	3176	MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
marcozecchini	0:9fca2b23d0ba	3177	(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
marcozecchini	0:9fca2b23d0ba	3178
marcozecchini	0:9fca2b23d0ba	3179	/*
marcozecchini	0:9fca2b23d0ba	3180	* 3.3: Compute and add the signature
marcozecchini	0:9fca2b23d0ba	3181	*/
marcozecchini	0:9fca2b23d0ba	3182	if( mbedtls_ssl_own_key( ssl ) == NULL )
marcozecchini	0:9fca2b23d0ba	3183	{
marcozecchini	0:9fca2b23d0ba	3184	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
marcozecchini	0:9fca2b23d0ba	3185	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
marcozecchini	0:9fca2b23d0ba	3186	}
marcozecchini	0:9fca2b23d0ba	3187
marcozecchini	0:9fca2b23d0ba	3188	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	3189	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	3190	{
marcozecchini	0:9fca2b23d0ba	3191	/*
marcozecchini	0:9fca2b23d0ba	3192	* For TLS 1.2, we need to specify signature and hash algorithm
marcozecchini	0:9fca2b23d0ba	3193	* explicitly through a prefix to the signature.
marcozecchini	0:9fca2b23d0ba	3194	*
marcozecchini	0:9fca2b23d0ba	3195	* struct {
marcozecchini	0:9fca2b23d0ba	3196	* HashAlgorithm hash;
marcozecchini	0:9fca2b23d0ba	3197	* SignatureAlgorithm signature;
marcozecchini	0:9fca2b23d0ba	3198	* } SignatureAndHashAlgorithm;
marcozecchini	0:9fca2b23d0ba	3199	*
marcozecchini	0:9fca2b23d0ba	3200	* struct {
marcozecchini	0:9fca2b23d0ba	3201	* SignatureAndHashAlgorithm algorithm;
marcozecchini	0:9fca2b23d0ba	3202	* opaque signature<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	3203	* } DigitallySigned;
marcozecchini	0:9fca2b23d0ba	3204	*
marcozecchini	0:9fca2b23d0ba	3205	*/
marcozecchini	0:9fca2b23d0ba	3206
marcozecchini	0:9fca2b23d0ba	3207	*(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
marcozecchini	0:9fca2b23d0ba	3208	*(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
marcozecchini	0:9fca2b23d0ba	3209
marcozecchini	0:9fca2b23d0ba	3210	n += 2;
marcozecchini	0:9fca2b23d0ba	3211	}
marcozecchini	0:9fca2b23d0ba	3212	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	3213
marcozecchini	0:9fca2b23d0ba	3214	if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
marcozecchini	0:9fca2b23d0ba	3215	p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3216	{
marcozecchini	0:9fca2b23d0ba	3217	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
marcozecchini	0:9fca2b23d0ba	3218	return( ret );
marcozecchini	0:9fca2b23d0ba	3219	}
marcozecchini	0:9fca2b23d0ba	3220
marcozecchini	0:9fca2b23d0ba	3221	*(p++) = (unsigned char)( signature_len >> 8 );
marcozecchini	0:9fca2b23d0ba	3222	*(p++) = (unsigned char)( signature_len );
marcozecchini	0:9fca2b23d0ba	3223	n += 2;
marcozecchini	0:9fca2b23d0ba	3224
marcozecchini	0:9fca2b23d0ba	3225	MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
marcozecchini	0:9fca2b23d0ba	3226
marcozecchini	0:9fca2b23d0ba	3227	n += signature_len;
marcozecchini	0:9fca2b23d0ba	3228	}
marcozecchini	0:9fca2b23d0ba	3229	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
marcozecchini	0:9fca2b23d0ba	3230
marcozecchini	0:9fca2b23d0ba	3231	/* Done with actual work; add header and send. */
marcozecchini	0:9fca2b23d0ba	3232
marcozecchini	0:9fca2b23d0ba	3233	ssl->out_msglen = 4 + n;
marcozecchini	0:9fca2b23d0ba	3234	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	3235	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
marcozecchini	0:9fca2b23d0ba	3236
marcozecchini	0:9fca2b23d0ba	3237	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3238
marcozecchini	0:9fca2b23d0ba	3239	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3240	{
marcozecchini	0:9fca2b23d0ba	3241	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
marcozecchini	0:9fca2b23d0ba	3242	return( ret );
marcozecchini	0:9fca2b23d0ba	3243	}
marcozecchini	0:9fca2b23d0ba	3244
marcozecchini	0:9fca2b23d0ba	3245	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
marcozecchini	0:9fca2b23d0ba	3246
marcozecchini	0:9fca2b23d0ba	3247	return( 0 );
marcozecchini	0:9fca2b23d0ba	3248	}
marcozecchini	0:9fca2b23d0ba	3249
marcozecchini	0:9fca2b23d0ba	3250	static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3251	{
marcozecchini	0:9fca2b23d0ba	3252	int ret;
marcozecchini	0:9fca2b23d0ba	3253
marcozecchini	0:9fca2b23d0ba	3254	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
marcozecchini	0:9fca2b23d0ba	3255
marcozecchini	0:9fca2b23d0ba	3256	ssl->out_msglen = 4;
marcozecchini	0:9fca2b23d0ba	3257	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	3258	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
marcozecchini	0:9fca2b23d0ba	3259
marcozecchini	0:9fca2b23d0ba	3260	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3261
marcozecchini	0:9fca2b23d0ba	3262	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	3263	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
marcozecchini	0:9fca2b23d0ba	3264	mbedtls_ssl_send_flight_completed( ssl );
marcozecchini	0:9fca2b23d0ba	3265	#endif
marcozecchini	0:9fca2b23d0ba	3266
marcozecchini	0:9fca2b23d0ba	3267	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3268	{
marcozecchini	0:9fca2b23d0ba	3269	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
marcozecchini	0:9fca2b23d0ba	3270	return( ret );
marcozecchini	0:9fca2b23d0ba	3271	}
marcozecchini	0:9fca2b23d0ba	3272
marcozecchini	0:9fca2b23d0ba	3273	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
marcozecchini	0:9fca2b23d0ba	3274
marcozecchini	0:9fca2b23d0ba	3275	return( 0 );
marcozecchini	0:9fca2b23d0ba	3276	}
marcozecchini	0:9fca2b23d0ba	3277
marcozecchini	0:9fca2b23d0ba	3278	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	3279	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	3280	static int ssl_parse_client_dh_public( mbedtls_ssl_context ssl, unsigned char *p,
marcozecchini	0:9fca2b23d0ba	3281	const unsigned char *end )
marcozecchini	0:9fca2b23d0ba	3282	{
marcozecchini	0:9fca2b23d0ba	3283	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
marcozecchini	0:9fca2b23d0ba	3284	size_t n;
marcozecchini	0:9fca2b23d0ba	3285
marcozecchini	0:9fca2b23d0ba	3286	/*
marcozecchini	0:9fca2b23d0ba	3287	* Receive G^Y mod P, premaster = (G^Y)^X mod P
marcozecchini	0:9fca2b23d0ba	3288	*/
marcozecchini	0:9fca2b23d0ba	3289	if( *p + 2 > end )
marcozecchini	0:9fca2b23d0ba	3290	{
marcozecchini	0:9fca2b23d0ba	3291	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3292	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3293	}
marcozecchini	0:9fca2b23d0ba	3294
marcozecchini	0:9fca2b23d0ba	3295	n = ( (p)[0] << 8 ) \| (p)[1];
marcozecchini	0:9fca2b23d0ba	3296	*p += 2;
marcozecchini	0:9fca2b23d0ba	3297
marcozecchini	0:9fca2b23d0ba	3298	if( *p + n > end )
marcozecchini	0:9fca2b23d0ba	3299	{
marcozecchini	0:9fca2b23d0ba	3300	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3301	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3302	}
