ssl_srv.c

00001 /*
00002  *  SSLv3/TLSv1 server-side functions
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 
00022 #if !defined(MBEDTLS_CONFIG_FILE)
00023 #include "mbedtls/config.h"
00024 #else
00025 #include MBEDTLS_CONFIG_FILE
00026 #endif
00027 
00028 #if defined(MBEDTLS_SSL_SRV_C)
00029 
00030 #if defined(MBEDTLS_PLATFORM_C)
00031 #include "mbedtls/platform.h"
00032 #else
00033 #include <stdlib.h>
00034 #define mbedtls_calloc    calloc
00035 #define mbedtls_free      free
00036 #endif
00037 
00038 #include "mbedtls/debug.h"
00039 #include "mbedtls/ssl.h"
00040 #include "mbedtls/ssl_internal.h"
00041 
00042 #include <string.h>
00043 
00044 #if defined(MBEDTLS_ECP_C)
00045 #include "mbedtls/ecp.h"
00046 #endif
00047 
00048 #if defined(MBEDTLS_HAVE_TIME)
00049 #include "mbedtls/platform_time.h"
00050 #endif
00051 
00052 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
00053 /* Implementation that should never be optimized out by the compiler */
00054 static void mbedtls_zeroize( void *v, size_t n ) {
00055     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
00056 }
00057 #endif
00058 
00059 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
00060 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
00061                                  const unsigned char *info,
00062                                  size_t ilen )
00063 {
00064     if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
00065         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
00066 
00067     mbedtls_free( ssl->cli_id );
00068 
00069     if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
00070         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00071 
00072     memcpy( ssl->cli_id, info, ilen );
00073     ssl->cli_id_len = ilen;
00074 
00075     return( 0 );
00076 }
00077 
00078 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
00079                            mbedtls_ssl_cookie_write_t *f_cookie_write,
00080                            mbedtls_ssl_cookie_check_t *f_cookie_check,
00081                            void *p_cookie )
00082 {
00083     conf->f_cookie_write = f_cookie_write;
00084     conf->f_cookie_check = f_cookie_check;
00085     conf->p_cookie        = p_cookie;
00086 }
00087 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
00088 
00089 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00090 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
00091                                      const unsigned char *buf,
00092                                      size_t len )
00093 {
00094     int ret;
00095     size_t servername_list_size, hostname_len;
00096     const unsigned char *p;
00097 
00098     MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
00099 
00100     servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00101     if( servername_list_size + 2 != len )
00102     {
00103         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00104         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00105                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00106         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00107     }
00108 
00109     p = buf + 2;
00110     while( servername_list_size > 0 )
00111     {
00112         hostname_len = ( ( p[1] << 8 ) | p[2] );
00113         if( hostname_len + 3 > servername_list_size )
00114         {
00115             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00116             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00117                                             MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00118             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00119         }
00120 
00121         if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
00122         {
00123             ret = ssl->conf->f_sni( ssl->conf->p_sni,
00124                                     ssl, p + 3, hostname_len );
00125             if( ret != 0 )
00126             {
00127                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
00128                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00129                         MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
00130                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00131             }
00132             return( 0 );
00133         }
00134 
00135         servername_list_size -= hostname_len + 3;
00136         p += hostname_len + 3;
00137     }
00138 
00139     if( servername_list_size != 0 )
00140     {
00141         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00142         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00143                                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00144         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00145     }
00146 
00147     return( 0 );
00148 }
00149 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
00150 
00151 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
00152                                          const unsigned char *buf,
00153                                          size_t len )
00154 {
00155 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00156     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00157     {
00158         /* Check verify-data in constant-time. The length OTOH is no secret */
00159         if( len    != 1 + ssl->verify_data_len ||
00160             buf[0] !=     ssl->verify_data_len ||
00161             mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
00162                           ssl->verify_data_len ) != 0 )
00163         {
00164             MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
00165             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00166                                             MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
00167             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00168         }
00169     }
00170     else
00171 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00172     {
00173         if( len != 1 || buf[0] != 0x0 )
00174         {
00175             MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
00176             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00177                                             MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
00178             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00179         }
00180 
00181         ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
00182     }
00183 
00184     return( 0 );
00185 }
00186 
00187 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00188     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00189 
00190 /*
00191  * Status of the implementation of signature-algorithms extension:
00192  *
00193  * Currently, we are only considering the signature-algorithm extension
00194  * to pick a ciphersuite which allows us to send the ServerKeyExchange
00195  * message with a signature-hash combination that the user allows.
00196  *
00197  * We do *not* check whether all certificates in our certificate
00198  * chain are signed with an allowed signature-hash pair.
00199  * This needs to be done at a later stage.
00200  *
00201  */
00202 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
00203                                                const unsigned char *buf,
00204                                                size_t len )
00205 {
00206     size_t sig_alg_list_size;
00207 
00208     const unsigned char *p;
00209     const unsigned char *end = buf + len;
00210 
00211     mbedtls_md_type_t md_cur;
00212     mbedtls_pk_type_t sig_cur;
00213 
00214     sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00215     if( sig_alg_list_size + 2 != len ||
00216         sig_alg_list_size % 2 != 0 )
00217     {
00218         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00219         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00220                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00221         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00222     }
00223 
00224     /* Currently we only guarantee signing the ServerKeyExchange message according
00225      * to the constraints specified in this extension (see above), so it suffices
00226      * to remember only one suitable hash for each possible signature algorithm.
00227      *
00228      * This will change when we also consider certificate signatures,
00229      * in which case we will need to remember the whole signature-hash
00230      * pair list from the extension.
00231      */
00232 
00233     for( p = buf + 2; p < end; p += 2 )
00234     {
00235         /* Silently ignore unknown signature or hash algorithms. */
00236 
00237         if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
00238         {
00239             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
00240                                         " unknown sig alg encoding %d", p[1] ) );
00241             continue;
00242         }
00243 
00244         /* Check if we support the hash the user proposes */
00245         md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
00246         if( md_cur == MBEDTLS_MD_NONE )
00247         {
00248             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
00249                                         " unknown hash alg encoding %d", p[0] ) );
00250             continue;
00251         }
00252 
00253         if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
00254         {
00255             mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
00256             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
00257                                         " match sig %d and hash %d",
00258                                         sig_cur, md_cur ) );
00259         }
00260         else
00261         {
00262             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
00263                                         "hash alg %d not supported", md_cur ) );
00264         }
00265     }
00266 
00267     return( 0 );
00268 }
00269 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
00270           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
00271 
00272 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
00273     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00274 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
00275                                                 const unsigned char *buf,
00276                                                 size_t len )
00277 {
00278     size_t list_size, our_size;
00279     const unsigned char *p;
00280     const mbedtls_ecp_curve_info *curve_info, **curves;
00281 
00282     list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00283     if( list_size + 2 != len ||
00284         list_size % 2 != 0 )
00285     {
00286         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00287         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00288                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00289         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00290     }
00291 
00292     /* Should never happen unless client duplicates the extension */
00293     if( ssl->handshake->curves != NULL )
00294     {
00295         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00296         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00297                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00298         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00299     }
00300 
00301     /* Don't allow our peer to make us allocate too much memory,
00302      * and leave room for a final 0 */
00303     our_size = list_size / 2 + 1;
00304     if( our_size > MBEDTLS_ECP_DP_MAX )
00305         our_size = MBEDTLS_ECP_DP_MAX;
00306 
00307     if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
00308     {
00309         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00310                                         MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
00311         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
00312     }
00313 
00314     ssl->handshake->curves = curves;
00315 
00316     p = buf + 2;
00317     while( list_size > 0 && our_size > 1 )
00318     {
00319         curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
00320 
00321         if( curve_info != NULL )
00322         {
00323             *curves++ = curve_info;
00324             our_size--;
00325         }
00326 
00327         list_size -= 2;
00328         p += 2;
00329     }
00330 
00331     return( 0 );
00332 }
00333 
00334 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
00335                                               const unsigned char *buf,
00336                                               size_t len )
00337 {
00338     size_t list_size;
00339     const unsigned char *p;
00340 
00341     list_size = buf[0];
00342     if( list_size + 1 != len )
00343     {
00344         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00345         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00346                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00347         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00348     }
00349 
00350     p = buf + 1;
00351     while( list_size > 0 )
00352     {
00353         if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
00354             p[0] == MBEDTLS_ECP_PF_COMPRESSED )
00355         {
00356 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
00357             ssl->handshake->ecdh_ctx.point_format = p[0];
00358 #endif
00359 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00360             ssl->handshake->ecjpake_ctx.point_format = p[0];
00361 #endif
00362             MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
00363             return( 0 );
00364         }
00365 
00366         list_size--;
00367         p++;
00368     }
00369 
00370     return( 0 );
00371 }
00372 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
00373           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
00374 
00375 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00376 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
00377                                    const unsigned char *buf,
00378                                    size_t len )
00379 {
00380     int ret;
00381 
00382     if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
00383     {
00384         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
00385         return( 0 );
00386     }
00387 
00388     if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
00389                                                 buf, len ) ) != 0 )
00390     {
00391         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
00392         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00393                                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00394         return( ret );
00395     }
00396 
00397     /* Only mark the extension as OK when we're sure it is */
00398     ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
00399 
00400     return( 0 );
00401 }
00402 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
00403 
00404 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
00405 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
00406                                               const unsigned char *buf,
00407                                               size_t len )
00408 {
00409     if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
00410     {
00411         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00412         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00413                                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00414         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00415     }
00416 
00417     ssl->session_negotiate->mfl_code = buf[0];
00418 
00419     return( 0 );
00420 }
00421 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
00422 
00423 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
00424 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
00425                                          const unsigned char *buf,
00426                                          size_t len )
00427 {
00428     if( len != 0 )
00429     {
00430         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00431         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00432                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00433         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00434     }
00435 
00436     ((void) buf);
00437 
00438     if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
00439         ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
00440 
00441     return( 0 );
00442 }
00443 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
00444 
00445 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
00446 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
00447                                       const unsigned char *buf,
00448                                       size_t len )
00449 {
00450     if( len != 0 )
00451     {
00452         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00453         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00454                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00455         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00456     }
00457 
00458     ((void) buf);
00459 
00460     if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
00461         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
00462     {
00463         ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
00464     }
00465 
00466     return( 0 );
00467 }
00468 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
00469 
00470 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
00471 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
00472                                       const unsigned char *buf,
00473                                       size_t len )
00474 {
00475     if( len != 0 )
00476     {
00477         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00478         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00479                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00480         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00481     }
00482 
00483     ((void) buf);
00484 
00485     if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
00486         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
00487     {
00488         ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
00489     }
00490 
00491     return( 0 );
00492 }
00493 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
00494 
00495 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
00496 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
00497                                          unsigned char *buf,
00498                                          size_t len )
00499 {
00500     int ret;
00501     mbedtls_ssl_session session;
00502 
00503     mbedtls_ssl_session_init( &session );
00504 
00505     if( ssl->conf->f_ticket_parse == NULL ||
00506         ssl->conf->f_ticket_write == NULL )
00507     {
00508         return( 0 );
00509     }
00510 
00511     /* Remember the client asked us to send a new ticket */
00512     ssl->handshake->new_session_ticket = 1;
00513 
00514     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
00515 
00516     if( len == 0 )
00517         return( 0 );
00518 
00519 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00520     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00521     {
00522         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
00523         return( 0 );
00524     }
00525 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00526 
00527     /*
00528      * Failures are ok: just ignore the ticket and proceed.
