pegasus_dev

Users » switches » Code » pegasus_dev

features/mbedtls/src/ssl_tls.c@3:1198227e6421, 2016-12-16 (annotated)

Committer:: switches
Date:: Fri Dec 16 16:27:57 2016 +0000
Revision:: 3:1198227e6421
Parent:: 0:5c4d7b2438d3

Changed ADC scale for MAX32625 platforms to 1.2V full scale to match MAX32630 platforms

Who changed what in which revision?

User	Revision	Line number	New contents of line
switches	0:5c4d7b2438d3	1	/*
switches	0:5c4d7b2438d3	2	* SSLv3/TLSv1 shared functions
switches	0:5c4d7b2438d3	3	*
switches	0:5c4d7b2438d3	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
switches	0:5c4d7b2438d3	5	* SPDX-License-Identifier: Apache-2.0
switches	0:5c4d7b2438d3	6	*
switches	0:5c4d7b2438d3	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
switches	0:5c4d7b2438d3	8	* not use this file except in compliance with the License.
switches	0:5c4d7b2438d3	9	* You may obtain a copy of the License at
switches	0:5c4d7b2438d3	10	*
switches	0:5c4d7b2438d3	11	* http://www.apache.org/licenses/LICENSE-2.0
switches	0:5c4d7b2438d3	12	*
switches	0:5c4d7b2438d3	13	* Unless required by applicable law or agreed to in writing, software
switches	0:5c4d7b2438d3	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
switches	0:5c4d7b2438d3	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
switches	0:5c4d7b2438d3	16	* See the License for the specific language governing permissions and
switches	0:5c4d7b2438d3	17	* limitations under the License.
switches	0:5c4d7b2438d3	18	*
switches	0:5c4d7b2438d3	19	* This file is part of mbed TLS (https://tls.mbed.org)
switches	0:5c4d7b2438d3	20	*/
switches	0:5c4d7b2438d3	21	/*
switches	0:5c4d7b2438d3	22	* The SSL 3.0 specification was drafted by Netscape in 1996,
switches	0:5c4d7b2438d3	23	* and became an IETF standard in 1999.
switches	0:5c4d7b2438d3	24	*
switches	0:5c4d7b2438d3	25	* http://wp.netscape.com/eng/ssl3/
switches	0:5c4d7b2438d3	26	* http://www.ietf.org/rfc/rfc2246.txt
switches	0:5c4d7b2438d3	27	* http://www.ietf.org/rfc/rfc4346.txt
switches	0:5c4d7b2438d3	28	*/
switches	0:5c4d7b2438d3	29
switches	0:5c4d7b2438d3	30	#if !defined(MBEDTLS_CONFIG_FILE)
switches	0:5c4d7b2438d3	31	#include "mbedtls/config.h"
switches	0:5c4d7b2438d3	32	#else
switches	0:5c4d7b2438d3	33	#include MBEDTLS_CONFIG_FILE
switches	0:5c4d7b2438d3	34	#endif
switches	0:5c4d7b2438d3	35
switches	0:5c4d7b2438d3	36	#if defined(MBEDTLS_SSL_TLS_C)
switches	0:5c4d7b2438d3	37
switches	0:5c4d7b2438d3	38	#if defined(MBEDTLS_PLATFORM_C)
switches	0:5c4d7b2438d3	39	#include "mbedtls/platform.h"
switches	0:5c4d7b2438d3	40	#else
switches	0:5c4d7b2438d3	41	#include <stdlib.h>
switches	0:5c4d7b2438d3	42	#define mbedtls_calloc calloc
switches	0:5c4d7b2438d3	43	#define mbedtls_free free
switches	0:5c4d7b2438d3	44	#endif
switches	0:5c4d7b2438d3	45
switches	0:5c4d7b2438d3	46	#include "mbedtls/debug.h"
switches	0:5c4d7b2438d3	47	#include "mbedtls/ssl.h"
switches	0:5c4d7b2438d3	48	#include "mbedtls/ssl_internal.h"
switches	0:5c4d7b2438d3	49
switches	0:5c4d7b2438d3	50	#include <string.h>
switches	0:5c4d7b2438d3	51
switches	0:5c4d7b2438d3	52	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	53	#include "mbedtls/oid.h"
switches	0:5c4d7b2438d3	54	#endif
switches	0:5c4d7b2438d3	55
switches	0:5c4d7b2438d3	56	/* Implementation that should never be optimized out by the compiler */
switches	0:5c4d7b2438d3	57	static void mbedtls_zeroize( void *v, size_t n ) {
switches	0:5c4d7b2438d3	58	volatile unsigned char p = v; while( n-- ) p++ = 0;
switches	0:5c4d7b2438d3	59	}
switches	0:5c4d7b2438d3	60
switches	0:5c4d7b2438d3	61	/* Length of the "epoch" field in the record header */
switches	0:5c4d7b2438d3	62	static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	63	{
switches	0:5c4d7b2438d3	64	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	65	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	66	return( 2 );
switches	0:5c4d7b2438d3	67	#else
switches	0:5c4d7b2438d3	68	((void) ssl);
switches	0:5c4d7b2438d3	69	#endif
switches	0:5c4d7b2438d3	70	return( 0 );
switches	0:5c4d7b2438d3	71	}
switches	0:5c4d7b2438d3	72
switches	0:5c4d7b2438d3	73	/*
switches	0:5c4d7b2438d3	74	* Start a timer.
switches	0:5c4d7b2438d3	75	* Passing millisecs = 0 cancels a running timer.
switches	0:5c4d7b2438d3	76	*/
switches	0:5c4d7b2438d3	77	static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
switches	0:5c4d7b2438d3	78	{
switches	0:5c4d7b2438d3	79	if( ssl->f_set_timer == NULL )
switches	0:5c4d7b2438d3	80	return;
switches	0:5c4d7b2438d3	81
switches	0:5c4d7b2438d3	82	MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
switches	0:5c4d7b2438d3	83	ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
switches	0:5c4d7b2438d3	84	}
switches	0:5c4d7b2438d3	85
switches	0:5c4d7b2438d3	86	/*
switches	0:5c4d7b2438d3	87	* Return -1 is timer is expired, 0 if it isn't.
switches	0:5c4d7b2438d3	88	*/
switches	0:5c4d7b2438d3	89	static int ssl_check_timer( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	90	{
switches	0:5c4d7b2438d3	91	if( ssl->f_get_timer == NULL )
switches	0:5c4d7b2438d3	92	return( 0 );
switches	0:5c4d7b2438d3	93
switches	0:5c4d7b2438d3	94	if( ssl->f_get_timer( ssl->p_timer ) == 2 )
switches	0:5c4d7b2438d3	95	{
switches	0:5c4d7b2438d3	96	MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
switches	0:5c4d7b2438d3	97	return( -1 );
switches	0:5c4d7b2438d3	98	}
switches	0:5c4d7b2438d3	99
switches	0:5c4d7b2438d3	100	return( 0 );
switches	0:5c4d7b2438d3	101	}
switches	0:5c4d7b2438d3	102
switches	0:5c4d7b2438d3	103	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	104	/*
switches	0:5c4d7b2438d3	105	* Double the retransmit timeout value, within the allowed range,
switches	0:5c4d7b2438d3	106	* returning -1 if the maximum value has already been reached.
switches	0:5c4d7b2438d3	107	*/
switches	0:5c4d7b2438d3	108	static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	109	{
switches	0:5c4d7b2438d3	110	uint32_t new_timeout;
switches	0:5c4d7b2438d3	111
switches	0:5c4d7b2438d3	112	if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
switches	0:5c4d7b2438d3	113	return( -1 );
switches	0:5c4d7b2438d3	114
switches	0:5c4d7b2438d3	115	new_timeout = 2 * ssl->handshake->retransmit_timeout;
switches	0:5c4d7b2438d3	116
switches	0:5c4d7b2438d3	117	/* Avoid arithmetic overflow and range overflow */
switches	0:5c4d7b2438d3	118	if( new_timeout < ssl->handshake->retransmit_timeout \|\|
switches	0:5c4d7b2438d3	119	new_timeout > ssl->conf->hs_timeout_max )
switches	0:5c4d7b2438d3	120	{
switches	0:5c4d7b2438d3	121	new_timeout = ssl->conf->hs_timeout_max;
switches	0:5c4d7b2438d3	122	}
switches	0:5c4d7b2438d3	123
switches	0:5c4d7b2438d3	124	ssl->handshake->retransmit_timeout = new_timeout;
switches	0:5c4d7b2438d3	125	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
switches	0:5c4d7b2438d3	126	ssl->handshake->retransmit_timeout ) );
switches	0:5c4d7b2438d3	127
switches	0:5c4d7b2438d3	128	return( 0 );
switches	0:5c4d7b2438d3	129	}
switches	0:5c4d7b2438d3	130
switches	0:5c4d7b2438d3	131	static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	132	{
switches	0:5c4d7b2438d3	133	ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
switches	0:5c4d7b2438d3	134	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
switches	0:5c4d7b2438d3	135	ssl->handshake->retransmit_timeout ) );
switches	0:5c4d7b2438d3	136	}
switches	0:5c4d7b2438d3	137	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	138
switches	0:5c4d7b2438d3	139	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
switches	0:5c4d7b2438d3	140	/*
switches	0:5c4d7b2438d3	141	* Convert max_fragment_length codes to length.
switches	0:5c4d7b2438d3	142	* RFC 6066 says:
switches	0:5c4d7b2438d3	143	* enum{
switches	0:5c4d7b2438d3	144	* 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
switches	0:5c4d7b2438d3	145	* } MaxFragmentLength;
switches	0:5c4d7b2438d3	146	* and we add 0 -> extension unused
switches	0:5c4d7b2438d3	147	*/
switches	0:5c4d7b2438d3	148	static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
switches	0:5c4d7b2438d3	149	{
switches	0:5c4d7b2438d3	150	MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
switches	0:5c4d7b2438d3	151	512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */
switches	0:5c4d7b2438d3	152	1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
switches	0:5c4d7b2438d3	153	2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
switches	0:5c4d7b2438d3	154	4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
switches	0:5c4d7b2438d3	155	};
switches	0:5c4d7b2438d3	156	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
switches	0:5c4d7b2438d3	157
switches	0:5c4d7b2438d3	158	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	159	static int ssl_session_copy( mbedtls_ssl_session dst, const mbedtls_ssl_session src )
switches	0:5c4d7b2438d3	160	{
switches	0:5c4d7b2438d3	161	mbedtls_ssl_session_free( dst );
switches	0:5c4d7b2438d3	162	memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
switches	0:5c4d7b2438d3	163
switches	0:5c4d7b2438d3	164	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	165	if( src->peer_cert != NULL )
switches	0:5c4d7b2438d3	166	{
switches	0:5c4d7b2438d3	167	int ret;
switches	0:5c4d7b2438d3	168
switches	0:5c4d7b2438d3	169	dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
switches	0:5c4d7b2438d3	170	if( dst->peer_cert == NULL )
switches	0:5c4d7b2438d3	171	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	172
switches	0:5c4d7b2438d3	173	mbedtls_x509_crt_init( dst->peer_cert );
switches	0:5c4d7b2438d3	174
switches	0:5c4d7b2438d3	175	if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
switches	0:5c4d7b2438d3	176	src->peer_cert->raw.len ) ) != 0 )
switches	0:5c4d7b2438d3	177	{
switches	0:5c4d7b2438d3	178	mbedtls_free( dst->peer_cert );
switches	0:5c4d7b2438d3	179	dst->peer_cert = NULL;
switches	0:5c4d7b2438d3	180	return( ret );
switches	0:5c4d7b2438d3	181	}
switches	0:5c4d7b2438d3	182	}
switches	0:5c4d7b2438d3	183	#endif /* MBEDTLS_X509_CRT_PARSE_C */
switches	0:5c4d7b2438d3	184
switches	0:5c4d7b2438d3	185	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	186	if( src->ticket != NULL )
switches	0:5c4d7b2438d3	187	{
switches	0:5c4d7b2438d3	188	dst->ticket = mbedtls_calloc( 1, src->ticket_len );
switches	0:5c4d7b2438d3	189	if( dst->ticket == NULL )
switches	0:5c4d7b2438d3	190	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	191
switches	0:5c4d7b2438d3	192	memcpy( dst->ticket, src->ticket, src->ticket_len );
switches	0:5c4d7b2438d3	193	}
switches	0:5c4d7b2438d3	194	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	195
switches	0:5c4d7b2438d3	196	return( 0 );
switches	0:5c4d7b2438d3	197	}
switches	0:5c4d7b2438d3	198	#endif /* MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	199
switches	0:5c4d7b2438d3	200	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	201	int (mbedtls_ssl_hw_record_init)( mbedtls_ssl_context ssl,
switches	0:5c4d7b2438d3	202	const unsigned char key_enc, const unsigned char key_dec,
switches	0:5c4d7b2438d3	203	size_t keylen,
switches	0:5c4d7b2438d3	204	const unsigned char iv_enc, const unsigned char iv_dec,
switches	0:5c4d7b2438d3	205	size_t ivlen,
switches	0:5c4d7b2438d3	206	const unsigned char mac_enc, const unsigned char mac_dec,
switches	0:5c4d7b2438d3	207	size_t maclen ) = NULL;
switches	0:5c4d7b2438d3	208	int (mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context ssl, int direction) = NULL;
switches	0:5c4d7b2438d3	209	int (mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context ssl ) = NULL;
switches	0:5c4d7b2438d3	210	int (mbedtls_ssl_hw_record_write)( mbedtls_ssl_context ssl ) = NULL;
switches	0:5c4d7b2438d3	211	int (mbedtls_ssl_hw_record_read)( mbedtls_ssl_context ssl ) = NULL;
switches	0:5c4d7b2438d3	212	int (mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context ssl ) = NULL;
switches	0:5c4d7b2438d3	213	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
switches	0:5c4d7b2438d3	214
switches	0:5c4d7b2438d3	215	/*
switches	0:5c4d7b2438d3	216	* Key material generation
switches	0:5c4d7b2438d3	217	*/
switches	0:5c4d7b2438d3	218	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	219	static int ssl3_prf( const unsigned char *secret, size_t slen,
switches	0:5c4d7b2438d3	220	const char *label,
switches	0:5c4d7b2438d3	221	const unsigned char *random, size_t rlen,
switches	0:5c4d7b2438d3	222	unsigned char *dstbuf, size_t dlen )
switches	0:5c4d7b2438d3	223	{
switches	0:5c4d7b2438d3	224	size_t i;
switches	0:5c4d7b2438d3	225	mbedtls_md5_context md5;
switches	0:5c4d7b2438d3	226	mbedtls_sha1_context sha1;
switches	0:5c4d7b2438d3	227	unsigned char padding[16];
switches	0:5c4d7b2438d3	228	unsigned char sha1sum[20];
switches	0:5c4d7b2438d3	229	((void)label);
switches	0:5c4d7b2438d3	230
switches	0:5c4d7b2438d3	231	mbedtls_md5_init( &md5 );
switches	0:5c4d7b2438d3	232	mbedtls_sha1_init( &sha1 );
switches	0:5c4d7b2438d3	233
switches	0:5c4d7b2438d3	234	/*
switches	0:5c4d7b2438d3	235	* SSLv3:
switches	0:5c4d7b2438d3	236	* block =
switches	0:5c4d7b2438d3	237	* MD5( secret + SHA1( 'A' + secret + random ) ) +
switches	0:5c4d7b2438d3	238	* MD5( secret + SHA1( 'BB' + secret + random ) ) +
switches	0:5c4d7b2438d3	239	* MD5( secret + SHA1( 'CCC' + secret + random ) ) +
switches	0:5c4d7b2438d3	240	* ...
switches	0:5c4d7b2438d3	241	*/
switches	0:5c4d7b2438d3	242	for( i = 0; i < dlen / 16; i++ )
switches	0:5c4d7b2438d3	243	{
switches	0:5c4d7b2438d3	244	memset( padding, (unsigned char) ('A' + i), 1 + i );
switches	0:5c4d7b2438d3	245
switches	0:5c4d7b2438d3	246	mbedtls_sha1_starts( &sha1 );
switches	0:5c4d7b2438d3	247	mbedtls_sha1_update( &sha1, padding, 1 + i );
switches	0:5c4d7b2438d3	248	mbedtls_sha1_update( &sha1, secret, slen );
switches	0:5c4d7b2438d3	249	mbedtls_sha1_update( &sha1, random, rlen );
switches	0:5c4d7b2438d3	250	mbedtls_sha1_finish( &sha1, sha1sum );
switches	0:5c4d7b2438d3	251
switches	0:5c4d7b2438d3	252	mbedtls_md5_starts( &md5 );
switches	0:5c4d7b2438d3	253	mbedtls_md5_update( &md5, secret, slen );
switches	0:5c4d7b2438d3	254	mbedtls_md5_update( &md5, sha1sum, 20 );
switches	0:5c4d7b2438d3	255	mbedtls_md5_finish( &md5, dstbuf + i * 16 );
switches	0:5c4d7b2438d3	256	}
switches	0:5c4d7b2438d3	257
switches	0:5c4d7b2438d3	258	mbedtls_md5_free( &md5 );
switches	0:5c4d7b2438d3	259	mbedtls_sha1_free( &sha1 );
switches	0:5c4d7b2438d3	260
switches	0:5c4d7b2438d3	261	mbedtls_zeroize( padding, sizeof( padding ) );
switches	0:5c4d7b2438d3	262	mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
switches	0:5c4d7b2438d3	263
switches	0:5c4d7b2438d3	264	return( 0 );
switches	0:5c4d7b2438d3	265	}
switches	0:5c4d7b2438d3	266	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	267
switches	0:5c4d7b2438d3	268	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	269	static int tls1_prf( const unsigned char *secret, size_t slen,
switches	0:5c4d7b2438d3	270	const char *label,
switches	0:5c4d7b2438d3	271	const unsigned char *random, size_t rlen,
switches	0:5c4d7b2438d3	272	unsigned char *dstbuf, size_t dlen )
switches	0:5c4d7b2438d3	273	{
switches	0:5c4d7b2438d3	274	size_t nb, hs;
switches	0:5c4d7b2438d3	275	size_t i, j, k;
switches	0:5c4d7b2438d3	276	const unsigned char S1, S2;
switches	0:5c4d7b2438d3	277	unsigned char tmp[128];
switches	0:5c4d7b2438d3	278	unsigned char h_i[20];
switches	0:5c4d7b2438d3	279	const mbedtls_md_info_t *md_info;
switches	0:5c4d7b2438d3	280	mbedtls_md_context_t md_ctx;
switches	0:5c4d7b2438d3	281	int ret;
switches	0:5c4d7b2438d3	282
switches	0:5c4d7b2438d3	283	mbedtls_md_init( &md_ctx );
switches	0:5c4d7b2438d3	284
switches	0:5c4d7b2438d3	285	if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
switches	0:5c4d7b2438d3	286	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	287
switches	0:5c4d7b2438d3	288	hs = ( slen + 1 ) / 2;
switches	0:5c4d7b2438d3	289	S1 = secret;
switches	0:5c4d7b2438d3	290	S2 = secret + slen - hs;
switches	0:5c4d7b2438d3	291
switches	0:5c4d7b2438d3	292	nb = strlen( label );
switches	0:5c4d7b2438d3	293	memcpy( tmp + 20, label, nb );
switches	0:5c4d7b2438d3	294	memcpy( tmp + 20 + nb, random, rlen );
switches	0:5c4d7b2438d3	295	nb += rlen;
switches	0:5c4d7b2438d3	296
switches	0:5c4d7b2438d3	297	/*
switches	0:5c4d7b2438d3	298	* First compute P_md5(secret,label+random)[0..dlen]
switches	0:5c4d7b2438d3	299	*/
switches	0:5c4d7b2438d3	300	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
switches	0:5c4d7b2438d3	301	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	302
switches	0:5c4d7b2438d3	303	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
switches	0:5c4d7b2438d3	304	return( ret );
switches	0:5c4d7b2438d3	305
switches	0:5c4d7b2438d3	306	mbedtls_md_hmac_starts( &md_ctx, S1, hs );
switches	0:5c4d7b2438d3	307	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
switches	0:5c4d7b2438d3	308	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
switches	0:5c4d7b2438d3	309
switches	0:5c4d7b2438d3	310	for( i = 0; i < dlen; i += 16 )
switches	0:5c4d7b2438d3	311	{
switches	0:5c4d7b2438d3	312	mbedtls_md_hmac_reset ( &md_ctx );
switches	0:5c4d7b2438d3	313	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
switches	0:5c4d7b2438d3	314	mbedtls_md_hmac_finish( &md_ctx, h_i );
switches	0:5c4d7b2438d3	315
switches	0:5c4d7b2438d3	316	mbedtls_md_hmac_reset ( &md_ctx );
switches	0:5c4d7b2438d3	317	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
switches	0:5c4d7b2438d3	318	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
switches	0:5c4d7b2438d3	319
switches	0:5c4d7b2438d3	320	k = ( i + 16 > dlen ) ? dlen % 16 : 16;
switches	0:5c4d7b2438d3	321
switches	0:5c4d7b2438d3	322	for( j = 0; j < k; j++ )
switches	0:5c4d7b2438d3	323	dstbuf[i + j] = h_i[j];
switches	0:5c4d7b2438d3	324	}
switches	0:5c4d7b2438d3	325
switches	0:5c4d7b2438d3	326	mbedtls_md_free( &md_ctx );
switches	0:5c4d7b2438d3	327
switches	0:5c4d7b2438d3	328	/*
switches	0:5c4d7b2438d3	329	* XOR out with P_sha1(secret,label+random)[0..dlen]
switches	0:5c4d7b2438d3	330	*/
switches	0:5c4d7b2438d3	331	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
switches	0:5c4d7b2438d3	332	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	333
switches	0:5c4d7b2438d3	334	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
switches	0:5c4d7b2438d3	335	return( ret );
switches	0:5c4d7b2438d3	336
switches	0:5c4d7b2438d3	337	mbedtls_md_hmac_starts( &md_ctx, S2, hs );
switches	0:5c4d7b2438d3	338	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
switches	0:5c4d7b2438d3	339	mbedtls_md_hmac_finish( &md_ctx, tmp );
switches	0:5c4d7b2438d3	340
switches	0:5c4d7b2438d3	341	for( i = 0; i < dlen; i += 20 )
switches	0:5c4d7b2438d3	342	{
switches	0:5c4d7b2438d3	343	mbedtls_md_hmac_reset ( &md_ctx );
switches	0:5c4d7b2438d3	344	mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
switches	0:5c4d7b2438d3	345	mbedtls_md_hmac_finish( &md_ctx, h_i );
switches	0:5c4d7b2438d3	346
switches	0:5c4d7b2438d3	347	mbedtls_md_hmac_reset ( &md_ctx );
switches	0:5c4d7b2438d3	348	mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
switches	0:5c4d7b2438d3	349	mbedtls_md_hmac_finish( &md_ctx, tmp );
switches	0:5c4d7b2438d3	350
switches	0:5c4d7b2438d3	351	k = ( i + 20 > dlen ) ? dlen % 20 : 20;
switches	0:5c4d7b2438d3	352
switches	0:5c4d7b2438d3	353	for( j = 0; j < k; j++ )
switches	0:5c4d7b2438d3	354	dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
switches	0:5c4d7b2438d3	355	}
switches	0:5c4d7b2438d3	356
switches	0:5c4d7b2438d3	357	mbedtls_md_free( &md_ctx );
switches	0:5c4d7b2438d3	358
switches	0:5c4d7b2438d3	359	mbedtls_zeroize( tmp, sizeof( tmp ) );
switches	0:5c4d7b2438d3	360	mbedtls_zeroize( h_i, sizeof( h_i ) );
switches	0:5c4d7b2438d3	361
switches	0:5c4d7b2438d3	362	return( 0 );
switches	0:5c4d7b2438d3	363	}
switches	0:5c4d7b2438d3	364	#endif /* MBEDTLS_SSL_PROTO_TLS1) \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
switches	0:5c4d7b2438d3	365
switches	0:5c4d7b2438d3	366	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	367	static int tls_prf_generic( mbedtls_md_type_t md_type,
switches	0:5c4d7b2438d3	368	const unsigned char *secret, size_t slen,
switches	0:5c4d7b2438d3	369	const char *label,
switches	0:5c4d7b2438d3	370	const unsigned char *random, size_t rlen,
switches	0:5c4d7b2438d3	371	unsigned char *dstbuf, size_t dlen )
switches	0:5c4d7b2438d3	372	{
switches	0:5c4d7b2438d3	373	size_t nb;
switches	0:5c4d7b2438d3	374	size_t i, j, k, md_len;
switches	0:5c4d7b2438d3	375	unsigned char tmp[128];
switches	0:5c4d7b2438d3	376	unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
switches	0:5c4d7b2438d3	377	const mbedtls_md_info_t *md_info;
switches	0:5c4d7b2438d3	378	mbedtls_md_context_t md_ctx;
switches	0:5c4d7b2438d3	379	int ret;
switches	0:5c4d7b2438d3	380
switches	0:5c4d7b2438d3	381	mbedtls_md_init( &md_ctx );
switches	0:5c4d7b2438d3	382
switches	0:5c4d7b2438d3	383	if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
switches	0:5c4d7b2438d3	384	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	385
switches	0:5c4d7b2438d3	386	md_len = mbedtls_md_get_size( md_info );
switches	0:5c4d7b2438d3	387
switches	0:5c4d7b2438d3	388	if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
switches	0:5c4d7b2438d3	389	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	390
switches	0:5c4d7b2438d3	391	nb = strlen( label );
switches	0:5c4d7b2438d3	392	memcpy( tmp + md_len, label, nb );
switches	0:5c4d7b2438d3	393	memcpy( tmp + md_len + nb, random, rlen );
switches	0:5c4d7b2438d3	394	nb += rlen;
switches	0:5c4d7b2438d3	395
switches	0:5c4d7b2438d3	396	/*
switches	0:5c4d7b2438d3	397	* Compute P_<hash>(secret, label + random)[0..dlen]
switches	0:5c4d7b2438d3	398	*/
switches	0:5c4d7b2438d3	399	if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
switches	0:5c4d7b2438d3	400	return( ret );
switches	0:5c4d7b2438d3	401
switches	0:5c4d7b2438d3	402	mbedtls_md_hmac_starts( &md_ctx, secret, slen );
switches	0:5c4d7b2438d3	403	mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
switches	0:5c4d7b2438d3	404	mbedtls_md_hmac_finish( &md_ctx, tmp );
switches	0:5c4d7b2438d3	405
switches	0:5c4d7b2438d3	406	for( i = 0; i < dlen; i += md_len )
switches	0:5c4d7b2438d3	407	{
switches	0:5c4d7b2438d3	408	mbedtls_md_hmac_reset ( &md_ctx );
switches	0:5c4d7b2438d3	409	mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
switches	0:5c4d7b2438d3	410	mbedtls_md_hmac_finish( &md_ctx, h_i );
switches	0:5c4d7b2438d3	411
switches	0:5c4d7b2438d3	412	mbedtls_md_hmac_reset ( &md_ctx );
switches	0:5c4d7b2438d3	413	mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
switches	0:5c4d7b2438d3	414	mbedtls_md_hmac_finish( &md_ctx, tmp );
switches	0:5c4d7b2438d3	415
switches	0:5c4d7b2438d3	416	k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
switches	0:5c4d7b2438d3	417
switches	0:5c4d7b2438d3	418	for( j = 0; j < k; j++ )
switches	0:5c4d7b2438d3	419	dstbuf[i + j] = h_i[j];
switches	0:5c4d7b2438d3	420	}
switches	0:5c4d7b2438d3	421
switches	0:5c4d7b2438d3	422	mbedtls_md_free( &md_ctx );
switches	0:5c4d7b2438d3	423
switches	0:5c4d7b2438d3	424	mbedtls_zeroize( tmp, sizeof( tmp ) );
switches	0:5c4d7b2438d3	425	mbedtls_zeroize( h_i, sizeof( h_i ) );
switches	0:5c4d7b2438d3	426
switches	0:5c4d7b2438d3	427	return( 0 );
switches	0:5c4d7b2438d3	428	}
switches	0:5c4d7b2438d3	429
switches	0:5c4d7b2438d3	430	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	431	static int tls_prf_sha256( const unsigned char *secret, size_t slen,
switches	0:5c4d7b2438d3	432	const char *label,
switches	0:5c4d7b2438d3	433	const unsigned char *random, size_t rlen,
switches	0:5c4d7b2438d3	434	unsigned char *dstbuf, size_t dlen )
switches	0:5c4d7b2438d3	435	{
switches	0:5c4d7b2438d3	436	return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
switches	0:5c4d7b2438d3	437	label, random, rlen, dstbuf, dlen ) );
switches	0:5c4d7b2438d3	438	}
switches	0:5c4d7b2438d3	439	#endif /* MBEDTLS_SHA256_C */
switches	0:5c4d7b2438d3	440
switches	0:5c4d7b2438d3	441	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	442	static int tls_prf_sha384( const unsigned char *secret, size_t slen,
switches	0:5c4d7b2438d3	443	const char *label,
switches	0:5c4d7b2438d3	444	const unsigned char *random, size_t rlen,
switches	0:5c4d7b2438d3	445	unsigned char *dstbuf, size_t dlen )
switches	0:5c4d7b2438d3	446	{
switches	0:5c4d7b2438d3	447	return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
switches	0:5c4d7b2438d3	448	label, random, rlen, dstbuf, dlen ) );
switches	0:5c4d7b2438d3	449	}
switches	0:5c4d7b2438d3	450	#endif /* MBEDTLS_SHA512_C */
switches	0:5c4d7b2438d3	451	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	452
switches	0:5c4d7b2438d3	453	static void ssl_update_checksum_start( mbedtls_ssl_context , const unsigned char , size_t );
switches	0:5c4d7b2438d3	454
switches	0:5c4d7b2438d3	455	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
switches	0:5c4d7b2438d3	456	defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	457	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context , const unsigned char , size_t );
switches	0:5c4d7b2438d3	458	#endif
switches	0:5c4d7b2438d3	459
switches	0:5c4d7b2438d3	460	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	461	static void ssl_calc_verify_ssl( mbedtls_ssl_context , unsigned char );
switches	0:5c4d7b2438d3	462	static void ssl_calc_finished_ssl( mbedtls_ssl_context , unsigned char , int );
switches	0:5c4d7b2438d3	463	#endif
switches	0:5c4d7b2438d3	464
switches	0:5c4d7b2438d3	465	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	466	static void ssl_calc_verify_tls( mbedtls_ssl_context , unsigned char );
switches	0:5c4d7b2438d3	467	static void ssl_calc_finished_tls( mbedtls_ssl_context , unsigned char , int );
switches	0:5c4d7b2438d3	468	#endif
switches	0:5c4d7b2438d3	469
switches	0:5c4d7b2438d3	470	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	471	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	472	static void ssl_update_checksum_sha256( mbedtls_ssl_context , const unsigned char , size_t );
switches	0:5c4d7b2438d3	473	static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context ,unsigned char );
switches	0:5c4d7b2438d3	474	static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context ,unsigned char , int );
switches	0:5c4d7b2438d3	475	#endif
switches	0:5c4d7b2438d3	476
switches	0:5c4d7b2438d3	477	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	478	static void ssl_update_checksum_sha384( mbedtls_ssl_context , const unsigned char , size_t );
switches	0:5c4d7b2438d3	479	static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context , unsigned char );
switches	0:5c4d7b2438d3	480	static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context , unsigned char , int );
switches	0:5c4d7b2438d3	481	#endif
switches	0:5c4d7b2438d3	482	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	483
switches	0:5c4d7b2438d3	484	int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	485	{
switches	0:5c4d7b2438d3	486	int ret = 0;
switches	0:5c4d7b2438d3	487	unsigned char tmp[64];
switches	0:5c4d7b2438d3	488	unsigned char keyblk[256];
switches	0:5c4d7b2438d3	489	unsigned char *key1;
switches	0:5c4d7b2438d3	490	unsigned char *key2;
switches	0:5c4d7b2438d3	491	unsigned char *mac_enc;
switches	0:5c4d7b2438d3	492	unsigned char *mac_dec;
switches	0:5c4d7b2438d3	493	size_t iv_copy_len;
switches	0:5c4d7b2438d3	494	const mbedtls_cipher_info_t *cipher_info;
switches	0:5c4d7b2438d3	495	const mbedtls_md_info_t *md_info;
switches	0:5c4d7b2438d3	496
switches	0:5c4d7b2438d3	497	mbedtls_ssl_session *session = ssl->session_negotiate;
switches	0:5c4d7b2438d3	498	mbedtls_ssl_transform *transform = ssl->transform_negotiate;
switches	0:5c4d7b2438d3	499	mbedtls_ssl_handshake_params *handshake = ssl->handshake;
switches	0:5c4d7b2438d3	500
switches	0:5c4d7b2438d3	501	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
switches	0:5c4d7b2438d3	502
switches	0:5c4d7b2438d3	503	cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
switches	0:5c4d7b2438d3	504	if( cipher_info == NULL )
switches	0:5c4d7b2438d3	505	{
switches	0:5c4d7b2438d3	506	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
switches	0:5c4d7b2438d3	507	transform->ciphersuite_info->cipher ) );
switches	0:5c4d7b2438d3	508	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	509	}
switches	0:5c4d7b2438d3	510
switches	0:5c4d7b2438d3	511	md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
switches	0:5c4d7b2438d3	512	if( md_info == NULL )
switches	0:5c4d7b2438d3	513	{
switches	0:5c4d7b2438d3	514	MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
switches	0:5c4d7b2438d3	515	transform->ciphersuite_info->mac ) );
switches	0:5c4d7b2438d3	516	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	517	}
switches	0:5c4d7b2438d3	518
switches	0:5c4d7b2438d3	519	/*
switches	0:5c4d7b2438d3	520	* Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
switches	0:5c4d7b2438d3	521	*/
switches	0:5c4d7b2438d3	522	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	523	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	524	{
switches	0:5c4d7b2438d3	525	handshake->tls_prf = ssl3_prf;
switches	0:5c4d7b2438d3	526	handshake->calc_verify = ssl_calc_verify_ssl;
switches	0:5c4d7b2438d3	527	handshake->calc_finished = ssl_calc_finished_ssl;
switches	0:5c4d7b2438d3	528	}
switches	0:5c4d7b2438d3	529	else
switches	0:5c4d7b2438d3	530	#endif
switches	0:5c4d7b2438d3	531	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	532	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
switches	0:5c4d7b2438d3	533	{
switches	0:5c4d7b2438d3	534	handshake->tls_prf = tls1_prf;
switches	0:5c4d7b2438d3	535	handshake->calc_verify = ssl_calc_verify_tls;
switches	0:5c4d7b2438d3	536	handshake->calc_finished = ssl_calc_finished_tls;
switches	0:5c4d7b2438d3	537	}
switches	0:5c4d7b2438d3	538	else
switches	0:5c4d7b2438d3	539	#endif
switches	0:5c4d7b2438d3	540	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	541	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	542	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
switches	0:5c4d7b2438d3	543	transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
switches	0:5c4d7b2438d3	544	{
switches	0:5c4d7b2438d3	545	handshake->tls_prf = tls_prf_sha384;
switches	0:5c4d7b2438d3	546	handshake->calc_verify = ssl_calc_verify_tls_sha384;
switches	0:5c4d7b2438d3	547	handshake->calc_finished = ssl_calc_finished_tls_sha384;
switches	0:5c4d7b2438d3	548	}
switches	0:5c4d7b2438d3	549	else
switches	0:5c4d7b2438d3	550	#endif
switches	0:5c4d7b2438d3	551	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	552	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
switches	0:5c4d7b2438d3	553	{
switches	0:5c4d7b2438d3	554	handshake->tls_prf = tls_prf_sha256;
switches	0:5c4d7b2438d3	555	handshake->calc_verify = ssl_calc_verify_tls_sha256;
switches	0:5c4d7b2438d3	556	handshake->calc_finished = ssl_calc_finished_tls_sha256;
switches	0:5c4d7b2438d3	557	}
switches	0:5c4d7b2438d3	558	else
switches	0:5c4d7b2438d3	559	#endif
switches	0:5c4d7b2438d3	560	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	561	{
switches	0:5c4d7b2438d3	562	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	563	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	564	}
switches	0:5c4d7b2438d3	565
switches	0:5c4d7b2438d3	566	/*
switches	0:5c4d7b2438d3	567	* SSLv3:
switches	0:5c4d7b2438d3	568	* master =
switches	0:5c4d7b2438d3	569	* MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
switches	0:5c4d7b2438d3	570	* MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
switches	0:5c4d7b2438d3	571	* MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
switches	0:5c4d7b2438d3	572	*
switches	0:5c4d7b2438d3	573	* TLSv1+:
switches	0:5c4d7b2438d3	574	* master = PRF( premaster, "master secret", randbytes )[0..47]
switches	0:5c4d7b2438d3	575	*/
switches	0:5c4d7b2438d3	576	if( handshake->resume == 0 )
switches	0:5c4d7b2438d3	577	{
switches	0:5c4d7b2438d3	578	MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
switches	0:5c4d7b2438d3	579	handshake->pmslen );
switches	0:5c4d7b2438d3	580
switches	0:5c4d7b2438d3	581	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
switches	0:5c4d7b2438d3	582	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
switches	0:5c4d7b2438d3	583	{
switches	0:5c4d7b2438d3	584	unsigned char session_hash[48];
switches	0:5c4d7b2438d3	585	size_t hash_len;
switches	0:5c4d7b2438d3	586
switches	0:5c4d7b2438d3	587	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
switches	0:5c4d7b2438d3	588
switches	0:5c4d7b2438d3	589	ssl->handshake->calc_verify( ssl, session_hash );
switches	0:5c4d7b2438d3	590
switches	0:5c4d7b2438d3	591	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	592	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
switches	0:5c4d7b2438d3	593	{
switches	0:5c4d7b2438d3	594	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	595	if( ssl->transform_negotiate->ciphersuite_info->mac ==
switches	0:5c4d7b2438d3	596	MBEDTLS_MD_SHA384 )
switches	0:5c4d7b2438d3	597	{
switches	0:5c4d7b2438d3	598	hash_len = 48;
switches	0:5c4d7b2438d3	599	}
switches	0:5c4d7b2438d3	600	else
switches	0:5c4d7b2438d3	601	#endif
switches	0:5c4d7b2438d3	602	hash_len = 32;
switches	0:5c4d7b2438d3	603	}
switches	0:5c4d7b2438d3	604	else
switches	0:5c4d7b2438d3	605	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	606	hash_len = 36;
switches	0:5c4d7b2438d3	607
switches	0:5c4d7b2438d3	608	MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
switches	0:5c4d7b2438d3	609
switches	0:5c4d7b2438d3	610	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
switches	0:5c4d7b2438d3	611	"extended master secret",
switches	0:5c4d7b2438d3	612	session_hash, hash_len,
switches	0:5c4d7b2438d3	613	session->master, 48 );
switches	0:5c4d7b2438d3	614	if( ret != 0 )
switches	0:5c4d7b2438d3	615	{
switches	0:5c4d7b2438d3	616	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
switches	0:5c4d7b2438d3	617	return( ret );
switches	0:5c4d7b2438d3	618	}
switches	0:5c4d7b2438d3	619
switches	0:5c4d7b2438d3	620	}
switches	0:5c4d7b2438d3	621	else
switches	0:5c4d7b2438d3	622	#endif
switches	0:5c4d7b2438d3	623	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
switches	0:5c4d7b2438d3	624	"master secret",
switches	0:5c4d7b2438d3	625	handshake->randbytes, 64,
switches	0:5c4d7b2438d3	626	session->master, 48 );
switches	0:5c4d7b2438d3	627	if( ret != 0 )
switches	0:5c4d7b2438d3	628	{
switches	0:5c4d7b2438d3	629	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
switches	0:5c4d7b2438d3	630	return( ret );
switches	0:5c4d7b2438d3	631	}
switches	0:5c4d7b2438d3	632
switches	0:5c4d7b2438d3	633	mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
switches	0:5c4d7b2438d3	634	}
switches	0:5c4d7b2438d3	635	else
switches	0:5c4d7b2438d3	636	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
switches	0:5c4d7b2438d3	637
switches	0:5c4d7b2438d3	638	/*
switches	0:5c4d7b2438d3	639	* Swap the client and server random values.
switches	0:5c4d7b2438d3	640	*/
switches	0:5c4d7b2438d3	641	memcpy( tmp, handshake->randbytes, 64 );
switches	0:5c4d7b2438d3	642	memcpy( handshake->randbytes, tmp + 32, 32 );
switches	0:5c4d7b2438d3	643	memcpy( handshake->randbytes + 32, tmp, 32 );
switches	0:5c4d7b2438d3	644	mbedtls_zeroize( tmp, sizeof( tmp ) );
switches	0:5c4d7b2438d3	645
switches	0:5c4d7b2438d3	646	/*
switches	0:5c4d7b2438d3	647	* SSLv3:
switches	0:5c4d7b2438d3	648	* key block =
switches	0:5c4d7b2438d3	649	* MD5( master + SHA1( 'A' + master + randbytes ) ) +
switches	0:5c4d7b2438d3	650	* MD5( master + SHA1( 'BB' + master + randbytes ) ) +
switches	0:5c4d7b2438d3	651	* MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
switches	0:5c4d7b2438d3	652	* MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
switches	0:5c4d7b2438d3	653	* ...
switches	0:5c4d7b2438d3	654	*
switches	0:5c4d7b2438d3	655	* TLSv1:
switches	0:5c4d7b2438d3	656	* key block = PRF( master, "key expansion", randbytes )
switches	0:5c4d7b2438d3	657	*/
switches	0:5c4d7b2438d3	658	ret = handshake->tls_prf( session->master, 48, "key expansion",
switches	0:5c4d7b2438d3	659	handshake->randbytes, 64, keyblk, 256 );
switches	0:5c4d7b2438d3	660	if( ret != 0 )
switches	0:5c4d7b2438d3	661	{
switches	0:5c4d7b2438d3	662	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
switches	0:5c4d7b2438d3	663	return( ret );
switches	0:5c4d7b2438d3	664	}
switches	0:5c4d7b2438d3	665
switches	0:5c4d7b2438d3	666	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
switches	0:5c4d7b2438d3	667	mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
switches	0:5c4d7b2438d3	668	MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
switches	0:5c4d7b2438d3	669	MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
switches	0:5c4d7b2438d3	670	MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
switches	0:5c4d7b2438d3	671
switches	0:5c4d7b2438d3	672	mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
switches	0:5c4d7b2438d3	673
switches	0:5c4d7b2438d3	674	/*
switches	0:5c4d7b2438d3	675	* Determine the appropriate key, IV and MAC length.
switches	0:5c4d7b2438d3	676	*/
switches	0:5c4d7b2438d3	677
switches	0:5c4d7b2438d3	678	transform->keylen = cipher_info->key_bitlen / 8;
switches	0:5c4d7b2438d3	679
switches	0:5c4d7b2438d3	680	if( cipher_info->mode == MBEDTLS_MODE_GCM \|\|
switches	0:5c4d7b2438d3	681	cipher_info->mode == MBEDTLS_MODE_CCM )
switches	0:5c4d7b2438d3	682	{
switches	0:5c4d7b2438d3	683	transform->maclen = 0;
switches	0:5c4d7b2438d3	684
switches	0:5c4d7b2438d3	685	transform->ivlen = 12;
switches	0:5c4d7b2438d3	686	transform->fixed_ivlen = 4;
switches	0:5c4d7b2438d3	687
switches	0:5c4d7b2438d3	688	/* Minimum length is expicit IV + tag */
switches	0:5c4d7b2438d3	689	transform->minlen = transform->ivlen - transform->fixed_ivlen
switches	0:5c4d7b2438d3	690	+ ( transform->ciphersuite_info->flags &
switches	0:5c4d7b2438d3	691	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
switches	0:5c4d7b2438d3	692	}
switches	0:5c4d7b2438d3	693	else
switches	0:5c4d7b2438d3	694	{
switches	0:5c4d7b2438d3	695	/* Initialize HMAC contexts */
switches	0:5c4d7b2438d3	696	if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 \|\|
switches	0:5c4d7b2438d3	697	( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
switches	0:5c4d7b2438d3	698	{
switches	0:5c4d7b2438d3	699	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
switches	0:5c4d7b2438d3	700	return( ret );
switches	0:5c4d7b2438d3	701	}
switches	0:5c4d7b2438d3	702
switches	0:5c4d7b2438d3	703	/* Get MAC length */
switches	0:5c4d7b2438d3	704	transform->maclen = mbedtls_md_get_size( md_info );
switches	0:5c4d7b2438d3	705
switches	0:5c4d7b2438d3	706	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
switches	0:5c4d7b2438d3	707	/*
switches	0:5c4d7b2438d3	708	* If HMAC is to be truncated, we shall keep the leftmost bytes,
switches	0:5c4d7b2438d3	709	* (rfc 6066 page 13 or rfc 2104 section 4),
switches	0:5c4d7b2438d3	710	* so we only need to adjust the length here.
switches	0:5c4d7b2438d3	711	*/
switches	0:5c4d7b2438d3	712	if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
switches	0:5c4d7b2438d3	713	transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
switches	0:5c4d7b2438d3	714	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
switches	0:5c4d7b2438d3	715
switches	0:5c4d7b2438d3	716	/* IV length */
switches	0:5c4d7b2438d3	717	transform->ivlen = cipher_info->iv_size;
switches	0:5c4d7b2438d3	718
switches	0:5c4d7b2438d3	719	/* Minimum length */
switches	0:5c4d7b2438d3	720	if( cipher_info->mode == MBEDTLS_MODE_STREAM )
switches	0:5c4d7b2438d3	721	transform->minlen = transform->maclen;
switches	0:5c4d7b2438d3	722	else
switches	0:5c4d7b2438d3	723	{
switches	0:5c4d7b2438d3	724	/*
switches	0:5c4d7b2438d3	725	* GenericBlockCipher:
switches	0:5c4d7b2438d3	726	* 1. if EtM is in use: one block plus MAC
switches	0:5c4d7b2438d3	727	* otherwise: * first multiple of blocklen greater than maclen
switches	0:5c4d7b2438d3	728	* 2. IV except for SSL3 and TLS 1.0
switches	0:5c4d7b2438d3	729	*/
switches	0:5c4d7b2438d3	730	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
switches	0:5c4d7b2438d3	731	if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
switches	0:5c4d7b2438d3	732	{
switches	0:5c4d7b2438d3	733	transform->minlen = transform->maclen
switches	0:5c4d7b2438d3	734	+ cipher_info->block_size;
switches	0:5c4d7b2438d3	735	}
switches	0:5c4d7b2438d3	736	else
switches	0:5c4d7b2438d3	737	#endif
switches	0:5c4d7b2438d3	738	{
switches	0:5c4d7b2438d3	739	transform->minlen = transform->maclen
switches	0:5c4d7b2438d3	740	+ cipher_info->block_size
switches	0:5c4d7b2438d3	741	- transform->maclen % cipher_info->block_size;
switches	0:5c4d7b2438d3	742	}
switches	0:5c4d7b2438d3	743
switches	0:5c4d7b2438d3	744	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
switches	0:5c4d7b2438d3	745	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
switches	0:5c4d7b2438d3	746	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
switches	0:5c4d7b2438d3	747	; /* No need to adjust minlen */
switches	0:5c4d7b2438d3	748	else
switches	0:5c4d7b2438d3	749	#endif
switches	0:5c4d7b2438d3	750	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	751	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 \|\|
switches	0:5c4d7b2438d3	752	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
switches	0:5c4d7b2438d3	753	{
switches	0:5c4d7b2438d3	754	transform->minlen += transform->ivlen;
switches	0:5c4d7b2438d3	755	}
switches	0:5c4d7b2438d3	756	else
switches	0:5c4d7b2438d3	757	#endif
switches	0:5c4d7b2438d3	758	{
switches	0:5c4d7b2438d3	759	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	760	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	761	}
switches	0:5c4d7b2438d3	762	}
switches	0:5c4d7b2438d3	763	}
switches	0:5c4d7b2438d3	764
switches	0:5c4d7b2438d3	765	MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
switches	0:5c4d7b2438d3	766	transform->keylen, transform->minlen, transform->ivlen,
switches	0:5c4d7b2438d3	767	transform->maclen ) );
switches	0:5c4d7b2438d3	768
switches	0:5c4d7b2438d3	769	/*
switches	0:5c4d7b2438d3	770	* Finally setup the cipher contexts, IVs and MAC secrets.
switches	0:5c4d7b2438d3	771	*/
switches	0:5c4d7b2438d3	772	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	773	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	774	{
switches	0:5c4d7b2438d3	775	key1 = keyblk + transform->maclen * 2;
switches	0:5c4d7b2438d3	776	key2 = keyblk + transform->maclen * 2 + transform->keylen;
switches	0:5c4d7b2438d3	777
switches	0:5c4d7b2438d3	778	mac_enc = keyblk;
switches	0:5c4d7b2438d3	779	mac_dec = keyblk + transform->maclen;
switches	0:5c4d7b2438d3	780
switches	0:5c4d7b2438d3	781	/*
switches	0:5c4d7b2438d3	782	* This is not used in TLS v1.1.
switches	0:5c4d7b2438d3	783	*/
switches	0:5c4d7b2438d3	784	iv_copy_len = ( transform->fixed_ivlen ) ?
switches	0:5c4d7b2438d3	785	transform->fixed_ivlen : transform->ivlen;
switches	0:5c4d7b2438d3	786	memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
switches	0:5c4d7b2438d3	787	memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
switches	0:5c4d7b2438d3	788	iv_copy_len );
switches	0:5c4d7b2438d3	789	}
switches	0:5c4d7b2438d3	790	else
switches	0:5c4d7b2438d3	791	#endif /* MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	792	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	793	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	794	{
switches	0:5c4d7b2438d3	795	key1 = keyblk + transform->maclen * 2 + transform->keylen;
switches	0:5c4d7b2438d3	796	key2 = keyblk + transform->maclen * 2;
switches	0:5c4d7b2438d3	797
switches	0:5c4d7b2438d3	798	mac_enc = keyblk + transform->maclen;
switches	0:5c4d7b2438d3	799	mac_dec = keyblk;
switches	0:5c4d7b2438d3	800
switches	0:5c4d7b2438d3	801	/*
switches	0:5c4d7b2438d3	802	* This is not used in TLS v1.1.
switches	0:5c4d7b2438d3	803	*/
switches	0:5c4d7b2438d3	804	iv_copy_len = ( transform->fixed_ivlen ) ?