marcozecchini	0:9fca2b23d0ba	3303
marcozecchini	0:9fca2b23d0ba	3304	if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3305	{
marcozecchini	0:9fca2b23d0ba	3306	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
marcozecchini	0:9fca2b23d0ba	3307	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
marcozecchini	0:9fca2b23d0ba	3308	}
marcozecchini	0:9fca2b23d0ba	3309
marcozecchini	0:9fca2b23d0ba	3310	*p += n;
marcozecchini	0:9fca2b23d0ba	3311
marcozecchini	0:9fca2b23d0ba	3312	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
marcozecchini	0:9fca2b23d0ba	3313
marcozecchini	0:9fca2b23d0ba	3314	return( ret );
marcozecchini	0:9fca2b23d0ba	3315	}
marcozecchini	0:9fca2b23d0ba	3316	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	3317	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	3318
marcozecchini	0:9fca2b23d0ba	3319	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	3320	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	3321	static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
marcozecchini	0:9fca2b23d0ba	3322	const unsigned char *p,
marcozecchini	0:9fca2b23d0ba	3323	const unsigned char *end,
marcozecchini	0:9fca2b23d0ba	3324	size_t pms_offset )
marcozecchini	0:9fca2b23d0ba	3325	{
marcozecchini	0:9fca2b23d0ba	3326	int ret;
marcozecchini	0:9fca2b23d0ba	3327	size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
marcozecchini	0:9fca2b23d0ba	3328	unsigned char *pms = ssl->handshake->premaster + pms_offset;
marcozecchini	0:9fca2b23d0ba	3329	unsigned char ver[2];
marcozecchini	0:9fca2b23d0ba	3330	unsigned char fake_pms[48], peer_pms[48];
marcozecchini	0:9fca2b23d0ba	3331	unsigned char mask;
marcozecchini	0:9fca2b23d0ba	3332	size_t i, peer_pmslen;
marcozecchini	0:9fca2b23d0ba	3333	unsigned int diff;
marcozecchini	0:9fca2b23d0ba	3334
marcozecchini	0:9fca2b23d0ba	3335	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
marcozecchini	0:9fca2b23d0ba	3336	{
marcozecchini	0:9fca2b23d0ba	3337	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
marcozecchini	0:9fca2b23d0ba	3338	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
marcozecchini	0:9fca2b23d0ba	3339	}
marcozecchini	0:9fca2b23d0ba	3340
marcozecchini	0:9fca2b23d0ba	3341	/*
marcozecchini	0:9fca2b23d0ba	3342	* Decrypt the premaster using own private RSA key
marcozecchini	0:9fca2b23d0ba	3343	*/
marcozecchini	0:9fca2b23d0ba	3344	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
marcozecchini	0:9fca2b23d0ba	3345	defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	3346	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
marcozecchini	0:9fca2b23d0ba	3347	{
marcozecchini	0:9fca2b23d0ba	3348	if( *p++ != ( ( len >> 8 ) & 0xFF ) \|\|
marcozecchini	0:9fca2b23d0ba	3349	*p++ != ( ( len ) & 0xFF ) )
marcozecchini	0:9fca2b23d0ba	3350	{
marcozecchini	0:9fca2b23d0ba	3351	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3352	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3353	}
marcozecchini	0:9fca2b23d0ba	3354	}
marcozecchini	0:9fca2b23d0ba	3355	#endif
marcozecchini	0:9fca2b23d0ba	3356
marcozecchini	0:9fca2b23d0ba	3357	if( p + len != end )
marcozecchini	0:9fca2b23d0ba	3358	{
marcozecchini	0:9fca2b23d0ba	3359	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3360	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3361	}
marcozecchini	0:9fca2b23d0ba	3362
marcozecchini	0:9fca2b23d0ba	3363	mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
marcozecchini	0:9fca2b23d0ba	3364	ssl->handshake->max_minor_ver,
marcozecchini	0:9fca2b23d0ba	3365	ssl->conf->transport, ver );
marcozecchini	0:9fca2b23d0ba	3366
marcozecchini	0:9fca2b23d0ba	3367	/*
marcozecchini	0:9fca2b23d0ba	3368	* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
marcozecchini	0:9fca2b23d0ba	3369	* must not cause the connection to end immediately; instead, send a
marcozecchini	0:9fca2b23d0ba	3370	* bad_record_mac later in the handshake.
marcozecchini	0:9fca2b23d0ba	3371	* Also, avoid data-dependant branches here to protect against
marcozecchini	0:9fca2b23d0ba	3372	* timing-based variants.
marcozecchini	0:9fca2b23d0ba	3373	*/
marcozecchini	0:9fca2b23d0ba	3374	ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
marcozecchini	0:9fca2b23d0ba	3375	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	3376	return( ret );
marcozecchini	0:9fca2b23d0ba	3377
marcozecchini	0:9fca2b23d0ba	3378	ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
marcozecchini	0:9fca2b23d0ba	3379	peer_pms, &peer_pmslen,
marcozecchini	0:9fca2b23d0ba	3380	sizeof( peer_pms ),
marcozecchini	0:9fca2b23d0ba	3381	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	3382
marcozecchini	0:9fca2b23d0ba	3383	diff = (unsigned int) ret;
marcozecchini	0:9fca2b23d0ba	3384	diff \|= peer_pmslen ^ 48;
marcozecchini	0:9fca2b23d0ba	3385	diff \|= peer_pms[0] ^ ver[0];
marcozecchini	0:9fca2b23d0ba	3386	diff \|= peer_pms[1] ^ ver[1];
marcozecchini	0:9fca2b23d0ba	3387
marcozecchini	0:9fca2b23d0ba	3388	#if defined(MBEDTLS_SSL_DEBUG_ALL)
marcozecchini	0:9fca2b23d0ba	3389	if( diff != 0 )
marcozecchini	0:9fca2b23d0ba	3390	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3391	#endif
marcozecchini	0:9fca2b23d0ba	3392
marcozecchini	0:9fca2b23d0ba	3393	if( sizeof( ssl->handshake->premaster ) < pms_offset \|\|
marcozecchini	0:9fca2b23d0ba	3394	sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
marcozecchini	0:9fca2b23d0ba	3395	{
marcozecchini	0:9fca2b23d0ba	3396	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3397	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3398	}
marcozecchini	0:9fca2b23d0ba	3399	ssl->handshake->pmslen = 48;
marcozecchini	0:9fca2b23d0ba	3400
marcozecchini	0:9fca2b23d0ba	3401	/* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
marcozecchini	0:9fca2b23d0ba	3402	/* MSVC has a warning about unary minus on unsigned, but this is
marcozecchini	0:9fca2b23d0ba	3403	* well-defined and precisely what we want to do here */
marcozecchini	0:9fca2b23d0ba	3404	#if defined(_MSC_VER)
marcozecchini	0:9fca2b23d0ba	3405	#pragma warning( push )
marcozecchini	0:9fca2b23d0ba	3406	#pragma warning( disable : 4146 )
marcozecchini	0:9fca2b23d0ba	3407	#endif
marcozecchini	0:9fca2b23d0ba	3408	mask = - ( ( diff \| - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
marcozecchini	0:9fca2b23d0ba	3409	#if defined(_MSC_VER)
marcozecchini	0:9fca2b23d0ba	3410	#pragma warning( pop )
marcozecchini	0:9fca2b23d0ba	3411	#endif
marcozecchini	0:9fca2b23d0ba	3412
marcozecchini	0:9fca2b23d0ba	3413	for( i = 0; i < ssl->handshake->pmslen; i++ )
marcozecchini	0:9fca2b23d0ba	3414	pms[i] = ( mask & fake_pms[i] ) \| ( (~mask) & peer_pms[i] );
marcozecchini	0:9fca2b23d0ba	3415
marcozecchini	0:9fca2b23d0ba	3416	return( 0 );
marcozecchini	0:9fca2b23d0ba	3417	}
marcozecchini	0:9fca2b23d0ba	3418	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	3419	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	3420