00529      */
00530     if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
00531                                            buf, len ) ) != 0 )
00532     {
00533         mbedtls_ssl_session_free( &session );
00534 
00535         if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
00536             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
00537         else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
00538             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
00539         else
00540             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
00541 
00542         return( 0 );
00543     }
00544 
00545     /*
00546      * Keep the session ID sent by the client, since we MUST send it back to
00547      * inform them we're accepting the ticket  (RFC 5077 section 3.4)
00548      */
00549     session.id_len = ssl->session_negotiate->id_len;
00550     memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
00551 
00552     mbedtls_ssl_session_free( ssl->session_negotiate );
00553     memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
00554 
00555     /* Zeroize instead of free as we copied the content */
00556     mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
00557 
00558     MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
00559 
00560     ssl->handshake->resume = 1;
00561 
00562     /* Don't send a new ticket after all, this one is OK */
00563     ssl->handshake->new_session_ticket = 0;
00564 
00565     return( 0 );
00566 }
00567 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
00568 
00569 #if defined(MBEDTLS_SSL_ALPN)
00570 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
00571                                const unsigned char *buf, size_t len )
00572 {
00573     size_t list_len, cur_len, ours_len;
00574     const unsigned char *theirs, *start, *end;
00575     const char **ours;
00576 
00577     /* If ALPN not configured, just ignore the extension */
00578     if( ssl->conf->alpn_list == NULL )
00579         return( 0 );
00580 
00581     /*
00582      * opaque ProtocolName<1..2^8-1>;
00583      *
00584      * struct {
00585      *     ProtocolName protocol_name_list<2..2^16-1>
00586      * } ProtocolNameList;
00587      */
00588 
00589     /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
00590     if( len < 4 )
00591     {
00592         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00593                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00594         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00595     }
00596 
00597     list_len = ( buf[0] << 8 ) | buf[1];
00598     if( list_len != len - 2 )
00599     {
00600         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00601                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
00602         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00603     }
00604 
00605     /*
00606      * Use our order of preference
00607      */
00608     start = buf + 2;
00609     end = buf + len;
00610     for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
00611     {
00612         ours_len = strlen( *ours );
00613         for( theirs = start; theirs != end; theirs += cur_len )
00614         {
00615             /* If the list is well formed, we should get equality first */
00616             if( theirs > end )
00617             {
00618                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00619                                                 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00620                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00621             }
00622 
00623             cur_len = *theirs++;
00624 
00625             /* Empty strings MUST NOT be included */
00626             if( cur_len == 0 )
00627             {
00628                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00629                                                 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
00630                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00631             }
00632 
00633             if( cur_len == ours_len &&
00634                 memcmp( theirs, *ours, cur_len ) == 0 )
00635             {
00636                 ssl->alpn_chosen = *ours;
00637                 return( 0 );
00638             }
00639         }
00640     }
00641 
00642     /* If we get there, no match was found */
00643     mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00644                             MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
00645     return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00646 }
00647 #endif /* MBEDTLS_SSL_ALPN */
00648 
00649 /*
00650  * Auxiliary functions for ServerHello parsing and related actions
00651  */
00652 
00653 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00654 /*
00655  * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
00656  */
00657 #if defined(MBEDTLS_ECDSA_C)
00658 static int ssl_check_key_curve( mbedtls_pk_context *pk,
00659                                 const mbedtls_ecp_curve_info **curves )
00660 {
00661     const mbedtls_ecp_curve_info **crv = curves;
00662     mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ;
00663 
00664     while( *crv != NULL )
00665     {
00666         if( (*crv)->grp_id == grp_id )
00667             return( 0 );
00668         crv++;
00669     }
00670 
00671     return( -1 );
00672 }
00673 #endif /* MBEDTLS_ECDSA_C */
00674 
00675 /*
00676  * Try picking a certificate for this ciphersuite,
00677  * return 0 on success and -1 on failure.
00678  */
00679 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
00680                           const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
00681 {
00682     mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
00683     mbedtls_pk_type_t pk_alg =
00684         mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
00685     uint32_t flags;
00686 
00687 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00688     if( ssl->handshake->sni_key_cert != NULL )
00689         list = ssl->handshake->sni_key_cert;
00690     else
00691 #endif
00692         list = ssl->conf->key_cert;
00693 
00694     if( pk_alg == MBEDTLS_PK_NONE )
00695         return( 0 );
00696 
00697     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
00698 
00699     if( list == NULL )
00700     {
00701         MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
00702         return( -1 );
00703     }
00704 
00705     for( cur = list; cur != NULL; cur = cur->next )
00706     {
00707         MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
00708                           cur->cert );
00709 
00710         if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
00711         {
00712             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
00713             continue;
00714         }
00715 
00716         /*
00717          * This avoids sending the client a cert it'll reject based on
00718          * keyUsage or other extensions.
00719          *
00720          * It also allows the user to provision different certificates for
00721          * different uses based on keyUsage, eg if they want to avoid signing
00722          * and decrypting with the same RSA key.
00723          */
00724         if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
00725                                   MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
00726         {
00727             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
00728                                 "(extended) key usage extension" ) );
00729             continue;
00730         }
00731 
00732 #if defined(MBEDTLS_ECDSA_C)
00733         if( pk_alg == MBEDTLS_PK_ECDSA &&
00734             ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
00735         {
00736             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
00737             continue;
00738         }
00739 #endif
00740 
00741         /*
00742          * Try to select a SHA-1 certificate for pre-1.2 clients, but still
00743          * present them a SHA-higher cert rather than failing if it's the only
00744          * one we got that satisfies the other conditions.
00745          */
00746         if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
00747             cur->cert->sig_md != MBEDTLS_MD_SHA1 )
00748         {
00749             if( fallback == NULL )
00750                 fallback = cur;
00751             {
00752                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
00753                                     "sha-2 with pre-TLS 1.2 client" ) );
00754             continue;
00755             }
00756         }
00757 
00758         /* If we get there, we got a winner */
00759         break;
00760     }
00761 
00762     if( cur == NULL )
00763         cur = fallback;
00764 
00765     /* Do not update ssl->handshake->key_cert unless there is a match */
00766     if( cur != NULL )
00767     {
00768         ssl->handshake->key_cert = cur;
00769         MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
00770                           ssl->handshake->key_cert->cert );
00771         return( 0 );
00772     }
00773 
00774     return( -1 );
00775 }
00776 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00777 
00778 /*
00779  * Check if a given ciphersuite is suitable for use with our config/keys/etc
00780  * Sets ciphersuite_info only if the suite matches.
00781  */
00782 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
00783                                   const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
00784 {
00785     const mbedtls_ssl_ciphersuite_t *suite_info;
00786 
00787 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00788     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)    
00789     mbedtls_pk_type_t sig_type;
00790 #endif
00791 
00792     suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
00793     if( suite_info == NULL )
00794     {
00795         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00796         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
00797     }
00798 
00799     MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
00800 
00801     if( suite_info->min_minor_ver > ssl->minor_ver ||
00802         suite_info->max_minor_ver < ssl->minor_ver )
00803     {
00804         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
00805         return( 0 );
00806     }
00807 
00808 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00809     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
00810         ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
00811         return( 0 );
00812 #endif
00813 
00814 #if defined(MBEDTLS_ARC4_C)
00815     if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
00816             suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
00817     {
00818         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
00819         return( 0 );
00820     }
00821 #endif
00822 
00823 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00824     if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
00825         ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
00826     {
00827         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
00828                                     "not configured or ext missing" ) );
00829         return( 0 );
00830     }
00831 #endif
00832 
00833 
00834 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
00835     if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
00836         ( ssl->handshake->curves == NULL ||
00837           ssl->handshake->curves[0] == NULL ) )
00838     {
00839         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00840                             "no common elliptic curve" ) );
00841         return( 0 );
00842     }
00843 #endif
00844 
00845 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
00846     /* If the ciphersuite requires a pre-shared key and we don't
00847      * have one, skip it now rather than failing later */
00848     if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
00849         ssl->conf->f_psk == NULL &&
00850         ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
00851           ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
00852     {
00853         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
00854         return( 0 );
00855     }
00856 #endif
00857 
00858 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
00859     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
00860     /* If the ciphersuite requires signing, check whether
00861      * a suitable hash algorithm is present. */
00862     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
00863     {
00864         sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
00865         if( sig_type != MBEDTLS_PK_NONE &&
00866             mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
00867         {
00868             MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
00869                                         "for signature algorithm %d", sig_type ) );
00870             return( 0 );
00871         }
00872     }
00873 
00874 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
00875           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
00876 
00877 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00878     /*
00879      * Final check: if ciphersuite requires us to have a
00880      * certificate/key of a particular type:
00881      * - select the appropriate certificate if we have one, or
00882      * - try the next ciphersuite if we don't
00883      * This must be done last since we modify the key_cert list.