switches	0:5c4d7b2438d3	805	transform->fixed_ivlen : transform->ivlen;
switches	0:5c4d7b2438d3	806	memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
switches	0:5c4d7b2438d3	807	memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
switches	0:5c4d7b2438d3	808	iv_copy_len );
switches	0:5c4d7b2438d3	809	}
switches	0:5c4d7b2438d3	810	else
switches	0:5c4d7b2438d3	811	#endif /* MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	812	{
switches	0:5c4d7b2438d3	813	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	814	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	815	}
switches	0:5c4d7b2438d3	816
switches	0:5c4d7b2438d3	817	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	818	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	819	{
switches	0:5c4d7b2438d3	820	if( transform->maclen > sizeof transform->mac_enc )
switches	0:5c4d7b2438d3	821	{
switches	0:5c4d7b2438d3	822	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	823	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	824	}
switches	0:5c4d7b2438d3	825
switches	0:5c4d7b2438d3	826	memcpy( transform->mac_enc, mac_enc, transform->maclen );
switches	0:5c4d7b2438d3	827	memcpy( transform->mac_dec, mac_dec, transform->maclen );
switches	0:5c4d7b2438d3	828	}
switches	0:5c4d7b2438d3	829	else
switches	0:5c4d7b2438d3	830	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	831	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
switches	0:5c4d7b2438d3	832	defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	833	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
switches	0:5c4d7b2438d3	834	{
switches	0:5c4d7b2438d3	835	mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
switches	0:5c4d7b2438d3	836	mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
switches	0:5c4d7b2438d3	837	}
switches	0:5c4d7b2438d3	838	else
switches	0:5c4d7b2438d3	839	#endif
switches	0:5c4d7b2438d3	840	{
switches	0:5c4d7b2438d3	841	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	842	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	843	}
switches	0:5c4d7b2438d3	844
switches	0:5c4d7b2438d3	845	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	846	if( mbedtls_ssl_hw_record_init != NULL )
switches	0:5c4d7b2438d3	847	{
switches	0:5c4d7b2438d3	848	int ret = 0;
switches	0:5c4d7b2438d3	849
switches	0:5c4d7b2438d3	850	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
switches	0:5c4d7b2438d3	851
switches	0:5c4d7b2438d3	852	if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
switches	0:5c4d7b2438d3	853	transform->iv_enc, transform->iv_dec,
switches	0:5c4d7b2438d3	854	iv_copy_len,
switches	0:5c4d7b2438d3	855	mac_enc, mac_dec,
switches	0:5c4d7b2438d3	856	transform->maclen ) ) != 0 )
switches	0:5c4d7b2438d3	857	{
switches	0:5c4d7b2438d3	858	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
switches	0:5c4d7b2438d3	859	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
switches	0:5c4d7b2438d3	860	}
switches	0:5c4d7b2438d3	861	}
switches	0:5c4d7b2438d3	862	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
switches	0:5c4d7b2438d3	863
switches	0:5c4d7b2438d3	864	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
switches	0:5c4d7b2438d3	865	if( ssl->conf->f_export_keys != NULL )
switches	0:5c4d7b2438d3	866	{
switches	0:5c4d7b2438d3	867	ssl->conf->f_export_keys( ssl->conf->p_export_keys,
switches	0:5c4d7b2438d3	868	session->master, keyblk,
switches	0:5c4d7b2438d3	869	transform->maclen, transform->keylen,
switches	0:5c4d7b2438d3	870	iv_copy_len );
switches	0:5c4d7b2438d3	871	}
switches	0:5c4d7b2438d3	872	#endif
switches	0:5c4d7b2438d3	873
switches	0:5c4d7b2438d3	874	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
switches	0:5c4d7b2438d3	875	cipher_info ) ) != 0 )
switches	0:5c4d7b2438d3	876	{
switches	0:5c4d7b2438d3	877	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
switches	0:5c4d7b2438d3	878	return( ret );
switches	0:5c4d7b2438d3	879	}
switches	0:5c4d7b2438d3	880
switches	0:5c4d7b2438d3	881	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
switches	0:5c4d7b2438d3	882	cipher_info ) ) != 0 )
switches	0:5c4d7b2438d3	883	{
switches	0:5c4d7b2438d3	884	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
switches	0:5c4d7b2438d3	885	return( ret );
switches	0:5c4d7b2438d3	886	}
switches	0:5c4d7b2438d3	887
switches	0:5c4d7b2438d3	888	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
switches	0:5c4d7b2438d3	889	cipher_info->key_bitlen,
switches	0:5c4d7b2438d3	890	MBEDTLS_ENCRYPT ) ) != 0 )
switches	0:5c4d7b2438d3	891	{
switches	0:5c4d7b2438d3	892	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
switches	0:5c4d7b2438d3	893	return( ret );
switches	0:5c4d7b2438d3	894	}
switches	0:5c4d7b2438d3	895
switches	0:5c4d7b2438d3	896	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
switches	0:5c4d7b2438d3	897	cipher_info->key_bitlen,
switches	0:5c4d7b2438d3	898	MBEDTLS_DECRYPT ) ) != 0 )
switches	0:5c4d7b2438d3	899	{
switches	0:5c4d7b2438d3	900	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
switches	0:5c4d7b2438d3	901	return( ret );
switches	0:5c4d7b2438d3	902	}
switches	0:5c4d7b2438d3	903
switches	0:5c4d7b2438d3	904	#if defined(MBEDTLS_CIPHER_MODE_CBC)
switches	0:5c4d7b2438d3	905	if( cipher_info->mode == MBEDTLS_MODE_CBC )
switches	0:5c4d7b2438d3	906	{
switches	0:5c4d7b2438d3	907	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
switches	0:5c4d7b2438d3	908	MBEDTLS_PADDING_NONE ) ) != 0 )
switches	0:5c4d7b2438d3	909	{
switches	0:5c4d7b2438d3	910	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
switches	0:5c4d7b2438d3	911	return( ret );
switches	0:5c4d7b2438d3	912	}
switches	0:5c4d7b2438d3	913
switches	0:5c4d7b2438d3	914	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
switches	0:5c4d7b2438d3	915	MBEDTLS_PADDING_NONE ) ) != 0 )
switches	0:5c4d7b2438d3	916	{
switches	0:5c4d7b2438d3	917	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
switches	0:5c4d7b2438d3	918	return( ret );
switches	0:5c4d7b2438d3	919	}
switches	0:5c4d7b2438d3	920	}
switches	0:5c4d7b2438d3	921	#endif /* MBEDTLS_CIPHER_MODE_CBC */
switches	0:5c4d7b2438d3	922
switches	0:5c4d7b2438d3	923	mbedtls_zeroize( keyblk, sizeof( keyblk ) );
switches	0:5c4d7b2438d3	924
switches	0:5c4d7b2438d3	925	#if defined(MBEDTLS_ZLIB_SUPPORT)
switches	0:5c4d7b2438d3	926	// Initialize compression
switches	0:5c4d7b2438d3	927	//
switches	0:5c4d7b2438d3	928	if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
switches	0:5c4d7b2438d3	929	{
switches	0:5c4d7b2438d3	930	if( ssl->compress_buf == NULL )
switches	0:5c4d7b2438d3	931	{
switches	0:5c4d7b2438d3	932	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
switches	0:5c4d7b2438d3	933	ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
switches	0:5c4d7b2438d3	934	if( ssl->compress_buf == NULL )
switches	0:5c4d7b2438d3	935	{
switches	0:5c4d7b2438d3	936	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
switches	0:5c4d7b2438d3	937	MBEDTLS_SSL_BUFFER_LEN ) );
switches	0:5c4d7b2438d3	938	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	939	}
switches	0:5c4d7b2438d3	940	}
switches	0:5c4d7b2438d3	941
switches	0:5c4d7b2438d3	942	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
switches	0:5c4d7b2438d3	943
switches	0:5c4d7b2438d3	944	memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
switches	0:5c4d7b2438d3	945	memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
switches	0:5c4d7b2438d3	946
switches	0:5c4d7b2438d3	947	if( deflateInit( &transform->ctx_deflate,
switches	0:5c4d7b2438d3	948	Z_DEFAULT_COMPRESSION ) != Z_OK \|\|
switches	0:5c4d7b2438d3	949	inflateInit( &transform->ctx_inflate ) != Z_OK )
switches	0:5c4d7b2438d3	950	{
switches	0:5c4d7b2438d3	951	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
switches	0:5c4d7b2438d3	952	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
switches	0:5c4d7b2438d3	953	}
switches	0:5c4d7b2438d3	954	}
switches	0:5c4d7b2438d3	955	#endif /* MBEDTLS_ZLIB_SUPPORT */
switches	0:5c4d7b2438d3	956
switches	0:5c4d7b2438d3	957	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
switches	0:5c4d7b2438d3	958
switches	0:5c4d7b2438d3	959	return( 0 );
switches	0:5c4d7b2438d3	960	}
switches	0:5c4d7b2438d3	961
switches	0:5c4d7b2438d3	962	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	963	void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
switches	0:5c4d7b2438d3	964	{
switches	0:5c4d7b2438d3	965	mbedtls_md5_context md5;
switches	0:5c4d7b2438d3	966	mbedtls_sha1_context sha1;
switches	0:5c4d7b2438d3	967	unsigned char pad_1[48];
switches	0:5c4d7b2438d3	968	unsigned char pad_2[48];
switches	0:5c4d7b2438d3	969
switches	0:5c4d7b2438d3	970	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
switches	0:5c4d7b2438d3	971
switches	0:5c4d7b2438d3	972	mbedtls_md5_init( &md5 );
switches	0:5c4d7b2438d3	973	mbedtls_sha1_init( &sha1 );
switches	0:5c4d7b2438d3	974
switches	0:5c4d7b2438d3	975	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
switches	0:5c4d7b2438d3	976	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
switches	0:5c4d7b2438d3	977
switches	0:5c4d7b2438d3	978	memset( pad_1, 0x36, 48 );
switches	0:5c4d7b2438d3	979	memset( pad_2, 0x5C, 48 );
switches	0:5c4d7b2438d3	980
switches	0:5c4d7b2438d3	981	mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
switches	0:5c4d7b2438d3	982	mbedtls_md5_update( &md5, pad_1, 48 );
switches	0:5c4d7b2438d3	983	mbedtls_md5_finish( &md5, hash );
switches	0:5c4d7b2438d3	984
switches	0:5c4d7b2438d3	985	mbedtls_md5_starts( &md5 );
switches	0:5c4d7b2438d3	986	mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
switches	0:5c4d7b2438d3	987	mbedtls_md5_update( &md5, pad_2, 48 );
switches	0:5c4d7b2438d3	988	mbedtls_md5_update( &md5, hash, 16 );
switches	0:5c4d7b2438d3	989	mbedtls_md5_finish( &md5, hash );
switches	0:5c4d7b2438d3	990
switches	0:5c4d7b2438d3	991	mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
switches	0:5c4d7b2438d3	992	mbedtls_sha1_update( &sha1, pad_1, 40 );
switches	0:5c4d7b2438d3	993	mbedtls_sha1_finish( &sha1, hash + 16 );
switches	0:5c4d7b2438d3	994
switches	0:5c4d7b2438d3	995	mbedtls_sha1_starts( &sha1 );
switches	0:5c4d7b2438d3	996	mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
switches	0:5c4d7b2438d3	997	mbedtls_sha1_update( &sha1, pad_2, 40 );
switches	0:5c4d7b2438d3	998	mbedtls_sha1_update( &sha1, hash + 16, 20 );
switches	0:5c4d7b2438d3	999	mbedtls_sha1_finish( &sha1, hash + 16 );
switches	0:5c4d7b2438d3	1000
switches	0:5c4d7b2438d3	1001	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
switches	0:5c4d7b2438d3	1002	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
switches	0:5c4d7b2438d3	1003
switches	0:5c4d7b2438d3	1004	mbedtls_md5_free( &md5 );
switches	0:5c4d7b2438d3	1005	mbedtls_sha1_free( &sha1 );
switches	0:5c4d7b2438d3	1006
switches	0:5c4d7b2438d3	1007	return;
switches	0:5c4d7b2438d3	1008	}
switches	0:5c4d7b2438d3	1009	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	1010
switches	0:5c4d7b2438d3	1011	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	1012	void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
switches	0:5c4d7b2438d3	1013	{
switches	0:5c4d7b2438d3	1014	mbedtls_md5_context md5;
switches	0:5c4d7b2438d3	1015	mbedtls_sha1_context sha1;
switches	0:5c4d7b2438d3	1016
switches	0:5c4d7b2438d3	1017	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
switches	0:5c4d7b2438d3	1018
switches	0:5c4d7b2438d3	1019	mbedtls_md5_init( &md5 );
switches	0:5c4d7b2438d3	1020	mbedtls_sha1_init( &sha1 );
switches	0:5c4d7b2438d3	1021
switches	0:5c4d7b2438d3	1022	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
switches	0:5c4d7b2438d3	1023	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
switches	0:5c4d7b2438d3	1024
switches	0:5c4d7b2438d3	1025	mbedtls_md5_finish( &md5, hash );
switches	0:5c4d7b2438d3	1026	mbedtls_sha1_finish( &sha1, hash + 16 );
switches	0:5c4d7b2438d3	1027
switches	0:5c4d7b2438d3	1028	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
switches	0:5c4d7b2438d3	1029	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
switches	0:5c4d7b2438d3	1030
switches	0:5c4d7b2438d3	1031	mbedtls_md5_free( &md5 );
switches	0:5c4d7b2438d3	1032	mbedtls_sha1_free( &sha1 );
switches	0:5c4d7b2438d3	1033
switches	0:5c4d7b2438d3	1034	return;
switches	0:5c4d7b2438d3	1035	}
switches	0:5c4d7b2438d3	1036	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
switches	0:5c4d7b2438d3	1037
switches	0:5c4d7b2438d3	1038	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	1039	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	1040	void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
switches	0:5c4d7b2438d3	1041	{
switches	0:5c4d7b2438d3	1042	mbedtls_sha256_context sha256;
switches	0:5c4d7b2438d3	1043
switches	0:5c4d7b2438d3	1044	mbedtls_sha256_init( &sha256 );
switches	0:5c4d7b2438d3	1045
switches	0:5c4d7b2438d3	1046	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
switches	0:5c4d7b2438d3	1047
switches	0:5c4d7b2438d3	1048	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
switches	0:5c4d7b2438d3	1049	mbedtls_sha256_finish( &sha256, hash );
switches	0:5c4d7b2438d3	1050
switches	0:5c4d7b2438d3	1051	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
switches	0:5c4d7b2438d3	1052	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
switches	0:5c4d7b2438d3	1053
switches	0:5c4d7b2438d3	1054	mbedtls_sha256_free( &sha256 );
switches	0:5c4d7b2438d3	1055
switches	0:5c4d7b2438d3	1056	return;
switches	0:5c4d7b2438d3	1057	}
switches	0:5c4d7b2438d3	1058	#endif /* MBEDTLS_SHA256_C */
switches	0:5c4d7b2438d3	1059
switches	0:5c4d7b2438d3	1060	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	1061	void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
switches	0:5c4d7b2438d3	1062	{
switches	0:5c4d7b2438d3	1063	mbedtls_sha512_context sha512;
switches	0:5c4d7b2438d3	1064
switches	0:5c4d7b2438d3	1065	mbedtls_sha512_init( &sha512 );
switches	0:5c4d7b2438d3	1066
switches	0:5c4d7b2438d3	1067	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
switches	0:5c4d7b2438d3	1068
switches	0:5c4d7b2438d3	1069	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
switches	0:5c4d7b2438d3	1070	mbedtls_sha512_finish( &sha512, hash );
switches	0:5c4d7b2438d3	1071
switches	0:5c4d7b2438d3	1072	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
switches	0:5c4d7b2438d3	1073	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
switches	0:5c4d7b2438d3	1074
switches	0:5c4d7b2438d3	1075	mbedtls_sha512_free( &sha512 );
switches	0:5c4d7b2438d3	1076
switches	0:5c4d7b2438d3	1077	return;
switches	0:5c4d7b2438d3	1078	}
switches	0:5c4d7b2438d3	1079	#endif /* MBEDTLS_SHA512_C */
switches	0:5c4d7b2438d3	1080	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	1081
switches	0:5c4d7b2438d3	1082	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
switches	0:5c4d7b2438d3	1083	int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
switches	0:5c4d7b2438d3	1084	{
switches	0:5c4d7b2438d3	1085	unsigned char *p = ssl->handshake->premaster;
switches	0:5c4d7b2438d3	1086	unsigned char *end = p + sizeof( ssl->handshake->premaster );
switches	0:5c4d7b2438d3	1087	const unsigned char *psk = ssl->conf->psk;
switches	0:5c4d7b2438d3	1088	size_t psk_len = ssl->conf->psk_len;
switches	0:5c4d7b2438d3	1089
switches	0:5c4d7b2438d3	1090	/* If the psk callback was called, use its result */
switches	0:5c4d7b2438d3	1091	if( ssl->handshake->psk != NULL )
switches	0:5c4d7b2438d3	1092	{
switches	0:5c4d7b2438d3	1093	psk = ssl->handshake->psk;
switches	0:5c4d7b2438d3	1094	psk_len = ssl->handshake->psk_len;
switches	0:5c4d7b2438d3	1095	}
switches	0:5c4d7b2438d3	1096
switches	0:5c4d7b2438d3	1097	/*
switches	0:5c4d7b2438d3	1098	* PMS = struct {
switches	0:5c4d7b2438d3	1099	* opaque other_secret<0..2^16-1>;
switches	0:5c4d7b2438d3	1100	* opaque psk<0..2^16-1>;
switches	0:5c4d7b2438d3	1101	* };
switches	0:5c4d7b2438d3	1102	* with "other_secret" depending on the particular key exchange
switches	0:5c4d7b2438d3	1103	*/
switches	0:5c4d7b2438d3	1104	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
switches	0:5c4d7b2438d3	1105	if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
switches	0:5c4d7b2438d3	1106	{
switches	0:5c4d7b2438d3	1107	if( end - p < 2 )
switches	0:5c4d7b2438d3	1108	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	1109
switches	0:5c4d7b2438d3	1110	*(p++) = (unsigned char)( psk_len >> 8 );
switches	0:5c4d7b2438d3	1111	*(p++) = (unsigned char)( psk_len );
switches	0:5c4d7b2438d3	1112
switches	0:5c4d7b2438d3	1113	if( end < p \|\| (size_t)( end - p ) < psk_len )
switches	0:5c4d7b2438d3	1114	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	1115
switches	0:5c4d7b2438d3	1116	memset( p, 0, psk_len );
switches	0:5c4d7b2438d3	1117	p += psk_len;
switches	0:5c4d7b2438d3	1118	}
switches	0:5c4d7b2438d3	1119	else
switches	0:5c4d7b2438d3	1120	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
switches	0:5c4d7b2438d3	1121	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
switches	0:5c4d7b2438d3	1122	if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
switches	0:5c4d7b2438d3	1123	{
switches	0:5c4d7b2438d3	1124	/*
switches	0:5c4d7b2438d3	1125	* other_secret already set by the ClientKeyExchange message,
switches	0:5c4d7b2438d3	1126	* and is 48 bytes long
switches	0:5c4d7b2438d3	1127	*/
switches	0:5c4d7b2438d3	1128	*p++ = 0;
switches	0:5c4d7b2438d3	1129	*p++ = 48;
switches	0:5c4d7b2438d3	1130	p += 48;
switches	0:5c4d7b2438d3	1131	}
switches	0:5c4d7b2438d3	1132	else
switches	0:5c4d7b2438d3	1133	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
switches	0:5c4d7b2438d3	1134	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
switches	0:5c4d7b2438d3	1135	if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
switches	0:5c4d7b2438d3	1136	{
switches	0:5c4d7b2438d3	1137	int ret;
switches	0:5c4d7b2438d3	1138	size_t len;
switches	0:5c4d7b2438d3	1139
switches	0:5c4d7b2438d3	1140	/* Write length only when we know the actual value */
switches	0:5c4d7b2438d3	1141	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
switches	0:5c4d7b2438d3	1142	p + 2, end - ( p + 2 ), &len,
switches	0:5c4d7b2438d3	1143	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
switches	0:5c4d7b2438d3	1144	{
switches	0:5c4d7b2438d3	1145	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
switches	0:5c4d7b2438d3	1146	return( ret );
switches	0:5c4d7b2438d3	1147	}
switches	0:5c4d7b2438d3	1148	*(p++) = (unsigned char)( len >> 8 );
switches	0:5c4d7b2438d3	1149	*(p++) = (unsigned char)( len );
switches	0:5c4d7b2438d3	1150	p += len;
switches	0:5c4d7b2438d3	1151
switches	0:5c4d7b2438d3	1152	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
switches	0:5c4d7b2438d3	1153	}
switches	0:5c4d7b2438d3	1154	else
switches	0:5c4d7b2438d3	1155	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
switches	0:5c4d7b2438d3	1156	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
switches	0:5c4d7b2438d3	1157	if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
switches	0:5c4d7b2438d3	1158	{
switches	0:5c4d7b2438d3	1159	int ret;
switches	0:5c4d7b2438d3	1160	size_t zlen;
switches	0:5c4d7b2438d3	1161
switches	0:5c4d7b2438d3	1162	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
switches	0:5c4d7b2438d3	1163	p + 2, end - ( p + 2 ),
switches	0:5c4d7b2438d3	1164	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
switches	0:5c4d7b2438d3	1165	{
switches	0:5c4d7b2438d3	1166	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
switches	0:5c4d7b2438d3	1167	return( ret );
switches	0:5c4d7b2438d3	1168	}
switches	0:5c4d7b2438d3	1169
switches	0:5c4d7b2438d3	1170	*(p++) = (unsigned char)( zlen >> 8 );
switches	0:5c4d7b2438d3	1171	*(p++) = (unsigned char)( zlen );
switches	0:5c4d7b2438d3	1172	p += zlen;
switches	0:5c4d7b2438d3	1173
switches	0:5c4d7b2438d3	1174	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
switches	0:5c4d7b2438d3	1175	}
switches	0:5c4d7b2438d3	1176	else
switches	0:5c4d7b2438d3	1177	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
switches	0:5c4d7b2438d3	1178	{
switches	0:5c4d7b2438d3	1179	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1180	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1181	}
switches	0:5c4d7b2438d3	1182
switches	0:5c4d7b2438d3	1183	/* opaque psk<0..2^16-1>; */
switches	0:5c4d7b2438d3	1184	if( end - p < 2 )
switches	0:5c4d7b2438d3	1185	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	1186
switches	0:5c4d7b2438d3	1187	*(p++) = (unsigned char)( psk_len >> 8 );
switches	0:5c4d7b2438d3	1188	*(p++) = (unsigned char)( psk_len );
switches	0:5c4d7b2438d3	1189
switches	0:5c4d7b2438d3	1190	if( end < p \|\| (size_t)( end - p ) < psk_len )
switches	0:5c4d7b2438d3	1191	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	1192
switches	0:5c4d7b2438d3	1193	memcpy( p, psk, psk_len );
switches	0:5c4d7b2438d3	1194	p += psk_len;
switches	0:5c4d7b2438d3	1195
switches	0:5c4d7b2438d3	1196	ssl->handshake->pmslen = p - ssl->handshake->premaster;
switches	0:5c4d7b2438d3	1197
switches	0:5c4d7b2438d3	1198	return( 0 );
switches	0:5c4d7b2438d3	1199	}
switches	0:5c4d7b2438d3	1200	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
switches	0:5c4d7b2438d3	1201
switches	0:5c4d7b2438d3	1202	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	1203	/*
switches	0:5c4d7b2438d3	1204	* SSLv3.0 MAC functions
switches	0:5c4d7b2438d3	1205	*/
switches	0:5c4d7b2438d3	1206	static void ssl_mac( mbedtls_md_context_t md_ctx, unsigned char secret,
switches	0:5c4d7b2438d3	1207	unsigned char *buf, size_t len,
switches	0:5c4d7b2438d3	1208	unsigned char *ctr, int type )
switches	0:5c4d7b2438d3	1209	{
switches	0:5c4d7b2438d3	1210	unsigned char header[11];
switches	0:5c4d7b2438d3	1211	unsigned char padding[48];
switches	0:5c4d7b2438d3	1212	int padlen;
switches	0:5c4d7b2438d3	1213	int md_size = mbedtls_md_get_size( md_ctx->md_info );
switches	0:5c4d7b2438d3	1214	int md_type = mbedtls_md_get_type( md_ctx->md_info );
switches	0:5c4d7b2438d3	1215
switches	0:5c4d7b2438d3	1216	/* Only MD5 and SHA-1 supported */
switches	0:5c4d7b2438d3	1217	if( md_type == MBEDTLS_MD_MD5 )
switches	0:5c4d7b2438d3	1218	padlen = 48;
switches	0:5c4d7b2438d3	1219	else
switches	0:5c4d7b2438d3	1220	padlen = 40;
switches	0:5c4d7b2438d3	1221
switches	0:5c4d7b2438d3	1222	memcpy( header, ctr, 8 );
switches	0:5c4d7b2438d3	1223	header[ 8] = (unsigned char) type;
switches	0:5c4d7b2438d3	1224	header[ 9] = (unsigned char)( len >> 8 );
switches	0:5c4d7b2438d3	1225	header[10] = (unsigned char)( len );
switches	0:5c4d7b2438d3	1226
switches	0:5c4d7b2438d3	1227	memset( padding, 0x36, padlen );
switches	0:5c4d7b2438d3	1228	mbedtls_md_starts( md_ctx );
switches	0:5c4d7b2438d3	1229	mbedtls_md_update( md_ctx, secret, md_size );
switches	0:5c4d7b2438d3	1230	mbedtls_md_update( md_ctx, padding, padlen );
switches	0:5c4d7b2438d3	1231	mbedtls_md_update( md_ctx, header, 11 );
switches	0:5c4d7b2438d3	1232	mbedtls_md_update( md_ctx, buf, len );
switches	0:5c4d7b2438d3	1233	mbedtls_md_finish( md_ctx, buf + len );
switches	0:5c4d7b2438d3	1234
switches	0:5c4d7b2438d3	1235	memset( padding, 0x5C, padlen );
switches	0:5c4d7b2438d3	1236	mbedtls_md_starts( md_ctx );
switches	0:5c4d7b2438d3	1237	mbedtls_md_update( md_ctx, secret, md_size );
switches	0:5c4d7b2438d3	1238	mbedtls_md_update( md_ctx, padding, padlen );
switches	0:5c4d7b2438d3	1239	mbedtls_md_update( md_ctx, buf + len, md_size );
switches	0:5c4d7b2438d3	1240	mbedtls_md_finish( md_ctx, buf + len );
switches	0:5c4d7b2438d3	1241	}
switches	0:5c4d7b2438d3	1242	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	1243
switches	0:5c4d7b2438d3	1244	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER) \|\| \
switches	0:5c4d7b2438d3	1245	( defined(MBEDTLS_CIPHER_MODE_CBC) && \
switches	0:5c4d7b2438d3	1246	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) ) )
switches	0:5c4d7b2438d3	1247	#define SSL_SOME_MODES_USE_MAC
switches	0:5c4d7b2438d3	1248	#endif
switches	0:5c4d7b2438d3	1249
switches	0:5c4d7b2438d3	1250	/*
switches	0:5c4d7b2438d3	1251	* Encryption/decryption functions
switches	0:5c4d7b2438d3	1252	*/
switches	0:5c4d7b2438d3	1253	static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	1254	{
switches	0:5c4d7b2438d3	1255	mbedtls_cipher_mode_t mode;
switches	0:5c4d7b2438d3	1256	int auth_done = 0;
switches	0:5c4d7b2438d3	1257
switches	0:5c4d7b2438d3	1258	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
switches	0:5c4d7b2438d3	1259
switches	0:5c4d7b2438d3	1260	if( ssl->session_out == NULL \|\| ssl->transform_out == NULL )
switches	0:5c4d7b2438d3	1261	{
switches	0:5c4d7b2438d3	1262	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1263	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1264	}
switches	0:5c4d7b2438d3	1265
switches	0:5c4d7b2438d3	1266	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
switches	0:5c4d7b2438d3	1267
switches	0:5c4d7b2438d3	1268	MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
switches	0:5c4d7b2438d3	1269	ssl->out_msg, ssl->out_msglen );
switches	0:5c4d7b2438d3	1270
switches	0:5c4d7b2438d3	1271	/*
switches	0:5c4d7b2438d3	1272	* Add MAC before if needed
switches	0:5c4d7b2438d3	1273	*/
switches	0:5c4d7b2438d3	1274	#if defined(SSL_SOME_MODES_USE_MAC)
switches	0:5c4d7b2438d3	1275	if( mode == MBEDTLS_MODE_STREAM \|\|
switches	0:5c4d7b2438d3	1276	( mode == MBEDTLS_MODE_CBC
switches	0:5c4d7b2438d3	1277	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
switches	0:5c4d7b2438d3	1278	&& ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
switches	0:5c4d7b2438d3	1279	#endif
switches	0:5c4d7b2438d3	1280	) )
switches	0:5c4d7b2438d3	1281	{
switches	0:5c4d7b2438d3	1282	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	1283	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	1284	{
switches	0:5c4d7b2438d3	1285	ssl_mac( &ssl->transform_out->md_ctx_enc,
switches	0:5c4d7b2438d3	1286	ssl->transform_out->mac_enc,
switches	0:5c4d7b2438d3	1287	ssl->out_msg, ssl->out_msglen,
switches	0:5c4d7b2438d3	1288	ssl->out_ctr, ssl->out_msgtype );
switches	0:5c4d7b2438d3	1289	}
switches	0:5c4d7b2438d3	1290	else
switches	0:5c4d7b2438d3	1291	#endif
switches	0:5c4d7b2438d3	1292	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
switches	0:5c4d7b2438d3	1293	defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	1294	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
switches	0:5c4d7b2438d3	1295	{
switches	0:5c4d7b2438d3	1296	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
switches	0:5c4d7b2438d3	1297	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
switches	0:5c4d7b2438d3	1298	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
switches	0:5c4d7b2438d3	1299	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
switches	0:5c4d7b2438d3	1300	ssl->out_msg, ssl->out_msglen );
switches	0:5c4d7b2438d3	1301	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
switches	0:5c4d7b2438d3	1302	ssl->out_msg + ssl->out_msglen );
switches	0:5c4d7b2438d3	1303	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
switches	0:5c4d7b2438d3	1304	}
switches	0:5c4d7b2438d3	1305	else
switches	0:5c4d7b2438d3	1306	#endif
switches	0:5c4d7b2438d3	1307	{
switches	0:5c4d7b2438d3	1308	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1309	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1310	}
switches	0:5c4d7b2438d3	1311
switches	0:5c4d7b2438d3	1312	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
switches	0:5c4d7b2438d3	1313	ssl->out_msg + ssl->out_msglen,
switches	0:5c4d7b2438d3	1314	ssl->transform_out->maclen );
switches	0:5c4d7b2438d3	1315
switches	0:5c4d7b2438d3	1316	ssl->out_msglen += ssl->transform_out->maclen;
switches	0:5c4d7b2438d3	1317	auth_done++;
switches	0:5c4d7b2438d3	1318	}
switches	0:5c4d7b2438d3	1319	#endif /* AEAD not the only option */
switches	0:5c4d7b2438d3	1320
switches	0:5c4d7b2438d3	1321	/*
switches	0:5c4d7b2438d3	1322	* Encrypt
switches	0:5c4d7b2438d3	1323	*/
switches	0:5c4d7b2438d3	1324	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
switches	0:5c4d7b2438d3	1325	if( mode == MBEDTLS_MODE_STREAM )
switches	0:5c4d7b2438d3	1326	{
switches	0:5c4d7b2438d3	1327	int ret;
switches	0:5c4d7b2438d3	1328	size_t olen = 0;
switches	0:5c4d7b2438d3	1329
switches	0:5c4d7b2438d3	1330	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
switches	0:5c4d7b2438d3	1331	"including %d bytes of padding",
switches	0:5c4d7b2438d3	1332	ssl->out_msglen, 0 ) );
switches	0:5c4d7b2438d3	1333
switches	0:5c4d7b2438d3	1334	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
switches	0:5c4d7b2438d3	1335	ssl->transform_out->iv_enc,
switches	0:5c4d7b2438d3	1336	ssl->transform_out->ivlen,
switches	0:5c4d7b2438d3	1337	ssl->out_msg, ssl->out_msglen,
switches	0:5c4d7b2438d3	1338	ssl->out_msg, &olen ) ) != 0 )
switches	0:5c4d7b2438d3	1339	{
switches	0:5c4d7b2438d3	1340	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
switches	0:5c4d7b2438d3	1341	return( ret );
switches	0:5c4d7b2438d3	1342	}
switches	0:5c4d7b2438d3	1343
switches	0:5c4d7b2438d3	1344	if( ssl->out_msglen != olen )
switches	0:5c4d7b2438d3	1345	{
switches	0:5c4d7b2438d3	1346	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1347	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1348	}
switches	0:5c4d7b2438d3	1349	}
switches	0:5c4d7b2438d3	1350	else
switches	0:5c4d7b2438d3	1351	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
switches	0:5c4d7b2438d3	1352	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CCM_C)
switches	0:5c4d7b2438d3	1353	if( mode == MBEDTLS_MODE_GCM \|\|
switches	0:5c4d7b2438d3	1354	mode == MBEDTLS_MODE_CCM )
switches	0:5c4d7b2438d3	1355	{
switches	0:5c4d7b2438d3	1356	int ret;
switches	0:5c4d7b2438d3	1357	size_t enc_msglen, olen;
switches	0:5c4d7b2438d3	1358	unsigned char *enc_msg;
switches	0:5c4d7b2438d3	1359	unsigned char add_data[13];
switches	0:5c4d7b2438d3	1360	unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
switches	0:5c4d7b2438d3	1361	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
switches	0:5c4d7b2438d3	1362
switches	0:5c4d7b2438d3	1363	memcpy( add_data, ssl->out_ctr, 8 );
switches	0:5c4d7b2438d3	1364	add_data[8] = ssl->out_msgtype;
switches	0:5c4d7b2438d3	1365	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
switches	0:5c4d7b2438d3	1366	ssl->conf->transport, add_data + 9 );
switches	0:5c4d7b2438d3	1367	add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
switches	0:5c4d7b2438d3	1368	add_data[12] = ssl->out_msglen & 0xFF;
switches	0:5c4d7b2438d3	1369
switches	0:5c4d7b2438d3	1370	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
switches	0:5c4d7b2438d3	1371	add_data, 13 );
switches	0:5c4d7b2438d3	1372
switches	0:5c4d7b2438d3	1373	/*
switches	0:5c4d7b2438d3	1374	* Generate IV
switches	0:5c4d7b2438d3	1375	*/
switches	0:5c4d7b2438d3	1376	if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
switches	0:5c4d7b2438d3	1377	{
switches	0:5c4d7b2438d3	1378	/* Reminder if we ever add an AEAD mode with a different size */
switches	0:5c4d7b2438d3	1379	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1380	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1381	}
switches	0:5c4d7b2438d3	1382
switches	0:5c4d7b2438d3	1383	memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
switches	0:5c4d7b2438d3	1384	ssl->out_ctr, 8 );
switches	0:5c4d7b2438d3	1385	memcpy( ssl->out_iv, ssl->out_ctr, 8 );
switches	0:5c4d7b2438d3	1386
switches	0:5c4d7b2438d3	1387	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
switches	0:5c4d7b2438d3	1388	ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
switches	0:5c4d7b2438d3	1389
switches	0:5c4d7b2438d3	1390	/*
switches	0:5c4d7b2438d3	1391	* Fix pointer positions and message length with added IV
switches	0:5c4d7b2438d3	1392	*/
switches	0:5c4d7b2438d3	1393	enc_msg = ssl->out_msg;
switches	0:5c4d7b2438d3	1394	enc_msglen = ssl->out_msglen;
switches	0:5c4d7b2438d3	1395	ssl->out_msglen += ssl->transform_out->ivlen -
switches	0:5c4d7b2438d3	1396	ssl->transform_out->fixed_ivlen;
switches	0:5c4d7b2438d3	1397
switches	0:5c4d7b2438d3	1398	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
switches	0:5c4d7b2438d3	1399	"including %d bytes of padding",
switches	0:5c4d7b2438d3	1400	ssl->out_msglen, 0 ) );
switches	0:5c4d7b2438d3	1401
switches	0:5c4d7b2438d3	1402	/*
switches	0:5c4d7b2438d3	1403	* Encrypt and authenticate
switches	0:5c4d7b2438d3	1404	*/
switches	0:5c4d7b2438d3	1405	if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
switches	0:5c4d7b2438d3	1406	ssl->transform_out->iv_enc,
switches	0:5c4d7b2438d3	1407	ssl->transform_out->ivlen,
switches	0:5c4d7b2438d3	1408	add_data, 13,
switches	0:5c4d7b2438d3	1409	enc_msg, enc_msglen,
switches	0:5c4d7b2438d3	1410	enc_msg, &olen,
switches	0:5c4d7b2438d3	1411	enc_msg + enc_msglen, taglen ) ) != 0 )
switches	0:5c4d7b2438d3	1412	{
switches	0:5c4d7b2438d3	1413	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
switches	0:5c4d7b2438d3	1414	return( ret );
switches	0:5c4d7b2438d3	1415	}
switches	0:5c4d7b2438d3	1416
switches	0:5c4d7b2438d3	1417	if( olen != enc_msglen )
switches	0:5c4d7b2438d3	1418	{
switches	0:5c4d7b2438d3	1419	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1420	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1421	}
switches	0:5c4d7b2438d3	1422
switches	0:5c4d7b2438d3	1423	ssl->out_msglen += taglen;
switches	0:5c4d7b2438d3	1424	auth_done++;
switches	0:5c4d7b2438d3	1425
switches	0:5c4d7b2438d3	1426	MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
switches	0:5c4d7b2438d3	1427	}
switches	0:5c4d7b2438d3	1428	else
switches	0:5c4d7b2438d3	1429	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
switches	0:5c4d7b2438d3	1430	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
switches	0:5c4d7b2438d3	1431	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) )
switches	0:5c4d7b2438d3	1432	if( mode == MBEDTLS_MODE_CBC )
switches	0:5c4d7b2438d3	1433	{
switches	0:5c4d7b2438d3	1434	int ret;
switches	0:5c4d7b2438d3	1435	unsigned char *enc_msg;
switches	0:5c4d7b2438d3	1436	size_t enc_msglen, padlen, olen = 0, i;
switches	0:5c4d7b2438d3	1437
switches	0:5c4d7b2438d3	1438	padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
switches	0:5c4d7b2438d3	1439	ssl->transform_out->ivlen;
switches	0:5c4d7b2438d3	1440	if( padlen == ssl->transform_out->ivlen )
switches	0:5c4d7b2438d3	1441	padlen = 0;
switches	0:5c4d7b2438d3	1442
switches	0:5c4d7b2438d3	1443	for( i = 0; i <= padlen; i++ )
switches	0:5c4d7b2438d3	1444	ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
switches	0:5c4d7b2438d3	1445
switches	0:5c4d7b2438d3	1446	ssl->out_msglen += padlen + 1;
switches	0:5c4d7b2438d3	1447
switches	0:5c4d7b2438d3	1448	enc_msglen = ssl->out_msglen;
switches	0:5c4d7b2438d3	1449	enc_msg = ssl->out_msg;
switches	0:5c4d7b2438d3	1450
switches	0:5c4d7b2438d3	1451	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	1452	/*
switches	0:5c4d7b2438d3	1453	* Prepend per-record IV for block cipher in TLS v1.1 and up as per
switches	0:5c4d7b2438d3	1454	* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
switches	0:5c4d7b2438d3	1455	*/
switches	0:5c4d7b2438d3	1456	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	1457	{
switches	0:5c4d7b2438d3	1458	/*
switches	0:5c4d7b2438d3	1459	* Generate IV
switches	0:5c4d7b2438d3	1460	*/
switches	0:5c4d7b2438d3	1461	ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
switches	0:5c4d7b2438d3	1462	ssl->transform_out->ivlen );
switches	0:5c4d7b2438d3	1463	if( ret != 0 )
switches	0:5c4d7b2438d3	1464	return( ret );
switches	0:5c4d7b2438d3	1465
switches	0:5c4d7b2438d3	1466	memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
switches	0:5c4d7b2438d3	1467	ssl->transform_out->ivlen );
switches	0:5c4d7b2438d3	1468
switches	0:5c4d7b2438d3	1469	/*
switches	0:5c4d7b2438d3	1470	* Fix pointer positions and message length with added IV
switches	0:5c4d7b2438d3	1471	*/
switches	0:5c4d7b2438d3	1472	enc_msg = ssl->out_msg;
switches	0:5c4d7b2438d3	1473	enc_msglen = ssl->out_msglen;
switches	0:5c4d7b2438d3	1474	ssl->out_msglen += ssl->transform_out->ivlen;
switches	0:5c4d7b2438d3	1475	}
switches	0:5c4d7b2438d3	1476	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	1477
switches	0:5c4d7b2438d3	1478	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
switches	0:5c4d7b2438d3	1479	"including %d bytes of IV and %d bytes of padding",
switches	0:5c4d7b2438d3	1480	ssl->out_msglen, ssl->transform_out->ivlen,
switches	0:5c4d7b2438d3	1481	padlen + 1 ) );
switches	0:5c4d7b2438d3	1482
switches	0:5c4d7b2438d3	1483	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
switches	0:5c4d7b2438d3	1484	ssl->transform_out->iv_enc,
switches	0:5c4d7b2438d3	1485	ssl->transform_out->ivlen,
switches	0:5c4d7b2438d3	1486	enc_msg, enc_msglen,
switches	0:5c4d7b2438d3	1487	enc_msg, &olen ) ) != 0 )
switches	0:5c4d7b2438d3	1488	{
switches	0:5c4d7b2438d3	1489	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
switches	0:5c4d7b2438d3	1490	return( ret );
switches	0:5c4d7b2438d3	1491	}
switches	0:5c4d7b2438d3	1492
switches	0:5c4d7b2438d3	1493	if( enc_msglen != olen )
switches	0:5c4d7b2438d3	1494	{
switches	0:5c4d7b2438d3	1495	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1496	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1497	}
switches	0:5c4d7b2438d3	1498
switches	0:5c4d7b2438d3	1499	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
switches	0:5c4d7b2438d3	1500	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	1501	{
switches	0:5c4d7b2438d3	1502	/*
switches	0:5c4d7b2438d3	1503	* Save IV in SSL3 and TLS1
switches	0:5c4d7b2438d3	1504	*/
switches	0:5c4d7b2438d3	1505	memcpy( ssl->transform_out->iv_enc,
switches	0:5c4d7b2438d3	1506	ssl->transform_out->cipher_ctx_enc.iv,
switches	0:5c4d7b2438d3	1507	ssl->transform_out->ivlen );
switches	0:5c4d7b2438d3	1508	}
switches	0:5c4d7b2438d3	1509	#endif
switches	0:5c4d7b2438d3	1510
switches	0:5c4d7b2438d3	1511	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
switches	0:5c4d7b2438d3	1512	if( auth_done == 0 )
switches	0:5c4d7b2438d3	1513	{
switches	0:5c4d7b2438d3	1514	/*
switches	0:5c4d7b2438d3	1515	* MAC(MAC_write_key, seq_num +
switches	0:5c4d7b2438d3	1516	* TLSCipherText.type +
switches	0:5c4d7b2438d3	1517	* TLSCipherText.version +
switches	0:5c4d7b2438d3	1518	* length_of( (IV +) ENC(...) ) +
switches	0:5c4d7b2438d3	1519	* IV + // except for TLS 1.0
switches	0:5c4d7b2438d3	1520	* ENC(content + padding + padding_length));
switches	0:5c4d7b2438d3	1521	*/
switches	0:5c4d7b2438d3	1522	unsigned char pseudo_hdr[13];
switches	0:5c4d7b2438d3	1523
switches	0:5c4d7b2438d3	1524	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
switches	0:5c4d7b2438d3	1525
switches	0:5c4d7b2438d3	1526	memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
switches	0:5c4d7b2438d3	1527	memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
switches	0:5c4d7b2438d3	1528	pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
switches	0:5c4d7b2438d3	1529	pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
switches	0:5c4d7b2438d3	1530
switches	0:5c4d7b2438d3	1531	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
switches	0:5c4d7b2438d3	1532
switches	0:5c4d7b2438d3	1533	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
switches	0:5c4d7b2438d3	1534	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
switches	0:5c4d7b2438d3	1535	ssl->out_iv, ssl->out_msglen );
switches	0:5c4d7b2438d3	1536	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
switches	0:5c4d7b2438d3	1537	ssl->out_iv + ssl->out_msglen );
switches	0:5c4d7b2438d3	1538	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
switches	0:5c4d7b2438d3	1539
switches	0:5c4d7b2438d3	1540	ssl->out_msglen += ssl->transform_out->maclen;
switches	0:5c4d7b2438d3	1541	auth_done++;
switches	0:5c4d7b2438d3	1542	}
switches	0:5c4d7b2438d3	1543	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
switches	0:5c4d7b2438d3	1544	}
switches	0:5c4d7b2438d3	1545	else
switches	0:5c4d7b2438d3	1546	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
switches	0:5c4d7b2438d3	1547	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C ) */
switches	0:5c4d7b2438d3	1548	{
switches	0:5c4d7b2438d3	1549	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1550	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1551	}
switches	0:5c4d7b2438d3	1552
switches	0:5c4d7b2438d3	1553	/* Make extra sure authentication was performed, exactly once */
switches	0:5c4d7b2438d3	1554	if( auth_done != 1 )
switches	0:5c4d7b2438d3	1555	{
switches	0:5c4d7b2438d3	1556	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1557	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1558	}
switches	0:5c4d7b2438d3	1559
switches	0:5c4d7b2438d3	1560	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
switches	0:5c4d7b2438d3	1561
switches	0:5c4d7b2438d3	1562	return( 0 );
switches	0:5c4d7b2438d3	1563	}
switches	0:5c4d7b2438d3	1564
switches	0:5c4d7b2438d3	1565	#define SSL_MAX_MAC_SIZE 48
switches	0:5c4d7b2438d3	1566
switches	0:5c4d7b2438d3	1567	static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	1568	{
switches	0:5c4d7b2438d3	1569	size_t i;
switches	0:5c4d7b2438d3	1570	mbedtls_cipher_mode_t mode;
switches	0:5c4d7b2438d3	1571	int auth_done = 0;
switches	0:5c4d7b2438d3	1572	#if defined(SSL_SOME_MODES_USE_MAC)
switches	0:5c4d7b2438d3	1573	size_t padlen = 0, correct = 1;
switches	0:5c4d7b2438d3	1574	#endif
switches	0:5c4d7b2438d3	1575
switches	0:5c4d7b2438d3	1576	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
switches	0:5c4d7b2438d3	1577
switches	0:5c4d7b2438d3	1578	if( ssl->session_in == NULL \|\| ssl->transform_in == NULL )
switches	0:5c4d7b2438d3	1579	{
switches	0:5c4d7b2438d3	1580	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1581	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1582	}
switches	0:5c4d7b2438d3	1583
switches	0:5c4d7b2438d3	1584	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
switches	0:5c4d7b2438d3	1585
switches	0:5c4d7b2438d3	1586	if( ssl->in_msglen < ssl->transform_in->minlen )
switches	0:5c4d7b2438d3	1587	{
switches	0:5c4d7b2438d3	1588	MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
switches	0:5c4d7b2438d3	1589	ssl->in_msglen, ssl->transform_in->minlen ) );
switches	0:5c4d7b2438d3	1590	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	1591	}
switches	0:5c4d7b2438d3	1592
switches	0:5c4d7b2438d3	1593	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
switches	0:5c4d7b2438d3	1594	if( mode == MBEDTLS_MODE_STREAM )
switches	0:5c4d7b2438d3	1595	{
switches	0:5c4d7b2438d3	1596	int ret;
switches	0:5c4d7b2438d3	1597	size_t olen = 0;
switches	0:5c4d7b2438d3	1598
switches	0:5c4d7b2438d3	1599	padlen = 0;
switches	0:5c4d7b2438d3	1600
switches	0:5c4d7b2438d3	1601	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
switches	0:5c4d7b2438d3	1602	ssl->transform_in->iv_dec,
switches	0:5c4d7b2438d3	1603	ssl->transform_in->ivlen,
switches	0:5c4d7b2438d3	1604	ssl->in_msg, ssl->in_msglen,
switches	0:5c4d7b2438d3	1605	ssl->in_msg, &olen ) ) != 0 )
switches	0:5c4d7b2438d3	1606	{
switches	0:5c4d7b2438d3	1607	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
switches	0:5c4d7b2438d3	1608	return( ret );
switches	0:5c4d7b2438d3	1609	}
switches	0:5c4d7b2438d3	1610
switches	0:5c4d7b2438d3	1611	if( ssl->in_msglen != olen )
switches	0:5c4d7b2438d3	1612	{
switches	0:5c4d7b2438d3	1613	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1614	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1615	}
switches	0:5c4d7b2438d3	1616	}
switches	0:5c4d7b2438d3	1617	else
switches	0:5c4d7b2438d3	1618	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
switches	0:5c4d7b2438d3	1619	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CCM_C)
switches	0:5c4d7b2438d3	1620	if( mode == MBEDTLS_MODE_GCM \|\|
switches	0:5c4d7b2438d3	1621	mode == MBEDTLS_MODE_CCM )
switches	0:5c4d7b2438d3	1622	{
switches	0:5c4d7b2438d3	1623	int ret;
switches	0:5c4d7b2438d3	1624	size_t dec_msglen, olen;
switches	0:5c4d7b2438d3	1625	unsigned char *dec_msg;
switches	0:5c4d7b2438d3	1626	unsigned char *dec_msg_result;
switches	0:5c4d7b2438d3	1627	unsigned char add_data[13];
switches	0:5c4d7b2438d3	1628	unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
switches	0:5c4d7b2438d3	1629	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
switches	0:5c4d7b2438d3	1630	size_t explicit_iv_len = ssl->transform_in->ivlen -
switches	0:5c4d7b2438d3	1631	ssl->transform_in->fixed_ivlen;
switches	0:5c4d7b2438d3	1632
switches	0:5c4d7b2438d3	1633	if( ssl->in_msglen < explicit_iv_len + taglen )
switches	0:5c4d7b2438d3	1634	{
switches	0:5c4d7b2438d3	1635	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
switches	0:5c4d7b2438d3	1636	"+ taglen (%d)", ssl->in_msglen,
switches	0:5c4d7b2438d3	1637	explicit_iv_len, taglen ) );
switches	0:5c4d7b2438d3	1638	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	1639	}
switches	0:5c4d7b2438d3	1640	dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
switches	0:5c4d7b2438d3	1641
switches	0:5c4d7b2438d3	1642	dec_msg = ssl->in_msg;
switches	0:5c4d7b2438d3	1643	dec_msg_result = ssl->in_msg;
switches	0:5c4d7b2438d3	1644	ssl->in_msglen = dec_msglen;
switches	0:5c4d7b2438d3	1645
switches	0:5c4d7b2438d3	1646	memcpy( add_data, ssl->in_ctr, 8 );
switches	0:5c4d7b2438d3	1647	add_data[8] = ssl->in_msgtype;
switches	0:5c4d7b2438d3	1648	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
switches	0:5c4d7b2438d3	1649	ssl->conf->transport, add_data + 9 );
switches	0:5c4d7b2438d3	1650	add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
switches	0:5c4d7b2438d3	1651	add_data[12] = ssl->in_msglen & 0xFF;
switches	0:5c4d7b2438d3	1652
switches	0:5c4d7b2438d3	1653	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
switches	0:5c4d7b2438d3	1654	add_data, 13 );
switches	0:5c4d7b2438d3	1655
switches	0:5c4d7b2438d3	1656	memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
switches	0:5c4d7b2438d3	1657	ssl->in_iv,
switches	0:5c4d7b2438d3	1658	ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
switches	0:5c4d7b2438d3	1659
switches	0:5c4d7b2438d3	1660	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
switches	0:5c4d7b2438d3	1661	ssl->transform_in->ivlen );
switches	0:5c4d7b2438d3	1662	MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
switches	0:5c4d7b2438d3	1663
switches	0:5c4d7b2438d3	1664	/*
switches	0:5c4d7b2438d3	1665	* Decrypt and authenticate
switches	0:5c4d7b2438d3	1666	*/
switches	0:5c4d7b2438d3	1667	if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
switches	0:5c4d7b2438d3	1668	ssl->transform_in->iv_dec,
switches	0:5c4d7b2438d3	1669	ssl->transform_in->ivlen,
switches	0:5c4d7b2438d3	1670	add_data, 13,
switches	0:5c4d7b2438d3	1671	dec_msg, dec_msglen,
switches	0:5c4d7b2438d3	1672	dec_msg_result, &olen,
switches	0:5c4d7b2438d3	1673	dec_msg + dec_msglen, taglen ) ) != 0 )
switches	0:5c4d7b2438d3	1674	{
switches	0:5c4d7b2438d3	1675	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
switches	0:5c4d7b2438d3	1676
switches	0:5c4d7b2438d3	1677	if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
switches	0:5c4d7b2438d3	1678	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	1679
switches	0:5c4d7b2438d3	1680	return( ret );
switches	0:5c4d7b2438d3	1681	}
switches	0:5c4d7b2438d3	1682	auth_done++;
switches	0:5c4d7b2438d3	1683
switches	0:5c4d7b2438d3	1684	if( olen != dec_msglen )
switches	0:5c4d7b2438d3	1685	{
switches	0:5c4d7b2438d3	1686	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1687	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1688	}
switches	0:5c4d7b2438d3	1689	}
switches	0:5c4d7b2438d3	1690	else
switches	0:5c4d7b2438d3	1691	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
switches	0:5c4d7b2438d3	1692	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
switches	0:5c4d7b2438d3	1693	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) )
switches	0:5c4d7b2438d3	1694	if( mode == MBEDTLS_MODE_CBC )
switches	0:5c4d7b2438d3	1695	{
switches	0:5c4d7b2438d3	1696	/*
switches	0:5c4d7b2438d3	1697	* Decrypt and check the padding
switches	0:5c4d7b2438d3	1698	*/
switches	0:5c4d7b2438d3	1699	int ret;
switches	0:5c4d7b2438d3	1700	unsigned char *dec_msg;
switches	0:5c4d7b2438d3	1701	unsigned char *dec_msg_result;
switches	0:5c4d7b2438d3	1702	size_t dec_msglen;
switches	0:5c4d7b2438d3	1703	size_t minlen = 0;
switches	0:5c4d7b2438d3	1704	size_t olen = 0;
switches	0:5c4d7b2438d3	1705
switches	0:5c4d7b2438d3	1706	/*
switches	0:5c4d7b2438d3	1707	* Check immediate ciphertext sanity
switches	0:5c4d7b2438d3	1708	*/
switches	0:5c4d7b2438d3	1709	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	1710	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	1711	minlen += ssl->transform_in->ivlen;
switches	0:5c4d7b2438d3	1712	#endif
switches	0:5c4d7b2438d3	1713
switches	0:5c4d7b2438d3	1714	if( ssl->in_msglen < minlen + ssl->transform_in->ivlen \|\|
switches	0:5c4d7b2438d3	1715	ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
switches	0:5c4d7b2438d3	1716	{
switches	0:5c4d7b2438d3	1717	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
switches	0:5c4d7b2438d3	1718	"+ 1 ) ( + expl IV )", ssl->in_msglen,
switches	0:5c4d7b2438d3	1719	ssl->transform_in->ivlen,
switches	0:5c4d7b2438d3	1720	ssl->transform_in->maclen ) );
switches	0:5c4d7b2438d3	1721	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	1722	}
switches	0:5c4d7b2438d3	1723
switches	0:5c4d7b2438d3	1724	dec_msglen = ssl->in_msglen;
switches	0:5c4d7b2438d3	1725	dec_msg = ssl->in_msg;
switches	0:5c4d7b2438d3	1726	dec_msg_result = ssl->in_msg;
switches	0:5c4d7b2438d3	1727
switches	0:5c4d7b2438d3	1728	/*
switches	0:5c4d7b2438d3	1729	* Authenticate before decrypt if enabled
switches	0:5c4d7b2438d3	1730	*/
switches	0:5c4d7b2438d3	1731	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
switches	0:5c4d7b2438d3	1732	if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
switches	0:5c4d7b2438d3	1733	{
switches	0:5c4d7b2438d3	1734	unsigned char computed_mac[SSL_MAX_MAC_SIZE];
switches	0:5c4d7b2438d3	1735	unsigned char pseudo_hdr[13];
switches	0:5c4d7b2438d3	1736
switches	0:5c4d7b2438d3	1737	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
switches	0:5c4d7b2438d3	1738
switches	0:5c4d7b2438d3	1739	dec_msglen -= ssl->transform_in->maclen;
switches	0:5c4d7b2438d3	1740	ssl->in_msglen -= ssl->transform_in->maclen;
switches	0:5c4d7b2438d3	1741
switches	0:5c4d7b2438d3	1742	memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
switches	0:5c4d7b2438d3	1743	memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
switches	0:5c4d7b2438d3	1744	pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
switches	0:5c4d7b2438d3	1745	pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
switches	0:5c4d7b2438d3	1746
switches	0:5c4d7b2438d3	1747	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
switches	0:5c4d7b2438d3	1748
switches	0:5c4d7b2438d3	1749	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
switches	0:5c4d7b2438d3	1750	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
switches	0:5c4d7b2438d3	1751	ssl->in_iv, ssl->in_msglen );
switches	0:5c4d7b2438d3	1752	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
switches	0:5c4d7b2438d3	1753	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
switches	0:5c4d7b2438d3	1754
switches	0:5c4d7b2438d3	1755	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
switches	0:5c4d7b2438d3	1756	ssl->transform_in->maclen );
switches	0:5c4d7b2438d3	1757	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
switches	0:5c4d7b2438d3	1758	ssl->transform_in->maclen );
switches	0:5c4d7b2438d3	1759
switches	0:5c4d7b2438d3	1760	if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
switches	0:5c4d7b2438d3	1761	ssl->transform_in->maclen ) != 0 )
switches	0:5c4d7b2438d3	1762	{
switches	0:5c4d7b2438d3	1763	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
switches	0:5c4d7b2438d3	1764
switches	0:5c4d7b2438d3	1765	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	1766	}
switches	0:5c4d7b2438d3	1767	auth_done++;
switches	0:5c4d7b2438d3	1768	}
switches	0:5c4d7b2438d3	1769	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
switches	0:5c4d7b2438d3	1770
switches	0:5c4d7b2438d3	1771	/*
switches	0:5c4d7b2438d3	1772	* Check length sanity
switches	0:5c4d7b2438d3	1773	*/
switches	0:5c4d7b2438d3	1774	if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
switches	0:5c4d7b2438d3	1775	{
switches	0:5c4d7b2438d3	1776	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
switches	0:5c4d7b2438d3	1777	ssl->in_msglen, ssl->transform_in->ivlen ) );
switches	0:5c4d7b2438d3	1778	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	1779	}
switches	0:5c4d7b2438d3	1780
switches	0:5c4d7b2438d3	1781	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	1782	/*
switches	0:5c4d7b2438d3	1783	* Initialize for prepended IV for block cipher in TLS v1.1 and up
switches	0:5c4d7b2438d3	1784	*/
switches	0:5c4d7b2438d3	1785	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	1786	{
switches	0:5c4d7b2438d3	1787	dec_msglen -= ssl->transform_in->ivlen;
switches	0:5c4d7b2438d3	1788	ssl->in_msglen -= ssl->transform_in->ivlen;
switches	0:5c4d7b2438d3	1789
switches	0:5c4d7b2438d3	1790	for( i = 0; i < ssl->transform_in->ivlen; i++ )
switches	0:5c4d7b2438d3	1791	ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
switches	0:5c4d7b2438d3	1792	}
switches	0:5c4d7b2438d3	1793	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	1794
switches	0:5c4d7b2438d3	1795	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
switches	0:5c4d7b2438d3	1796	ssl->transform_in->iv_dec,
switches	0:5c4d7b2438d3	1797	ssl->transform_in->ivlen,
switches	0:5c4d7b2438d3	1798	dec_msg, dec_msglen,
switches	0:5c4d7b2438d3	1799	dec_msg_result, &olen ) ) != 0 )
switches	0:5c4d7b2438d3	1800	{
switches	0:5c4d7b2438d3	1801	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
switches	0:5c4d7b2438d3	1802	return( ret );
switches	0:5c4d7b2438d3	1803	}
switches	0:5c4d7b2438d3	1804
switches	0:5c4d7b2438d3	1805	if( dec_msglen != olen )
switches	0:5c4d7b2438d3	1806	{
switches	0:5c4d7b2438d3	1807	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1808	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1809	}
switches	0:5c4d7b2438d3	1810
switches	0:5c4d7b2438d3	1811	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
switches	0:5c4d7b2438d3	1812	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	1813	{
switches	0:5c4d7b2438d3	1814	/*
switches	0:5c4d7b2438d3	1815	* Save IV in SSL3 and TLS1
switches	0:5c4d7b2438d3	1816	*/
switches	0:5c4d7b2438d3	1817	memcpy( ssl->transform_in->iv_dec,
switches	0:5c4d7b2438d3	1818	ssl->transform_in->cipher_ctx_dec.iv,
switches	0:5c4d7b2438d3	1819	ssl->transform_in->ivlen );
switches	0:5c4d7b2438d3	1820	}
switches	0:5c4d7b2438d3	1821	#endif
switches	0:5c4d7b2438d3	1822
switches	0:5c4d7b2438d3	1823	padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
switches	0:5c4d7b2438d3	1824
switches	0:5c4d7b2438d3	1825	if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
switches	0:5c4d7b2438d3	1826	auth_done == 0 )
switches	0:5c4d7b2438d3	1827	{
switches	0:5c4d7b2438d3	1828	#if defined(MBEDTLS_SSL_DEBUG_ALL)
switches	0:5c4d7b2438d3	1829	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
switches	0:5c4d7b2438d3	1830	ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
switches	0:5c4d7b2438d3	1831	#endif
switches	0:5c4d7b2438d3	1832	padlen = 0;
switches	0:5c4d7b2438d3	1833	correct = 0;
switches	0:5c4d7b2438d3	1834	}
switches	0:5c4d7b2438d3	1835
switches	0:5c4d7b2438d3	1836	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	1837	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	1838	{
switches	0:5c4d7b2438d3	1839	if( padlen > ssl->transform_in->ivlen )
switches	0:5c4d7b2438d3	1840	{
switches	0:5c4d7b2438d3	1841	#if defined(MBEDTLS_SSL_DEBUG_ALL)
switches	0:5c4d7b2438d3	1842	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
switches	0:5c4d7b2438d3	1843	"should be no more than %d",
switches	0:5c4d7b2438d3	1844	padlen, ssl->transform_in->ivlen ) );
switches	0:5c4d7b2438d3	1845	#endif
switches	0:5c4d7b2438d3	1846	correct = 0;
switches	0:5c4d7b2438d3	1847	}
switches	0:5c4d7b2438d3	1848	}
switches	0:5c4d7b2438d3	1849	else
switches	0:5c4d7b2438d3	1850	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	1851	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
switches	0:5c4d7b2438d3	1852	defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	1853	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	1854	{
switches	0:5c4d7b2438d3	1855	/*
switches	0:5c4d7b2438d3	1856	* TLSv1+: always check the padding up to the first failure
switches	0:5c4d7b2438d3	1857	* and fake check up to 256 bytes of padding
switches	0:5c4d7b2438d3	1858	*/
switches	0:5c4d7b2438d3	1859	size_t pad_count = 0, real_count = 1;
switches	0:5c4d7b2438d3	1860	size_t padding_idx = ssl->in_msglen - padlen - 1;
switches	0:5c4d7b2438d3	1861
switches	0:5c4d7b2438d3	1862	/*
switches	0:5c4d7b2438d3	1863	* Padding is guaranteed to be incorrect if:
switches	0:5c4d7b2438d3	1864	* 1. padlen >= ssl->in_msglen
switches	0:5c4d7b2438d3	1865	*
switches	0:5c4d7b2438d3	1866	* 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
switches	0:5c4d7b2438d3	1867	* ssl->transform_in->maclen
switches	0:5c4d7b2438d3	1868	*
switches	0:5c4d7b2438d3	1869	* In both cases we reset padding_idx to a safe value (0) to
switches	0:5c4d7b2438d3	1870	* prevent out-of-buffer reads.