marcozecchini	0:9fca2b23d0ba	3421	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	3422	static int ssl_parse_client_psk_identity( mbedtls_ssl_context ssl, unsigned char *p,
marcozecchini	0:9fca2b23d0ba	3423	const unsigned char *end )
marcozecchini	0:9fca2b23d0ba	3424	{
marcozecchini	0:9fca2b23d0ba	3425	int ret = 0;
marcozecchini	0:9fca2b23d0ba	3426	size_t n;
marcozecchini	0:9fca2b23d0ba	3427
marcozecchini	0:9fca2b23d0ba	3428	if( ssl->conf->f_psk == NULL &&
marcozecchini	0:9fca2b23d0ba	3429	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
marcozecchini	0:9fca2b23d0ba	3430	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
marcozecchini	0:9fca2b23d0ba	3431	{
marcozecchini	0:9fca2b23d0ba	3432	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
marcozecchini	0:9fca2b23d0ba	3433	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
marcozecchini	0:9fca2b23d0ba	3434	}
marcozecchini	0:9fca2b23d0ba	3435
marcozecchini	0:9fca2b23d0ba	3436	/*
marcozecchini	0:9fca2b23d0ba	3437	* Receive client pre-shared key identity name
marcozecchini	0:9fca2b23d0ba	3438	*/
marcozecchini	0:9fca2b23d0ba	3439	if( *p + 2 > end )
marcozecchini	0:9fca2b23d0ba	3440	{
marcozecchini	0:9fca2b23d0ba	3441	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3442	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3443	}
marcozecchini	0:9fca2b23d0ba	3444
marcozecchini	0:9fca2b23d0ba	3445	n = ( (p)[0] << 8 ) \| (p)[1];
marcozecchini	0:9fca2b23d0ba	3446	*p += 2;
marcozecchini	0:9fca2b23d0ba	3447
marcozecchini	0:9fca2b23d0ba	3448	if( n < 1 \|\| n > 65535 \|\| *p + n > end )
marcozecchini	0:9fca2b23d0ba	3449	{
marcozecchini	0:9fca2b23d0ba	3450	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3451	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3452	}
marcozecchini	0:9fca2b23d0ba	3453
marcozecchini	0:9fca2b23d0ba	3454	if( ssl->conf->f_psk != NULL )
marcozecchini	0:9fca2b23d0ba	3455	{
marcozecchini	0:9fca2b23d0ba	3456	if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
marcozecchini	0:9fca2b23d0ba	3457	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
marcozecchini	0:9fca2b23d0ba	3458	}
marcozecchini	0:9fca2b23d0ba	3459	else
marcozecchini	0:9fca2b23d0ba	3460	{
marcozecchini	0:9fca2b23d0ba	3461	/* Identity is not a big secret since clients send it in the clear,
marcozecchini	0:9fca2b23d0ba	3462	* but treat it carefully anyway, just in case */
marcozecchini	0:9fca2b23d0ba	3463	if( n != ssl->conf->psk_identity_len \|\|
marcozecchini	0:9fca2b23d0ba	3464	mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
marcozecchini	0:9fca2b23d0ba	3465	{
marcozecchini	0:9fca2b23d0ba	3466	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
marcozecchini	0:9fca2b23d0ba	3467	}
marcozecchini	0:9fca2b23d0ba	3468	}
marcozecchini	0:9fca2b23d0ba	3469
marcozecchini	0:9fca2b23d0ba	3470	if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
marcozecchini	0:9fca2b23d0ba	3471	{
marcozecchini	0:9fca2b23d0ba	3472	MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
marcozecchini	0:9fca2b23d0ba	3473	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
marcozecchini	0:9fca2b23d0ba	3474	MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
marcozecchini	0:9fca2b23d0ba	3475	return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
marcozecchini	0:9fca2b23d0ba	3476	}
marcozecchini	0:9fca2b23d0ba	3477
marcozecchini	0:9fca2b23d0ba	3478	*p += n;
marcozecchini	0:9fca2b23d0ba	3479
marcozecchini	0:9fca2b23d0ba	3480	return( 0 );
marcozecchini	0:9fca2b23d0ba	3481	}
marcozecchini	0:9fca2b23d0ba	3482	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	3483
marcozecchini	0:9fca2b23d0ba	3484	static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3485	{
marcozecchini	0:9fca2b23d0ba	3486	int ret;
marcozecchini	0:9fca2b23d0ba	3487	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	3488	unsigned char p, end;
marcozecchini	0:9fca2b23d0ba	3489
marcozecchini	0:9fca2b23d0ba	3490	ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	3491
marcozecchini	0:9fca2b23d0ba	3492	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
marcozecchini	0:9fca2b23d0ba	3493
marcozecchini	0:9fca2b23d0ba	3494	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3495	{
marcozecchini	0:9fca2b23d0ba	3496	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
marcozecchini	0:9fca2b23d0ba	3497	return( ret );
marcozecchini	0:9fca2b23d0ba	3498	}
marcozecchini	0:9fca2b23d0ba	3499
marcozecchini	0:9fca2b23d0ba	3500	p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	3501	end = ssl->in_msg + ssl->in_hslen;
marcozecchini	0:9fca2b23d0ba	3502
marcozecchini	0:9fca2b23d0ba	3503	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
marcozecchini	0:9fca2b23d0ba	3504	{
marcozecchini	0:9fca2b23d0ba	3505	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3506	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3507	}
marcozecchini	0:9fca2b23d0ba	3508
marcozecchini	0:9fca2b23d0ba	3509	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
marcozecchini	0:9fca2b23d0ba	3510	{
marcozecchini	0:9fca2b23d0ba	3511	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
marcozecchini	0:9fca2b23d0ba	3512	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3513	}
marcozecchini	0:9fca2b23d0ba	3514
marcozecchini	0:9fca2b23d0ba	3515	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	3516	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
marcozecchini	0:9fca2b23d0ba	3517	{
marcozecchini	0:9fca2b23d0ba	3518	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3519	{
marcozecchini	0:9fca2b23d0ba	3520	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
marcozecchini	0:9fca2b23d0ba	3521	return( ret );
marcozecchini	0:9fca2b23d0ba	3522	}
marcozecchini	0:9fca2b23d0ba	3523
marcozecchini	0:9fca2b23d0ba	3524	if( p != end )
marcozecchini	0:9fca2b23d0ba	3525	{
marcozecchini	0:9fca2b23d0ba	3526	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
marcozecchini	0:9fca2b23d0ba	3527	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3528	}
marcozecchini	0:9fca2b23d0ba	3529
marcozecchini	0:9fca2b23d0ba	3530	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
marcozecchini	0:9fca2b23d0ba	3531	ssl->handshake->premaster,
marcozecchini	0:9fca2b23d0ba	3532	MBEDTLS_PREMASTER_SIZE,
marcozecchini	0:9fca2b23d0ba	3533	&ssl->handshake->pmslen,
marcozecchini	0:9fca2b23d0ba	3534	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3535	{
marcozecchini	0:9fca2b23d0ba	3536	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
marcozecchini	0:9fca2b23d0ba	3537	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
marcozecchini	0:9fca2b23d0ba	3538	}
marcozecchini	0:9fca2b23d0ba	3539
marcozecchini	0:9fca2b23d0ba	3540	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
marcozecchini	0:9fca2b23d0ba	3541	}
marcozecchini	0:9fca2b23d0ba	3542	else