00884      */
00885     if( ssl_pick_cert( ssl, suite_info ) != 0 )
00886     {
00887         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00888                             "no suitable certificate" ) );
00889         return( 0 );
00890     }
00891 #endif
00892 
00893     *ciphersuite_info = suite_info;
00894     return( 0 );
00895 }
00896 
00897 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
00898 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
00899 {
00900     int ret, got_common_suite;
00901     unsigned int i, j;
00902     size_t n;
00903     unsigned int ciph_len, sess_len, chal_len;
00904     unsigned char *buf, *p;
00905     const int *ciphersuites;
00906     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
00907 
00908     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
00909 
00910 #if defined(MBEDTLS_SSL_RENEGOTIATION)
00911     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
00912     {
00913         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
00914         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00915                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
00916         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00917     }
00918 #endif /* MBEDTLS_SSL_RENEGOTIATION */
00919 
00920     buf = ssl->in_hdr;
00921 
00922     MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00923 
00924     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
00925                    buf[2] ) );
00926     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
00927                    ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
00928     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
00929                    buf[3], buf[4] ) );
00930 
00931     /*
00932      * SSLv2 Client Hello
00933      *
00934      * Record layer:
00935      *     0  .   1   message length
00936      *
00937      * SSL layer:
00938      *     2  .   2   message type
00939      *     3  .   4   protocol version
00940      */
00941     if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
00942         buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
00943     {
00944         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00945         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00946     }
00947 
00948     n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
00949 
00950     if( n < 17 || n > 512 )
00951     {
00952         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00953         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
00954     }
00955 
00956     ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
00957     ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
00958                      ? buf[4]  : ssl->conf->max_minor_ver;
00959 
00960     if( ssl->minor_ver < ssl->conf->min_minor_ver )
00961     {
00962         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
00963                             " [%d:%d] < [%d:%d]",
00964                             ssl->major_ver, ssl->minor_ver,
00965                             ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
00966 
00967         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
00968                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
00969         return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
00970     }
00971 
00972     ssl->handshake->max_major_ver = buf[3];
00973     ssl->handshake->max_minor_ver = buf[4];
00974 
00975     if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
00976     {
00977         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
00978         return( ret );
00979     }
00980 
00981     ssl->handshake->update_checksum( ssl, buf + 2, n );
00982 
00983     buf = ssl->in_msg;
00984     n = ssl->in_left - 5;
00985 
00986     /*
00987      *    0  .   1   ciphersuitelist length
00988      *    2  .   3   session id length
00989      *    4  .   5   challenge length
00990      *    6  .  ..   ciphersuitelist
00991      *   ..  .  ..   session id
00992      *   ..  .  ..   challenge
00993      */
00994     MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
00995 
00996     ciph_len = ( buf[0] << 8 ) | buf[1];
00997     sess_len = ( buf[2] << 8 ) | buf[3];
00998     chal_len = ( buf[4] << 8 ) | buf[5];
00999 
01000     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
01001                    ciph_len, sess_len, chal_len ) );
01002 
01003     /*
01004      * Make sure each parameter length is valid
01005      */
01006     if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
01007     {
01008         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01009         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01010     }
01011 
01012     if( sess_len > 32 )
01013     {
01014         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01015         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01016     }
01017 
01018     if( chal_len < 8 || chal_len > 32 )
01019     {
01020         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01021         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01022     }
01023 
01024     if( n != 6 + ciph_len + sess_len + chal_len )
01025     {
01026         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01027         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01028     }
01029 
01030     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01031                    buf + 6, ciph_len );
01032     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
01033                    buf + 6 + ciph_len, sess_len );
01034     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
01035                    buf + 6 + ciph_len + sess_len, chal_len );
01036 
01037     p = buf + 6 + ciph_len;
01038     ssl->session_negotiate->id_len = sess_len;
01039     memset( ssl->session_negotiate->id, 0,
01040             sizeof( ssl->session_negotiate->id ) );
01041     memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
01042 
01043     p += sess_len;
01044     memset( ssl->handshake->randbytes, 0, 64 );
01045     memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
01046 
01047     /*
01048      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01049      */
01050     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
01051     {
01052         if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
01053         {
01054             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01055 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01056             if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01057             {
01058                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
01059                                     "during renegotiation" ) );
01060 
01061                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01062                                                 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01063                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01064             }
01065 #endif /* MBEDTLS_SSL_RENEGOTIATION */
01066             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
01067             break;
01068         }
01069     }
01070 
01071 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
01072     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
01073     {
01074         if( p[0] == 0 &&
01075             p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
01076             p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
01077         {
01078             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
01079 
01080             if( ssl->minor_ver < ssl->conf->max_minor_ver )
01081             {
01082                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
01083 
01084                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01085                                         MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
01086 
01087                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01088             }
01089 
01090             break;
01091         }
01092     }
01093 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
01094 
01095     got_common_suite = 0;
01096     ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
01097     ciphersuite_info = NULL;
01098 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01099     for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01100         for( i = 0; ciphersuites[i] != 0; i++ )
01101 #else
01102     for( i = 0; ciphersuites[i] != 0; i++ )
01103         for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01104 #endif
01105         {
01106             if( p[0] != 0 ||
01107                 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01108                 p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
01109                 continue;
01110 
01111             got_common_suite = 1;
01112 
01113             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01114                                                &ciphersuite_info ) ) != 0 )
01115                 return( ret );
01116 
01117             if( ciphersuite_info != NULL )
01118                 goto have_ciphersuite_v2;
01119         }
01120 
01121     if( got_common_suite )
01122     {
01123         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01124                             "but none of them usable" ) );
01125         return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
01126     }
01127     else
01128     {
01129         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01130         return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
01131     }
01132 
01133 have_ciphersuite_v2:
01134     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01135 
01136     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01137     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01138 
01139     /*
01140      * SSLv2 Client Hello relevant renegotiation security checks
01141      */
01142     if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01143         ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
01144     {
01145         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01146         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01147                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01148         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01149     }
01150 
01151     ssl->in_left = 0;
01152     ssl->state++;
01153 
01154     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
01155 
01156     return( 0 );
01157 }
01158 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
01159 
01160 /* This function doesn't alert on errors that happen early during
01161    ClientHello parsing because they might indicate that the client is
01162    not talking SSL/TLS at all and would not understand our alert. */
01163 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
01164 {
01165     int ret, got_common_suite;
01166     size_t i, j;
01167     size_t ciph_offset, comp_offset, ext_offset;
01168     size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
01169 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01170     size_t cookie_offset, cookie_len;
01171 #endif
01172     unsigned char *buf, *p, *ext;
01173 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01174     int renegotiation_info_seen = 0;
01175 #endif
01176     int handshake_failure = 0;
01177     const int *ciphersuites;
01178     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
01179     int major, minor;
01180 
01181     /* If there is no signature-algorithm extension present,
01182      * we need to fall back to the default values for allowed
01183      * signature-hash pairs. */
01184 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
01185     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01186     int sig_hash_alg_ext_present = 0;
01187 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
01188           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
01189 
01190     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
01191 
01192 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01193 read_record_header:
01194 #endif
01195     /*
01196      * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
01197      * otherwise read it ourselves manually in order to support SSLv2
01198      * ClientHello, which doesn't use the same record layer format.
01199      */
01200 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01201     if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
01202 #endif
01203     {
01204         if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
01205         {
01206             /* No alert on a read error. */
01207             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
01208             return( ret );
01209         }
01210     }
01211 
01212     buf = ssl->in_hdr;
01213 
01214 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
01215 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01216     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
01217 #endif
01218         if( ( buf[0] & 0x80 ) != 0 )
01219             return( ssl_parse_client_hello_v2( ssl ) );
01220 #endif
01221 
01222     MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
01223 
01224     /*
01225      * SSLv3/TLS Client Hello
01226      *
01227      * Record layer:
01228      *     0  .   0   message type
01229      *     1  .   2   protocol version
01230      *     3  .   11  DTLS: epoch + record sequence number
01231      *     3  .   4   message length
01232      */
01233     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
01234                    buf[0] ) );
01235 
01236     if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
01237     {
01238         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01239         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01240     }
01241 
01242     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
01243                    ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
01244 
01245     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
01246                    buf[1], buf[2] ) );
01247 
01248     mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
01249 
01250     /* According to RFC 5246 Appendix E.1, the version here is typically
01251      * "{03,00}, the lowest version number supported by the client, [or] the
01252      * value of ClientHello.client_version", so the only meaningful check here
01253      * is the major version shouldn't be less than 3 */
01254     if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
01255     {
01256         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01257         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01258     }
01259 
01260     /* For DTLS if this is the initial handshake, remember the client sequence
01261      * number to use it in our next message (RFC 6347 4.2.1) */
01262 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01263     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
01264 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01265         && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
01266 #endif
01267         )
01268     {
01269         /* Epoch should be 0 for initial handshakes */
01270         if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
01271         {
01272             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01273             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01274         }
01275 
01276         memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
01277 
01278 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01279         if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
01280         {
01281             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
01282             ssl->next_record_offset = 0;
01283             ssl->in_left = 0;
01284             goto read_record_header;
01285         }
01286 
01287         /* No MAC to check yet, so we can update right now */
01288         mbedtls_ssl_dtls_replay_update( ssl );
01289 #endif
01290     }
01291 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01292 
01293     msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
01294 
01295 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01296     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
01297     {
01298         /* Set by mbedtls_ssl_read_record() */
01299         msg_len = ssl->in_hslen;
01300     }
01301     else
01302 #endif
01303     {
01304         if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
01305         {
01306             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01307             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01308         }
01309 
01310         if( ( ret = mbedtls_ssl_fetch_input( ssl,
01311                        mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
01312         {
01313             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
01314             return( ret );
01315         }
01316 
01317     /* Done reading this record, get ready for the next one */
01318 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01319         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01320             ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
01321         else
01322 #endif
01323             ssl->in_left = 0;
01324     }
01325 
01326     buf = ssl->in_msg;
01327 
01328     MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
01329 
01330     ssl->handshake->update_checksum( ssl, buf, msg_len );
01331 
01332     /*
01333      * Handshake layer:
01334      *     0  .   0   handshake type
01335      *     1  .   3   handshake length
01336      *     4  .   5   DTLS only: message seqence number
01337      *     6  .   8   DTLS only: fragment offset
01338      *     9  .  11   DTLS only: fragment length
01339      */
01340     if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
01341     {
01342         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01343         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01344     }
01345 
01346     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
01347 
01348     if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
01349     {
01350         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01351         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01352     }
01353 
01354     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
01355                    ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
01356 
01357     /* We don't support fragmentation of ClientHello (yet?) */
01358     if( buf[1] != 0 ||
01359         msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
01360     {
01361         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01362         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01363     }
01364 
01365 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01366     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01367     {
01368         /*
01369          * Copy the client's handshake message_seq on initial handshakes,
01370          * check sequence number on renego.
01371          */
01372 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01373         if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01374         {
01375             /* This couldn't be done in ssl_prepare_handshake_record() */
01376             unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
01377                                          ssl->in_msg[5];
01378 
01379             if( cli_msg_seq != ssl->handshake->in_msg_seq )
01380             {
01381                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
01382                                     "%d (expected %d)", cli_msg_seq,
01383                                     ssl->handshake->in_msg_seq ) );
01384                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01385             }
01386 
01387             ssl->handshake->in_msg_seq++;
01388         }
01389         else
01390 #endif
01391         {
01392             unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
01393                                          ssl->in_msg[5];
01394             ssl->handshake->out_msg_seq = cli_msg_seq;
01395             ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
01396         }
01397 
01398         /*
01399          * For now we don't support fragmentation, so make sure
01400          * fragment_offset == 0 and fragment_length == length
01401          */
01402         if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
01403             memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
01404         {
01405             MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
01406             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
01407         }
01408     }
01409 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01410 
01411     buf += mbedtls_ssl_hs_hdr_len( ssl );
01412     msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
01413 
01414     /*
01415      * ClientHello layer:
01416      *     0  .   1   protocol version
01417      *     2  .  33   random bytes (starting with 4 bytes of Unix time)
01418      *    34  .  35   session id length (1 byte)
01419      *    35  . 34+x  session id
01420      *   35+x . 35+x  DTLS only: cookie length (1 byte)
01421      *   36+x .  ..   DTLS only: cookie
01422      *    ..  .  ..   ciphersuite list length (2 bytes)
01423      *    ..  .  ..   ciphersuite list
01424      *    ..  .  ..   compression alg. list length (1 byte)
01425      *    ..  .  ..   compression alg. list
01426      *    ..  .  ..   extensions length (2 bytes, optional)
01427      *    ..  .  ..   extensions (optional)
01428      */
01429 
01430     /*
01431      * Minimal length (with everything empty and extensions ommitted) is
01432      * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
01433      * read at least up to session id length without worrying.