switches	0:5c4d7b2438d3	1871	*/
switches	0:5c4d7b2438d3	1872	correct &= ( ssl->in_msglen >= padlen + 1 );
switches	0:5c4d7b2438d3	1873	correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
switches	0:5c4d7b2438d3	1874	ssl->transform_in->maclen );
switches	0:5c4d7b2438d3	1875
switches	0:5c4d7b2438d3	1876	padding_idx *= correct;
switches	0:5c4d7b2438d3	1877
switches	0:5c4d7b2438d3	1878	for( i = 1; i <= 256; i++ )
switches	0:5c4d7b2438d3	1879	{
switches	0:5c4d7b2438d3	1880	real_count &= ( i <= padlen );
switches	0:5c4d7b2438d3	1881	pad_count += real_count *
switches	0:5c4d7b2438d3	1882	( ssl->in_msg[padding_idx + i] == padlen - 1 );
switches	0:5c4d7b2438d3	1883	}
switches	0:5c4d7b2438d3	1884
switches	0:5c4d7b2438d3	1885	correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
switches	0:5c4d7b2438d3	1886
switches	0:5c4d7b2438d3	1887	#if defined(MBEDTLS_SSL_DEBUG_ALL)
switches	0:5c4d7b2438d3	1888	if( padlen > 0 && correct == 0 )
switches	0:5c4d7b2438d3	1889	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
switches	0:5c4d7b2438d3	1890	#endif
switches	0:5c4d7b2438d3	1891	padlen &= correct * 0x1FF;
switches	0:5c4d7b2438d3	1892	}
switches	0:5c4d7b2438d3	1893	else
switches	0:5c4d7b2438d3	1894	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
switches	0:5c4d7b2438d3	1895	MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	1896	{
switches	0:5c4d7b2438d3	1897	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1898	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1899	}
switches	0:5c4d7b2438d3	1900
switches	0:5c4d7b2438d3	1901	ssl->in_msglen -= padlen;
switches	0:5c4d7b2438d3	1902	}
switches	0:5c4d7b2438d3	1903	else
switches	0:5c4d7b2438d3	1904	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
switches	0:5c4d7b2438d3	1905	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C ) */
switches	0:5c4d7b2438d3	1906	{
switches	0:5c4d7b2438d3	1907	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1908	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1909	}
switches	0:5c4d7b2438d3	1910
switches	0:5c4d7b2438d3	1911	MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
switches	0:5c4d7b2438d3	1912	ssl->in_msg, ssl->in_msglen );
switches	0:5c4d7b2438d3	1913
switches	0:5c4d7b2438d3	1914	/*
switches	0:5c4d7b2438d3	1915	* Authenticate if not done yet.
switches	0:5c4d7b2438d3	1916	* Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
switches	0:5c4d7b2438d3	1917	*/
switches	0:5c4d7b2438d3	1918	#if defined(SSL_SOME_MODES_USE_MAC)
switches	0:5c4d7b2438d3	1919	if( auth_done == 0 )
switches	0:5c4d7b2438d3	1920	{
switches	0:5c4d7b2438d3	1921	unsigned char tmp[SSL_MAX_MAC_SIZE];
switches	0:5c4d7b2438d3	1922
switches	0:5c4d7b2438d3	1923	ssl->in_msglen -= ssl->transform_in->maclen;
switches	0:5c4d7b2438d3	1924
switches	0:5c4d7b2438d3	1925	ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
switches	0:5c4d7b2438d3	1926	ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
switches	0:5c4d7b2438d3	1927
switches	0:5c4d7b2438d3	1928	memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
switches	0:5c4d7b2438d3	1929
switches	0:5c4d7b2438d3	1930	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	1931	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	1932	{
switches	0:5c4d7b2438d3	1933	ssl_mac( &ssl->transform_in->md_ctx_dec,
switches	0:5c4d7b2438d3	1934	ssl->transform_in->mac_dec,
switches	0:5c4d7b2438d3	1935	ssl->in_msg, ssl->in_msglen,
switches	0:5c4d7b2438d3	1936	ssl->in_ctr, ssl->in_msgtype );
switches	0:5c4d7b2438d3	1937	}
switches	0:5c4d7b2438d3	1938	else
switches	0:5c4d7b2438d3	1939	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	1940	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
switches	0:5c4d7b2438d3	1941	defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	1942	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	1943	{
switches	0:5c4d7b2438d3	1944	/*
switches	0:5c4d7b2438d3	1945	* Process MAC and always update for padlen afterwards to make
switches	0:5c4d7b2438d3	1946	* total time independent of padlen
switches	0:5c4d7b2438d3	1947	*
switches	0:5c4d7b2438d3	1948	* extra_run compensates MAC check for padlen
switches	0:5c4d7b2438d3	1949	*
switches	0:5c4d7b2438d3	1950	* Known timing attacks:
switches	0:5c4d7b2438d3	1951	* - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
switches	0:5c4d7b2438d3	1952	*
switches	0:5c4d7b2438d3	1953	* We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
switches	0:5c4d7b2438d3	1954	* correctly. (We round down instead of up, so -56 is the correct
switches	0:5c4d7b2438d3	1955	* value for our calculations instead of -55)
switches	0:5c4d7b2438d3	1956	*/
switches	0:5c4d7b2438d3	1957	size_t j, extra_run = 0;
switches	0:5c4d7b2438d3	1958	extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
switches	0:5c4d7b2438d3	1959	( 13 + ssl->in_msglen + 8 ) / 64;
switches	0:5c4d7b2438d3	1960
switches	0:5c4d7b2438d3	1961	extra_run &= correct * 0xFF;
switches	0:5c4d7b2438d3	1962
switches	0:5c4d7b2438d3	1963	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
switches	0:5c4d7b2438d3	1964	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
switches	0:5c4d7b2438d3	1965	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
switches	0:5c4d7b2438d3	1966	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
switches	0:5c4d7b2438d3	1967	ssl->in_msglen );
switches	0:5c4d7b2438d3	1968	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec,
switches	0:5c4d7b2438d3	1969	ssl->in_msg + ssl->in_msglen );
switches	0:5c4d7b2438d3	1970	/* Call mbedtls_md_process at least once due to cache attacks */
switches	0:5c4d7b2438d3	1971	for( j = 0; j < extra_run + 1; j++ )
switches	0:5c4d7b2438d3	1972	mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
switches	0:5c4d7b2438d3	1973
switches	0:5c4d7b2438d3	1974	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
switches	0:5c4d7b2438d3	1975	}
switches	0:5c4d7b2438d3	1976	else
switches	0:5c4d7b2438d3	1977	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
switches	0:5c4d7b2438d3	1978	MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	1979	{
switches	0:5c4d7b2438d3	1980	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	1981	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	1982	}
switches	0:5c4d7b2438d3	1983
switches	0:5c4d7b2438d3	1984	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
switches	0:5c4d7b2438d3	1985	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
switches	0:5c4d7b2438d3	1986	ssl->transform_in->maclen );
switches	0:5c4d7b2438d3	1987
switches	0:5c4d7b2438d3	1988	if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
switches	0:5c4d7b2438d3	1989	ssl->transform_in->maclen ) != 0 )
switches	0:5c4d7b2438d3	1990	{
switches	0:5c4d7b2438d3	1991	#if defined(MBEDTLS_SSL_DEBUG_ALL)
switches	0:5c4d7b2438d3	1992	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
switches	0:5c4d7b2438d3	1993	#endif
switches	0:5c4d7b2438d3	1994	correct = 0;
switches	0:5c4d7b2438d3	1995	}
switches	0:5c4d7b2438d3	1996	auth_done++;
switches	0:5c4d7b2438d3	1997
switches	0:5c4d7b2438d3	1998	/*
switches	0:5c4d7b2438d3	1999	* Finally check the correct flag
switches	0:5c4d7b2438d3	2000	*/
switches	0:5c4d7b2438d3	2001	if( correct == 0 )
switches	0:5c4d7b2438d3	2002	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	2003	}
switches	0:5c4d7b2438d3	2004	#endif /* SSL_SOME_MODES_USE_MAC */
switches	0:5c4d7b2438d3	2005
switches	0:5c4d7b2438d3	2006	/* Make extra sure authentication was performed, exactly once */
switches	0:5c4d7b2438d3	2007	if( auth_done != 1 )
switches	0:5c4d7b2438d3	2008	{
switches	0:5c4d7b2438d3	2009	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	2010	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	2011	}
switches	0:5c4d7b2438d3	2012
switches	0:5c4d7b2438d3	2013	if( ssl->in_msglen == 0 )
switches	0:5c4d7b2438d3	2014	{
switches	0:5c4d7b2438d3	2015	ssl->nb_zero++;
switches	0:5c4d7b2438d3	2016
switches	0:5c4d7b2438d3	2017	/*
switches	0:5c4d7b2438d3	2018	* Three or more empty messages may be a DoS attack
switches	0:5c4d7b2438d3	2019	* (excessive CPU consumption).
switches	0:5c4d7b2438d3	2020	*/
switches	0:5c4d7b2438d3	2021	if( ssl->nb_zero > 3 )
switches	0:5c4d7b2438d3	2022	{
switches	0:5c4d7b2438d3	2023	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
switches	0:5c4d7b2438d3	2024	"messages, possible DoS attack" ) );
switches	0:5c4d7b2438d3	2025	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	2026	}
switches	0:5c4d7b2438d3	2027	}
switches	0:5c4d7b2438d3	2028	else
switches	0:5c4d7b2438d3	2029	ssl->nb_zero = 0;
switches	0:5c4d7b2438d3	2030
switches	0:5c4d7b2438d3	2031	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2032	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	2033	{
switches	0:5c4d7b2438d3	2034	; /* in_ctr read from peer, not maintained internally */
switches	0:5c4d7b2438d3	2035	}
switches	0:5c4d7b2438d3	2036	else
switches	0:5c4d7b2438d3	2037	#endif
switches	0:5c4d7b2438d3	2038	{
switches	0:5c4d7b2438d3	2039	for( i = 8; i > ssl_ep_len( ssl ); i-- )
switches	0:5c4d7b2438d3	2040	if( ++ssl->in_ctr[i - 1] != 0 )
switches	0:5c4d7b2438d3	2041	break;
switches	0:5c4d7b2438d3	2042
switches	0:5c4d7b2438d3	2043	/* The loop goes to its end iff the counter is wrapping */
switches	0:5c4d7b2438d3	2044	if( i == ssl_ep_len( ssl ) )
switches	0:5c4d7b2438d3	2045	{
switches	0:5c4d7b2438d3	2046	MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
switches	0:5c4d7b2438d3	2047	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
switches	0:5c4d7b2438d3	2048	}
switches	0:5c4d7b2438d3	2049	}
switches	0:5c4d7b2438d3	2050
switches	0:5c4d7b2438d3	2051	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
switches	0:5c4d7b2438d3	2052
switches	0:5c4d7b2438d3	2053	return( 0 );
switches	0:5c4d7b2438d3	2054	}
switches	0:5c4d7b2438d3	2055
switches	0:5c4d7b2438d3	2056	#undef MAC_NONE
switches	0:5c4d7b2438d3	2057	#undef MAC_PLAINTEXT
switches	0:5c4d7b2438d3	2058	#undef MAC_CIPHERTEXT
switches	0:5c4d7b2438d3	2059
switches	0:5c4d7b2438d3	2060	#if defined(MBEDTLS_ZLIB_SUPPORT)
switches	0:5c4d7b2438d3	2061	/*
switches	0:5c4d7b2438d3	2062	* Compression/decompression functions
switches	0:5c4d7b2438d3	2063	*/
switches	0:5c4d7b2438d3	2064	static int ssl_compress_buf( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2065	{
switches	0:5c4d7b2438d3	2066	int ret;
switches	0:5c4d7b2438d3	2067	unsigned char *msg_post = ssl->out_msg;
switches	0:5c4d7b2438d3	2068	size_t len_pre = ssl->out_msglen;
switches	0:5c4d7b2438d3	2069	unsigned char *msg_pre = ssl->compress_buf;
switches	0:5c4d7b2438d3	2070
switches	0:5c4d7b2438d3	2071	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
switches	0:5c4d7b2438d3	2072
switches	0:5c4d7b2438d3	2073	if( len_pre == 0 )
switches	0:5c4d7b2438d3	2074	return( 0 );
switches	0:5c4d7b2438d3	2075
switches	0:5c4d7b2438d3	2076	memcpy( msg_pre, ssl->out_msg, len_pre );
switches	0:5c4d7b2438d3	2077
switches	0:5c4d7b2438d3	2078	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
switches	0:5c4d7b2438d3	2079	ssl->out_msglen ) );
switches	0:5c4d7b2438d3	2080
switches	0:5c4d7b2438d3	2081	MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
switches	0:5c4d7b2438d3	2082	ssl->out_msg, ssl->out_msglen );
switches	0:5c4d7b2438d3	2083
switches	0:5c4d7b2438d3	2084	ssl->transform_out->ctx_deflate.next_in = msg_pre;
switches	0:5c4d7b2438d3	2085	ssl->transform_out->ctx_deflate.avail_in = len_pre;
switches	0:5c4d7b2438d3	2086	ssl->transform_out->ctx_deflate.next_out = msg_post;
switches	0:5c4d7b2438d3	2087	ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN;
switches	0:5c4d7b2438d3	2088
switches	0:5c4d7b2438d3	2089	ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
switches	0:5c4d7b2438d3	2090	if( ret != Z_OK )
switches	0:5c4d7b2438d3	2091	{
switches	0:5c4d7b2438d3	2092	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
switches	0:5c4d7b2438d3	2093	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
switches	0:5c4d7b2438d3	2094	}
switches	0:5c4d7b2438d3	2095
switches	0:5c4d7b2438d3	2096	ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
switches	0:5c4d7b2438d3	2097	ssl->transform_out->ctx_deflate.avail_out;
switches	0:5c4d7b2438d3	2098
switches	0:5c4d7b2438d3	2099	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
switches	0:5c4d7b2438d3	2100	ssl->out_msglen ) );
switches	0:5c4d7b2438d3	2101
switches	0:5c4d7b2438d3	2102	MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
switches	0:5c4d7b2438d3	2103	ssl->out_msg, ssl->out_msglen );
switches	0:5c4d7b2438d3	2104
switches	0:5c4d7b2438d3	2105	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
switches	0:5c4d7b2438d3	2106
switches	0:5c4d7b2438d3	2107	return( 0 );
switches	0:5c4d7b2438d3	2108	}
switches	0:5c4d7b2438d3	2109
switches	0:5c4d7b2438d3	2110	static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2111	{
switches	0:5c4d7b2438d3	2112	int ret;
switches	0:5c4d7b2438d3	2113	unsigned char *msg_post = ssl->in_msg;
switches	0:5c4d7b2438d3	2114	size_t len_pre = ssl->in_msglen;
switches	0:5c4d7b2438d3	2115	unsigned char *msg_pre = ssl->compress_buf;
switches	0:5c4d7b2438d3	2116
switches	0:5c4d7b2438d3	2117	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
switches	0:5c4d7b2438d3	2118
switches	0:5c4d7b2438d3	2119	if( len_pre == 0 )
switches	0:5c4d7b2438d3	2120	return( 0 );
switches	0:5c4d7b2438d3	2121
switches	0:5c4d7b2438d3	2122	memcpy( msg_pre, ssl->in_msg, len_pre );
switches	0:5c4d7b2438d3	2123
switches	0:5c4d7b2438d3	2124	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
switches	0:5c4d7b2438d3	2125	ssl->in_msglen ) );
switches	0:5c4d7b2438d3	2126
switches	0:5c4d7b2438d3	2127	MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
switches	0:5c4d7b2438d3	2128	ssl->in_msg, ssl->in_msglen );
switches	0:5c4d7b2438d3	2129
switches	0:5c4d7b2438d3	2130	ssl->transform_in->ctx_inflate.next_in = msg_pre;
switches	0:5c4d7b2438d3	2131	ssl->transform_in->ctx_inflate.avail_in = len_pre;
switches	0:5c4d7b2438d3	2132	ssl->transform_in->ctx_inflate.next_out = msg_post;
switches	0:5c4d7b2438d3	2133	ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN;
switches	0:5c4d7b2438d3	2134
switches	0:5c4d7b2438d3	2135	ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
switches	0:5c4d7b2438d3	2136	if( ret != Z_OK )
switches	0:5c4d7b2438d3	2137	{
switches	0:5c4d7b2438d3	2138	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
switches	0:5c4d7b2438d3	2139	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
switches	0:5c4d7b2438d3	2140	}
switches	0:5c4d7b2438d3	2141
switches	0:5c4d7b2438d3	2142	ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN -
switches	0:5c4d7b2438d3	2143	ssl->transform_in->ctx_inflate.avail_out;
switches	0:5c4d7b2438d3	2144
switches	0:5c4d7b2438d3	2145	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
switches	0:5c4d7b2438d3	2146	ssl->in_msglen ) );
switches	0:5c4d7b2438d3	2147
switches	0:5c4d7b2438d3	2148	MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
switches	0:5c4d7b2438d3	2149	ssl->in_msg, ssl->in_msglen );
switches	0:5c4d7b2438d3	2150
switches	0:5c4d7b2438d3	2151	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
switches	0:5c4d7b2438d3	2152
switches	0:5c4d7b2438d3	2153	return( 0 );
switches	0:5c4d7b2438d3	2154	}
switches	0:5c4d7b2438d3	2155	#endif /* MBEDTLS_ZLIB_SUPPORT */
switches	0:5c4d7b2438d3	2156
switches	0:5c4d7b2438d3	2157	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	2158	static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
switches	0:5c4d7b2438d3	2159
switches	0:5c4d7b2438d3	2160	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2161	static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2162	{
switches	0:5c4d7b2438d3	2163	/* If renegotiation is not enforced, retransmit until we would reach max
switches	0:5c4d7b2438d3	2164	* timeout if we were using the usual handshake doubling scheme */
switches	0:5c4d7b2438d3	2165	if( ssl->conf->renego_max_records < 0 )
switches	0:5c4d7b2438d3	2166	{
switches	0:5c4d7b2438d3	2167	uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
switches	0:5c4d7b2438d3	2168	unsigned char doublings = 1;
switches	0:5c4d7b2438d3	2169
switches	0:5c4d7b2438d3	2170	while( ratio != 0 )
switches	0:5c4d7b2438d3	2171	{
switches	0:5c4d7b2438d3	2172	++doublings;
switches	0:5c4d7b2438d3	2173	ratio >>= 1;
switches	0:5c4d7b2438d3	2174	}
switches	0:5c4d7b2438d3	2175
switches	0:5c4d7b2438d3	2176	if( ++ssl->renego_records_seen > doublings )
switches	0:5c4d7b2438d3	2177	{
switches	0:5c4d7b2438d3	2178	MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
switches	0:5c4d7b2438d3	2179	return( 0 );
switches	0:5c4d7b2438d3	2180	}
switches	0:5c4d7b2438d3	2181	}
switches	0:5c4d7b2438d3	2182
switches	0:5c4d7b2438d3	2183	return( ssl_write_hello_request( ssl ) );
switches	0:5c4d7b2438d3	2184	}
switches	0:5c4d7b2438d3	2185	#endif
switches	0:5c4d7b2438d3	2186	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
switches	0:5c4d7b2438d3	2187
switches	0:5c4d7b2438d3	2188	/*
switches	0:5c4d7b2438d3	2189	* Fill the input message buffer by appending data to it.
switches	0:5c4d7b2438d3	2190	* The amount of data already fetched is in ssl->in_left.
switches	0:5c4d7b2438d3	2191	*
switches	0:5c4d7b2438d3	2192	* If we return 0, is it guaranteed that (at least) nb_want bytes are
switches	0:5c4d7b2438d3	2193	* available (from this read and/or a previous one). Otherwise, an error code
switches	0:5c4d7b2438d3	2194	* is returned (possibly EOF or WANT_READ).
switches	0:5c4d7b2438d3	2195	*
switches	0:5c4d7b2438d3	2196	* With stream transport (TLS) on success ssl->in_left == nb_want, but
switches	0:5c4d7b2438d3	2197	* with datagram transport (DTLS) on success ssl->in_left >= nb_want,
switches	0:5c4d7b2438d3	2198	* since we always read a whole datagram at once.
switches	0:5c4d7b2438d3	2199	*
switches	0:5c4d7b2438d3	2200	* For DTLS, it is up to the caller to set ssl->next_record_offset when
switches	0:5c4d7b2438d3	2201	* they're done reading a record.
switches	0:5c4d7b2438d3	2202	*/
switches	0:5c4d7b2438d3	2203	int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
switches	0:5c4d7b2438d3	2204	{
switches	0:5c4d7b2438d3	2205	int ret;
switches	0:5c4d7b2438d3	2206	size_t len;
switches	0:5c4d7b2438d3	2207
switches	0:5c4d7b2438d3	2208	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
switches	0:5c4d7b2438d3	2209
switches	0:5c4d7b2438d3	2210	if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
switches	0:5c4d7b2438d3	2211	{
switches	0:5c4d7b2438d3	2212	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
switches	0:5c4d7b2438d3	2213	"or mbedtls_ssl_set_bio()" ) );
switches	0:5c4d7b2438d3	2214	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	2215	}
switches	0:5c4d7b2438d3	2216
switches	0:5c4d7b2438d3	2217	if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
switches	0:5c4d7b2438d3	2218	{
switches	0:5c4d7b2438d3	2219	MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
switches	0:5c4d7b2438d3	2220	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	2221	}
switches	0:5c4d7b2438d3	2222
switches	0:5c4d7b2438d3	2223	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2224	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	2225	{
switches	0:5c4d7b2438d3	2226	uint32_t timeout;
switches	0:5c4d7b2438d3	2227
switches	0:5c4d7b2438d3	2228	/* Just to be sure */
switches	0:5c4d7b2438d3	2229	if( ssl->f_set_timer == NULL \|\| ssl->f_get_timer == NULL )
switches	0:5c4d7b2438d3	2230	{
switches	0:5c4d7b2438d3	2231	MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
switches	0:5c4d7b2438d3	2232	"mbedtls_ssl_set_timer_cb() for DTLS" ) );
switches	0:5c4d7b2438d3	2233	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	2234	}
switches	0:5c4d7b2438d3	2235
switches	0:5c4d7b2438d3	2236	/*
switches	0:5c4d7b2438d3	2237	* The point is, we need to always read a full datagram at once, so we
switches	0:5c4d7b2438d3	2238	* sometimes read more then requested, and handle the additional data.
switches	0:5c4d7b2438d3	2239	* It could be the rest of the current record (while fetching the
switches	0:5c4d7b2438d3	2240	* header) and/or some other records in the same datagram.
switches	0:5c4d7b2438d3	2241	*/
switches	0:5c4d7b2438d3	2242
switches	0:5c4d7b2438d3	2243	/*
switches	0:5c4d7b2438d3	2244	* Move to the next record in the already read datagram if applicable
switches	0:5c4d7b2438d3	2245	*/
switches	0:5c4d7b2438d3	2246	if( ssl->next_record_offset != 0 )
switches	0:5c4d7b2438d3	2247	{
switches	0:5c4d7b2438d3	2248	if( ssl->in_left < ssl->next_record_offset )
switches	0:5c4d7b2438d3	2249	{
switches	0:5c4d7b2438d3	2250	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	2251	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	2252	}
switches	0:5c4d7b2438d3	2253
switches	0:5c4d7b2438d3	2254	ssl->in_left -= ssl->next_record_offset;
switches	0:5c4d7b2438d3	2255
switches	0:5c4d7b2438d3	2256	if( ssl->in_left != 0 )
switches	0:5c4d7b2438d3	2257	{
switches	0:5c4d7b2438d3	2258	MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
switches	0:5c4d7b2438d3	2259	ssl->next_record_offset ) );
switches	0:5c4d7b2438d3	2260	memmove( ssl->in_hdr,
switches	0:5c4d7b2438d3	2261	ssl->in_hdr + ssl->next_record_offset,
switches	0:5c4d7b2438d3	2262	ssl->in_left );
switches	0:5c4d7b2438d3	2263	}
switches	0:5c4d7b2438d3	2264
switches	0:5c4d7b2438d3	2265	ssl->next_record_offset = 0;
switches	0:5c4d7b2438d3	2266	}
switches	0:5c4d7b2438d3	2267
switches	0:5c4d7b2438d3	2268	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
switches	0:5c4d7b2438d3	2269	ssl->in_left, nb_want ) );
switches	0:5c4d7b2438d3	2270
switches	0:5c4d7b2438d3	2271	/*
switches	0:5c4d7b2438d3	2272	* Done if we already have enough data.
switches	0:5c4d7b2438d3	2273	*/
switches	0:5c4d7b2438d3	2274	if( nb_want <= ssl->in_left)
switches	0:5c4d7b2438d3	2275	{
switches	0:5c4d7b2438d3	2276	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
switches	0:5c4d7b2438d3	2277	return( 0 );
switches	0:5c4d7b2438d3	2278	}
switches	0:5c4d7b2438d3	2279
switches	0:5c4d7b2438d3	2280	/*
switches	0:5c4d7b2438d3	2281	* A record can't be split accross datagrams. If we need to read but
switches	0:5c4d7b2438d3	2282	* are not at the beginning of a new record, the caller did something
switches	0:5c4d7b2438d3	2283	* wrong.
switches	0:5c4d7b2438d3	2284	*/
switches	0:5c4d7b2438d3	2285	if( ssl->in_left != 0 )
switches	0:5c4d7b2438d3	2286	{
switches	0:5c4d7b2438d3	2287	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	2288	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	2289	}
switches	0:5c4d7b2438d3	2290
switches	0:5c4d7b2438d3	2291	/*
switches	0:5c4d7b2438d3	2292	* Don't even try to read if time's out already.
switches	0:5c4d7b2438d3	2293	* This avoids by-passing the timer when repeatedly receiving messages
switches	0:5c4d7b2438d3	2294	* that will end up being dropped.
switches	0:5c4d7b2438d3	2295	*/
switches	0:5c4d7b2438d3	2296	if( ssl_check_timer( ssl ) != 0 )
switches	0:5c4d7b2438d3	2297	ret = MBEDTLS_ERR_SSL_TIMEOUT;
switches	0:5c4d7b2438d3	2298	else
switches	0:5c4d7b2438d3	2299	{
switches	0:5c4d7b2438d3	2300	len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
switches	0:5c4d7b2438d3	2301
switches	0:5c4d7b2438d3	2302	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	2303	timeout = ssl->handshake->retransmit_timeout;
switches	0:5c4d7b2438d3	2304	else
switches	0:5c4d7b2438d3	2305	timeout = ssl->conf->read_timeout;
switches	0:5c4d7b2438d3	2306
switches	0:5c4d7b2438d3	2307	MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
switches	0:5c4d7b2438d3	2308
switches	0:5c4d7b2438d3	2309	if( ssl->f_recv_timeout != NULL )
switches	0:5c4d7b2438d3	2310	ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
switches	0:5c4d7b2438d3	2311	timeout );
switches	0:5c4d7b2438d3	2312	else
switches	0:5c4d7b2438d3	2313	ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
switches	0:5c4d7b2438d3	2314
switches	0:5c4d7b2438d3	2315	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
switches	0:5c4d7b2438d3	2316
switches	0:5c4d7b2438d3	2317	if( ret == 0 )
switches	0:5c4d7b2438d3	2318	return( MBEDTLS_ERR_SSL_CONN_EOF );
switches	0:5c4d7b2438d3	2319	}
switches	0:5c4d7b2438d3	2320
switches	0:5c4d7b2438d3	2321	if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
switches	0:5c4d7b2438d3	2322	{
switches	0:5c4d7b2438d3	2323	MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
switches	0:5c4d7b2438d3	2324	ssl_set_timer( ssl, 0 );
switches	0:5c4d7b2438d3	2325
switches	0:5c4d7b2438d3	2326	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	2327	{
switches	0:5c4d7b2438d3	2328	if( ssl_double_retransmit_timeout( ssl ) != 0 )
switches	0:5c4d7b2438d3	2329	{
switches	0:5c4d7b2438d3	2330	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
switches	0:5c4d7b2438d3	2331	return( MBEDTLS_ERR_SSL_TIMEOUT );
switches	0:5c4d7b2438d3	2332	}
switches	0:5c4d7b2438d3	2333
switches	0:5c4d7b2438d3	2334	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	2335	{
switches	0:5c4d7b2438d3	2336	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
switches	0:5c4d7b2438d3	2337	return( ret );
switches	0:5c4d7b2438d3	2338	}
switches	0:5c4d7b2438d3	2339
switches	0:5c4d7b2438d3	2340	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	2341	}
switches	0:5c4d7b2438d3	2342	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	2343	else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	2344	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
switches	0:5c4d7b2438d3	2345	{
switches	0:5c4d7b2438d3	2346	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	2347	{
switches	0:5c4d7b2438d3	2348	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
switches	0:5c4d7b2438d3	2349	return( ret );
switches	0:5c4d7b2438d3	2350	}
switches	0:5c4d7b2438d3	2351
switches	0:5c4d7b2438d3	2352	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	2353	}
switches	0:5c4d7b2438d3	2354	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
switches	0:5c4d7b2438d3	2355	}
switches	0:5c4d7b2438d3	2356
switches	0:5c4d7b2438d3	2357	if( ret < 0 )
switches	0:5c4d7b2438d3	2358	return( ret );
switches	0:5c4d7b2438d3	2359
switches	0:5c4d7b2438d3	2360	ssl->in_left = ret;
switches	0:5c4d7b2438d3	2361	}
switches	0:5c4d7b2438d3	2362	else
switches	0:5c4d7b2438d3	2363	#endif
switches	0:5c4d7b2438d3	2364	{
switches	0:5c4d7b2438d3	2365	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
switches	0:5c4d7b2438d3	2366	ssl->in_left, nb_want ) );
switches	0:5c4d7b2438d3	2367
switches	0:5c4d7b2438d3	2368	while( ssl->in_left < nb_want )
switches	0:5c4d7b2438d3	2369	{
switches	0:5c4d7b2438d3	2370	len = nb_want - ssl->in_left;
switches	0:5c4d7b2438d3	2371
switches	0:5c4d7b2438d3	2372	if( ssl_check_timer( ssl ) != 0 )
switches	0:5c4d7b2438d3	2373	ret = MBEDTLS_ERR_SSL_TIMEOUT;
switches	0:5c4d7b2438d3	2374	else
switches	0:5c4d7b2438d3	2375	{
switches	0:5c4d7b2438d3	2376	if( ssl->f_recv_timeout != NULL )
switches	0:5c4d7b2438d3	2377	{
switches	0:5c4d7b2438d3	2378	ret = ssl->f_recv_timeout( ssl->p_bio,
switches	0:5c4d7b2438d3	2379	ssl->in_hdr + ssl->in_left, len,
switches	0:5c4d7b2438d3	2380	ssl->conf->read_timeout );
switches	0:5c4d7b2438d3	2381	}
switches	0:5c4d7b2438d3	2382	else
switches	0:5c4d7b2438d3	2383	{
switches	0:5c4d7b2438d3	2384	ret = ssl->f_recv( ssl->p_bio,
switches	0:5c4d7b2438d3	2385	ssl->in_hdr + ssl->in_left, len );
switches	0:5c4d7b2438d3	2386	}
switches	0:5c4d7b2438d3	2387	}
switches	0:5c4d7b2438d3	2388
switches	0:5c4d7b2438d3	2389	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
switches	0:5c4d7b2438d3	2390	ssl->in_left, nb_want ) );
switches	0:5c4d7b2438d3	2391	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
switches	0:5c4d7b2438d3	2392
switches	0:5c4d7b2438d3	2393	if( ret == 0 )
switches	0:5c4d7b2438d3	2394	return( MBEDTLS_ERR_SSL_CONN_EOF );
switches	0:5c4d7b2438d3	2395
switches	0:5c4d7b2438d3	2396	if( ret < 0 )
switches	0:5c4d7b2438d3	2397	return( ret );
switches	0:5c4d7b2438d3	2398
switches	0:5c4d7b2438d3	2399	ssl->in_left += ret;
switches	0:5c4d7b2438d3	2400	}
switches	0:5c4d7b2438d3	2401	}
switches	0:5c4d7b2438d3	2402
switches	0:5c4d7b2438d3	2403	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
switches	0:5c4d7b2438d3	2404
switches	0:5c4d7b2438d3	2405	return( 0 );
switches	0:5c4d7b2438d3	2406	}
switches	0:5c4d7b2438d3	2407
switches	0:5c4d7b2438d3	2408	/*
switches	0:5c4d7b2438d3	2409	* Flush any data not yet written
switches	0:5c4d7b2438d3	2410	*/
switches	0:5c4d7b2438d3	2411	int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2412	{
switches	0:5c4d7b2438d3	2413	int ret;
switches	0:5c4d7b2438d3	2414	unsigned char *buf, i;
switches	0:5c4d7b2438d3	2415
switches	0:5c4d7b2438d3	2416	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
switches	0:5c4d7b2438d3	2417
switches	0:5c4d7b2438d3	2418	if( ssl->f_send == NULL )
switches	0:5c4d7b2438d3	2419	{
switches	0:5c4d7b2438d3	2420	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
switches	0:5c4d7b2438d3	2421	"or mbedtls_ssl_set_bio()" ) );
switches	0:5c4d7b2438d3	2422	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	2423	}
switches	0:5c4d7b2438d3	2424
switches	0:5c4d7b2438d3	2425	/* Avoid incrementing counter if data is flushed */
switches	0:5c4d7b2438d3	2426	if( ssl->out_left == 0 )
switches	0:5c4d7b2438d3	2427	{
switches	0:5c4d7b2438d3	2428	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
switches	0:5c4d7b2438d3	2429	return( 0 );
switches	0:5c4d7b2438d3	2430	}
switches	0:5c4d7b2438d3	2431
switches	0:5c4d7b2438d3	2432	while( ssl->out_left > 0 )
switches	0:5c4d7b2438d3	2433	{
switches	0:5c4d7b2438d3	2434	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
switches	0:5c4d7b2438d3	2435	mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
switches	0:5c4d7b2438d3	2436
switches	0:5c4d7b2438d3	2437	buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) +
switches	0:5c4d7b2438d3	2438	ssl->out_msglen - ssl->out_left;
switches	0:5c4d7b2438d3	2439	ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
switches	0:5c4d7b2438d3	2440
switches	0:5c4d7b2438d3	2441	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
switches	0:5c4d7b2438d3	2442
switches	0:5c4d7b2438d3	2443	if( ret <= 0 )
switches	0:5c4d7b2438d3	2444	return( ret );
switches	0:5c4d7b2438d3	2445
switches	0:5c4d7b2438d3	2446	ssl->out_left -= ret;
switches	0:5c4d7b2438d3	2447	}
switches	0:5c4d7b2438d3	2448
switches	0:5c4d7b2438d3	2449	for( i = 8; i > ssl_ep_len( ssl ); i-- )
switches	0:5c4d7b2438d3	2450	if( ++ssl->out_ctr[i - 1] != 0 )
switches	0:5c4d7b2438d3	2451	break;
switches	0:5c4d7b2438d3	2452
switches	0:5c4d7b2438d3	2453	/* The loop goes to its end iff the counter is wrapping */
switches	0:5c4d7b2438d3	2454	if( i == ssl_ep_len( ssl ) )
switches	0:5c4d7b2438d3	2455	{
switches	0:5c4d7b2438d3	2456	MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
switches	0:5c4d7b2438d3	2457	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
switches	0:5c4d7b2438d3	2458	}
switches	0:5c4d7b2438d3	2459
switches	0:5c4d7b2438d3	2460	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
switches	0:5c4d7b2438d3	2461
switches	0:5c4d7b2438d3	2462	return( 0 );
switches	0:5c4d7b2438d3	2463	}
switches	0:5c4d7b2438d3	2464
switches	0:5c4d7b2438d3	2465	/*
switches	0:5c4d7b2438d3	2466	* Functions to handle the DTLS retransmission state machine
switches	0:5c4d7b2438d3	2467	*/
switches	0:5c4d7b2438d3	2468	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2469	/*
switches	0:5c4d7b2438d3	2470	* Append current handshake message to current outgoing flight
switches	0:5c4d7b2438d3	2471	*/
switches	0:5c4d7b2438d3	2472	static int ssl_flight_append( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2473	{
switches	0:5c4d7b2438d3	2474	mbedtls_ssl_flight_item *msg;
switches	0:5c4d7b2438d3	2475
switches	0:5c4d7b2438d3	2476	/* Allocate space for current message */
switches	0:5c4d7b2438d3	2477	if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
switches	0:5c4d7b2438d3	2478	{
switches	0:5c4d7b2438d3	2479	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
switches	0:5c4d7b2438d3	2480	sizeof( mbedtls_ssl_flight_item ) ) );
switches	0:5c4d7b2438d3	2481	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	2482	}
switches	0:5c4d7b2438d3	2483
switches	0:5c4d7b2438d3	2484	if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
switches	0:5c4d7b2438d3	2485	{
switches	0:5c4d7b2438d3	2486	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
switches	0:5c4d7b2438d3	2487	mbedtls_free( msg );
switches	0:5c4d7b2438d3	2488	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	2489	}
switches	0:5c4d7b2438d3	2490
switches	0:5c4d7b2438d3	2491	/* Copy current handshake message with headers */
switches	0:5c4d7b2438d3	2492	memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
switches	0:5c4d7b2438d3	2493	msg->len = ssl->out_msglen;
switches	0:5c4d7b2438d3	2494	msg->type = ssl->out_msgtype;
switches	0:5c4d7b2438d3	2495	msg->next = NULL;
switches	0:5c4d7b2438d3	2496
switches	0:5c4d7b2438d3	2497	/* Append to the current flight */
switches	0:5c4d7b2438d3	2498	if( ssl->handshake->flight == NULL )
switches	0:5c4d7b2438d3	2499	ssl->handshake->flight = msg;
switches	0:5c4d7b2438d3	2500	else
switches	0:5c4d7b2438d3	2501	{
switches	0:5c4d7b2438d3	2502	mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
switches	0:5c4d7b2438d3	2503	while( cur->next != NULL )
switches	0:5c4d7b2438d3	2504	cur = cur->next;
switches	0:5c4d7b2438d3	2505	cur->next = msg;
switches	0:5c4d7b2438d3	2506	}
switches	0:5c4d7b2438d3	2507
switches	0:5c4d7b2438d3	2508	return( 0 );
switches	0:5c4d7b2438d3	2509	}
switches	0:5c4d7b2438d3	2510
switches	0:5c4d7b2438d3	2511	/*
switches	0:5c4d7b2438d3	2512	* Free the current flight of handshake messages
switches	0:5c4d7b2438d3	2513	*/
switches	0:5c4d7b2438d3	2514	static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
switches	0:5c4d7b2438d3	2515	{
switches	0:5c4d7b2438d3	2516	mbedtls_ssl_flight_item *cur = flight;
switches	0:5c4d7b2438d3	2517	mbedtls_ssl_flight_item *next;
switches	0:5c4d7b2438d3	2518
switches	0:5c4d7b2438d3	2519	while( cur != NULL )
switches	0:5c4d7b2438d3	2520	{
switches	0:5c4d7b2438d3	2521	next = cur->next;
switches	0:5c4d7b2438d3	2522
switches	0:5c4d7b2438d3	2523	mbedtls_free( cur->p );
switches	0:5c4d7b2438d3	2524	mbedtls_free( cur );
switches	0:5c4d7b2438d3	2525
switches	0:5c4d7b2438d3	2526	cur = next;
switches	0:5c4d7b2438d3	2527	}
switches	0:5c4d7b2438d3	2528	}
switches	0:5c4d7b2438d3	2529
switches	0:5c4d7b2438d3	2530	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	2531	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
switches	0:5c4d7b2438d3	2532	#endif
switches	0:5c4d7b2438d3	2533
switches	0:5c4d7b2438d3	2534	/*
switches	0:5c4d7b2438d3	2535	* Swap transform_out and out_ctr with the alternative ones
switches	0:5c4d7b2438d3	2536	*/
switches	0:5c4d7b2438d3	2537	static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2538	{
switches	0:5c4d7b2438d3	2539	mbedtls_ssl_transform *tmp_transform;
switches	0:5c4d7b2438d3	2540	unsigned char tmp_out_ctr[8];
switches	0:5c4d7b2438d3	2541
switches	0:5c4d7b2438d3	2542	if( ssl->transform_out == ssl->handshake->alt_transform_out )
switches	0:5c4d7b2438d3	2543	{
switches	0:5c4d7b2438d3	2544	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
switches	0:5c4d7b2438d3	2545	return;
switches	0:5c4d7b2438d3	2546	}
switches	0:5c4d7b2438d3	2547
switches	0:5c4d7b2438d3	2548	MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
switches	0:5c4d7b2438d3	2549
switches	0:5c4d7b2438d3	2550	/* Swap transforms */
switches	0:5c4d7b2438d3	2551	tmp_transform = ssl->transform_out;
switches	0:5c4d7b2438d3	2552	ssl->transform_out = ssl->handshake->alt_transform_out;
switches	0:5c4d7b2438d3	2553	ssl->handshake->alt_transform_out = tmp_transform;
switches	0:5c4d7b2438d3	2554
switches	0:5c4d7b2438d3	2555	/* Swap epoch + sequence_number */
switches	0:5c4d7b2438d3	2556	memcpy( tmp_out_ctr, ssl->out_ctr, 8 );
switches	0:5c4d7b2438d3	2557	memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 );
switches	0:5c4d7b2438d3	2558	memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
switches	0:5c4d7b2438d3	2559
switches	0:5c4d7b2438d3	2560	/* Adjust to the newly activated transform */
switches	0:5c4d7b2438d3	2561	if( ssl->transform_out != NULL &&
switches	0:5c4d7b2438d3	2562	ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	2563	{
switches	0:5c4d7b2438d3	2564	ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen -
switches	0:5c4d7b2438d3	2565	ssl->transform_out->fixed_ivlen;
switches	0:5c4d7b2438d3	2566	}
switches	0:5c4d7b2438d3	2567	else
switches	0:5c4d7b2438d3	2568	ssl->out_msg = ssl->out_iv;
switches	0:5c4d7b2438d3	2569
switches	0:5c4d7b2438d3	2570	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	2571	if( mbedtls_ssl_hw_record_activate != NULL )
switches	0:5c4d7b2438d3	2572	{
switches	0:5c4d7b2438d3	2573	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
switches	0:5c4d7b2438d3	2574	{
switches	0:5c4d7b2438d3	2575	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
switches	0:5c4d7b2438d3	2576	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
switches	0:5c4d7b2438d3	2577	}
switches	0:5c4d7b2438d3	2578	}
switches	0:5c4d7b2438d3	2579	#endif
switches	0:5c4d7b2438d3	2580	}
switches	0:5c4d7b2438d3	2581
switches	0:5c4d7b2438d3	2582	/*
switches	0:5c4d7b2438d3	2583	* Retransmit the current flight of messages.
switches	0:5c4d7b2438d3	2584	*
switches	0:5c4d7b2438d3	2585	* Need to remember the current message in case flush_output returns
switches	0:5c4d7b2438d3	2586	* WANT_WRITE, causing us to exit this function and come back later.
switches	0:5c4d7b2438d3	2587	* This function must be called until state is no longer SENDING.
switches	0:5c4d7b2438d3	2588	*/
switches	0:5c4d7b2438d3	2589	int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2590	{
switches	0:5c4d7b2438d3	2591	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
switches	0:5c4d7b2438d3	2592
switches	0:5c4d7b2438d3	2593	if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
switches	0:5c4d7b2438d3	2594	{
switches	0:5c4d7b2438d3	2595	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
switches	0:5c4d7b2438d3	2596
switches	0:5c4d7b2438d3	2597	ssl->handshake->cur_msg = ssl->handshake->flight;
switches	0:5c4d7b2438d3	2598	ssl_swap_epochs( ssl );
switches	0:5c4d7b2438d3	2599
switches	0:5c4d7b2438d3	2600	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
switches	0:5c4d7b2438d3	2601	}
switches	0:5c4d7b2438d3	2602
switches	0:5c4d7b2438d3	2603	while( ssl->handshake->cur_msg != NULL )
switches	0:5c4d7b2438d3	2604	{
switches	0:5c4d7b2438d3	2605	int ret;
switches	0:5c4d7b2438d3	2606	mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg;
switches	0:5c4d7b2438d3	2607
switches	0:5c4d7b2438d3	2608	/* Swap epochs before sending Finished: we can't do it after
switches	0:5c4d7b2438d3	2609	* sending ChangeCipherSpec, in case write returns WANT_READ.
switches	0:5c4d7b2438d3	2610	* Must be done before copying, may change out_msg pointer */
switches	0:5c4d7b2438d3	2611	if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
switches	0:5c4d7b2438d3	2612	cur->p[0] == MBEDTLS_SSL_HS_FINISHED )
switches	0:5c4d7b2438d3	2613	{
switches	0:5c4d7b2438d3	2614	ssl_swap_epochs( ssl );
switches	0:5c4d7b2438d3	2615	}
switches	0:5c4d7b2438d3	2616
switches	0:5c4d7b2438d3	2617	memcpy( ssl->out_msg, cur->p, cur->len );
switches	0:5c4d7b2438d3	2618	ssl->out_msglen = cur->len;
switches	0:5c4d7b2438d3	2619	ssl->out_msgtype = cur->type;
switches	0:5c4d7b2438d3	2620
switches	0:5c4d7b2438d3	2621	ssl->handshake->cur_msg = cur->next;
switches	0:5c4d7b2438d3	2622
switches	0:5c4d7b2438d3	2623	MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 );
switches	0:5c4d7b2438d3	2624
switches	0:5c4d7b2438d3	2625	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	2626	{
switches	0:5c4d7b2438d3	2627	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
switches	0:5c4d7b2438d3	2628	return( ret );
switches	0:5c4d7b2438d3	2629	}
switches	0:5c4d7b2438d3	2630	}
switches	0:5c4d7b2438d3	2631
switches	0:5c4d7b2438d3	2632	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	2633	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
switches	0:5c4d7b2438d3	2634	else
switches	0:5c4d7b2438d3	2635	{
switches	0:5c4d7b2438d3	2636	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
switches	0:5c4d7b2438d3	2637	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
switches	0:5c4d7b2438d3	2638	}
switches	0:5c4d7b2438d3	2639
switches	0:5c4d7b2438d3	2640	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
switches	0:5c4d7b2438d3	2641
switches	0:5c4d7b2438d3	2642	return( 0 );
switches	0:5c4d7b2438d3	2643	}
switches	0:5c4d7b2438d3	2644
switches	0:5c4d7b2438d3	2645	/*
switches	0:5c4d7b2438d3	2646	* To be called when the last message of an incoming flight is received.
switches	0:5c4d7b2438d3	2647	*/
switches	0:5c4d7b2438d3	2648	void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2649	{
switches	0:5c4d7b2438d3	2650	/* We won't need to resend that one any more */
switches	0:5c4d7b2438d3	2651	ssl_flight_free( ssl->handshake->flight );
switches	0:5c4d7b2438d3	2652	ssl->handshake->flight = NULL;
switches	0:5c4d7b2438d3	2653	ssl->handshake->cur_msg = NULL;
switches	0:5c4d7b2438d3	2654
switches	0:5c4d7b2438d3	2655	/* The next incoming flight will start with this msg_seq */
switches	0:5c4d7b2438d3	2656	ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
switches	0:5c4d7b2438d3	2657
switches	0:5c4d7b2438d3	2658	/* Cancel timer */
switches	0:5c4d7b2438d3	2659	ssl_set_timer( ssl, 0 );
switches	0:5c4d7b2438d3	2660
switches	0:5c4d7b2438d3	2661	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
switches	0:5c4d7b2438d3	2662	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
switches	0:5c4d7b2438d3	2663	{
switches	0:5c4d7b2438d3	2664	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
switches	0:5c4d7b2438d3	2665	}
switches	0:5c4d7b2438d3	2666	else
switches	0:5c4d7b2438d3	2667	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
switches	0:5c4d7b2438d3	2668	}
switches	0:5c4d7b2438d3	2669
switches	0:5c4d7b2438d3	2670	/*
switches	0:5c4d7b2438d3	2671	* To be called when the last message of an outgoing flight is send.
switches	0:5c4d7b2438d3	2672	*/
switches	0:5c4d7b2438d3	2673	void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2674	{
switches	0:5c4d7b2438d3	2675	ssl_reset_retransmit_timeout( ssl );
switches	0:5c4d7b2438d3	2676	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
switches	0:5c4d7b2438d3	2677
switches	0:5c4d7b2438d3	2678	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
switches	0:5c4d7b2438d3	2679	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
switches	0:5c4d7b2438d3	2680	{
switches	0:5c4d7b2438d3	2681	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
switches	0:5c4d7b2438d3	2682	}
switches	0:5c4d7b2438d3	2683	else
switches	0:5c4d7b2438d3	2684	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
switches	0:5c4d7b2438d3	2685	}
switches	0:5c4d7b2438d3	2686	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	2687
switches	0:5c4d7b2438d3	2688	/*
switches	0:5c4d7b2438d3	2689	* Record layer functions
switches	0:5c4d7b2438d3	2690	*/
switches	0:5c4d7b2438d3	2691
switches	0:5c4d7b2438d3	2692	/*
switches	0:5c4d7b2438d3	2693	* Write current record.
switches	0:5c4d7b2438d3	2694	* Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
switches	0:5c4d7b2438d3	2695	*/
switches	0:5c4d7b2438d3	2696	int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2697	{
switches	0:5c4d7b2438d3	2698	int ret, done = 0, out_msg_type;
switches	0:5c4d7b2438d3	2699	size_t len = ssl->out_msglen;
switches	0:5c4d7b2438d3	2700
switches	0:5c4d7b2438d3	2701	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
switches	0:5c4d7b2438d3	2702
switches	0:5c4d7b2438d3	2703	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2704	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	2705	ssl->handshake != NULL &&
switches	0:5c4d7b2438d3	2706	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
switches	0:5c4d7b2438d3	2707	{
switches	0:5c4d7b2438d3	2708	; /* Skip special handshake treatment when resending */
switches	0:5c4d7b2438d3	2709	}
switches	0:5c4d7b2438d3	2710	else
switches	0:5c4d7b2438d3	2711	#endif
switches	0:5c4d7b2438d3	2712	if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
switches	0:5c4d7b2438d3	2713	{
switches	0:5c4d7b2438d3	2714	out_msg_type = ssl->out_msg[0];
switches	0:5c4d7b2438d3	2715
switches	0:5c4d7b2438d3	2716	if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
switches	0:5c4d7b2438d3	2717	ssl->handshake == NULL )
switches	0:5c4d7b2438d3	2718	{
switches	0:5c4d7b2438d3	2719	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	2720	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	2721	}
switches	0:5c4d7b2438d3	2722
switches	0:5c4d7b2438d3	2723	ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
switches	0:5c4d7b2438d3	2724	ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
switches	0:5c4d7b2438d3	2725	ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
switches	0:5c4d7b2438d3	2726
switches	0:5c4d7b2438d3	2727	/*
switches	0:5c4d7b2438d3	2728	* DTLS has additional fields in the Handshake layer,
switches	0:5c4d7b2438d3	2729	* between the length field and the actual payload:
switches	0:5c4d7b2438d3	2730	* uint16 message_seq;
switches	0:5c4d7b2438d3	2731	* uint24 fragment_offset;
switches	0:5c4d7b2438d3	2732	* uint24 fragment_length;
switches	0:5c4d7b2438d3	2733	*/
switches	0:5c4d7b2438d3	2734	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2735	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	2736	{
switches	0:5c4d7b2438d3	2737	/* Make room for the additional DTLS fields */
switches	0:5c4d7b2438d3	2738	memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
switches	0:5c4d7b2438d3	2739	ssl->out_msglen += 8;
switches	0:5c4d7b2438d3	2740	len += 8;
switches	0:5c4d7b2438d3	2741
switches	0:5c4d7b2438d3	2742	/* Write message_seq and update it, except for HelloRequest */
switches	0:5c4d7b2438d3	2743	if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
switches	0:5c4d7b2438d3	2744	{
switches	0:5c4d7b2438d3	2745	ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
switches	0:5c4d7b2438d3	2746	ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
switches	0:5c4d7b2438d3	2747	++( ssl->handshake->out_msg_seq );
switches	0:5c4d7b2438d3	2748	}
switches	0:5c4d7b2438d3	2749	else
switches	0:5c4d7b2438d3	2750	{
switches	0:5c4d7b2438d3	2751	ssl->out_msg[4] = 0;
switches	0:5c4d7b2438d3	2752	ssl->out_msg[5] = 0;
switches	0:5c4d7b2438d3	2753	}
switches	0:5c4d7b2438d3	2754
switches	0:5c4d7b2438d3	2755	/* We don't fragment, so frag_offset = 0 and frag_len = len */
switches	0:5c4d7b2438d3	2756	memset( ssl->out_msg + 6, 0x00, 3 );
switches	0:5c4d7b2438d3	2757	memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
switches	0:5c4d7b2438d3	2758	}
switches	0:5c4d7b2438d3	2759	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	2760
switches	0:5c4d7b2438d3	2761	if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
switches	0:5c4d7b2438d3	2762	ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
switches	0:5c4d7b2438d3	2763	}
switches	0:5c4d7b2438d3	2764
switches	0:5c4d7b2438d3	2765	/* Save handshake and CCS messages for resending */
switches	0:5c4d7b2438d3	2766	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2767	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	2768	ssl->handshake != NULL &&
switches	0:5c4d7b2438d3	2769	ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING &&
switches	0:5c4d7b2438d3	2770	( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC \|\|
switches	0:5c4d7b2438d3	2771	ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) )
switches	0:5c4d7b2438d3	2772	{
switches	0:5c4d7b2438d3	2773	if( ( ret = ssl_flight_append( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	2774	{
switches	0:5c4d7b2438d3	2775	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
switches	0:5c4d7b2438d3	2776	return( ret );
switches	0:5c4d7b2438d3	2777	}
switches	0:5c4d7b2438d3	2778	}
switches	0:5c4d7b2438d3	2779	#endif
switches	0:5c4d7b2438d3	2780
switches	0:5c4d7b2438d3	2781	#if defined(MBEDTLS_ZLIB_SUPPORT)
switches	0:5c4d7b2438d3	2782	if( ssl->transform_out != NULL &&
switches	0:5c4d7b2438d3	2783	ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
switches	0:5c4d7b2438d3	2784	{
switches	0:5c4d7b2438d3	2785	if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	2786	{
switches	0:5c4d7b2438d3	2787	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
switches	0:5c4d7b2438d3	2788	return( ret );
switches	0:5c4d7b2438d3	2789	}
switches	0:5c4d7b2438d3	2790
switches	0:5c4d7b2438d3	2791	len = ssl->out_msglen;
switches	0:5c4d7b2438d3	2792	}
switches	0:5c4d7b2438d3	2793	#endif /MBEDTLS_ZLIB_SUPPORT /
switches	0:5c4d7b2438d3	2794
switches	0:5c4d7b2438d3	2795	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	2796	if( mbedtls_ssl_hw_record_write != NULL )
switches	0:5c4d7b2438d3	2797	{
switches	0:5c4d7b2438d3	2798	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
switches	0:5c4d7b2438d3	2799
switches	0:5c4d7b2438d3	2800	ret = mbedtls_ssl_hw_record_write( ssl );
switches	0:5c4d7b2438d3	2801	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
switches	0:5c4d7b2438d3	2802	{
switches	0:5c4d7b2438d3	2803	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
switches	0:5c4d7b2438d3	2804	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
switches	0:5c4d7b2438d3	2805	}
switches	0:5c4d7b2438d3	2806
switches	0:5c4d7b2438d3	2807	if( ret == 0 )
switches	0:5c4d7b2438d3	2808	done = 1;
switches	0:5c4d7b2438d3	2809	}
switches	0:5c4d7b2438d3	2810	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
switches	0:5c4d7b2438d3	2811	if( !done )
switches	0:5c4d7b2438d3	2812	{
switches	0:5c4d7b2438d3	2813	ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
switches	0:5c4d7b2438d3	2814	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
switches	0:5c4d7b2438d3	2815	ssl->conf->transport, ssl->out_hdr + 1 );
switches	0:5c4d7b2438d3	2816
switches	0:5c4d7b2438d3	2817	ssl->out_len[0] = (unsigned char)( len >> 8 );
switches	0:5c4d7b2438d3	2818	ssl->out_len[1] = (unsigned char)( len );
switches	0:5c4d7b2438d3	2819
switches	0:5c4d7b2438d3	2820	if( ssl->transform_out != NULL )
switches	0:5c4d7b2438d3	2821	{
switches	0:5c4d7b2438d3	2822	if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	2823	{
switches	0:5c4d7b2438d3	2824	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
switches	0:5c4d7b2438d3	2825	return( ret );
switches	0:5c4d7b2438d3	2826	}
switches	0:5c4d7b2438d3	2827
switches	0:5c4d7b2438d3	2828	len = ssl->out_msglen;
switches	0:5c4d7b2438d3	2829	ssl->out_len[0] = (unsigned char)( len >> 8 );
switches	0:5c4d7b2438d3	2830	ssl->out_len[1] = (unsigned char)( len );
switches	0:5c4d7b2438d3	2831	}
switches	0:5c4d7b2438d3	2832
switches	0:5c4d7b2438d3	2833	ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen;
switches	0:5c4d7b2438d3	2834
switches	0:5c4d7b2438d3	2835	MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
switches	0:5c4d7b2438d3	2836	"version = [%d:%d], msglen = %d",
switches	0:5c4d7b2438d3	2837	ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
switches	0:5c4d7b2438d3	2838	( ssl->out_len[0] << 8 ) \| ssl->out_len[1] ) );
switches	0:5c4d7b2438d3	2839
switches	0:5c4d7b2438d3	2840	MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
switches	0:5c4d7b2438d3	2841	ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen );
switches	0:5c4d7b2438d3	2842	}
switches	0:5c4d7b2438d3	2843
switches	0:5c4d7b2438d3	2844	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	2845	{
switches	0:5c4d7b2438d3	2846	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
switches	0:5c4d7b2438d3	2847	return( ret );
switches	0:5c4d7b2438d3	2848	}
switches	0:5c4d7b2438d3	2849
switches	0:5c4d7b2438d3	2850	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
switches	0:5c4d7b2438d3	2851
switches	0:5c4d7b2438d3	2852	return( 0 );
switches	0:5c4d7b2438d3	2853	}
switches	0:5c4d7b2438d3	2854
switches	0:5c4d7b2438d3	2855	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	2856	/*
switches	0:5c4d7b2438d3	2857	* Mark bits in bitmask (used for DTLS HS reassembly)
switches	0:5c4d7b2438d3	2858	*/
switches	0:5c4d7b2438d3	2859	static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
switches	0:5c4d7b2438d3	2860	{
switches	0:5c4d7b2438d3	2861	unsigned int start_bits, end_bits;
switches	0:5c4d7b2438d3	2862
switches	0:5c4d7b2438d3	2863	start_bits = 8 - ( offset % 8 );
switches	0:5c4d7b2438d3	2864	if( start_bits != 8 )
switches	0:5c4d7b2438d3	2865	{
switches	0:5c4d7b2438d3	2866	size_t first_byte_idx = offset / 8;
switches	0:5c4d7b2438d3	2867
switches	0:5c4d7b2438d3	2868	/* Special case */
switches	0:5c4d7b2438d3	2869	if( len <= start_bits )
switches	0:5c4d7b2438d3	2870	{
switches	0:5c4d7b2438d3	2871	for( ; len != 0; len-- )
switches	0:5c4d7b2438d3	2872	mask[first_byte_idx] \|= 1 << ( start_bits - len );
switches	0:5c4d7b2438d3	2873
switches	0:5c4d7b2438d3	2874	/* Avoid potential issues with offset or len becoming invalid */
switches	0:5c4d7b2438d3	2875	return;
switches	0:5c4d7b2438d3	2876	}
switches	0:5c4d7b2438d3	2877
switches	0:5c4d7b2438d3	2878	offset += start_bits; /* Now offset % 8 == 0 */
switches	0:5c4d7b2438d3	2879	len -= start_bits;
switches	0:5c4d7b2438d3	2880
switches	0:5c4d7b2438d3	2881	for( ; start_bits != 0; start_bits-- )
switches	0:5c4d7b2438d3	2882	mask[first_byte_idx] \|= 1 << ( start_bits - 1 );
switches	0:5c4d7b2438d3	2883	}
switches	0:5c4d7b2438d3	2884
switches	0:5c4d7b2438d3	2885	end_bits = len % 8;
switches	0:5c4d7b2438d3	2886	if( end_bits != 0 )
switches	0:5c4d7b2438d3	2887	{
switches	0:5c4d7b2438d3	2888	size_t last_byte_idx = ( offset + len ) / 8;
switches	0:5c4d7b2438d3	2889
switches	0:5c4d7b2438d3	2890	len -= end_bits; /* Now len % 8 == 0 */
switches	0:5c4d7b2438d3	2891
switches	0:5c4d7b2438d3	2892	for( ; end_bits != 0; end_bits-- )
switches	0:5c4d7b2438d3	2893	mask[last_byte_idx] \|= 1 << ( 8 - end_bits );
switches	0:5c4d7b2438d3	2894	}
switches	0:5c4d7b2438d3	2895
switches	0:5c4d7b2438d3	2896	memset( mask + offset / 8, 0xFF, len / 8 );
switches	0:5c4d7b2438d3	2897	}
switches	0:5c4d7b2438d3	2898
switches	0:5c4d7b2438d3	2899	/*
switches	0:5c4d7b2438d3	2900	* Check that bitmask is full
switches	0:5c4d7b2438d3	2901	*/
switches	0:5c4d7b2438d3	2902	static int ssl_bitmask_check( unsigned char *mask, size_t len )
switches	0:5c4d7b2438d3	2903	{
switches	0:5c4d7b2438d3	2904	size_t i;
switches	0:5c4d7b2438d3	2905
switches	0:5c4d7b2438d3	2906	for( i = 0; i < len / 8; i++ )
switches	0:5c4d7b2438d3	2907	if( mask[i] != 0xFF )
switches	0:5c4d7b2438d3	2908	return( -1 );
switches	0:5c4d7b2438d3	2909
switches	0:5c4d7b2438d3	2910	for( i = 0; i < len % 8; i++ )
switches	0:5c4d7b2438d3	2911	if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
switches	0:5c4d7b2438d3	2912	return( -1 );
switches	0:5c4d7b2438d3	2913
switches	0:5c4d7b2438d3	2914	return( 0 );
switches	0:5c4d7b2438d3	2915	}
switches	0:5c4d7b2438d3	2916
switches	0:5c4d7b2438d3	2917	/*
switches	0:5c4d7b2438d3	2918	* Reassemble fragmented DTLS handshake messages.