marcozecchini	0:9fca2b23d0ba	3543	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	3544	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	3545	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	3546	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
marcozecchini	0:9fca2b23d0ba	3547	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	3548	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
marcozecchini	0:9fca2b23d0ba	3549	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
marcozecchini	0:9fca2b23d0ba	3550	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
marcozecchini	0:9fca2b23d0ba	3551	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
marcozecchini	0:9fca2b23d0ba	3552	{
marcozecchini	0:9fca2b23d0ba	3553	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
marcozecchini	0:9fca2b23d0ba	3554	p, end - p) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3555	{
marcozecchini	0:9fca2b23d0ba	3556	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
marcozecchini	0:9fca2b23d0ba	3557	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
marcozecchini	0:9fca2b23d0ba	3558	}
marcozecchini	0:9fca2b23d0ba	3559
marcozecchini	0:9fca2b23d0ba	3560	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
marcozecchini	0:9fca2b23d0ba	3561
marcozecchini	0:9fca2b23d0ba	3562	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
marcozecchini	0:9fca2b23d0ba	3563	&ssl->handshake->pmslen,
marcozecchini	0:9fca2b23d0ba	3564	ssl->handshake->premaster,
marcozecchini	0:9fca2b23d0ba	3565	MBEDTLS_MPI_MAX_SIZE,
marcozecchini	0:9fca2b23d0ba	3566	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3567	{
marcozecchini	0:9fca2b23d0ba	3568	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
marcozecchini	0:9fca2b23d0ba	3569	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
marcozecchini	0:9fca2b23d0ba	3570	}
marcozecchini	0:9fca2b23d0ba	3571
marcozecchini	0:9fca2b23d0ba	3572	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
marcozecchini	0:9fca2b23d0ba	3573	}
marcozecchini	0:9fca2b23d0ba	3574	else
marcozecchini	0:9fca2b23d0ba	3575	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	3576	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	3577	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
marcozecchini	0:9fca2b23d0ba	3578	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	3579	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	3580	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
marcozecchini	0:9fca2b23d0ba	3581	{
marcozecchini	0:9fca2b23d0ba	3582	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3583	{
marcozecchini	0:9fca2b23d0ba	3584	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
marcozecchini	0:9fca2b23d0ba	3585	return( ret );
marcozecchini	0:9fca2b23d0ba	3586	}
marcozecchini	0:9fca2b23d0ba	3587
marcozecchini	0:9fca2b23d0ba	3588	if( p != end )
marcozecchini	0:9fca2b23d0ba	3589	{
marcozecchini	0:9fca2b23d0ba	3590	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
marcozecchini	0:9fca2b23d0ba	3591	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3592	}
marcozecchini	0:9fca2b23d0ba	3593
marcozecchini	0:9fca2b23d0ba	3594	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
marcozecchini	0:9fca2b23d0ba	3595	ciphersuite_info->key_exchange ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3596	{
marcozecchini	0:9fca2b23d0ba	3597	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
marcozecchini	0:9fca2b23d0ba	3598	return( ret );
marcozecchini	0:9fca2b23d0ba	3599	}
marcozecchini	0:9fca2b23d0ba	3600	}
marcozecchini	0:9fca2b23d0ba	3601	else
marcozecchini	0:9fca2b23d0ba	3602	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	3603	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	3604	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
marcozecchini	0:9fca2b23d0ba	3605	{
marcozecchini	0:9fca2b23d0ba	3606	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3607	{
marcozecchini	0:9fca2b23d0ba	3608	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
marcozecchini	0:9fca2b23d0ba	3609	return( ret );
marcozecchini	0:9fca2b23d0ba	3610	}
marcozecchini	0:9fca2b23d0ba	3611
marcozecchini	0:9fca2b23d0ba	3612	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3613	{
marcozecchini	0:9fca2b23d0ba	3614	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
marcozecchini	0:9fca2b23d0ba	3615	return( ret );
marcozecchini	0:9fca2b23d0ba	3616	}
marcozecchini	0:9fca2b23d0ba	3617
marcozecchini	0:9fca2b23d0ba	3618	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
marcozecchini	0:9fca2b23d0ba	3619	ciphersuite_info->key_exchange ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3620	{
marcozecchini	0:9fca2b23d0ba	3621	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
marcozecchini	0:9fca2b23d0ba	3622	return( ret );
marcozecchini	0:9fca2b23d0ba	3623	}
marcozecchini	0:9fca2b23d0ba	3624	}
marcozecchini	0:9fca2b23d0ba	3625	else
marcozecchini	0:9fca2b23d0ba	3626	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	3627	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	3628	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
marcozecchini	0:9fca2b23d0ba	3629	{
marcozecchini	0:9fca2b23d0ba	3630	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3631	{
marcozecchini	0:9fca2b23d0ba	3632	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
marcozecchini	0:9fca2b23d0ba	3633	return( ret );
marcozecchini	0:9fca2b23d0ba	3634	}
marcozecchini	0:9fca2b23d0ba	3635	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3636	{
marcozecchini	0:9fca2b23d0ba	3637	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
marcozecchini	0:9fca2b23d0ba	3638	return( ret );
marcozecchini	0:9fca2b23d0ba	3639	}
marcozecchini	0:9fca2b23d0ba	3640
marcozecchini	0:9fca2b23d0ba	3641	if( p != end )
marcozecchini	0:9fca2b23d0ba	3642	{
marcozecchini	0:9fca2b23d0ba	3643	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
marcozecchini	0:9fca2b23d0ba	3644	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3645	}
marcozecchini	0:9fca2b23d0ba	3646
marcozecchini	0:9fca2b23d0ba	3647	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
marcozecchini	0:9fca2b23d0ba	3648	ciphersuite_info->key_exchange ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3649	{
marcozecchini	0:9fca2b23d0ba	3650	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
marcozecchini	0:9fca2b23d0ba	3651	return( ret );
marcozecchini	0:9fca2b23d0ba	3652	}
marcozecchini	0:9fca2b23d0ba	3653	}
marcozecchini	0:9fca2b23d0ba	3654	else
marcozecchini	0:9fca2b23d0ba	3655	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	3656	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
marcozecchini	0:9fca2b23d0ba	3657	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
marcozecchini	0:9fca2b23d0ba	3658	{
marcozecchini	0:9fca2b23d0ba	3659	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3660	{