01434      */
01435     if( msg_len < 38 )
01436     {
01437         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01438         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01439     }
01440 
01441     /*
01442      * Check and save the protocol version
01443      */
01444     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
01445 
01446     mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
01447                       ssl->conf->transport, buf );
01448 
01449     ssl->handshake->max_major_ver = ssl->major_ver;
01450     ssl->handshake->max_minor_ver = ssl->minor_ver;
01451 
01452     if( ssl->major_ver < ssl->conf->min_major_ver ||
01453         ssl->minor_ver < ssl->conf->min_minor_ver )
01454     {
01455         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
01456                             " [%d:%d] < [%d:%d]",
01457                             ssl->major_ver, ssl->minor_ver,
01458                             ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
01459         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01460                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
01461         return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
01462     }
01463 
01464     if( ssl->major_ver > ssl->conf->max_major_ver )
01465     {
01466         ssl->major_ver = ssl->conf->max_major_ver;
01467         ssl->minor_ver = ssl->conf->max_minor_ver;
01468     }
01469     else if( ssl->minor_ver > ssl->conf->max_minor_ver )
01470         ssl->minor_ver = ssl->conf->max_minor_ver;
01471 
01472     /*
01473      * Save client random (inc. Unix time)
01474      */
01475     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
01476 
01477     memcpy( ssl->handshake->randbytes, buf + 2, 32 );
01478 
01479     /*
01480      * Check the session ID length and save session ID
01481      */
01482     sess_len = buf[34];
01483 
01484     if( sess_len > sizeof( ssl->session_negotiate->id ) ||
01485         sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
01486     {
01487         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01488         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01489                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01490         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01491     }
01492 
01493     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
01494 
01495     ssl->session_negotiate->id_len = sess_len;
01496     memset( ssl->session_negotiate->id, 0,
01497             sizeof( ssl->session_negotiate->id ) );
01498     memcpy( ssl->session_negotiate->id, buf + 35,
01499             ssl->session_negotiate->id_len );
01500 
01501     /*
01502      * Check the cookie length and content
01503      */
01504 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01505     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01506     {
01507         cookie_offset = 35 + sess_len;
01508         cookie_len = buf[cookie_offset];
01509 
01510         if( cookie_offset + 1 + cookie_len + 2 > msg_len )
01511         {
01512             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01513             mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01514                                             MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
01515             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01516         }
01517 
01518         MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
01519                        buf + cookie_offset + 1, cookie_len );
01520 
01521 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
01522         if( ssl->conf->f_cookie_check != NULL
01523 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01524             && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
01525 #endif
01526             )
01527         {
01528             if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
01529                                      buf + cookie_offset + 1, cookie_len,
01530                                      ssl->cli_id, ssl->cli_id_len ) != 0 )
01531             {
01532                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
01533                 ssl->handshake->verify_cookie_len = 1;
01534             }
01535             else
01536             {
01537                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
01538                 ssl->handshake->verify_cookie_len = 0;
01539             }
01540         }
01541         else
01542 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
01543         {
01544             /* We know we didn't send a cookie, so it should be empty */
01545             if( cookie_len != 0 )
01546             {
01547                 /* This may be an attacker's probe, so don't send an alert */
01548                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01549                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01550             }
01551 
01552             MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
01553         }
01554 
01555     /*
01556      * Check the ciphersuitelist length (will be parsed later)
01557      */
01558         ciph_offset = cookie_offset + 1 + cookie_len;
01559     }
01560     else
01561 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01562         ciph_offset = 35 + sess_len;
01563 
01564     ciph_len = ( buf[ciph_offset + 0] << 8 )
01565              | ( buf[ciph_offset + 1]      );
01566 
01567     if( ciph_len < 2 ||
01568         ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
01569         ( ciph_len % 2 ) != 0 )
01570     {
01571         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01572         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01573                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01574         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01575     }
01576 
01577     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01578                    buf + ciph_offset + 2,  ciph_len );
01579 
01580     /*
01581      * Check the compression algorithms length and pick one
01582      */
01583     comp_offset = ciph_offset + 2 + ciph_len;
01584 
01585     comp_len = buf[comp_offset];
01586 
01587     if( comp_len < 1 ||
01588         comp_len > 16 ||
01589         comp_len + comp_offset + 1 > msg_len )
01590     {
01591         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01592         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01593                                         MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01594         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01595     }
01596 
01597     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
01598                       buf + comp_offset + 1, comp_len );
01599 
01600     ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
01601 #if defined(MBEDTLS_ZLIB_SUPPORT)
01602     for( i = 0; i < comp_len; ++i )
01603     {
01604         if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
01605         {
01606             ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
01607             break;
01608         }
01609     }
01610 #endif
01611 
01612     /* See comments in ssl_write_client_hello() */
01613 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01614     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01615         ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
01616 #endif
01617 
01618     /* Do not parse the extensions if the protocol is SSLv3 */
01619 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01620     if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
01621     {
01622 #endif
01623         /*
01624          * Check the extension length
01625          */
01626         ext_offset = comp_offset + 1 + comp_len;
01627         if( msg_len > ext_offset )
01628         {
01629             if( msg_len < ext_offset + 2 )
01630             {
01631                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01632                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01633                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01634                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01635             }
01636 
01637             ext_len = ( buf[ext_offset + 0] << 8 )
01638                     | ( buf[ext_offset + 1]      );
01639 
01640             if( ( ext_len > 0 && ext_len < 4 ) ||
01641                 msg_len != ext_offset + 2 + ext_len )
01642             {
01643                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01644                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01645                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01646                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01647             }
01648         }
01649         else
01650             ext_len = 0;
01651 
01652         ext = buf + ext_offset + 2;
01653         MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
01654 
01655         while( ext_len != 0 )
01656         {
01657             unsigned int ext_id   = ( ( ext[0] <<  8 )
01658                                     | ( ext[1]       ) );
01659             unsigned int ext_size = ( ( ext[2] <<  8 )
01660                                     | ( ext[3]       ) );
01661 
01662             if( ext_size + 4 > ext_len )
01663             {
01664                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01665                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01666                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01667                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01668             }
01669             switch( ext_id )
01670             {
01671 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
01672             case MBEDTLS_TLS_EXT_SERVERNAME:
01673                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
01674                 if( ssl->conf->f_sni == NULL )
01675                     break;
01676 
01677                 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
01678                 if( ret != 0 )
01679                     return( ret );
01680                 break;
01681 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
01682 
01683             case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
01684                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
01685 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01686                 renegotiation_info_seen = 1;
01687 #endif
01688 
01689                 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
01690                 if( ret != 0 )
01691                     return( ret );
01692                 break;
01693 
01694 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
01695     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01696             case MBEDTLS_TLS_EXT_SIG_ALG:
01697                     MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
01698 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01699                 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01700                     break;
01701 #endif
01702                 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
01703                 if( ret != 0 )
01704                     return( ret );
01705 
01706                 sig_hash_alg_ext_present = 1;
01707                 break;
01708 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
01709           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
01710 
01711 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
01712     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
01713             case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
01714                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
01715 
01716                 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
01717                 if( ret != 0 )
01718                     return( ret );
01719                 break;
01720 
01721             case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
01722                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
01723                 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
01724 
01725                 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
01726                 if( ret != 0 )
01727                     return( ret );
01728                 break;
01729 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
01730           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
01731 
01732 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
01733             case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
01734                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
01735 
01736                 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
01737                 if( ret != 0 )
01738                     return( ret );
01739                 break;
01740 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
01741 
01742 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
01743             case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
01744                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
01745 
01746                 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
01747                 if( ret != 0 )
01748                     return( ret );
01749                 break;
01750 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
01751 
01752 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
01753             case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
01754                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
01755 
01756                 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
01757                 if( ret != 0 )
01758                     return( ret );
01759                 break;
01760 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
01761 
01762 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01763             case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
01764                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
01765 
01766                 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
01767                 if( ret != 0 )
01768                     return( ret );
01769                 break;
01770 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
01771 
01772 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
01773             case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
01774                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
01775 
01776                 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
01777                 if( ret != 0 )
01778                     return( ret );
01779                 break;
01780 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
01781 
01782 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
01783             case MBEDTLS_TLS_EXT_SESSION_TICKET:
01784                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
01785 
01786                 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
01787                 if( ret != 0 )
01788                     return( ret );
01789                 break;
01790 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
01791 
01792 #if defined(MBEDTLS_SSL_ALPN)
01793             case MBEDTLS_TLS_EXT_ALPN:
01794                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
01795 
01796                 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
01797                 if( ret != 0 )
01798                     return( ret );
01799                 break;
01800 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
01801 
01802             default:
01803                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
01804                                ext_id ) );
01805             }
01806 
01807             ext_len -= 4 + ext_size;
01808             ext += 4 + ext_size;
01809 
01810             if( ext_len > 0 && ext_len < 4 )
01811             {
01812                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01813                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01814                                                 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
01815                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01816             }
01817         }
01818 #if defined(MBEDTLS_SSL_PROTO_SSL3)
01819     }
01820 #endif
01821 
01822 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
01823     for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
01824     {
01825         if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
01826             p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
01827         {
01828             MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
01829 
01830             if( ssl->minor_ver < ssl->conf->max_minor_ver )
01831             {
01832                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
01833 
01834                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01835                                         MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
01836 
01837                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01838             }
01839 
01840             break;
01841         }
01842     }
01843 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
01844 
01845 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
01846     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01847 
01848     /*
01849      * Try to fall back to default hash SHA1 if the client
01850      * hasn't provided any preferred signature-hash combinations.
01851      */
01852     if( sig_hash_alg_ext_present == 0 )
01853     {
01854         mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
01855 
01856         if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
01857             md_default = MBEDTLS_MD_NONE;
01858 
01859         mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
01860     }
01861 
01862 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
01863           MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
01864 
01865     /*
01866      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01867      */
01868     for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
01869     {
01870         if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
01871         {
01872             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01873 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01874             if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
01875             {
01876                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
01877                                             "during renegotiation" ) );
01878                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01879                                                 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01880                 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01881             }
01882 #endif
01883             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
01884             break;
01885         }
01886     }
01887 
01888     /*
01889      * Renegotiation security checks
01890      */
01891     if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
01892         ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
01893     {
01894         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01895         handshake_failure = 1;
01896     }
01897 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01898     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01899              ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
01900              renegotiation_info_seen == 0 )
01901     {
01902         MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
01903         handshake_failure = 1;
01904     }
01905     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01906              ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01907              ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
01908     {
01909         MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
01910         handshake_failure = 1;
01911     }
01912     else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
01913              ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
01914              renegotiation_info_seen == 1 )
01915     {
01916         MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
01917         handshake_failure = 1;
01918     }
01919 #endif /* MBEDTLS_SSL_RENEGOTIATION */
01920 
01921     if( handshake_failure == 1 )
01922     {
01923         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01924                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01925         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
01926     }
01927 
01928     /*
01929      * Search for a matching ciphersuite
01930      * (At the end because we need information from the EC-based extensions
01931      * and certificate from the SNI callback triggered by the SNI extension.)
01932      */
01933     got_common_suite = 0;
01934     ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
01935     ciphersuite_info = NULL;
01936 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01937     for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
01938         for( i = 0; ciphersuites[i] != 0; i++ )
01939 #else
01940     for( i = 0; ciphersuites[i] != 0; i++ )
01941         for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
01942 #endif
01943         {
01944             if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01945                 p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
01946                 continue;
01947 
01948             got_common_suite = 1;
01949 
01950             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01951                                                &ciphersuite_info ) ) != 0 )
01952                 return( ret );
01953 
01954             if( ciphersuite_info != NULL )
01955                 goto have_ciphersuite;
01956         }
01957 
01958     if( got_common_suite )
01959     {
01960         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01961                             "but none of them usable" ) );
01962         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01963                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01964         return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
01965     }
01966     else
01967     {
01968         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01969         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
01970                                         MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
01971         return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
01972     }
01973 
01974 have_ciphersuite:
01975     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01976 
01977     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01978     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01979 
01980     ssl->state++;
01981 
01982 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01983     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
01984         mbedtls_ssl_recv_flight_completed( ssl );
01985 #endif
01986 
01987     /* Debugging-only output for testsuite */
01988 #if defined(MBEDTLS_DEBUG_C)                         && \
01989     defined(MBEDTLS_SSL_PROTO_TLS1_2)                && \
01990     defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01991     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
01992     {
01993         mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
01994         if( sig_alg != MBEDTLS_PK_NONE )
01995         {
01996             mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
01997                                                                   sig_alg );
01998             MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
01999                                         mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
02000         }
02001         else
02002         {
02003             MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
02004                                         "%d - should not happen", sig_alg ) );
02005         }
02006     }
02007 #endif
02008 
02009     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
02010 
02011     return( 0 );
02012 }
02013 
02014 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
02015 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
02016                                           unsigned char *buf,
02017                                           size_t *olen )
02018 {
02019     unsigned char *p = buf;
02020 
02021     if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
02022     {
02023         *olen = 0;
02024         return;
02025     }
02026 
02027     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
02028 
02029     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
02030     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
02031 
02032     *p++ = 0x00;
02033     *p++ = 0x00;
02034 
02035     *olen = 4;
02036 }
02037 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
02038 
02039 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
02040 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
02041                                             unsigned char *buf,
02042                                             size_t *olen )
02043 {
02044     unsigned char *p = buf;
02045     const mbedtls_ssl_ciphersuite_t *suite = NULL;
02046     const mbedtls_cipher_info_t *cipher = NULL;
02047 
02048     if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
02049         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
02050     {
02051         *olen = 0;
02052         return;
02053     }
02054 
02055     /*
02056      * RFC 7366: "If a server receives an encrypt-then-MAC request extension
02057      * from a client and then selects a stream or Authenticated Encryption
02058      * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
02059      * encrypt-then-MAC response extension back to the client."