switches	0:5c4d7b2438d3	2919	*
switches	0:5c4d7b2438d3	2920	* Use a temporary buffer for reassembly, divided in two parts:
switches	0:5c4d7b2438d3	2921	* - the first holds the reassembled message (including handshake header),
switches	0:5c4d7b2438d3	2922	* - the second holds a bitmask indicating which parts of the message
switches	0:5c4d7b2438d3	2923	* (excluding headers) have been received so far.
switches	0:5c4d7b2438d3	2924	*/
switches	0:5c4d7b2438d3	2925	static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	2926	{
switches	0:5c4d7b2438d3	2927	unsigned char msg, bitmask;
switches	0:5c4d7b2438d3	2928	size_t frag_len, frag_off;
switches	0:5c4d7b2438d3	2929	size_t msg_len = ssl->in_hslen - 12; /* Without headers */
switches	0:5c4d7b2438d3	2930
switches	0:5c4d7b2438d3	2931	if( ssl->handshake == NULL )
switches	0:5c4d7b2438d3	2932	{
switches	0:5c4d7b2438d3	2933	MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
switches	0:5c4d7b2438d3	2934	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
switches	0:5c4d7b2438d3	2935	}
switches	0:5c4d7b2438d3	2936
switches	0:5c4d7b2438d3	2937	/*
switches	0:5c4d7b2438d3	2938	* For first fragment, check size and allocate buffer
switches	0:5c4d7b2438d3	2939	*/
switches	0:5c4d7b2438d3	2940	if( ssl->handshake->hs_msg == NULL )
switches	0:5c4d7b2438d3	2941	{
switches	0:5c4d7b2438d3	2942	size_t alloc_len;
switches	0:5c4d7b2438d3	2943
switches	0:5c4d7b2438d3	2944	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
switches	0:5c4d7b2438d3	2945	msg_len ) );
switches	0:5c4d7b2438d3	2946
switches	0:5c4d7b2438d3	2947	if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
switches	0:5c4d7b2438d3	2948	{
switches	0:5c4d7b2438d3	2949	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
switches	0:5c4d7b2438d3	2950	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
switches	0:5c4d7b2438d3	2951	}
switches	0:5c4d7b2438d3	2952
switches	0:5c4d7b2438d3	2953	/* The bitmask needs one bit per byte of message excluding header */
switches	0:5c4d7b2438d3	2954	alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 );
switches	0:5c4d7b2438d3	2955
switches	0:5c4d7b2438d3	2956	ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len );
switches	0:5c4d7b2438d3	2957	if( ssl->handshake->hs_msg == NULL )
switches	0:5c4d7b2438d3	2958	{
switches	0:5c4d7b2438d3	2959	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) );
switches	0:5c4d7b2438d3	2960	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	2961	}
switches	0:5c4d7b2438d3	2962
switches	0:5c4d7b2438d3	2963	/* Prepare final header: copy msg_type, length and message_seq,
switches	0:5c4d7b2438d3	2964	* then add standardised fragment_offset and fragment_length */
switches	0:5c4d7b2438d3	2965	memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 );
switches	0:5c4d7b2438d3	2966	memset( ssl->handshake->hs_msg + 6, 0, 3 );
switches	0:5c4d7b2438d3	2967	memcpy( ssl->handshake->hs_msg + 9,
switches	0:5c4d7b2438d3	2968	ssl->handshake->hs_msg + 1, 3 );
switches	0:5c4d7b2438d3	2969	}
switches	0:5c4d7b2438d3	2970	else
switches	0:5c4d7b2438d3	2971	{
switches	0:5c4d7b2438d3	2972	/* Make sure msg_type and length are consistent */
switches	0:5c4d7b2438d3	2973	if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 )
switches	0:5c4d7b2438d3	2974	{
switches	0:5c4d7b2438d3	2975	MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
switches	0:5c4d7b2438d3	2976	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	2977	}
switches	0:5c4d7b2438d3	2978	}
switches	0:5c4d7b2438d3	2979
switches	0:5c4d7b2438d3	2980	msg = ssl->handshake->hs_msg + 12;
switches	0:5c4d7b2438d3	2981	bitmask = msg + msg_len;
switches	0:5c4d7b2438d3	2982
switches	0:5c4d7b2438d3	2983	/*
switches	0:5c4d7b2438d3	2984	* Check and copy current fragment
switches	0:5c4d7b2438d3	2985	*/
switches	0:5c4d7b2438d3	2986	frag_off = ( ssl->in_msg[6] << 16 ) \|
switches	0:5c4d7b2438d3	2987	( ssl->in_msg[7] << 8 ) \|
switches	0:5c4d7b2438d3	2988	ssl->in_msg[8];
switches	0:5c4d7b2438d3	2989	frag_len = ( ssl->in_msg[9] << 16 ) \|
switches	0:5c4d7b2438d3	2990	( ssl->in_msg[10] << 8 ) \|
switches	0:5c4d7b2438d3	2991	ssl->in_msg[11];
switches	0:5c4d7b2438d3	2992
switches	0:5c4d7b2438d3	2993	if( frag_off + frag_len > msg_len )
switches	0:5c4d7b2438d3	2994	{
switches	0:5c4d7b2438d3	2995	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
switches	0:5c4d7b2438d3	2996	frag_off, frag_len, msg_len ) );
switches	0:5c4d7b2438d3	2997	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	2998	}
switches	0:5c4d7b2438d3	2999
switches	0:5c4d7b2438d3	3000	if( frag_len + 12 > ssl->in_msglen )
switches	0:5c4d7b2438d3	3001	{
switches	0:5c4d7b2438d3	3002	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
switches	0:5c4d7b2438d3	3003	frag_len, ssl->in_msglen ) );
switches	0:5c4d7b2438d3	3004	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3005	}
switches	0:5c4d7b2438d3	3006
switches	0:5c4d7b2438d3	3007	MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
switches	0:5c4d7b2438d3	3008	frag_off, frag_len ) );
switches	0:5c4d7b2438d3	3009
switches	0:5c4d7b2438d3	3010	memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
switches	0:5c4d7b2438d3	3011	ssl_bitmask_set( bitmask, frag_off, frag_len );
switches	0:5c4d7b2438d3	3012
switches	0:5c4d7b2438d3	3013	/*
switches	0:5c4d7b2438d3	3014	* Do we have the complete message by now?
switches	0:5c4d7b2438d3	3015	* If yes, finalize it, else ask to read the next record.
switches	0:5c4d7b2438d3	3016	*/
switches	0:5c4d7b2438d3	3017	if( ssl_bitmask_check( bitmask, msg_len ) != 0 )
switches	0:5c4d7b2438d3	3018	{
switches	0:5c4d7b2438d3	3019	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
switches	0:5c4d7b2438d3	3020	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	3021	}
switches	0:5c4d7b2438d3	3022
switches	0:5c4d7b2438d3	3023	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
switches	0:5c4d7b2438d3	3024
switches	0:5c4d7b2438d3	3025	if( frag_len + 12 < ssl->in_msglen )
switches	0:5c4d7b2438d3	3026	{
switches	0:5c4d7b2438d3	3027	/*
switches	0:5c4d7b2438d3	3028	* We'got more handshake messages in the same record.
switches	0:5c4d7b2438d3	3029	* This case is not handled now because no know implementation does
switches	0:5c4d7b2438d3	3030	* that and it's hard to test, so we prefer to fail cleanly for now.
switches	0:5c4d7b2438d3	3031	*/
switches	0:5c4d7b2438d3	3032	MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
switches	0:5c4d7b2438d3	3033	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
switches	0:5c4d7b2438d3	3034	}
switches	0:5c4d7b2438d3	3035
switches	0:5c4d7b2438d3	3036	if( ssl->in_left > ssl->next_record_offset )
switches	0:5c4d7b2438d3	3037	{
switches	0:5c4d7b2438d3	3038	/*
switches	0:5c4d7b2438d3	3039	* We've got more data in the buffer after the current record,
switches	0:5c4d7b2438d3	3040	* that we don't want to overwrite. Move it before writing the
switches	0:5c4d7b2438d3	3041	* reassembled message, and adjust in_left and next_record_offset.
switches	0:5c4d7b2438d3	3042	*/
switches	0:5c4d7b2438d3	3043	unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset;
switches	0:5c4d7b2438d3	3044	unsigned char *new_remain = ssl->in_msg + ssl->in_hslen;
switches	0:5c4d7b2438d3	3045	size_t remain_len = ssl->in_left - ssl->next_record_offset;
switches	0:5c4d7b2438d3	3046
switches	0:5c4d7b2438d3	3047	/* First compute and check new lengths */
switches	0:5c4d7b2438d3	3048	ssl->next_record_offset = new_remain - ssl->in_hdr;
switches	0:5c4d7b2438d3	3049	ssl->in_left = ssl->next_record_offset + remain_len;
switches	0:5c4d7b2438d3	3050
switches	0:5c4d7b2438d3	3051	if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
switches	0:5c4d7b2438d3	3052	(size_t)( ssl->in_hdr - ssl->in_buf ) )
switches	0:5c4d7b2438d3	3053	{
switches	0:5c4d7b2438d3	3054	MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
switches	0:5c4d7b2438d3	3055	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
switches	0:5c4d7b2438d3	3056	}
switches	0:5c4d7b2438d3	3057
switches	0:5c4d7b2438d3	3058	memmove( new_remain, cur_remain, remain_len );
switches	0:5c4d7b2438d3	3059	}
switches	0:5c4d7b2438d3	3060
switches	0:5c4d7b2438d3	3061	memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen );
switches	0:5c4d7b2438d3	3062
switches	0:5c4d7b2438d3	3063	mbedtls_free( ssl->handshake->hs_msg );
switches	0:5c4d7b2438d3	3064	ssl->handshake->hs_msg = NULL;
switches	0:5c4d7b2438d3	3065
switches	0:5c4d7b2438d3	3066	MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
switches	0:5c4d7b2438d3	3067	ssl->in_msg, ssl->in_hslen );
switches	0:5c4d7b2438d3	3068
switches	0:5c4d7b2438d3	3069	return( 0 );
switches	0:5c4d7b2438d3	3070	}
switches	0:5c4d7b2438d3	3071	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	3072
switches	0:5c4d7b2438d3	3073	int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3074	{
switches	0:5c4d7b2438d3	3075	if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
switches	0:5c4d7b2438d3	3076	{
switches	0:5c4d7b2438d3	3077	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
switches	0:5c4d7b2438d3	3078	ssl->in_msglen ) );
switches	0:5c4d7b2438d3	3079	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3080	}
switches	0:5c4d7b2438d3	3081
switches	0:5c4d7b2438d3	3082	ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + (
switches	0:5c4d7b2438d3	3083	( ssl->in_msg[1] << 16 ) \|
switches	0:5c4d7b2438d3	3084	( ssl->in_msg[2] << 8 ) \|
switches	0:5c4d7b2438d3	3085	ssl->in_msg[3] );
switches	0:5c4d7b2438d3	3086
switches	0:5c4d7b2438d3	3087	MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
switches	0:5c4d7b2438d3	3088	" %d, type = %d, hslen = %d",
switches	0:5c4d7b2438d3	3089	ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
switches	0:5c4d7b2438d3	3090
switches	0:5c4d7b2438d3	3091	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3092	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	3093	{
switches	0:5c4d7b2438d3	3094	int ret;
switches	0:5c4d7b2438d3	3095	unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) \| ssl->in_msg[5];
switches	0:5c4d7b2438d3	3096
switches	0:5c4d7b2438d3	3097	/* ssl->handshake is NULL when receiving ClientHello for renego */
switches	0:5c4d7b2438d3	3098	if( ssl->handshake != NULL &&
switches	0:5c4d7b2438d3	3099	recv_msg_seq != ssl->handshake->in_msg_seq )
switches	0:5c4d7b2438d3	3100	{
switches	0:5c4d7b2438d3	3101	/* Retransmit only on last message from previous flight, to avoid
switches	0:5c4d7b2438d3	3102	* too many retransmissions.
switches	0:5c4d7b2438d3	3103	* Besides, No sane server ever retransmits HelloVerifyRequest */
switches	0:5c4d7b2438d3	3104	if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
switches	0:5c4d7b2438d3	3105	ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
switches	0:5c4d7b2438d3	3106	{
switches	0:5c4d7b2438d3	3107	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
switches	0:5c4d7b2438d3	3108	"message_seq = %d, start_of_flight = %d",
switches	0:5c4d7b2438d3	3109	recv_msg_seq,
switches	0:5c4d7b2438d3	3110	ssl->handshake->in_flight_start_seq ) );
switches	0:5c4d7b2438d3	3111
switches	0:5c4d7b2438d3	3112	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3113	{
switches	0:5c4d7b2438d3	3114	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
switches	0:5c4d7b2438d3	3115	return( ret );
switches	0:5c4d7b2438d3	3116	}
switches	0:5c4d7b2438d3	3117	}
switches	0:5c4d7b2438d3	3118	else
switches	0:5c4d7b2438d3	3119	{
switches	0:5c4d7b2438d3	3120	MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
switches	0:5c4d7b2438d3	3121	"message_seq = %d, expected = %d",
switches	0:5c4d7b2438d3	3122	recv_msg_seq,
switches	0:5c4d7b2438d3	3123	ssl->handshake->in_msg_seq ) );
switches	0:5c4d7b2438d3	3124	}
switches	0:5c4d7b2438d3	3125
switches	0:5c4d7b2438d3	3126	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	3127	}
switches	0:5c4d7b2438d3	3128	/* Wait until message completion to increment in_msg_seq */
switches	0:5c4d7b2438d3	3129
switches	0:5c4d7b2438d3	3130	/* Reassemble if current message is fragmented or reassembly is
switches	0:5c4d7b2438d3	3131	* already in progress */
switches	0:5c4d7b2438d3	3132	if( ssl->in_msglen < ssl->in_hslen \|\|
switches	0:5c4d7b2438d3	3133	memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 \|\|
switches	0:5c4d7b2438d3	3134	memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 \|\|
switches	0:5c4d7b2438d3	3135	( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) )
switches	0:5c4d7b2438d3	3136	{
switches	0:5c4d7b2438d3	3137	MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
switches	0:5c4d7b2438d3	3138
switches	0:5c4d7b2438d3	3139	if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3140	{
switches	0:5c4d7b2438d3	3141	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret );
switches	0:5c4d7b2438d3	3142	return( ret );
switches	0:5c4d7b2438d3	3143	}
switches	0:5c4d7b2438d3	3144	}
switches	0:5c4d7b2438d3	3145	}
switches	0:5c4d7b2438d3	3146	else
switches	0:5c4d7b2438d3	3147	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	3148	/* With TLS we don't handle fragmentation (for now) */
switches	0:5c4d7b2438d3	3149	if( ssl->in_msglen < ssl->in_hslen )
switches	0:5c4d7b2438d3	3150	{
switches	0:5c4d7b2438d3	3151	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
switches	0:5c4d7b2438d3	3152	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
switches	0:5c4d7b2438d3	3153	}
switches	0:5c4d7b2438d3	3154
switches	0:5c4d7b2438d3	3155	return( 0 );
switches	0:5c4d7b2438d3	3156	}
switches	0:5c4d7b2438d3	3157
switches	0:5c4d7b2438d3	3158	void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3159	{
switches	0:5c4d7b2438d3	3160
switches	0:5c4d7b2438d3	3161	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
switches	0:5c4d7b2438d3	3162	ssl->handshake != NULL )
switches	0:5c4d7b2438d3	3163	{
switches	0:5c4d7b2438d3	3164	ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
switches	0:5c4d7b2438d3	3165	}
switches	0:5c4d7b2438d3	3166
switches	0:5c4d7b2438d3	3167	/* Handshake message is complete, increment counter */
switches	0:5c4d7b2438d3	3168	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3169	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	3170	ssl->handshake != NULL )
switches	0:5c4d7b2438d3	3171	{
switches	0:5c4d7b2438d3	3172	ssl->handshake->in_msg_seq++;
switches	0:5c4d7b2438d3	3173	}
switches	0:5c4d7b2438d3	3174	#endif
switches	0:5c4d7b2438d3	3175	}
switches	0:5c4d7b2438d3	3176
switches	0:5c4d7b2438d3	3177	/*
switches	0:5c4d7b2438d3	3178	* DTLS anti-replay: RFC 6347 4.1.2.6
switches	0:5c4d7b2438d3	3179	*
switches	0:5c4d7b2438d3	3180	* in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
switches	0:5c4d7b2438d3	3181	* Bit n is set iff record number in_window_top - n has been seen.
switches	0:5c4d7b2438d3	3182	*
switches	0:5c4d7b2438d3	3183	* Usually, in_window_top is the last record number seen and the lsb of
switches	0:5c4d7b2438d3	3184	* in_window is set. The only exception is the initial state (record number 0
switches	0:5c4d7b2438d3	3185	* not seen yet).
switches	0:5c4d7b2438d3	3186	*/
switches	0:5c4d7b2438d3	3187	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	3188	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3189	{
switches	0:5c4d7b2438d3	3190	ssl->in_window_top = 0;
switches	0:5c4d7b2438d3	3191	ssl->in_window = 0;
switches	0:5c4d7b2438d3	3192	}
switches	0:5c4d7b2438d3	3193
switches	0:5c4d7b2438d3	3194	static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
switches	0:5c4d7b2438d3	3195	{
switches	0:5c4d7b2438d3	3196	return( ( (uint64_t) buf[0] << 40 ) \|
switches	0:5c4d7b2438d3	3197	( (uint64_t) buf[1] << 32 ) \|
switches	0:5c4d7b2438d3	3198	( (uint64_t) buf[2] << 24 ) \|
switches	0:5c4d7b2438d3	3199	( (uint64_t) buf[3] << 16 ) \|
switches	0:5c4d7b2438d3	3200	( (uint64_t) buf[4] << 8 ) \|
switches	0:5c4d7b2438d3	3201	( (uint64_t) buf[5] ) );
switches	0:5c4d7b2438d3	3202	}
switches	0:5c4d7b2438d3	3203
switches	0:5c4d7b2438d3	3204	/*
switches	0:5c4d7b2438d3	3205	* Return 0 if sequence number is acceptable, -1 otherwise
switches	0:5c4d7b2438d3	3206	*/
switches	0:5c4d7b2438d3	3207	int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3208	{
switches	0:5c4d7b2438d3	3209	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
switches	0:5c4d7b2438d3	3210	uint64_t bit;
switches	0:5c4d7b2438d3	3211
switches	0:5c4d7b2438d3	3212	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
switches	0:5c4d7b2438d3	3213	return( 0 );
switches	0:5c4d7b2438d3	3214
switches	0:5c4d7b2438d3	3215	if( rec_seqnum > ssl->in_window_top )
switches	0:5c4d7b2438d3	3216	return( 0 );
switches	0:5c4d7b2438d3	3217
switches	0:5c4d7b2438d3	3218	bit = ssl->in_window_top - rec_seqnum;
switches	0:5c4d7b2438d3	3219
switches	0:5c4d7b2438d3	3220	if( bit >= 64 )
switches	0:5c4d7b2438d3	3221	return( -1 );
switches	0:5c4d7b2438d3	3222
switches	0:5c4d7b2438d3	3223	if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
switches	0:5c4d7b2438d3	3224	return( -1 );
switches	0:5c4d7b2438d3	3225
switches	0:5c4d7b2438d3	3226	return( 0 );
switches	0:5c4d7b2438d3	3227	}
switches	0:5c4d7b2438d3	3228
switches	0:5c4d7b2438d3	3229	/*
switches	0:5c4d7b2438d3	3230	* Update replay window on new validated record
switches	0:5c4d7b2438d3	3231	*/
switches	0:5c4d7b2438d3	3232	void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3233	{
switches	0:5c4d7b2438d3	3234	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
switches	0:5c4d7b2438d3	3235
switches	0:5c4d7b2438d3	3236	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
switches	0:5c4d7b2438d3	3237	return;
switches	0:5c4d7b2438d3	3238
switches	0:5c4d7b2438d3	3239	if( rec_seqnum > ssl->in_window_top )
switches	0:5c4d7b2438d3	3240	{
switches	0:5c4d7b2438d3	3241	/* Update window_top and the contents of the window */
switches	0:5c4d7b2438d3	3242	uint64_t shift = rec_seqnum - ssl->in_window_top;
switches	0:5c4d7b2438d3	3243
switches	0:5c4d7b2438d3	3244	if( shift >= 64 )
switches	0:5c4d7b2438d3	3245	ssl->in_window = 1;
switches	0:5c4d7b2438d3	3246	else
switches	0:5c4d7b2438d3	3247	{
switches	0:5c4d7b2438d3	3248	ssl->in_window <<= shift;
switches	0:5c4d7b2438d3	3249	ssl->in_window \|= 1;
switches	0:5c4d7b2438d3	3250	}
switches	0:5c4d7b2438d3	3251
switches	0:5c4d7b2438d3	3252	ssl->in_window_top = rec_seqnum;
switches	0:5c4d7b2438d3	3253	}
switches	0:5c4d7b2438d3	3254	else
switches	0:5c4d7b2438d3	3255	{
switches	0:5c4d7b2438d3	3256	/* Mark that number as seen in the current window */
switches	0:5c4d7b2438d3	3257	uint64_t bit = ssl->in_window_top - rec_seqnum;
switches	0:5c4d7b2438d3	3258
switches	0:5c4d7b2438d3	3259	if( bit < 64 ) /* Always true, but be extra sure */
switches	0:5c4d7b2438d3	3260	ssl->in_window \|= (uint64_t) 1 << bit;
switches	0:5c4d7b2438d3	3261	}
switches	0:5c4d7b2438d3	3262	}
switches	0:5c4d7b2438d3	3263	#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
switches	0:5c4d7b2438d3	3264
switches	0:5c4d7b2438d3	3265	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	3266	/* Forward declaration */
switches	0:5c4d7b2438d3	3267	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
switches	0:5c4d7b2438d3	3268
switches	0:5c4d7b2438d3	3269	/*
switches	0:5c4d7b2438d3	3270	* Without any SSL context, check if a datagram looks like a ClientHello with
switches	0:5c4d7b2438d3	3271	* a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
switches	0:5c4d7b2438d3	3272	* Both input and output include full DTLS headers.
switches	0:5c4d7b2438d3	3273	*
switches	0:5c4d7b2438d3	3274	* - if cookie is valid, return 0
switches	0:5c4d7b2438d3	3275	* - if ClientHello looks superficially valid but cookie is not,
switches	0:5c4d7b2438d3	3276	* fill obuf and set olen, then
switches	0:5c4d7b2438d3	3277	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
switches	0:5c4d7b2438d3	3278	* - otherwise return a specific error code
switches	0:5c4d7b2438d3	3279	*/
switches	0:5c4d7b2438d3	3280	static int ssl_check_dtls_clihlo_cookie(
switches	0:5c4d7b2438d3	3281	mbedtls_ssl_cookie_write_t *f_cookie_write,
switches	0:5c4d7b2438d3	3282	mbedtls_ssl_cookie_check_t *f_cookie_check,
switches	0:5c4d7b2438d3	3283	void *p_cookie,
switches	0:5c4d7b2438d3	3284	const unsigned char *cli_id, size_t cli_id_len,
switches	0:5c4d7b2438d3	3285	const unsigned char *in, size_t in_len,
switches	0:5c4d7b2438d3	3286	unsigned char obuf, size_t buf_len, size_t olen )
switches	0:5c4d7b2438d3	3287	{
switches	0:5c4d7b2438d3	3288	size_t sid_len, cookie_len;
switches	0:5c4d7b2438d3	3289	unsigned char *p;
switches	0:5c4d7b2438d3	3290
switches	0:5c4d7b2438d3	3291	if( f_cookie_write == NULL \|\| f_cookie_check == NULL )
switches	0:5c4d7b2438d3	3292	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	3293
switches	0:5c4d7b2438d3	3294	/*
switches	0:5c4d7b2438d3	3295	* Structure of ClientHello with record and handshake headers,
switches	0:5c4d7b2438d3	3296	* and expected values. We don't need to check a lot, more checks will be
switches	0:5c4d7b2438d3	3297	* done when actually parsing the ClientHello - skipping those checks
switches	0:5c4d7b2438d3	3298	* avoids code duplication and does not make cookie forging any easier.
switches	0:5c4d7b2438d3	3299	*
switches	0:5c4d7b2438d3	3300	* 0-0 ContentType type; copied, must be handshake
switches	0:5c4d7b2438d3	3301	* 1-2 ProtocolVersion version; copied
switches	0:5c4d7b2438d3	3302	* 3-4 uint16 epoch; copied, must be 0
switches	0:5c4d7b2438d3	3303	* 5-10 uint48 sequence_number; copied
switches	0:5c4d7b2438d3	3304	* 11-12 uint16 length; (ignored)
switches	0:5c4d7b2438d3	3305	*
switches	0:5c4d7b2438d3	3306	* 13-13 HandshakeType msg_type; (ignored)
switches	0:5c4d7b2438d3	3307	* 14-16 uint24 length; (ignored)
switches	0:5c4d7b2438d3	3308	* 17-18 uint16 message_seq; copied
switches	0:5c4d7b2438d3	3309	* 19-21 uint24 fragment_offset; copied, must be 0
switches	0:5c4d7b2438d3	3310	* 22-24 uint24 fragment_length; (ignored)
switches	0:5c4d7b2438d3	3311	*
switches	0:5c4d7b2438d3	3312	* 25-26 ProtocolVersion client_version; (ignored)
switches	0:5c4d7b2438d3	3313	* 27-58 Random random; (ignored)
switches	0:5c4d7b2438d3	3314	* 59-xx SessionID session_id; 1 byte len + sid_len content
switches	0:5c4d7b2438d3	3315	* 60+ opaque cookie<0..2^8-1>; 1 byte len + content
switches	0:5c4d7b2438d3	3316	* ...
switches	0:5c4d7b2438d3	3317	*
switches	0:5c4d7b2438d3	3318	* Minimum length is 61 bytes.
switches	0:5c4d7b2438d3	3319	*/
switches	0:5c4d7b2438d3	3320	if( in_len < 61 \|\|
switches	0:5c4d7b2438d3	3321	in[0] != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
switches	0:5c4d7b2438d3	3322	in[3] != 0 \|\| in[4] != 0 \|\|
switches	0:5c4d7b2438d3	3323	in[19] != 0 \|\| in[20] != 0 \|\| in[21] != 0 )
switches	0:5c4d7b2438d3	3324	{
switches	0:5c4d7b2438d3	3325	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
switches	0:5c4d7b2438d3	3326	}
switches	0:5c4d7b2438d3	3327
switches	0:5c4d7b2438d3	3328	sid_len = in[59];
switches	0:5c4d7b2438d3	3329	if( sid_len > in_len - 61 )
switches	0:5c4d7b2438d3	3330	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
switches	0:5c4d7b2438d3	3331
switches	0:5c4d7b2438d3	3332	cookie_len = in[60 + sid_len];
switches	0:5c4d7b2438d3	3333	if( cookie_len > in_len - 60 )
switches	0:5c4d7b2438d3	3334	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
switches	0:5c4d7b2438d3	3335
switches	0:5c4d7b2438d3	3336	if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
switches	0:5c4d7b2438d3	3337	cli_id, cli_id_len ) == 0 )
switches	0:5c4d7b2438d3	3338	{
switches	0:5c4d7b2438d3	3339	/* Valid cookie */
switches	0:5c4d7b2438d3	3340	return( 0 );
switches	0:5c4d7b2438d3	3341	}
switches	0:5c4d7b2438d3	3342
switches	0:5c4d7b2438d3	3343	/*
switches	0:5c4d7b2438d3	3344	* If we get here, we've got an invalid cookie, let's prepare HVR.
switches	0:5c4d7b2438d3	3345	*
switches	0:5c4d7b2438d3	3346	* 0-0 ContentType type; copied
switches	0:5c4d7b2438d3	3347	* 1-2 ProtocolVersion version; copied
switches	0:5c4d7b2438d3	3348	* 3-4 uint16 epoch; copied
switches	0:5c4d7b2438d3	3349	* 5-10 uint48 sequence_number; copied
switches	0:5c4d7b2438d3	3350	* 11-12 uint16 length; olen - 13
switches	0:5c4d7b2438d3	3351	*
switches	0:5c4d7b2438d3	3352	* 13-13 HandshakeType msg_type; hello_verify_request
switches	0:5c4d7b2438d3	3353	* 14-16 uint24 length; olen - 25
switches	0:5c4d7b2438d3	3354	* 17-18 uint16 message_seq; copied
switches	0:5c4d7b2438d3	3355	* 19-21 uint24 fragment_offset; copied
switches	0:5c4d7b2438d3	3356	* 22-24 uint24 fragment_length; olen - 25
switches	0:5c4d7b2438d3	3357	*
switches	0:5c4d7b2438d3	3358	* 25-26 ProtocolVersion server_version; 0xfe 0xff
switches	0:5c4d7b2438d3	3359	* 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
switches	0:5c4d7b2438d3	3360	*
switches	0:5c4d7b2438d3	3361	* Minimum length is 28.
switches	0:5c4d7b2438d3	3362	*/
switches	0:5c4d7b2438d3	3363	if( buf_len < 28 )
switches	0:5c4d7b2438d3	3364	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
switches	0:5c4d7b2438d3	3365
switches	0:5c4d7b2438d3	3366	/* Copy most fields and adapt others */
switches	0:5c4d7b2438d3	3367	memcpy( obuf, in, 25 );
switches	0:5c4d7b2438d3	3368	obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
switches	0:5c4d7b2438d3	3369	obuf[25] = 0xfe;
switches	0:5c4d7b2438d3	3370	obuf[26] = 0xff;
switches	0:5c4d7b2438d3	3371
switches	0:5c4d7b2438d3	3372	/* Generate and write actual cookie */
switches	0:5c4d7b2438d3	3373	p = obuf + 28;
switches	0:5c4d7b2438d3	3374	if( f_cookie_write( p_cookie,
switches	0:5c4d7b2438d3	3375	&p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
switches	0:5c4d7b2438d3	3376	{
switches	0:5c4d7b2438d3	3377	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	3378	}
switches	0:5c4d7b2438d3	3379
switches	0:5c4d7b2438d3	3380	*olen = p - obuf;
switches	0:5c4d7b2438d3	3381
switches	0:5c4d7b2438d3	3382	/* Go back and fill length fields */
switches	0:5c4d7b2438d3	3383	obuf[27] = (unsigned char)( *olen - 28 );
switches	0:5c4d7b2438d3	3384
switches	0:5c4d7b2438d3	3385	obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
switches	0:5c4d7b2438d3	3386	obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
switches	0:5c4d7b2438d3	3387	obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
switches	0:5c4d7b2438d3	3388
switches	0:5c4d7b2438d3	3389	obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
switches	0:5c4d7b2438d3	3390	obuf[12] = (unsigned char)( ( *olen - 13 ) );
switches	0:5c4d7b2438d3	3391
switches	0:5c4d7b2438d3	3392	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
switches	0:5c4d7b2438d3	3393	}
switches	0:5c4d7b2438d3	3394
switches	0:5c4d7b2438d3	3395	/*
switches	0:5c4d7b2438d3	3396	* Handle possible client reconnect with the same UDP quadruplet
switches	0:5c4d7b2438d3	3397	* (RFC 6347 Section 4.2.8).
switches	0:5c4d7b2438d3	3398	*
switches	0:5c4d7b2438d3	3399	* Called by ssl_parse_record_header() in case we receive an epoch 0 record
switches	0:5c4d7b2438d3	3400	* that looks like a ClientHello.
switches	0:5c4d7b2438d3	3401	*
switches	0:5c4d7b2438d3	3402	* - if the input looks like a ClientHello without cookies,
switches	0:5c4d7b2438d3	3403	* send back HelloVerifyRequest, then
switches	0:5c4d7b2438d3	3404	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
switches	0:5c4d7b2438d3	3405	* - if the input looks like a ClientHello with a valid cookie,
switches	0:5c4d7b2438d3	3406	* reset the session of the current context, and
switches	0:5c4d7b2438d3	3407	* return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
switches	0:5c4d7b2438d3	3408	* - if anything goes wrong, return a specific error code
switches	0:5c4d7b2438d3	3409	*
switches	0:5c4d7b2438d3	3410	* mbedtls_ssl_read_record() will ignore the record if anything else than
switches	0:5c4d7b2438d3	3411	* MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
switches	0:5c4d7b2438d3	3412	* cannot not return 0.
switches	0:5c4d7b2438d3	3413	*/
switches	0:5c4d7b2438d3	3414	static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3415	{
switches	0:5c4d7b2438d3	3416	int ret;
switches	0:5c4d7b2438d3	3417	size_t len;
switches	0:5c4d7b2438d3	3418
switches	0:5c4d7b2438d3	3419	ret = ssl_check_dtls_clihlo_cookie(
switches	0:5c4d7b2438d3	3420	ssl->conf->f_cookie_write,
switches	0:5c4d7b2438d3	3421	ssl->conf->f_cookie_check,
switches	0:5c4d7b2438d3	3422	ssl->conf->p_cookie,
switches	0:5c4d7b2438d3	3423	ssl->cli_id, ssl->cli_id_len,
switches	0:5c4d7b2438d3	3424	ssl->in_buf, ssl->in_left,
switches	0:5c4d7b2438d3	3425	ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
switches	0:5c4d7b2438d3	3426
switches	0:5c4d7b2438d3	3427	MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
switches	0:5c4d7b2438d3	3428
switches	0:5c4d7b2438d3	3429	if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
switches	0:5c4d7b2438d3	3430	{
switches	0:5c4d7b2438d3	3431	/* Dont check write errors as we can't do anything here.
switches	0:5c4d7b2438d3	3432	* If the error is permanent we'll catch it later,
switches	0:5c4d7b2438d3	3433	* if it's not, then hopefully it'll work next time. */
switches	0:5c4d7b2438d3	3434	(void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
switches	0:5c4d7b2438d3	3435
switches	0:5c4d7b2438d3	3436	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
switches	0:5c4d7b2438d3	3437	}
switches	0:5c4d7b2438d3	3438
switches	0:5c4d7b2438d3	3439	if( ret == 0 )
switches	0:5c4d7b2438d3	3440	{
switches	0:5c4d7b2438d3	3441	/* Got a valid cookie, partially reset context */
switches	0:5c4d7b2438d3	3442	if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
switches	0:5c4d7b2438d3	3443	{
switches	0:5c4d7b2438d3	3444	MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
switches	0:5c4d7b2438d3	3445	return( ret );
switches	0:5c4d7b2438d3	3446	}
switches	0:5c4d7b2438d3	3447
switches	0:5c4d7b2438d3	3448	return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
switches	0:5c4d7b2438d3	3449	}
switches	0:5c4d7b2438d3	3450
switches	0:5c4d7b2438d3	3451	return( ret );
switches	0:5c4d7b2438d3	3452	}
switches	0:5c4d7b2438d3	3453	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	3454
switches	0:5c4d7b2438d3	3455	/*
switches	0:5c4d7b2438d3	3456	* ContentType type;
switches	0:5c4d7b2438d3	3457	* ProtocolVersion version;
switches	0:5c4d7b2438d3	3458	* uint16 epoch; // DTLS only
switches	0:5c4d7b2438d3	3459	* uint48 sequence_number; // DTLS only
switches	0:5c4d7b2438d3	3460	* uint16 length;
switches	0:5c4d7b2438d3	3461	*
switches	0:5c4d7b2438d3	3462	* Return 0 if header looks sane (and, for DTLS, the record is expected)
switches	0:5c4d7b2438d3	3463	* MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
switches	0:5c4d7b2438d3	3464	* MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
switches	0:5c4d7b2438d3	3465	*
switches	0:5c4d7b2438d3	3466	* With DTLS, mbedtls_ssl_read_record() will:
switches	0:5c4d7b2438d3	3467	* 1. proceed with the record if this function returns 0
switches	0:5c4d7b2438d3	3468	* 2. drop only the current record if this function returns UNEXPECTED_RECORD
switches	0:5c4d7b2438d3	3469	* 3. return CLIENT_RECONNECT if this function return that value
switches	0:5c4d7b2438d3	3470	* 4. drop the whole datagram if this function returns anything else.
switches	0:5c4d7b2438d3	3471	* Point 2 is needed when the peer is resending, and we have already received
switches	0:5c4d7b2438d3	3472	* the first record from a datagram but are still waiting for the others.
switches	0:5c4d7b2438d3	3473	*/
switches	0:5c4d7b2438d3	3474	static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3475	{
switches	0:5c4d7b2438d3	3476	int ret;
switches	0:5c4d7b2438d3	3477	int major_ver, minor_ver;
switches	0:5c4d7b2438d3	3478
switches	0:5c4d7b2438d3	3479	MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
switches	0:5c4d7b2438d3	3480
switches	0:5c4d7b2438d3	3481	ssl->in_msgtype = ssl->in_hdr[0];
switches	0:5c4d7b2438d3	3482	ssl->in_msglen = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
switches	0:5c4d7b2438d3	3483	mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
switches	0:5c4d7b2438d3	3484
switches	0:5c4d7b2438d3	3485	MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
switches	0:5c4d7b2438d3	3486	"version = [%d:%d], msglen = %d",
switches	0:5c4d7b2438d3	3487	ssl->in_msgtype,
switches	0:5c4d7b2438d3	3488	major_ver, minor_ver, ssl->in_msglen ) );
switches	0:5c4d7b2438d3	3489
switches	0:5c4d7b2438d3	3490	/* Check record type */
switches	0:5c4d7b2438d3	3491	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
switches	0:5c4d7b2438d3	3492	ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
switches	0:5c4d7b2438d3	3493	ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
switches	0:5c4d7b2438d3	3494	ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
switches	0:5c4d7b2438d3	3495	{
switches	0:5c4d7b2438d3	3496	MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
switches	0:5c4d7b2438d3	3497
switches	0:5c4d7b2438d3	3498	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
switches	0:5c4d7b2438d3	3499	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
switches	0:5c4d7b2438d3	3500	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
switches	0:5c4d7b2438d3	3501	{
switches	0:5c4d7b2438d3	3502	return( ret );
switches	0:5c4d7b2438d3	3503	}
switches	0:5c4d7b2438d3	3504
switches	0:5c4d7b2438d3	3505	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3506	}
switches	0:5c4d7b2438d3	3507
switches	0:5c4d7b2438d3	3508	/* Check version */
switches	0:5c4d7b2438d3	3509	if( major_ver != ssl->major_ver )
switches	0:5c4d7b2438d3	3510	{
switches	0:5c4d7b2438d3	3511	MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
switches	0:5c4d7b2438d3	3512	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3513	}
switches	0:5c4d7b2438d3	3514
switches	0:5c4d7b2438d3	3515	if( minor_ver > ssl->conf->max_minor_ver )
switches	0:5c4d7b2438d3	3516	{
switches	0:5c4d7b2438d3	3517	MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
switches	0:5c4d7b2438d3	3518	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3519	}
switches	0:5c4d7b2438d3	3520
switches	0:5c4d7b2438d3	3521	/* Check length against the size of our buffer */
switches	0:5c4d7b2438d3	3522	if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
switches	0:5c4d7b2438d3	3523	- (size_t)( ssl->in_msg - ssl->in_buf ) )
switches	0:5c4d7b2438d3	3524	{
switches	0:5c4d7b2438d3	3525	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
switches	0:5c4d7b2438d3	3526	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3527	}
switches	0:5c4d7b2438d3	3528
switches	0:5c4d7b2438d3	3529	/* Check length against bounds of the current transform and version */
switches	0:5c4d7b2438d3	3530	if( ssl->transform_in == NULL )
switches	0:5c4d7b2438d3	3531	{
switches	0:5c4d7b2438d3	3532	if( ssl->in_msglen < 1 \|\|
switches	0:5c4d7b2438d3	3533	ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
switches	0:5c4d7b2438d3	3534	{
switches	0:5c4d7b2438d3	3535	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
switches	0:5c4d7b2438d3	3536	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3537	}
switches	0:5c4d7b2438d3	3538	}
switches	0:5c4d7b2438d3	3539	else
switches	0:5c4d7b2438d3	3540	{
switches	0:5c4d7b2438d3	3541	if( ssl->in_msglen < ssl->transform_in->minlen )
switches	0:5c4d7b2438d3	3542	{
switches	0:5c4d7b2438d3	3543	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
switches	0:5c4d7b2438d3	3544	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3545	}
switches	0:5c4d7b2438d3	3546
switches	0:5c4d7b2438d3	3547	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	3548	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
switches	0:5c4d7b2438d3	3549	ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
switches	0:5c4d7b2438d3	3550	{
switches	0:5c4d7b2438d3	3551	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
switches	0:5c4d7b2438d3	3552	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3553	}
switches	0:5c4d7b2438d3	3554	#endif
switches	0:5c4d7b2438d3	3555	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
switches	0:5c4d7b2438d3	3556	defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	3557	/*
switches	0:5c4d7b2438d3	3558	* TLS encrypted messages can have up to 256 bytes of padding
switches	0:5c4d7b2438d3	3559	*/
switches	0:5c4d7b2438d3	3560	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
switches	0:5c4d7b2438d3	3561	ssl->in_msglen > ssl->transform_in->minlen +
switches	0:5c4d7b2438d3	3562	MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
switches	0:5c4d7b2438d3	3563	{
switches	0:5c4d7b2438d3	3564	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
switches	0:5c4d7b2438d3	3565	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3566	}
switches	0:5c4d7b2438d3	3567	#endif
switches	0:5c4d7b2438d3	3568	}
switches	0:5c4d7b2438d3	3569
switches	0:5c4d7b2438d3	3570	/*
switches	0:5c4d7b2438d3	3571	* DTLS-related tests done last, because most of them may result in
switches	0:5c4d7b2438d3	3572	* silently dropping the record (but not the whole datagram), and we only
switches	0:5c4d7b2438d3	3573	* want to consider that after ensuring that the "basic" fields (type,
switches	0:5c4d7b2438d3	3574	* version, length) are sane.
switches	0:5c4d7b2438d3	3575	*/
switches	0:5c4d7b2438d3	3576	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3577	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	3578	{
switches	0:5c4d7b2438d3	3579	unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) \| ssl->in_ctr[1];
switches	0:5c4d7b2438d3	3580
switches	0:5c4d7b2438d3	3581	/* Drop unexpected ChangeCipherSpec messages */
switches	0:5c4d7b2438d3	3582	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
switches	0:5c4d7b2438d3	3583	ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
switches	0:5c4d7b2438d3	3584	ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
switches	0:5c4d7b2438d3	3585	{
switches	0:5c4d7b2438d3	3586	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
switches	0:5c4d7b2438d3	3587	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
switches	0:5c4d7b2438d3	3588	}
switches	0:5c4d7b2438d3	3589
switches	0:5c4d7b2438d3	3590	/* Drop unexpected ApplicationData records,
switches	0:5c4d7b2438d3	3591	* except at the beginning of renegotiations */
switches	0:5c4d7b2438d3	3592	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
switches	0:5c4d7b2438d3	3593	ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
switches	0:5c4d7b2438d3	3594	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	3595	&& ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
switches	0:5c4d7b2438d3	3596	ssl->state == MBEDTLS_SSL_SERVER_HELLO )
switches	0:5c4d7b2438d3	3597	#endif
switches	0:5c4d7b2438d3	3598	)
switches	0:5c4d7b2438d3	3599	{
switches	0:5c4d7b2438d3	3600	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
switches	0:5c4d7b2438d3	3601	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
switches	0:5c4d7b2438d3	3602	}
switches	0:5c4d7b2438d3	3603
switches	0:5c4d7b2438d3	3604	/* Check epoch (and sequence number) with DTLS */
switches	0:5c4d7b2438d3	3605	if( rec_epoch != ssl->in_epoch )
switches	0:5c4d7b2438d3	3606	{
switches	0:5c4d7b2438d3	3607	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
switches	0:5c4d7b2438d3	3608	"expected %d, received %d",
switches	0:5c4d7b2438d3	3609	ssl->in_epoch, rec_epoch ) );
switches	0:5c4d7b2438d3	3610
switches	0:5c4d7b2438d3	3611	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	3612	/*
switches	0:5c4d7b2438d3	3613	* Check for an epoch 0 ClientHello. We can't use in_msg here to
switches	0:5c4d7b2438d3	3614	* access the first byte of record content (handshake type), as we
switches	0:5c4d7b2438d3	3615	* have an active transform (possibly iv_len != 0), so use the
switches	0:5c4d7b2438d3	3616	* fact that the record header len is 13 instead.
switches	0:5c4d7b2438d3	3617	*/
switches	0:5c4d7b2438d3	3618	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	3619	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
switches	0:5c4d7b2438d3	3620	rec_epoch == 0 &&
switches	0:5c4d7b2438d3	3621	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
switches	0:5c4d7b2438d3	3622	ssl->in_left > 13 &&
switches	0:5c4d7b2438d3	3623	ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
switches	0:5c4d7b2438d3	3624	{
switches	0:5c4d7b2438d3	3625	MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
switches	0:5c4d7b2438d3	3626	"from the same port" ) );
switches	0:5c4d7b2438d3	3627	return( ssl_handle_possible_reconnect( ssl ) );
switches	0:5c4d7b2438d3	3628	}
switches	0:5c4d7b2438d3	3629	else
switches	0:5c4d7b2438d3	3630	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	3631	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
switches	0:5c4d7b2438d3	3632	}
switches	0:5c4d7b2438d3	3633
switches	0:5c4d7b2438d3	3634	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	3635	/* Replay detection only works for the current epoch */
switches	0:5c4d7b2438d3	3636	if( rec_epoch == ssl->in_epoch &&
switches	0:5c4d7b2438d3	3637	mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
switches	0:5c4d7b2438d3	3638	{
switches	0:5c4d7b2438d3	3639	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
switches	0:5c4d7b2438d3	3640	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
switches	0:5c4d7b2438d3	3641	}
switches	0:5c4d7b2438d3	3642	#endif
switches	0:5c4d7b2438d3	3643	}
switches	0:5c4d7b2438d3	3644	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	3645
switches	0:5c4d7b2438d3	3646	return( 0 );
switches	0:5c4d7b2438d3	3647	}
switches	0:5c4d7b2438d3	3648
switches	0:5c4d7b2438d3	3649	/*
switches	0:5c4d7b2438d3	3650	* If applicable, decrypt (and decompress) record content
switches	0:5c4d7b2438d3	3651	*/
switches	0:5c4d7b2438d3	3652	static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3653	{
switches	0:5c4d7b2438d3	3654	int ret, done = 0;
switches	0:5c4d7b2438d3	3655
switches	0:5c4d7b2438d3	3656	MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
switches	0:5c4d7b2438d3	3657	ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
switches	0:5c4d7b2438d3	3658
switches	0:5c4d7b2438d3	3659	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	3660	if( mbedtls_ssl_hw_record_read != NULL )
switches	0:5c4d7b2438d3	3661	{
switches	0:5c4d7b2438d3	3662	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
switches	0:5c4d7b2438d3	3663
switches	0:5c4d7b2438d3	3664	ret = mbedtls_ssl_hw_record_read( ssl );
switches	0:5c4d7b2438d3	3665	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
switches	0:5c4d7b2438d3	3666	{
switches	0:5c4d7b2438d3	3667	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
switches	0:5c4d7b2438d3	3668	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
switches	0:5c4d7b2438d3	3669	}
switches	0:5c4d7b2438d3	3670
switches	0:5c4d7b2438d3	3671	if( ret == 0 )
switches	0:5c4d7b2438d3	3672	done = 1;
switches	0:5c4d7b2438d3	3673	}
switches	0:5c4d7b2438d3	3674	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
switches	0:5c4d7b2438d3	3675	if( !done && ssl->transform_in != NULL )
switches	0:5c4d7b2438d3	3676	{
switches	0:5c4d7b2438d3	3677	if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3678	{
switches	0:5c4d7b2438d3	3679	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
switches	0:5c4d7b2438d3	3680	return( ret );
switches	0:5c4d7b2438d3	3681	}
switches	0:5c4d7b2438d3	3682
switches	0:5c4d7b2438d3	3683	MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
switches	0:5c4d7b2438d3	3684	ssl->in_msg, ssl->in_msglen );
switches	0:5c4d7b2438d3	3685
switches	0:5c4d7b2438d3	3686	if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
switches	0:5c4d7b2438d3	3687	{
switches	0:5c4d7b2438d3	3688	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
switches	0:5c4d7b2438d3	3689	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
switches	0:5c4d7b2438d3	3690	}
switches	0:5c4d7b2438d3	3691	}
switches	0:5c4d7b2438d3	3692
switches	0:5c4d7b2438d3	3693	#if defined(MBEDTLS_ZLIB_SUPPORT)
switches	0:5c4d7b2438d3	3694	if( ssl->transform_in != NULL &&
switches	0:5c4d7b2438d3	3695	ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
switches	0:5c4d7b2438d3	3696	{
switches	0:5c4d7b2438d3	3697	if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3698	{
switches	0:5c4d7b2438d3	3699	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
switches	0:5c4d7b2438d3	3700	return( ret );
switches	0:5c4d7b2438d3	3701	}
switches	0:5c4d7b2438d3	3702	}
switches	0:5c4d7b2438d3	3703	#endif /* MBEDTLS_ZLIB_SUPPORT */
switches	0:5c4d7b2438d3	3704
switches	0:5c4d7b2438d3	3705	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	3706	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	3707	{
switches	0:5c4d7b2438d3	3708	mbedtls_ssl_dtls_replay_update( ssl );
switches	0:5c4d7b2438d3	3709	}
switches	0:5c4d7b2438d3	3710	#endif
switches	0:5c4d7b2438d3	3711
switches	0:5c4d7b2438d3	3712	return( 0 );
switches	0:5c4d7b2438d3	3713	}
switches	0:5c4d7b2438d3	3714
switches	0:5c4d7b2438d3	3715	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
switches	0:5c4d7b2438d3	3716
switches	0:5c4d7b2438d3	3717	/*
switches	0:5c4d7b2438d3	3718	* Read a record.
switches	0:5c4d7b2438d3	3719	*
switches	0:5c4d7b2438d3	3720	* Silently ignore non-fatal alert (and for DTLS, invalid records as well,
switches	0:5c4d7b2438d3	3721	* RFC 6347 4.1.2.7) and continue reading until a valid record is found.
switches	0:5c4d7b2438d3	3722	*
switches	0:5c4d7b2438d3	3723	*/
switches	0:5c4d7b2438d3	3724	int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3725	{
switches	0:5c4d7b2438d3	3726	int ret;
switches	0:5c4d7b2438d3	3727
switches	0:5c4d7b2438d3	3728	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
switches	0:5c4d7b2438d3	3729
switches	0:5c4d7b2438d3	3730	do {
switches	0:5c4d7b2438d3	3731
switches	0:5c4d7b2438d3	3732	if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3733	{
switches	0:5c4d7b2438d3	3734	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
switches	0:5c4d7b2438d3	3735	return( ret );
switches	0:5c4d7b2438d3	3736	}
switches	0:5c4d7b2438d3	3737
switches	0:5c4d7b2438d3	3738	ret = mbedtls_ssl_handle_message_type( ssl );
switches	0:5c4d7b2438d3	3739
switches	0:5c4d7b2438d3	3740	} while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
switches	0:5c4d7b2438d3	3741
switches	0:5c4d7b2438d3	3742	if( 0 != ret )
switches	0:5c4d7b2438d3	3743	{
switches	0:5c4d7b2438d3	3744	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
switches	0:5c4d7b2438d3	3745	return( ret );
switches	0:5c4d7b2438d3	3746	}
switches	0:5c4d7b2438d3	3747
switches	0:5c4d7b2438d3	3748	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
switches	0:5c4d7b2438d3	3749	{
switches	0:5c4d7b2438d3	3750	mbedtls_ssl_update_handshake_status( ssl );
switches	0:5c4d7b2438d3	3751	}
switches	0:5c4d7b2438d3	3752
switches	0:5c4d7b2438d3	3753	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
switches	0:5c4d7b2438d3	3754
switches	0:5c4d7b2438d3	3755	return( 0 );
switches	0:5c4d7b2438d3	3756	}
switches	0:5c4d7b2438d3	3757
switches	0:5c4d7b2438d3	3758	int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3759	{
switches	0:5c4d7b2438d3	3760	int ret;
switches	0:5c4d7b2438d3	3761
switches	0:5c4d7b2438d3	3762	if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen )
switches	0:5c4d7b2438d3	3763	{
switches	0:5c4d7b2438d3	3764	/*
switches	0:5c4d7b2438d3	3765	* Get next Handshake message in the current record
switches	0:5c4d7b2438d3	3766	*/
switches	0:5c4d7b2438d3	3767	ssl->in_msglen -= ssl->in_hslen;
switches	0:5c4d7b2438d3	3768
switches	0:5c4d7b2438d3	3769	memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
switches	0:5c4d7b2438d3	3770	ssl->in_msglen );
switches	0:5c4d7b2438d3	3771
switches	0:5c4d7b2438d3	3772	MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
switches	0:5c4d7b2438d3	3773	ssl->in_msg, ssl->in_msglen );
switches	0:5c4d7b2438d3	3774
switches	0:5c4d7b2438d3	3775	return( 0 );
switches	0:5c4d7b2438d3	3776	}
switches	0:5c4d7b2438d3	3777
switches	0:5c4d7b2438d3	3778	ssl->in_hslen = 0;
switches	0:5c4d7b2438d3	3779
switches	0:5c4d7b2438d3	3780	/*
switches	0:5c4d7b2438d3	3781	* Read the record header and parse it
switches	0:5c4d7b2438d3	3782	*/
switches	0:5c4d7b2438d3	3783	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3784	read_record_header:
switches	0:5c4d7b2438d3	3785	#endif
switches	0:5c4d7b2438d3	3786
switches	0:5c4d7b2438d3	3787	if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
switches	0:5c4d7b2438d3	3788	{
switches	0:5c4d7b2438d3	3789	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
switches	0:5c4d7b2438d3	3790	return( ret );
switches	0:5c4d7b2438d3	3791	}
switches	0:5c4d7b2438d3	3792
switches	0:5c4d7b2438d3	3793	if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3794	{
switches	0:5c4d7b2438d3	3795	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3796	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	3797	ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
switches	0:5c4d7b2438d3	3798	{
switches	0:5c4d7b2438d3	3799	if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
switches	0:5c4d7b2438d3	3800	{
switches	0:5c4d7b2438d3	3801	/* Skip unexpected record (but not whole datagram) */
switches	0:5c4d7b2438d3	3802	ssl->next_record_offset = ssl->in_msglen
switches	0:5c4d7b2438d3	3803	+ mbedtls_ssl_hdr_len( ssl );
switches	0:5c4d7b2438d3	3804
switches	0:5c4d7b2438d3	3805	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
switches	0:5c4d7b2438d3	3806	"(header)" ) );
switches	0:5c4d7b2438d3	3807	}
switches	0:5c4d7b2438d3	3808	else
switches	0:5c4d7b2438d3	3809	{
switches	0:5c4d7b2438d3	3810	/* Skip invalid record and the rest of the datagram */
switches	0:5c4d7b2438d3	3811	ssl->next_record_offset = 0;
switches	0:5c4d7b2438d3	3812	ssl->in_left = 0;
switches	0:5c4d7b2438d3	3813
switches	0:5c4d7b2438d3	3814	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
switches	0:5c4d7b2438d3	3815	"(header)" ) );
switches	0:5c4d7b2438d3	3816	}
switches	0:5c4d7b2438d3	3817
switches	0:5c4d7b2438d3	3818	/* Get next record */
switches	0:5c4d7b2438d3	3819	goto read_record_header;
switches	0:5c4d7b2438d3	3820	}
switches	0:5c4d7b2438d3	3821	#endif
switches	0:5c4d7b2438d3	3822	return( ret );
switches	0:5c4d7b2438d3	3823	}
switches	0:5c4d7b2438d3	3824
switches	0:5c4d7b2438d3	3825	/*
switches	0:5c4d7b2438d3	3826	* Read and optionally decrypt the message contents
switches	0:5c4d7b2438d3	3827	*/
switches	0:5c4d7b2438d3	3828	if( ( ret = mbedtls_ssl_fetch_input( ssl,
switches	0:5c4d7b2438d3	3829	mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
switches	0:5c4d7b2438d3	3830	{
switches	0:5c4d7b2438d3	3831	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
switches	0:5c4d7b2438d3	3832	return( ret );
switches	0:5c4d7b2438d3	3833	}
switches	0:5c4d7b2438d3	3834
switches	0:5c4d7b2438d3	3835	/* Done reading this record, get ready for the next one */
switches	0:5c4d7b2438d3	3836	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3837	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	3838	ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
switches	0:5c4d7b2438d3	3839	else
switches	0:5c4d7b2438d3	3840	#endif
switches	0:5c4d7b2438d3	3841	ssl->in_left = 0;
switches	0:5c4d7b2438d3	3842
switches	0:5c4d7b2438d3	3843	if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3844	{
switches	0:5c4d7b2438d3	3845	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3846	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	3847	{
switches	0:5c4d7b2438d3	3848	/* Silently discard invalid records */
switches	0:5c4d7b2438d3	3849	if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD \|\|
switches	0:5c4d7b2438d3	3850	ret == MBEDTLS_ERR_SSL_INVALID_MAC )
switches	0:5c4d7b2438d3	3851	{
switches	0:5c4d7b2438d3	3852	/* Except when waiting for Finished as a bad mac here
switches	0:5c4d7b2438d3	3853	* probably means something went wrong in the handshake
switches	0:5c4d7b2438d3	3854	* (eg wrong psk used, mitm downgrade attempt, etc.) */
switches	0:5c4d7b2438d3	3855	if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED \|\|
switches	0:5c4d7b2438d3	3856	ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
switches	0:5c4d7b2438d3	3857	{
switches	0:5c4d7b2438d3	3858	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
switches	0:5c4d7b2438d3	3859	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
switches	0:5c4d7b2438d3	3860	{
switches	0:5c4d7b2438d3	3861	mbedtls_ssl_send_alert_message( ssl,
switches	0:5c4d7b2438d3	3862	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
switches	0:5c4d7b2438d3	3863	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
switches	0:5c4d7b2438d3	3864	}
switches	0:5c4d7b2438d3	3865	#endif
switches	0:5c4d7b2438d3	3866	return( ret );
switches	0:5c4d7b2438d3	3867	}
switches	0:5c4d7b2438d3	3868
switches	0:5c4d7b2438d3	3869	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
switches	0:5c4d7b2438d3	3870	if( ssl->conf->badmac_limit != 0 &&
switches	0:5c4d7b2438d3	3871	++ssl->badmac_seen >= ssl->conf->badmac_limit )
switches	0:5c4d7b2438d3	3872	{
switches	0:5c4d7b2438d3	3873	MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
switches	0:5c4d7b2438d3	3874	return( MBEDTLS_ERR_SSL_INVALID_MAC );
switches	0:5c4d7b2438d3	3875	}
switches	0:5c4d7b2438d3	3876	#endif
switches	0:5c4d7b2438d3	3877
switches	0:5c4d7b2438d3	3878	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
switches	0:5c4d7b2438d3	3879	goto read_record_header;
switches	0:5c4d7b2438d3	3880	}
switches	0:5c4d7b2438d3	3881
switches	0:5c4d7b2438d3	3882	return( ret );
switches	0:5c4d7b2438d3	3883	}
switches	0:5c4d7b2438d3	3884	else
switches	0:5c4d7b2438d3	3885	#endif
switches	0:5c4d7b2438d3	3886	{
switches	0:5c4d7b2438d3	3887	/* Error out (and send alert) on invalid records */
switches	0:5c4d7b2438d3	3888	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
switches	0:5c4d7b2438d3	3889	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
switches	0:5c4d7b2438d3	3890	{
switches	0:5c4d7b2438d3	3891	mbedtls_ssl_send_alert_message( ssl,
switches	0:5c4d7b2438d3	3892	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
switches	0:5c4d7b2438d3	3893	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
switches	0:5c4d7b2438d3	3894	}
switches	0:5c4d7b2438d3	3895	#endif
switches	0:5c4d7b2438d3	3896	return( ret );
switches	0:5c4d7b2438d3	3897	}
switches	0:5c4d7b2438d3	3898	}
switches	0:5c4d7b2438d3	3899
switches	0:5c4d7b2438d3	3900	/*
switches	0:5c4d7b2438d3	3901	* When we sent the last flight of the handshake, we MUST respond to a
switches	0:5c4d7b2438d3	3902	* retransmit of the peer's previous flight with a retransmit. (In
switches	0:5c4d7b2438d3	3903	* practice, only the Finished message will make it, other messages
switches	0:5c4d7b2438d3	3904	* including CCS use the old transform so they're dropped as invalid.)
switches	0:5c4d7b2438d3	3905	*
switches	0:5c4d7b2438d3	3906	* If the record we received is not a handshake message, however, it
switches	0:5c4d7b2438d3	3907	* means the peer received our last flight so we can clean up
switches	0:5c4d7b2438d3	3908	* handshake info.
switches	0:5c4d7b2438d3	3909	*
switches	0:5c4d7b2438d3	3910	* This check needs to be done before prepare_handshake() due to an edge
switches	0:5c4d7b2438d3	3911	* case: if the client immediately requests renegotiation, this
switches	0:5c4d7b2438d3	3912	* finishes the current handshake first, avoiding the new ClientHello
switches	0:5c4d7b2438d3	3913	* being mistaken for an ancient message in the current handshake.
switches	0:5c4d7b2438d3	3914	*/
switches	0:5c4d7b2438d3	3915	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	3916	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	3917	ssl->handshake != NULL &&
switches	0:5c4d7b2438d3	3918	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	3919	{
switches	0:5c4d7b2438d3	3920	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
switches	0:5c4d7b2438d3	3921	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
switches	0:5c4d7b2438d3	3922	{
switches	0:5c4d7b2438d3	3923	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) );
switches	0:5c4d7b2438d3	3924
switches	0:5c4d7b2438d3	3925	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3926	{
switches	0:5c4d7b2438d3	3927	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
switches	0:5c4d7b2438d3	3928	return( ret );
switches	0:5c4d7b2438d3	3929	}
switches	0:5c4d7b2438d3	3930
switches	0:5c4d7b2438d3	3931	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	3932	}
switches	0:5c4d7b2438d3	3933	else
switches	0:5c4d7b2438d3	3934	{
switches	0:5c4d7b2438d3	3935	ssl_handshake_wrapup_free_hs_transform( ssl );
switches	0:5c4d7b2438d3	3936	}
switches	0:5c4d7b2438d3	3937	}
switches	0:5c4d7b2438d3	3938	#endif
switches	0:5c4d7b2438d3	3939
switches	0:5c4d7b2438d3	3940	return( 0 );
switches	0:5c4d7b2438d3	3941	}
switches	0:5c4d7b2438d3	3942
switches	0:5c4d7b2438d3	3943	int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	3944	{
switches	0:5c4d7b2438d3	3945	int ret;
switches	0:5c4d7b2438d3	3946
switches	0:5c4d7b2438d3	3947	/*
switches	0:5c4d7b2438d3	3948	* Handle particular types of records
switches	0:5c4d7b2438d3	3949	*/
switches	0:5c4d7b2438d3	3950	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
switches	0:5c4d7b2438d3	3951	{
switches	0:5c4d7b2438d3	3952	if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	3953	{
switches	0:5c4d7b2438d3	3954	return( ret );
switches	0:5c4d7b2438d3	3955	}
switches	0:5c4d7b2438d3	3956	}
switches	0:5c4d7b2438d3	3957
switches	0:5c4d7b2438d3	3958	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
switches	0:5c4d7b2438d3	3959	{
switches	0:5c4d7b2438d3	3960	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
switches	0:5c4d7b2438d3	3961	ssl->in_msg[0], ssl->in_msg[1] ) );
switches	0:5c4d7b2438d3	3962
switches	0:5c4d7b2438d3	3963	/*
switches	0:5c4d7b2438d3	3964	* Ignore non-fatal alerts, except close_notify and no_renegotiation
switches	0:5c4d7b2438d3	3965	*/
switches	0:5c4d7b2438d3	3966	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
switches	0:5c4d7b2438d3	3967	{
switches	0:5c4d7b2438d3	3968	MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
switches	0:5c4d7b2438d3	3969	ssl->in_msg[1] ) );
switches	0:5c4d7b2438d3	3970	return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
switches	0:5c4d7b2438d3	3971	}
switches	0:5c4d7b2438d3	3972
switches	0:5c4d7b2438d3	3973	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
switches	0:5c4d7b2438d3	3974	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
switches	0:5c4d7b2438d3	3975	{
switches	0:5c4d7b2438d3	3976	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
switches	0:5c4d7b2438d3	3977	return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
switches	0:5c4d7b2438d3	3978	}
switches	0:5c4d7b2438d3	3979
switches	0:5c4d7b2438d3	3980	#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
switches	0:5c4d7b2438d3	3981	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
switches	0:5c4d7b2438d3	3982	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
switches	0:5c4d7b2438d3	3983	{
switches	0:5c4d7b2438d3	3984	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
switches	0:5c4d7b2438d3	3985	/* Will be handled when trying to parse ServerHello */
switches	0:5c4d7b2438d3	3986	return( 0 );
switches	0:5c4d7b2438d3	3987	}
switches	0:5c4d7b2438d3	3988	#endif
switches	0:5c4d7b2438d3	3989
switches	0:5c4d7b2438d3	3990	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	3991	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
switches	0:5c4d7b2438d3	3992	ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	3993	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
switches	0:5c4d7b2438d3	3994	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
switches	0:5c4d7b2438d3	3995	{
switches	0:5c4d7b2438d3	3996	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
switches	0:5c4d7b2438d3	3997	/* Will be handled in mbedtls_ssl_parse_certificate() */
switches	0:5c4d7b2438d3	3998	return( 0 );
switches	0:5c4d7b2438d3	3999	}
switches	0:5c4d7b2438d3	4000	#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	4001
switches	0:5c4d7b2438d3	4002	/* Silently ignore: fetch new message */
switches	0:5c4d7b2438d3	4003	return MBEDTLS_ERR_SSL_NON_FATAL;
switches	0:5c4d7b2438d3	4004	}
switches	0:5c4d7b2438d3	4005
switches	0:5c4d7b2438d3	4006	return( 0 );
switches	0:5c4d7b2438d3	4007	}
switches	0:5c4d7b2438d3	4008
switches	0:5c4d7b2438d3	4009	int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4010	{
switches	0:5c4d7b2438d3	4011	int ret;
switches	0:5c4d7b2438d3	4012
switches	0:5c4d7b2438d3	4013	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
switches	0:5c4d7b2438d3	4014	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
switches	0:5c4d7b2438d3	4015	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
switches	0:5c4d7b2438d3	4016	{
switches	0:5c4d7b2438d3	4017	return( ret );
switches	0:5c4d7b2438d3	4018	}
switches	0:5c4d7b2438d3	4019
switches	0:5c4d7b2438d3	4020	return( 0 );
switches	0:5c4d7b2438d3	4021	}
switches	0:5c4d7b2438d3	4022
switches	0:5c4d7b2438d3	4023	int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	4024	unsigned char level,
switches	0:5c4d7b2438d3	4025	unsigned char message )
switches	0:5c4d7b2438d3	4026	{
switches	0:5c4d7b2438d3	4027	int ret;
switches	0:5c4d7b2438d3	4028
switches	0:5c4d7b2438d3	4029	if( ssl == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	4030	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	4031
switches	0:5c4d7b2438d3	4032	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
switches	0:5c4d7b2438d3	4033
switches	0:5c4d7b2438d3	4034	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
switches	0:5c4d7b2438d3	4035	ssl->out_msglen = 2;
switches	0:5c4d7b2438d3	4036	ssl->out_msg[0] = level;
switches	0:5c4d7b2438d3	4037	ssl->out_msg[1] = message;
switches	0:5c4d7b2438d3	4038
switches	0:5c4d7b2438d3	4039	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	4040	{
switches	0:5c4d7b2438d3	4041	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
switches	0:5c4d7b2438d3	4042	return( ret );
switches	0:5c4d7b2438d3	4043	}
switches	0:5c4d7b2438d3	4044
switches	0:5c4d7b2438d3	4045	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
switches	0:5c4d7b2438d3	4046
switches	0:5c4d7b2438d3	4047	return( 0 );
switches	0:5c4d7b2438d3	4048	}
switches	0:5c4d7b2438d3	4049
switches	0:5c4d7b2438d3	4050	/*
switches	0:5c4d7b2438d3	4051	* Handshake functions
switches	0:5c4d7b2438d3	4052	*/
switches	0:5c4d7b2438d3	4053	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
switches	0:5c4d7b2438d3	4054	!defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
switches	0:5c4d7b2438d3	4055	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
switches	0:5c4d7b2438d3	4056	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
switches	0:5c4d7b2438d3	4057	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
switches	0:5c4d7b2438d3	4058	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
switches	0:5c4d7b2438d3	4059	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
switches	0:5c4d7b2438d3	4060	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4061	{
switches	0:5c4d7b2438d3	4062	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
switches	0:5c4d7b2438d3	4063
switches	0:5c4d7b2438d3	4064	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
switches	0:5c4d7b2438d3	4065
switches	0:5c4d7b2438d3	4066	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
switches	0:5c4d7b2438d3	4067	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
switches	0:5c4d7b2438d3	4068	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
switches	0:5c4d7b2438d3	4069	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
switches	0:5c4d7b2438d3	4070	{
switches	0:5c4d7b2438d3	4071	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
switches	0:5c4d7b2438d3	4072	ssl->state++;
switches	0:5c4d7b2438d3	4073	return( 0 );
switches	0:5c4d7b2438d3	4074	}
switches	0:5c4d7b2438d3	4075
switches	0:5c4d7b2438d3	4076	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	4077	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	4078	}
switches	0:5c4d7b2438d3	4079
switches	0:5c4d7b2438d3	4080	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4081	{
switches	0:5c4d7b2438d3	4082	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
switches	0:5c4d7b2438d3	4083
switches	0:5c4d7b2438d3	4084	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
switches	0:5c4d7b2438d3	4085
switches	0:5c4d7b2438d3	4086	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
switches	0:5c4d7b2438d3	4087	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
switches	0:5c4d7b2438d3	4088	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
switches	0:5c4d7b2438d3	4089	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
switches	0:5c4d7b2438d3	4090	{
switches	0:5c4d7b2438d3	4091	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
switches	0:5c4d7b2438d3	4092	ssl->state++;
switches	0:5c4d7b2438d3	4093	return( 0 );
switches	0:5c4d7b2438d3	4094	}
switches	0:5c4d7b2438d3	4095
switches	0:5c4d7b2438d3	4096	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	4097	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	4098	}
switches	0:5c4d7b2438d3	4099	#else
switches	0:5c4d7b2438d3	4100	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4101	{
switches	0:5c4d7b2438d3	4102	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
switches	0:5c4d7b2438d3	4103	size_t i, n;
switches	0:5c4d7b2438d3	4104	const mbedtls_x509_crt *crt;
switches	0:5c4d7b2438d3	4105	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
switches	0:5c4d7b2438d3	4106
switches	0:5c4d7b2438d3	4107	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
switches	0:5c4d7b2438d3	4108
switches	0:5c4d7b2438d3	4109	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
switches	0:5c4d7b2438d3	4110	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
switches	0:5c4d7b2438d3	4111	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
switches	0:5c4d7b2438d3	4112	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
switches	0:5c4d7b2438d3	4113	{
switches	0:5c4d7b2438d3	4114	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
switches	0:5c4d7b2438d3	4115	ssl->state++;
switches	0:5c4d7b2438d3	4116	return( 0 );
switches	0:5c4d7b2438d3	4117	}
switches	0:5c4d7b2438d3	4118
switches	0:5c4d7b2438d3	4119	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	4120	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	4121	{
switches	0:5c4d7b2438d3	4122	if( ssl->client_auth == 0 )
switches	0:5c4d7b2438d3	4123	{
switches	0:5c4d7b2438d3	4124	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
switches	0:5c4d7b2438d3	4125	ssl->state++;
switches	0:5c4d7b2438d3	4126	return( 0 );
switches	0:5c4d7b2438d3	4127	}
switches	0:5c4d7b2438d3	4128
switches	0:5c4d7b2438d3	4129	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	4130	/*
switches	0:5c4d7b2438d3	4131	* If using SSLv3 and got no cert, send an Alert message
switches	0:5c4d7b2438d3	4132	* (otherwise an empty Certificate message will be sent).
switches	0:5c4d7b2438d3	4133	*/
switches	0:5c4d7b2438d3	4134	if( mbedtls_ssl_own_cert( ssl ) == NULL &&
switches	0:5c4d7b2438d3	4135	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	4136	{
switches	0:5c4d7b2438d3	4137	ssl->out_msglen = 2;
switches	0:5c4d7b2438d3	4138	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
switches	0:5c4d7b2438d3	4139	ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
switches	0:5c4d7b2438d3	4140	ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
switches	0:5c4d7b2438d3	4141
switches	0:5c4d7b2438d3	4142	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
switches	0:5c4d7b2438d3	4143	goto write_msg;
switches	0:5c4d7b2438d3	4144	}
switches	0:5c4d7b2438d3	4145	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	4146	}
switches	0:5c4d7b2438d3	4147	#endif /* MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	4148	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	4149	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	4150	{
switches	0:5c4d7b2438d3	4151	if( mbedtls_ssl_own_cert( ssl ) == NULL )
switches	0:5c4d7b2438d3	4152	{
switches	0:5c4d7b2438d3	4153	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
switches	0:5c4d7b2438d3	4154	return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
switches	0:5c4d7b2438d3	4155	}
switches	0:5c4d7b2438d3	4156	}
switches	0:5c4d7b2438d3	4157	#endif
switches	0:5c4d7b2438d3	4158
switches	0:5c4d7b2438d3	4159	MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
switches	0:5c4d7b2438d3	4160
switches	0:5c4d7b2438d3	4161	/*
switches	0:5c4d7b2438d3	4162	* 0 . 0 handshake type
switches	0:5c4d7b2438d3	4163	* 1 . 3 handshake length
switches	0:5c4d7b2438d3	4164	* 4 . 6 length of all certs
switches	0:5c4d7b2438d3	4165	* 7 . 9 length of cert. 1
switches	0:5c4d7b2438d3	4166	* 10 . n-1 peer certificate
switches	0:5c4d7b2438d3	4167	* n . n+2 length of cert. 2
switches	0:5c4d7b2438d3	4168	* n+3 . ... upper level cert, etc.
switches	0:5c4d7b2438d3	4169	*/
switches	0:5c4d7b2438d3	4170	i = 7;
switches	0:5c4d7b2438d3	4171	crt = mbedtls_ssl_own_cert( ssl );
switches	0:5c4d7b2438d3	4172
switches	0:5c4d7b2438d3	4173	while( crt != NULL )
switches	0:5c4d7b2438d3	4174	{
switches	0:5c4d7b2438d3	4175	n = crt->raw.len;
switches	0:5c4d7b2438d3	4176	if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
switches	0:5c4d7b2438d3	4177	{
switches	0:5c4d7b2438d3	4178	MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
switches	0:5c4d7b2438d3	4179	i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
switches	0:5c4d7b2438d3	4180	return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
switches	0:5c4d7b2438d3	4181	}
switches	0:5c4d7b2438d3	4182
switches	0:5c4d7b2438d3	4183	ssl->out_msg[i ] = (unsigned char)( n >> 16 );
switches	0:5c4d7b2438d3	4184	ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
switches	0:5c4d7b2438d3	4185	ssl->out_msg[i + 2] = (unsigned char)( n );
switches	0:5c4d7b2438d3	4186
switches	0:5c4d7b2438d3	4187	i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
switches	0:5c4d7b2438d3	4188	i += n; crt = crt->next;
switches	0:5c4d7b2438d3	4189	}
switches	0:5c4d7b2438d3	4190
switches	0:5c4d7b2438d3	4191	ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
switches	0:5c4d7b2438d3	4192	ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
switches	0:5c4d7b2438d3	4193	ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
switches	0:5c4d7b2438d3	4194
switches	0:5c4d7b2438d3	4195	ssl->out_msglen = i;
switches	0:5c4d7b2438d3	4196	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
switches	0:5c4d7b2438d3	4197	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
switches	0:5c4d7b2438d3	4198
switches	0:5c4d7b2438d3	4199	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	4200	write_msg:
switches	0:5c4d7b2438d3	4201	#endif
switches	0:5c4d7b2438d3	4202
switches	0:5c4d7b2438d3	4203	ssl->state++;
switches	0:5c4d7b2438d3	4204
switches	0:5c4d7b2438d3	4205	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	4206	{
switches	0:5c4d7b2438d3	4207	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
switches	0:5c4d7b2438d3	4208	return( ret );
switches	0:5c4d7b2438d3	4209	}
switches	0:5c4d7b2438d3	4210
switches	0:5c4d7b2438d3	4211	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
switches	0:5c4d7b2438d3	4212
switches	0:5c4d7b2438d3	4213	return( ret );
switches	0:5c4d7b2438d3	4214	}
switches	0:5c4d7b2438d3	4215
switches	0:5c4d7b2438d3	4216	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4217	{
switches	0:5c4d7b2438d3	4218	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
switches	0:5c4d7b2438d3	4219	size_t i, n;
switches	0:5c4d7b2438d3	4220	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
switches	0:5c4d7b2438d3	4221	int authmode = ssl->conf->authmode;
switches	0:5c4d7b2438d3	4222
switches	0:5c4d7b2438d3	4223	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
switches	0:5c4d7b2438d3	4224
switches	0:5c4d7b2438d3	4225	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
switches	0:5c4d7b2438d3	4226	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
switches	0:5c4d7b2438d3	4227	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
switches	0:5c4d7b2438d3	4228	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
switches	0:5c4d7b2438d3	4229	{
switches	0:5c4d7b2438d3	4230	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
switches	0:5c4d7b2438d3	4231	ssl->state++;
switches	0:5c4d7b2438d3	4232	return( 0 );
switches	0:5c4d7b2438d3	4233	}
switches	0:5c4d7b2438d3	4234
switches	0:5c4d7b2438d3	4235	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	4236	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	4237	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
switches	0:5c4d7b2438d3	4238	{
switches	0:5c4d7b2438d3	4239	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
switches	0:5c4d7b2438d3	4240	ssl->state++;
switches	0:5c4d7b2438d3	4241	return( 0 );
switches	0:5c4d7b2438d3	4242	}
switches	0:5c4d7b2438d3	4243
switches	0:5c4d7b2438d3	4244	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
switches	0:5c4d7b2438d3	4245	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
switches	0:5c4d7b2438d3	4246	authmode = ssl->handshake->sni_authmode;
switches	0:5c4d7b2438d3	4247	#endif
switches	0:5c4d7b2438d3	4248
switches	0:5c4d7b2438d3	4249	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	4250	authmode == MBEDTLS_SSL_VERIFY_NONE )
switches	0:5c4d7b2438d3	4251	{
switches	0:5c4d7b2438d3	4252	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
switches	0:5c4d7b2438d3	4253	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
switches	0:5c4d7b2438d3	4254	ssl->state++;
switches	0:5c4d7b2438d3	4255	return( 0 );
switches	0:5c4d7b2438d3	4256	}
switches	0:5c4d7b2438d3	4257	#endif
switches	0:5c4d7b2438d3	4258
switches	0:5c4d7b2438d3	4259	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	4260	{
switches	0:5c4d7b2438d3	4261	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
switches	0:5c4d7b2438d3	4262	return( ret );
switches	0:5c4d7b2438d3	4263	}
switches	0:5c4d7b2438d3	4264
switches	0:5c4d7b2438d3	4265	ssl->state++;
switches	0:5c4d7b2438d3	4266
switches	0:5c4d7b2438d3	4267	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	4268	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	4269	/*
switches	0:5c4d7b2438d3	4270	* Check if the client sent an empty certificate
switches	0:5c4d7b2438d3	4271	*/
switches	0:5c4d7b2438d3	4272	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	4273	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	4274	{
switches	0:5c4d7b2438d3	4275	if( ssl->in_msglen == 2 &&
switches	0:5c4d7b2438d3	4276	ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
switches	0:5c4d7b2438d3	4277	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
switches	0:5c4d7b2438d3	4278	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
switches	0:5c4d7b2438d3	4279	{
switches	0:5c4d7b2438d3	4280	MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
switches	0:5c4d7b2438d3	4281
switches	0:5c4d7b2438d3	4282	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
switches	0:5c4d7b2438d3	4283	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
switches	0:5c4d7b2438d3	4284	return( 0 );
switches	0:5c4d7b2438d3	4285	else
switches	0:5c4d7b2438d3	4286	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
switches	0:5c4d7b2438d3	4287	}
switches	0:5c4d7b2438d3	4288	}
switches	0:5c4d7b2438d3	4289	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	4290
switches	0:5c4d7b2438d3	4291	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
switches	0:5c4d7b2438d3	4292	defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	4293	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	4294	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	4295	{
switches	0:5c4d7b2438d3	4296	if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
switches	0:5c4d7b2438d3	4297	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
switches	0:5c4d7b2438d3	4298	ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
switches	0:5c4d7b2438d3	4299	memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
switches	0:5c4d7b2438d3	4300	{
switches	0:5c4d7b2438d3	4301	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
switches	0:5c4d7b2438d3	4302
switches	0:5c4d7b2438d3	4303	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
switches	0:5c4d7b2438d3	4304	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
switches	0:5c4d7b2438d3	4305	return( 0 );
switches	0:5c4d7b2438d3	4306	else
switches	0:5c4d7b2438d3	4307	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
switches	0:5c4d7b2438d3	4308	}
switches	0:5c4d7b2438d3	4309	}
switches	0:5c4d7b2438d3	4310	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
switches	0:5c4d7b2438d3	4311	MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	4312	#endif /* MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	4313
switches	0:5c4d7b2438d3	4314	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
switches	0:5c4d7b2438d3	4315	{
switches	0:5c4d7b2438d3	4316	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
switches	0:5c4d7b2438d3	4317	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
switches	0:5c4d7b2438d3	4318	}
switches	0:5c4d7b2438d3	4319
switches	0:5c4d7b2438d3	4320	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE \|\|
switches	0:5c4d7b2438d3	4321	ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
switches	0:5c4d7b2438d3	4322	{
switches	0:5c4d7b2438d3	4323	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
switches	0:5c4d7b2438d3	4324	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
switches	0:5c4d7b2438d3	4325	}
switches	0:5c4d7b2438d3	4326
switches	0:5c4d7b2438d3	4327	i = mbedtls_ssl_hs_hdr_len( ssl );
switches	0:5c4d7b2438d3	4328
switches	0:5c4d7b2438d3	4329	/*
switches	0:5c4d7b2438d3	4330	* Same message structure as in mbedtls_ssl_write_certificate()
switches	0:5c4d7b2438d3	4331	*/
switches	0:5c4d7b2438d3	4332	n = ( ssl->in_msg[i+1] << 8 ) \| ssl->in_msg[i+2];
switches	0:5c4d7b2438d3	4333
switches	0:5c4d7b2438d3	4334	if( ssl->in_msg[i] != 0 \|\|
switches	0:5c4d7b2438d3	4335	ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
switches	0:5c4d7b2438d3	4336	{
switches	0:5c4d7b2438d3	4337	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
switches	0:5c4d7b2438d3	4338	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
switches	0:5c4d7b2438d3	4339	}
switches	0:5c4d7b2438d3	4340
switches	0:5c4d7b2438d3	4341	/* In case we tried to reuse a session but it failed */
switches	0:5c4d7b2438d3	4342	if( ssl->session_negotiate->peer_cert != NULL )
switches	0:5c4d7b2438d3	4343	{
switches	0:5c4d7b2438d3	4344	mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
switches	0:5c4d7b2438d3	4345	mbedtls_free( ssl->session_negotiate->peer_cert );
switches	0:5c4d7b2438d3	4346	}
switches	0:5c4d7b2438d3	4347
switches	0:5c4d7b2438d3	4348	if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
switches	0:5c4d7b2438d3	4349	sizeof( mbedtls_x509_crt ) ) ) == NULL )
switches	0:5c4d7b2438d3	4350	{
switches	0:5c4d7b2438d3	4351	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
switches	0:5c4d7b2438d3	4352	sizeof( mbedtls_x509_crt ) ) );
switches	0:5c4d7b2438d3	4353	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	4354	}
switches	0:5c4d7b2438d3	4355
switches	0:5c4d7b2438d3	4356	mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
switches	0:5c4d7b2438d3	4357
switches	0:5c4d7b2438d3	4358	i += 3;
switches	0:5c4d7b2438d3	4359
switches	0:5c4d7b2438d3	4360	while( i < ssl->in_hslen )
switches	0:5c4d7b2438d3	4361	{
switches	0:5c4d7b2438d3	4362	if( ssl->in_msg[i] != 0 )
switches	0:5c4d7b2438d3	4363	{
switches	0:5c4d7b2438d3	4364	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
switches	0:5c4d7b2438d3	4365	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
switches	0:5c4d7b2438d3	4366	}
switches	0:5c4d7b2438d3	4367
switches	0:5c4d7b2438d3	4368	n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
switches	0:5c4d7b2438d3	4369	\| (unsigned int) ssl->in_msg[i + 2];
switches	0:5c4d7b2438d3	4370	i += 3;
switches	0:5c4d7b2438d3	4371
switches	0:5c4d7b2438d3	4372	if( n < 128 \|\| i + n > ssl->in_hslen )
switches	0:5c4d7b2438d3	4373	{
switches	0:5c4d7b2438d3	4374	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
switches	0:5c4d7b2438d3	4375	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
switches	0:5c4d7b2438d3	4376	}
switches	0:5c4d7b2438d3	4377
switches	0:5c4d7b2438d3	4378	ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
switches	0:5c4d7b2438d3	4379	ssl->in_msg + i, n );
switches	0:5c4d7b2438d3	4380	if( 0 != ret && ( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND ) != ret )
switches	0:5c4d7b2438d3	4381	{
switches	0:5c4d7b2438d3	4382	MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
switches	0:5c4d7b2438d3	4383	return( ret );
switches	0:5c4d7b2438d3	4384	}
switches	0:5c4d7b2438d3	4385
switches	0:5c4d7b2438d3	4386	i += n;
switches	0:5c4d7b2438d3	4387	}
switches	0:5c4d7b2438d3	4388
switches	0:5c4d7b2438d3	4389	MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
switches	0:5c4d7b2438d3	4390
switches	0:5c4d7b2438d3	4391	/*
switches	0:5c4d7b2438d3	4392	* On client, make sure the server cert doesn't change during renego to
switches	0:5c4d7b2438d3	4393	* avoid "triple handshake" attack: https://secure-resumption.com/
switches	0:5c4d7b2438d3	4394	*/
switches	0:5c4d7b2438d3	4395	#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	4396	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
switches	0:5c4d7b2438d3	4397	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
switches	0:5c4d7b2438d3	4398	{
switches	0:5c4d7b2438d3	4399	if( ssl->session->peer_cert == NULL )
switches	0:5c4d7b2438d3	4400	{
switches	0:5c4d7b2438d3	4401	MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
switches	0:5c4d7b2438d3	4402	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
switches	0:5c4d7b2438d3	4403	}
switches	0:5c4d7b2438d3	4404
switches	0:5c4d7b2438d3	4405	if( ssl->session->peer_cert->raw.len !=
switches	0:5c4d7b2438d3	4406	ssl->session_negotiate->peer_cert->raw.len \|\|
switches	0:5c4d7b2438d3	4407	memcmp( ssl->session->peer_cert->raw.p,
switches	0:5c4d7b2438d3	4408	ssl->session_negotiate->peer_cert->raw.p,
switches	0:5c4d7b2438d3	4409	ssl->session->peer_cert->raw.len ) != 0 )
switches	0:5c4d7b2438d3	4410	{
switches	0:5c4d7b2438d3	4411	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
switches	0:5c4d7b2438d3	4412	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
switches	0:5c4d7b2438d3	4413	}
switches	0:5c4d7b2438d3	4414	}
switches	0:5c4d7b2438d3	4415	#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	4416
switches	0:5c4d7b2438d3	4417	if( authmode != MBEDTLS_SSL_VERIFY_NONE )
switches	0:5c4d7b2438d3	4418	{
switches	0:5c4d7b2438d3	4419	mbedtls_x509_crt *ca_chain;
switches	0:5c4d7b2438d3	4420	mbedtls_x509_crl *ca_crl;
switches	0:5c4d7b2438d3	4421
switches	0:5c4d7b2438d3	4422	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
switches	0:5c4d7b2438d3	4423	if( ssl->handshake->sni_ca_chain != NULL )
switches	0:5c4d7b2438d3	4424	{
switches	0:5c4d7b2438d3	4425	ca_chain = ssl->handshake->sni_ca_chain;
switches	0:5c4d7b2438d3	4426	ca_crl = ssl->handshake->sni_ca_crl;
switches	0:5c4d7b2438d3	4427	}
switches	0:5c4d7b2438d3	4428	else
switches	0:5c4d7b2438d3	4429	#endif
switches	0:5c4d7b2438d3	4430	{
switches	0:5c4d7b2438d3	4431	ca_chain = ssl->conf->ca_chain;
switches	0:5c4d7b2438d3	4432	ca_crl = ssl->conf->ca_crl;
switches	0:5c4d7b2438d3	4433	}
switches	0:5c4d7b2438d3	4434
switches	0:5c4d7b2438d3	4435	if( ca_chain == NULL )
switches	0:5c4d7b2438d3	4436	{
switches	0:5c4d7b2438d3	4437	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
switches	0:5c4d7b2438d3	4438	return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED );
switches	0:5c4d7b2438d3	4439	}
switches	0:5c4d7b2438d3	4440
switches	0:5c4d7b2438d3	4441	/*
switches	0:5c4d7b2438d3	4442	* Main check: verify certificate
switches	0:5c4d7b2438d3	4443	*/
switches	0:5c4d7b2438d3	4444	ret = mbedtls_x509_crt_verify_with_profile(
switches	0:5c4d7b2438d3	4445	ssl->session_negotiate->peer_cert,
switches	0:5c4d7b2438d3	4446	ca_chain, ca_crl,
switches	0:5c4d7b2438d3	4447	ssl->conf->cert_profile,
switches	0:5c4d7b2438d3	4448	ssl->hostname,
switches	0:5c4d7b2438d3	4449	&ssl->session_negotiate->verify_result,
switches	0:5c4d7b2438d3	4450	ssl->conf->f_vrfy, ssl->conf->p_vrfy );
switches	0:5c4d7b2438d3	4451
switches	0:5c4d7b2438d3	4452	if( ret != 0 )
switches	0:5c4d7b2438d3	4453	{
switches	0:5c4d7b2438d3	4454	MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
switches	0:5c4d7b2438d3	4455	}
switches	0:5c4d7b2438d3	4456
switches	0:5c4d7b2438d3	4457	/*
switches	0:5c4d7b2438d3	4458	* Secondary checks: always done, but change 'ret' only if it was 0
switches	0:5c4d7b2438d3	4459	*/
switches	0:5c4d7b2438d3	4460
switches	0:5c4d7b2438d3	4461	#if defined(MBEDTLS_ECP_C)
switches	0:5c4d7b2438d3	4462	{
switches	0:5c4d7b2438d3	4463	const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
switches	0:5c4d7b2438d3	4464
switches	0:5c4d7b2438d3	4465	/* If certificate uses an EC key, make sure the curve is OK */
switches	0:5c4d7b2438d3	4466	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
switches	0:5c4d7b2438d3	4467	mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
switches	0:5c4d7b2438d3	4468	{
switches	0:5c4d7b2438d3	4469	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
switches	0:5c4d7b2438d3	4470	if( ret == 0 )
switches	0:5c4d7b2438d3	4471	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
switches	0:5c4d7b2438d3	4472	}
switches	0:5c4d7b2438d3	4473	}
switches	0:5c4d7b2438d3	4474	#endif /* MBEDTLS_ECP_C */
switches	0:5c4d7b2438d3	4475
switches	0:5c4d7b2438d3	4476	if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
switches	0:5c4d7b2438d3	4477	ciphersuite_info,
switches	0:5c4d7b2438d3	4478	! ssl->conf->endpoint,
switches	0:5c4d7b2438d3	4479	&ssl->session_negotiate->verify_result ) != 0 )
switches	0:5c4d7b2438d3	4480	{
switches	0:5c4d7b2438d3	4481	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
switches	0:5c4d7b2438d3	4482	if( ret == 0 )
switches	0:5c4d7b2438d3	4483	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
switches	0:5c4d7b2438d3	4484	}
switches	0:5c4d7b2438d3	4485
switches	0:5c4d7b2438d3	4486	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
switches	0:5c4d7b2438d3	4487	ret = 0;
switches	0:5c4d7b2438d3	4488	}
switches	0:5c4d7b2438d3	4489
switches	0:5c4d7b2438d3	4490	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
switches	0:5c4d7b2438d3	4491
switches	0:5c4d7b2438d3	4492	return( ret );
switches	0:5c4d7b2438d3	4493	}
switches	0:5c4d7b2438d3	4494	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
switches	0:5c4d7b2438d3	4495	!MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
switches	0:5c4d7b2438d3	4496	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
switches	0:5c4d7b2438d3	4497	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
switches	0:5c4d7b2438d3	4498	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
switches	0:5c4d7b2438d3	4499	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
switches	0:5c4d7b2438d3	4500	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
switches	0:5c4d7b2438d3	4501
switches	0:5c4d7b2438d3	4502	int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4503	{
switches	0:5c4d7b2438d3	4504	int ret;
switches	0:5c4d7b2438d3	4505
switches	0:5c4d7b2438d3	4506	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
switches	0:5c4d7b2438d3	4507
switches	0:5c4d7b2438d3	4508	ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
switches	0:5c4d7b2438d3	4509	ssl->out_msglen = 1;
switches	0:5c4d7b2438d3	4510	ssl->out_msg[0] = 1;
switches	0:5c4d7b2438d3	4511
switches	0:5c4d7b2438d3	4512	ssl->state++;
switches	0:5c4d7b2438d3	4513
switches	0:5c4d7b2438d3	4514	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	4515	{
switches	0:5c4d7b2438d3	4516	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
switches	0:5c4d7b2438d3	4517	return( ret );
switches	0:5c4d7b2438d3	4518	}
switches	0:5c4d7b2438d3	4519
switches	0:5c4d7b2438d3	4520	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
switches	0:5c4d7b2438d3	4521
switches	0:5c4d7b2438d3	4522	return( 0 );
switches	0:5c4d7b2438d3	4523	}
switches	0:5c4d7b2438d3	4524
switches	0:5c4d7b2438d3	4525	int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4526	{
switches	0:5c4d7b2438d3	4527	int ret;
switches	0:5c4d7b2438d3	4528
switches	0:5c4d7b2438d3	4529	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
switches	0:5c4d7b2438d3	4530
switches	0:5c4d7b2438d3	4531	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	4532	{
switches	0:5c4d7b2438d3	4533	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
switches	0:5c4d7b2438d3	4534	return( ret );
switches	0:5c4d7b2438d3	4535	}
switches	0:5c4d7b2438d3	4536
switches	0:5c4d7b2438d3	4537	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
switches	0:5c4d7b2438d3	4538	{
switches	0:5c4d7b2438d3	4539	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
switches	0:5c4d7b2438d3	4540	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
switches	0:5c4d7b2438d3	4541	}
switches	0:5c4d7b2438d3	4542
switches	0:5c4d7b2438d3	4543	if( ssl->in_msglen != 1 \|\| ssl->in_msg[0] != 1 )
switches	0:5c4d7b2438d3	4544	{
switches	0:5c4d7b2438d3	4545	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
switches	0:5c4d7b2438d3	4546	return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
switches	0:5c4d7b2438d3	4547	}
switches	0:5c4d7b2438d3	4548
switches	0:5c4d7b2438d3	4549	/*
switches	0:5c4d7b2438d3	4550	* Switch to our negotiated transform and session parameters for inbound
switches	0:5c4d7b2438d3	4551	* data.
switches	0:5c4d7b2438d3	4552	*/
switches	0:5c4d7b2438d3	4553	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
switches	0:5c4d7b2438d3	4554	ssl->transform_in = ssl->transform_negotiate;
switches	0:5c4d7b2438d3	4555	ssl->session_in = ssl->session_negotiate;
switches	0:5c4d7b2438d3	4556
switches	0:5c4d7b2438d3	4557	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	4558	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	4559	{
switches	0:5c4d7b2438d3	4560	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	4561	ssl_dtls_replay_reset( ssl );
switches	0:5c4d7b2438d3	4562	#endif
switches	0:5c4d7b2438d3	4563
switches	0:5c4d7b2438d3	4564	/* Increment epoch */
switches	0:5c4d7b2438d3	4565	if( ++ssl->in_epoch == 0 )
switches	0:5c4d7b2438d3	4566	{
switches	0:5c4d7b2438d3	4567	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
switches	0:5c4d7b2438d3	4568	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
switches	0:5c4d7b2438d3	4569	}
switches	0:5c4d7b2438d3	4570	}
switches	0:5c4d7b2438d3	4571	else
switches	0:5c4d7b2438d3	4572	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	4573	memset( ssl->in_ctr, 0, 8 );
switches	0:5c4d7b2438d3	4574
switches	0:5c4d7b2438d3	4575	/*
switches	0:5c4d7b2438d3	4576	* Set the in_msg pointer to the correct location based on IV length
switches	0:5c4d7b2438d3	4577	*/
switches	0:5c4d7b2438d3	4578	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	4579	{
switches	0:5c4d7b2438d3	4580	ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
switches	0:5c4d7b2438d3	4581	ssl->transform_negotiate->fixed_ivlen;
switches	0:5c4d7b2438d3	4582	}
switches	0:5c4d7b2438d3	4583	else
switches	0:5c4d7b2438d3	4584	ssl->in_msg = ssl->in_iv;
switches	0:5c4d7b2438d3	4585
switches	0:5c4d7b2438d3	4586	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	4587	if( mbedtls_ssl_hw_record_activate != NULL )
switches	0:5c4d7b2438d3	4588	{
switches	0:5c4d7b2438d3	4589	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
switches	0:5c4d7b2438d3	4590	{
switches	0:5c4d7b2438d3	4591	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
switches	0:5c4d7b2438d3	4592	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
switches	0:5c4d7b2438d3	4593	}
switches	0:5c4d7b2438d3	4594	}
switches	0:5c4d7b2438d3	4595	#endif
switches	0:5c4d7b2438d3	4596
switches	0:5c4d7b2438d3	4597	ssl->state++;
switches	0:5c4d7b2438d3	4598
switches	0:5c4d7b2438d3	4599	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
switches	0:5c4d7b2438d3	4600
switches	0:5c4d7b2438d3	4601	return( 0 );
switches	0:5c4d7b2438d3	4602	}
switches	0:5c4d7b2438d3	4603
switches	0:5c4d7b2438d3	4604	void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	4605	const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
switches	0:5c4d7b2438d3	4606	{
switches	0:5c4d7b2438d3	4607	((void) ciphersuite_info);
switches	0:5c4d7b2438d3	4608
switches	0:5c4d7b2438d3	4609	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
switches	0:5c4d7b2438d3	4610	defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	4611	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
switches	0:5c4d7b2438d3	4612	ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
switches	0:5c4d7b2438d3	4613	else
switches	0:5c4d7b2438d3	4614	#endif
switches	0:5c4d7b2438d3	4615	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	4616	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	4617	if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
switches	0:5c4d7b2438d3	4618	ssl->handshake->update_checksum = ssl_update_checksum_sha384;
switches	0:5c4d7b2438d3	4619	else
switches	0:5c4d7b2438d3	4620	#endif
switches	0:5c4d7b2438d3	4621	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	4622	if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
switches	0:5c4d7b2438d3	4623	ssl->handshake->update_checksum = ssl_update_checksum_sha256;
switches	0:5c4d7b2438d3	4624	else
switches	0:5c4d7b2438d3	4625	#endif
switches	0:5c4d7b2438d3	4626	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	4627	{
switches	0:5c4d7b2438d3	4628	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	4629	return;
switches	0:5c4d7b2438d3	4630	}
switches	0:5c4d7b2438d3	4631	}
switches	0:5c4d7b2438d3	4632
switches	0:5c4d7b2438d3	4633	void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4634	{
switches	0:5c4d7b2438d3	4635	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
switches	0:5c4d7b2438d3	4636	defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	4637	mbedtls_md5_starts( &ssl->handshake->fin_md5 );
switches	0:5c4d7b2438d3	4638	mbedtls_sha1_starts( &ssl->handshake->fin_sha1 );
switches	0:5c4d7b2438d3	4639	#endif
switches	0:5c4d7b2438d3	4640	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	4641	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	4642	mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
switches	0:5c4d7b2438d3	4643	#endif
switches	0:5c4d7b2438d3	4644	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	4645	mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
switches	0:5c4d7b2438d3	4646	#endif
switches	0:5c4d7b2438d3	4647	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	4648	}
switches	0:5c4d7b2438d3	4649
switches	0:5c4d7b2438d3	4650	static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	4651	const unsigned char *buf, size_t len )
switches	0:5c4d7b2438d3	4652	{
switches	0:5c4d7b2438d3	4653	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
switches	0:5c4d7b2438d3	4654	defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	4655	mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
switches	0:5c4d7b2438d3	4656	mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
switches	0:5c4d7b2438d3	4657	#endif
switches	0:5c4d7b2438d3	4658	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	4659	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	4660	mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
switches	0:5c4d7b2438d3	4661	#endif
switches	0:5c4d7b2438d3	4662	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	4663	mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
switches	0:5c4d7b2438d3	4664	#endif
switches	0:5c4d7b2438d3	4665	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	4666	}
switches	0:5c4d7b2438d3	4667
switches	0:5c4d7b2438d3	4668	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
switches	0:5c4d7b2438d3	4669	defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	4670	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	4671	const unsigned char *buf, size_t len )
switches	0:5c4d7b2438d3	4672	{
switches	0:5c4d7b2438d3	4673	mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
switches	0:5c4d7b2438d3	4674	mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
switches	0:5c4d7b2438d3	4675	}
switches	0:5c4d7b2438d3	4676	#endif
switches	0:5c4d7b2438d3	4677
switches	0:5c4d7b2438d3	4678	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	4679	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	4680	static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	4681	const unsigned char *buf, size_t len )
switches	0:5c4d7b2438d3	4682	{
switches	0:5c4d7b2438d3	4683	mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
switches	0:5c4d7b2438d3	4684	}
switches	0:5c4d7b2438d3	4685	#endif
switches	0:5c4d7b2438d3	4686
switches	0:5c4d7b2438d3	4687	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	4688	static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	4689	const unsigned char *buf, size_t len )
switches	0:5c4d7b2438d3	4690	{
switches	0:5c4d7b2438d3	4691	mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
switches	0:5c4d7b2438d3	4692	}
switches	0:5c4d7b2438d3	4693	#endif
switches	0:5c4d7b2438d3	4694	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	4695
switches	0:5c4d7b2438d3	4696	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	4697	static void ssl_calc_finished_ssl(
switches	0:5c4d7b2438d3	4698	mbedtls_ssl_context ssl, unsigned char buf, int from )
switches	0:5c4d7b2438d3	4699	{
switches	0:5c4d7b2438d3	4700	const char *sender;
switches	0:5c4d7b2438d3	4701	mbedtls_md5_context md5;
switches	0:5c4d7b2438d3	4702	mbedtls_sha1_context sha1;
switches	0:5c4d7b2438d3	4703
switches	0:5c4d7b2438d3	4704	unsigned char padbuf[48];
switches	0:5c4d7b2438d3	4705	unsigned char md5sum[16];
switches	0:5c4d7b2438d3	4706	unsigned char sha1sum[20];
switches	0:5c4d7b2438d3	4707
switches	0:5c4d7b2438d3	4708	mbedtls_ssl_session *session = ssl->session_negotiate;
switches	0:5c4d7b2438d3	4709	if( !session )
switches	0:5c4d7b2438d3	4710	session = ssl->session;
switches	0:5c4d7b2438d3	4711
switches	0:5c4d7b2438d3	4712	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
switches	0:5c4d7b2438d3	4713
switches	0:5c4d7b2438d3	4714	mbedtls_md5_init( &md5 );
switches	0:5c4d7b2438d3	4715	mbedtls_sha1_init( &sha1 );
switches	0:5c4d7b2438d3	4716
switches	0:5c4d7b2438d3	4717	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
switches	0:5c4d7b2438d3	4718	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
switches	0:5c4d7b2438d3	4719
switches	0:5c4d7b2438d3	4720	/*
switches	0:5c4d7b2438d3	4721	* SSLv3:
switches	0:5c4d7b2438d3	4722	* hash =
switches	0:5c4d7b2438d3	4723	* MD5( master + pad2 +
switches	0:5c4d7b2438d3	4724	* MD5( handshake + sender + master + pad1 ) )
switches	0:5c4d7b2438d3	4725	* + SHA1( master + pad2 +
switches	0:5c4d7b2438d3	4726	* SHA1( handshake + sender + master + pad1 ) )
switches	0:5c4d7b2438d3	4727	*/
switches	0:5c4d7b2438d3	4728
switches	0:5c4d7b2438d3	4729	#if !defined(MBEDTLS_MD5_ALT)
switches	0:5c4d7b2438d3	4730	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
switches	0:5c4d7b2438d3	4731	md5.state, sizeof( md5.state ) );
switches	0:5c4d7b2438d3	4732	#endif
switches	0:5c4d7b2438d3	4733
switches	0:5c4d7b2438d3	4734	#if !defined(MBEDTLS_SHA1_ALT)
switches	0:5c4d7b2438d3	4735	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
switches	0:5c4d7b2438d3	4736	sha1.state, sizeof( sha1.state ) );
switches	0:5c4d7b2438d3	4737	#endif
switches	0:5c4d7b2438d3	4738
switches	0:5c4d7b2438d3	4739	sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
switches	0:5c4d7b2438d3	4740	: "SRVR";
switches	0:5c4d7b2438d3	4741
switches	0:5c4d7b2438d3	4742	memset( padbuf, 0x36, 48 );
switches	0:5c4d7b2438d3	4743
switches	0:5c4d7b2438d3	4744	mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 );
switches	0:5c4d7b2438d3	4745	mbedtls_md5_update( &md5, session->master, 48 );
switches	0:5c4d7b2438d3	4746	mbedtls_md5_update( &md5, padbuf, 48 );
switches	0:5c4d7b2438d3	4747	mbedtls_md5_finish( &md5, md5sum );
switches	0:5c4d7b2438d3	4748
switches	0:5c4d7b2438d3	4749	mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 );
switches	0:5c4d7b2438d3	4750	mbedtls_sha1_update( &sha1, session->master, 48 );
switches	0:5c4d7b2438d3	4751	mbedtls_sha1_update( &sha1, padbuf, 40 );
switches	0:5c4d7b2438d3	4752	mbedtls_sha1_finish( &sha1, sha1sum );
switches	0:5c4d7b2438d3	4753
switches	0:5c4d7b2438d3	4754	memset( padbuf, 0x5C, 48 );
switches	0:5c4d7b2438d3	4755
switches	0:5c4d7b2438d3	4756	mbedtls_md5_starts( &md5 );
switches	0:5c4d7b2438d3	4757	mbedtls_md5_update( &md5, session->master, 48 );
switches	0:5c4d7b2438d3	4758	mbedtls_md5_update( &md5, padbuf, 48 );
switches	0:5c4d7b2438d3	4759	mbedtls_md5_update( &md5, md5sum, 16 );
switches	0:5c4d7b2438d3	4760	mbedtls_md5_finish( &md5, buf );
switches	0:5c4d7b2438d3	4761
switches	0:5c4d7b2438d3	4762	mbedtls_sha1_starts( &sha1 );
switches	0:5c4d7b2438d3	4763	mbedtls_sha1_update( &sha1, session->master, 48 );
switches	0:5c4d7b2438d3	4764	mbedtls_sha1_update( &sha1, padbuf , 40 );
switches	0:5c4d7b2438d3	4765	mbedtls_sha1_update( &sha1, sha1sum, 20 );
switches	0:5c4d7b2438d3	4766	mbedtls_sha1_finish( &sha1, buf + 16 );
switches	0:5c4d7b2438d3	4767
switches	0:5c4d7b2438d3	4768	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
switches	0:5c4d7b2438d3	4769
switches	0:5c4d7b2438d3	4770	mbedtls_md5_free( &md5 );
switches	0:5c4d7b2438d3	4771	mbedtls_sha1_free( &sha1 );
switches	0:5c4d7b2438d3	4772
switches	0:5c4d7b2438d3	4773	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
switches	0:5c4d7b2438d3	4774	mbedtls_zeroize( md5sum, sizeof( md5sum ) );
switches	0:5c4d7b2438d3	4775	mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
switches	0:5c4d7b2438d3	4776
switches	0:5c4d7b2438d3	4777	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
switches	0:5c4d7b2438d3	4778	}
switches	0:5c4d7b2438d3	4779	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	4780
switches	0:5c4d7b2438d3	4781	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	4782	static void ssl_calc_finished_tls(
switches	0:5c4d7b2438d3	4783	mbedtls_ssl_context ssl, unsigned char buf, int from )
switches	0:5c4d7b2438d3	4784	{
switches	0:5c4d7b2438d3	4785	int len = 12;
switches	0:5c4d7b2438d3	4786	const char *sender;
switches	0:5c4d7b2438d3	4787	mbedtls_md5_context md5;
switches	0:5c4d7b2438d3	4788	mbedtls_sha1_context sha1;
switches	0:5c4d7b2438d3	4789	unsigned char padbuf[36];
switches	0:5c4d7b2438d3	4790
switches	0:5c4d7b2438d3	4791	mbedtls_ssl_session *session = ssl->session_negotiate;
switches	0:5c4d7b2438d3	4792	if( !session )
switches	0:5c4d7b2438d3	4793	session = ssl->session;
switches	0:5c4d7b2438d3	4794
switches	0:5c4d7b2438d3	4795	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
switches	0:5c4d7b2438d3	4796
switches	0:5c4d7b2438d3	4797	mbedtls_md5_init( &md5 );
switches	0:5c4d7b2438d3	4798	mbedtls_sha1_init( &sha1 );
switches	0:5c4d7b2438d3	4799
switches	0:5c4d7b2438d3	4800	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
switches	0:5c4d7b2438d3	4801	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
switches	0:5c4d7b2438d3	4802
switches	0:5c4d7b2438d3	4803	/*
switches	0:5c4d7b2438d3	4804	* TLSv1:
switches	0:5c4d7b2438d3	4805	* hash = PRF( master, finished_label,
switches	0:5c4d7b2438d3	4806	* MD5( handshake ) + SHA1( handshake ) )[0..11]
switches	0:5c4d7b2438d3	4807	*/
switches	0:5c4d7b2438d3	4808
switches	0:5c4d7b2438d3	4809	#if !defined(MBEDTLS_MD5_ALT)
switches	0:5c4d7b2438d3	4810	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
switches	0:5c4d7b2438d3	4811	md5.state, sizeof( md5.state ) );
switches	0:5c4d7b2438d3	4812	#endif
switches	0:5c4d7b2438d3	4813
switches	0:5c4d7b2438d3	4814	#if !defined(MBEDTLS_SHA1_ALT)
switches	0:5c4d7b2438d3	4815	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
switches	0:5c4d7b2438d3	4816	sha1.state, sizeof( sha1.state ) );
switches	0:5c4d7b2438d3	4817	#endif
switches	0:5c4d7b2438d3	4818
switches	0:5c4d7b2438d3	4819	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	4820	? "client finished"
switches	0:5c4d7b2438d3	4821	: "server finished";
switches	0:5c4d7b2438d3	4822
switches	0:5c4d7b2438d3	4823	mbedtls_md5_finish( &md5, padbuf );
switches	0:5c4d7b2438d3	4824	mbedtls_sha1_finish( &sha1, padbuf + 16 );
switches	0:5c4d7b2438d3	4825
switches	0:5c4d7b2438d3	4826	ssl->handshake->tls_prf( session->master, 48, sender,
switches	0:5c4d7b2438d3	4827	padbuf, 36, buf, len );
switches	0:5c4d7b2438d3	4828
switches	0:5c4d7b2438d3	4829	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
switches	0:5c4d7b2438d3	4830
switches	0:5c4d7b2438d3	4831	mbedtls_md5_free( &md5 );
switches	0:5c4d7b2438d3	4832	mbedtls_sha1_free( &sha1 );
switches	0:5c4d7b2438d3	4833
switches	0:5c4d7b2438d3	4834	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
switches	0:5c4d7b2438d3	4835
switches	0:5c4d7b2438d3	4836	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
switches	0:5c4d7b2438d3	4837	}
switches	0:5c4d7b2438d3	4838	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
switches	0:5c4d7b2438d3	4839
switches	0:5c4d7b2438d3	4840	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	4841	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	4842	static void ssl_calc_finished_tls_sha256(
switches	0:5c4d7b2438d3	4843	mbedtls_ssl_context ssl, unsigned char buf, int from )
switches	0:5c4d7b2438d3	4844	{
switches	0:5c4d7b2438d3	4845	int len = 12;
switches	0:5c4d7b2438d3	4846	const char *sender;
switches	0:5c4d7b2438d3	4847	mbedtls_sha256_context sha256;
switches	0:5c4d7b2438d3	4848	unsigned char padbuf[32];
switches	0:5c4d7b2438d3	4849
switches	0:5c4d7b2438d3	4850	mbedtls_ssl_session *session = ssl->session_negotiate;
switches	0:5c4d7b2438d3	4851	if( !session )
switches	0:5c4d7b2438d3	4852	session = ssl->session;
switches	0:5c4d7b2438d3	4853
switches	0:5c4d7b2438d3	4854	mbedtls_sha256_init( &sha256 );
switches	0:5c4d7b2438d3	4855
switches	0:5c4d7b2438d3	4856	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
switches	0:5c4d7b2438d3	4857
switches	0:5c4d7b2438d3	4858	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
switches	0:5c4d7b2438d3	4859
switches	0:5c4d7b2438d3	4860	/*
switches	0:5c4d7b2438d3	4861	* TLSv1.2:
switches	0:5c4d7b2438d3	4862	* hash = PRF( master, finished_label,
switches	0:5c4d7b2438d3	4863	* Hash( handshake ) )[0.11]
switches	0:5c4d7b2438d3	4864	*/
switches	0:5c4d7b2438d3	4865
switches	0:5c4d7b2438d3	4866	#if !defined(MBEDTLS_SHA256_ALT)
switches	0:5c4d7b2438d3	4867	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
switches	0:5c4d7b2438d3	4868	sha256.state, sizeof( sha256.state ) );
switches	0:5c4d7b2438d3	4869	#endif
switches	0:5c4d7b2438d3	4870
switches	0:5c4d7b2438d3	4871	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	4872	? "client finished"
switches	0:5c4d7b2438d3	4873	: "server finished";
switches	0:5c4d7b2438d3	4874
switches	0:5c4d7b2438d3	4875	mbedtls_sha256_finish( &sha256, padbuf );
switches	0:5c4d7b2438d3	4876
switches	0:5c4d7b2438d3	4877	ssl->handshake->tls_prf( session->master, 48, sender,
switches	0:5c4d7b2438d3	4878	padbuf, 32, buf, len );
switches	0:5c4d7b2438d3	4879
switches	0:5c4d7b2438d3	4880	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
switches	0:5c4d7b2438d3	4881
switches	0:5c4d7b2438d3	4882	mbedtls_sha256_free( &sha256 );
switches	0:5c4d7b2438d3	4883
switches	0:5c4d7b2438d3	4884	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
switches	0:5c4d7b2438d3	4885
switches	0:5c4d7b2438d3	4886	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
switches	0:5c4d7b2438d3	4887	}
switches	0:5c4d7b2438d3	4888	#endif /* MBEDTLS_SHA256_C */
switches	0:5c4d7b2438d3	4889
switches	0:5c4d7b2438d3	4890	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	4891	static void ssl_calc_finished_tls_sha384(
switches	0:5c4d7b2438d3	4892	mbedtls_ssl_context ssl, unsigned char buf, int from )
switches	0:5c4d7b2438d3	4893	{
switches	0:5c4d7b2438d3	4894	int len = 12;
switches	0:5c4d7b2438d3	4895	const char *sender;
switches	0:5c4d7b2438d3	4896	mbedtls_sha512_context sha512;
switches	0:5c4d7b2438d3	4897	unsigned char padbuf[48];
switches	0:5c4d7b2438d3	4898
switches	0:5c4d7b2438d3	4899	mbedtls_ssl_session *session = ssl->session_negotiate;
switches	0:5c4d7b2438d3	4900	if( !session )
switches	0:5c4d7b2438d3	4901	session = ssl->session;
switches	0:5c4d7b2438d3	4902
switches	0:5c4d7b2438d3	4903	mbedtls_sha512_init( &sha512 );
switches	0:5c4d7b2438d3	4904
switches	0:5c4d7b2438d3	4905	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
switches	0:5c4d7b2438d3	4906
switches	0:5c4d7b2438d3	4907	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
switches	0:5c4d7b2438d3	4908
switches	0:5c4d7b2438d3	4909	/*
switches	0:5c4d7b2438d3	4910	* TLSv1.2:
switches	0:5c4d7b2438d3	4911	* hash = PRF( master, finished_label,
switches	0:5c4d7b2438d3	4912	* Hash( handshake ) )[0.11]
switches	0:5c4d7b2438d3	4913	*/
switches	0:5c4d7b2438d3	4914
switches	0:5c4d7b2438d3	4915	#if !defined(MBEDTLS_SHA512_ALT)
switches	0:5c4d7b2438d3	4916	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
switches	0:5c4d7b2438d3	4917	sha512.state, sizeof( sha512.state ) );
switches	0:5c4d7b2438d3	4918	#endif
switches	0:5c4d7b2438d3	4919
switches	0:5c4d7b2438d3	4920	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	4921	? "client finished"
switches	0:5c4d7b2438d3	4922	: "server finished";
switches	0:5c4d7b2438d3	4923
switches	0:5c4d7b2438d3	4924	mbedtls_sha512_finish( &sha512, padbuf );
switches	0:5c4d7b2438d3	4925
switches	0:5c4d7b2438d3	4926	ssl->handshake->tls_prf( session->master, 48, sender,
switches	0:5c4d7b2438d3	4927	padbuf, 48, buf, len );
switches	0:5c4d7b2438d3	4928
switches	0:5c4d7b2438d3	4929	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
switches	0:5c4d7b2438d3	4930
switches	0:5c4d7b2438d3	4931	mbedtls_sha512_free( &sha512 );
switches	0:5c4d7b2438d3	4932
switches	0:5c4d7b2438d3	4933	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
switches	0:5c4d7b2438d3	4934
switches	0:5c4d7b2438d3	4935	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
switches	0:5c4d7b2438d3	4936	}
switches	0:5c4d7b2438d3	4937	#endif /* MBEDTLS_SHA512_C */
switches	0:5c4d7b2438d3	4938	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	4939
switches	0:5c4d7b2438d3	4940	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4941	{
switches	0:5c4d7b2438d3	4942	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
switches	0:5c4d7b2438d3	4943
switches	0:5c4d7b2438d3	4944	/*
switches	0:5c4d7b2438d3	4945	* Free our handshake params
switches	0:5c4d7b2438d3	4946	*/
switches	0:5c4d7b2438d3	4947	mbedtls_ssl_handshake_free( ssl->handshake );
switches	0:5c4d7b2438d3	4948	mbedtls_free( ssl->handshake );
switches	0:5c4d7b2438d3	4949	ssl->handshake = NULL;
switches	0:5c4d7b2438d3	4950
switches	0:5c4d7b2438d3	4951	/*
switches	0:5c4d7b2438d3	4952	* Free the previous transform and swith in the current one
switches	0:5c4d7b2438d3	4953	*/
switches	0:5c4d7b2438d3	4954	if( ssl->transform )
switches	0:5c4d7b2438d3	4955	{
switches	0:5c4d7b2438d3	4956	mbedtls_ssl_transform_free( ssl->transform );
switches	0:5c4d7b2438d3	4957	mbedtls_free( ssl->transform );
switches	0:5c4d7b2438d3	4958	}
switches	0:5c4d7b2438d3	4959	ssl->transform = ssl->transform_negotiate;
switches	0:5c4d7b2438d3	4960	ssl->transform_negotiate = NULL;
switches	0:5c4d7b2438d3	4961
switches	0:5c4d7b2438d3	4962	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
switches	0:5c4d7b2438d3	4963	}
switches	0:5c4d7b2438d3	4964
switches	0:5c4d7b2438d3	4965	void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	4966	{
switches	0:5c4d7b2438d3	4967	int resume = ssl->handshake->resume;
switches	0:5c4d7b2438d3	4968
switches	0:5c4d7b2438d3	4969	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
switches	0:5c4d7b2438d3	4970
switches	0:5c4d7b2438d3	4971	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	4972	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
switches	0:5c4d7b2438d3	4973	{
switches	0:5c4d7b2438d3	4974	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
switches	0:5c4d7b2438d3	4975	ssl->renego_records_seen = 0;
switches	0:5c4d7b2438d3	4976	}
switches	0:5c4d7b2438d3	4977	#endif
switches	0:5c4d7b2438d3	4978
switches	0:5c4d7b2438d3	4979	/*
switches	0:5c4d7b2438d3	4980	* Free the previous session and switch in the current one
switches	0:5c4d7b2438d3	4981	*/
switches	0:5c4d7b2438d3	4982	if( ssl->session )
switches	0:5c4d7b2438d3	4983	{
switches	0:5c4d7b2438d3	4984	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
switches	0:5c4d7b2438d3	4985	/* RFC 7366 3.1: keep the EtM state */
switches	0:5c4d7b2438d3	4986	ssl->session_negotiate->encrypt_then_mac =
switches	0:5c4d7b2438d3	4987	ssl->session->encrypt_then_mac;
switches	0:5c4d7b2438d3	4988	#endif
switches	0:5c4d7b2438d3	4989
switches	0:5c4d7b2438d3	4990	mbedtls_ssl_session_free( ssl->session );
switches	0:5c4d7b2438d3	4991	mbedtls_free( ssl->session );
switches	0:5c4d7b2438d3	4992	}
switches	0:5c4d7b2438d3	4993	ssl->session = ssl->session_negotiate;
switches	0:5c4d7b2438d3	4994	ssl->session_negotiate = NULL;
switches	0:5c4d7b2438d3	4995
switches	0:5c4d7b2438d3	4996	/*
switches	0:5c4d7b2438d3	4997	* Add cache entry
switches	0:5c4d7b2438d3	4998	*/
switches	0:5c4d7b2438d3	4999	if( ssl->conf->f_set_cache != NULL &&
switches	0:5c4d7b2438d3	5000	ssl->session->id_len != 0 &&
switches	0:5c4d7b2438d3	5001	resume == 0 )
switches	0:5c4d7b2438d3	5002	{
switches	0:5c4d7b2438d3	5003	if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
switches	0:5c4d7b2438d3	5004	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
switches	0:5c4d7b2438d3	5005	}
switches	0:5c4d7b2438d3	5006
switches	0:5c4d7b2438d3	5007	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5008	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	5009	ssl->handshake->flight != NULL )
switches	0:5c4d7b2438d3	5010	{
switches	0:5c4d7b2438d3	5011	/* Cancel handshake timer */
switches	0:5c4d7b2438d3	5012	ssl_set_timer( ssl, 0 );
switches	0:5c4d7b2438d3	5013
switches	0:5c4d7b2438d3	5014	/* Keep last flight around in case we need to resend it:
switches	0:5c4d7b2438d3	5015	* we need the handshake and transform structures for that */
switches	0:5c4d7b2438d3	5016	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
switches	0:5c4d7b2438d3	5017	}
switches	0:5c4d7b2438d3	5018	else
switches	0:5c4d7b2438d3	5019	#endif
switches	0:5c4d7b2438d3	5020	ssl_handshake_wrapup_free_hs_transform( ssl );
switches	0:5c4d7b2438d3	5021
switches	0:5c4d7b2438d3	5022	ssl->state++;
switches	0:5c4d7b2438d3	5023
switches	0:5c4d7b2438d3	5024	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
switches	0:5c4d7b2438d3	5025	}
switches	0:5c4d7b2438d3	5026
switches	0:5c4d7b2438d3	5027	int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	5028	{
switches	0:5c4d7b2438d3	5029	int ret, hash_len;
switches	0:5c4d7b2438d3	5030
switches	0:5c4d7b2438d3	5031	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
switches	0:5c4d7b2438d3	5032
switches	0:5c4d7b2438d3	5033	/*
switches	0:5c4d7b2438d3	5034	* Set the out_msg pointer to the correct location based on IV length
switches	0:5c4d7b2438d3	5035	*/
switches	0:5c4d7b2438d3	5036	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	5037	{
switches	0:5c4d7b2438d3	5038	ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
switches	0:5c4d7b2438d3	5039	ssl->transform_negotiate->fixed_ivlen;
switches	0:5c4d7b2438d3	5040	}
switches	0:5c4d7b2438d3	5041	else
switches	0:5c4d7b2438d3	5042	ssl->out_msg = ssl->out_iv;
switches	0:5c4d7b2438d3	5043
switches	0:5c4d7b2438d3	5044	ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
switches	0:5c4d7b2438d3	5045
switches	0:5c4d7b2438d3	5046	/*
switches	0:5c4d7b2438d3	5047	* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
switches	0:5c4d7b2438d3	5048	* may define some other value. Currently (early 2016), no defined
switches	0:5c4d7b2438d3	5049	* ciphersuite does this (and this is unlikely to change as activity has
switches	0:5c4d7b2438d3	5050	* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
switches	0:5c4d7b2438d3	5051	*/
switches	0:5c4d7b2438d3	5052	hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
switches	0:5c4d7b2438d3	5053
switches	0:5c4d7b2438d3	5054	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	5055	ssl->verify_data_len = hash_len;
switches	0:5c4d7b2438d3	5056	memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
switches	0:5c4d7b2438d3	5057	#endif
switches	0:5c4d7b2438d3	5058
switches	0:5c4d7b2438d3	5059	ssl->out_msglen = 4 + hash_len;
switches	0:5c4d7b2438d3	5060	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
switches	0:5c4d7b2438d3	5061	ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
switches	0:5c4d7b2438d3	5062
switches	0:5c4d7b2438d3	5063	/*
switches	0:5c4d7b2438d3	5064	* In case of session resuming, invert the client and server
switches	0:5c4d7b2438d3	5065	* ChangeCipherSpec messages order.
switches	0:5c4d7b2438d3	5066	*/
switches	0:5c4d7b2438d3	5067	if( ssl->handshake->resume != 0 )
switches	0:5c4d7b2438d3	5068	{
switches	0:5c4d7b2438d3	5069	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	5070	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	5071	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
switches	0:5c4d7b2438d3	5072	#endif
switches	0:5c4d7b2438d3	5073	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	5074	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	5075	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
switches	0:5c4d7b2438d3	5076	#endif
switches	0:5c4d7b2438d3	5077	}
switches	0:5c4d7b2438d3	5078	else
switches	0:5c4d7b2438d3	5079	ssl->state++;
switches	0:5c4d7b2438d3	5080
switches	0:5c4d7b2438d3	5081	/*
switches	0:5c4d7b2438d3	5082	* Switch to our negotiated transform and session parameters for outbound
switches	0:5c4d7b2438d3	5083	* data.
switches	0:5c4d7b2438d3	5084	*/
switches	0:5c4d7b2438d3	5085	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
switches	0:5c4d7b2438d3	5086
switches	0:5c4d7b2438d3	5087	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5088	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	5089	{
switches	0:5c4d7b2438d3	5090	unsigned char i;
switches	0:5c4d7b2438d3	5091
switches	0:5c4d7b2438d3	5092	/* Remember current epoch settings for resending */
switches	0:5c4d7b2438d3	5093	ssl->handshake->alt_transform_out = ssl->transform_out;
switches	0:5c4d7b2438d3	5094	memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 );
switches	0:5c4d7b2438d3	5095
switches	0:5c4d7b2438d3	5096	/* Set sequence_number to zero */
switches	0:5c4d7b2438d3	5097	memset( ssl->out_ctr + 2, 0, 6 );
switches	0:5c4d7b2438d3	5098
switches	0:5c4d7b2438d3	5099	/* Increment epoch */
switches	0:5c4d7b2438d3	5100	for( i = 2; i > 0; i-- )
switches	0:5c4d7b2438d3	5101	if( ++ssl->out_ctr[i - 1] != 0 )
switches	0:5c4d7b2438d3	5102	break;
switches	0:5c4d7b2438d3	5103
switches	0:5c4d7b2438d3	5104	/* The loop goes to its end iff the counter is wrapping */
switches	0:5c4d7b2438d3	5105	if( i == 0 )
switches	0:5c4d7b2438d3	5106	{
switches	0:5c4d7b2438d3	5107	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
switches	0:5c4d7b2438d3	5108	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
switches	0:5c4d7b2438d3	5109	}
switches	0:5c4d7b2438d3	5110	}
switches	0:5c4d7b2438d3	5111	else
switches	0:5c4d7b2438d3	5112	#endif /* MBEDTLS_SSL_PROTO_DTLS */
switches	0:5c4d7b2438d3	5113	memset( ssl->out_ctr, 0, 8 );
switches	0:5c4d7b2438d3	5114
switches	0:5c4d7b2438d3	5115	ssl->transform_out = ssl->transform_negotiate;
switches	0:5c4d7b2438d3	5116	ssl->session_out = ssl->session_negotiate;
switches	0:5c4d7b2438d3	5117
switches	0:5c4d7b2438d3	5118	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	5119	if( mbedtls_ssl_hw_record_activate != NULL )
switches	0:5c4d7b2438d3	5120	{
switches	0:5c4d7b2438d3	5121	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
switches	0:5c4d7b2438d3	5122	{
switches	0:5c4d7b2438d3	5123	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
switches	0:5c4d7b2438d3	5124	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
switches	0:5c4d7b2438d3	5125	}
switches	0:5c4d7b2438d3	5126	}
switches	0:5c4d7b2438d3	5127	#endif
switches	0:5c4d7b2438d3	5128
switches	0:5c4d7b2438d3	5129	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5130	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	5131	mbedtls_ssl_send_flight_completed( ssl );
switches	0:5c4d7b2438d3	5132	#endif
switches	0:5c4d7b2438d3	5133
switches	0:5c4d7b2438d3	5134	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	5135	{
switches	0:5c4d7b2438d3	5136	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
switches	0:5c4d7b2438d3	5137	return( ret );
switches	0:5c4d7b2438d3	5138	}
switches	0:5c4d7b2438d3	5139
switches	0:5c4d7b2438d3	5140	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
switches	0:5c4d7b2438d3	5141
switches	0:5c4d7b2438d3	5142	return( 0 );
switches	0:5c4d7b2438d3	5143	}
switches	0:5c4d7b2438d3	5144
switches	0:5c4d7b2438d3	5145	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	5146	#define SSL_MAX_HASH_LEN 36
switches	0:5c4d7b2438d3	5147	#else
switches	0:5c4d7b2438d3	5148	#define SSL_MAX_HASH_LEN 12
switches	0:5c4d7b2438d3	5149	#endif
switches	0:5c4d7b2438d3	5150
switches	0:5c4d7b2438d3	5151	int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	5152	{
switches	0:5c4d7b2438d3	5153	int ret;
switches	0:5c4d7b2438d3	5154	unsigned int hash_len;
switches	0:5c4d7b2438d3	5155	unsigned char buf[SSL_MAX_HASH_LEN];
switches	0:5c4d7b2438d3	5156
switches	0:5c4d7b2438d3	5157	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
switches	0:5c4d7b2438d3	5158
switches	0:5c4d7b2438d3	5159	ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
switches	0:5c4d7b2438d3	5160
switches	0:5c4d7b2438d3	5161	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	5162	{
switches	0:5c4d7b2438d3	5163	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
switches	0:5c4d7b2438d3	5164	return( ret );
switches	0:5c4d7b2438d3	5165	}
switches	0:5c4d7b2438d3	5166
switches	0:5c4d7b2438d3	5167	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
switches	0:5c4d7b2438d3	5168	{
switches	0:5c4d7b2438d3	5169	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
switches	0:5c4d7b2438d3	5170	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
switches	0:5c4d7b2438d3	5171	}
switches	0:5c4d7b2438d3	5172
switches	0:5c4d7b2438d3	5173	/* There is currently no ciphersuite using another length with TLS 1.2 */
switches	0:5c4d7b2438d3	5174	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	5175	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	5176	hash_len = 36;
switches	0:5c4d7b2438d3	5177	else
switches	0:5c4d7b2438d3	5178	#endif
switches	0:5c4d7b2438d3	5179	hash_len = 12;
switches	0:5c4d7b2438d3	5180
switches	0:5c4d7b2438d3	5181	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED \|\|
switches	0:5c4d7b2438d3	5182	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
switches	0:5c4d7b2438d3	5183	{
switches	0:5c4d7b2438d3	5184	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
switches	0:5c4d7b2438d3	5185	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
switches	0:5c4d7b2438d3	5186	}
switches	0:5c4d7b2438d3	5187
switches	0:5c4d7b2438d3	5188	if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
switches	0:5c4d7b2438d3	5189	buf, hash_len ) != 0 )
switches	0:5c4d7b2438d3	5190	{
switches	0:5c4d7b2438d3	5191	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
switches	0:5c4d7b2438d3	5192	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
switches	0:5c4d7b2438d3	5193	}
switches	0:5c4d7b2438d3	5194
switches	0:5c4d7b2438d3	5195	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	5196	ssl->verify_data_len = hash_len;
switches	0:5c4d7b2438d3	5197	memcpy( ssl->peer_verify_data, buf, hash_len );
switches	0:5c4d7b2438d3	5198	#endif
switches	0:5c4d7b2438d3	5199
switches	0:5c4d7b2438d3	5200	if( ssl->handshake->resume != 0 )
switches	0:5c4d7b2438d3	5201	{
switches	0:5c4d7b2438d3	5202	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	5203	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	5204	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
switches	0:5c4d7b2438d3	5205	#endif
switches	0:5c4d7b2438d3	5206	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	5207	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	5208	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
switches	0:5c4d7b2438d3	5209	#endif
switches	0:5c4d7b2438d3	5210	}
switches	0:5c4d7b2438d3	5211	else
switches	0:5c4d7b2438d3	5212	ssl->state++;
switches	0:5c4d7b2438d3	5213
switches	0:5c4d7b2438d3	5214	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5215	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	5216	mbedtls_ssl_recv_flight_completed( ssl );
switches	0:5c4d7b2438d3	5217	#endif
switches	0:5c4d7b2438d3	5218
switches	0:5c4d7b2438d3	5219	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
switches	0:5c4d7b2438d3	5220
switches	0:5c4d7b2438d3	5221	return( 0 );
switches	0:5c4d7b2438d3	5222	}
switches	0:5c4d7b2438d3	5223
switches	0:5c4d7b2438d3	5224	static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
switches	0:5c4d7b2438d3	5225	{
switches	0:5c4d7b2438d3	5226	memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
switches	0:5c4d7b2438d3	5227
switches	0:5c4d7b2438d3	5228	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
switches	0:5c4d7b2438d3	5229	defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	5230	mbedtls_md5_init( &handshake->fin_md5 );
switches	0:5c4d7b2438d3	5231	mbedtls_sha1_init( &handshake->fin_sha1 );
switches	0:5c4d7b2438d3	5232	mbedtls_md5_starts( &handshake->fin_md5 );
switches	0:5c4d7b2438d3	5233	mbedtls_sha1_starts( &handshake->fin_sha1 );
switches	0:5c4d7b2438d3	5234	#endif
switches	0:5c4d7b2438d3	5235	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	5236	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	5237	mbedtls_sha256_init( &handshake->fin_sha256 );
switches	0:5c4d7b2438d3	5238	mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
switches	0:5c4d7b2438d3	5239	#endif
switches	0:5c4d7b2438d3	5240	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	5241	mbedtls_sha512_init( &handshake->fin_sha512 );
switches	0:5c4d7b2438d3	5242	mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
switches	0:5c4d7b2438d3	5243	#endif
switches	0:5c4d7b2438d3	5244	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	5245
switches	0:5c4d7b2438d3	5246	handshake->update_checksum = ssl_update_checksum_start;
switches	0:5c4d7b2438d3	5247	handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1;
switches	0:5c4d7b2438d3	5248
switches	0:5c4d7b2438d3	5249	#if defined(MBEDTLS_DHM_C)
switches	0:5c4d7b2438d3	5250	mbedtls_dhm_init( &handshake->dhm_ctx );
switches	0:5c4d7b2438d3	5251	#endif
switches	0:5c4d7b2438d3	5252	#if defined(MBEDTLS_ECDH_C)
switches	0:5c4d7b2438d3	5253	mbedtls_ecdh_init( &handshake->ecdh_ctx );
switches	0:5c4d7b2438d3	5254	#endif
switches	0:5c4d7b2438d3	5255	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
switches	0:5c4d7b2438d3	5256	mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
switches	0:5c4d7b2438d3	5257	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	5258	handshake->ecjpake_cache = NULL;
switches	0:5c4d7b2438d3	5259	handshake->ecjpake_cache_len = 0;
switches	0:5c4d7b2438d3	5260	#endif
switches	0:5c4d7b2438d3	5261	#endif
switches	0:5c4d7b2438d3	5262
switches	0:5c4d7b2438d3	5263	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
switches	0:5c4d7b2438d3	5264	handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
switches	0:5c4d7b2438d3	5265	#endif
switches	0:5c4d7b2438d3	5266	}
switches	0:5c4d7b2438d3	5267
switches	0:5c4d7b2438d3	5268	static void ssl_transform_init( mbedtls_ssl_transform *transform )
switches	0:5c4d7b2438d3	5269	{
switches	0:5c4d7b2438d3	5270	memset( transform, 0, sizeof(mbedtls_ssl_transform) );
switches	0:5c4d7b2438d3	5271
switches	0:5c4d7b2438d3	5272	mbedtls_cipher_init( &transform->cipher_ctx_enc );
switches	0:5c4d7b2438d3	5273	mbedtls_cipher_init( &transform->cipher_ctx_dec );
switches	0:5c4d7b2438d3	5274
switches	0:5c4d7b2438d3	5275	mbedtls_md_init( &transform->md_ctx_enc );
switches	0:5c4d7b2438d3	5276	mbedtls_md_init( &transform->md_ctx_dec );
switches	0:5c4d7b2438d3	5277	}
switches	0:5c4d7b2438d3	5278
switches	0:5c4d7b2438d3	5279	void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
switches	0:5c4d7b2438d3	5280	{
switches	0:5c4d7b2438d3	5281	memset( session, 0, sizeof(mbedtls_ssl_session) );
switches	0:5c4d7b2438d3	5282	}
switches	0:5c4d7b2438d3	5283
switches	0:5c4d7b2438d3	5284	static int ssl_handshake_init( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	5285	{
switches	0:5c4d7b2438d3	5286	/* Clear old handshake information if present */
switches	0:5c4d7b2438d3	5287	if( ssl->transform_negotiate )
switches	0:5c4d7b2438d3	5288	mbedtls_ssl_transform_free( ssl->transform_negotiate );
switches	0:5c4d7b2438d3	5289	if( ssl->session_negotiate )
switches	0:5c4d7b2438d3	5290	mbedtls_ssl_session_free( ssl->session_negotiate );
switches	0:5c4d7b2438d3	5291	if( ssl->handshake )
switches	0:5c4d7b2438d3	5292	mbedtls_ssl_handshake_free( ssl->handshake );
switches	0:5c4d7b2438d3	5293
switches	0:5c4d7b2438d3	5294	/*
switches	0:5c4d7b2438d3	5295	* Either the pointers are now NULL or cleared properly and can be freed.
switches	0:5c4d7b2438d3	5296	* Now allocate missing structures.
switches	0:5c4d7b2438d3	5297	*/
switches	0:5c4d7b2438d3	5298	if( ssl->transform_negotiate == NULL )
switches	0:5c4d7b2438d3	5299	{
switches	0:5c4d7b2438d3	5300	ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
switches	0:5c4d7b2438d3	5301	}
switches	0:5c4d7b2438d3	5302
switches	0:5c4d7b2438d3	5303	if( ssl->session_negotiate == NULL )
switches	0:5c4d7b2438d3	5304	{
switches	0:5c4d7b2438d3	5305	ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
switches	0:5c4d7b2438d3	5306	}
switches	0:5c4d7b2438d3	5307
switches	0:5c4d7b2438d3	5308	if( ssl->handshake == NULL )
switches	0:5c4d7b2438d3	5309	{
switches	0:5c4d7b2438d3	5310	ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
switches	0:5c4d7b2438d3	5311	}
switches	0:5c4d7b2438d3	5312
switches	0:5c4d7b2438d3	5313	/* All pointers should exist and can be directly freed without issue */
switches	0:5c4d7b2438d3	5314	if( ssl->handshake == NULL \|\|
switches	0:5c4d7b2438d3	5315	ssl->transform_negotiate == NULL \|\|
switches	0:5c4d7b2438d3	5316	ssl->session_negotiate == NULL )
switches	0:5c4d7b2438d3	5317	{
switches	0:5c4d7b2438d3	5318	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
switches	0:5c4d7b2438d3	5319
switches	0:5c4d7b2438d3	5320	mbedtls_free( ssl->handshake );
switches	0:5c4d7b2438d3	5321	mbedtls_free( ssl->transform_negotiate );
switches	0:5c4d7b2438d3	5322	mbedtls_free( ssl->session_negotiate );
switches	0:5c4d7b2438d3	5323
switches	0:5c4d7b2438d3	5324	ssl->handshake = NULL;
switches	0:5c4d7b2438d3	5325	ssl->transform_negotiate = NULL;
switches	0:5c4d7b2438d3	5326	ssl->session_negotiate = NULL;
switches	0:5c4d7b2438d3	5327
switches	0:5c4d7b2438d3	5328	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	5329	}
switches	0:5c4d7b2438d3	5330
switches	0:5c4d7b2438d3	5331	/* Initialize structures */
switches	0:5c4d7b2438d3	5332	mbedtls_ssl_session_init( ssl->session_negotiate );
switches	0:5c4d7b2438d3	5333	ssl_transform_init( ssl->transform_negotiate );
switches	0:5c4d7b2438d3	5334	ssl_handshake_params_init( ssl->handshake );
switches	0:5c4d7b2438d3	5335
switches	0:5c4d7b2438d3	5336	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5337	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	5338	{
switches	0:5c4d7b2438d3	5339	ssl->handshake->alt_transform_out = ssl->transform_out;
switches	0:5c4d7b2438d3	5340
switches	0:5c4d7b2438d3	5341	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	5342	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
switches	0:5c4d7b2438d3	5343	else
switches	0:5c4d7b2438d3	5344	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
switches	0:5c4d7b2438d3	5345
switches	0:5c4d7b2438d3	5346	ssl_set_timer( ssl, 0 );
switches	0:5c4d7b2438d3	5347	}
switches	0:5c4d7b2438d3	5348	#endif
switches	0:5c4d7b2438d3	5349
switches	0:5c4d7b2438d3	5350	return( 0 );
switches	0:5c4d7b2438d3	5351	}
switches	0:5c4d7b2438d3	5352
switches	0:5c4d7b2438d3	5353	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	5354	/* Dummy cookie callbacks for defaults */
switches	0:5c4d7b2438d3	5355	static int ssl_cookie_write_dummy( void *ctx,
switches	0:5c4d7b2438d3	5356	unsigned char *p, unsigned char end,
switches	0:5c4d7b2438d3	5357	const unsigned char *cli_id, size_t cli_id_len )
switches	0:5c4d7b2438d3	5358	{
switches	0:5c4d7b2438d3	5359	((void) ctx);
switches	0:5c4d7b2438d3	5360	((void) p);
switches	0:5c4d7b2438d3	5361	((void) end);
switches	0:5c4d7b2438d3	5362	((void) cli_id);
switches	0:5c4d7b2438d3	5363	((void) cli_id_len);
switches	0:5c4d7b2438d3	5364
switches	0:5c4d7b2438d3	5365	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
switches	0:5c4d7b2438d3	5366	}
switches	0:5c4d7b2438d3	5367
switches	0:5c4d7b2438d3	5368	static int ssl_cookie_check_dummy( void *ctx,
switches	0:5c4d7b2438d3	5369	const unsigned char *cookie, size_t cookie_len,
switches	0:5c4d7b2438d3	5370	const unsigned char *cli_id, size_t cli_id_len )
switches	0:5c4d7b2438d3	5371	{
switches	0:5c4d7b2438d3	5372	((void) ctx);
switches	0:5c4d7b2438d3	5373	((void) cookie);
switches	0:5c4d7b2438d3	5374	((void) cookie_len);
switches	0:5c4d7b2438d3	5375	((void) cli_id);
switches	0:5c4d7b2438d3	5376	((void) cli_id_len);
switches	0:5c4d7b2438d3	5377
switches	0:5c4d7b2438d3	5378	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
switches	0:5c4d7b2438d3	5379	}
switches	0:5c4d7b2438d3	5380	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	5381
switches	0:5c4d7b2438d3	5382	/*
switches	0:5c4d7b2438d3	5383	* Initialize an SSL context
switches	0:5c4d7b2438d3	5384	*/
switches	0:5c4d7b2438d3	5385	void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	5386	{
switches	0:5c4d7b2438d3	5387	memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
switches	0:5c4d7b2438d3	5388	}
switches	0:5c4d7b2438d3	5389
switches	0:5c4d7b2438d3	5390	/*
switches	0:5c4d7b2438d3	5391	* Setup an SSL context
switches	0:5c4d7b2438d3	5392	*/
switches	0:5c4d7b2438d3	5393	int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5394	const mbedtls_ssl_config *conf )
switches	0:5c4d7b2438d3	5395	{
switches	0:5c4d7b2438d3	5396	int ret;
switches	0:5c4d7b2438d3	5397	const size_t len = MBEDTLS_SSL_BUFFER_LEN;
switches	0:5c4d7b2438d3	5398
switches	0:5c4d7b2438d3	5399	ssl->conf = conf;
switches	0:5c4d7b2438d3	5400
switches	0:5c4d7b2438d3	5401	/*
switches	0:5c4d7b2438d3	5402	* Prepare base structures
switches	0:5c4d7b2438d3	5403	*/
switches	0:5c4d7b2438d3	5404	if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL \|\|
switches	0:5c4d7b2438d3	5405	( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
switches	0:5c4d7b2438d3	5406	{
switches	0:5c4d7b2438d3	5407	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
switches	0:5c4d7b2438d3	5408	mbedtls_free( ssl->in_buf );
switches	0:5c4d7b2438d3	5409	ssl->in_buf = NULL;
switches	0:5c4d7b2438d3	5410	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	5411	}
switches	0:5c4d7b2438d3	5412
switches	0:5c4d7b2438d3	5413	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5414	if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	5415	{
switches	0:5c4d7b2438d3	5416	ssl->out_hdr = ssl->out_buf;
switches	0:5c4d7b2438d3	5417	ssl->out_ctr = ssl->out_buf + 3;
switches	0:5c4d7b2438d3	5418	ssl->out_len = ssl->out_buf + 11;
switches	0:5c4d7b2438d3	5419	ssl->out_iv = ssl->out_buf + 13;
switches	0:5c4d7b2438d3	5420	ssl->out_msg = ssl->out_buf + 13;
switches	0:5c4d7b2438d3	5421
switches	0:5c4d7b2438d3	5422	ssl->in_hdr = ssl->in_buf;
switches	0:5c4d7b2438d3	5423	ssl->in_ctr = ssl->in_buf + 3;
switches	0:5c4d7b2438d3	5424	ssl->in_len = ssl->in_buf + 11;
switches	0:5c4d7b2438d3	5425	ssl->in_iv = ssl->in_buf + 13;
switches	0:5c4d7b2438d3	5426	ssl->in_msg = ssl->in_buf + 13;
switches	0:5c4d7b2438d3	5427	}
switches	0:5c4d7b2438d3	5428	else
switches	0:5c4d7b2438d3	5429	#endif
switches	0:5c4d7b2438d3	5430	{
switches	0:5c4d7b2438d3	5431	ssl->out_ctr = ssl->out_buf;
switches	0:5c4d7b2438d3	5432	ssl->out_hdr = ssl->out_buf + 8;
switches	0:5c4d7b2438d3	5433	ssl->out_len = ssl->out_buf + 11;
switches	0:5c4d7b2438d3	5434	ssl->out_iv = ssl->out_buf + 13;
switches	0:5c4d7b2438d3	5435	ssl->out_msg = ssl->out_buf + 13;
switches	0:5c4d7b2438d3	5436
switches	0:5c4d7b2438d3	5437	ssl->in_ctr = ssl->in_buf;
switches	0:5c4d7b2438d3	5438	ssl->in_hdr = ssl->in_buf + 8;
switches	0:5c4d7b2438d3	5439	ssl->in_len = ssl->in_buf + 11;
switches	0:5c4d7b2438d3	5440	ssl->in_iv = ssl->in_buf + 13;
switches	0:5c4d7b2438d3	5441	ssl->in_msg = ssl->in_buf + 13;
switches	0:5c4d7b2438d3	5442	}
switches	0:5c4d7b2438d3	5443
switches	0:5c4d7b2438d3	5444	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	5445	return( ret );
switches	0:5c4d7b2438d3	5446
switches	0:5c4d7b2438d3	5447	return( 0 );
switches	0:5c4d7b2438d3	5448	}
switches	0:5c4d7b2438d3	5449
switches	0:5c4d7b2438d3	5450	/*
switches	0:5c4d7b2438d3	5451	* Reset an initialized and used SSL context for re-use while retaining
switches	0:5c4d7b2438d3	5452	* all application-set variables, function pointers and data.
switches	0:5c4d7b2438d3	5453	*
switches	0:5c4d7b2438d3	5454	* If partial is non-zero, keep data in the input buffer and client ID.
switches	0:5c4d7b2438d3	5455	* (Use when a DTLS client reconnects from the same port.)
switches	0:5c4d7b2438d3	5456	*/
switches	0:5c4d7b2438d3	5457	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
switches	0:5c4d7b2438d3	5458	{
switches	0:5c4d7b2438d3	5459	int ret;
switches	0:5c4d7b2438d3	5460
switches	0:5c4d7b2438d3	5461	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
switches	0:5c4d7b2438d3	5462
switches	0:5c4d7b2438d3	5463	/* Cancel any possibly running timer */
switches	0:5c4d7b2438d3	5464	ssl_set_timer( ssl, 0 );
switches	0:5c4d7b2438d3	5465
switches	0:5c4d7b2438d3	5466	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	5467	ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
switches	0:5c4d7b2438d3	5468	ssl->renego_records_seen = 0;
switches	0:5c4d7b2438d3	5469
switches	0:5c4d7b2438d3	5470	ssl->verify_data_len = 0;
switches	0:5c4d7b2438d3	5471	memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
switches	0:5c4d7b2438d3	5472	memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
switches	0:5c4d7b2438d3	5473	#endif
switches	0:5c4d7b2438d3	5474	ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
switches	0:5c4d7b2438d3	5475
switches	0:5c4d7b2438d3	5476	ssl->in_offt = NULL;
switches	0:5c4d7b2438d3	5477
switches	0:5c4d7b2438d3	5478	ssl->in_msg = ssl->in_buf + 13;
switches	0:5c4d7b2438d3	5479	ssl->in_msgtype = 0;
switches	0:5c4d7b2438d3	5480	ssl->in_msglen = 0;
switches	0:5c4d7b2438d3	5481	if( partial == 0 )
switches	0:5c4d7b2438d3	5482	ssl->in_left = 0;
switches	0:5c4d7b2438d3	5483	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5484	ssl->next_record_offset = 0;
switches	0:5c4d7b2438d3	5485	ssl->in_epoch = 0;
switches	0:5c4d7b2438d3	5486	#endif
switches	0:5c4d7b2438d3	5487	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	5488	ssl_dtls_replay_reset( ssl );
switches	0:5c4d7b2438d3	5489	#endif
switches	0:5c4d7b2438d3	5490
switches	0:5c4d7b2438d3	5491	ssl->in_hslen = 0;
switches	0:5c4d7b2438d3	5492	ssl->nb_zero = 0;
switches	0:5c4d7b2438d3	5493	ssl->record_read = 0;
switches	0:5c4d7b2438d3	5494
switches	0:5c4d7b2438d3	5495	ssl->out_msg = ssl->out_buf + 13;
switches	0:5c4d7b2438d3	5496	ssl->out_msgtype = 0;
switches	0:5c4d7b2438d3	5497	ssl->out_msglen = 0;
switches	0:5c4d7b2438d3	5498	ssl->out_left = 0;
switches	0:5c4d7b2438d3	5499	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
switches	0:5c4d7b2438d3	5500	if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
switches	0:5c4d7b2438d3	5501	ssl->split_done = 0;
switches	0:5c4d7b2438d3	5502	#endif
switches	0:5c4d7b2438d3	5503
switches	0:5c4d7b2438d3	5504	ssl->transform_in = NULL;
switches	0:5c4d7b2438d3	5505	ssl->transform_out = NULL;
switches	0:5c4d7b2438d3	5506
switches	0:5c4d7b2438d3	5507	memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
switches	0:5c4d7b2438d3	5508	if( partial == 0 )
switches	0:5c4d7b2438d3	5509	memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
switches	0:5c4d7b2438d3	5510
switches	0:5c4d7b2438d3	5511	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	5512	if( mbedtls_ssl_hw_record_reset != NULL )
switches	0:5c4d7b2438d3	5513	{
switches	0:5c4d7b2438d3	5514	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
switches	0:5c4d7b2438d3	5515	if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	5516	{
switches	0:5c4d7b2438d3	5517	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
switches	0:5c4d7b2438d3	5518	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
switches	0:5c4d7b2438d3	5519	}
switches	0:5c4d7b2438d3	5520	}
switches	0:5c4d7b2438d3	5521	#endif
switches	0:5c4d7b2438d3	5522
switches	0:5c4d7b2438d3	5523	if( ssl->transform )
switches	0:5c4d7b2438d3	5524	{
switches	0:5c4d7b2438d3	5525	mbedtls_ssl_transform_free( ssl->transform );
switches	0:5c4d7b2438d3	5526	mbedtls_free( ssl->transform );
switches	0:5c4d7b2438d3	5527	ssl->transform = NULL;
switches	0:5c4d7b2438d3	5528	}
switches	0:5c4d7b2438d3	5529
switches	0:5c4d7b2438d3	5530	if( ssl->session )
switches	0:5c4d7b2438d3	5531	{
switches	0:5c4d7b2438d3	5532	mbedtls_ssl_session_free( ssl->session );
switches	0:5c4d7b2438d3	5533	mbedtls_free( ssl->session );
switches	0:5c4d7b2438d3	5534	ssl->session = NULL;
switches	0:5c4d7b2438d3	5535	}
switches	0:5c4d7b2438d3	5536
switches	0:5c4d7b2438d3	5537	#if defined(MBEDTLS_SSL_ALPN)
switches	0:5c4d7b2438d3	5538	ssl->alpn_chosen = NULL;
switches	0:5c4d7b2438d3	5539	#endif
switches	0:5c4d7b2438d3	5540
switches	0:5c4d7b2438d3	5541	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	5542	if( partial == 0 )
switches	0:5c4d7b2438d3	5543	{
switches	0:5c4d7b2438d3	5544	mbedtls_free( ssl->cli_id );
switches	0:5c4d7b2438d3	5545	ssl->cli_id = NULL;
switches	0:5c4d7b2438d3	5546	ssl->cli_id_len = 0;
switches	0:5c4d7b2438d3	5547	}
switches	0:5c4d7b2438d3	5548	#endif
switches	0:5c4d7b2438d3	5549
switches	0:5c4d7b2438d3	5550	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	5551	return( ret );
switches	0:5c4d7b2438d3	5552
switches	0:5c4d7b2438d3	5553	return( 0 );
switches	0:5c4d7b2438d3	5554	}
switches	0:5c4d7b2438d3	5555
switches	0:5c4d7b2438d3	5556	/*
switches	0:5c4d7b2438d3	5557	* Reset an initialized and used SSL context for re-use while retaining
switches	0:5c4d7b2438d3	5558	* all application-set variables, function pointers and data.
switches	0:5c4d7b2438d3	5559	*/
switches	0:5c4d7b2438d3	5560	int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	5561	{
switches	0:5c4d7b2438d3	5562	return( ssl_session_reset_int( ssl, 0 ) );
switches	0:5c4d7b2438d3	5563	}
switches	0:5c4d7b2438d3	5564
switches	0:5c4d7b2438d3	5565	/*
switches	0:5c4d7b2438d3	5566	* SSL set accessors
switches	0:5c4d7b2438d3	5567	*/
switches	0:5c4d7b2438d3	5568	void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
switches	0:5c4d7b2438d3	5569	{
switches	0:5c4d7b2438d3	5570	conf->endpoint = endpoint;
switches	0:5c4d7b2438d3	5571	}
switches	0:5c4d7b2438d3	5572
switches	0:5c4d7b2438d3	5573	void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
switches	0:5c4d7b2438d3	5574	{
switches	0:5c4d7b2438d3	5575	conf->transport = transport;
switches	0:5c4d7b2438d3	5576	}
switches	0:5c4d7b2438d3	5577
switches	0:5c4d7b2438d3	5578	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	5579	void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
switches	0:5c4d7b2438d3	5580	{
switches	0:5c4d7b2438d3	5581	conf->anti_replay = mode;
switches	0:5c4d7b2438d3	5582	}
switches	0:5c4d7b2438d3	5583	#endif
switches	0:5c4d7b2438d3	5584
switches	0:5c4d7b2438d3	5585	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
switches	0:5c4d7b2438d3	5586	void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
switches	0:5c4d7b2438d3	5587	{
switches	0:5c4d7b2438d3	5588	conf->badmac_limit = limit;
switches	0:5c4d7b2438d3	5589	}
switches	0:5c4d7b2438d3	5590	#endif
switches	0:5c4d7b2438d3	5591
switches	0:5c4d7b2438d3	5592	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	5593	void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max )
switches	0:5c4d7b2438d3	5594	{
switches	0:5c4d7b2438d3	5595	conf->hs_timeout_min = min;
switches	0:5c4d7b2438d3	5596	conf->hs_timeout_max = max;
switches	0:5c4d7b2438d3	5597	}
switches	0:5c4d7b2438d3	5598	#endif
switches	0:5c4d7b2438d3	5599
switches	0:5c4d7b2438d3	5600	void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
switches	0:5c4d7b2438d3	5601	{
switches	0:5c4d7b2438d3	5602	conf->authmode = authmode;
switches	0:5c4d7b2438d3	5603	}
switches	0:5c4d7b2438d3	5604
switches	0:5c4d7b2438d3	5605	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	5606	void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5607	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
switches	0:5c4d7b2438d3	5608	void *p_vrfy )
switches	0:5c4d7b2438d3	5609	{
switches	0:5c4d7b2438d3	5610	conf->f_vrfy = f_vrfy;
switches	0:5c4d7b2438d3	5611	conf->p_vrfy = p_vrfy;
switches	0:5c4d7b2438d3	5612	}
switches	0:5c4d7b2438d3	5613	#endif /* MBEDTLS_X509_CRT_PARSE_C */
switches	0:5c4d7b2438d3	5614
switches	0:5c4d7b2438d3	5615	void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5616	int (f_rng)(void , unsigned char *, size_t),
switches	0:5c4d7b2438d3	5617	void *p_rng )
switches	0:5c4d7b2438d3	5618	{
switches	0:5c4d7b2438d3	5619	conf->f_rng = f_rng;
switches	0:5c4d7b2438d3	5620	conf->p_rng = p_rng;
switches	0:5c4d7b2438d3	5621	}
switches	0:5c4d7b2438d3	5622
switches	0:5c4d7b2438d3	5623	void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5624	void (f_dbg)(void , int, const char , int, const char ),
switches	0:5c4d7b2438d3	5625	void *p_dbg )
switches	0:5c4d7b2438d3	5626	{
switches	0:5c4d7b2438d3	5627	conf->f_dbg = f_dbg;
switches	0:5c4d7b2438d3	5628	conf->p_dbg = p_dbg;
switches	0:5c4d7b2438d3	5629	}
switches	0:5c4d7b2438d3	5630
switches	0:5c4d7b2438d3	5631	void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5632	void *p_bio,
switches	0:5c4d7b2438d3	5633	mbedtls_ssl_send_t *f_send,
switches	0:5c4d7b2438d3	5634	mbedtls_ssl_recv_t *f_recv,
switches	0:5c4d7b2438d3	5635	mbedtls_ssl_recv_timeout_t *f_recv_timeout )
switches	0:5c4d7b2438d3	5636	{
switches	0:5c4d7b2438d3	5637	ssl->p_bio = p_bio;
switches	0:5c4d7b2438d3	5638	ssl->f_send = f_send;
switches	0:5c4d7b2438d3	5639	ssl->f_recv = f_recv;
switches	0:5c4d7b2438d3	5640	ssl->f_recv_timeout = f_recv_timeout;
switches	0:5c4d7b2438d3	5641	}
switches	0:5c4d7b2438d3	5642
switches	0:5c4d7b2438d3	5643	void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
switches	0:5c4d7b2438d3	5644	{
switches	0:5c4d7b2438d3	5645	conf->read_timeout = timeout;
switches	0:5c4d7b2438d3	5646	}
switches	0:5c4d7b2438d3	5647
switches	0:5c4d7b2438d3	5648	void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5649	void *p_timer,
switches	0:5c4d7b2438d3	5650	mbedtls_ssl_set_timer_t *f_set_timer,
switches	0:5c4d7b2438d3	5651	mbedtls_ssl_get_timer_t *f_get_timer )
switches	0:5c4d7b2438d3	5652	{
switches	0:5c4d7b2438d3	5653	ssl->p_timer = p_timer;
switches	0:5c4d7b2438d3	5654	ssl->f_set_timer = f_set_timer;
switches	0:5c4d7b2438d3	5655	ssl->f_get_timer = f_get_timer;
switches	0:5c4d7b2438d3	5656
switches	0:5c4d7b2438d3	5657	/* Make sure we start with no timer running */
switches	0:5c4d7b2438d3	5658	ssl_set_timer( ssl, 0 );
switches	0:5c4d7b2438d3	5659	}
switches	0:5c4d7b2438d3	5660
switches	0:5c4d7b2438d3	5661	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	5662	void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5663	void *p_cache,
switches	0:5c4d7b2438d3	5664	int (f_get_cache)(void , mbedtls_ssl_session *),
switches	0:5c4d7b2438d3	5665	int (f_set_cache)(void , const mbedtls_ssl_session *) )
switches	0:5c4d7b2438d3	5666	{
switches	0:5c4d7b2438d3	5667	conf->p_cache = p_cache;
switches	0:5c4d7b2438d3	5668	conf->f_get_cache = f_get_cache;
switches	0:5c4d7b2438d3	5669	conf->f_set_cache = f_set_cache;
switches	0:5c4d7b2438d3	5670	}
switches	0:5c4d7b2438d3	5671	#endif /* MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	5672
switches	0:5c4d7b2438d3	5673	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	5674	int mbedtls_ssl_set_session( mbedtls_ssl_context ssl, const mbedtls_ssl_session session )
switches	0:5c4d7b2438d3	5675	{
switches	0:5c4d7b2438d3	5676	int ret;
switches	0:5c4d7b2438d3	5677
switches	0:5c4d7b2438d3	5678	if( ssl == NULL \|\|
switches	0:5c4d7b2438d3	5679	session == NULL \|\|
switches	0:5c4d7b2438d3	5680	ssl->session_negotiate == NULL \|\|
switches	0:5c4d7b2438d3	5681	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	5682	{
switches	0:5c4d7b2438d3	5683	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5684	}
switches	0:5c4d7b2438d3	5685
switches	0:5c4d7b2438d3	5686	if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
switches	0:5c4d7b2438d3	5687	return( ret );
switches	0:5c4d7b2438d3	5688
switches	0:5c4d7b2438d3	5689	ssl->handshake->resume = 1;
switches	0:5c4d7b2438d3	5690
switches	0:5c4d7b2438d3	5691	return( 0 );
switches	0:5c4d7b2438d3	5692	}
switches	0:5c4d7b2438d3	5693	#endif /* MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	5694
switches	0:5c4d7b2438d3	5695	void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5696	const int *ciphersuites )
switches	0:5c4d7b2438d3	5697	{
switches	0:5c4d7b2438d3	5698	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
switches	0:5c4d7b2438d3	5699	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
switches	0:5c4d7b2438d3	5700	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
switches	0:5c4d7b2438d3	5701	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
switches	0:5c4d7b2438d3	5702	}
switches	0:5c4d7b2438d3	5703
switches	0:5c4d7b2438d3	5704	void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5705	const int *ciphersuites,
switches	0:5c4d7b2438d3	5706	int major, int minor )
switches	0:5c4d7b2438d3	5707	{
switches	0:5c4d7b2438d3	5708	if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
switches	0:5c4d7b2438d3	5709	return;
switches	0:5c4d7b2438d3	5710
switches	0:5c4d7b2438d3	5711	if( minor < MBEDTLS_SSL_MINOR_VERSION_0 \|\| minor > MBEDTLS_SSL_MINOR_VERSION_3 )
switches	0:5c4d7b2438d3	5712	return;
switches	0:5c4d7b2438d3	5713
switches	0:5c4d7b2438d3	5714	conf->ciphersuite_list[minor] = ciphersuites;
switches	0:5c4d7b2438d3	5715	}
switches	0:5c4d7b2438d3	5716
switches	0:5c4d7b2438d3	5717	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	5718	void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5719	const mbedtls_x509_crt_profile *profile )
switches	0:5c4d7b2438d3	5720	{
switches	0:5c4d7b2438d3	5721	conf->cert_profile = profile;
switches	0:5c4d7b2438d3	5722	}
switches	0:5c4d7b2438d3	5723
switches	0:5c4d7b2438d3	5724	/* Append a new keycert entry to a (possibly empty) list */
switches	0:5c4d7b2438d3	5725	static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
switches	0:5c4d7b2438d3	5726	mbedtls_x509_crt *cert,
switches	0:5c4d7b2438d3	5727	mbedtls_pk_context *key )
switches	0:5c4d7b2438d3	5728	{
switches	0:5c4d7b2438d3	5729	mbedtls_ssl_key_cert *new;
switches	0:5c4d7b2438d3	5730
switches	0:5c4d7b2438d3	5731	new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
switches	0:5c4d7b2438d3	5732	if( new == NULL )
switches	0:5c4d7b2438d3	5733	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	5734
switches	0:5c4d7b2438d3	5735	new->cert = cert;
switches	0:5c4d7b2438d3	5736	new->key = key;
switches	0:5c4d7b2438d3	5737	new->next = NULL;
switches	0:5c4d7b2438d3	5738
switches	0:5c4d7b2438d3	5739	/* Update head is the list was null, else add to the end */
switches	0:5c4d7b2438d3	5740	if( *head == NULL )
switches	0:5c4d7b2438d3	5741	{
switches	0:5c4d7b2438d3	5742	*head = new;
switches	0:5c4d7b2438d3	5743	}
switches	0:5c4d7b2438d3	5744	else
switches	0:5c4d7b2438d3	5745	{
switches	0:5c4d7b2438d3	5746	mbedtls_ssl_key_cert cur = head;
switches	0:5c4d7b2438d3	5747	while( cur->next != NULL )
switches	0:5c4d7b2438d3	5748	cur = cur->next;
switches	0:5c4d7b2438d3	5749	cur->next = new;
switches	0:5c4d7b2438d3	5750	}
switches	0:5c4d7b2438d3	5751
switches	0:5c4d7b2438d3	5752	return( 0 );
switches	0:5c4d7b2438d3	5753	}
switches	0:5c4d7b2438d3	5754
switches	0:5c4d7b2438d3	5755	int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5756	mbedtls_x509_crt *own_cert,
switches	0:5c4d7b2438d3	5757	mbedtls_pk_context *pk_key )
switches	0:5c4d7b2438d3	5758	{
switches	0:5c4d7b2438d3	5759	return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
switches	0:5c4d7b2438d3	5760	}
switches	0:5c4d7b2438d3	5761
switches	0:5c4d7b2438d3	5762	void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5763	mbedtls_x509_crt *ca_chain,
switches	0:5c4d7b2438d3	5764	mbedtls_x509_crl *ca_crl )
switches	0:5c4d7b2438d3	5765	{
switches	0:5c4d7b2438d3	5766	conf->ca_chain = ca_chain;
switches	0:5c4d7b2438d3	5767	conf->ca_crl = ca_crl;
switches	0:5c4d7b2438d3	5768	}
switches	0:5c4d7b2438d3	5769	#endif /* MBEDTLS_X509_CRT_PARSE_C */
switches	0:5c4d7b2438d3	5770
switches	0:5c4d7b2438d3	5771	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
switches	0:5c4d7b2438d3	5772	int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5773	mbedtls_x509_crt *own_cert,
switches	0:5c4d7b2438d3	5774	mbedtls_pk_context *pk_key )
switches	0:5c4d7b2438d3	5775	{
switches	0:5c4d7b2438d3	5776	return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
switches	0:5c4d7b2438d3	5777	own_cert, pk_key ) );
switches	0:5c4d7b2438d3	5778	}
switches	0:5c4d7b2438d3	5779
switches	0:5c4d7b2438d3	5780	void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5781	mbedtls_x509_crt *ca_chain,
switches	0:5c4d7b2438d3	5782	mbedtls_x509_crl *ca_crl )
switches	0:5c4d7b2438d3	5783	{
switches	0:5c4d7b2438d3	5784	ssl->handshake->sni_ca_chain = ca_chain;
switches	0:5c4d7b2438d3	5785	ssl->handshake->sni_ca_crl = ca_crl;
switches	0:5c4d7b2438d3	5786	}
switches	0:5c4d7b2438d3	5787
switches	0:5c4d7b2438d3	5788	void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5789	int authmode )
switches	0:5c4d7b2438d3	5790	{
switches	0:5c4d7b2438d3	5791	ssl->handshake->sni_authmode = authmode;
switches	0:5c4d7b2438d3	5792	}
switches	0:5c4d7b2438d3	5793	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
switches	0:5c4d7b2438d3	5794
switches	0:5c4d7b2438d3	5795	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
switches	0:5c4d7b2438d3	5796	/*
switches	0:5c4d7b2438d3	5797	* Set EC J-PAKE password for current handshake
switches	0:5c4d7b2438d3	5798	*/
switches	0:5c4d7b2438d3	5799	int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5800	const unsigned char *pw,
switches	0:5c4d7b2438d3	5801	size_t pw_len )
switches	0:5c4d7b2438d3	5802	{
switches	0:5c4d7b2438d3	5803	mbedtls_ecjpake_role role;
switches	0:5c4d7b2438d3	5804
switches	0:5c4d7b2438d3	5805	if( ssl->handshake == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	5806	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5807
switches	0:5c4d7b2438d3	5808	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	5809	role = MBEDTLS_ECJPAKE_SERVER;
switches	0:5c4d7b2438d3	5810	else
switches	0:5c4d7b2438d3	5811	role = MBEDTLS_ECJPAKE_CLIENT;
switches	0:5c4d7b2438d3	5812
switches	0:5c4d7b2438d3	5813	return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
switches	0:5c4d7b2438d3	5814	role,
switches	0:5c4d7b2438d3	5815	MBEDTLS_MD_SHA256,
switches	0:5c4d7b2438d3	5816	MBEDTLS_ECP_DP_SECP256R1,
switches	0:5c4d7b2438d3	5817	pw, pw_len ) );
switches	0:5c4d7b2438d3	5818	}
switches	0:5c4d7b2438d3	5819	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
switches	0:5c4d7b2438d3	5820
switches	0:5c4d7b2438d3	5821	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
switches	0:5c4d7b2438d3	5822	int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5823	const unsigned char *psk, size_t psk_len,
switches	0:5c4d7b2438d3	5824	const unsigned char *psk_identity, size_t psk_identity_len )
switches	0:5c4d7b2438d3	5825	{
switches	0:5c4d7b2438d3	5826	if( psk == NULL \|\| psk_identity == NULL )
switches	0:5c4d7b2438d3	5827	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5828
switches	0:5c4d7b2438d3	5829	if( psk_len > MBEDTLS_PSK_MAX_LEN )
switches	0:5c4d7b2438d3	5830	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5831
switches	0:5c4d7b2438d3	5832	/* Identity len will be encoded on two bytes */
switches	0:5c4d7b2438d3	5833	if( ( psk_identity_len >> 16 ) != 0 \|\|
switches	0:5c4d7b2438d3	5834	psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
switches	0:5c4d7b2438d3	5835	{
switches	0:5c4d7b2438d3	5836	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5837	}
switches	0:5c4d7b2438d3	5838
switches	0:5c4d7b2438d3	5839	if( conf->psk != NULL \|\| conf->psk_identity != NULL )
switches	0:5c4d7b2438d3	5840	{
switches	0:5c4d7b2438d3	5841	mbedtls_free( conf->psk );
switches	0:5c4d7b2438d3	5842	mbedtls_free( conf->psk_identity );
switches	0:5c4d7b2438d3	5843	conf->psk = NULL;
switches	0:5c4d7b2438d3	5844	conf->psk_identity = NULL;
switches	0:5c4d7b2438d3	5845	}
switches	0:5c4d7b2438d3	5846
switches	0:5c4d7b2438d3	5847	if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL \|\|
switches	0:5c4d7b2438d3	5848	( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
switches	0:5c4d7b2438d3	5849	{
switches	0:5c4d7b2438d3	5850	mbedtls_free( conf->psk );
switches	0:5c4d7b2438d3	5851	mbedtls_free( conf->psk_identity );
switches	0:5c4d7b2438d3	5852	conf->psk = NULL;
switches	0:5c4d7b2438d3	5853	conf->psk_identity = NULL;
switches	0:5c4d7b2438d3	5854	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	5855	}
switches	0:5c4d7b2438d3	5856
switches	0:5c4d7b2438d3	5857	conf->psk_len = psk_len;
switches	0:5c4d7b2438d3	5858	conf->psk_identity_len = psk_identity_len;
switches	0:5c4d7b2438d3	5859
switches	0:5c4d7b2438d3	5860	memcpy( conf->psk, psk, conf->psk_len );
switches	0:5c4d7b2438d3	5861	memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
switches	0:5c4d7b2438d3	5862
switches	0:5c4d7b2438d3	5863	return( 0 );
switches	0:5c4d7b2438d3	5864	}
switches	0:5c4d7b2438d3	5865
switches	0:5c4d7b2438d3	5866	int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	5867	const unsigned char *psk, size_t psk_len )
switches	0:5c4d7b2438d3	5868	{
switches	0:5c4d7b2438d3	5869	if( psk == NULL \|\| ssl->handshake == NULL )
switches	0:5c4d7b2438d3	5870	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5871
switches	0:5c4d7b2438d3	5872	if( psk_len > MBEDTLS_PSK_MAX_LEN )
switches	0:5c4d7b2438d3	5873	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5874
switches	0:5c4d7b2438d3	5875	if( ssl->handshake->psk != NULL )
switches	0:5c4d7b2438d3	5876	mbedtls_free( ssl->handshake->psk );
switches	0:5c4d7b2438d3	5877
switches	0:5c4d7b2438d3	5878	if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
switches	0:5c4d7b2438d3	5879	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	5880
switches	0:5c4d7b2438d3	5881	ssl->handshake->psk_len = psk_len;
switches	0:5c4d7b2438d3	5882	memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
switches	0:5c4d7b2438d3	5883
switches	0:5c4d7b2438d3	5884	return( 0 );
switches	0:5c4d7b2438d3	5885	}
switches	0:5c4d7b2438d3	5886
switches	0:5c4d7b2438d3	5887	void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5888	int (f_psk)(void , mbedtls_ssl_context , const unsigned char ,
switches	0:5c4d7b2438d3	5889	size_t),
switches	0:5c4d7b2438d3	5890	void *p_psk )
switches	0:5c4d7b2438d3	5891	{
switches	0:5c4d7b2438d3	5892	conf->f_psk = f_psk;
switches	0:5c4d7b2438d3	5893	conf->p_psk = p_psk;
switches	0:5c4d7b2438d3	5894	}
switches	0:5c4d7b2438d3	5895	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
switches	0:5c4d7b2438d3	5896
switches	0:5c4d7b2438d3	5897	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	5898	int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config conf, const char dhm_P, const char *dhm_G )
switches	0:5c4d7b2438d3	5899	{
switches	0:5c4d7b2438d3	5900	int ret;
switches	0:5c4d7b2438d3	5901
switches	0:5c4d7b2438d3	5902	if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 \|\|
switches	0:5c4d7b2438d3	5903	( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
switches	0:5c4d7b2438d3	5904	{
switches	0:5c4d7b2438d3	5905	mbedtls_mpi_free( &conf->dhm_P );
switches	0:5c4d7b2438d3	5906	mbedtls_mpi_free( &conf->dhm_G );
switches	0:5c4d7b2438d3	5907	return( ret );
switches	0:5c4d7b2438d3	5908	}
switches	0:5c4d7b2438d3	5909
switches	0:5c4d7b2438d3	5910	return( 0 );
switches	0:5c4d7b2438d3	5911	}
switches	0:5c4d7b2438d3	5912
switches	0:5c4d7b2438d3	5913	int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config conf, mbedtls_dhm_context dhm_ctx )
switches	0:5c4d7b2438d3	5914	{
switches	0:5c4d7b2438d3	5915	int ret;
switches	0:5c4d7b2438d3	5916
switches	0:5c4d7b2438d3	5917	if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 \|\|
switches	0:5c4d7b2438d3	5918	( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
switches	0:5c4d7b2438d3	5919	{
switches	0:5c4d7b2438d3	5920	mbedtls_mpi_free( &conf->dhm_P );
switches	0:5c4d7b2438d3	5921	mbedtls_mpi_free( &conf->dhm_G );
switches	0:5c4d7b2438d3	5922	return( ret );
switches	0:5c4d7b2438d3	5923	}
switches	0:5c4d7b2438d3	5924
switches	0:5c4d7b2438d3	5925	return( 0 );
switches	0:5c4d7b2438d3	5926	}
switches	0:5c4d7b2438d3	5927	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	5928
switches	0:5c4d7b2438d3	5929	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	5930	/*
switches	0:5c4d7b2438d3	5931	* Set the minimum length for Diffie-Hellman parameters
switches	0:5c4d7b2438d3	5932	*/
switches	0:5c4d7b2438d3	5933	void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5934	unsigned int bitlen )
switches	0:5c4d7b2438d3	5935	{
switches	0:5c4d7b2438d3	5936	conf->dhm_min_bitlen = bitlen;
switches	0:5c4d7b2438d3	5937	}
switches	0:5c4d7b2438d3	5938	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	5939
switches	0:5c4d7b2438d3	5940	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
switches	0:5c4d7b2438d3	5941	/*
switches	0:5c4d7b2438d3	5942	* Set allowed/preferred hashes for handshake signatures
switches	0:5c4d7b2438d3	5943	*/
switches	0:5c4d7b2438d3	5944	void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5945	const int *hashes )
switches	0:5c4d7b2438d3	5946	{
switches	0:5c4d7b2438d3	5947	conf->sig_hashes = hashes;
switches	0:5c4d7b2438d3	5948	}
switches	0:5c4d7b2438d3	5949	#endif
switches	0:5c4d7b2438d3	5950
switches	0:5c4d7b2438d3	5951	#if defined(MBEDTLS_ECP_C)
switches	0:5c4d7b2438d3	5952	/*
switches	0:5c4d7b2438d3	5953	* Set the allowed elliptic curves
switches	0:5c4d7b2438d3	5954	*/
switches	0:5c4d7b2438d3	5955	void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5956	const mbedtls_ecp_group_id *curve_list )
switches	0:5c4d7b2438d3	5957	{
switches	0:5c4d7b2438d3	5958	conf->curve_list = curve_list;
switches	0:5c4d7b2438d3	5959	}
switches	0:5c4d7b2438d3	5960	#endif
switches	0:5c4d7b2438d3	5961
switches	0:5c4d7b2438d3	5962	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	5963	int mbedtls_ssl_set_hostname( mbedtls_ssl_context ssl, const char hostname )
switches	0:5c4d7b2438d3	5964	{
switches	0:5c4d7b2438d3	5965	size_t hostname_len;
switches	0:5c4d7b2438d3	5966
switches	0:5c4d7b2438d3	5967	if( hostname == NULL )
switches	0:5c4d7b2438d3	5968	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5969
switches	0:5c4d7b2438d3	5970	hostname_len = strlen( hostname );
switches	0:5c4d7b2438d3	5971
switches	0:5c4d7b2438d3	5972	if( hostname_len + 1 == 0 )
switches	0:5c4d7b2438d3	5973	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5974
switches	0:5c4d7b2438d3	5975	if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
switches	0:5c4d7b2438d3	5976	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	5977
switches	0:5c4d7b2438d3	5978	ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
switches	0:5c4d7b2438d3	5979
switches	0:5c4d7b2438d3	5980	if( ssl->hostname == NULL )
switches	0:5c4d7b2438d3	5981	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
switches	0:5c4d7b2438d3	5982
switches	0:5c4d7b2438d3	5983	memcpy( ssl->hostname, hostname, hostname_len );
switches	0:5c4d7b2438d3	5984
switches	0:5c4d7b2438d3	5985	ssl->hostname[hostname_len] = '\0';
switches	0:5c4d7b2438d3	5986
switches	0:5c4d7b2438d3	5987	return( 0 );
switches	0:5c4d7b2438d3	5988	}
switches	0:5c4d7b2438d3	5989	#endif
switches	0:5c4d7b2438d3	5990
switches	0:5c4d7b2438d3	5991	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
switches	0:5c4d7b2438d3	5992	void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	5993	int (f_sni)(void , mbedtls_ssl_context *,
switches	0:5c4d7b2438d3	5994	const unsigned char *, size_t),
switches	0:5c4d7b2438d3	5995	void *p_sni )
switches	0:5c4d7b2438d3	5996	{
switches	0:5c4d7b2438d3	5997	conf->f_sni = f_sni;
switches	0:5c4d7b2438d3	5998	conf->p_sni = p_sni;
switches	0:5c4d7b2438d3	5999	}
switches	0:5c4d7b2438d3	6000	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
switches	0:5c4d7b2438d3	6001
switches	0:5c4d7b2438d3	6002	#if defined(MBEDTLS_SSL_ALPN)
switches	0:5c4d7b2438d3	6003	int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config conf, const char *protos )
switches	0:5c4d7b2438d3	6004	{
switches	0:5c4d7b2438d3	6005	size_t cur_len, tot_len;
switches	0:5c4d7b2438d3	6006	const char **p;
switches	0:5c4d7b2438d3	6007
switches	0:5c4d7b2438d3	6008	/*
switches	0:5c4d7b2438d3	6009	* "Empty strings MUST NOT be included and byte strings MUST NOT be
switches	0:5c4d7b2438d3	6010	* truncated". Check lengths now rather than later.
switches	0:5c4d7b2438d3	6011	*/
switches	0:5c4d7b2438d3	6012	tot_len = 0;
switches	0:5c4d7b2438d3	6013	for( p = protos; *p != NULL; p++ )
switches	0:5c4d7b2438d3	6014	{
switches	0:5c4d7b2438d3	6015	cur_len = strlen( *p );
switches	0:5c4d7b2438d3	6016	tot_len += cur_len;
switches	0:5c4d7b2438d3	6017
switches	0:5c4d7b2438d3	6018	if( cur_len == 0 \|\| cur_len > 255 \|\| tot_len > 65535 )
switches	0:5c4d7b2438d3	6019	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6020	}
switches	0:5c4d7b2438d3	6021
switches	0:5c4d7b2438d3	6022	conf->alpn_list = protos;
switches	0:5c4d7b2438d3	6023
switches	0:5c4d7b2438d3	6024	return( 0 );
switches	0:5c4d7b2438d3	6025	}
switches	0:5c4d7b2438d3	6026
switches	0:5c4d7b2438d3	6027	const char mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context ssl )
switches	0:5c4d7b2438d3	6028	{
switches	0:5c4d7b2438d3	6029	return( ssl->alpn_chosen );
switches	0:5c4d7b2438d3	6030	}
switches	0:5c4d7b2438d3	6031	#endif /* MBEDTLS_SSL_ALPN */
switches	0:5c4d7b2438d3	6032
switches	0:5c4d7b2438d3	6033	void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
switches	0:5c4d7b2438d3	6034	{
switches	0:5c4d7b2438d3	6035	conf->max_major_ver = major;
switches	0:5c4d7b2438d3	6036	conf->max_minor_ver = minor;
switches	0:5c4d7b2438d3	6037	}
switches	0:5c4d7b2438d3	6038
switches	0:5c4d7b2438d3	6039	void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
switches	0:5c4d7b2438d3	6040	{
switches	0:5c4d7b2438d3	6041	conf->min_major_ver = major;
switches	0:5c4d7b2438d3	6042	conf->min_minor_ver = minor;
switches	0:5c4d7b2438d3	6043	}
switches	0:5c4d7b2438d3	6044
switches	0:5c4d7b2438d3	6045	#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	6046	void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
switches	0:5c4d7b2438d3	6047	{
switches	0:5c4d7b2438d3	6048	conf->fallback = fallback;
switches	0:5c4d7b2438d3	6049	}
switches	0:5c4d7b2438d3	6050	#endif
switches	0:5c4d7b2438d3	6051
switches	0:5c4d7b2438d3	6052	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
switches	0:5c4d7b2438d3	6053	void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
switches	0:5c4d7b2438d3	6054	{
switches	0:5c4d7b2438d3	6055	conf->encrypt_then_mac = etm;
switches	0:5c4d7b2438d3	6056	}
switches	0:5c4d7b2438d3	6057	#endif
switches	0:5c4d7b2438d3	6058
switches	0:5c4d7b2438d3	6059	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
switches	0:5c4d7b2438d3	6060	void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
switches	0:5c4d7b2438d3	6061	{
switches	0:5c4d7b2438d3	6062	conf->extended_ms = ems;
switches	0:5c4d7b2438d3	6063	}
switches	0:5c4d7b2438d3	6064	#endif
switches	0:5c4d7b2438d3	6065
switches	0:5c4d7b2438d3	6066	#if defined(MBEDTLS_ARC4_C)
switches	0:5c4d7b2438d3	6067	void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
switches	0:5c4d7b2438d3	6068	{
switches	0:5c4d7b2438d3	6069	conf->arc4_disabled = arc4;
switches	0:5c4d7b2438d3	6070	}
switches	0:5c4d7b2438d3	6071	#endif
switches	0:5c4d7b2438d3	6072
switches	0:5c4d7b2438d3	6073	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
switches	0:5c4d7b2438d3	6074	int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
switches	0:5c4d7b2438d3	6075	{
switches	0:5c4d7b2438d3	6076	if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID \|\|
switches	0:5c4d7b2438d3	6077	mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
switches	0:5c4d7b2438d3	6078	{
switches	0:5c4d7b2438d3	6079	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6080	}
switches	0:5c4d7b2438d3	6081
switches	0:5c4d7b2438d3	6082	conf->mfl_code = mfl_code;
switches	0:5c4d7b2438d3	6083
switches	0:5c4d7b2438d3	6084	return( 0 );
switches	0:5c4d7b2438d3	6085	}
switches	0:5c4d7b2438d3	6086	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
switches	0:5c4d7b2438d3	6087
switches	0:5c4d7b2438d3	6088	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
switches	0:5c4d7b2438d3	6089	void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
switches	0:5c4d7b2438d3	6090	{
switches	0:5c4d7b2438d3	6091	conf->trunc_hmac = truncate;
switches	0:5c4d7b2438d3	6092	}
switches	0:5c4d7b2438d3	6093	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
switches	0:5c4d7b2438d3	6094
switches	0:5c4d7b2438d3	6095	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
switches	0:5c4d7b2438d3	6096	void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
switches	0:5c4d7b2438d3	6097	{
switches	0:5c4d7b2438d3	6098	conf->cbc_record_splitting = split;
switches	0:5c4d7b2438d3	6099	}
switches	0:5c4d7b2438d3	6100	#endif
switches	0:5c4d7b2438d3	6101
switches	0:5c4d7b2438d3	6102	void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
switches	0:5c4d7b2438d3	6103	{
switches	0:5c4d7b2438d3	6104	conf->allow_legacy_renegotiation = allow_legacy;
switches	0:5c4d7b2438d3	6105	}
switches	0:5c4d7b2438d3	6106
switches	0:5c4d7b2438d3	6107	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	6108	void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
switches	0:5c4d7b2438d3	6109	{
switches	0:5c4d7b2438d3	6110	conf->disable_renegotiation = renegotiation;
switches	0:5c4d7b2438d3	6111	}
switches	0:5c4d7b2438d3	6112
switches	0:5c4d7b2438d3	6113	void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
switches	0:5c4d7b2438d3	6114	{
switches	0:5c4d7b2438d3	6115	conf->renego_max_records = max_records;
switches	0:5c4d7b2438d3	6116	}
switches	0:5c4d7b2438d3	6117
switches	0:5c4d7b2438d3	6118	void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	6119	const unsigned char period[8] )
switches	0:5c4d7b2438d3	6120	{
switches	0:5c4d7b2438d3	6121	memcpy( conf->renego_period, period, 8 );
switches	0:5c4d7b2438d3	6122	}
switches	0:5c4d7b2438d3	6123	#endif /* MBEDTLS_SSL_RENEGOTIATION */
switches	0:5c4d7b2438d3	6124
switches	0:5c4d7b2438d3	6125	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
switches	0:5c4d7b2438d3	6126	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	6127	void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
switches	0:5c4d7b2438d3	6128	{
switches	0:5c4d7b2438d3	6129	conf->session_tickets = use_tickets;
switches	0:5c4d7b2438d3	6130	}
switches	0:5c4d7b2438d3	6131	#endif
switches	0:5c4d7b2438d3	6132
switches	0:5c4d7b2438d3	6133	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	6134	void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	6135	mbedtls_ssl_ticket_write_t *f_ticket_write,
switches	0:5c4d7b2438d3	6136	mbedtls_ssl_ticket_parse_t *f_ticket_parse,
switches	0:5c4d7b2438d3	6137	void *p_ticket )
switches	0:5c4d7b2438d3	6138	{
switches	0:5c4d7b2438d3	6139	conf->f_ticket_write = f_ticket_write;
switches	0:5c4d7b2438d3	6140	conf->f_ticket_parse = f_ticket_parse;
switches	0:5c4d7b2438d3	6141	conf->p_ticket = p_ticket;
switches	0:5c4d7b2438d3	6142	}
switches	0:5c4d7b2438d3	6143	#endif
switches	0:5c4d7b2438d3	6144	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
switches	0:5c4d7b2438d3	6145
switches	0:5c4d7b2438d3	6146	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
switches	0:5c4d7b2438d3	6147	void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	6148	mbedtls_ssl_export_keys_t *f_export_keys,
switches	0:5c4d7b2438d3	6149	void *p_export_keys )
switches	0:5c4d7b2438d3	6150	{
switches	0:5c4d7b2438d3	6151	conf->f_export_keys = f_export_keys;
switches	0:5c4d7b2438d3	6152	conf->p_export_keys = p_export_keys;
switches	0:5c4d7b2438d3	6153	}
switches	0:5c4d7b2438d3	6154	#endif
switches	0:5c4d7b2438d3	6155
switches	0:5c4d7b2438d3	6156	/*
switches	0:5c4d7b2438d3	6157	* SSL get accessors
switches	0:5c4d7b2438d3	6158	*/
switches	0:5c4d7b2438d3	6159	size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6160	{
switches	0:5c4d7b2438d3	6161	return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
switches	0:5c4d7b2438d3	6162	}
switches	0:5c4d7b2438d3	6163
switches	0:5c4d7b2438d3	6164	uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6165	{
switches	0:5c4d7b2438d3	6166	if( ssl->session != NULL )
switches	0:5c4d7b2438d3	6167	return( ssl->session->verify_result );
switches	0:5c4d7b2438d3	6168
switches	0:5c4d7b2438d3	6169	if( ssl->session_negotiate != NULL )
switches	0:5c4d7b2438d3	6170	return( ssl->session_negotiate->verify_result );
switches	0:5c4d7b2438d3	6171
switches	0:5c4d7b2438d3	6172	return( 0xFFFFFFFF );
switches	0:5c4d7b2438d3	6173	}
switches	0:5c4d7b2438d3	6174
switches	0:5c4d7b2438d3	6175	const char mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context ssl )
switches	0:5c4d7b2438d3	6176	{
switches	0:5c4d7b2438d3	6177	if( ssl == NULL \|\| ssl->session == NULL )
switches	0:5c4d7b2438d3	6178	return( NULL );
switches	0:5c4d7b2438d3	6179
switches	0:5c4d7b2438d3	6180	return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
switches	0:5c4d7b2438d3	6181	}
switches	0:5c4d7b2438d3	6182
switches	0:5c4d7b2438d3	6183	const char mbedtls_ssl_get_version( const mbedtls_ssl_context ssl )
switches	0:5c4d7b2438d3	6184	{
switches	0:5c4d7b2438d3	6185	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6186	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	6187	{
switches	0:5c4d7b2438d3	6188	switch( ssl->minor_ver )
switches	0:5c4d7b2438d3	6189	{
switches	0:5c4d7b2438d3	6190	case MBEDTLS_SSL_MINOR_VERSION_2:
switches	0:5c4d7b2438d3	6191	return( "DTLSv1.0" );
switches	0:5c4d7b2438d3	6192
switches	0:5c4d7b2438d3	6193	case MBEDTLS_SSL_MINOR_VERSION_3:
switches	0:5c4d7b2438d3	6194	return( "DTLSv1.2" );
switches	0:5c4d7b2438d3	6195
switches	0:5c4d7b2438d3	6196	default:
switches	0:5c4d7b2438d3	6197	return( "unknown (DTLS)" );
switches	0:5c4d7b2438d3	6198	}
switches	0:5c4d7b2438d3	6199	}
switches	0:5c4d7b2438d3	6200	#endif
switches	0:5c4d7b2438d3	6201
switches	0:5c4d7b2438d3	6202	switch( ssl->minor_ver )
switches	0:5c4d7b2438d3	6203	{
switches	0:5c4d7b2438d3	6204	case MBEDTLS_SSL_MINOR_VERSION_0:
switches	0:5c4d7b2438d3	6205	return( "SSLv3.0" );
switches	0:5c4d7b2438d3	6206
switches	0:5c4d7b2438d3	6207	case MBEDTLS_SSL_MINOR_VERSION_1:
switches	0:5c4d7b2438d3	6208	return( "TLSv1.0" );
switches	0:5c4d7b2438d3	6209
switches	0:5c4d7b2438d3	6210	case MBEDTLS_SSL_MINOR_VERSION_2:
switches	0:5c4d7b2438d3	6211	return( "TLSv1.1" );
switches	0:5c4d7b2438d3	6212
switches	0:5c4d7b2438d3	6213	case MBEDTLS_SSL_MINOR_VERSION_3:
switches	0:5c4d7b2438d3	6214	return( "TLSv1.2" );
switches	0:5c4d7b2438d3	6215
switches	0:5c4d7b2438d3	6216	default:
switches	0:5c4d7b2438d3	6217	return( "unknown" );
switches	0:5c4d7b2438d3	6218	}
switches	0:5c4d7b2438d3	6219	}
switches	0:5c4d7b2438d3	6220
switches	0:5c4d7b2438d3	6221	int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6222	{
switches	0:5c4d7b2438d3	6223	size_t transform_expansion;
switches	0:5c4d7b2438d3	6224	const mbedtls_ssl_transform *transform = ssl->transform_out;
switches	0:5c4d7b2438d3	6225
switches	0:5c4d7b2438d3	6226	#if defined(MBEDTLS_ZLIB_SUPPORT)
switches	0:5c4d7b2438d3	6227	if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
switches	0:5c4d7b2438d3	6228	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
switches	0:5c4d7b2438d3	6229	#endif
switches	0:5c4d7b2438d3	6230
switches	0:5c4d7b2438d3	6231	if( transform == NULL )
switches	0:5c4d7b2438d3	6232	return( (int) mbedtls_ssl_hdr_len( ssl ) );
switches	0:5c4d7b2438d3	6233
switches	0:5c4d7b2438d3	6234	switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
switches	0:5c4d7b2438d3	6235	{
switches	0:5c4d7b2438d3	6236	case MBEDTLS_MODE_GCM:
switches	0:5c4d7b2438d3	6237	case MBEDTLS_MODE_CCM:
switches	0:5c4d7b2438d3	6238	case MBEDTLS_MODE_STREAM:
switches	0:5c4d7b2438d3	6239	transform_expansion = transform->minlen;
switches	0:5c4d7b2438d3	6240	break;
switches	0:5c4d7b2438d3	6241
switches	0:5c4d7b2438d3	6242	case MBEDTLS_MODE_CBC:
switches	0:5c4d7b2438d3	6243	transform_expansion = transform->maclen
switches	0:5c4d7b2438d3	6244	+ mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc );
switches	0:5c4d7b2438d3	6245	break;
switches	0:5c4d7b2438d3	6246
switches	0:5c4d7b2438d3	6247	default:
switches	0:5c4d7b2438d3	6248	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	6249	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	6250	}
switches	0:5c4d7b2438d3	6251
switches	0:5c4d7b2438d3	6252	return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
switches	0:5c4d7b2438d3	6253	}
switches	0:5c4d7b2438d3	6254
switches	0:5c4d7b2438d3	6255	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
switches	0:5c4d7b2438d3	6256	size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6257	{
switches	0:5c4d7b2438d3	6258	size_t max_len;
switches	0:5c4d7b2438d3	6259
switches	0:5c4d7b2438d3	6260	/*
switches	0:5c4d7b2438d3	6261	* Assume mfl_code is correct since it was checked when set
switches	0:5c4d7b2438d3	6262	*/
switches	0:5c4d7b2438d3	6263	max_len = mfl_code_to_length[ssl->conf->mfl_code];
switches	0:5c4d7b2438d3	6264
switches	0:5c4d7b2438d3	6265	/*
switches	0:5c4d7b2438d3	6266	* Check if a smaller max length was negotiated
switches	0:5c4d7b2438d3	6267	*/
switches	0:5c4d7b2438d3	6268	if( ssl->session_out != NULL &&
switches	0:5c4d7b2438d3	6269	mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
switches	0:5c4d7b2438d3	6270	{
switches	0:5c4d7b2438d3	6271	max_len = mfl_code_to_length[ssl->session_out->mfl_code];
switches	0:5c4d7b2438d3	6272	}
switches	0:5c4d7b2438d3	6273
switches	0:5c4d7b2438d3	6274	return max_len;
switches	0:5c4d7b2438d3	6275	}
switches	0:5c4d7b2438d3	6276	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
switches	0:5c4d7b2438d3	6277
switches	0:5c4d7b2438d3	6278	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	6279	const mbedtls_x509_crt mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context ssl )
switches	0:5c4d7b2438d3	6280	{
switches	0:5c4d7b2438d3	6281	if( ssl == NULL \|\| ssl->session == NULL )
switches	0:5c4d7b2438d3	6282	return( NULL );
switches	0:5c4d7b2438d3	6283
switches	0:5c4d7b2438d3	6284	return( ssl->session->peer_cert );
switches	0:5c4d7b2438d3	6285	}
switches	0:5c4d7b2438d3	6286	#endif /* MBEDTLS_X509_CRT_PARSE_C */
switches	0:5c4d7b2438d3	6287
switches	0:5c4d7b2438d3	6288	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	6289	int mbedtls_ssl_get_session( const mbedtls_ssl_context ssl, mbedtls_ssl_session dst )
switches	0:5c4d7b2438d3	6290	{
switches	0:5c4d7b2438d3	6291	if( ssl == NULL \|\|
switches	0:5c4d7b2438d3	6292	dst == NULL \|\|
switches	0:5c4d7b2438d3	6293	ssl->session == NULL \|\|
switches	0:5c4d7b2438d3	6294	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	6295	{
switches	0:5c4d7b2438d3	6296	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6297	}
switches	0:5c4d7b2438d3	6298
switches	0:5c4d7b2438d3	6299	return( ssl_session_copy( dst, ssl->session ) );
switches	0:5c4d7b2438d3	6300	}
switches	0:5c4d7b2438d3	6301	#endif /* MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	6302
switches	0:5c4d7b2438d3	6303	/*
switches	0:5c4d7b2438d3	6304	* Perform a single step of the SSL handshake
switches	0:5c4d7b2438d3	6305	*/
switches	0:5c4d7b2438d3	6306	int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6307	{
switches	0:5c4d7b2438d3	6308	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
switches	0:5c4d7b2438d3	6309
switches	0:5c4d7b2438d3	6310	if( ssl == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	6311	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6312
switches	0:5c4d7b2438d3	6313	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	6314	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	6315	ret = mbedtls_ssl_handshake_client_step( ssl );
switches	0:5c4d7b2438d3	6316	#endif
switches	0:5c4d7b2438d3	6317	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	6318	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	6319	ret = mbedtls_ssl_handshake_server_step( ssl );
switches	0:5c4d7b2438d3	6320	#endif
switches	0:5c4d7b2438d3	6321
switches	0:5c4d7b2438d3	6322	return( ret );
switches	0:5c4d7b2438d3	6323	}
switches	0:5c4d7b2438d3	6324
switches	0:5c4d7b2438d3	6325	/*
switches	0:5c4d7b2438d3	6326	* Perform the SSL handshake
switches	0:5c4d7b2438d3	6327	*/
switches	0:5c4d7b2438d3	6328	int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6329	{
switches	0:5c4d7b2438d3	6330	int ret = 0;
switches	0:5c4d7b2438d3	6331
switches	0:5c4d7b2438d3	6332	if( ssl == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	6333	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6334
switches	0:5c4d7b2438d3	6335	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
switches	0:5c4d7b2438d3	6336
switches	0:5c4d7b2438d3	6337	while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	6338	{
switches	0:5c4d7b2438d3	6339	ret = mbedtls_ssl_handshake_step( ssl );
switches	0:5c4d7b2438d3	6340
switches	0:5c4d7b2438d3	6341	if( ret != 0 )
switches	0:5c4d7b2438d3	6342	break;
switches	0:5c4d7b2438d3	6343	}
switches	0:5c4d7b2438d3	6344
switches	0:5c4d7b2438d3	6345	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
switches	0:5c4d7b2438d3	6346
switches	0:5c4d7b2438d3	6347	return( ret );
switches	0:5c4d7b2438d3	6348	}
switches	0:5c4d7b2438d3	6349
switches	0:5c4d7b2438d3	6350	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	6351	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	6352	/*
switches	0:5c4d7b2438d3	6353	* Write HelloRequest to request renegotiation on server
switches	0:5c4d7b2438d3	6354	*/
switches	0:5c4d7b2438d3	6355	static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6356	{
switches	0:5c4d7b2438d3	6357	int ret;
switches	0:5c4d7b2438d3	6358
switches	0:5c4d7b2438d3	6359	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
switches	0:5c4d7b2438d3	6360
switches	0:5c4d7b2438d3	6361	ssl->out_msglen = 4;
switches	0:5c4d7b2438d3	6362	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
switches	0:5c4d7b2438d3	6363	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
switches	0:5c4d7b2438d3	6364
switches	0:5c4d7b2438d3	6365	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6366	{
switches	0:5c4d7b2438d3	6367	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
switches	0:5c4d7b2438d3	6368	return( ret );
switches	0:5c4d7b2438d3	6369	}
switches	0:5c4d7b2438d3	6370
switches	0:5c4d7b2438d3	6371	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
switches	0:5c4d7b2438d3	6372
switches	0:5c4d7b2438d3	6373	return( 0 );
switches	0:5c4d7b2438d3	6374	}
switches	0:5c4d7b2438d3	6375	#endif /* MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	6376
switches	0:5c4d7b2438d3	6377	/*
switches	0:5c4d7b2438d3	6378	* Actually renegotiate current connection, triggered by either:
switches	0:5c4d7b2438d3	6379	* - any side: calling mbedtls_ssl_renegotiate(),
switches	0:5c4d7b2438d3	6380	* - client: receiving a HelloRequest during mbedtls_ssl_read(),
switches	0:5c4d7b2438d3	6381	* - server: receiving any handshake message on server during mbedtls_ssl_read() after
switches	0:5c4d7b2438d3	6382	* the initial handshake is completed.
switches	0:5c4d7b2438d3	6383	* If the handshake doesn't complete due to waiting for I/O, it will continue
switches	0:5c4d7b2438d3	6384	* during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
switches	0:5c4d7b2438d3	6385	*/
switches	0:5c4d7b2438d3	6386	static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6387	{
switches	0:5c4d7b2438d3	6388	int ret;
switches	0:5c4d7b2438d3	6389
switches	0:5c4d7b2438d3	6390	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
switches	0:5c4d7b2438d3	6391
switches	0:5c4d7b2438d3	6392	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6393	return( ret );
switches	0:5c4d7b2438d3	6394
switches	0:5c4d7b2438d3	6395	/* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
switches	0:5c4d7b2438d3	6396	* the ServerHello will have message_seq = 1" */
switches	0:5c4d7b2438d3	6397	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6398	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	6399	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
switches	0:5c4d7b2438d3	6400	{
switches	0:5c4d7b2438d3	6401	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	6402	ssl->handshake->out_msg_seq = 1;
switches	0:5c4d7b2438d3	6403	else
switches	0:5c4d7b2438d3	6404	ssl->handshake->in_msg_seq = 1;
switches	0:5c4d7b2438d3	6405	}
switches	0:5c4d7b2438d3	6406	#endif
switches	0:5c4d7b2438d3	6407
switches	0:5c4d7b2438d3	6408	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
switches	0:5c4d7b2438d3	6409	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
switches	0:5c4d7b2438d3	6410
switches	0:5c4d7b2438d3	6411	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6412	{
switches	0:5c4d7b2438d3	6413	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
switches	0:5c4d7b2438d3	6414	return( ret );
switches	0:5c4d7b2438d3	6415	}
switches	0:5c4d7b2438d3	6416
switches	0:5c4d7b2438d3	6417	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
switches	0:5c4d7b2438d3	6418
switches	0:5c4d7b2438d3	6419	return( 0 );
switches	0:5c4d7b2438d3	6420	}
switches	0:5c4d7b2438d3	6421
switches	0:5c4d7b2438d3	6422	/*
switches	0:5c4d7b2438d3	6423	* Renegotiate current connection on client,
switches	0:5c4d7b2438d3	6424	* or request renegotiation on server
switches	0:5c4d7b2438d3	6425	*/
switches	0:5c4d7b2438d3	6426	int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6427	{
switches	0:5c4d7b2438d3	6428	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
switches	0:5c4d7b2438d3	6429
switches	0:5c4d7b2438d3	6430	if( ssl == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	6431	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6432
switches	0:5c4d7b2438d3	6433	#if defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	6434	/* On server, just send the request */
switches	0:5c4d7b2438d3	6435	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	6436	{
switches	0:5c4d7b2438d3	6437	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	6438	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6439
switches	0:5c4d7b2438d3	6440	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
switches	0:5c4d7b2438d3	6441
switches	0:5c4d7b2438d3	6442	/* Did we already try/start sending HelloRequest? */
switches	0:5c4d7b2438d3	6443	if( ssl->out_left != 0 )
switches	0:5c4d7b2438d3	6444	return( mbedtls_ssl_flush_output( ssl ) );
switches	0:5c4d7b2438d3	6445
switches	0:5c4d7b2438d3	6446	return( ssl_write_hello_request( ssl ) );
switches	0:5c4d7b2438d3	6447	}
switches	0:5c4d7b2438d3	6448	#endif /* MBEDTLS_SSL_SRV_C */
switches	0:5c4d7b2438d3	6449
switches	0:5c4d7b2438d3	6450	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	6451	/*
switches	0:5c4d7b2438d3	6452	* On client, either start the renegotiation process or,
switches	0:5c4d7b2438d3	6453	* if already in progress, continue the handshake
switches	0:5c4d7b2438d3	6454	*/
switches	0:5c4d7b2438d3	6455	if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
switches	0:5c4d7b2438d3	6456	{
switches	0:5c4d7b2438d3	6457	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	6458	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6459
switches	0:5c4d7b2438d3	6460	if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6461	{
switches	0:5c4d7b2438d3	6462	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
switches	0:5c4d7b2438d3	6463	return( ret );
switches	0:5c4d7b2438d3	6464	}
switches	0:5c4d7b2438d3	6465	}
switches	0:5c4d7b2438d3	6466	else
switches	0:5c4d7b2438d3	6467	{
switches	0:5c4d7b2438d3	6468	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6469	{
switches	0:5c4d7b2438d3	6470	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
switches	0:5c4d7b2438d3	6471	return( ret );
switches	0:5c4d7b2438d3	6472	}
switches	0:5c4d7b2438d3	6473	}
switches	0:5c4d7b2438d3	6474	#endif /* MBEDTLS_SSL_CLI_C */
switches	0:5c4d7b2438d3	6475
switches	0:5c4d7b2438d3	6476	return( ret );
switches	0:5c4d7b2438d3	6477	}
switches	0:5c4d7b2438d3	6478
switches	0:5c4d7b2438d3	6479	/*
switches	0:5c4d7b2438d3	6480	* Check record counters and renegotiate if they're above the limit.
switches	0:5c4d7b2438d3	6481	*/
switches	0:5c4d7b2438d3	6482	static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6483	{
switches	0:5c4d7b2438d3	6484	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER \|\|
switches	0:5c4d7b2438d3	6485	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING \|\|
switches	0:5c4d7b2438d3	6486	ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
switches	0:5c4d7b2438d3	6487	{
switches	0:5c4d7b2438d3	6488	return( 0 );
switches	0:5c4d7b2438d3	6489	}
switches	0:5c4d7b2438d3	6490
switches	0:5c4d7b2438d3	6491	if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 &&
switches	0:5c4d7b2438d3	6492	memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 )
switches	0:5c4d7b2438d3	6493	{
switches	0:5c4d7b2438d3	6494	return( 0 );
switches	0:5c4d7b2438d3	6495	}
switches	0:5c4d7b2438d3	6496
switches	0:5c4d7b2438d3	6497	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
switches	0:5c4d7b2438d3	6498	return( mbedtls_ssl_renegotiate( ssl ) );
switches	0:5c4d7b2438d3	6499	}
switches	0:5c4d7b2438d3	6500	#endif /* MBEDTLS_SSL_RENEGOTIATION */
switches	0:5c4d7b2438d3	6501
switches	0:5c4d7b2438d3	6502	/*
switches	0:5c4d7b2438d3	6503	* Receive application data decrypted from the SSL layer
switches	0:5c4d7b2438d3	6504	*/
switches	0:5c4d7b2438d3	6505	int mbedtls_ssl_read( mbedtls_ssl_context ssl, unsigned char buf, size_t len )
switches	0:5c4d7b2438d3	6506	{
switches	0:5c4d7b2438d3	6507	int ret, record_read = 0;
switches	0:5c4d7b2438d3	6508	size_t n;
switches	0:5c4d7b2438d3	6509
switches	0:5c4d7b2438d3	6510	if( ssl == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	6511	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6512
switches	0:5c4d7b2438d3	6513	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
switches	0:5c4d7b2438d3	6514
switches	0:5c4d7b2438d3	6515	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6516	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	6517	{
switches	0:5c4d7b2438d3	6518	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6519	return( ret );
switches	0:5c4d7b2438d3	6520
switches	0:5c4d7b2438d3	6521	if( ssl->handshake != NULL &&
switches	0:5c4d7b2438d3	6522	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
switches	0:5c4d7b2438d3	6523	{
switches	0:5c4d7b2438d3	6524	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6525	return( ret );
switches	0:5c4d7b2438d3	6526	}
switches	0:5c4d7b2438d3	6527	}
switches	0:5c4d7b2438d3	6528	#endif
switches	0:5c4d7b2438d3	6529
switches	0:5c4d7b2438d3	6530	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	6531	if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6532	{
switches	0:5c4d7b2438d3	6533	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
switches	0:5c4d7b2438d3	6534	return( ret );
switches	0:5c4d7b2438d3	6535	}
switches	0:5c4d7b2438d3	6536	#endif
switches	0:5c4d7b2438d3	6537
switches	0:5c4d7b2438d3	6538	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	6539	{
switches	0:5c4d7b2438d3	6540	ret = mbedtls_ssl_handshake( ssl );
switches	0:5c4d7b2438d3	6541	if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
switches	0:5c4d7b2438d3	6542	{
switches	0:5c4d7b2438d3	6543	record_read = 1;
switches	0:5c4d7b2438d3	6544	}
switches	0:5c4d7b2438d3	6545	else if( ret != 0 )
switches	0:5c4d7b2438d3	6546	{
switches	0:5c4d7b2438d3	6547	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
switches	0:5c4d7b2438d3	6548	return( ret );
switches	0:5c4d7b2438d3	6549	}
switches	0:5c4d7b2438d3	6550	}
switches	0:5c4d7b2438d3	6551
switches	0:5c4d7b2438d3	6552	if( ssl->in_offt == NULL )
switches	0:5c4d7b2438d3	6553	{
switches	0:5c4d7b2438d3	6554	/* Start timer if not already running */
switches	0:5c4d7b2438d3	6555	if( ssl->f_get_timer != NULL &&
switches	0:5c4d7b2438d3	6556	ssl->f_get_timer( ssl->p_timer ) == -1 )
switches	0:5c4d7b2438d3	6557	{
switches	0:5c4d7b2438d3	6558	ssl_set_timer( ssl, ssl->conf->read_timeout );
switches	0:5c4d7b2438d3	6559	}
switches	0:5c4d7b2438d3	6560
switches	0:5c4d7b2438d3	6561	if( ! record_read )
switches	0:5c4d7b2438d3	6562	{
switches	0:5c4d7b2438d3	6563	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6564	{
switches	0:5c4d7b2438d3	6565	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
switches	0:5c4d7b2438d3	6566	return( 0 );
switches	0:5c4d7b2438d3	6567
switches	0:5c4d7b2438d3	6568	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
switches	0:5c4d7b2438d3	6569	return( ret );
switches	0:5c4d7b2438d3	6570	}
switches	0:5c4d7b2438d3	6571	}
switches	0:5c4d7b2438d3	6572
switches	0:5c4d7b2438d3	6573	if( ssl->in_msglen == 0 &&
switches	0:5c4d7b2438d3	6574	ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
switches	0:5c4d7b2438d3	6575	{
switches	0:5c4d7b2438d3	6576	/*
switches	0:5c4d7b2438d3	6577	* OpenSSL sends empty messages to randomize the IV
switches	0:5c4d7b2438d3	6578	*/
switches	0:5c4d7b2438d3	6579	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6580	{
switches	0:5c4d7b2438d3	6581	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
switches	0:5c4d7b2438d3	6582	return( 0 );
switches	0:5c4d7b2438d3	6583
switches	0:5c4d7b2438d3	6584	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
switches	0:5c4d7b2438d3	6585	return( ret );
switches	0:5c4d7b2438d3	6586	}
switches	0:5c4d7b2438d3	6587	}
switches	0:5c4d7b2438d3	6588
switches	0:5c4d7b2438d3	6589	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	6590	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
switches	0:5c4d7b2438d3	6591	{
switches	0:5c4d7b2438d3	6592	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
switches	0:5c4d7b2438d3	6593
switches	0:5c4d7b2438d3	6594	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	6595	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
switches	0:5c4d7b2438d3	6596	( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST \|\|
switches	0:5c4d7b2438d3	6597	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
switches	0:5c4d7b2438d3	6598	{
switches	0:5c4d7b2438d3	6599	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
switches	0:5c4d7b2438d3	6600
switches	0:5c4d7b2438d3	6601	/* With DTLS, drop the packet (probably from last handshake) */
switches	0:5c4d7b2438d3	6602	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6603	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	6604	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	6605	#endif
switches	0:5c4d7b2438d3	6606	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
switches	0:5c4d7b2438d3	6607	}
switches	0:5c4d7b2438d3	6608
switches	0:5c4d7b2438d3	6609	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	6610	ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
switches	0:5c4d7b2438d3	6611	{
switches	0:5c4d7b2438d3	6612	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
switches	0:5c4d7b2438d3	6613
switches	0:5c4d7b2438d3	6614	/* With DTLS, drop the packet (probably from last handshake) */
switches	0:5c4d7b2438d3	6615	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6616	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	6617	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	6618	#endif
switches	0:5c4d7b2438d3	6619	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
switches	0:5c4d7b2438d3	6620	}
switches	0:5c4d7b2438d3	6621	#endif
switches	0:5c4d7b2438d3	6622
switches	0:5c4d7b2438d3	6623	if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED \|\|
switches	0:5c4d7b2438d3	6624	( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
switches	0:5c4d7b2438d3	6625	ssl->conf->allow_legacy_renegotiation ==
switches	0:5c4d7b2438d3	6626	MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) )
switches	0:5c4d7b2438d3	6627	{
switches	0:5c4d7b2438d3	6628	MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
switches	0:5c4d7b2438d3	6629
switches	0:5c4d7b2438d3	6630	#if defined(MBEDTLS_SSL_PROTO_SSL3)
switches	0:5c4d7b2438d3	6631	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
switches	0:5c4d7b2438d3	6632	{
switches	0:5c4d7b2438d3	6633	/*
switches	0:5c4d7b2438d3	6634	* SSLv3 does not have a "no_renegotiation" alert
switches	0:5c4d7b2438d3	6635	*/
switches	0:5c4d7b2438d3	6636	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6637	return( ret );
switches	0:5c4d7b2438d3	6638	}
switches	0:5c4d7b2438d3	6639	else
switches	0:5c4d7b2438d3	6640	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
switches	0:5c4d7b2438d3	6641	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
switches	0:5c4d7b2438d3	6642	defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	6643	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
switches	0:5c4d7b2438d3	6644	{
switches	0:5c4d7b2438d3	6645	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
switches	0:5c4d7b2438d3	6646	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
switches	0:5c4d7b2438d3	6647	MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
switches	0:5c4d7b2438d3	6648	{
switches	0:5c4d7b2438d3	6649	return( ret );
switches	0:5c4d7b2438d3	6650	}
switches	0:5c4d7b2438d3	6651	}
switches	0:5c4d7b2438d3	6652	else
switches	0:5c4d7b2438d3	6653	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\|
switches	0:5c4d7b2438d3	6654	MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	6655	{
switches	0:5c4d7b2438d3	6656	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
switches	0:5c4d7b2438d3	6657	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
switches	0:5c4d7b2438d3	6658	}
switches	0:5c4d7b2438d3	6659	}
switches	0:5c4d7b2438d3	6660	else
switches	0:5c4d7b2438d3	6661	{
switches	0:5c4d7b2438d3	6662	/* DTLS clients need to know renego is server-initiated */
switches	0:5c4d7b2438d3	6663	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6664	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
switches	0:5c4d7b2438d3	6665	ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	6666	{
switches	0:5c4d7b2438d3	6667	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
switches	0:5c4d7b2438d3	6668	}
switches	0:5c4d7b2438d3	6669	#endif
switches	0:5c4d7b2438d3	6670	ret = ssl_start_renegotiation( ssl );
switches	0:5c4d7b2438d3	6671	if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
switches	0:5c4d7b2438d3	6672	{
switches	0:5c4d7b2438d3	6673	record_read = 1;
switches	0:5c4d7b2438d3	6674	}
switches	0:5c4d7b2438d3	6675	else if( ret != 0 )
switches	0:5c4d7b2438d3	6676	{
switches	0:5c4d7b2438d3	6677	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
switches	0:5c4d7b2438d3	6678	return( ret );
switches	0:5c4d7b2438d3	6679	}
switches	0:5c4d7b2438d3	6680	}
switches	0:5c4d7b2438d3	6681
switches	0:5c4d7b2438d3	6682	/* If a non-handshake record was read during renego, fallthrough,
switches	0:5c4d7b2438d3	6683	* else tell the user they should call mbedtls_ssl_read() again */
switches	0:5c4d7b2438d3	6684	if( ! record_read )
switches	0:5c4d7b2438d3	6685	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	6686	}
switches	0:5c4d7b2438d3	6687	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
switches	0:5c4d7b2438d3	6688	{
switches	0:5c4d7b2438d3	6689
switches	0:5c4d7b2438d3	6690	if( ssl->conf->renego_max_records >= 0 )
switches	0:5c4d7b2438d3	6691	{
switches	0:5c4d7b2438d3	6692	if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
switches	0:5c4d7b2438d3	6693	{
switches	0:5c4d7b2438d3	6694	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
switches	0:5c4d7b2438d3	6695	"but not honored by client" ) );
switches	0:5c4d7b2438d3	6696	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
switches	0:5c4d7b2438d3	6697	}
switches	0:5c4d7b2438d3	6698	}
switches	0:5c4d7b2438d3	6699	}
switches	0:5c4d7b2438d3	6700	#endif /* MBEDTLS_SSL_RENEGOTIATION */
switches	0:5c4d7b2438d3	6701
switches	0:5c4d7b2438d3	6702	/* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
switches	0:5c4d7b2438d3	6703	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
switches	0:5c4d7b2438d3	6704	{
switches	0:5c4d7b2438d3	6705	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
switches	0:5c4d7b2438d3	6706	return( MBEDTLS_ERR_SSL_WANT_READ );
switches	0:5c4d7b2438d3	6707	}
switches	0:5c4d7b2438d3	6708
switches	0:5c4d7b2438d3	6709	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
switches	0:5c4d7b2438d3	6710	{
switches	0:5c4d7b2438d3	6711	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
switches	0:5c4d7b2438d3	6712	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
switches	0:5c4d7b2438d3	6713	}
switches	0:5c4d7b2438d3	6714
switches	0:5c4d7b2438d3	6715	ssl->in_offt = ssl->in_msg;
switches	0:5c4d7b2438d3	6716
switches	0:5c4d7b2438d3	6717	/* We're going to return something now, cancel timer,
switches	0:5c4d7b2438d3	6718	* except if handshake (renegotiation) is in progress */
switches	0:5c4d7b2438d3	6719	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	6720	ssl_set_timer( ssl, 0 );
switches	0:5c4d7b2438d3	6721
switches	0:5c4d7b2438d3	6722	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6723	/* If we requested renego but received AppData, resend HelloRequest.
switches	0:5c4d7b2438d3	6724	* Do it now, after setting in_offt, to avoid taking this branch
switches	0:5c4d7b2438d3	6725	* again if ssl_write_hello_request() returns WANT_WRITE */
switches	0:5c4d7b2438d3	6726	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	6727	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
switches	0:5c4d7b2438d3	6728	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
switches	0:5c4d7b2438d3	6729	{
switches	0:5c4d7b2438d3	6730	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6731	{
switches	0:5c4d7b2438d3	6732	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
switches	0:5c4d7b2438d3	6733	return( ret );
switches	0:5c4d7b2438d3	6734	}
switches	0:5c4d7b2438d3	6735	}
switches	0:5c4d7b2438d3	6736	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
switches	0:5c4d7b2438d3	6737	#endif
switches	0:5c4d7b2438d3	6738	}
switches	0:5c4d7b2438d3	6739
switches	0:5c4d7b2438d3	6740	n = ( len < ssl->in_msglen )
switches	0:5c4d7b2438d3	6741	? len : ssl->in_msglen;
switches	0:5c4d7b2438d3	6742
switches	0:5c4d7b2438d3	6743	memcpy( buf, ssl->in_offt, n );
switches	0:5c4d7b2438d3	6744	ssl->in_msglen -= n;
switches	0:5c4d7b2438d3	6745
switches	0:5c4d7b2438d3	6746	if( ssl->in_msglen == 0 )
switches	0:5c4d7b2438d3	6747	/* all bytes consumed */
switches	0:5c4d7b2438d3	6748	ssl->in_offt = NULL;
switches	0:5c4d7b2438d3	6749	else
switches	0:5c4d7b2438d3	6750	/* more data available */
switches	0:5c4d7b2438d3	6751	ssl->in_offt += n;
switches	0:5c4d7b2438d3	6752
switches	0:5c4d7b2438d3	6753	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
switches	0:5c4d7b2438d3	6754
switches	0:5c4d7b2438d3	6755	return( (int) n );
switches	0:5c4d7b2438d3	6756	}
switches	0:5c4d7b2438d3	6757
switches	0:5c4d7b2438d3	6758	/*
switches	0:5c4d7b2438d3	6759	* Send application data to be encrypted by the SSL layer,
switches	0:5c4d7b2438d3	6760	* taking care of max fragment length and buffer size
switches	0:5c4d7b2438d3	6761	*/
switches	0:5c4d7b2438d3	6762	static int ssl_write_real( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	6763	const unsigned char *buf, size_t len )
switches	0:5c4d7b2438d3	6764	{
switches	0:5c4d7b2438d3	6765	int ret;
switches	0:5c4d7b2438d3	6766	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
switches	0:5c4d7b2438d3	6767	size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
switches	0:5c4d7b2438d3	6768
switches	0:5c4d7b2438d3	6769	if( len > max_len )
switches	0:5c4d7b2438d3	6770	{
switches	0:5c4d7b2438d3	6771	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	6772	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	6773	{
switches	0:5c4d7b2438d3	6774	MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
switches	0:5c4d7b2438d3	6775	"maximum fragment length: %d > %d",
switches	0:5c4d7b2438d3	6776	len, max_len ) );
switches	0:5c4d7b2438d3	6777	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6778	}
switches	0:5c4d7b2438d3	6779	else
switches	0:5c4d7b2438d3	6780	#endif
switches	0:5c4d7b2438d3	6781	len = max_len;
switches	0:5c4d7b2438d3	6782	}
switches	0:5c4d7b2438d3	6783	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
switches	0:5c4d7b2438d3	6784
switches	0:5c4d7b2438d3	6785	if( ssl->out_left != 0 )
switches	0:5c4d7b2438d3	6786	{
switches	0:5c4d7b2438d3	6787	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6788	{
switches	0:5c4d7b2438d3	6789	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
switches	0:5c4d7b2438d3	6790	return( ret );
switches	0:5c4d7b2438d3	6791	}
switches	0:5c4d7b2438d3	6792	}
switches	0:5c4d7b2438d3	6793	else
switches	0:5c4d7b2438d3	6794	{
switches	0:5c4d7b2438d3	6795	ssl->out_msglen = len;
switches	0:5c4d7b2438d3	6796	ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
switches	0:5c4d7b2438d3	6797	memcpy( ssl->out_msg, buf, len );
switches	0:5c4d7b2438d3	6798
switches	0:5c4d7b2438d3	6799	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6800	{
switches	0:5c4d7b2438d3	6801	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
switches	0:5c4d7b2438d3	6802	return( ret );
switches	0:5c4d7b2438d3	6803	}
switches	0:5c4d7b2438d3	6804	}
switches	0:5c4d7b2438d3	6805
switches	0:5c4d7b2438d3	6806	return( (int) len );
switches	0:5c4d7b2438d3	6807	}
switches	0:5c4d7b2438d3	6808
switches	0:5c4d7b2438d3	6809	/*
switches	0:5c4d7b2438d3	6810	* Write application data, doing 1/n-1 splitting if necessary.
switches	0:5c4d7b2438d3	6811	*
switches	0:5c4d7b2438d3	6812	* With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
switches	0:5c4d7b2438d3	6813	* then the caller will call us again with the same arguments, so
switches	0:5c4d7b2438d3	6814	* remember wether we already did the split or not.
switches	0:5c4d7b2438d3	6815	*/
switches	0:5c4d7b2438d3	6816	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
switches	0:5c4d7b2438d3	6817	static int ssl_write_split( mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	6818	const unsigned char *buf, size_t len )
switches	0:5c4d7b2438d3	6819	{
switches	0:5c4d7b2438d3	6820	int ret;
switches	0:5c4d7b2438d3	6821
switches	0:5c4d7b2438d3	6822	if( ssl->conf->cbc_record_splitting ==
switches	0:5c4d7b2438d3	6823	MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED \|\|
switches	0:5c4d7b2438d3	6824	len <= 1 \|\|
switches	0:5c4d7b2438d3	6825	ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 \|\|
switches	0:5c4d7b2438d3	6826	mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
switches	0:5c4d7b2438d3	6827	!= MBEDTLS_MODE_CBC )
switches	0:5c4d7b2438d3	6828	{
switches	0:5c4d7b2438d3	6829	return( ssl_write_real( ssl, buf, len ) );
switches	0:5c4d7b2438d3	6830	}
switches	0:5c4d7b2438d3	6831
switches	0:5c4d7b2438d3	6832	if( ssl->split_done == 0 )
switches	0:5c4d7b2438d3	6833	{
switches	0:5c4d7b2438d3	6834	if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
switches	0:5c4d7b2438d3	6835	return( ret );
switches	0:5c4d7b2438d3	6836	ssl->split_done = 1;
switches	0:5c4d7b2438d3	6837	}
switches	0:5c4d7b2438d3	6838
switches	0:5c4d7b2438d3	6839	if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
switches	0:5c4d7b2438d3	6840	return( ret );
switches	0:5c4d7b2438d3	6841	ssl->split_done = 0;
switches	0:5c4d7b2438d3	6842
switches	0:5c4d7b2438d3	6843	return( ret + 1 );
switches	0:5c4d7b2438d3	6844	}
switches	0:5c4d7b2438d3	6845	#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
switches	0:5c4d7b2438d3	6846
switches	0:5c4d7b2438d3	6847	/*
switches	0:5c4d7b2438d3	6848	* Write application data (public-facing wrapper)
switches	0:5c4d7b2438d3	6849	*/
switches	0:5c4d7b2438d3	6850	int mbedtls_ssl_write( mbedtls_ssl_context ssl, const unsigned char buf, size_t len )
switches	0:5c4d7b2438d3	6851	{
switches	0:5c4d7b2438d3	6852	int ret;
switches	0:5c4d7b2438d3	6853
switches	0:5c4d7b2438d3	6854	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
switches	0:5c4d7b2438d3	6855
switches	0:5c4d7b2438d3	6856	if( ssl == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	6857	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6858
switches	0:5c4d7b2438d3	6859	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	6860	if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6861	{
switches	0:5c4d7b2438d3	6862	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
switches	0:5c4d7b2438d3	6863	return( ret );
switches	0:5c4d7b2438d3	6864	}
switches	0:5c4d7b2438d3	6865	#endif
switches	0:5c4d7b2438d3	6866
switches	0:5c4d7b2438d3	6867	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	6868	{
switches	0:5c4d7b2438d3	6869	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
switches	0:5c4d7b2438d3	6870	{
switches	0:5c4d7b2438d3	6871	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
switches	0:5c4d7b2438d3	6872	return( ret );
switches	0:5c4d7b2438d3	6873	}
switches	0:5c4d7b2438d3	6874	}
switches	0:5c4d7b2438d3	6875
switches	0:5c4d7b2438d3	6876	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
switches	0:5c4d7b2438d3	6877	ret = ssl_write_split( ssl, buf, len );
switches	0:5c4d7b2438d3	6878	#else
switches	0:5c4d7b2438d3	6879	ret = ssl_write_real( ssl, buf, len );
switches	0:5c4d7b2438d3	6880	#endif
switches	0:5c4d7b2438d3	6881
switches	0:5c4d7b2438d3	6882	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
switches	0:5c4d7b2438d3	6883
switches	0:5c4d7b2438d3	6884	return( ret );
switches	0:5c4d7b2438d3	6885	}
switches	0:5c4d7b2438d3	6886
switches	0:5c4d7b2438d3	6887	/*
switches	0:5c4d7b2438d3	6888	* Notify the peer that the connection is being closed
switches	0:5c4d7b2438d3	6889	*/
switches	0:5c4d7b2438d3	6890	int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	6891	{
switches	0:5c4d7b2438d3	6892	int ret;
switches	0:5c4d7b2438d3	6893
switches	0:5c4d7b2438d3	6894	if( ssl == NULL \|\| ssl->conf == NULL )
switches	0:5c4d7b2438d3	6895	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
switches	0:5c4d7b2438d3	6896
switches	0:5c4d7b2438d3	6897	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
switches	0:5c4d7b2438d3	6898
switches	0:5c4d7b2438d3	6899	if( ssl->out_left != 0 )
switches	0:5c4d7b2438d3	6900	return( mbedtls_ssl_flush_output( ssl ) );
switches	0:5c4d7b2438d3	6901
switches	0:5c4d7b2438d3	6902	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
switches	0:5c4d7b2438d3	6903	{
switches	0:5c4d7b2438d3	6904	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
switches	0:5c4d7b2438d3	6905	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
switches	0:5c4d7b2438d3	6906	MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
switches	0:5c4d7b2438d3	6907	{
switches	0:5c4d7b2438d3	6908	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
switches	0:5c4d7b2438d3	6909	return( ret );
switches	0:5c4d7b2438d3	6910	}
switches	0:5c4d7b2438d3	6911	}
switches	0:5c4d7b2438d3	6912
switches	0:5c4d7b2438d3	6913	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
switches	0:5c4d7b2438d3	6914
switches	0:5c4d7b2438d3	6915	return( 0 );
switches	0:5c4d7b2438d3	6916	}
switches	0:5c4d7b2438d3	6917
switches	0:5c4d7b2438d3	6918	void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
switches	0:5c4d7b2438d3	6919	{
switches	0:5c4d7b2438d3	6920	if( transform == NULL )
switches	0:5c4d7b2438d3	6921	return;
switches	0:5c4d7b2438d3	6922
switches	0:5c4d7b2438d3	6923	#if defined(MBEDTLS_ZLIB_SUPPORT)
switches	0:5c4d7b2438d3	6924	deflateEnd( &transform->ctx_deflate );
switches	0:5c4d7b2438d3	6925	inflateEnd( &transform->ctx_inflate );
switches	0:5c4d7b2438d3	6926	#endif
switches	0:5c4d7b2438d3	6927
switches	0:5c4d7b2438d3	6928	mbedtls_cipher_free( &transform->cipher_ctx_enc );
switches	0:5c4d7b2438d3	6929	mbedtls_cipher_free( &transform->cipher_ctx_dec );
switches	0:5c4d7b2438d3	6930
switches	0:5c4d7b2438d3	6931	mbedtls_md_free( &transform->md_ctx_enc );
switches	0:5c4d7b2438d3	6932	mbedtls_md_free( &transform->md_ctx_dec );
switches	0:5c4d7b2438d3	6933
switches	0:5c4d7b2438d3	6934	mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
switches	0:5c4d7b2438d3	6935	}
switches	0:5c4d7b2438d3	6936
switches	0:5c4d7b2438d3	6937	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	6938	static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
switches	0:5c4d7b2438d3	6939	{
switches	0:5c4d7b2438d3	6940	mbedtls_ssl_key_cert cur = key_cert, next;
switches	0:5c4d7b2438d3	6941
switches	0:5c4d7b2438d3	6942	while( cur != NULL )
switches	0:5c4d7b2438d3	6943	{
switches	0:5c4d7b2438d3	6944	next = cur->next;
switches	0:5c4d7b2438d3	6945	mbedtls_free( cur );
switches	0:5c4d7b2438d3	6946	cur = next;
switches	0:5c4d7b2438d3	6947	}
switches	0:5c4d7b2438d3	6948	}
switches	0:5c4d7b2438d3	6949	#endif /* MBEDTLS_X509_CRT_PARSE_C */
switches	0:5c4d7b2438d3	6950
switches	0:5c4d7b2438d3	6951	void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
switches	0:5c4d7b2438d3	6952	{
switches	0:5c4d7b2438d3	6953	if( handshake == NULL )
switches	0:5c4d7b2438d3	6954	return;
switches	0:5c4d7b2438d3	6955
switches	0:5c4d7b2438d3	6956	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
switches	0:5c4d7b2438d3	6957	defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	6958	mbedtls_md5_free( &handshake->fin_md5 );
switches	0:5c4d7b2438d3	6959	mbedtls_sha1_free( &handshake->fin_sha1 );
switches	0:5c4d7b2438d3	6960	#endif
switches	0:5c4d7b2438d3	6961	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	6962	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	6963	mbedtls_sha256_free( &handshake->fin_sha256 );
switches	0:5c4d7b2438d3	6964	#endif
switches	0:5c4d7b2438d3	6965	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	6966	mbedtls_sha512_free( &handshake->fin_sha512 );
switches	0:5c4d7b2438d3	6967	#endif
switches	0:5c4d7b2438d3	6968	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	6969
switches	0:5c4d7b2438d3	6970	#if defined(MBEDTLS_DHM_C)
switches	0:5c4d7b2438d3	6971	mbedtls_dhm_free( &handshake->dhm_ctx );
switches	0:5c4d7b2438d3	6972	#endif
switches	0:5c4d7b2438d3	6973	#if defined(MBEDTLS_ECDH_C)
switches	0:5c4d7b2438d3	6974	mbedtls_ecdh_free( &handshake->ecdh_ctx );
switches	0:5c4d7b2438d3	6975	#endif
switches	0:5c4d7b2438d3	6976	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
switches	0:5c4d7b2438d3	6977	mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
switches	0:5c4d7b2438d3	6978	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	6979	mbedtls_free( handshake->ecjpake_cache );
switches	0:5c4d7b2438d3	6980	handshake->ecjpake_cache = NULL;
switches	0:5c4d7b2438d3	6981	handshake->ecjpake_cache_len = 0;
switches	0:5c4d7b2438d3	6982	#endif
switches	0:5c4d7b2438d3	6983	#endif
switches	0:5c4d7b2438d3	6984
switches	0:5c4d7b2438d3	6985	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
switches	0:5c4d7b2438d3	6986	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
switches	0:5c4d7b2438d3	6987	/* explicit void pointer cast for buggy MS compiler */
switches	0:5c4d7b2438d3	6988	mbedtls_free( (void *) handshake->curves );
switches	0:5c4d7b2438d3	6989	#endif
switches	0:5c4d7b2438d3	6990
switches	0:5c4d7b2438d3	6991	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
switches	0:5c4d7b2438d3	6992	if( handshake->psk != NULL )
switches	0:5c4d7b2438d3	6993	{
switches	0:5c4d7b2438d3	6994	mbedtls_zeroize( handshake->psk, handshake->psk_len );
switches	0:5c4d7b2438d3	6995	mbedtls_free( handshake->psk );
switches	0:5c4d7b2438d3	6996	}
switches	0:5c4d7b2438d3	6997	#endif
switches	0:5c4d7b2438d3	6998
switches	0:5c4d7b2438d3	6999	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
switches	0:5c4d7b2438d3	7000	defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
switches	0:5c4d7b2438d3	7001	/*
switches	0:5c4d7b2438d3	7002	* Free only the linked list wrapper, not the keys themselves
switches	0:5c4d7b2438d3	7003	* since the belong to the SNI callback
switches	0:5c4d7b2438d3	7004	*/
switches	0:5c4d7b2438d3	7005	if( handshake->sni_key_cert != NULL )
switches	0:5c4d7b2438d3	7006	{
switches	0:5c4d7b2438d3	7007	mbedtls_ssl_key_cert cur = handshake->sni_key_cert, next;
switches	0:5c4d7b2438d3	7008
switches	0:5c4d7b2438d3	7009	while( cur != NULL )
switches	0:5c4d7b2438d3	7010	{
switches	0:5c4d7b2438d3	7011	next = cur->next;
switches	0:5c4d7b2438d3	7012	mbedtls_free( cur );
switches	0:5c4d7b2438d3	7013	cur = next;
switches	0:5c4d7b2438d3	7014	}
switches	0:5c4d7b2438d3	7015	}
switches	0:5c4d7b2438d3	7016	#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
switches	0:5c4d7b2438d3	7017
switches	0:5c4d7b2438d3	7018	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	7019	mbedtls_free( handshake->verify_cookie );
switches	0:5c4d7b2438d3	7020	mbedtls_free( handshake->hs_msg );
switches	0:5c4d7b2438d3	7021	ssl_flight_free( handshake->flight );
switches	0:5c4d7b2438d3	7022	#endif
switches	0:5c4d7b2438d3	7023
switches	0:5c4d7b2438d3	7024	mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) );
switches	0:5c4d7b2438d3	7025	}
switches	0:5c4d7b2438d3	7026
switches	0:5c4d7b2438d3	7027	void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
switches	0:5c4d7b2438d3	7028	{
switches	0:5c4d7b2438d3	7029	if( session == NULL )
switches	0:5c4d7b2438d3	7030	return;
switches	0:5c4d7b2438d3	7031
switches	0:5c4d7b2438d3	7032	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	7033	if( session->peer_cert != NULL )
switches	0:5c4d7b2438d3	7034	{
switches	0:5c4d7b2438d3	7035	mbedtls_x509_crt_free( session->peer_cert );
switches	0:5c4d7b2438d3	7036	mbedtls_free( session->peer_cert );
switches	0:5c4d7b2438d3	7037	}
switches	0:5c4d7b2438d3	7038	#endif
switches	0:5c4d7b2438d3	7039
switches	0:5c4d7b2438d3	7040	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	7041	mbedtls_free( session->ticket );
switches	0:5c4d7b2438d3	7042	#endif
switches	0:5c4d7b2438d3	7043
switches	0:5c4d7b2438d3	7044	mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) );
switches	0:5c4d7b2438d3	7045	}
switches	0:5c4d7b2438d3	7046
switches	0:5c4d7b2438d3	7047	/*
switches	0:5c4d7b2438d3	7048	* Free an SSL context
switches	0:5c4d7b2438d3	7049	*/
switches	0:5c4d7b2438d3	7050	void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
switches	0:5c4d7b2438d3	7051	{
switches	0:5c4d7b2438d3	7052	if( ssl == NULL )
switches	0:5c4d7b2438d3	7053	return;
switches	0:5c4d7b2438d3	7054
switches	0:5c4d7b2438d3	7055	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
switches	0:5c4d7b2438d3	7056
switches	0:5c4d7b2438d3	7057	if( ssl->out_buf != NULL )
switches	0:5c4d7b2438d3	7058	{
switches	0:5c4d7b2438d3	7059	mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
switches	0:5c4d7b2438d3	7060	mbedtls_free( ssl->out_buf );
switches	0:5c4d7b2438d3	7061	}
switches	0:5c4d7b2438d3	7062
switches	0:5c4d7b2438d3	7063	if( ssl->in_buf != NULL )
switches	0:5c4d7b2438d3	7064	{
switches	0:5c4d7b2438d3	7065	mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
switches	0:5c4d7b2438d3	7066	mbedtls_free( ssl->in_buf );
switches	0:5c4d7b2438d3	7067	}
switches	0:5c4d7b2438d3	7068
switches	0:5c4d7b2438d3	7069	#if defined(MBEDTLS_ZLIB_SUPPORT)
switches	0:5c4d7b2438d3	7070	if( ssl->compress_buf != NULL )
switches	0:5c4d7b2438d3	7071	{
switches	0:5c4d7b2438d3	7072	mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
switches	0:5c4d7b2438d3	7073	mbedtls_free( ssl->compress_buf );
switches	0:5c4d7b2438d3	7074	}
switches	0:5c4d7b2438d3	7075	#endif
switches	0:5c4d7b2438d3	7076
switches	0:5c4d7b2438d3	7077	if( ssl->transform )
switches	0:5c4d7b2438d3	7078	{
switches	0:5c4d7b2438d3	7079	mbedtls_ssl_transform_free( ssl->transform );
switches	0:5c4d7b2438d3	7080	mbedtls_free( ssl->transform );
switches	0:5c4d7b2438d3	7081	}
switches	0:5c4d7b2438d3	7082
switches	0:5c4d7b2438d3	7083	if( ssl->handshake )
switches	0:5c4d7b2438d3	7084	{
switches	0:5c4d7b2438d3	7085	mbedtls_ssl_handshake_free( ssl->handshake );
switches	0:5c4d7b2438d3	7086	mbedtls_ssl_transform_free( ssl->transform_negotiate );
switches	0:5c4d7b2438d3	7087	mbedtls_ssl_session_free( ssl->session_negotiate );
switches	0:5c4d7b2438d3	7088
switches	0:5c4d7b2438d3	7089	mbedtls_free( ssl->handshake );
switches	0:5c4d7b2438d3	7090	mbedtls_free( ssl->transform_negotiate );
switches	0:5c4d7b2438d3	7091	mbedtls_free( ssl->session_negotiate );
switches	0:5c4d7b2438d3	7092	}
switches	0:5c4d7b2438d3	7093
switches	0:5c4d7b2438d3	7094	if( ssl->session )
switches	0:5c4d7b2438d3	7095	{
switches	0:5c4d7b2438d3	7096	mbedtls_ssl_session_free( ssl->session );
switches	0:5c4d7b2438d3	7097	mbedtls_free( ssl->session );
switches	0:5c4d7b2438d3	7098	}
switches	0:5c4d7b2438d3	7099
switches	0:5c4d7b2438d3	7100	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	7101	if( ssl->hostname != NULL )
switches	0:5c4d7b2438d3	7102	{
switches	0:5c4d7b2438d3	7103	mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
switches	0:5c4d7b2438d3	7104	mbedtls_free( ssl->hostname );
switches	0:5c4d7b2438d3	7105	}
switches	0:5c4d7b2438d3	7106	#endif
switches	0:5c4d7b2438d3	7107
switches	0:5c4d7b2438d3	7108	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
switches	0:5c4d7b2438d3	7109	if( mbedtls_ssl_hw_record_finish != NULL )
switches	0:5c4d7b2438d3	7110	{
switches	0:5c4d7b2438d3	7111	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
switches	0:5c4d7b2438d3	7112	mbedtls_ssl_hw_record_finish( ssl );
switches	0:5c4d7b2438d3	7113	}
switches	0:5c4d7b2438d3	7114	#endif
switches	0:5c4d7b2438d3	7115
switches	0:5c4d7b2438d3	7116	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	7117	mbedtls_free( ssl->cli_id );
switches	0:5c4d7b2438d3	7118	#endif
switches	0:5c4d7b2438d3	7119
switches	0:5c4d7b2438d3	7120	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
switches	0:5c4d7b2438d3	7121
switches	0:5c4d7b2438d3	7122	/* Actually clear after last debug message */
switches	0:5c4d7b2438d3	7123	mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
switches	0:5c4d7b2438d3	7124	}
switches	0:5c4d7b2438d3	7125
switches	0:5c4d7b2438d3	7126	/*
switches	0:5c4d7b2438d3	7127	* Initialze mbedtls_ssl_config
switches	0:5c4d7b2438d3	7128	*/
switches	0:5c4d7b2438d3	7129	void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
switches	0:5c4d7b2438d3	7130	{
switches	0:5c4d7b2438d3	7131	memset( conf, 0, sizeof( mbedtls_ssl_config ) );
switches	0:5c4d7b2438d3	7132	}
switches	0:5c4d7b2438d3	7133
switches	0:5c4d7b2438d3	7134	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
switches	0:5c4d7b2438d3	7135	static int ssl_preset_default_hashes[] = {
switches	0:5c4d7b2438d3	7136	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	7137	MBEDTLS_MD_SHA512,
switches	0:5c4d7b2438d3	7138	MBEDTLS_MD_SHA384,
switches	0:5c4d7b2438d3	7139	#endif
switches	0:5c4d7b2438d3	7140	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	7141	MBEDTLS_MD_SHA256,
switches	0:5c4d7b2438d3	7142	MBEDTLS_MD_SHA224,
switches	0:5c4d7b2438d3	7143	#endif
switches	0:5c4d7b2438d3	7144	#if defined(MBEDTLS_SHA1_C)
switches	0:5c4d7b2438d3	7145	MBEDTLS_MD_SHA1,
switches	0:5c4d7b2438d3	7146	#endif
switches	0:5c4d7b2438d3	7147	MBEDTLS_MD_NONE
switches	0:5c4d7b2438d3	7148	};
switches	0:5c4d7b2438d3	7149	#endif
switches	0:5c4d7b2438d3	7150
switches	0:5c4d7b2438d3	7151	static int ssl_preset_suiteb_ciphersuites[] = {
switches	0:5c4d7b2438d3	7152	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
switches	0:5c4d7b2438d3	7153	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
switches	0:5c4d7b2438d3	7154	0
switches	0:5c4d7b2438d3	7155	};
switches	0:5c4d7b2438d3	7156
switches	0:5c4d7b2438d3	7157	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
switches	0:5c4d7b2438d3	7158	static int ssl_preset_suiteb_hashes[] = {
switches	0:5c4d7b2438d3	7159	MBEDTLS_MD_SHA256,
switches	0:5c4d7b2438d3	7160	MBEDTLS_MD_SHA384,
switches	0:5c4d7b2438d3	7161	MBEDTLS_MD_NONE
switches	0:5c4d7b2438d3	7162	};
switches	0:5c4d7b2438d3	7163	#endif
switches	0:5c4d7b2438d3	7164
switches	0:5c4d7b2438d3	7165	#if defined(MBEDTLS_ECP_C)
switches	0:5c4d7b2438d3	7166	static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
switches	0:5c4d7b2438d3	7167	MBEDTLS_ECP_DP_SECP256R1,
switches	0:5c4d7b2438d3	7168	MBEDTLS_ECP_DP_SECP384R1,
switches	0:5c4d7b2438d3	7169	MBEDTLS_ECP_DP_NONE
switches	0:5c4d7b2438d3	7170	};
switches	0:5c4d7b2438d3	7171	#endif
switches	0:5c4d7b2438d3	7172
switches	0:5c4d7b2438d3	7173	/*
switches	0:5c4d7b2438d3	7174	* Load default in mbedtls_ssl_config
switches	0:5c4d7b2438d3	7175	*/
switches	0:5c4d7b2438d3	7176	int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
switches	0:5c4d7b2438d3	7177	int endpoint, int transport, int preset )
switches	0:5c4d7b2438d3	7178	{
switches	0:5c4d7b2438d3	7179	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	7180	int ret;
switches	0:5c4d7b2438d3	7181	#endif
switches	0:5c4d7b2438d3	7182
switches	0:5c4d7b2438d3	7183	/* Use the functions here so that they are covered in tests,
switches	0:5c4d7b2438d3	7184	* but otherwise access member directly for efficiency */
switches	0:5c4d7b2438d3	7185	mbedtls_ssl_conf_endpoint( conf, endpoint );
switches	0:5c4d7b2438d3	7186	mbedtls_ssl_conf_transport( conf, transport );
switches	0:5c4d7b2438d3	7187
switches	0:5c4d7b2438d3	7188	/*
switches	0:5c4d7b2438d3	7189	* Things that are common to all presets
switches	0:5c4d7b2438d3	7190	*/
switches	0:5c4d7b2438d3	7191	#if defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	7192	if( endpoint == MBEDTLS_SSL_IS_CLIENT )
switches	0:5c4d7b2438d3	7193	{
switches	0:5c4d7b2438d3	7194	conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
switches	0:5c4d7b2438d3	7195	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
switches	0:5c4d7b2438d3	7196	conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
switches	0:5c4d7b2438d3	7197	#endif
switches	0:5c4d7b2438d3	7198	}
switches	0:5c4d7b2438d3	7199	#endif
switches	0:5c4d7b2438d3	7200
switches	0:5c4d7b2438d3	7201	#if defined(MBEDTLS_ARC4_C)
switches	0:5c4d7b2438d3	7202	conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
switches	0:5c4d7b2438d3	7203	#endif
switches	0:5c4d7b2438d3	7204
switches	0:5c4d7b2438d3	7205	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
switches	0:5c4d7b2438d3	7206	conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
switches	0:5c4d7b2438d3	7207	#endif
switches	0:5c4d7b2438d3	7208
switches	0:5c4d7b2438d3	7209	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
switches	0:5c4d7b2438d3	7210	conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
switches	0:5c4d7b2438d3	7211	#endif
switches	0:5c4d7b2438d3	7212
switches	0:5c4d7b2438d3	7213	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
switches	0:5c4d7b2438d3	7214	conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
switches	0:5c4d7b2438d3	7215	#endif
switches	0:5c4d7b2438d3	7216
switches	0:5c4d7b2438d3	7217	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	7218	conf->f_cookie_write = ssl_cookie_write_dummy;
switches	0:5c4d7b2438d3	7219	conf->f_cookie_check = ssl_cookie_check_dummy;
switches	0:5c4d7b2438d3	7220	#endif
switches	0:5c4d7b2438d3	7221
switches	0:5c4d7b2438d3	7222	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
switches	0:5c4d7b2438d3	7223	conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
switches	0:5c4d7b2438d3	7224	#endif
switches	0:5c4d7b2438d3	7225
switches	0:5c4d7b2438d3	7226	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	7227	conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
switches	0:5c4d7b2438d3	7228	conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
switches	0:5c4d7b2438d3	7229	#endif
switches	0:5c4d7b2438d3	7230
switches	0:5c4d7b2438d3	7231	#if defined(MBEDTLS_SSL_RENEGOTIATION)
switches	0:5c4d7b2438d3	7232	conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
switches	0:5c4d7b2438d3	7233	memset( conf->renego_period, 0xFF, 7 );
switches	0:5c4d7b2438d3	7234	conf->renego_period[7] = 0x00;
switches	0:5c4d7b2438d3	7235	#endif
switches	0:5c4d7b2438d3	7236
switches	0:5c4d7b2438d3	7237	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
switches	0:5c4d7b2438d3	7238	if( endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	7239	{
switches	0:5c4d7b2438d3	7240	if( ( ret = mbedtls_ssl_conf_dh_param( conf,
switches	0:5c4d7b2438d3	7241	MBEDTLS_DHM_RFC5114_MODP_2048_P,
switches	0:5c4d7b2438d3	7242	MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
switches	0:5c4d7b2438d3	7243	{
switches	0:5c4d7b2438d3	7244	return( ret );
switches	0:5c4d7b2438d3	7245	}
switches	0:5c4d7b2438d3	7246	}
switches	0:5c4d7b2438d3	7247	#endif
switches	0:5c4d7b2438d3	7248
switches	0:5c4d7b2438d3	7249	/*
switches	0:5c4d7b2438d3	7250	* Preset-specific defaults
switches	0:5c4d7b2438d3	7251	*/
switches	0:5c4d7b2438d3	7252	switch( preset )
switches	0:5c4d7b2438d3	7253	{
switches	0:5c4d7b2438d3	7254	/*
switches	0:5c4d7b2438d3	7255	* NSA Suite B
switches	0:5c4d7b2438d3	7256	*/
switches	0:5c4d7b2438d3	7257	case MBEDTLS_SSL_PRESET_SUITEB:
switches	0:5c4d7b2438d3	7258	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
switches	0:5c4d7b2438d3	7259	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
switches	0:5c4d7b2438d3	7260	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
switches	0:5c4d7b2438d3	7261	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
switches	0:5c4d7b2438d3	7262
switches	0:5c4d7b2438d3	7263	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
switches	0:5c4d7b2438d3	7264	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
switches	0:5c4d7b2438d3	7265	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
switches	0:5c4d7b2438d3	7266	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
switches	0:5c4d7b2438d3	7267	ssl_preset_suiteb_ciphersuites;
switches	0:5c4d7b2438d3	7268
switches	0:5c4d7b2438d3	7269	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	7270	conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
switches	0:5c4d7b2438d3	7271	#endif
switches	0:5c4d7b2438d3	7272
switches	0:5c4d7b2438d3	7273	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
switches	0:5c4d7b2438d3	7274	conf->sig_hashes = ssl_preset_suiteb_hashes;
switches	0:5c4d7b2438d3	7275	#endif
switches	0:5c4d7b2438d3	7276
switches	0:5c4d7b2438d3	7277	#if defined(MBEDTLS_ECP_C)
switches	0:5c4d7b2438d3	7278	conf->curve_list = ssl_preset_suiteb_curves;
switches	0:5c4d7b2438d3	7279	#endif
switches	0:5c4d7b2438d3	7280	break;
switches	0:5c4d7b2438d3	7281
switches	0:5c4d7b2438d3	7282	/*
switches	0:5c4d7b2438d3	7283	* Default
switches	0:5c4d7b2438d3	7284	*/
switches	0:5c4d7b2438d3	7285	default:
switches	0:5c4d7b2438d3	7286	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
switches	0:5c4d7b2438d3	7287	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
switches	0:5c4d7b2438d3	7288	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
switches	0:5c4d7b2438d3	7289	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
switches	0:5c4d7b2438d3	7290
switches	0:5c4d7b2438d3	7291	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	7292	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	7293	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
switches	0:5c4d7b2438d3	7294	#endif
switches	0:5c4d7b2438d3	7295
switches	0:5c4d7b2438d3	7296	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
switches	0:5c4d7b2438d3	7297	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
switches	0:5c4d7b2438d3	7298	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
switches	0:5c4d7b2438d3	7299	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
switches	0:5c4d7b2438d3	7300	mbedtls_ssl_list_ciphersuites();
switches	0:5c4d7b2438d3	7301
switches	0:5c4d7b2438d3	7302	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	7303	conf->cert_profile = &mbedtls_x509_crt_profile_default;
switches	0:5c4d7b2438d3	7304	#endif
switches	0:5c4d7b2438d3	7305
switches	0:5c4d7b2438d3	7306	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
switches	0:5c4d7b2438d3	7307	conf->sig_hashes = ssl_preset_default_hashes;
switches	0:5c4d7b2438d3	7308	#endif
switches	0:5c4d7b2438d3	7309
switches	0:5c4d7b2438d3	7310	#if defined(MBEDTLS_ECP_C)
switches	0:5c4d7b2438d3	7311	conf->curve_list = mbedtls_ecp_grp_id_list();
switches	0:5c4d7b2438d3	7312	#endif
switches	0:5c4d7b2438d3	7313
switches	0:5c4d7b2438d3	7314	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
switches	0:5c4d7b2438d3	7315	conf->dhm_min_bitlen = 1024;
switches	0:5c4d7b2438d3	7316	#endif
switches	0:5c4d7b2438d3	7317	}
switches	0:5c4d7b2438d3	7318
switches	0:5c4d7b2438d3	7319	return( 0 );
switches	0:5c4d7b2438d3	7320	}
switches	0:5c4d7b2438d3	7321
switches	0:5c4d7b2438d3	7322	/*
switches	0:5c4d7b2438d3	7323	* Free mbedtls_ssl_config
switches	0:5c4d7b2438d3	7324	*/
switches	0:5c4d7b2438d3	7325	void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
switches	0:5c4d7b2438d3	7326	{
switches	0:5c4d7b2438d3	7327	#if defined(MBEDTLS_DHM_C)
switches	0:5c4d7b2438d3	7328	mbedtls_mpi_free( &conf->dhm_P );
switches	0:5c4d7b2438d3	7329	mbedtls_mpi_free( &conf->dhm_G );
switches	0:5c4d7b2438d3	7330	#endif
switches	0:5c4d7b2438d3	7331
switches	0:5c4d7b2438d3	7332	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
switches	0:5c4d7b2438d3	7333	if( conf->psk != NULL )
switches	0:5c4d7b2438d3	7334	{
switches	0:5c4d7b2438d3	7335	mbedtls_zeroize( conf->psk, conf->psk_len );
switches	0:5c4d7b2438d3	7336	mbedtls_zeroize( conf->psk_identity, conf->psk_identity_len );
switches	0:5c4d7b2438d3	7337	mbedtls_free( conf->psk );
switches	0:5c4d7b2438d3	7338	mbedtls_free( conf->psk_identity );
switches	0:5c4d7b2438d3	7339	conf->psk_len = 0;
switches	0:5c4d7b2438d3	7340	conf->psk_identity_len = 0;
switches	0:5c4d7b2438d3	7341	}
switches	0:5c4d7b2438d3	7342	#endif
switches	0:5c4d7b2438d3	7343
switches	0:5c4d7b2438d3	7344	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	7345	ssl_key_cert_free( conf->key_cert );
switches	0:5c4d7b2438d3	7346	#endif
switches	0:5c4d7b2438d3	7347
switches	0:5c4d7b2438d3	7348	mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) );
switches	0:5c4d7b2438d3	7349	}
switches	0:5c4d7b2438d3	7350
switches	0:5c4d7b2438d3	7351	#if defined(MBEDTLS_PK_C) && \
switches	0:5c4d7b2438d3	7352	( defined(MBEDTLS_RSA_C) \|\| defined(MBEDTLS_ECDSA_C) )
switches	0:5c4d7b2438d3	7353	/*
switches	0:5c4d7b2438d3	7354	* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
switches	0:5c4d7b2438d3	7355	*/
switches	0:5c4d7b2438d3	7356	unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
switches	0:5c4d7b2438d3	7357	{
switches	0:5c4d7b2438d3	7358	#if defined(MBEDTLS_RSA_C)
switches	0:5c4d7b2438d3	7359	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
switches	0:5c4d7b2438d3	7360	return( MBEDTLS_SSL_SIG_RSA );
switches	0:5c4d7b2438d3	7361	#endif
switches	0:5c4d7b2438d3	7362	#if defined(MBEDTLS_ECDSA_C)
switches	0:5c4d7b2438d3	7363	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
switches	0:5c4d7b2438d3	7364	return( MBEDTLS_SSL_SIG_ECDSA );
switches	0:5c4d7b2438d3	7365	#endif
switches	0:5c4d7b2438d3	7366	return( MBEDTLS_SSL_SIG_ANON );
switches	0:5c4d7b2438d3	7367	}
switches	0:5c4d7b2438d3	7368
switches	0:5c4d7b2438d3	7369	mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
switches	0:5c4d7b2438d3	7370	{
switches	0:5c4d7b2438d3	7371	switch( sig )
switches	0:5c4d7b2438d3	7372	{
switches	0:5c4d7b2438d3	7373	#if defined(MBEDTLS_RSA_C)
switches	0:5c4d7b2438d3	7374	case MBEDTLS_SSL_SIG_RSA:
switches	0:5c4d7b2438d3	7375	return( MBEDTLS_PK_RSA );
switches	0:5c4d7b2438d3	7376	#endif
switches	0:5c4d7b2438d3	7377	#if defined(MBEDTLS_ECDSA_C)
switches	0:5c4d7b2438d3	7378	case MBEDTLS_SSL_SIG_ECDSA:
switches	0:5c4d7b2438d3	7379	return( MBEDTLS_PK_ECDSA );
switches	0:5c4d7b2438d3	7380	#endif
switches	0:5c4d7b2438d3	7381	default:
switches	0:5c4d7b2438d3	7382	return( MBEDTLS_PK_NONE );
switches	0:5c4d7b2438d3	7383	}
switches	0:5c4d7b2438d3	7384	}
switches	0:5c4d7b2438d3	7385	#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C \|\| MBEDTLS_ECDSA_C ) */
switches	0:5c4d7b2438d3	7386
switches	0:5c4d7b2438d3	7387	/*
switches	0:5c4d7b2438d3	7388	* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
switches	0:5c4d7b2438d3	7389	*/
switches	0:5c4d7b2438d3	7390	mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
switches	0:5c4d7b2438d3	7391	{
switches	0:5c4d7b2438d3	7392	switch( hash )
switches	0:5c4d7b2438d3	7393	{
switches	0:5c4d7b2438d3	7394	#if defined(MBEDTLS_MD5_C)
switches	0:5c4d7b2438d3	7395	case MBEDTLS_SSL_HASH_MD5:
switches	0:5c4d7b2438d3	7396	return( MBEDTLS_MD_MD5 );
switches	0:5c4d7b2438d3	7397	#endif
switches	0:5c4d7b2438d3	7398	#if defined(MBEDTLS_SHA1_C)
switches	0:5c4d7b2438d3	7399	case MBEDTLS_SSL_HASH_SHA1:
switches	0:5c4d7b2438d3	7400	return( MBEDTLS_MD_SHA1 );
switches	0:5c4d7b2438d3	7401	#endif
switches	0:5c4d7b2438d3	7402	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	7403	case MBEDTLS_SSL_HASH_SHA224:
switches	0:5c4d7b2438d3	7404	return( MBEDTLS_MD_SHA224 );
switches	0:5c4d7b2438d3	7405	case MBEDTLS_SSL_HASH_SHA256:
switches	0:5c4d7b2438d3	7406	return( MBEDTLS_MD_SHA256 );
switches	0:5c4d7b2438d3	7407	#endif
switches	0:5c4d7b2438d3	7408	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	7409	case MBEDTLS_SSL_HASH_SHA384:
switches	0:5c4d7b2438d3	7410	return( MBEDTLS_MD_SHA384 );
switches	0:5c4d7b2438d3	7411	case MBEDTLS_SSL_HASH_SHA512:
switches	0:5c4d7b2438d3	7412	return( MBEDTLS_MD_SHA512 );
switches	0:5c4d7b2438d3	7413	#endif
switches	0:5c4d7b2438d3	7414	default:
switches	0:5c4d7b2438d3	7415	return( MBEDTLS_MD_NONE );
switches	0:5c4d7b2438d3	7416	}
switches	0:5c4d7b2438d3	7417	}
switches	0:5c4d7b2438d3	7418
switches	0:5c4d7b2438d3	7419	/*
switches	0:5c4d7b2438d3	7420	* Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
switches	0:5c4d7b2438d3	7421	*/
switches	0:5c4d7b2438d3	7422	unsigned char mbedtls_ssl_hash_from_md_alg( int md )
switches	0:5c4d7b2438d3	7423	{
switches	0:5c4d7b2438d3	7424	switch( md )
switches	0:5c4d7b2438d3	7425	{
switches	0:5c4d7b2438d3	7426	#if defined(MBEDTLS_MD5_C)
switches	0:5c4d7b2438d3	7427	case MBEDTLS_MD_MD5:
switches	0:5c4d7b2438d3	7428	return( MBEDTLS_SSL_HASH_MD5 );
switches	0:5c4d7b2438d3	7429	#endif
switches	0:5c4d7b2438d3	7430	#if defined(MBEDTLS_SHA1_C)
switches	0:5c4d7b2438d3	7431	case MBEDTLS_MD_SHA1:
switches	0:5c4d7b2438d3	7432	return( MBEDTLS_SSL_HASH_SHA1 );
switches	0:5c4d7b2438d3	7433	#endif
switches	0:5c4d7b2438d3	7434	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	7435	case MBEDTLS_MD_SHA224:
switches	0:5c4d7b2438d3	7436	return( MBEDTLS_SSL_HASH_SHA224 );
switches	0:5c4d7b2438d3	7437	case MBEDTLS_MD_SHA256:
switches	0:5c4d7b2438d3	7438	return( MBEDTLS_SSL_HASH_SHA256 );
switches	0:5c4d7b2438d3	7439	#endif
switches	0:5c4d7b2438d3	7440	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	7441	case MBEDTLS_MD_SHA384:
switches	0:5c4d7b2438d3	7442	return( MBEDTLS_SSL_HASH_SHA384 );
switches	0:5c4d7b2438d3	7443	case MBEDTLS_MD_SHA512:
switches	0:5c4d7b2438d3	7444	return( MBEDTLS_SSL_HASH_SHA512 );
switches	0:5c4d7b2438d3	7445	#endif
switches	0:5c4d7b2438d3	7446	default:
switches	0:5c4d7b2438d3	7447	return( MBEDTLS_SSL_HASH_NONE );
switches	0:5c4d7b2438d3	7448	}
switches	0:5c4d7b2438d3	7449	}
switches	0:5c4d7b2438d3	7450
switches	0:5c4d7b2438d3	7451	#if defined(MBEDTLS_ECP_C)
switches	0:5c4d7b2438d3	7452	/*
switches	0:5c4d7b2438d3	7453	* Check if a curve proposed by the peer is in our list.
switches	0:5c4d7b2438d3	7454	* Return 0 if we're willing to use it, -1 otherwise.
switches	0:5c4d7b2438d3	7455	*/
switches	0:5c4d7b2438d3	7456	int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
switches	0:5c4d7b2438d3	7457	{
switches	0:5c4d7b2438d3	7458	const mbedtls_ecp_group_id *gid;
switches	0:5c4d7b2438d3	7459
switches	0:5c4d7b2438d3	7460	if( ssl->conf->curve_list == NULL )
switches	0:5c4d7b2438d3	7461	return( -1 );
switches	0:5c4d7b2438d3	7462
switches	0:5c4d7b2438d3	7463	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
switches	0:5c4d7b2438d3	7464	if( *gid == grp_id )
switches	0:5c4d7b2438d3	7465	return( 0 );
switches	0:5c4d7b2438d3	7466
switches	0:5c4d7b2438d3	7467	return( -1 );
switches	0:5c4d7b2438d3	7468	}
switches	0:5c4d7b2438d3	7469	#endif /* MBEDTLS_ECP_C */
switches	0:5c4d7b2438d3	7470
switches	0:5c4d7b2438d3	7471	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
switches	0:5c4d7b2438d3	7472	/*
switches	0:5c4d7b2438d3	7473	* Check if a hash proposed by the peer is in our list.
switches	0:5c4d7b2438d3	7474	* Return 0 if we're willing to use it, -1 otherwise.
switches	0:5c4d7b2438d3	7475	*/
switches	0:5c4d7b2438d3	7476	int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
switches	0:5c4d7b2438d3	7477	mbedtls_md_type_t md )
switches	0:5c4d7b2438d3	7478	{
switches	0:5c4d7b2438d3	7479	const int *cur;
switches	0:5c4d7b2438d3	7480
switches	0:5c4d7b2438d3	7481	if( ssl->conf->sig_hashes == NULL )
switches	0:5c4d7b2438d3	7482	return( -1 );
switches	0:5c4d7b2438d3	7483
switches	0:5c4d7b2438d3	7484	for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
switches	0:5c4d7b2438d3	7485	if( *cur == (int) md )
switches	0:5c4d7b2438d3	7486	return( 0 );
switches	0:5c4d7b2438d3	7487
switches	0:5c4d7b2438d3	7488	return( -1 );
switches	0:5c4d7b2438d3	7489	}
switches	0:5c4d7b2438d3	7490	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
switches	0:5c4d7b2438d3	7491
switches	0:5c4d7b2438d3	7492	#if defined(MBEDTLS_X509_CRT_PARSE_C)
switches	0:5c4d7b2438d3	7493	int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
switches	0:5c4d7b2438d3	7494	const mbedtls_ssl_ciphersuite_t *ciphersuite,
switches	0:5c4d7b2438d3	7495	int cert_endpoint,
switches	0:5c4d7b2438d3	7496	uint32_t *flags )
switches	0:5c4d7b2438d3	7497	{
switches	0:5c4d7b2438d3	7498	int ret = 0;
switches	0:5c4d7b2438d3	7499	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
switches	0:5c4d7b2438d3	7500	int usage = 0;
switches	0:5c4d7b2438d3	7501	#endif
switches	0:5c4d7b2438d3	7502	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
switches	0:5c4d7b2438d3	7503	const char *ext_oid;
switches	0:5c4d7b2438d3	7504	size_t ext_len;
switches	0:5c4d7b2438d3	7505	#endif
switches	0:5c4d7b2438d3	7506
switches	0:5c4d7b2438d3	7507	#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
switches	0:5c4d7b2438d3	7508	!defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
switches	0:5c4d7b2438d3	7509	((void) cert);
switches	0:5c4d7b2438d3	7510	((void) cert_endpoint);
switches	0:5c4d7b2438d3	7511	((void) flags);
switches	0:5c4d7b2438d3	7512	#endif
switches	0:5c4d7b2438d3	7513
switches	0:5c4d7b2438d3	7514	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
switches	0:5c4d7b2438d3	7515	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	7516	{
switches	0:5c4d7b2438d3	7517	/* Server part of the key exchange */
switches	0:5c4d7b2438d3	7518	switch( ciphersuite->key_exchange )
switches	0:5c4d7b2438d3	7519	{
switches	0:5c4d7b2438d3	7520	case MBEDTLS_KEY_EXCHANGE_RSA:
switches	0:5c4d7b2438d3	7521	case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
switches	0:5c4d7b2438d3	7522	usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
switches	0:5c4d7b2438d3	7523	break;
switches	0:5c4d7b2438d3	7524
switches	0:5c4d7b2438d3	7525	case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
switches	0:5c4d7b2438d3	7526	case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
switches	0:5c4d7b2438d3	7527	case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
switches	0:5c4d7b2438d3	7528	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
switches	0:5c4d7b2438d3	7529	break;
switches	0:5c4d7b2438d3	7530
switches	0:5c4d7b2438d3	7531	case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
switches	0:5c4d7b2438d3	7532	case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
switches	0:5c4d7b2438d3	7533	usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
switches	0:5c4d7b2438d3	7534	break;
switches	0:5c4d7b2438d3	7535
switches	0:5c4d7b2438d3	7536	/* Don't use default: we want warnings when adding new values */
switches	0:5c4d7b2438d3	7537	case MBEDTLS_KEY_EXCHANGE_NONE:
switches	0:5c4d7b2438d3	7538	case MBEDTLS_KEY_EXCHANGE_PSK:
switches	0:5c4d7b2438d3	7539	case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
switches	0:5c4d7b2438d3	7540	case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
switches	0:5c4d7b2438d3	7541	case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
switches	0:5c4d7b2438d3	7542	usage = 0;
switches	0:5c4d7b2438d3	7543	}
switches	0:5c4d7b2438d3	7544	}
switches	0:5c4d7b2438d3	7545	else
switches	0:5c4d7b2438d3	7546	{
switches	0:5c4d7b2438d3	7547	/* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
switches	0:5c4d7b2438d3	7548	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
switches	0:5c4d7b2438d3	7549	}
switches	0:5c4d7b2438d3	7550
switches	0:5c4d7b2438d3	7551	if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
switches	0:5c4d7b2438d3	7552	{
switches	0:5c4d7b2438d3	7553	*flags \|= MBEDTLS_X509_BADCERT_KEY_USAGE;
switches	0:5c4d7b2438d3	7554	ret = -1;
switches	0:5c4d7b2438d3	7555	}
switches	0:5c4d7b2438d3	7556	#else
switches	0:5c4d7b2438d3	7557	((void) ciphersuite);
switches	0:5c4d7b2438d3	7558	#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
switches	0:5c4d7b2438d3	7559
switches	0:5c4d7b2438d3	7560	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
switches	0:5c4d7b2438d3	7561	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
switches	0:5c4d7b2438d3	7562	{
switches	0:5c4d7b2438d3	7563	ext_oid = MBEDTLS_OID_SERVER_AUTH;
switches	0:5c4d7b2438d3	7564	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
switches	0:5c4d7b2438d3	7565	}
switches	0:5c4d7b2438d3	7566	else
switches	0:5c4d7b2438d3	7567	{
switches	0:5c4d7b2438d3	7568	ext_oid = MBEDTLS_OID_CLIENT_AUTH;
switches	0:5c4d7b2438d3	7569	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
switches	0:5c4d7b2438d3	7570	}
switches	0:5c4d7b2438d3	7571
switches	0:5c4d7b2438d3	7572	if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
switches	0:5c4d7b2438d3	7573	{
switches	0:5c4d7b2438d3	7574	*flags \|= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
switches	0:5c4d7b2438d3	7575	ret = -1;
switches	0:5c4d7b2438d3	7576	}
switches	0:5c4d7b2438d3	7577	#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
switches	0:5c4d7b2438d3	7578
switches	0:5c4d7b2438d3	7579	return( ret );
switches	0:5c4d7b2438d3	7580	}
switches	0:5c4d7b2438d3	7581	#endif /* MBEDTLS_X509_CRT_PARSE_C */
switches	0:5c4d7b2438d3	7582
switches	0:5c4d7b2438d3	7583	/*
switches	0:5c4d7b2438d3	7584	* Convert version numbers to/from wire format
switches	0:5c4d7b2438d3	7585	* and, for DTLS, to/from TLS equivalent.
switches	0:5c4d7b2438d3	7586	*
switches	0:5c4d7b2438d3	7587	* For TLS this is the identity.
switches	0:5c4d7b2438d3	7588	* For DTLS, use one complement (v -> 255 - v, and then map as follows:
switches	0:5c4d7b2438d3	7589	* 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
switches	0:5c4d7b2438d3	7590	* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
switches	0:5c4d7b2438d3	7591	*/
switches	0:5c4d7b2438d3	7592	void mbedtls_ssl_write_version( int major, int minor, int transport,
switches	0:5c4d7b2438d3	7593	unsigned char ver[2] )
switches	0:5c4d7b2438d3	7594	{
switches	0:5c4d7b2438d3	7595	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	7596	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	7597	{
switches	0:5c4d7b2438d3	7598	if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
switches	0:5c4d7b2438d3	7599	--minor; /* DTLS 1.0 stored as TLS 1.1 internally */
switches	0:5c4d7b2438d3	7600
switches	0:5c4d7b2438d3	7601	ver[0] = (unsigned char)( 255 - ( major - 2 ) );
switches	0:5c4d7b2438d3	7602	ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
switches	0:5c4d7b2438d3	7603	}
switches	0:5c4d7b2438d3	7604	else
switches	0:5c4d7b2438d3	7605	#else
switches	0:5c4d7b2438d3	7606	((void) transport);
switches	0:5c4d7b2438d3	7607	#endif
switches	0:5c4d7b2438d3	7608	{
switches	0:5c4d7b2438d3	7609	ver[0] = (unsigned char) major;
switches	0:5c4d7b2438d3	7610	ver[1] = (unsigned char) minor;
switches	0:5c4d7b2438d3	7611	}
switches	0:5c4d7b2438d3	7612	}
switches	0:5c4d7b2438d3	7613
switches	0:5c4d7b2438d3	7614	void mbedtls_ssl_read_version( int major, int minor, int transport,
switches	0:5c4d7b2438d3	7615	const unsigned char ver[2] )
switches	0:5c4d7b2438d3	7616	{
switches	0:5c4d7b2438d3	7617	#if defined(MBEDTLS_SSL_PROTO_DTLS)
switches	0:5c4d7b2438d3	7618	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
switches	0:5c4d7b2438d3	7619	{
switches	0:5c4d7b2438d3	7620	*major = 255 - ver[0] + 2;
switches	0:5c4d7b2438d3	7621	*minor = 255 - ver[1] + 1;
switches	0:5c4d7b2438d3	7622
switches	0:5c4d7b2438d3	7623	if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
switches	0:5c4d7b2438d3	7624	++minor; / DTLS 1.0 stored as TLS 1.1 internally */
switches	0:5c4d7b2438d3	7625	}
switches	0:5c4d7b2438d3	7626	else
switches	0:5c4d7b2438d3	7627	#else
switches	0:5c4d7b2438d3	7628	((void) transport);
switches	0:5c4d7b2438d3	7629	#endif
switches	0:5c4d7b2438d3	7630	{
switches	0:5c4d7b2438d3	7631	*major = ver[0];
switches	0:5c4d7b2438d3	7632	*minor = ver[1];
switches	0:5c4d7b2438d3	7633	}
switches	0:5c4d7b2438d3	7634	}
switches	0:5c4d7b2438d3	7635
switches	0:5c4d7b2438d3	7636	int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
switches	0:5c4d7b2438d3	7637	{
switches	0:5c4d7b2438d3	7638	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
switches	0:5c4d7b2438d3	7639	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
switches	0:5c4d7b2438d3	7640	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
switches	0:5c4d7b2438d3	7641
switches	0:5c4d7b2438d3	7642	switch( md )
switches	0:5c4d7b2438d3	7643	{
switches	0:5c4d7b2438d3	7644	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
switches	0:5c4d7b2438d3	7645	#if defined(MBEDTLS_MD5_C)
switches	0:5c4d7b2438d3	7646	case MBEDTLS_SSL_HASH_MD5:
switches	0:5c4d7b2438d3	7647	ssl->handshake->calc_verify = ssl_calc_verify_tls;
switches	0:5c4d7b2438d3	7648	break;
switches	0:5c4d7b2438d3	7649	#endif
switches	0:5c4d7b2438d3	7650	#if defined(MBEDTLS_SHA1_C)
switches	0:5c4d7b2438d3	7651	case MBEDTLS_SSL_HASH_SHA1:
switches	0:5c4d7b2438d3	7652	ssl->handshake->calc_verify = ssl_calc_verify_tls;
switches	0:5c4d7b2438d3	7653	break;
switches	0:5c4d7b2438d3	7654	#endif
switches	0:5c4d7b2438d3	7655	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
switches	0:5c4d7b2438d3	7656	#if defined(MBEDTLS_SHA512_C)
switches	0:5c4d7b2438d3	7657	case MBEDTLS_SSL_HASH_SHA384:
switches	0:5c4d7b2438d3	7658	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
switches	0:5c4d7b2438d3	7659	break;
switches	0:5c4d7b2438d3	7660	#endif
switches	0:5c4d7b2438d3	7661	#if defined(MBEDTLS_SHA256_C)
switches	0:5c4d7b2438d3	7662	case MBEDTLS_SSL_HASH_SHA256:
switches	0:5c4d7b2438d3	7663	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
switches	0:5c4d7b2438d3	7664	break;
switches	0:5c4d7b2438d3	7665	#endif
switches	0:5c4d7b2438d3	7666	default:
switches	0:5c4d7b2438d3	7667	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
switches	0:5c4d7b2438d3	7668	}
switches	0:5c4d7b2438d3	7669
switches	0:5c4d7b2438d3	7670	return 0;
switches	0:5c4d7b2438d3	7671	#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	7672	(void) ssl;
switches	0:5c4d7b2438d3	7673	(void) md;
switches	0:5c4d7b2438d3	7674
switches	0:5c4d7b2438d3	7675	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
switches	0:5c4d7b2438d3	7676	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
switches	0:5c4d7b2438d3	7677	}
switches	0:5c4d7b2438d3	7678
switches	0:5c4d7b2438d3	7679	#endif /* MBEDTLS_SSL_TLS_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	11 Nov 2016
Imports:	21
Forks:	0
Commits:	4
Dependents:	1
Dependencies:	0
Followers:	4

This repository is Public (Unlisted).

Developers

Greg Steiert

Jesse Marroquin

features/mbedtls/src/ssl_tls.c@3:1198227e6421, 2016-12-16 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Developers

Important Information for this Arm website

Access Warning