marcozecchini	0:9fca2b23d0ba	3661	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
marcozecchini	0:9fca2b23d0ba	3662	return( ret );
marcozecchini	0:9fca2b23d0ba	3663	}
marcozecchini	0:9fca2b23d0ba	3664
marcozecchini	0:9fca2b23d0ba	3665	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
marcozecchini	0:9fca2b23d0ba	3666	p, end - p ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3667	{
marcozecchini	0:9fca2b23d0ba	3668	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
marcozecchini	0:9fca2b23d0ba	3669	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
marcozecchini	0:9fca2b23d0ba	3670	}
marcozecchini	0:9fca2b23d0ba	3671
marcozecchini	0:9fca2b23d0ba	3672	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
marcozecchini	0:9fca2b23d0ba	3673
marcozecchini	0:9fca2b23d0ba	3674	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
marcozecchini	0:9fca2b23d0ba	3675	ciphersuite_info->key_exchange ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3676	{
marcozecchini	0:9fca2b23d0ba	3677	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
marcozecchini	0:9fca2b23d0ba	3678	return( ret );
marcozecchini	0:9fca2b23d0ba	3679	}
marcozecchini	0:9fca2b23d0ba	3680	}
marcozecchini	0:9fca2b23d0ba	3681	else
marcozecchini	0:9fca2b23d0ba	3682	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
marcozecchini	0:9fca2b23d0ba	3683	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	3684	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
marcozecchini	0:9fca2b23d0ba	3685	{
marcozecchini	0:9fca2b23d0ba	3686	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3687	{
marcozecchini	0:9fca2b23d0ba	3688	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
marcozecchini	0:9fca2b23d0ba	3689	return( ret );
marcozecchini	0:9fca2b23d0ba	3690	}
marcozecchini	0:9fca2b23d0ba	3691	}
marcozecchini	0:9fca2b23d0ba	3692	else
marcozecchini	0:9fca2b23d0ba	3693	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	3694	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
marcozecchini	0:9fca2b23d0ba	3695	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	3696	{
marcozecchini	0:9fca2b23d0ba	3697	ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	3698	p, end - p );
marcozecchini	0:9fca2b23d0ba	3699	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	3700	{
marcozecchini	0:9fca2b23d0ba	3701	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
marcozecchini	0:9fca2b23d0ba	3702	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
marcozecchini	0:9fca2b23d0ba	3703	}
marcozecchini	0:9fca2b23d0ba	3704
marcozecchini	0:9fca2b23d0ba	3705	ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
marcozecchini	0:9fca2b23d0ba	3706	ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
marcozecchini	0:9fca2b23d0ba	3707	ssl->conf->f_rng, ssl->conf->p_rng );
marcozecchini	0:9fca2b23d0ba	3708	if( ret != 0 )
marcozecchini	0:9fca2b23d0ba	3709	{
marcozecchini	0:9fca2b23d0ba	3710	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
marcozecchini	0:9fca2b23d0ba	3711	return( ret );
marcozecchini	0:9fca2b23d0ba	3712	}
marcozecchini	0:9fca2b23d0ba	3713	}
marcozecchini	0:9fca2b23d0ba	3714	else
marcozecchini	0:9fca2b23d0ba	3715	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
marcozecchini	0:9fca2b23d0ba	3716	{
marcozecchini	0:9fca2b23d0ba	3717	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3718	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3719	}
marcozecchini	0:9fca2b23d0ba	3720
marcozecchini	0:9fca2b23d0ba	3721	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3722	{
marcozecchini	0:9fca2b23d0ba	3723	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
marcozecchini	0:9fca2b23d0ba	3724	return( ret );
marcozecchini	0:9fca2b23d0ba	3725	}
marcozecchini	0:9fca2b23d0ba	3726
marcozecchini	0:9fca2b23d0ba	3727	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3728
marcozecchini	0:9fca2b23d0ba	3729	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
marcozecchini	0:9fca2b23d0ba	3730
marcozecchini	0:9fca2b23d0ba	3731	return( 0 );
marcozecchini	0:9fca2b23d0ba	3732	}
marcozecchini	0:9fca2b23d0ba	3733
marcozecchini	0:9fca2b23d0ba	3734	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3735	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3736	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3737	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
marcozecchini	0:9fca2b23d0ba	3738	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
marcozecchini	0:9fca2b23d0ba	3739	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
marcozecchini	0:9fca2b23d0ba	3740	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3741	{
marcozecchini	0:9fca2b23d0ba	3742	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	3743	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	3744
marcozecchini	0:9fca2b23d0ba	3745	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3746
marcozecchini	0:9fca2b23d0ba	3747	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3748	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3749	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3750	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3751	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
marcozecchini	0:9fca2b23d0ba	3752	{
marcozecchini	0:9fca2b23d0ba	3753	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3754	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3755	return( 0 );
marcozecchini	0:9fca2b23d0ba	3756	}
marcozecchini	0:9fca2b23d0ba	3757
marcozecchini	0:9fca2b23d0ba	3758	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3759	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3760	}
marcozecchini	0:9fca2b23d0ba	3761	#else
marcozecchini	0:9fca2b23d0ba	3762	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3763	{
marcozecchini	0:9fca2b23d0ba	3764	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
marcozecchini	0:9fca2b23d0ba	3765	size_t i, sig_len;
marcozecchini	0:9fca2b23d0ba	3766	unsigned char hash[48];
marcozecchini	0:9fca2b23d0ba	3767	unsigned char *hash_start = hash;
marcozecchini	0:9fca2b23d0ba	3768	size_t hashlen;
marcozecchini	0:9fca2b23d0ba	3769	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	3770	mbedtls_pk_type_t pk_alg;
marcozecchini	0:9fca2b23d0ba	3771	#endif
marcozecchini	0:9fca2b23d0ba	3772	mbedtls_md_type_t md_alg;
marcozecchini	0:9fca2b23d0ba	3773	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
marcozecchini	0:9fca2b23d0ba	3774	ssl->transform_negotiate->ciphersuite_info;
marcozecchini	0:9fca2b23d0ba	3775
marcozecchini	0:9fca2b23d0ba	3776	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3777
marcozecchini	0:9fca2b23d0ba	3778	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3779	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3780	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3781	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