02060      */
02061     if( ( suite = mbedtls_ssl_ciphersuite_from_id(
02062                     ssl->session_negotiate->ciphersuite ) ) == NULL ||
02063         ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
02064         cipher->mode != MBEDTLS_MODE_CBC )
02065     {
02066         *olen = 0;
02067         return;
02068     }
02069 
02070     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
02071 
02072     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
02073     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
02074 
02075     *p++ = 0x00;
02076     *p++ = 0x00;
02077 
02078     *olen = 4;
02079 }
02080 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
02081 
02082 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
02083 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
02084                                        unsigned char *buf,
02085                                        size_t *olen )
02086 {
02087     unsigned char *p = buf;
02088 
02089     if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
02090         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
02091     {
02092         *olen = 0;
02093         return;
02094     }
02095 
02096     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
02097                         "extension" ) );
02098 
02099     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
02100     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
02101 
02102     *p++ = 0x00;
02103     *p++ = 0x00;
02104 
02105     *olen = 4;
02106 }
02107 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
02108 
02109 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02110 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
02111                                           unsigned char *buf,
02112                                           size_t *olen )
02113 {
02114     unsigned char *p = buf;
02115 
02116     if( ssl->handshake->new_session_ticket == 0 )
02117     {
02118         *olen = 0;
02119         return;
02120     }
02121 
02122     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
02123 
02124     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
02125     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
02126 
02127     *p++ = 0x00;
02128     *p++ = 0x00;
02129 
02130     *olen = 4;
02131 }
02132 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
02133 
02134 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
02135                                          unsigned char *buf,
02136                                          size_t *olen )
02137 {
02138     unsigned char *p = buf;
02139 
02140     if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
02141     {
02142         *olen = 0;
02143         return;
02144     }
02145 
02146     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
02147 
02148     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
02149     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
02150 
02151 #if defined(MBEDTLS_SSL_RENEGOTIATION)
02152     if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
02153     {
02154         *p++ = 0x00;
02155         *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
02156         *p++ = ssl->verify_data_len * 2 & 0xFF;
02157 
02158         memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
02159         p += ssl->verify_data_len;
02160         memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
02161         p += ssl->verify_data_len;
02162     }
02163     else
02164 #endif /* MBEDTLS_SSL_RENEGOTIATION */
02165     {
02166         *p++ = 0x00;
02167         *p++ = 0x01;
02168         *p++ = 0x00;
02169     }
02170 
02171     *olen = p - buf;
02172 }
02173 
02174 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
02175 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
02176                                                unsigned char *buf,
02177                                                size_t *olen )
02178 {
02179     unsigned char *p = buf;
02180 
02181     if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
02182     {
02183         *olen = 0;
02184         return;
02185     }
02186 
02187     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
02188 
02189     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
02190     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
02191 
02192     *p++ = 0x00;
02193     *p++ = 1;
02194 
02195     *p++ = ssl->session_negotiate->mfl_code;
02196 
02197     *olen = 5;
02198 }
02199 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
02200 
02201 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
02202     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02203 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
02204                                                    unsigned char *buf,
02205                                                    size_t *olen )
02206 {
02207     unsigned char *p = buf;
02208     ((void) ssl);
02209 
02210     if( ( ssl->handshake->cli_exts &
02211           MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
02212     {
02213         *olen = 0;
02214         return;
02215     }
02216 
02217     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
02218 
02219     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
02220     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
02221 
02222     *p++ = 0x00;
02223     *p++ = 2;
02224 
02225     *p++ = 1;
02226     *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
02227 
02228     *olen = 6;
02229 }
02230 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02231 
02232 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02233 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
02234                                         unsigned char *buf,
02235                                         size_t *olen )
02236 {
02237     int ret;
02238     unsigned char *p = buf;
02239     const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02240     size_t kkpp_len;
02241 
02242     *olen = 0;
02243 
02244     /* Skip costly computation if not needed */
02245     if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
02246         MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02247         return;
02248 
02249     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
02250 
02251     if( end - p < 4 )
02252     {
02253         MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
02254         return;
02255     }
02256 
02257     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
02258     *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
02259 
02260     ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
02261                                         p + 2, end - p - 2, &kkpp_len,
02262                                         ssl->conf->f_rng, ssl->conf->p_rng );
02263     if( ret != 0 )
02264     {
02265         MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
02266         return;
02267     }
02268 
02269     *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
02270     *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
02271 
02272     *olen = kkpp_len + 4;
02273 }
02274 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02275 
02276 #if defined(MBEDTLS_SSL_ALPN )
02277 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
02278                                 unsigned char *buf, size_t *olen )
02279 {
02280     if( ssl->alpn_chosen == NULL )
02281     {
02282         *olen = 0;
02283         return;
02284     }
02285 
02286     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
02287 
02288     /*
02289      * 0 . 1    ext identifier
02290      * 2 . 3    ext length
02291      * 4 . 5    protocol list length
02292      * 6 . 6    protocol name length
02293      * 7 . 7+n  protocol name
02294      */
02295     buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
02296     buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
02297 
02298     *olen = 7 + strlen( ssl->alpn_chosen );
02299 
02300     buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
02301     buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
02302 
02303     buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
02304     buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
02305 
02306     buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
02307 
02308     memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
02309 }
02310 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
02311 
02312 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
02313 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
02314 {
02315     int ret;
02316     unsigned char *p = ssl->out_msg + 4;
02317     unsigned char *cookie_len_byte;
02318 
02319     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
02320 
02321     /*
02322      * struct {
02323      *   ProtocolVersion server_version;
02324      *   opaque cookie<0..2^8-1>;
02325      * } HelloVerifyRequest;
02326      */
02327 
02328     /* The RFC is not clear on this point, but sending the actual negotiated
02329      * version looks like the most interoperable thing to do. */
02330     mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02331                        ssl->conf->transport, p );
02332     MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
02333     p += 2;
02334 
02335     /* If we get here, f_cookie_check is not null */
02336     if( ssl->conf->f_cookie_write == NULL )
02337     {
02338         MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
02339         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02340     }
02341 
02342     /* Skip length byte until we know the length */
02343     cookie_len_byte = p++;
02344 
02345     if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
02346                                      &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
02347                                      ssl->cli_id, ssl->cli_id_len ) ) != 0 )
02348     {
02349         MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
02350         return( ret );
02351     }
02352 
02353     *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
02354 
02355     MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
02356 
02357     ssl->out_msglen  = p - ssl->out_msg;
02358     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02359     ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
02360 
02361     ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
02362 
02363     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
02364     {
02365         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
02366         return( ret );
02367     }
02368 
02369     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
02370 
02371     return( 0 );
02372 }
02373 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
02374 
02375 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
02376 {
02377 #if defined(MBEDTLS_HAVE_TIME)
02378     mbedtls_time_t t;
02379 #endif
02380     int ret;
02381     size_t olen, ext_len = 0, n;
02382     unsigned char *buf, *p;
02383 
02384     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
02385 
02386 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
02387     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
02388         ssl->handshake->verify_cookie_len != 0 )
02389     {
02390         MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
02391         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
02392 
02393         return( ssl_write_hello_verify_request( ssl ) );
02394     }
02395 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
02396 
02397     if( ssl->conf->f_rng == NULL )
02398     {
02399         MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
02400         return( MBEDTLS_ERR_SSL_NO_RNG );
02401     }
02402 
02403     /*
02404      *     0  .   0   handshake type
02405      *     1  .   3   handshake length
02406      *     4  .   5   protocol version
02407      *     6  .   9   UNIX time()
02408      *    10  .  37   random bytes
02409      */
02410     buf = ssl->out_msg;
02411     p = buf + 4;
02412 
02413     mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
02414                        ssl->conf->transport, p );
02415     p += 2;
02416 
02417     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
02418                         buf[4], buf[5] ) );
02419 
02420 #if defined(MBEDTLS_HAVE_TIME)
02421     t = mbedtls_time( NULL );
02422     *p++ = (unsigned char)( t >> 24 );
02423     *p++ = (unsigned char)( t >> 16 );
02424     *p++ = (unsigned char)( t >>  8 );
02425     *p++ = (unsigned char)( t       );
02426 
02427     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
02428 #else
02429     if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
02430         return( ret );
02431 
02432     p += 4;
02433 #endif /* MBEDTLS_HAVE_TIME */
02434 
02435     if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
02436         return( ret );
02437 
02438     p += 28;
02439 
02440     memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
02441 
02442     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
02443 
02444     /*
02445      * Resume is 0  by default, see ssl_handshake_init().
02446      * It may be already set to 1 by ssl_parse_session_ticket_ext().
02447      * If not, try looking up session ID in our cache.
02448      */
02449     if( ssl->handshake->resume == 0 &&
02450 #if defined(MBEDTLS_SSL_RENEGOTIATION)
02451         ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
02452 #endif
02453         ssl->session_negotiate->id_len != 0 &&
02454         ssl->conf->f_get_cache != NULL &&
02455         ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
02456     {
02457         MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
02458         ssl->handshake->resume = 1;
02459     }
02460 
02461     if( ssl->handshake->resume == 0 )
02462     {
02463         /*
02464          * New session, create a new session id,
02465          * unless we're about to issue a session ticket
02466          */
02467         ssl->state++;
02468 
02469 #if defined(MBEDTLS_HAVE_TIME)
02470         ssl->session_negotiate->start = mbedtls_time( NULL );
02471 #endif
02472 
02473 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02474         if( ssl->handshake->new_session_ticket != 0 )
02475         {
02476             ssl->session_negotiate->id_len = n = 0;
02477             memset( ssl->session_negotiate->id, 0, 32 );
02478         }
02479         else
02480 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
02481         {
02482             ssl->session_negotiate->id_len = n = 32;
02483             if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
02484                                     n ) ) != 0 )
02485                 return( ret );
02486         }
02487     }
02488     else
02489     {
02490         /*
02491          * Resuming a session
02492          */
02493         n = ssl->session_negotiate->id_len;
02494         ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
02495 
02496         if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
02497         {
02498             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
02499             return( ret );
02500         }
02501     }
02502 
02503     /*
02504      *    38  .  38     session id length
02505      *    39  . 38+n    session id
02506      *   39+n . 40+n    chosen ciphersuite
02507      *   41+n . 41+n    chosen compression alg.
02508      *   42+n . 43+n    extensions length
02509      *   44+n . 43+n+m  extensions
02510      */
02511     *p++ = (unsigned char) ssl->session_negotiate->id_len;
02512     memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
02513     p += ssl->session_negotiate->id_len;
02514 
02515     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
02516     MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
02517     MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
02518                    ssl->handshake->resume ? "a" : "no" ) );
02519 
02520     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
02521     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
02522     *p++ = (unsigned char)( ssl->session_negotiate->compression      );
02523 
02524     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
02525            mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
02526     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
02527                    ssl->session_negotiate->compression ) );
02528 
02529     /* Do not write the extensions if the protocol is SSLv3 */
02530 #if defined(MBEDTLS_SSL_PROTO_SSL3)
02531     if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
02532     {
02533 #endif
02534 
02535     /*
02536      *  First write extensions, then the total length
02537      */
02538     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
02539     ext_len += olen;
02540 
02541 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
02542     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
02543     ext_len += olen;
02544 #endif
02545 
02546 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
02547     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
02548     ext_len += olen;
02549 #endif
02550 
02551 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
02552     ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
02553     ext_len += olen;
02554 #endif
02555 
02556 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
02557     ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
02558     ext_len += olen;
02559 #endif
02560 
02561 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
02562     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
02563     ext_len += olen;
02564 #endif
02565 
02566 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
02567     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02568     ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
02569     ext_len += olen;
02570 #endif
02571 
02572 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02573     ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
02574     ext_len += olen;
02575 #endif
02576 
02577 #if defined(MBEDTLS_SSL_ALPN)
02578     ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
02579     ext_len += olen;
02580 #endif
02581 
02582     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
02583 
02584     if( ext_len > 0 )
02585     {
02586         *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
02587         *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
02588         p += ext_len;
02589     }
02590 
02591 #if defined(MBEDTLS_SSL_PROTO_SSL3)
02592     }
02593 #endif
02594 
02595     ssl->out_msglen  = p - buf;
02596     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02597     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
02598 
02599     ret = mbedtls_ssl_write_record( ssl );
02600 
02601     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
02602 
02603     return( ret );
02604 }
02605 
02606 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
02607     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
02608     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
02609     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
02610     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
02611     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02612 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
02613 {
02614     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
02615         ssl->transform_negotiate->ciphersuite_info;
02616 
02617     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02618 
02619     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
02620         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
02621         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02622         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
02623         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02624     {
02625         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02626         ssl->state++;
02627         return( 0 );
02628     }
02629 
02630     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02631     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
02632 }
02633 #else
02634 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
02635 {
02636     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
02637     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
02638         ssl->transform_negotiate->ciphersuite_info;
02639     size_t dn_size, total_dn_size; /* excluding length bytes */
02640     size_t ct_len, sa_len; /* including length bytes */
02641     unsigned char *buf, *p;
02642     const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02643     const mbedtls_x509_crt *crt;
02644     int authmode;
02645 
02646     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02647 
02648     ssl->state++;
02649 
02650 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
02651     if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
02652         authmode = ssl->handshake->sni_authmode;
02653     else
02654 #endif
02655         authmode = ssl->conf->authmode;
02656 
02657     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
02658         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
02659         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02660         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
02661         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
02662         authmode == MBEDTLS_SSL_VERIFY_NONE )
02663     {
02664         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02665         return( 0 );
02666     }
02667 
02668     /*
02669      *     0  .   0   handshake type
02670      *     1  .   3   handshake length
02671      *     4  .   4   cert type count
02672      *     5  .. m-1  cert types
02673      *     m  .. m+1  sig alg length (TLS 1.2 only)
02674      *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
02675      *     n  .. n+1  length of all DNs
02676      *    n+2 .. n+3  length of DN 1
02677      *    n+4 .. ...  Distinguished Name #1
02678      *    ... .. ...  length of DN 2, etc.
02679      */
02680     buf = ssl->out_msg;
02681     p = buf + 4;
02682 
02683     /*
02684      * Supported certificate types
02685      *
02686      *     ClientCertificateType certificate_types<1..2^8-1>;
02687      *     enum { (255) } ClientCertificateType;
02688      */
02689     ct_len = 0;
02690 
02691 #if defined(MBEDTLS_RSA_C)
02692     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
02693 #endif
02694 #if defined(MBEDTLS_ECDSA_C)
02695     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
02696 #endif
02697 
02698     p[0] = (unsigned char) ct_len++;
02699     p += ct_len;
02700 
02701     sa_len = 0;
02702 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
02703     /*
02704      * Add signature_algorithms for verify (TLS 1.2)
02705      *
02706      *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
02707      *
02708      *     struct {
02709      *           HashAlgorithm hash;
02710      *           SignatureAlgorithm signature;
02711      *     } SignatureAndHashAlgorithm;
02712      *
02713      *     enum { (255) } HashAlgorithm;
02714      *     enum { (255) } SignatureAlgorithm;
02715      */
02716     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
02717     {
02718         const int *cur;
02719 
02720         /*
02721          * Supported signature algorithms
02722          */
02723         for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
02724         {
02725             unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
02726 
02727             if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
02728                 continue;
02729 
02730 #if defined(MBEDTLS_RSA_C)
02731             p[2 + sa_len++] = hash;
02732             p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
02733 #endif
02734 #if defined(MBEDTLS_ECDSA_C)
02735             p[2 + sa_len++] = hash;
02736             p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
02737 #endif
02738         }
02739 
02740         p[0] = (unsigned char)( sa_len >> 8 );
02741         p[1] = (unsigned char)( sa_len      );
02742         sa_len += 2;
02743         p += sa_len;
02744     }
02745 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
02746 
02747     /*
02748      * DistinguishedName certificate_authorities<0..2^16-1>;
02749      * opaque DistinguishedName<1..2^16-1>;
02750      */
02751     p += 2;
02752 
02753     total_dn_size = 0;
02754 
02755     if( ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
02756     {
02757 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
02758         if( ssl->handshake->sni_ca_chain != NULL )
02759             crt = ssl->handshake->sni_ca_chain;
02760         else
02761 #endif
02762             crt = ssl->conf->ca_chain;
02763 
02764         while( crt != NULL && crt->version != 0 )
02765         {
02766             dn_size = crt->subject_raw.len;
02767 
02768             if( end < p ||
02769                 (size_t)( end - p ) < dn_size ||
02770                 (size_t)( end - p ) < 2 + dn_size )
02771             {
02772                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
02773                 break;
02774             }
02775 
02776             *p++ = (unsigned char)( dn_size >> 8 );
02777             *p++ = (unsigned char)( dn_size      );
02778             memcpy( p, crt->subject_raw.p, dn_size );
02779             p += dn_size;
02780 
02781             MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
02782 
02783             total_dn_size += 2 + dn_size;
02784             crt = crt->next;
02785         }
02786     }
02787 
02788     ssl->out_msglen  = p - buf;
02789     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
02790     ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
02791     ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
02792     ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
02793 
02794     ret = mbedtls_ssl_write_record( ssl );
02795 
02796     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
02797 
02798     return( ret );
02799 }
02800 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
02801           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
02802           !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
02803           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
02804           !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
02805           !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
02806 
02807 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
02808     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
02809 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
02810 {
02811     int ret;
02812 
02813     if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
02814     {
02815         MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
02816         return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
02817     }
02818 
02819     if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
02820                                  mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
02821                                  MBEDTLS_ECDH_OURS ) ) != 0 )
02822     {
02823         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
02824         return( ret );
02825     }
02826 
02827     return( 0 );
02828 }
02829 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
02830           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
02831 
02832 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
02833 {
02834     int ret;
02835     size_t n = 0;
02836     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
02837                             ssl->transform_negotiate->ciphersuite_info;
02838 
02839 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
02840     unsigned char *p = ssl->out_msg + 4;
02841     size_t len;
02842 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
02843     unsigned char *dig_signed = p;
02844     size_t dig_signed_len = 0;
02845 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
02846 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
02847 
02848     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
02849 
02850     /*
02851      *
02852      * Part 1: Extract static ECDH parameters and abort
02853      *         if ServerKeyExchange not needed.
02854      *
02855      */
02856 
02857     /* For suites involving ECDH, extract DH parameters
02858      * from certificate at this point. */
02859 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
02860     if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
02861     {
02862         ssl_get_ecdh_params_from_cert( ssl );
02863     }
02864 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
02865 
02866     /* Key exchanges not involving ephemeral keys don't use
02867      * ServerKeyExchange, so end here. */
02868 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
02869     if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
02870     {
02871         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
02872         ssl->state++;
02873         return( 0 );
02874     }
02875 #endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
02876 
02877     /*
02878      *
02879      * Part 2: Provide key exchange parameters for chosen ciphersuite.
02880      *
02881      */
02882 
02883     /*
02884      * - ECJPAKE key exchanges
02885      */
02886 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
02887     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
02888     {
02889         const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
02890 
02891         ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
02892                 p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng );
02893         if( ret != 0 )
02894         {
02895             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
02896             return( ret );
02897         }
02898 
02899         p += len;
02900         n += len;
02901     }
02902 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
02903 
02904     /*
02905      * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
02906      * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
02907      * we use empty support identity hints here.
02908      **/
02909 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
02910     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02911     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
02912         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
02913     {
02914         *(p++) = 0x00;
02915         *(p++) = 0x00;
02916 
02917         n += 2;
02918     }
02919 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
02920           MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
02921 
02922     /*
02923      * - DHE key exchanges
02924      */
02925 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
02926     if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
02927     {
02928         if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
02929         {
02930             MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
02931             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
02932         }
02933 
02934         /*
02935          * Ephemeral DH parameters:
02936          *
02937          * struct {
02938          *     opaque dh_p<1..2^16-1>;
02939          *     opaque dh_g<1..2^16-1>;
02940          *     opaque dh_Ys<1..2^16-1>;
02941          * } ServerDHParams;
02942          */
02943         if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 ||
02944             ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
02945         {
02946             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
02947             return( ret );
02948         }
02949 
02950         if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
02951                         (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
02952                         p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
02953         {
02954             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
02955             return( ret );
02956         }
02957 
02958 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)        
02959         dig_signed = p;
02960         dig_signed_len = len;
02961 #endif
02962 
02963         p += len;
02964         n += len;
02965 
02966         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
02967         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
02968         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
02969         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
02970     }
02971 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
02972 
02973     /*
02974      * - ECDHE key exchanges
02975      */
02976 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
02977     if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
02978     {
02979         /*
02980          * Ephemeral ECDH parameters:
02981          *
02982          * struct {
02983          *     ECParameters curve_params;
02984          *     ECPoint      public;
02985          * } ServerECDHParams;
02986          */
02987         const mbedtls_ecp_curve_info **curve = NULL;
02988         const mbedtls_ecp_group_id *gid;
02989 
02990         /* Match our preference list against the offered curves */
02991         for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
02992             for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
02993                 if( (*curve)->grp_id == *gid )
02994                     goto curve_matching_done;
02995 
02996 curve_matching_done:
02997         if( curve == NULL || *curve == NULL )
02998         {
02999             MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
03000             return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
03001         }
03002 
03003         MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
03004 
03005         if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
03006                                        (*curve)->grp_id ) ) != 0 )
03007         {
03008             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
03009             return( ret );
03010         }
03011 
03012         if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
03013                                       p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
03014                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03015         {
03016             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
03017             return( ret );
03018         }
03019 
03020 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
03021         dig_signed     = p;
03022         dig_signed_len = len;
03023 #endif
03024 
03025         p += len;
03026         n += len;
03027 
03028         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
03029     }
03030 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
03031 
03032     /*
03033      *
03034      * Part 3: For key exchanges involving the server signing the
03035      *         exchange parameters, compute and add the signature here.
03036      *
03037      */
03038 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
03039     if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
03040     {
03041         size_t signature_len = 0;
03042         unsigned int hashlen = 0;
03043         unsigned char hash[64];
03044 
03045         /*
03046          * 3.1: Choose hash algorithm:
03047          * A: For TLS 1.2, obey signature-hash-algorithm extension 
03048          *    to choose appropriate hash.
03049          * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
03050          *    (RFC 4492, Sec. 5.4)
03051          * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
03052          */
03053 
03054         mbedtls_md_type_t md_alg;
03055 
03056 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03057         mbedtls_pk_type_t sig_alg =
03058             mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
03059         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
03060         {
03061             /* A: For TLS 1.2, obey signature-hash-algorithm extension
03062              *    (RFC 5246, Sec. 7.4.1.4.1). */
03063             if( sig_alg == MBEDTLS_PK_NONE ||
03064                 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
03065                                                           sig_alg ) ) == MBEDTLS_MD_NONE )
03066             {
03067                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03068                 /* (... because we choose a cipher suite 
03069                  *      only if there is a matching hash.) */
03070                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03071             }
03072         }
03073         else
03074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03075 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
03076     defined(MBEDTLS_SSL_PROTO_TLS1_1)
03077         if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
03078         {
03079             /* B: Default hash SHA1 */
03080             md_alg = MBEDTLS_MD_SHA1;
03081         }
03082         else
03083 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
03084           MBEDTLS_SSL_PROTO_TLS1_1 */
03085         {
03086             /* C: MD5 + SHA1 */
03087             md_alg = MBEDTLS_MD_NONE;
03088         }
03089 
03090         MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
03091 
03092         /*
03093          * 3.2: Compute the hash to be signed
03094          */
03095 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
03096     defined(MBEDTLS_SSL_PROTO_TLS1_1)
03097         if( md_alg == MBEDTLS_MD_NONE )
03098         {
03099             mbedtls_md5_context mbedtls_md5;
03100             mbedtls_sha1_context mbedtls_sha1;
03101 
03102             mbedtls_md5_init(  &mbedtls_md5  );
03103             mbedtls_sha1_init( &mbedtls_sha1 );
03104 
03105             /*
03106              * digitally-signed struct {
03107              *     opaque md5_hash[16];
03108              *     opaque sha_hash[20];
03109              * };
03110              *
03111              * md5_hash
03112              *     MD5(ClientHello.random + ServerHello.random
03113              *                            + ServerParams);
03114              * sha_hash
03115              *     SHA(ClientHello.random + ServerHello.random
03116              *                            + ServerParams);
03117              */
03118 
03119             mbedtls_md5_starts( &mbedtls_md5 );
03120             mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes,  64 );
03121             mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
03122             mbedtls_md5_finish( &mbedtls_md5, hash );
03123 
03124             mbedtls_sha1_starts( &mbedtls_sha1 );
03125             mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes,  64 );
03126             mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
03127             mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
03128 
03129             hashlen = 36;
03130 
03131             mbedtls_md5_free(  &mbedtls_md5  );
03132             mbedtls_sha1_free( &mbedtls_sha1 );
03133         }
03134         else
03135 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
03136           MBEDTLS_SSL_PROTO_TLS1_1 */
03137 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
03138     defined(MBEDTLS_SSL_PROTO_TLS1_2)
03139         if( md_alg != MBEDTLS_MD_NONE )
03140         {
03141             mbedtls_md_context_t ctx;
03142             const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
03143 
03144             mbedtls_md_init( &ctx );
03145 
03146             /* Info from md_alg will be used instead */
03147             hashlen = 0;
03148 
03149             /*
03150              * digitally-signed struct {
03151              *     opaque client_random[32];
03152              *     opaque server_random[32];
03153              *     ServerDHParams params;
03154              * };
03155              */
03156             if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
03157             {
03158                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
03159                 return( ret );
03160             }
03161 
03162             mbedtls_md_starts( &ctx );
03163             mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
03164             mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
03165             mbedtls_md_finish( &ctx, hash );
03166             mbedtls_md_free( &ctx );
03167         }
03168         else
03169 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
03170           MBEDTLS_SSL_PROTO_TLS1_2 */
03171         {
03172             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03173             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03174         }
03175 
03176         MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
03177             (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
03178 
03179         /*
03180          * 3.3: Compute and add the signature
03181          */
03182         if( mbedtls_ssl_own_key( ssl ) == NULL )
03183         {
03184             MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
03185             return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03186         }
03187 
03188 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03189         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
03190         {
03191             /*
03192              * For TLS 1.2, we need to specify signature and hash algorithm
03193              * explicitly through a prefix to the signature.
03194              *
03195              * struct {
03196              *    HashAlgorithm hash;
03197              *    SignatureAlgorithm signature;
03198              * } SignatureAndHashAlgorithm;
03199              *
03200              * struct {
03201              *    SignatureAndHashAlgorithm algorithm;
03202              *    opaque signature<0..2^16-1>;
03203              * } DigitallySigned;
03204              *
03205              */
03206 
03207             *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
03208             *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
03209 
03210             n += 2;
03211         }
03212 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03213 
03214         if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
03215                         p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03216         {
03217             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
03218             return( ret );
03219         }
03220 
03221         *(p++) = (unsigned char)( signature_len >> 8 );
03222         *(p++) = (unsigned char)( signature_len      );
03223         n += 2;
03224 
03225         MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
03226 
03227         n += signature_len;
03228     }
03229 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
03230 
03231     /* Done with actual work; add header and send. */
03232 
03233     ssl->out_msglen  = 4 + n;
03234     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03235     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
03236 
03237     ssl->state++;
03238 
03239     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03240     {
03241         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03242         return( ret );
03243     }
03244 
03245     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
03246 
03247     return( 0 );
03248 }
03249 
03250 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
03251 {
03252     int ret;
03253 
03254     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
03255 
03256     ssl->out_msglen  = 4;
03257     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03258     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
03259 
03260     ssl->state++;
03261 
03262 #if defined(MBEDTLS_SSL_PROTO_DTLS)
03263     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
03264         mbedtls_ssl_send_flight_completed( ssl );
03265 #endif
03266 
03267     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03268     {
03269         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03270         return( ret );
03271     }
03272 
03273     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
03274 
03275     return( 0 );
03276 }
03277 
03278 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
03279     defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
03280 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
03281                                        const unsigned char *end )
03282 {
03283     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
03284     size_t n;
03285 
03286     /*
03287      * Receive G^Y mod P, premaster = (G^Y)^X mod P
03288      */
03289     if( *p + 2 > end )
03290     {
03291         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03292         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03293     }
03294 
03295     n = ( (*p)[0] << 8 ) | (*p)[1];
03296     *p += 2;
03297 
03298     if( *p + n > end )
03299     {
03300         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03301         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03302     }
03303 
03304     if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
03305     {
03306         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
03307         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03308     }
03309 
03310     *p += n;
03311 
03312     MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
03313 
03314     return( ret );
03315 }
03316 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
03317           MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
03318 
03319 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
03320     defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
03321 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
03322                                     const unsigned char *p,
03323                                     const unsigned char *end,
03324                                     size_t pms_offset )
03325 {
03326     int ret;
03327     size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
03328     unsigned char *pms = ssl->handshake->premaster + pms_offset;
03329     unsigned char ver[2];
03330     unsigned char fake_pms[48], peer_pms[48];
03331     unsigned char mask;
03332     size_t i, peer_pmslen;
03333     unsigned int diff;
03334 
03335     if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
03336     {
03337         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
03338         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03339     }
03340 
03341     /*
03342      * Decrypt the premaster using own private RSA key
03343      */
03344 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
03345     defined(MBEDTLS_SSL_PROTO_TLS1_2)
03346     if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
03347     {
03348         if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
03349             *p++ != ( ( len      ) & 0xFF ) )
03350         {
03351             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03352             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03353         }
03354     }
03355 #endif
03356 
03357     if( p + len != end )
03358     {
03359         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03360         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03361     }
03362 
03363     mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
03364                        ssl->handshake->max_minor_ver,
03365                        ssl->conf->transport, ver );
03366 
03367     /*
03368      * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
03369      * must not cause the connection to end immediately; instead, send a
03370      * bad_record_mac later in the handshake.
03371      * Also, avoid data-dependant branches here to protect against
03372      * timing-based variants.
03373      */
03374     ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
03375     if( ret != 0 )
03376         return( ret );
03377 
03378     ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
03379                       peer_pms, &peer_pmslen,
03380                       sizeof( peer_pms ),
03381                       ssl->conf->f_rng, ssl->conf->p_rng );
03382 
03383     diff  = (unsigned int) ret;
03384     diff |= peer_pmslen ^ 48;
03385     diff |= peer_pms[0] ^ ver[0];
03386     diff |= peer_pms[1] ^ ver[1];
03387 
03388 #if defined(MBEDTLS_SSL_DEBUG_ALL)
03389     if( diff != 0 )
03390         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03391 #endif
03392 
03393     if( sizeof( ssl->handshake->premaster ) < pms_offset ||
03394         sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
03395     {
03396         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03397         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03398     }
03399     ssl->handshake->pmslen = 48;
03400 
03401     /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
03402     /* MSVC has a warning about unary minus on unsigned, but this is
03403      * well-defined and precisely what we want to do here */
03404 #if defined(_MSC_VER)
03405 #pragma warning( push )
03406 #pragma warning( disable : 4146 )
03407 #endif
03408     mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
03409 #if defined(_MSC_VER)
03410 #pragma warning( pop )
03411 #endif
03412 
03413     for( i = 0; i < ssl->handshake->pmslen; i++ )
03414         pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
03415 
03416     return( 0 );
03417 }
03418 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
03419           MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
03420 
03421 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
03422 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
03423                                           const unsigned char *end )
03424 {
03425     int ret = 0;
03426     size_t n;
03427 
03428     if( ssl->conf->f_psk == NULL &&
03429         ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
03430           ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
03431     {
03432         MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
03433         return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
03434     }
03435 
03436     /*
03437      * Receive client pre-shared key identity name
03438      */
03439     if( *p + 2 > end )
03440     {
03441         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03442         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03443     }
03444 
03445     n = ( (*p)[0] << 8 ) | (*p)[1];
03446     *p += 2;
03447 
03448     if( n < 1 || n > 65535 || *p + n > end )
03449     {
03450         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03451         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03452     }
03453 
03454     if( ssl->conf->f_psk != NULL )
03455     {
03456         if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
03457             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
03458     }
03459     else
03460     {
03461         /* Identity is not a big secret since clients send it in the clear,
03462          * but treat it carefully anyway, just in case */
03463         if( n != ssl->conf->psk_identity_len ||
03464             mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
03465         {
03466             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
03467         }
03468     }
03469 
03470     if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
03471     {
03472         MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
03473         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
03474                                         MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
03475         return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
03476     }
03477 
03478     *p += n;
03479 
03480     return( 0 );
03481 }
03482 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
03483 
03484 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
03485 {
03486     int ret;
03487     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
03488     unsigned char *p, *end;
03489 
03490     ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03491 
03492     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
03493 
03494     if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
03495     {
03496         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
03497         return( ret );
03498     }
03499 
03500     p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
03501     end = ssl->in_msg + ssl->in_hslen;
03502 
03503     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
03504     {
03505         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03506         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03507     }
03508 
03509     if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
03510     {
03511         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03512         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03513     }
03514 
03515 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
03516     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
03517     {
03518         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03519         {
03520             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03521             return( ret );
03522         }
03523 
03524         if( p != end )
03525         {
03526             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03527             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03528         }
03529 
03530         if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
03531                                       ssl->handshake->premaster,
03532                                       MBEDTLS_PREMASTER_SIZE,
03533                                      &ssl->handshake->pmslen,
03534                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03535         {
03536             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
03537             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03538         }
03539 
03540         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
03541     }
03542     else
03543 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
03544 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
03545     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
03546     defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
03547     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
03548     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
03549         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
03550         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
03551         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
03552     {
03553         if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
03554                                       p, end - p) ) != 0 )
03555         {
03556             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
03557             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03558         }
03559 
03560         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03561 
03562         if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
03563                                       &ssl->handshake->pmslen,
03564                                        ssl->handshake->premaster,
03565                                        MBEDTLS_MPI_MAX_SIZE,
03566                                        ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
03567         {
03568             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
03569             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03570         }
03571 
03572         MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
03573     }
03574     else
03575 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
03576           MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
03577           MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
03578           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
03579 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
03580     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
03581     {
03582         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03583         {
03584             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03585             return( ret );
03586         }
03587 
03588         if( p != end )
03589         {
03590             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03591             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03592         }
03593 
03594         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03595                         ciphersuite_info->key_exchange ) ) != 0 )
03596         {
03597             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03598             return( ret );
03599         }
03600     }
03601     else
03602 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
03603 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
03604     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
03605     {
03606         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03607         {
03608             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03609             return( ret );
03610         }
03611 
03612         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
03613         {
03614             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
03615             return( ret );
03616         }
03617 
03618         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03619                         ciphersuite_info->key_exchange ) ) != 0 )
03620         {
03621             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03622             return( ret );
03623         }
03624     }
03625     else
03626 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
03627 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
03628     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
03629     {
03630         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03631         {
03632             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03633             return( ret );
03634         }
03635         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03636         {
03637             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03638             return( ret );
03639         }
03640 
03641         if( p != end )
03642         {
03643             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03644             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03645         }
03646 
03647         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03648                         ciphersuite_info->key_exchange ) ) != 0 )
03649         {
03650             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03651             return( ret );
03652         }
03653     }
03654     else
03655 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
03656 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
03657     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
03658     {
03659         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03660         {
03661             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03662             return( ret );
03663         }
03664 
03665         if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
03666                                        p, end - p ) ) != 0 )
03667         {
03668             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
03669             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03670         }
03671 
03672         MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03673 
03674         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
03675                         ciphersuite_info->key_exchange ) ) != 0 )
03676         {
03677             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
03678             return( ret );
03679         }
03680     }
03681     else
03682 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
03683 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
03684     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
03685     {
03686         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
03687         {
03688             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
03689             return( ret );
03690         }
03691     }
03692     else
03693 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
03694 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
03695     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
03696     {
03697         ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
03698                                               p, end - p );
03699         if( ret != 0 )
03700         {
03701             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
03702             return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
03703         }
03704 
03705         ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
03706                 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
03707                 ssl->conf->f_rng, ssl->conf->p_rng );
03708         if( ret != 0 )
03709         {
03710             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
03711             return( ret );
03712         }
03713     }
03714     else
03715 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
03716     {
03717         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03718         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03719     }
03720 
03721     if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
03722     {
03723         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
03724         return( ret );
03725     }
03726 
03727     ssl->state++;
03728 
03729     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
03730 
03731     return( 0 );
03732 }
03733 
03734 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
03735     !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
03736     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
03737     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
03738     !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
03739     !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
03740 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
03741 {
03742     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
03743         ssl->transform_negotiate->ciphersuite_info;
03744 
03745     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03746 
03747     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
03748         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
03749         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
03750         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
03751         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
03752     {
03753         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03754         ssl->state++;
03755         return( 0 );
03756     }
03757 
03758     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03759     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03760 }
03761 #else
03762 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
03763 {
03764     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
03765     size_t i, sig_len;
03766     unsigned char hash[48];
03767     unsigned char *hash_start = hash;
03768     size_t hashlen;
03769 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03770     mbedtls_pk_type_t pk_alg;
03771 #endif
03772     mbedtls_md_type_t md_alg;
03773     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
03774         ssl->transform_negotiate->ciphersuite_info;
03775 
03776     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03777 
03778     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
03779         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
03780         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
03781         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
03782         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
03783         ssl->session_negotiate->peer_cert == NULL )
03784     {
03785         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03786         ssl->state++;
03787         return( 0 );
03788     }
03789 
03790     /* Read the message without adding it to the checksum */
03791     do {
03792 
03793         if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
03794         {
03795             MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
03796             return( ret );
03797         }
03798 
03799         ret = mbedtls_ssl_handle_message_type( ssl );
03800 
03801     } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
03802 
03803     if( 0 != ret )
03804     {
03805         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
03806         return( ret );
03807     }
03808 
03809     ssl->state++;
03810 
03811     /* Process the message contents */
03812     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
03813         ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
03814     {
03815         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03816         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03817     }
03818 
03819     i = mbedtls_ssl_hs_hdr_len( ssl );
03820 
03821     /*
03822      *  struct {
03823      *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
03824      *     opaque signature<0..2^16-1>;
03825      *  } DigitallySigned;
03826      */
03827 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
03828     defined(MBEDTLS_SSL_PROTO_TLS1_1)
03829     if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
03830     {
03831         md_alg = MBEDTLS_MD_NONE;
03832         hashlen = 36;
03833 
03834         /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
03835         if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
03836                         MBEDTLS_PK_ECDSA ) )
03837         {
03838             hash_start += 16;
03839             hashlen -= 16;
03840             md_alg = MBEDTLS_MD_SHA1;
03841         }
03842     }
03843     else
03844 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
03845           MBEDTLS_SSL_PROTO_TLS1_1 */
03846 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
03847     if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
03848     {
03849         if( i + 2 > ssl->in_hslen )
03850         {
03851             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03852             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03853         }
03854 
03855         /*
03856          * Hash
03857          */
03858         md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
03859 
03860         if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
03861         {
03862             MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03863                                 " for verify message" ) );
03864             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03865         }
03866 
03867 #if !defined(MBEDTLS_MD_SHA1)
03868         if( MBEDTLS_MD_SHA1 == md_alg )
03869             hash_start += 16;
03870 #endif
03871 
03872         /* Info from md_alg will be used instead */
03873         hashlen = 0;
03874 
03875         i++;
03876 
03877         /*
03878          * Signature
03879          */
03880         if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
03881                         == MBEDTLS_PK_NONE )
03882         {
03883             MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03884                                 " for verify message" ) );
03885             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03886         }
03887 
03888         /*
03889          * Check the certificate's key type matches the signature alg
03890          */
03891         if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
03892         {
03893             MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
03894             return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03895         }
03896 
03897         i++;
03898     }
03899     else
03900 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
03901     {
03902         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03903         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
03904     }
03905 
03906     if( i + 2 > ssl->in_hslen )
03907     {
03908         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03909         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03910     }
03911 
03912     sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
03913     i += 2;
03914 
03915     if( i + sig_len != ssl->in_hslen )
03916     {
03917         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03918         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03919     }
03920 
03921     /* Calculate hash and verify signature */
03922     ssl->handshake->calc_verify( ssl, hash );
03923 
03924     if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
03925                            md_alg, hash_start, hashlen,
03926                            ssl->in_msg + i, sig_len ) ) != 0 )
03927     {
03928         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
03929         return( ret );
03930     }
03931 
03932     mbedtls_ssl_update_handshake_status( ssl );
03933 
03934     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
03935 
03936     return( ret );
03937 }
03938 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
03939           !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
03940           !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
03941           !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
03942           !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
03943           !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
03944 
03945 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
03946 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
03947 {
03948     int ret;
03949     size_t tlen;
03950     uint32_t lifetime;
03951 
03952     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
03953 
03954     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
03955     ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
03956 
03957     /*
03958      * struct {
03959      *     uint32 ticket_lifetime_hint;
03960      *     opaque ticket<0..2^16-1>;
03961      * } NewSessionTicket;
03962      *
03963      * 4  .  7   ticket_lifetime_hint (0 = unspecified)
03964      * 8  .  9   ticket_len (n)
03965      * 10 .  9+n ticket content
03966      */
03967 
03968     if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
03969                                 ssl->session_negotiate,
03970                                 ssl->out_msg + 10,
03971                                 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
03972                                 &tlen, &lifetime ) ) != 0 )
03973     {
03974         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
03975         tlen = 0;
03976     }
03977 
03978     ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
03979     ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
03980     ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
03981     ssl->out_msg[7] = ( lifetime       ) & 0xFF;
03982 
03983     ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
03984     ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
03985 
03986     ssl->out_msglen = 10 + tlen;
03987 
03988     /*
03989      * Morally equivalent to updating ssl->state, but NewSessionTicket and
03990      * ChangeCipherSpec share the same state.
03991      */
03992     ssl->handshake->new_session_ticket = 0;
03993 
03994     if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
03995     {
03996         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
03997         return( ret );
03998     }
03999 
04000     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
04001 
04002     return( 0 );
04003 }
04004 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
04005 
04006 /*
04007  * SSL handshake -- server side -- single step
04008  */
04009 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
04010 {
04011     int ret = 0;
04012 
04013     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
04014         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
04015 
04016     MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
04017 
04018     if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
04019         return( ret );
04020 
04021 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04022     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
04023         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
04024     {
04025         if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
04026             return( ret );
04027     }
04028 #endif
04029 
04030     switch( ssl->state )
04031     {
04032         case MBEDTLS_SSL_HELLO_REQUEST:
04033             ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
04034             break;
04035 
04036         /*
04037          *  <==   ClientHello
04038          */
04039         case MBEDTLS_SSL_CLIENT_HELLO:
04040             ret = ssl_parse_client_hello( ssl );
04041             break;
04042 
04043 #if defined(MBEDTLS_SSL_PROTO_DTLS)
04044         case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
04045             return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
04046 #endif
04047 
04048         /*
04049          *  ==>   ServerHello
04050          *        Certificate
04051          *      ( ServerKeyExchange  )
04052          *      ( CertificateRequest )
04053          *        ServerHelloDone
04054          */
04055         case MBEDTLS_SSL_SERVER_HELLO:
04056             ret = ssl_write_server_hello( ssl );
04057             break;
04058 
04059         case MBEDTLS_SSL_SERVER_CERTIFICATE:
04060             ret = mbedtls_ssl_write_certificate( ssl );
04061             break;
04062 
04063         case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
04064             ret = ssl_write_server_key_exchange( ssl );
04065             break;
04066 
04067         case MBEDTLS_SSL_CERTIFICATE_REQUEST:
04068             ret = ssl_write_certificate_request( ssl );
04069             break;
04070 
04071         case MBEDTLS_SSL_SERVER_HELLO_DONE:
04072             ret = ssl_write_server_hello_done( ssl );
04073             break;
04074 
04075         /*
04076          *  <== ( Certificate/Alert  )
04077          *        ClientKeyExchange
04078          *      ( CertificateVerify  )
04079          *        ChangeCipherSpec
04080          *        Finished
04081          */
04082         case MBEDTLS_SSL_CLIENT_CERTIFICATE:
04083             ret = mbedtls_ssl_parse_certificate( ssl );
04084             break;
04085 
04086         case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
04087             ret = ssl_parse_client_key_exchange( ssl );
04088             break;
04089 
04090         case MBEDTLS_SSL_CERTIFICATE_VERIFY:
04091             ret = ssl_parse_certificate_verify( ssl );
04092             break;
04093 
04094         case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
04095             ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
04096             break;
04097 
04098         case MBEDTLS_SSL_CLIENT_FINISHED:
04099             ret = mbedtls_ssl_parse_finished( ssl );
04100             break;
04101 
04102         /*
04103          *  ==> ( NewSessionTicket )
04104          *        ChangeCipherSpec
04105          *        Finished
04106          */
04107         case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
04108 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
04109             if( ssl->handshake->new_session_ticket != 0 )
04110                 ret = ssl_write_new_session_ticket( ssl );
04111             else
04112 #endif
04113                 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
04114             break;
04115 
04116         case MBEDTLS_SSL_SERVER_FINISHED:
04117             ret = mbedtls_ssl_write_finished( ssl );
04118             break;
04119 
04120         case MBEDTLS_SSL_FLUSH_BUFFERS:
04121             MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
04122             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
04123             break;
04124 
04125         case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
04126             mbedtls_ssl_handshake_wrapup( ssl );
04127             break;
04128 
04129         default:
04130             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
04131             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
04132     }
04133 
04134     return( ret );
04135 }
04136 #endif /* MBEDTLS_SSL_SRV_C */