marcozecchini	0:9fca2b23d0ba	3782	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
marcozecchini	0:9fca2b23d0ba	3783	ssl->session_negotiate->peer_cert == NULL )
marcozecchini	0:9fca2b23d0ba	3784	{
marcozecchini	0:9fca2b23d0ba	3785	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3786	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3787	return( 0 );
marcozecchini	0:9fca2b23d0ba	3788	}
marcozecchini	0:9fca2b23d0ba	3789
marcozecchini	0:9fca2b23d0ba	3790	/* Read the message without adding it to the checksum */
marcozecchini	0:9fca2b23d0ba	3791	do {
marcozecchini	0:9fca2b23d0ba	3792
marcozecchini	0:9fca2b23d0ba	3793	if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3794	{
marcozecchini	0:9fca2b23d0ba	3795	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
marcozecchini	0:9fca2b23d0ba	3796	return( ret );
marcozecchini	0:9fca2b23d0ba	3797	}
marcozecchini	0:9fca2b23d0ba	3798
marcozecchini	0:9fca2b23d0ba	3799	ret = mbedtls_ssl_handle_message_type( ssl );
marcozecchini	0:9fca2b23d0ba	3800
marcozecchini	0:9fca2b23d0ba	3801	} while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
marcozecchini	0:9fca2b23d0ba	3802
marcozecchini	0:9fca2b23d0ba	3803	if( 0 != ret )
marcozecchini	0:9fca2b23d0ba	3804	{
marcozecchini	0:9fca2b23d0ba	3805	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
marcozecchini	0:9fca2b23d0ba	3806	return( ret );
marcozecchini	0:9fca2b23d0ba	3807	}
marcozecchini	0:9fca2b23d0ba	3808
marcozecchini	0:9fca2b23d0ba	3809	ssl->state++;
marcozecchini	0:9fca2b23d0ba	3810
marcozecchini	0:9fca2b23d0ba	3811	/* Process the message contents */
marcozecchini	0:9fca2b23d0ba	3812	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
marcozecchini	0:9fca2b23d0ba	3813	ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
marcozecchini	0:9fca2b23d0ba	3814	{
marcozecchini	0:9fca2b23d0ba	3815	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
marcozecchini	0:9fca2b23d0ba	3816	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
marcozecchini	0:9fca2b23d0ba	3817	}
marcozecchini	0:9fca2b23d0ba	3818
marcozecchini	0:9fca2b23d0ba	3819	i = mbedtls_ssl_hs_hdr_len( ssl );
marcozecchini	0:9fca2b23d0ba	3820
marcozecchini	0:9fca2b23d0ba	3821	/*
marcozecchini	0:9fca2b23d0ba	3822	* struct {
marcozecchini	0:9fca2b23d0ba	3823	* SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
marcozecchini	0:9fca2b23d0ba	3824	* opaque signature<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	3825	* } DigitallySigned;
marcozecchini	0:9fca2b23d0ba	3826	*/
marcozecchini	0:9fca2b23d0ba	3827	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
marcozecchini	0:9fca2b23d0ba	3828	defined(MBEDTLS_SSL_PROTO_TLS1_1)
marcozecchini	0:9fca2b23d0ba	3829	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	3830	{
marcozecchini	0:9fca2b23d0ba	3831	md_alg = MBEDTLS_MD_NONE;
marcozecchini	0:9fca2b23d0ba	3832	hashlen = 36;
marcozecchini	0:9fca2b23d0ba	3833
marcozecchini	0:9fca2b23d0ba	3834	/* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
marcozecchini	0:9fca2b23d0ba	3835	if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
marcozecchini	0:9fca2b23d0ba	3836	MBEDTLS_PK_ECDSA ) )
marcozecchini	0:9fca2b23d0ba	3837	{
marcozecchini	0:9fca2b23d0ba	3838	hash_start += 16;
marcozecchini	0:9fca2b23d0ba	3839	hashlen -= 16;
marcozecchini	0:9fca2b23d0ba	3840	md_alg = MBEDTLS_MD_SHA1;
marcozecchini	0:9fca2b23d0ba	3841	}
marcozecchini	0:9fca2b23d0ba	3842	}
marcozecchini	0:9fca2b23d0ba	3843	else
marcozecchini	0:9fca2b23d0ba	3844	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\|
marcozecchini	0:9fca2b23d0ba	3845	MBEDTLS_SSL_PROTO_TLS1_1 */
marcozecchini	0:9fca2b23d0ba	3846	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
marcozecchini	0:9fca2b23d0ba	3847	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
marcozecchini	0:9fca2b23d0ba	3848	{
marcozecchini	0:9fca2b23d0ba	3849	if( i + 2 > ssl->in_hslen )
marcozecchini	0:9fca2b23d0ba	3850	{
marcozecchini	0:9fca2b23d0ba	3851	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
marcozecchini	0:9fca2b23d0ba	3852	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
marcozecchini	0:9fca2b23d0ba	3853	}
marcozecchini	0:9fca2b23d0ba	3854
marcozecchini	0:9fca2b23d0ba	3855	/*
marcozecchini	0:9fca2b23d0ba	3856	* Hash
marcozecchini	0:9fca2b23d0ba	3857	*/
marcozecchini	0:9fca2b23d0ba	3858	md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
marcozecchini	0:9fca2b23d0ba	3859
marcozecchini	0:9fca2b23d0ba	3860	if( md_alg == MBEDTLS_MD_NONE \|\| mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
marcozecchini	0:9fca2b23d0ba	3861	{
marcozecchini	0:9fca2b23d0ba	3862	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
marcozecchini	0:9fca2b23d0ba	3863	" for verify message" ) );
marcozecchini	0:9fca2b23d0ba	3864	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
marcozecchini	0:9fca2b23d0ba	3865	}
marcozecchini	0:9fca2b23d0ba	3866
marcozecchini	0:9fca2b23d0ba	3867	#if !defined(MBEDTLS_MD_SHA1)
marcozecchini	0:9fca2b23d0ba	3868	if( MBEDTLS_MD_SHA1 == md_alg )
marcozecchini	0:9fca2b23d0ba	3869	hash_start += 16;
marcozecchini	0:9fca2b23d0ba	3870	#endif
marcozecchini	0:9fca2b23d0ba	3871
marcozecchini	0:9fca2b23d0ba	3872	/* Info from md_alg will be used instead */
marcozecchini	0:9fca2b23d0ba	3873	hashlen = 0;
marcozecchini	0:9fca2b23d0ba	3874
marcozecchini	0:9fca2b23d0ba	3875	i++;
marcozecchini	0:9fca2b23d0ba	3876
marcozecchini	0:9fca2b23d0ba	3877	/*
marcozecchini	0:9fca2b23d0ba	3878	* Signature
marcozecchini	0:9fca2b23d0ba	3879	*/
marcozecchini	0:9fca2b23d0ba	3880	if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
marcozecchini	0:9fca2b23d0ba	3881	== MBEDTLS_PK_NONE )
marcozecchini	0:9fca2b23d0ba	3882	{
marcozecchini	0:9fca2b23d0ba	3883	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
marcozecchini	0:9fca2b23d0ba	3884	" for verify message" ) );
marcozecchini	0:9fca2b23d0ba	3885	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
marcozecchini	0:9fca2b23d0ba	3886	}
marcozecchini	0:9fca2b23d0ba	3887
marcozecchini	0:9fca2b23d0ba	3888	/*
marcozecchini	0:9fca2b23d0ba	3889	* Check the certificate's key type matches the signature alg
marcozecchini	0:9fca2b23d0ba	3890	*/
marcozecchini	0:9fca2b23d0ba	3891	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
marcozecchini	0:9fca2b23d0ba	3892	{
marcozecchini	0:9fca2b23d0ba	3893	MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
marcozecchini	0:9fca2b23d0ba	3894	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
marcozecchini	0:9fca2b23d0ba	3895	}
marcozecchini	0:9fca2b23d0ba	3896
marcozecchini	0:9fca2b23d0ba	3897	i++;
marcozecchini	0:9fca2b23d0ba	3898	}
marcozecchini	0:9fca2b23d0ba	3899	else
marcozecchini	0:9fca2b23d0ba	3900	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
marcozecchini	0:9fca2b23d0ba	3901	{
marcozecchini	0:9fca2b23d0ba	3902	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
marcozecchini	0:9fca2b23d0ba	3903	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
marcozecchini	0:9fca2b23d0ba	3904	}
marcozecchini	0:9fca2b23d0ba	3905
marcozecchini	0:9fca2b23d0ba	3906	if( i + 2 > ssl->in_hslen )
marcozecchini	0:9fca2b23d0ba	3907	{
marcozecchini	0:9fca2b23d0ba	3908	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
marcozecchini	0:9fca2b23d0ba	3909	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
marcozecchini	0:9fca2b23d0ba	3910	}
marcozecchini	0:9fca2b23d0ba	3911
marcozecchini	0:9fca2b23d0ba	3912	sig_len = ( ssl->in_msg[i] << 8 ) \| ssl->in_msg[i+1];
marcozecchini	0:9fca2b23d0ba	3913	i += 2;
marcozecchini	0:9fca2b23d0ba	3914
marcozecchini	0:9fca2b23d0ba	3915	if( i + sig_len != ssl->in_hslen )
marcozecchini	0:9fca2b23d0ba	3916	{
marcozecchini	0:9fca2b23d0ba	3917	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
marcozecchini	0:9fca2b23d0ba	3918	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
marcozecchini	0:9fca2b23d0ba	3919	}
marcozecchini	0:9fca2b23d0ba	3920
marcozecchini	0:9fca2b23d0ba	3921	/* Calculate hash and verify signature */
marcozecchini	0:9fca2b23d0ba	3922	ssl->handshake->calc_verify( ssl, hash );
marcozecchini	0:9fca2b23d0ba	3923
marcozecchini	0:9fca2b23d0ba	3924	if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
marcozecchini	0:9fca2b23d0ba	3925	md_alg, hash_start, hashlen,
marcozecchini	0:9fca2b23d0ba	3926	ssl->in_msg + i, sig_len ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3927	{
marcozecchini	0:9fca2b23d0ba	3928	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
marcozecchini	0:9fca2b23d0ba	3929	return( ret );
marcozecchini	0:9fca2b23d0ba	3930	}
marcozecchini	0:9fca2b23d0ba	3931
marcozecchini	0:9fca2b23d0ba	3932	mbedtls_ssl_update_handshake_status( ssl );
marcozecchini	0:9fca2b23d0ba	3933
marcozecchini	0:9fca2b23d0ba	3934	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
marcozecchini	0:9fca2b23d0ba	3935
marcozecchini	0:9fca2b23d0ba	3936	return( ret );
marcozecchini	0:9fca2b23d0ba	3937	}
marcozecchini	0:9fca2b23d0ba	3938	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3939	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3940	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3941	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3942	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
marcozecchini	0:9fca2b23d0ba	3943	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
marcozecchini	0:9fca2b23d0ba	3944
marcozecchini	0:9fca2b23d0ba	3945	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	3946	static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	3947	{
marcozecchini	0:9fca2b23d0ba	3948	int ret;
marcozecchini	0:9fca2b23d0ba	3949	size_t tlen;
marcozecchini	0:9fca2b23d0ba	3950	uint32_t lifetime;
marcozecchini	0:9fca2b23d0ba	3951
marcozecchini	0:9fca2b23d0ba	3952	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
marcozecchini	0:9fca2b23d0ba	3953
marcozecchini	0:9fca2b23d0ba	3954	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
marcozecchini	0:9fca2b23d0ba	3955	ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
marcozecchini	0:9fca2b23d0ba	3956
marcozecchini	0:9fca2b23d0ba	3957	/*
marcozecchini	0:9fca2b23d0ba	3958	* struct {
marcozecchini	0:9fca2b23d0ba	3959	* uint32 ticket_lifetime_hint;
marcozecchini	0:9fca2b23d0ba	3960	* opaque ticket<0..2^16-1>;
marcozecchini	0:9fca2b23d0ba	3961	* } NewSessionTicket;
marcozecchini	0:9fca2b23d0ba	3962	*
marcozecchini	0:9fca2b23d0ba	3963	* 4 . 7 ticket_lifetime_hint (0 = unspecified)
marcozecchini	0:9fca2b23d0ba	3964	* 8 . 9 ticket_len (n)
marcozecchini	0:9fca2b23d0ba	3965	* 10 . 9+n ticket content
marcozecchini	0:9fca2b23d0ba	3966	*/
marcozecchini	0:9fca2b23d0ba	3967
marcozecchini	0:9fca2b23d0ba	3968	if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
marcozecchini	0:9fca2b23d0ba	3969	ssl->session_negotiate,
marcozecchini	0:9fca2b23d0ba	3970	ssl->out_msg + 10,
marcozecchini	0:9fca2b23d0ba	3971	ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
marcozecchini	0:9fca2b23d0ba	3972	&tlen, &lifetime ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3973	{
marcozecchini	0:9fca2b23d0ba	3974	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
marcozecchini	0:9fca2b23d0ba	3975	tlen = 0;
marcozecchini	0:9fca2b23d0ba	3976	}
marcozecchini	0:9fca2b23d0ba	3977
marcozecchini	0:9fca2b23d0ba	3978	ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
marcozecchini	0:9fca2b23d0ba	3979	ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
marcozecchini	0:9fca2b23d0ba	3980	ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
marcozecchini	0:9fca2b23d0ba	3981	ssl->out_msg[7] = ( lifetime ) & 0xFF;
marcozecchini	0:9fca2b23d0ba	3982
marcozecchini	0:9fca2b23d0ba	3983	ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	3984	ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
marcozecchini	0:9fca2b23d0ba	3985
marcozecchini	0:9fca2b23d0ba	3986	ssl->out_msglen = 10 + tlen;
marcozecchini	0:9fca2b23d0ba	3987
marcozecchini	0:9fca2b23d0ba	3988	/*
marcozecchini	0:9fca2b23d0ba	3989	* Morally equivalent to updating ssl->state, but NewSessionTicket and
marcozecchini	0:9fca2b23d0ba	3990	* ChangeCipherSpec share the same state.
marcozecchini	0:9fca2b23d0ba	3991	*/
marcozecchini	0:9fca2b23d0ba	3992	ssl->handshake->new_session_ticket = 0;
marcozecchini	0:9fca2b23d0ba	3993
marcozecchini	0:9fca2b23d0ba	3994	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	3995	{
marcozecchini	0:9fca2b23d0ba	3996	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
marcozecchini	0:9fca2b23d0ba	3997	return( ret );
marcozecchini	0:9fca2b23d0ba	3998	}
marcozecchini	0:9fca2b23d0ba	3999
marcozecchini	0:9fca2b23d0ba	4000	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
marcozecchini	0:9fca2b23d0ba	4001
marcozecchini	0:9fca2b23d0ba	4002	return( 0 );
marcozecchini	0:9fca2b23d0ba	4003	}
marcozecchini	0:9fca2b23d0ba	4004	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
marcozecchini	0:9fca2b23d0ba	4005
marcozecchini	0:9fca2b23d0ba	4006	/*
marcozecchini	0:9fca2b23d0ba	4007	* SSL handshake -- server side -- single step
marcozecchini	0:9fca2b23d0ba	4008	*/
marcozecchini	0:9fca2b23d0ba	4009	int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
marcozecchini	0:9fca2b23d0ba	4010	{
marcozecchini	0:9fca2b23d0ba	4011	int ret = 0;
marcozecchini	0:9fca2b23d0ba	4012
marcozecchini	0:9fca2b23d0ba	4013	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER \|\| ssl->handshake == NULL )
marcozecchini	0:9fca2b23d0ba	4014	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	4015
marcozecchini	0:9fca2b23d0ba	4016	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
marcozecchini	0:9fca2b23d0ba	4017
marcozecchini	0:9fca2b23d0ba	4018	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	4019	return( ret );
marcozecchini	0:9fca2b23d0ba	4020
marcozecchini	0:9fca2b23d0ba	4021	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	4022	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
marcozecchini	0:9fca2b23d0ba	4023	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
marcozecchini	0:9fca2b23d0ba	4024	{
marcozecchini	0:9fca2b23d0ba	4025	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
marcozecchini	0:9fca2b23d0ba	4026	return( ret );
marcozecchini	0:9fca2b23d0ba	4027	}
marcozecchini	0:9fca2b23d0ba	4028	#endif
marcozecchini	0:9fca2b23d0ba	4029
marcozecchini	0:9fca2b23d0ba	4030	switch( ssl->state )
marcozecchini	0:9fca2b23d0ba	4031	{
marcozecchini	0:9fca2b23d0ba	4032	case MBEDTLS_SSL_HELLO_REQUEST:
marcozecchini	0:9fca2b23d0ba	4033	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
marcozecchini	0:9fca2b23d0ba	4034	break;
marcozecchini	0:9fca2b23d0ba	4035
marcozecchini	0:9fca2b23d0ba	4036	/*
marcozecchini	0:9fca2b23d0ba	4037	* <== ClientHello
marcozecchini	0:9fca2b23d0ba	4038	*/
marcozecchini	0:9fca2b23d0ba	4039	case MBEDTLS_SSL_CLIENT_HELLO:
marcozecchini	0:9fca2b23d0ba	4040	ret = ssl_parse_client_hello( ssl );
marcozecchini	0:9fca2b23d0ba	4041	break;
marcozecchini	0:9fca2b23d0ba	4042
marcozecchini	0:9fca2b23d0ba	4043	#if defined(MBEDTLS_SSL_PROTO_DTLS)
marcozecchini	0:9fca2b23d0ba	4044	case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
marcozecchini	0:9fca2b23d0ba	4045	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
marcozecchini	0:9fca2b23d0ba	4046	#endif
marcozecchini	0:9fca2b23d0ba	4047
marcozecchini	0:9fca2b23d0ba	4048	/*
marcozecchini	0:9fca2b23d0ba	4049	* ==> ServerHello
marcozecchini	0:9fca2b23d0ba	4050	* Certificate
marcozecchini	0:9fca2b23d0ba	4051	* ( ServerKeyExchange )
marcozecchini	0:9fca2b23d0ba	4052	* ( CertificateRequest )
marcozecchini	0:9fca2b23d0ba	4053	* ServerHelloDone
marcozecchini	0:9fca2b23d0ba	4054	*/
marcozecchini	0:9fca2b23d0ba	4055	case MBEDTLS_SSL_SERVER_HELLO:
marcozecchini	0:9fca2b23d0ba	4056	ret = ssl_write_server_hello( ssl );
marcozecchini	0:9fca2b23d0ba	4057	break;
marcozecchini	0:9fca2b23d0ba	4058
marcozecchini	0:9fca2b23d0ba	4059	case MBEDTLS_SSL_SERVER_CERTIFICATE:
marcozecchini	0:9fca2b23d0ba	4060	ret = mbedtls_ssl_write_certificate( ssl );
marcozecchini	0:9fca2b23d0ba	4061	break;
marcozecchini	0:9fca2b23d0ba	4062
marcozecchini	0:9fca2b23d0ba	4063	case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
marcozecchini	0:9fca2b23d0ba	4064	ret = ssl_write_server_key_exchange( ssl );
marcozecchini	0:9fca2b23d0ba	4065	break;
marcozecchini	0:9fca2b23d0ba	4066
marcozecchini	0:9fca2b23d0ba	4067	case MBEDTLS_SSL_CERTIFICATE_REQUEST:
marcozecchini	0:9fca2b23d0ba	4068	ret = ssl_write_certificate_request( ssl );
marcozecchini	0:9fca2b23d0ba	4069	break;
marcozecchini	0:9fca2b23d0ba	4070
marcozecchini	0:9fca2b23d0ba	4071	case MBEDTLS_SSL_SERVER_HELLO_DONE:
marcozecchini	0:9fca2b23d0ba	4072	ret = ssl_write_server_hello_done( ssl );
marcozecchini	0:9fca2b23d0ba	4073	break;
marcozecchini	0:9fca2b23d0ba	4074
marcozecchini	0:9fca2b23d0ba	4075	/*
marcozecchini	0:9fca2b23d0ba	4076	* <== ( Certificate/Alert )
marcozecchini	0:9fca2b23d0ba	4077	* ClientKeyExchange
marcozecchini	0:9fca2b23d0ba	4078	* ( CertificateVerify )
marcozecchini	0:9fca2b23d0ba	4079	* ChangeCipherSpec
marcozecchini	0:9fca2b23d0ba	4080	* Finished
marcozecchini	0:9fca2b23d0ba	4081	*/
marcozecchini	0:9fca2b23d0ba	4082	case MBEDTLS_SSL_CLIENT_CERTIFICATE:
marcozecchini	0:9fca2b23d0ba	4083	ret = mbedtls_ssl_parse_certificate( ssl );
marcozecchini	0:9fca2b23d0ba	4084	break;
marcozecchini	0:9fca2b23d0ba	4085
marcozecchini	0:9fca2b23d0ba	4086	case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
marcozecchini	0:9fca2b23d0ba	4087	ret = ssl_parse_client_key_exchange( ssl );
marcozecchini	0:9fca2b23d0ba	4088	break;
marcozecchini	0:9fca2b23d0ba	4089
marcozecchini	0:9fca2b23d0ba	4090	case MBEDTLS_SSL_CERTIFICATE_VERIFY:
marcozecchini	0:9fca2b23d0ba	4091	ret = ssl_parse_certificate_verify( ssl );
marcozecchini	0:9fca2b23d0ba	4092	break;
marcozecchini	0:9fca2b23d0ba	4093
marcozecchini	0:9fca2b23d0ba	4094	case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
marcozecchini	0:9fca2b23d0ba	4095	ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
marcozecchini	0:9fca2b23d0ba	4096	break;
marcozecchini	0:9fca2b23d0ba	4097
marcozecchini	0:9fca2b23d0ba	4098	case MBEDTLS_SSL_CLIENT_FINISHED:
marcozecchini	0:9fca2b23d0ba	4099	ret = mbedtls_ssl_parse_finished( ssl );
marcozecchini	0:9fca2b23d0ba	4100	break;
marcozecchini	0:9fca2b23d0ba	4101
marcozecchini	0:9fca2b23d0ba	4102	/*
marcozecchini	0:9fca2b23d0ba	4103	* ==> ( NewSessionTicket )
marcozecchini	0:9fca2b23d0ba	4104	* ChangeCipherSpec
marcozecchini	0:9fca2b23d0ba	4105	* Finished
marcozecchini	0:9fca2b23d0ba	4106	*/
marcozecchini	0:9fca2b23d0ba	4107	case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
marcozecchini	0:9fca2b23d0ba	4108	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
marcozecchini	0:9fca2b23d0ba	4109	if( ssl->handshake->new_session_ticket != 0 )
marcozecchini	0:9fca2b23d0ba	4110	ret = ssl_write_new_session_ticket( ssl );
marcozecchini	0:9fca2b23d0ba	4111	else
marcozecchini	0:9fca2b23d0ba	4112	#endif
marcozecchini	0:9fca2b23d0ba	4113	ret = mbedtls_ssl_write_change_cipher_spec( ssl );
marcozecchini	0:9fca2b23d0ba	4114	break;
marcozecchini	0:9fca2b23d0ba	4115
marcozecchini	0:9fca2b23d0ba	4116	case MBEDTLS_SSL_SERVER_FINISHED:
marcozecchini	0:9fca2b23d0ba	4117	ret = mbedtls_ssl_write_finished( ssl );
marcozecchini	0:9fca2b23d0ba	4118	break;
marcozecchini	0:9fca2b23d0ba	4119
marcozecchini	0:9fca2b23d0ba	4120	case MBEDTLS_SSL_FLUSH_BUFFERS:
marcozecchini	0:9fca2b23d0ba	4121	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
marcozecchini	0:9fca2b23d0ba	4122	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
marcozecchini	0:9fca2b23d0ba	4123	break;
marcozecchini	0:9fca2b23d0ba	4124
marcozecchini	0:9fca2b23d0ba	4125	case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
marcozecchini	0:9fca2b23d0ba	4126	mbedtls_ssl_handshake_wrapup( ssl );
marcozecchini	0:9fca2b23d0ba	4127	break;
marcozecchini	0:9fca2b23d0ba	4128
marcozecchini	0:9fca2b23d0ba	4129	default:
marcozecchini	0:9fca2b23d0ba	4130	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
marcozecchini	0:9fca2b23d0ba	4131	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
marcozecchini	0:9fca2b23d0ba	4132	}
marcozecchini	0:9fca2b23d0ba	4133
marcozecchini	0:9fca2b23d0ba	4134	return( ret );
marcozecchini	0:9fca2b23d0ba	4135	}
marcozecchini	0:9fca2b23d0ba	4136	#endif /* MBEDTLS_SSL_SRV_C */

Repository toolbox

Export to desktop IDE

Build repository

Repository details

Type:	Program
Mbed OS support:	Mbed OS
Created:	23 Feb 2019
Imports:	43
Forks:	0
Commits:	1
Dependents:	0
Dependencies:	0
Followers:	1

mbed-os/features/mbedtls/src/ssl_srv.c@0:9fca2b23d0ba, 2019-02-23 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning