6_songs-from-the-cloud - This is a fork due to permission issues

Users » timbeight » Code » 6_songs-from-the-cloud

Timothy Beight / Mbed 2 deprecated 6_songs-from-the-cloud

This is a fork due to permission issues

Dependencies: mbed Socket lwip-eth lwip-sys lwip

Fork of 6_songs-from-the-cloud by MakingMusicWorkshop

mbed-client/mbedtls/source/ssl_srv.c@0:f7c60d3e7b8a, 2016-05-18 (annotated)

Committer:: maclobdell
Date:: Wed May 18 19:06:32 2016 +0000
Revision:: 0:f7c60d3e7b8a

clean version

Who changed what in which revision?

User	Revision	Line number	New contents of line
maclobdell	0:f7c60d3e7b8a	1	/*
maclobdell	0:f7c60d3e7b8a	2	* SSLv3/TLSv1 server-side functions
maclobdell	0:f7c60d3e7b8a	3	*
maclobdell	0:f7c60d3e7b8a	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
maclobdell	0:f7c60d3e7b8a	5	* SPDX-License-Identifier: Apache-2.0
maclobdell	0:f7c60d3e7b8a	6	*
maclobdell	0:f7c60d3e7b8a	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
maclobdell	0:f7c60d3e7b8a	8	* not use this file except in compliance with the License.
maclobdell	0:f7c60d3e7b8a	9	* You may obtain a copy of the License at
maclobdell	0:f7c60d3e7b8a	10	*
maclobdell	0:f7c60d3e7b8a	11	* http://www.apache.org/licenses/LICENSE-2.0
maclobdell	0:f7c60d3e7b8a	12	*
maclobdell	0:f7c60d3e7b8a	13	* Unless required by applicable law or agreed to in writing, software
maclobdell	0:f7c60d3e7b8a	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
maclobdell	0:f7c60d3e7b8a	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
maclobdell	0:f7c60d3e7b8a	16	* See the License for the specific language governing permissions and
maclobdell	0:f7c60d3e7b8a	17	* limitations under the License.
maclobdell	0:f7c60d3e7b8a	18	*
maclobdell	0:f7c60d3e7b8a	19	* This file is part of mbed TLS (https://tls.mbed.org)
maclobdell	0:f7c60d3e7b8a	20	*/
maclobdell	0:f7c60d3e7b8a	21
maclobdell	0:f7c60d3e7b8a	22	#if !defined(MBEDTLS_CONFIG_FILE)
maclobdell	0:f7c60d3e7b8a	23	#include "mbedtls/config.h"
maclobdell	0:f7c60d3e7b8a	24	#else
maclobdell	0:f7c60d3e7b8a	25	#include MBEDTLS_CONFIG_FILE
maclobdell	0:f7c60d3e7b8a	26	#endif
maclobdell	0:f7c60d3e7b8a	27
maclobdell	0:f7c60d3e7b8a	28	#if defined(MBEDTLS_SSL_SRV_C)
maclobdell	0:f7c60d3e7b8a	29
maclobdell	0:f7c60d3e7b8a	30	#include "mbedtls/debug.h"
maclobdell	0:f7c60d3e7b8a	31	#include "mbedtls/ssl.h"
maclobdell	0:f7c60d3e7b8a	32	#include "mbedtls/ssl_internal.h"
maclobdell	0:f7c60d3e7b8a	33
maclobdell	0:f7c60d3e7b8a	34	#include <string.h>
maclobdell	0:f7c60d3e7b8a	35
maclobdell	0:f7c60d3e7b8a	36	#if defined(MBEDTLS_ECP_C)
maclobdell	0:f7c60d3e7b8a	37	#include "mbedtls/ecp.h"
maclobdell	0:f7c60d3e7b8a	38	#endif
maclobdell	0:f7c60d3e7b8a	39
maclobdell	0:f7c60d3e7b8a	40	#if defined(MBEDTLS_PLATFORM_C)
maclobdell	0:f7c60d3e7b8a	41	#include "mbedtls/platform.h"
maclobdell	0:f7c60d3e7b8a	42	#else
maclobdell	0:f7c60d3e7b8a	43	#include <stdlib.h>
maclobdell	0:f7c60d3e7b8a	44	#define mbedtls_calloc calloc
maclobdell	0:f7c60d3e7b8a	45	#define mbedtls_free free
maclobdell	0:f7c60d3e7b8a	46	#endif
maclobdell	0:f7c60d3e7b8a	47
maclobdell	0:f7c60d3e7b8a	48	#if defined(MBEDTLS_HAVE_TIME)
maclobdell	0:f7c60d3e7b8a	49	#include <time.h>
maclobdell	0:f7c60d3e7b8a	50	#endif
maclobdell	0:f7c60d3e7b8a	51
maclobdell	0:f7c60d3e7b8a	52	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	53	/* Implementation that should never be optimized out by the compiler */
maclobdell	0:f7c60d3e7b8a	54	static void mbedtls_zeroize( void *v, size_t n ) {
maclobdell	0:f7c60d3e7b8a	55	volatile unsigned char p = v; while( n-- ) p++ = 0;
maclobdell	0:f7c60d3e7b8a	56	}
maclobdell	0:f7c60d3e7b8a	57	#endif
maclobdell	0:f7c60d3e7b8a	58
maclobdell	0:f7c60d3e7b8a	59	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
maclobdell	0:f7c60d3e7b8a	60	int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	61	const unsigned char *info,
maclobdell	0:f7c60d3e7b8a	62	size_t ilen )
maclobdell	0:f7c60d3e7b8a	63	{
maclobdell	0:f7c60d3e7b8a	64	if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
maclobdell	0:f7c60d3e7b8a	65	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
maclobdell	0:f7c60d3e7b8a	66
maclobdell	0:f7c60d3e7b8a	67	mbedtls_free( ssl->cli_id );
maclobdell	0:f7c60d3e7b8a	68
maclobdell	0:f7c60d3e7b8a	69	if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
maclobdell	0:f7c60d3e7b8a	70	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
maclobdell	0:f7c60d3e7b8a	71
maclobdell	0:f7c60d3e7b8a	72	memcpy( ssl->cli_id, info, ilen );
maclobdell	0:f7c60d3e7b8a	73	ssl->cli_id_len = ilen;
maclobdell	0:f7c60d3e7b8a	74
maclobdell	0:f7c60d3e7b8a	75	return( 0 );
maclobdell	0:f7c60d3e7b8a	76	}
maclobdell	0:f7c60d3e7b8a	77
maclobdell	0:f7c60d3e7b8a	78	void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
maclobdell	0:f7c60d3e7b8a	79	mbedtls_ssl_cookie_write_t *f_cookie_write,
maclobdell	0:f7c60d3e7b8a	80	mbedtls_ssl_cookie_check_t *f_cookie_check,
maclobdell	0:f7c60d3e7b8a	81	void *p_cookie )
maclobdell	0:f7c60d3e7b8a	82	{
maclobdell	0:f7c60d3e7b8a	83	conf->f_cookie_write = f_cookie_write;
maclobdell	0:f7c60d3e7b8a	84	conf->f_cookie_check = f_cookie_check;
maclobdell	0:f7c60d3e7b8a	85	conf->p_cookie = p_cookie;
maclobdell	0:f7c60d3e7b8a	86	}
maclobdell	0:f7c60d3e7b8a	87	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
maclobdell	0:f7c60d3e7b8a	88
maclobdell	0:f7c60d3e7b8a	89	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
maclobdell	0:f7c60d3e7b8a	90	static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	91	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	92	size_t len )
maclobdell	0:f7c60d3e7b8a	93	{
maclobdell	0:f7c60d3e7b8a	94	int ret;
maclobdell	0:f7c60d3e7b8a	95	size_t servername_list_size, hostname_len;
maclobdell	0:f7c60d3e7b8a	96	const unsigned char *p;
maclobdell	0:f7c60d3e7b8a	97
maclobdell	0:f7c60d3e7b8a	98	MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
maclobdell	0:f7c60d3e7b8a	99
maclobdell	0:f7c60d3e7b8a	100	servername_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
maclobdell	0:f7c60d3e7b8a	101	if( servername_list_size + 2 != len )
maclobdell	0:f7c60d3e7b8a	102	{
maclobdell	0:f7c60d3e7b8a	103	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	104	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	105	}
maclobdell	0:f7c60d3e7b8a	106
maclobdell	0:f7c60d3e7b8a	107	p = buf + 2;
maclobdell	0:f7c60d3e7b8a	108	while( servername_list_size > 0 )
maclobdell	0:f7c60d3e7b8a	109	{
maclobdell	0:f7c60d3e7b8a	110	hostname_len = ( ( p[1] << 8 ) \| p[2] );
maclobdell	0:f7c60d3e7b8a	111	if( hostname_len + 3 > servername_list_size )
maclobdell	0:f7c60d3e7b8a	112	{
maclobdell	0:f7c60d3e7b8a	113	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	114	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	115	}
maclobdell	0:f7c60d3e7b8a	116
maclobdell	0:f7c60d3e7b8a	117	if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
maclobdell	0:f7c60d3e7b8a	118	{
maclobdell	0:f7c60d3e7b8a	119	ret = ssl->conf->f_sni( ssl->conf->p_sni,
maclobdell	0:f7c60d3e7b8a	120	ssl, p + 3, hostname_len );
maclobdell	0:f7c60d3e7b8a	121	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	122	{
maclobdell	0:f7c60d3e7b8a	123	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
maclobdell	0:f7c60d3e7b8a	124	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
maclobdell	0:f7c60d3e7b8a	125	MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
maclobdell	0:f7c60d3e7b8a	126	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	127	}
maclobdell	0:f7c60d3e7b8a	128	return( 0 );
maclobdell	0:f7c60d3e7b8a	129	}
maclobdell	0:f7c60d3e7b8a	130
maclobdell	0:f7c60d3e7b8a	131	servername_list_size -= hostname_len + 3;
maclobdell	0:f7c60d3e7b8a	132	p += hostname_len + 3;
maclobdell	0:f7c60d3e7b8a	133	}
maclobdell	0:f7c60d3e7b8a	134
maclobdell	0:f7c60d3e7b8a	135	if( servername_list_size != 0 )
maclobdell	0:f7c60d3e7b8a	136	{
maclobdell	0:f7c60d3e7b8a	137	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	138	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	139	}
maclobdell	0:f7c60d3e7b8a	140
maclobdell	0:f7c60d3e7b8a	141	return( 0 );
maclobdell	0:f7c60d3e7b8a	142	}
maclobdell	0:f7c60d3e7b8a	143	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
maclobdell	0:f7c60d3e7b8a	144
maclobdell	0:f7c60d3e7b8a	145	static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	146	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	147	size_t len )
maclobdell	0:f7c60d3e7b8a	148	{
maclobdell	0:f7c60d3e7b8a	149	int ret;
maclobdell	0:f7c60d3e7b8a	150
maclobdell	0:f7c60d3e7b8a	151	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	152	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	153	{
maclobdell	0:f7c60d3e7b8a	154	/* Check verify-data in constant-time. The length OTOH is no secret */
maclobdell	0:f7c60d3e7b8a	155	if( len != 1 + ssl->verify_data_len \|\|
maclobdell	0:f7c60d3e7b8a	156	buf[0] != ssl->verify_data_len \|\|
maclobdell	0:f7c60d3e7b8a	157	mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
maclobdell	0:f7c60d3e7b8a	158	ssl->verify_data_len ) != 0 )
maclobdell	0:f7c60d3e7b8a	159	{
maclobdell	0:f7c60d3e7b8a	160	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
maclobdell	0:f7c60d3e7b8a	161
maclobdell	0:f7c60d3e7b8a	162	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	163	return( ret );
maclobdell	0:f7c60d3e7b8a	164
maclobdell	0:f7c60d3e7b8a	165	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	166	}
maclobdell	0:f7c60d3e7b8a	167	}
maclobdell	0:f7c60d3e7b8a	168	else
maclobdell	0:f7c60d3e7b8a	169	#endif /* MBEDTLS_SSL_RENEGOTIATION */
maclobdell	0:f7c60d3e7b8a	170	{
maclobdell	0:f7c60d3e7b8a	171	if( len != 1 \|\| buf[0] != 0x0 )
maclobdell	0:f7c60d3e7b8a	172	{
maclobdell	0:f7c60d3e7b8a	173	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
maclobdell	0:f7c60d3e7b8a	174
maclobdell	0:f7c60d3e7b8a	175	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	176	return( ret );
maclobdell	0:f7c60d3e7b8a	177
maclobdell	0:f7c60d3e7b8a	178	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	179	}
maclobdell	0:f7c60d3e7b8a	180
maclobdell	0:f7c60d3e7b8a	181	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
maclobdell	0:f7c60d3e7b8a	182	}
maclobdell	0:f7c60d3e7b8a	183
maclobdell	0:f7c60d3e7b8a	184	return( 0 );
maclobdell	0:f7c60d3e7b8a	185	}
maclobdell	0:f7c60d3e7b8a	186
maclobdell	0:f7c60d3e7b8a	187	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
maclobdell	0:f7c60d3e7b8a	188	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
maclobdell	0:f7c60d3e7b8a	189	static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	190	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	191	size_t len )
maclobdell	0:f7c60d3e7b8a	192	{
maclobdell	0:f7c60d3e7b8a	193	size_t sig_alg_list_size;
maclobdell	0:f7c60d3e7b8a	194	const unsigned char *p;
maclobdell	0:f7c60d3e7b8a	195	const unsigned char *end = buf + len;
maclobdell	0:f7c60d3e7b8a	196	const int *md_cur;
maclobdell	0:f7c60d3e7b8a	197
maclobdell	0:f7c60d3e7b8a	198
maclobdell	0:f7c60d3e7b8a	199	sig_alg_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
maclobdell	0:f7c60d3e7b8a	200	if( sig_alg_list_size + 2 != len \|\|
maclobdell	0:f7c60d3e7b8a	201	sig_alg_list_size % 2 != 0 )
maclobdell	0:f7c60d3e7b8a	202	{
maclobdell	0:f7c60d3e7b8a	203	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	204	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	205	}
maclobdell	0:f7c60d3e7b8a	206
maclobdell	0:f7c60d3e7b8a	207	/*
maclobdell	0:f7c60d3e7b8a	208	* For now, ignore the SignatureAlgorithm part and rely on offered
maclobdell	0:f7c60d3e7b8a	209	* ciphersuites only for that part. To be fixed later.
maclobdell	0:f7c60d3e7b8a	210	*
maclobdell	0:f7c60d3e7b8a	211	* So, just look at the HashAlgorithm part.
maclobdell	0:f7c60d3e7b8a	212	*/
maclobdell	0:f7c60d3e7b8a	213	for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) {
maclobdell	0:f7c60d3e7b8a	214	for( p = buf + 2; p < end; p += 2 ) {
maclobdell	0:f7c60d3e7b8a	215	if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) {
maclobdell	0:f7c60d3e7b8a	216	ssl->handshake->sig_alg = p[0];
maclobdell	0:f7c60d3e7b8a	217	goto have_sig_alg;
maclobdell	0:f7c60d3e7b8a	218	}
maclobdell	0:f7c60d3e7b8a	219	}
maclobdell	0:f7c60d3e7b8a	220	}
maclobdell	0:f7c60d3e7b8a	221
maclobdell	0:f7c60d3e7b8a	222	/* Some key echanges do not need signatures at all */
maclobdell	0:f7c60d3e7b8a	223	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
maclobdell	0:f7c60d3e7b8a	224	return( 0 );
maclobdell	0:f7c60d3e7b8a	225
maclobdell	0:f7c60d3e7b8a	226	have_sig_alg:
maclobdell	0:f7c60d3e7b8a	227	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
maclobdell	0:f7c60d3e7b8a	228	ssl->handshake->sig_alg ) );
maclobdell	0:f7c60d3e7b8a	229
maclobdell	0:f7c60d3e7b8a	230	return( 0 );
maclobdell	0:f7c60d3e7b8a	231	}
maclobdell	0:f7c60d3e7b8a	232	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
maclobdell	0:f7c60d3e7b8a	233	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
maclobdell	0:f7c60d3e7b8a	234
maclobdell	0:f7c60d3e7b8a	235	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
maclobdell	0:f7c60d3e7b8a	236	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	237	static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	238	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	239	size_t len )
maclobdell	0:f7c60d3e7b8a	240	{
maclobdell	0:f7c60d3e7b8a	241	size_t list_size, our_size;
maclobdell	0:f7c60d3e7b8a	242	const unsigned char *p;
maclobdell	0:f7c60d3e7b8a	243	const mbedtls_ecp_curve_info curve_info, *curves;
maclobdell	0:f7c60d3e7b8a	244
maclobdell	0:f7c60d3e7b8a	245	list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
maclobdell	0:f7c60d3e7b8a	246	if( list_size + 2 != len \|\|
maclobdell	0:f7c60d3e7b8a	247	list_size % 2 != 0 )
maclobdell	0:f7c60d3e7b8a	248	{
maclobdell	0:f7c60d3e7b8a	249	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	250	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	251	}
maclobdell	0:f7c60d3e7b8a	252
maclobdell	0:f7c60d3e7b8a	253	/* Should never happen unless client duplicates the extension */
maclobdell	0:f7c60d3e7b8a	254	if( ssl->handshake->curves != NULL )
maclobdell	0:f7c60d3e7b8a	255	{
maclobdell	0:f7c60d3e7b8a	256	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	257	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	258	}
maclobdell	0:f7c60d3e7b8a	259
maclobdell	0:f7c60d3e7b8a	260	/* Don't allow our peer to make us allocate too much memory,
maclobdell	0:f7c60d3e7b8a	261	* and leave room for a final 0 */
maclobdell	0:f7c60d3e7b8a	262	our_size = list_size / 2 + 1;
maclobdell	0:f7c60d3e7b8a	263	if( our_size > MBEDTLS_ECP_DP_MAX )
maclobdell	0:f7c60d3e7b8a	264	our_size = MBEDTLS_ECP_DP_MAX;
maclobdell	0:f7c60d3e7b8a	265
maclobdell	0:f7c60d3e7b8a	266	if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
maclobdell	0:f7c60d3e7b8a	267	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
maclobdell	0:f7c60d3e7b8a	268
maclobdell	0:f7c60d3e7b8a	269	ssl->handshake->curves = curves;
maclobdell	0:f7c60d3e7b8a	270
maclobdell	0:f7c60d3e7b8a	271	p = buf + 2;
maclobdell	0:f7c60d3e7b8a	272	while( list_size > 0 && our_size > 1 )
maclobdell	0:f7c60d3e7b8a	273	{
maclobdell	0:f7c60d3e7b8a	274	curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) \| p[1] );
maclobdell	0:f7c60d3e7b8a	275
maclobdell	0:f7c60d3e7b8a	276	if( curve_info != NULL )
maclobdell	0:f7c60d3e7b8a	277	{
maclobdell	0:f7c60d3e7b8a	278	*curves++ = curve_info;
maclobdell	0:f7c60d3e7b8a	279	our_size--;
maclobdell	0:f7c60d3e7b8a	280	}
maclobdell	0:f7c60d3e7b8a	281
maclobdell	0:f7c60d3e7b8a	282	list_size -= 2;
maclobdell	0:f7c60d3e7b8a	283	p += 2;
maclobdell	0:f7c60d3e7b8a	284	}
maclobdell	0:f7c60d3e7b8a	285
maclobdell	0:f7c60d3e7b8a	286	return( 0 );
maclobdell	0:f7c60d3e7b8a	287	}
maclobdell	0:f7c60d3e7b8a	288
maclobdell	0:f7c60d3e7b8a	289	static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	290	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	291	size_t len )
maclobdell	0:f7c60d3e7b8a	292	{
maclobdell	0:f7c60d3e7b8a	293	size_t list_size;
maclobdell	0:f7c60d3e7b8a	294	const unsigned char *p;
maclobdell	0:f7c60d3e7b8a	295
maclobdell	0:f7c60d3e7b8a	296	list_size = buf[0];
maclobdell	0:f7c60d3e7b8a	297	if( list_size + 1 != len )
maclobdell	0:f7c60d3e7b8a	298	{
maclobdell	0:f7c60d3e7b8a	299	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	300	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	301	}
maclobdell	0:f7c60d3e7b8a	302
maclobdell	0:f7c60d3e7b8a	303	p = buf + 1;
maclobdell	0:f7c60d3e7b8a	304	while( list_size > 0 )
maclobdell	0:f7c60d3e7b8a	305	{
maclobdell	0:f7c60d3e7b8a	306	if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED \|\|
maclobdell	0:f7c60d3e7b8a	307	p[0] == MBEDTLS_ECP_PF_COMPRESSED )
maclobdell	0:f7c60d3e7b8a	308	{
maclobdell	0:f7c60d3e7b8a	309	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
maclobdell	0:f7c60d3e7b8a	310	ssl->handshake->ecdh_ctx.point_format = p[0];
maclobdell	0:f7c60d3e7b8a	311	#endif
maclobdell	0:f7c60d3e7b8a	312	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	313	ssl->handshake->ecjpake_ctx.point_format = p[0];
maclobdell	0:f7c60d3e7b8a	314	#endif
maclobdell	0:f7c60d3e7b8a	315	MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
maclobdell	0:f7c60d3e7b8a	316	return( 0 );
maclobdell	0:f7c60d3e7b8a	317	}
maclobdell	0:f7c60d3e7b8a	318
maclobdell	0:f7c60d3e7b8a	319	list_size--;
maclobdell	0:f7c60d3e7b8a	320	p++;
maclobdell	0:f7c60d3e7b8a	321	}
maclobdell	0:f7c60d3e7b8a	322
maclobdell	0:f7c60d3e7b8a	323	return( 0 );
maclobdell	0:f7c60d3e7b8a	324	}
maclobdell	0:f7c60d3e7b8a	325	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
maclobdell	0:f7c60d3e7b8a	326	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	327
maclobdell	0:f7c60d3e7b8a	328	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	329	static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	330	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	331	size_t len )
maclobdell	0:f7c60d3e7b8a	332	{
maclobdell	0:f7c60d3e7b8a	333	int ret;
maclobdell	0:f7c60d3e7b8a	334
maclobdell	0:f7c60d3e7b8a	335	if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
maclobdell	0:f7c60d3e7b8a	336	{
maclobdell	0:f7c60d3e7b8a	337	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
maclobdell	0:f7c60d3e7b8a	338	return( 0 );
maclobdell	0:f7c60d3e7b8a	339	}
maclobdell	0:f7c60d3e7b8a	340
maclobdell	0:f7c60d3e7b8a	341	if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
maclobdell	0:f7c60d3e7b8a	342	buf, len ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	343	{
maclobdell	0:f7c60d3e7b8a	344	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
maclobdell	0:f7c60d3e7b8a	345	return( ret );
maclobdell	0:f7c60d3e7b8a	346	}
maclobdell	0:f7c60d3e7b8a	347
maclobdell	0:f7c60d3e7b8a	348	/* Only mark the extension as OK when we're sure it is */
maclobdell	0:f7c60d3e7b8a	349	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
maclobdell	0:f7c60d3e7b8a	350
maclobdell	0:f7c60d3e7b8a	351	return( 0 );
maclobdell	0:f7c60d3e7b8a	352	}
maclobdell	0:f7c60d3e7b8a	353	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	354
maclobdell	0:f7c60d3e7b8a	355	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
maclobdell	0:f7c60d3e7b8a	356	static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	357	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	358	size_t len )
maclobdell	0:f7c60d3e7b8a	359	{
maclobdell	0:f7c60d3e7b8a	360	if( len != 1 \|\| buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
maclobdell	0:f7c60d3e7b8a	361	{
maclobdell	0:f7c60d3e7b8a	362	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	363	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	364	}
maclobdell	0:f7c60d3e7b8a	365
maclobdell	0:f7c60d3e7b8a	366	ssl->session_negotiate->mfl_code = buf[0];
maclobdell	0:f7c60d3e7b8a	367
maclobdell	0:f7c60d3e7b8a	368	return( 0 );
maclobdell	0:f7c60d3e7b8a	369	}
maclobdell	0:f7c60d3e7b8a	370	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
maclobdell	0:f7c60d3e7b8a	371
maclobdell	0:f7c60d3e7b8a	372	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
maclobdell	0:f7c60d3e7b8a	373	static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	374	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	375	size_t len )
maclobdell	0:f7c60d3e7b8a	376	{
maclobdell	0:f7c60d3e7b8a	377	if( len != 0 )
maclobdell	0:f7c60d3e7b8a	378	{
maclobdell	0:f7c60d3e7b8a	379	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	380	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	381	}
maclobdell	0:f7c60d3e7b8a	382
maclobdell	0:f7c60d3e7b8a	383	((void) buf);
maclobdell	0:f7c60d3e7b8a	384
maclobdell	0:f7c60d3e7b8a	385	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
maclobdell	0:f7c60d3e7b8a	386	ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
maclobdell	0:f7c60d3e7b8a	387
maclobdell	0:f7c60d3e7b8a	388	return( 0 );
maclobdell	0:f7c60d3e7b8a	389	}
maclobdell	0:f7c60d3e7b8a	390	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
maclobdell	0:f7c60d3e7b8a	391
maclobdell	0:f7c60d3e7b8a	392	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
maclobdell	0:f7c60d3e7b8a	393	static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	394	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	395	size_t len )
maclobdell	0:f7c60d3e7b8a	396	{
maclobdell	0:f7c60d3e7b8a	397	if( len != 0 )
maclobdell	0:f7c60d3e7b8a	398	{
maclobdell	0:f7c60d3e7b8a	399	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	400	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	401	}
maclobdell	0:f7c60d3e7b8a	402
maclobdell	0:f7c60d3e7b8a	403	((void) buf);
maclobdell	0:f7c60d3e7b8a	404
maclobdell	0:f7c60d3e7b8a	405	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
maclobdell	0:f7c60d3e7b8a	406	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
maclobdell	0:f7c60d3e7b8a	407	{
maclobdell	0:f7c60d3e7b8a	408	ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
maclobdell	0:f7c60d3e7b8a	409	}
maclobdell	0:f7c60d3e7b8a	410
maclobdell	0:f7c60d3e7b8a	411	return( 0 );
maclobdell	0:f7c60d3e7b8a	412	}
maclobdell	0:f7c60d3e7b8a	413	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
maclobdell	0:f7c60d3e7b8a	414
maclobdell	0:f7c60d3e7b8a	415	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
maclobdell	0:f7c60d3e7b8a	416	static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	417	const unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	418	size_t len )
maclobdell	0:f7c60d3e7b8a	419	{
maclobdell	0:f7c60d3e7b8a	420	if( len != 0 )
maclobdell	0:f7c60d3e7b8a	421	{
maclobdell	0:f7c60d3e7b8a	422	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	423	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	424	}
maclobdell	0:f7c60d3e7b8a	425
maclobdell	0:f7c60d3e7b8a	426	((void) buf);
maclobdell	0:f7c60d3e7b8a	427
maclobdell	0:f7c60d3e7b8a	428	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
maclobdell	0:f7c60d3e7b8a	429	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
maclobdell	0:f7c60d3e7b8a	430	{
maclobdell	0:f7c60d3e7b8a	431	ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
maclobdell	0:f7c60d3e7b8a	432	}
maclobdell	0:f7c60d3e7b8a	433
maclobdell	0:f7c60d3e7b8a	434	return( 0 );
maclobdell	0:f7c60d3e7b8a	435	}
maclobdell	0:f7c60d3e7b8a	436	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
maclobdell	0:f7c60d3e7b8a	437
maclobdell	0:f7c60d3e7b8a	438	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	439	static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	440	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	441	size_t len )
maclobdell	0:f7c60d3e7b8a	442	{
maclobdell	0:f7c60d3e7b8a	443	int ret;
maclobdell	0:f7c60d3e7b8a	444	mbedtls_ssl_session session;
maclobdell	0:f7c60d3e7b8a	445
maclobdell	0:f7c60d3e7b8a	446	mbedtls_ssl_session_init( &session );
maclobdell	0:f7c60d3e7b8a	447
maclobdell	0:f7c60d3e7b8a	448	if( ssl->conf->f_ticket_parse == NULL \|\|
maclobdell	0:f7c60d3e7b8a	449	ssl->conf->f_ticket_write == NULL )
maclobdell	0:f7c60d3e7b8a	450	{
maclobdell	0:f7c60d3e7b8a	451	return( 0 );
maclobdell	0:f7c60d3e7b8a	452	}
maclobdell	0:f7c60d3e7b8a	453
maclobdell	0:f7c60d3e7b8a	454	/* Remember the client asked us to send a new ticket */
maclobdell	0:f7c60d3e7b8a	455	ssl->handshake->new_session_ticket = 1;
maclobdell	0:f7c60d3e7b8a	456
maclobdell	0:f7c60d3e7b8a	457	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
maclobdell	0:f7c60d3e7b8a	458
maclobdell	0:f7c60d3e7b8a	459	if( len == 0 )
maclobdell	0:f7c60d3e7b8a	460	return( 0 );
maclobdell	0:f7c60d3e7b8a	461
maclobdell	0:f7c60d3e7b8a	462	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	463	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	464	{
maclobdell	0:f7c60d3e7b8a	465	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
maclobdell	0:f7c60d3e7b8a	466	return( 0 );
maclobdell	0:f7c60d3e7b8a	467	}
maclobdell	0:f7c60d3e7b8a	468	#endif /* MBEDTLS_SSL_RENEGOTIATION */
maclobdell	0:f7c60d3e7b8a	469
maclobdell	0:f7c60d3e7b8a	470	/*
maclobdell	0:f7c60d3e7b8a	471	* Failures are ok: just ignore the ticket and proceed.
maclobdell	0:f7c60d3e7b8a	472	*/
maclobdell	0:f7c60d3e7b8a	473	if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
maclobdell	0:f7c60d3e7b8a	474	buf, len ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	475	{
maclobdell	0:f7c60d3e7b8a	476	mbedtls_ssl_session_free( &session );
maclobdell	0:f7c60d3e7b8a	477
maclobdell	0:f7c60d3e7b8a	478	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
maclobdell	0:f7c60d3e7b8a	479	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
maclobdell	0:f7c60d3e7b8a	480	else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
maclobdell	0:f7c60d3e7b8a	481	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
maclobdell	0:f7c60d3e7b8a	482	else
maclobdell	0:f7c60d3e7b8a	483	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
maclobdell	0:f7c60d3e7b8a	484
maclobdell	0:f7c60d3e7b8a	485	return( 0 );
maclobdell	0:f7c60d3e7b8a	486	}
maclobdell	0:f7c60d3e7b8a	487
maclobdell	0:f7c60d3e7b8a	488	/*
maclobdell	0:f7c60d3e7b8a	489	* Keep the session ID sent by the client, since we MUST send it back to
maclobdell	0:f7c60d3e7b8a	490	* inform them we're accepting the ticket (RFC 5077 section 3.4)
maclobdell	0:f7c60d3e7b8a	491	*/
maclobdell	0:f7c60d3e7b8a	492	session.id_len = ssl->session_negotiate->id_len;
maclobdell	0:f7c60d3e7b8a	493	memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
maclobdell	0:f7c60d3e7b8a	494
maclobdell	0:f7c60d3e7b8a	495	mbedtls_ssl_session_free( ssl->session_negotiate );
maclobdell	0:f7c60d3e7b8a	496	memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
maclobdell	0:f7c60d3e7b8a	497
maclobdell	0:f7c60d3e7b8a	498	/* Zeroize instead of free as we copied the content */
maclobdell	0:f7c60d3e7b8a	499	mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
maclobdell	0:f7c60d3e7b8a	500
maclobdell	0:f7c60d3e7b8a	501	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
maclobdell	0:f7c60d3e7b8a	502
maclobdell	0:f7c60d3e7b8a	503	ssl->handshake->resume = 1;
maclobdell	0:f7c60d3e7b8a	504
maclobdell	0:f7c60d3e7b8a	505	/* Don't send a new ticket after all, this one is OK */
maclobdell	0:f7c60d3e7b8a	506	ssl->handshake->new_session_ticket = 0;
maclobdell	0:f7c60d3e7b8a	507
maclobdell	0:f7c60d3e7b8a	508	return( 0 );
maclobdell	0:f7c60d3e7b8a	509	}
maclobdell	0:f7c60d3e7b8a	510	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
maclobdell	0:f7c60d3e7b8a	511
maclobdell	0:f7c60d3e7b8a	512	#if defined(MBEDTLS_SSL_ALPN)
maclobdell	0:f7c60d3e7b8a	513	static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	514	const unsigned char *buf, size_t len )
maclobdell	0:f7c60d3e7b8a	515	{
maclobdell	0:f7c60d3e7b8a	516	size_t list_len, cur_len, ours_len;
maclobdell	0:f7c60d3e7b8a	517	const unsigned char theirs, start, *end;
maclobdell	0:f7c60d3e7b8a	518	const char **ours;
maclobdell	0:f7c60d3e7b8a	519
maclobdell	0:f7c60d3e7b8a	520	/* If ALPN not configured, just ignore the extension */
maclobdell	0:f7c60d3e7b8a	521	if( ssl->conf->alpn_list == NULL )
maclobdell	0:f7c60d3e7b8a	522	return( 0 );
maclobdell	0:f7c60d3e7b8a	523
maclobdell	0:f7c60d3e7b8a	524	/*
maclobdell	0:f7c60d3e7b8a	525	* opaque ProtocolName<1..2^8-1>;
maclobdell	0:f7c60d3e7b8a	526	*
maclobdell	0:f7c60d3e7b8a	527	* struct {
maclobdell	0:f7c60d3e7b8a	528	* ProtocolName protocol_name_list<2..2^16-1>
maclobdell	0:f7c60d3e7b8a	529	* } ProtocolNameList;
maclobdell	0:f7c60d3e7b8a	530	*/
maclobdell	0:f7c60d3e7b8a	531
maclobdell	0:f7c60d3e7b8a	532	/* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
maclobdell	0:f7c60d3e7b8a	533	if( len < 4 )
maclobdell	0:f7c60d3e7b8a	534	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	535
maclobdell	0:f7c60d3e7b8a	536	list_len = ( buf[0] << 8 ) \| buf[1];
maclobdell	0:f7c60d3e7b8a	537	if( list_len != len - 2 )
maclobdell	0:f7c60d3e7b8a	538	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	539
maclobdell	0:f7c60d3e7b8a	540	/*
maclobdell	0:f7c60d3e7b8a	541	* Use our order of preference
maclobdell	0:f7c60d3e7b8a	542	*/
maclobdell	0:f7c60d3e7b8a	543	start = buf + 2;
maclobdell	0:f7c60d3e7b8a	544	end = buf + len;
maclobdell	0:f7c60d3e7b8a	545	for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
maclobdell	0:f7c60d3e7b8a	546	{
maclobdell	0:f7c60d3e7b8a	547	ours_len = strlen( *ours );
maclobdell	0:f7c60d3e7b8a	548	for( theirs = start; theirs != end; theirs += cur_len )
maclobdell	0:f7c60d3e7b8a	549	{
maclobdell	0:f7c60d3e7b8a	550	/* If the list is well formed, we should get equality first */
maclobdell	0:f7c60d3e7b8a	551	if( theirs > end )
maclobdell	0:f7c60d3e7b8a	552	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	553
maclobdell	0:f7c60d3e7b8a	554	cur_len = *theirs++;
maclobdell	0:f7c60d3e7b8a	555
maclobdell	0:f7c60d3e7b8a	556	/* Empty strings MUST NOT be included */
maclobdell	0:f7c60d3e7b8a	557	if( cur_len == 0 )
maclobdell	0:f7c60d3e7b8a	558	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	559
maclobdell	0:f7c60d3e7b8a	560	if( cur_len == ours_len &&
maclobdell	0:f7c60d3e7b8a	561	memcmp( theirs, *ours, cur_len ) == 0 )
maclobdell	0:f7c60d3e7b8a	562	{
maclobdell	0:f7c60d3e7b8a	563	ssl->alpn_chosen = *ours;
maclobdell	0:f7c60d3e7b8a	564	return( 0 );
maclobdell	0:f7c60d3e7b8a	565	}
maclobdell	0:f7c60d3e7b8a	566	}
maclobdell	0:f7c60d3e7b8a	567	}
maclobdell	0:f7c60d3e7b8a	568
maclobdell	0:f7c60d3e7b8a	569	/* If we get there, no match was found */
maclobdell	0:f7c60d3e7b8a	570	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
maclobdell	0:f7c60d3e7b8a	571	MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
maclobdell	0:f7c60d3e7b8a	572	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	573	}
maclobdell	0:f7c60d3e7b8a	574	#endif /* MBEDTLS_SSL_ALPN */
maclobdell	0:f7c60d3e7b8a	575
maclobdell	0:f7c60d3e7b8a	576	/*
maclobdell	0:f7c60d3e7b8a	577	* Auxiliary functions for ServerHello parsing and related actions
maclobdell	0:f7c60d3e7b8a	578	*/
maclobdell	0:f7c60d3e7b8a	579
maclobdell	0:f7c60d3e7b8a	580	#if defined(MBEDTLS_X509_CRT_PARSE_C)
maclobdell	0:f7c60d3e7b8a	581	/*
maclobdell	0:f7c60d3e7b8a	582	* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
maclobdell	0:f7c60d3e7b8a	583	*/
maclobdell	0:f7c60d3e7b8a	584	#if defined(MBEDTLS_ECDSA_C)
maclobdell	0:f7c60d3e7b8a	585	static int ssl_check_key_curve( mbedtls_pk_context *pk,
maclobdell	0:f7c60d3e7b8a	586	const mbedtls_ecp_curve_info **curves )
maclobdell	0:f7c60d3e7b8a	587	{
maclobdell	0:f7c60d3e7b8a	588	const mbedtls_ecp_curve_info **crv = curves;
maclobdell	0:f7c60d3e7b8a	589	mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
maclobdell	0:f7c60d3e7b8a	590
maclobdell	0:f7c60d3e7b8a	591	while( *crv != NULL )
maclobdell	0:f7c60d3e7b8a	592	{
maclobdell	0:f7c60d3e7b8a	593	if( (*crv)->grp_id == grp_id )
maclobdell	0:f7c60d3e7b8a	594	return( 0 );
maclobdell	0:f7c60d3e7b8a	595	crv++;
maclobdell	0:f7c60d3e7b8a	596	}
maclobdell	0:f7c60d3e7b8a	597
maclobdell	0:f7c60d3e7b8a	598	return( -1 );
maclobdell	0:f7c60d3e7b8a	599	}
maclobdell	0:f7c60d3e7b8a	600	#endif /* MBEDTLS_ECDSA_C */
maclobdell	0:f7c60d3e7b8a	601
maclobdell	0:f7c60d3e7b8a	602	/*
maclobdell	0:f7c60d3e7b8a	603	* Try picking a certificate for this ciphersuite,
maclobdell	0:f7c60d3e7b8a	604	* return 0 on success and -1 on failure.
maclobdell	0:f7c60d3e7b8a	605	*/
maclobdell	0:f7c60d3e7b8a	606	static int ssl_pick_cert( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	607	const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
maclobdell	0:f7c60d3e7b8a	608	{
maclobdell	0:f7c60d3e7b8a	609	mbedtls_ssl_key_cert cur, list, *fallback = NULL;
maclobdell	0:f7c60d3e7b8a	610	mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
maclobdell	0:f7c60d3e7b8a	611	uint32_t flags;
maclobdell	0:f7c60d3e7b8a	612
maclobdell	0:f7c60d3e7b8a	613	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
maclobdell	0:f7c60d3e7b8a	614	if( ssl->handshake->sni_key_cert != NULL )
maclobdell	0:f7c60d3e7b8a	615	list = ssl->handshake->sni_key_cert;
maclobdell	0:f7c60d3e7b8a	616	else
maclobdell	0:f7c60d3e7b8a	617	#endif
maclobdell	0:f7c60d3e7b8a	618	list = ssl->conf->key_cert;
maclobdell	0:f7c60d3e7b8a	619
maclobdell	0:f7c60d3e7b8a	620	if( pk_alg == MBEDTLS_PK_NONE )
maclobdell	0:f7c60d3e7b8a	621	return( 0 );
maclobdell	0:f7c60d3e7b8a	622
maclobdell	0:f7c60d3e7b8a	623	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
maclobdell	0:f7c60d3e7b8a	624
maclobdell	0:f7c60d3e7b8a	625	if( list == NULL )
maclobdell	0:f7c60d3e7b8a	626	{
maclobdell	0:f7c60d3e7b8a	627	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
maclobdell	0:f7c60d3e7b8a	628	return( -1 );
maclobdell	0:f7c60d3e7b8a	629	}
maclobdell	0:f7c60d3e7b8a	630
maclobdell	0:f7c60d3e7b8a	631	for( cur = list; cur != NULL; cur = cur->next )
maclobdell	0:f7c60d3e7b8a	632	{
maclobdell	0:f7c60d3e7b8a	633	MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
maclobdell	0:f7c60d3e7b8a	634	cur->cert );
maclobdell	0:f7c60d3e7b8a	635
maclobdell	0:f7c60d3e7b8a	636	if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
maclobdell	0:f7c60d3e7b8a	637	{
maclobdell	0:f7c60d3e7b8a	638	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
maclobdell	0:f7c60d3e7b8a	639	continue;
maclobdell	0:f7c60d3e7b8a	640	}
maclobdell	0:f7c60d3e7b8a	641
maclobdell	0:f7c60d3e7b8a	642	/*
maclobdell	0:f7c60d3e7b8a	643	* This avoids sending the client a cert it'll reject based on
maclobdell	0:f7c60d3e7b8a	644	* keyUsage or other extensions.
maclobdell	0:f7c60d3e7b8a	645	*
maclobdell	0:f7c60d3e7b8a	646	* It also allows the user to provision different certificates for
maclobdell	0:f7c60d3e7b8a	647	* different uses based on keyUsage, eg if they want to avoid signing
maclobdell	0:f7c60d3e7b8a	648	* and decrypting with the same RSA key.
maclobdell	0:f7c60d3e7b8a	649	*/
maclobdell	0:f7c60d3e7b8a	650	if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
maclobdell	0:f7c60d3e7b8a	651	MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
maclobdell	0:f7c60d3e7b8a	652	{
maclobdell	0:f7c60d3e7b8a	653	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
maclobdell	0:f7c60d3e7b8a	654	"(extended) key usage extension" ) );
maclobdell	0:f7c60d3e7b8a	655	continue;
maclobdell	0:f7c60d3e7b8a	656	}
maclobdell	0:f7c60d3e7b8a	657
maclobdell	0:f7c60d3e7b8a	658	#if defined(MBEDTLS_ECDSA_C)
maclobdell	0:f7c60d3e7b8a	659	if( pk_alg == MBEDTLS_PK_ECDSA &&
maclobdell	0:f7c60d3e7b8a	660	ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
maclobdell	0:f7c60d3e7b8a	661	{
maclobdell	0:f7c60d3e7b8a	662	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
maclobdell	0:f7c60d3e7b8a	663	continue;
maclobdell	0:f7c60d3e7b8a	664	}
maclobdell	0:f7c60d3e7b8a	665	#endif
maclobdell	0:f7c60d3e7b8a	666
maclobdell	0:f7c60d3e7b8a	667	/*
maclobdell	0:f7c60d3e7b8a	668	* Try to select a SHA-1 certificate for pre-1.2 clients, but still
maclobdell	0:f7c60d3e7b8a	669	* present them a SHA-higher cert rather than failing if it's the only
maclobdell	0:f7c60d3e7b8a	670	* one we got that satisfies the other conditions.
maclobdell	0:f7c60d3e7b8a	671	*/
maclobdell	0:f7c60d3e7b8a	672	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
maclobdell	0:f7c60d3e7b8a	673	cur->cert->sig_md != MBEDTLS_MD_SHA1 )
maclobdell	0:f7c60d3e7b8a	674	{
maclobdell	0:f7c60d3e7b8a	675	if( fallback == NULL )
maclobdell	0:f7c60d3e7b8a	676	fallback = cur;
maclobdell	0:f7c60d3e7b8a	677	{
maclobdell	0:f7c60d3e7b8a	678	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
maclobdell	0:f7c60d3e7b8a	679	"sha-2 with pre-TLS 1.2 client" ) );
maclobdell	0:f7c60d3e7b8a	680	continue;
maclobdell	0:f7c60d3e7b8a	681	}
maclobdell	0:f7c60d3e7b8a	682	}
maclobdell	0:f7c60d3e7b8a	683
maclobdell	0:f7c60d3e7b8a	684	/* If we get there, we got a winner */
maclobdell	0:f7c60d3e7b8a	685	break;
maclobdell	0:f7c60d3e7b8a	686	}
maclobdell	0:f7c60d3e7b8a	687
maclobdell	0:f7c60d3e7b8a	688	if( cur == NULL )
maclobdell	0:f7c60d3e7b8a	689	cur = fallback;
maclobdell	0:f7c60d3e7b8a	690
maclobdell	0:f7c60d3e7b8a	691	/* Do not update ssl->handshake->key_cert unless there is a match */
maclobdell	0:f7c60d3e7b8a	692	if( cur != NULL )
maclobdell	0:f7c60d3e7b8a	693	{
maclobdell	0:f7c60d3e7b8a	694	ssl->handshake->key_cert = cur;
maclobdell	0:f7c60d3e7b8a	695	MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
maclobdell	0:f7c60d3e7b8a	696	ssl->handshake->key_cert->cert );
maclobdell	0:f7c60d3e7b8a	697	return( 0 );
maclobdell	0:f7c60d3e7b8a	698	}
maclobdell	0:f7c60d3e7b8a	699
maclobdell	0:f7c60d3e7b8a	700	return( -1 );
maclobdell	0:f7c60d3e7b8a	701	}
maclobdell	0:f7c60d3e7b8a	702	#endif /* MBEDTLS_X509_CRT_PARSE_C */
maclobdell	0:f7c60d3e7b8a	703
maclobdell	0:f7c60d3e7b8a	704	/*
maclobdell	0:f7c60d3e7b8a	705	* Check if a given ciphersuite is suitable for use with our config/keys/etc
maclobdell	0:f7c60d3e7b8a	706	* Sets ciphersuite_info only if the suite matches.
maclobdell	0:f7c60d3e7b8a	707	*/
maclobdell	0:f7c60d3e7b8a	708	static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
maclobdell	0:f7c60d3e7b8a	709	const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
maclobdell	0:f7c60d3e7b8a	710	{
maclobdell	0:f7c60d3e7b8a	711	const mbedtls_ssl_ciphersuite_t *suite_info;
maclobdell	0:f7c60d3e7b8a	712
maclobdell	0:f7c60d3e7b8a	713	suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
maclobdell	0:f7c60d3e7b8a	714	if( suite_info == NULL )
maclobdell	0:f7c60d3e7b8a	715	{
maclobdell	0:f7c60d3e7b8a	716	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	717	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	718	}
maclobdell	0:f7c60d3e7b8a	719
maclobdell	0:f7c60d3e7b8a	720	MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
maclobdell	0:f7c60d3e7b8a	721
maclobdell	0:f7c60d3e7b8a	722	if( suite_info->min_minor_ver > ssl->minor_ver \|\|
maclobdell	0:f7c60d3e7b8a	723	suite_info->max_minor_ver < ssl->minor_ver )
maclobdell	0:f7c60d3e7b8a	724	{
maclobdell	0:f7c60d3e7b8a	725	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
maclobdell	0:f7c60d3e7b8a	726	return( 0 );
maclobdell	0:f7c60d3e7b8a	727	}
maclobdell	0:f7c60d3e7b8a	728
maclobdell	0:f7c60d3e7b8a	729	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	730	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
maclobdell	0:f7c60d3e7b8a	731	( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
maclobdell	0:f7c60d3e7b8a	732	return( 0 );
maclobdell	0:f7c60d3e7b8a	733	#endif
maclobdell	0:f7c60d3e7b8a	734
maclobdell	0:f7c60d3e7b8a	735	#if defined(MBEDTLS_ARC4_C)
maclobdell	0:f7c60d3e7b8a	736	if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
maclobdell	0:f7c60d3e7b8a	737	suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
maclobdell	0:f7c60d3e7b8a	738	{
maclobdell	0:f7c60d3e7b8a	739	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
maclobdell	0:f7c60d3e7b8a	740	return( 0 );
maclobdell	0:f7c60d3e7b8a	741	}
maclobdell	0:f7c60d3e7b8a	742	#endif
maclobdell	0:f7c60d3e7b8a	743
maclobdell	0:f7c60d3e7b8a	744	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	745	if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
maclobdell	0:f7c60d3e7b8a	746	( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
maclobdell	0:f7c60d3e7b8a	747	{
maclobdell	0:f7c60d3e7b8a	748	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
maclobdell	0:f7c60d3e7b8a	749	"not configured or ext missing" ) );
maclobdell	0:f7c60d3e7b8a	750	return( 0 );
maclobdell	0:f7c60d3e7b8a	751	}
maclobdell	0:f7c60d3e7b8a	752	#endif
maclobdell	0:f7c60d3e7b8a	753
maclobdell	0:f7c60d3e7b8a	754
maclobdell	0:f7c60d3e7b8a	755	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
maclobdell	0:f7c60d3e7b8a	756	if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
maclobdell	0:f7c60d3e7b8a	757	( ssl->handshake->curves == NULL \|\|
maclobdell	0:f7c60d3e7b8a	758	ssl->handshake->curves[0] == NULL ) )
maclobdell	0:f7c60d3e7b8a	759	{
maclobdell	0:f7c60d3e7b8a	760	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
maclobdell	0:f7c60d3e7b8a	761	"no common elliptic curve" ) );
maclobdell	0:f7c60d3e7b8a	762	return( 0 );
maclobdell	0:f7c60d3e7b8a	763	}
maclobdell	0:f7c60d3e7b8a	764	#endif
maclobdell	0:f7c60d3e7b8a	765
maclobdell	0:f7c60d3e7b8a	766	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	767	/* If the ciphersuite requires a pre-shared key and we don't
maclobdell	0:f7c60d3e7b8a	768	* have one, skip it now rather than failing later */
maclobdell	0:f7c60d3e7b8a	769	if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
maclobdell	0:f7c60d3e7b8a	770	ssl->conf->f_psk == NULL &&
maclobdell	0:f7c60d3e7b8a	771	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
maclobdell	0:f7c60d3e7b8a	772	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
maclobdell	0:f7c60d3e7b8a	773	{
maclobdell	0:f7c60d3e7b8a	774	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
maclobdell	0:f7c60d3e7b8a	775	return( 0 );
maclobdell	0:f7c60d3e7b8a	776	}
maclobdell	0:f7c60d3e7b8a	777	#endif
maclobdell	0:f7c60d3e7b8a	778
maclobdell	0:f7c60d3e7b8a	779	#if defined(MBEDTLS_X509_CRT_PARSE_C)
maclobdell	0:f7c60d3e7b8a	780	/*
maclobdell	0:f7c60d3e7b8a	781	* Final check: if ciphersuite requires us to have a
maclobdell	0:f7c60d3e7b8a	782	* certificate/key of a particular type:
maclobdell	0:f7c60d3e7b8a	783	* - select the appropriate certificate if we have one, or
maclobdell	0:f7c60d3e7b8a	784	* - try the next ciphersuite if we don't
maclobdell	0:f7c60d3e7b8a	785	* This must be done last since we modify the key_cert list.
maclobdell	0:f7c60d3e7b8a	786	*/
maclobdell	0:f7c60d3e7b8a	787	if( ssl_pick_cert( ssl, suite_info ) != 0 )
maclobdell	0:f7c60d3e7b8a	788	{
maclobdell	0:f7c60d3e7b8a	789	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
maclobdell	0:f7c60d3e7b8a	790	"no suitable certificate" ) );
maclobdell	0:f7c60d3e7b8a	791	return( 0 );
maclobdell	0:f7c60d3e7b8a	792	}
maclobdell	0:f7c60d3e7b8a	793	#endif
maclobdell	0:f7c60d3e7b8a	794
maclobdell	0:f7c60d3e7b8a	795	*ciphersuite_info = suite_info;
maclobdell	0:f7c60d3e7b8a	796	return( 0 );
maclobdell	0:f7c60d3e7b8a	797	}
maclobdell	0:f7c60d3e7b8a	798
maclobdell	0:f7c60d3e7b8a	799	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
maclobdell	0:f7c60d3e7b8a	800	static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	801	{
maclobdell	0:f7c60d3e7b8a	802	int ret, got_common_suite;
maclobdell	0:f7c60d3e7b8a	803	unsigned int i, j;
maclobdell	0:f7c60d3e7b8a	804	size_t n;
maclobdell	0:f7c60d3e7b8a	805	unsigned int ciph_len, sess_len, chal_len;
maclobdell	0:f7c60d3e7b8a	806	unsigned char buf, p;
maclobdell	0:f7c60d3e7b8a	807	const int *ciphersuites;
maclobdell	0:f7c60d3e7b8a	808	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	809
maclobdell	0:f7c60d3e7b8a	810	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
maclobdell	0:f7c60d3e7b8a	811
maclobdell	0:f7c60d3e7b8a	812	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	813	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	814	{
maclobdell	0:f7c60d3e7b8a	815	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
maclobdell	0:f7c60d3e7b8a	816
maclobdell	0:f7c60d3e7b8a	817	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	818	return( ret );
maclobdell	0:f7c60d3e7b8a	819
maclobdell	0:f7c60d3e7b8a	820	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	821	}
maclobdell	0:f7c60d3e7b8a	822	#endif /* MBEDTLS_SSL_RENEGOTIATION */
maclobdell	0:f7c60d3e7b8a	823
maclobdell	0:f7c60d3e7b8a	824	buf = ssl->in_hdr;
maclobdell	0:f7c60d3e7b8a	825
maclobdell	0:f7c60d3e7b8a	826	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
maclobdell	0:f7c60d3e7b8a	827
maclobdell	0:f7c60d3e7b8a	828	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
maclobdell	0:f7c60d3e7b8a	829	buf[2] ) );
maclobdell	0:f7c60d3e7b8a	830	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
maclobdell	0:f7c60d3e7b8a	831	( ( buf[0] & 0x7F ) << 8 ) \| buf[1] ) );
maclobdell	0:f7c60d3e7b8a	832	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
maclobdell	0:f7c60d3e7b8a	833	buf[3], buf[4] ) );
maclobdell	0:f7c60d3e7b8a	834
maclobdell	0:f7c60d3e7b8a	835	/*
maclobdell	0:f7c60d3e7b8a	836	* SSLv2 Client Hello
maclobdell	0:f7c60d3e7b8a	837	*
maclobdell	0:f7c60d3e7b8a	838	* Record layer:
maclobdell	0:f7c60d3e7b8a	839	* 0 . 1 message length
maclobdell	0:f7c60d3e7b8a	840	*
maclobdell	0:f7c60d3e7b8a	841	* SSL layer:
maclobdell	0:f7c60d3e7b8a	842	* 2 . 2 message type
maclobdell	0:f7c60d3e7b8a	843	* 3 . 4 protocol version
maclobdell	0:f7c60d3e7b8a	844	*/
maclobdell	0:f7c60d3e7b8a	845	if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO \|\|
maclobdell	0:f7c60d3e7b8a	846	buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
maclobdell	0:f7c60d3e7b8a	847	{
maclobdell	0:f7c60d3e7b8a	848	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	849	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	850	}
maclobdell	0:f7c60d3e7b8a	851
maclobdell	0:f7c60d3e7b8a	852	n = ( ( buf[0] << 8 ) \| buf[1] ) & 0x7FFF;
maclobdell	0:f7c60d3e7b8a	853
maclobdell	0:f7c60d3e7b8a	854	if( n < 17 \|\| n > 512 )
maclobdell	0:f7c60d3e7b8a	855	{
maclobdell	0:f7c60d3e7b8a	856	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	857	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	858	}
maclobdell	0:f7c60d3e7b8a	859
maclobdell	0:f7c60d3e7b8a	860	ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
maclobdell	0:f7c60d3e7b8a	861	ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
maclobdell	0:f7c60d3e7b8a	862	? buf[4] : ssl->conf->max_minor_ver;
maclobdell	0:f7c60d3e7b8a	863
maclobdell	0:f7c60d3e7b8a	864	if( ssl->minor_ver < ssl->conf->min_minor_ver )
maclobdell	0:f7c60d3e7b8a	865	{
maclobdell	0:f7c60d3e7b8a	866	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
maclobdell	0:f7c60d3e7b8a	867	" [%d:%d] < [%d:%d]",
maclobdell	0:f7c60d3e7b8a	868	ssl->major_ver, ssl->minor_ver,
maclobdell	0:f7c60d3e7b8a	869	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
maclobdell	0:f7c60d3e7b8a	870
maclobdell	0:f7c60d3e7b8a	871	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
maclobdell	0:f7c60d3e7b8a	872	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
maclobdell	0:f7c60d3e7b8a	873	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
maclobdell	0:f7c60d3e7b8a	874	}
maclobdell	0:f7c60d3e7b8a	875
maclobdell	0:f7c60d3e7b8a	876	ssl->handshake->max_major_ver = buf[3];
maclobdell	0:f7c60d3e7b8a	877	ssl->handshake->max_minor_ver = buf[4];
maclobdell	0:f7c60d3e7b8a	878
maclobdell	0:f7c60d3e7b8a	879	if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	880	{
maclobdell	0:f7c60d3e7b8a	881	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
maclobdell	0:f7c60d3e7b8a	882	return( ret );
maclobdell	0:f7c60d3e7b8a	883	}
maclobdell	0:f7c60d3e7b8a	884
maclobdell	0:f7c60d3e7b8a	885	ssl->handshake->update_checksum( ssl, buf + 2, n );
maclobdell	0:f7c60d3e7b8a	886
maclobdell	0:f7c60d3e7b8a	887	buf = ssl->in_msg;
maclobdell	0:f7c60d3e7b8a	888	n = ssl->in_left - 5;
maclobdell	0:f7c60d3e7b8a	889
maclobdell	0:f7c60d3e7b8a	890	/*
maclobdell	0:f7c60d3e7b8a	891	* 0 . 1 ciphersuitelist length
maclobdell	0:f7c60d3e7b8a	892	* 2 . 3 session id length
maclobdell	0:f7c60d3e7b8a	893	* 4 . 5 challenge length
maclobdell	0:f7c60d3e7b8a	894	* 6 . .. ciphersuitelist
maclobdell	0:f7c60d3e7b8a	895	* .. . .. session id
maclobdell	0:f7c60d3e7b8a	896	* .. . .. challenge
maclobdell	0:f7c60d3e7b8a	897	*/
maclobdell	0:f7c60d3e7b8a	898	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
maclobdell	0:f7c60d3e7b8a	899
maclobdell	0:f7c60d3e7b8a	900	ciph_len = ( buf[0] << 8 ) \| buf[1];
maclobdell	0:f7c60d3e7b8a	901	sess_len = ( buf[2] << 8 ) \| buf[3];
maclobdell	0:f7c60d3e7b8a	902	chal_len = ( buf[4] << 8 ) \| buf[5];
maclobdell	0:f7c60d3e7b8a	903
maclobdell	0:f7c60d3e7b8a	904	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
maclobdell	0:f7c60d3e7b8a	905	ciph_len, sess_len, chal_len ) );
maclobdell	0:f7c60d3e7b8a	906
maclobdell	0:f7c60d3e7b8a	907	/*
maclobdell	0:f7c60d3e7b8a	908	* Make sure each parameter length is valid
maclobdell	0:f7c60d3e7b8a	909	*/
maclobdell	0:f7c60d3e7b8a	910	if( ciph_len < 3 \|\| ( ciph_len % 3 ) != 0 )
maclobdell	0:f7c60d3e7b8a	911	{
maclobdell	0:f7c60d3e7b8a	912	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	913	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	914	}
maclobdell	0:f7c60d3e7b8a	915
maclobdell	0:f7c60d3e7b8a	916	if( sess_len > 32 )
maclobdell	0:f7c60d3e7b8a	917	{
maclobdell	0:f7c60d3e7b8a	918	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	919	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	920	}
maclobdell	0:f7c60d3e7b8a	921
maclobdell	0:f7c60d3e7b8a	922	if( chal_len < 8 \|\| chal_len > 32 )
maclobdell	0:f7c60d3e7b8a	923	{
maclobdell	0:f7c60d3e7b8a	924	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	925	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	926	}
maclobdell	0:f7c60d3e7b8a	927
maclobdell	0:f7c60d3e7b8a	928	if( n != 6 + ciph_len + sess_len + chal_len )
maclobdell	0:f7c60d3e7b8a	929	{
maclobdell	0:f7c60d3e7b8a	930	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	931	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	932	}
maclobdell	0:f7c60d3e7b8a	933
maclobdell	0:f7c60d3e7b8a	934	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
maclobdell	0:f7c60d3e7b8a	935	buf + 6, ciph_len );
maclobdell	0:f7c60d3e7b8a	936	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
maclobdell	0:f7c60d3e7b8a	937	buf + 6 + ciph_len, sess_len );
maclobdell	0:f7c60d3e7b8a	938	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
maclobdell	0:f7c60d3e7b8a	939	buf + 6 + ciph_len + sess_len, chal_len );
maclobdell	0:f7c60d3e7b8a	940
maclobdell	0:f7c60d3e7b8a	941	p = buf + 6 + ciph_len;
maclobdell	0:f7c60d3e7b8a	942	ssl->session_negotiate->id_len = sess_len;
maclobdell	0:f7c60d3e7b8a	943	memset( ssl->session_negotiate->id, 0,
maclobdell	0:f7c60d3e7b8a	944	sizeof( ssl->session_negotiate->id ) );
maclobdell	0:f7c60d3e7b8a	945	memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
maclobdell	0:f7c60d3e7b8a	946
maclobdell	0:f7c60d3e7b8a	947	p += sess_len;
maclobdell	0:f7c60d3e7b8a	948	memset( ssl->handshake->randbytes, 0, 64 );
maclobdell	0:f7c60d3e7b8a	949	memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
maclobdell	0:f7c60d3e7b8a	950
maclobdell	0:f7c60d3e7b8a	951	/*
maclobdell	0:f7c60d3e7b8a	952	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
maclobdell	0:f7c60d3e7b8a	953	*/
maclobdell	0:f7c60d3e7b8a	954	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
maclobdell	0:f7c60d3e7b8a	955	{
maclobdell	0:f7c60d3e7b8a	956	if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
maclobdell	0:f7c60d3e7b8a	957	{
maclobdell	0:f7c60d3e7b8a	958	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
maclobdell	0:f7c60d3e7b8a	959	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	960	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
maclobdell	0:f7c60d3e7b8a	961	{
maclobdell	0:f7c60d3e7b8a	962	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
maclobdell	0:f7c60d3e7b8a	963	"during renegotiation" ) );
maclobdell	0:f7c60d3e7b8a	964
maclobdell	0:f7c60d3e7b8a	965	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	966	return( ret );
maclobdell	0:f7c60d3e7b8a	967
maclobdell	0:f7c60d3e7b8a	968	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	969	}
maclobdell	0:f7c60d3e7b8a	970	#endif /* MBEDTLS_SSL_RENEGOTIATION */
maclobdell	0:f7c60d3e7b8a	971	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
maclobdell	0:f7c60d3e7b8a	972	break;
maclobdell	0:f7c60d3e7b8a	973	}
maclobdell	0:f7c60d3e7b8a	974	}
maclobdell	0:f7c60d3e7b8a	975
maclobdell	0:f7c60d3e7b8a	976	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
maclobdell	0:f7c60d3e7b8a	977	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
maclobdell	0:f7c60d3e7b8a	978	{
maclobdell	0:f7c60d3e7b8a	979	if( p[0] == 0 &&
maclobdell	0:f7c60d3e7b8a	980	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
maclobdell	0:f7c60d3e7b8a	981	p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
maclobdell	0:f7c60d3e7b8a	982	{
maclobdell	0:f7c60d3e7b8a	983	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
maclobdell	0:f7c60d3e7b8a	984
maclobdell	0:f7c60d3e7b8a	985	if( ssl->minor_ver < ssl->conf->max_minor_ver )
maclobdell	0:f7c60d3e7b8a	986	{
maclobdell	0:f7c60d3e7b8a	987	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
maclobdell	0:f7c60d3e7b8a	988
maclobdell	0:f7c60d3e7b8a	989	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
maclobdell	0:f7c60d3e7b8a	990	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
maclobdell	0:f7c60d3e7b8a	991
maclobdell	0:f7c60d3e7b8a	992	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	993	}
maclobdell	0:f7c60d3e7b8a	994
maclobdell	0:f7c60d3e7b8a	995	break;
maclobdell	0:f7c60d3e7b8a	996	}
maclobdell	0:f7c60d3e7b8a	997	}
maclobdell	0:f7c60d3e7b8a	998	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
maclobdell	0:f7c60d3e7b8a	999
maclobdell	0:f7c60d3e7b8a	1000	got_common_suite = 0;
maclobdell	0:f7c60d3e7b8a	1001	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
maclobdell	0:f7c60d3e7b8a	1002	ciphersuite_info = NULL;
maclobdell	0:f7c60d3e7b8a	1003	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
maclobdell	0:f7c60d3e7b8a	1004	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
maclobdell	0:f7c60d3e7b8a	1005	{
maclobdell	0:f7c60d3e7b8a	1006	for( i = 0; ciphersuites[i] != 0; i++ )
maclobdell	0:f7c60d3e7b8a	1007	#else
maclobdell	0:f7c60d3e7b8a	1008	for( i = 0; ciphersuites[i] != 0; i++ )
maclobdell	0:f7c60d3e7b8a	1009	{
maclobdell	0:f7c60d3e7b8a	1010	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
maclobdell	0:f7c60d3e7b8a	1011	#endif
maclobdell	0:f7c60d3e7b8a	1012	{
maclobdell	0:f7c60d3e7b8a	1013	if( p[0] != 0 \|\|
maclobdell	0:f7c60d3e7b8a	1014	p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
maclobdell	0:f7c60d3e7b8a	1015	p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
maclobdell	0:f7c60d3e7b8a	1016	continue;
maclobdell	0:f7c60d3e7b8a	1017
maclobdell	0:f7c60d3e7b8a	1018	got_common_suite = 1;
maclobdell	0:f7c60d3e7b8a	1019
maclobdell	0:f7c60d3e7b8a	1020	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
maclobdell	0:f7c60d3e7b8a	1021	&ciphersuite_info ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	1022	return( ret );
maclobdell	0:f7c60d3e7b8a	1023
maclobdell	0:f7c60d3e7b8a	1024	if( ciphersuite_info != NULL )
maclobdell	0:f7c60d3e7b8a	1025	goto have_ciphersuite_v2;
maclobdell	0:f7c60d3e7b8a	1026	}
maclobdell	0:f7c60d3e7b8a	1027	}
maclobdell	0:f7c60d3e7b8a	1028
maclobdell	0:f7c60d3e7b8a	1029	if( got_common_suite )
maclobdell	0:f7c60d3e7b8a	1030	{
maclobdell	0:f7c60d3e7b8a	1031	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
maclobdell	0:f7c60d3e7b8a	1032	"but none of them usable" ) );
maclobdell	0:f7c60d3e7b8a	1033	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
maclobdell	0:f7c60d3e7b8a	1034	}
maclobdell	0:f7c60d3e7b8a	1035	else
maclobdell	0:f7c60d3e7b8a	1036	{
maclobdell	0:f7c60d3e7b8a	1037	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
maclobdell	0:f7c60d3e7b8a	1038	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
maclobdell	0:f7c60d3e7b8a	1039	}
maclobdell	0:f7c60d3e7b8a	1040
maclobdell	0:f7c60d3e7b8a	1041	have_ciphersuite_v2:
maclobdell	0:f7c60d3e7b8a	1042	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
maclobdell	0:f7c60d3e7b8a	1043
maclobdell	0:f7c60d3e7b8a	1044	ssl->session_negotiate->ciphersuite = ciphersuites[i];
maclobdell	0:f7c60d3e7b8a	1045	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	1046	mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
maclobdell	0:f7c60d3e7b8a	1047
maclobdell	0:f7c60d3e7b8a	1048	/*
maclobdell	0:f7c60d3e7b8a	1049	* SSLv2 Client Hello relevant renegotiation security checks
maclobdell	0:f7c60d3e7b8a	1050	*/
maclobdell	0:f7c60d3e7b8a	1051	if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
maclobdell	0:f7c60d3e7b8a	1052	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	1053	{
maclobdell	0:f7c60d3e7b8a	1054	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
maclobdell	0:f7c60d3e7b8a	1055
maclobdell	0:f7c60d3e7b8a	1056	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	1057	return( ret );
maclobdell	0:f7c60d3e7b8a	1058
maclobdell	0:f7c60d3e7b8a	1059	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1060	}
maclobdell	0:f7c60d3e7b8a	1061
maclobdell	0:f7c60d3e7b8a	1062	ssl->in_left = 0;
maclobdell	0:f7c60d3e7b8a	1063	ssl->state++;
maclobdell	0:f7c60d3e7b8a	1064
maclobdell	0:f7c60d3e7b8a	1065	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
maclobdell	0:f7c60d3e7b8a	1066
maclobdell	0:f7c60d3e7b8a	1067	return( 0 );
maclobdell	0:f7c60d3e7b8a	1068	}
maclobdell	0:f7c60d3e7b8a	1069	#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
maclobdell	0:f7c60d3e7b8a	1070
maclobdell	0:f7c60d3e7b8a	1071	static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	1072	{
maclobdell	0:f7c60d3e7b8a	1073	int ret, got_common_suite;
maclobdell	0:f7c60d3e7b8a	1074	size_t i, j;
maclobdell	0:f7c60d3e7b8a	1075	size_t ciph_offset, comp_offset, ext_offset;
maclobdell	0:f7c60d3e7b8a	1076	size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
maclobdell	0:f7c60d3e7b8a	1077	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1078	size_t cookie_offset, cookie_len;
maclobdell	0:f7c60d3e7b8a	1079	#endif
maclobdell	0:f7c60d3e7b8a	1080	unsigned char buf, p, *ext;
maclobdell	0:f7c60d3e7b8a	1081	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1082	int renegotiation_info_seen = 0;
maclobdell	0:f7c60d3e7b8a	1083	#endif
maclobdell	0:f7c60d3e7b8a	1084	int handshake_failure = 0;
maclobdell	0:f7c60d3e7b8a	1085	const int *ciphersuites;
maclobdell	0:f7c60d3e7b8a	1086	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	1087	int major, minor;
maclobdell	0:f7c60d3e7b8a	1088
maclobdell	0:f7c60d3e7b8a	1089	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
maclobdell	0:f7c60d3e7b8a	1090
maclobdell	0:f7c60d3e7b8a	1091	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
maclobdell	0:f7c60d3e7b8a	1092	read_record_header:
maclobdell	0:f7c60d3e7b8a	1093	#endif
maclobdell	0:f7c60d3e7b8a	1094	/*
maclobdell	0:f7c60d3e7b8a	1095	* If renegotiating, then the input was read with mbedtls_ssl_read_record(),
maclobdell	0:f7c60d3e7b8a	1096	* otherwise read it ourselves manually in order to support SSLv2
maclobdell	0:f7c60d3e7b8a	1097	* ClientHello, which doesn't use the same record layer format.
maclobdell	0:f7c60d3e7b8a	1098	*/
maclobdell	0:f7c60d3e7b8a	1099	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1100	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	1101	#endif
maclobdell	0:f7c60d3e7b8a	1102	{
maclobdell	0:f7c60d3e7b8a	1103	if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	1104	{
maclobdell	0:f7c60d3e7b8a	1105	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
maclobdell	0:f7c60d3e7b8a	1106	return( ret );
maclobdell	0:f7c60d3e7b8a	1107	}
maclobdell	0:f7c60d3e7b8a	1108	}
maclobdell	0:f7c60d3e7b8a	1109
maclobdell	0:f7c60d3e7b8a	1110	buf = ssl->in_hdr;
maclobdell	0:f7c60d3e7b8a	1111
maclobdell	0:f7c60d3e7b8a	1112	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
maclobdell	0:f7c60d3e7b8a	1113	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1114	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
maclobdell	0:f7c60d3e7b8a	1115	#endif
maclobdell	0:f7c60d3e7b8a	1116	if( ( buf[0] & 0x80 ) != 0 )
maclobdell	0:f7c60d3e7b8a	1117	return ssl_parse_client_hello_v2( ssl );
maclobdell	0:f7c60d3e7b8a	1118	#endif
maclobdell	0:f7c60d3e7b8a	1119
maclobdell	0:f7c60d3e7b8a	1120	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
maclobdell	0:f7c60d3e7b8a	1121
maclobdell	0:f7c60d3e7b8a	1122	/*
maclobdell	0:f7c60d3e7b8a	1123	* SSLv3/TLS Client Hello
maclobdell	0:f7c60d3e7b8a	1124	*
maclobdell	0:f7c60d3e7b8a	1125	* Record layer:
maclobdell	0:f7c60d3e7b8a	1126	* 0 . 0 message type
maclobdell	0:f7c60d3e7b8a	1127	* 1 . 2 protocol version
maclobdell	0:f7c60d3e7b8a	1128	* 3 . 11 DTLS: epoch + record sequence number
maclobdell	0:f7c60d3e7b8a	1129	* 3 . 4 message length
maclobdell	0:f7c60d3e7b8a	1130	*/
maclobdell	0:f7c60d3e7b8a	1131	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
maclobdell	0:f7c60d3e7b8a	1132	buf[0] ) );
maclobdell	0:f7c60d3e7b8a	1133
maclobdell	0:f7c60d3e7b8a	1134	if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	1135	{
maclobdell	0:f7c60d3e7b8a	1136	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1137	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1138	}
maclobdell	0:f7c60d3e7b8a	1139
maclobdell	0:f7c60d3e7b8a	1140	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
maclobdell	0:f7c60d3e7b8a	1141	( ssl->in_len[0] << 8 ) \| ssl->in_len[1] ) );
maclobdell	0:f7c60d3e7b8a	1142
maclobdell	0:f7c60d3e7b8a	1143	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
maclobdell	0:f7c60d3e7b8a	1144	buf[1], buf[2] ) );
maclobdell	0:f7c60d3e7b8a	1145
maclobdell	0:f7c60d3e7b8a	1146	mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
maclobdell	0:f7c60d3e7b8a	1147
maclobdell	0:f7c60d3e7b8a	1148	/* According to RFC 5246 Appendix E.1, the version here is typically
maclobdell	0:f7c60d3e7b8a	1149	* "{03,00}, the lowest version number supported by the client, [or] the
maclobdell	0:f7c60d3e7b8a	1150	* value of ClientHello.client_version", so the only meaningful check here
maclobdell	0:f7c60d3e7b8a	1151	* is the major version shouldn't be less than 3 */
maclobdell	0:f7c60d3e7b8a	1152	if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
maclobdell	0:f7c60d3e7b8a	1153	{
maclobdell	0:f7c60d3e7b8a	1154	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1155	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1156	}
maclobdell	0:f7c60d3e7b8a	1157
maclobdell	0:f7c60d3e7b8a	1158	/* For DTLS if this is the initial handshake, remember the client sequence
maclobdell	0:f7c60d3e7b8a	1159	* number to use it in our next message (RFC 6347 4.2.1) */
maclobdell	0:f7c60d3e7b8a	1160	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1161	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
maclobdell	0:f7c60d3e7b8a	1162	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1163	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
maclobdell	0:f7c60d3e7b8a	1164	#endif
maclobdell	0:f7c60d3e7b8a	1165	)
maclobdell	0:f7c60d3e7b8a	1166	{
maclobdell	0:f7c60d3e7b8a	1167	/* Epoch should be 0 for initial handshakes */
maclobdell	0:f7c60d3e7b8a	1168	if( ssl->in_ctr[0] != 0 \|\| ssl->in_ctr[1] != 0 )
maclobdell	0:f7c60d3e7b8a	1169	{
maclobdell	0:f7c60d3e7b8a	1170	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1171	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1172	}
maclobdell	0:f7c60d3e7b8a	1173
maclobdell	0:f7c60d3e7b8a	1174	memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
maclobdell	0:f7c60d3e7b8a	1175
maclobdell	0:f7c60d3e7b8a	1176	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
maclobdell	0:f7c60d3e7b8a	1177	if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
maclobdell	0:f7c60d3e7b8a	1178	{
maclobdell	0:f7c60d3e7b8a	1179	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
maclobdell	0:f7c60d3e7b8a	1180	ssl->next_record_offset = 0;
maclobdell	0:f7c60d3e7b8a	1181	ssl->in_left = 0;
maclobdell	0:f7c60d3e7b8a	1182	goto read_record_header;
maclobdell	0:f7c60d3e7b8a	1183	}
maclobdell	0:f7c60d3e7b8a	1184
maclobdell	0:f7c60d3e7b8a	1185	/* No MAC to check yet, so we can update right now */
maclobdell	0:f7c60d3e7b8a	1186	mbedtls_ssl_dtls_replay_update( ssl );
maclobdell	0:f7c60d3e7b8a	1187	#endif
maclobdell	0:f7c60d3e7b8a	1188	}
maclobdell	0:f7c60d3e7b8a	1189	#endif /* MBEDTLS_SSL_PROTO_DTLS */
maclobdell	0:f7c60d3e7b8a	1190
maclobdell	0:f7c60d3e7b8a	1191	msg_len = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
maclobdell	0:f7c60d3e7b8a	1192
maclobdell	0:f7c60d3e7b8a	1193	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1194	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	1195	{
maclobdell	0:f7c60d3e7b8a	1196	/* Set by mbedtls_ssl_read_record() */
maclobdell	0:f7c60d3e7b8a	1197	msg_len = ssl->in_hslen;
maclobdell	0:f7c60d3e7b8a	1198	}
maclobdell	0:f7c60d3e7b8a	1199	else
maclobdell	0:f7c60d3e7b8a	1200	#endif
maclobdell	0:f7c60d3e7b8a	1201	{
maclobdell	0:f7c60d3e7b8a	1202	if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
maclobdell	0:f7c60d3e7b8a	1203	{
maclobdell	0:f7c60d3e7b8a	1204	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1205	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1206	}
maclobdell	0:f7c60d3e7b8a	1207
maclobdell	0:f7c60d3e7b8a	1208	if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	1209	{
maclobdell	0:f7c60d3e7b8a	1210	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
maclobdell	0:f7c60d3e7b8a	1211	return( ret );
maclobdell	0:f7c60d3e7b8a	1212	}
maclobdell	0:f7c60d3e7b8a	1213
maclobdell	0:f7c60d3e7b8a	1214	/* Done reading this record, get ready for the next one */
maclobdell	0:f7c60d3e7b8a	1215	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1216	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
maclobdell	0:f7c60d3e7b8a	1217	ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
maclobdell	0:f7c60d3e7b8a	1218	else
maclobdell	0:f7c60d3e7b8a	1219	#endif
maclobdell	0:f7c60d3e7b8a	1220	ssl->in_left = 0;
maclobdell	0:f7c60d3e7b8a	1221	}
maclobdell	0:f7c60d3e7b8a	1222
maclobdell	0:f7c60d3e7b8a	1223	buf = ssl->in_msg;
maclobdell	0:f7c60d3e7b8a	1224
maclobdell	0:f7c60d3e7b8a	1225	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
maclobdell	0:f7c60d3e7b8a	1226
maclobdell	0:f7c60d3e7b8a	1227	ssl->handshake->update_checksum( ssl, buf, msg_len );
maclobdell	0:f7c60d3e7b8a	1228
maclobdell	0:f7c60d3e7b8a	1229	/*
maclobdell	0:f7c60d3e7b8a	1230	* Handshake layer:
maclobdell	0:f7c60d3e7b8a	1231	* 0 . 0 handshake type
maclobdell	0:f7c60d3e7b8a	1232	* 1 . 3 handshake length
maclobdell	0:f7c60d3e7b8a	1233	* 4 . 5 DTLS only: message seqence number
maclobdell	0:f7c60d3e7b8a	1234	* 6 . 8 DTLS only: fragment offset
maclobdell	0:f7c60d3e7b8a	1235	* 9 . 11 DTLS only: fragment length
maclobdell	0:f7c60d3e7b8a	1236	*/
maclobdell	0:f7c60d3e7b8a	1237	if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
maclobdell	0:f7c60d3e7b8a	1238	{
maclobdell	0:f7c60d3e7b8a	1239	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1240	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1241	}
maclobdell	0:f7c60d3e7b8a	1242
maclobdell	0:f7c60d3e7b8a	1243	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
maclobdell	0:f7c60d3e7b8a	1244
maclobdell	0:f7c60d3e7b8a	1245	if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
maclobdell	0:f7c60d3e7b8a	1246	{
maclobdell	0:f7c60d3e7b8a	1247	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1248	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1249	}
maclobdell	0:f7c60d3e7b8a	1250
maclobdell	0:f7c60d3e7b8a	1251	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
maclobdell	0:f7c60d3e7b8a	1252	( buf[1] << 16 ) \| ( buf[2] << 8 ) \| buf[3] ) );
maclobdell	0:f7c60d3e7b8a	1253
maclobdell	0:f7c60d3e7b8a	1254	/* We don't support fragmentation of ClientHello (yet?) */
maclobdell	0:f7c60d3e7b8a	1255	if( buf[1] != 0 \|\|
maclobdell	0:f7c60d3e7b8a	1256	msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) \| buf[3] ) )
maclobdell	0:f7c60d3e7b8a	1257	{
maclobdell	0:f7c60d3e7b8a	1258	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1259	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1260	}
maclobdell	0:f7c60d3e7b8a	1261
maclobdell	0:f7c60d3e7b8a	1262	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1263	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
maclobdell	0:f7c60d3e7b8a	1264	{
maclobdell	0:f7c60d3e7b8a	1265	/*
maclobdell	0:f7c60d3e7b8a	1266	* Copy the client's handshake message_seq on initial handshakes,
maclobdell	0:f7c60d3e7b8a	1267	* check sequence number on renego.
maclobdell	0:f7c60d3e7b8a	1268	*/
maclobdell	0:f7c60d3e7b8a	1269	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1270	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
maclobdell	0:f7c60d3e7b8a	1271	{
maclobdell	0:f7c60d3e7b8a	1272	/* This couldn't be done in ssl_prepare_handshake_record() */
maclobdell	0:f7c60d3e7b8a	1273	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
maclobdell	0:f7c60d3e7b8a	1274	ssl->in_msg[5];
maclobdell	0:f7c60d3e7b8a	1275
maclobdell	0:f7c60d3e7b8a	1276	if( cli_msg_seq != ssl->handshake->in_msg_seq )
maclobdell	0:f7c60d3e7b8a	1277	{
maclobdell	0:f7c60d3e7b8a	1278	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
maclobdell	0:f7c60d3e7b8a	1279	"%d (expected %d)", cli_msg_seq,
maclobdell	0:f7c60d3e7b8a	1280	ssl->handshake->in_msg_seq ) );
maclobdell	0:f7c60d3e7b8a	1281	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1282	}
maclobdell	0:f7c60d3e7b8a	1283
maclobdell	0:f7c60d3e7b8a	1284	ssl->handshake->in_msg_seq++;
maclobdell	0:f7c60d3e7b8a	1285	}
maclobdell	0:f7c60d3e7b8a	1286	else
maclobdell	0:f7c60d3e7b8a	1287	#endif
maclobdell	0:f7c60d3e7b8a	1288	{
maclobdell	0:f7c60d3e7b8a	1289	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
maclobdell	0:f7c60d3e7b8a	1290	ssl->in_msg[5];
maclobdell	0:f7c60d3e7b8a	1291	ssl->handshake->out_msg_seq = cli_msg_seq;
maclobdell	0:f7c60d3e7b8a	1292	ssl->handshake->in_msg_seq = cli_msg_seq + 1;
maclobdell	0:f7c60d3e7b8a	1293	}
maclobdell	0:f7c60d3e7b8a	1294
maclobdell	0:f7c60d3e7b8a	1295	/*
maclobdell	0:f7c60d3e7b8a	1296	* For now we don't support fragmentation, so make sure
maclobdell	0:f7c60d3e7b8a	1297	* fragment_offset == 0 and fragment_length == length
maclobdell	0:f7c60d3e7b8a	1298	*/
maclobdell	0:f7c60d3e7b8a	1299	if( ssl->in_msg[6] != 0 \|\| ssl->in_msg[7] != 0 \|\| ssl->in_msg[8] != 0 \|\|
maclobdell	0:f7c60d3e7b8a	1300	memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
maclobdell	0:f7c60d3e7b8a	1301	{
maclobdell	0:f7c60d3e7b8a	1302	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
maclobdell	0:f7c60d3e7b8a	1303	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
maclobdell	0:f7c60d3e7b8a	1304	}
maclobdell	0:f7c60d3e7b8a	1305	}
maclobdell	0:f7c60d3e7b8a	1306	#endif /* MBEDTLS_SSL_PROTO_DTLS */
maclobdell	0:f7c60d3e7b8a	1307
maclobdell	0:f7c60d3e7b8a	1308	buf += mbedtls_ssl_hs_hdr_len( ssl );
maclobdell	0:f7c60d3e7b8a	1309	msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
maclobdell	0:f7c60d3e7b8a	1310
maclobdell	0:f7c60d3e7b8a	1311	/*
maclobdell	0:f7c60d3e7b8a	1312	* ClientHello layer:
maclobdell	0:f7c60d3e7b8a	1313	* 0 . 1 protocol version
maclobdell	0:f7c60d3e7b8a	1314	* 2 . 33 random bytes (starting with 4 bytes of Unix time)
maclobdell	0:f7c60d3e7b8a	1315	* 34 . 35 session id length (1 byte)
maclobdell	0:f7c60d3e7b8a	1316	* 35 . 34+x session id
maclobdell	0:f7c60d3e7b8a	1317	* 35+x . 35+x DTLS only: cookie length (1 byte)
maclobdell	0:f7c60d3e7b8a	1318	* 36+x . .. DTLS only: cookie
maclobdell	0:f7c60d3e7b8a	1319	* .. . .. ciphersuite list length (2 bytes)
maclobdell	0:f7c60d3e7b8a	1320	* .. . .. ciphersuite list
maclobdell	0:f7c60d3e7b8a	1321	* .. . .. compression alg. list length (1 byte)
maclobdell	0:f7c60d3e7b8a	1322	* .. . .. compression alg. list
maclobdell	0:f7c60d3e7b8a	1323	* .. . .. extensions length (2 bytes, optional)
maclobdell	0:f7c60d3e7b8a	1324	* .. . .. extensions (optional)
maclobdell	0:f7c60d3e7b8a	1325	*/
maclobdell	0:f7c60d3e7b8a	1326
maclobdell	0:f7c60d3e7b8a	1327	/*
maclobdell	0:f7c60d3e7b8a	1328	* Minimal length (with everything empty and extensions ommitted) is
maclobdell	0:f7c60d3e7b8a	1329	* 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
maclobdell	0:f7c60d3e7b8a	1330	* read at least up to session id length without worrying.
maclobdell	0:f7c60d3e7b8a	1331	*/
maclobdell	0:f7c60d3e7b8a	1332	if( msg_len < 38 )
maclobdell	0:f7c60d3e7b8a	1333	{
maclobdell	0:f7c60d3e7b8a	1334	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1335	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1336	}
maclobdell	0:f7c60d3e7b8a	1337
maclobdell	0:f7c60d3e7b8a	1338	/*
maclobdell	0:f7c60d3e7b8a	1339	* Check and save the protocol version
maclobdell	0:f7c60d3e7b8a	1340	*/
maclobdell	0:f7c60d3e7b8a	1341	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
maclobdell	0:f7c60d3e7b8a	1342
maclobdell	0:f7c60d3e7b8a	1343	mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
maclobdell	0:f7c60d3e7b8a	1344	ssl->conf->transport, buf );
maclobdell	0:f7c60d3e7b8a	1345
maclobdell	0:f7c60d3e7b8a	1346	ssl->handshake->max_major_ver = ssl->major_ver;
maclobdell	0:f7c60d3e7b8a	1347	ssl->handshake->max_minor_ver = ssl->minor_ver;
maclobdell	0:f7c60d3e7b8a	1348
maclobdell	0:f7c60d3e7b8a	1349	if( ssl->major_ver < ssl->conf->min_major_ver \|\|
maclobdell	0:f7c60d3e7b8a	1350	ssl->minor_ver < ssl->conf->min_minor_ver )
maclobdell	0:f7c60d3e7b8a	1351	{
maclobdell	0:f7c60d3e7b8a	1352	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
maclobdell	0:f7c60d3e7b8a	1353	" [%d:%d] < [%d:%d]",
maclobdell	0:f7c60d3e7b8a	1354	ssl->major_ver, ssl->minor_ver,
maclobdell	0:f7c60d3e7b8a	1355	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
maclobdell	0:f7c60d3e7b8a	1356
maclobdell	0:f7c60d3e7b8a	1357	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
maclobdell	0:f7c60d3e7b8a	1358	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
maclobdell	0:f7c60d3e7b8a	1359
maclobdell	0:f7c60d3e7b8a	1360	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
maclobdell	0:f7c60d3e7b8a	1361	}
maclobdell	0:f7c60d3e7b8a	1362
maclobdell	0:f7c60d3e7b8a	1363	if( ssl->major_ver > ssl->conf->max_major_ver )
maclobdell	0:f7c60d3e7b8a	1364	{
maclobdell	0:f7c60d3e7b8a	1365	ssl->major_ver = ssl->conf->max_major_ver;
maclobdell	0:f7c60d3e7b8a	1366	ssl->minor_ver = ssl->conf->max_minor_ver;
maclobdell	0:f7c60d3e7b8a	1367	}
maclobdell	0:f7c60d3e7b8a	1368	else if( ssl->minor_ver > ssl->conf->max_minor_ver )
maclobdell	0:f7c60d3e7b8a	1369	ssl->minor_ver = ssl->conf->max_minor_ver;
maclobdell	0:f7c60d3e7b8a	1370
maclobdell	0:f7c60d3e7b8a	1371	/*
maclobdell	0:f7c60d3e7b8a	1372	* Save client random (inc. Unix time)
maclobdell	0:f7c60d3e7b8a	1373	*/
maclobdell	0:f7c60d3e7b8a	1374	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
maclobdell	0:f7c60d3e7b8a	1375
maclobdell	0:f7c60d3e7b8a	1376	memcpy( ssl->handshake->randbytes, buf + 2, 32 );
maclobdell	0:f7c60d3e7b8a	1377
maclobdell	0:f7c60d3e7b8a	1378	/*
maclobdell	0:f7c60d3e7b8a	1379	* Check the session ID length and save session ID
maclobdell	0:f7c60d3e7b8a	1380	*/
maclobdell	0:f7c60d3e7b8a	1381	sess_len = buf[34];
maclobdell	0:f7c60d3e7b8a	1382
maclobdell	0:f7c60d3e7b8a	1383	if( sess_len > sizeof( ssl->session_negotiate->id ) \|\|
maclobdell	0:f7c60d3e7b8a	1384	sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
maclobdell	0:f7c60d3e7b8a	1385	{
maclobdell	0:f7c60d3e7b8a	1386	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1387	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1388	}
maclobdell	0:f7c60d3e7b8a	1389
maclobdell	0:f7c60d3e7b8a	1390	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
maclobdell	0:f7c60d3e7b8a	1391
maclobdell	0:f7c60d3e7b8a	1392	ssl->session_negotiate->id_len = sess_len;
maclobdell	0:f7c60d3e7b8a	1393	memset( ssl->session_negotiate->id, 0,
maclobdell	0:f7c60d3e7b8a	1394	sizeof( ssl->session_negotiate->id ) );
maclobdell	0:f7c60d3e7b8a	1395	memcpy( ssl->session_negotiate->id, buf + 35,
maclobdell	0:f7c60d3e7b8a	1396	ssl->session_negotiate->id_len );
maclobdell	0:f7c60d3e7b8a	1397
maclobdell	0:f7c60d3e7b8a	1398	/*
maclobdell	0:f7c60d3e7b8a	1399	* Check the cookie length and content
maclobdell	0:f7c60d3e7b8a	1400	*/
maclobdell	0:f7c60d3e7b8a	1401	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1402	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
maclobdell	0:f7c60d3e7b8a	1403	{
maclobdell	0:f7c60d3e7b8a	1404	cookie_offset = 35 + sess_len;
maclobdell	0:f7c60d3e7b8a	1405	cookie_len = buf[cookie_offset];
maclobdell	0:f7c60d3e7b8a	1406
maclobdell	0:f7c60d3e7b8a	1407	if( cookie_offset + 1 + cookie_len + 2 > msg_len )
maclobdell	0:f7c60d3e7b8a	1408	{
maclobdell	0:f7c60d3e7b8a	1409	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1410	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1411	}
maclobdell	0:f7c60d3e7b8a	1412
maclobdell	0:f7c60d3e7b8a	1413	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
maclobdell	0:f7c60d3e7b8a	1414	buf + cookie_offset + 1, cookie_len );
maclobdell	0:f7c60d3e7b8a	1415
maclobdell	0:f7c60d3e7b8a	1416	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
maclobdell	0:f7c60d3e7b8a	1417	if( ssl->conf->f_cookie_check != NULL
maclobdell	0:f7c60d3e7b8a	1418	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1419	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
maclobdell	0:f7c60d3e7b8a	1420	#endif
maclobdell	0:f7c60d3e7b8a	1421	)
maclobdell	0:f7c60d3e7b8a	1422	{
maclobdell	0:f7c60d3e7b8a	1423	if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
maclobdell	0:f7c60d3e7b8a	1424	buf + cookie_offset + 1, cookie_len,
maclobdell	0:f7c60d3e7b8a	1425	ssl->cli_id, ssl->cli_id_len ) != 0 )
maclobdell	0:f7c60d3e7b8a	1426	{
maclobdell	0:f7c60d3e7b8a	1427	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
maclobdell	0:f7c60d3e7b8a	1428	ssl->handshake->verify_cookie_len = 1;
maclobdell	0:f7c60d3e7b8a	1429	}
maclobdell	0:f7c60d3e7b8a	1430	else
maclobdell	0:f7c60d3e7b8a	1431	{
maclobdell	0:f7c60d3e7b8a	1432	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
maclobdell	0:f7c60d3e7b8a	1433	ssl->handshake->verify_cookie_len = 0;
maclobdell	0:f7c60d3e7b8a	1434	}
maclobdell	0:f7c60d3e7b8a	1435	}
maclobdell	0:f7c60d3e7b8a	1436	else
maclobdell	0:f7c60d3e7b8a	1437	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
maclobdell	0:f7c60d3e7b8a	1438	{
maclobdell	0:f7c60d3e7b8a	1439	/* We know we didn't send a cookie, so it should be empty */
maclobdell	0:f7c60d3e7b8a	1440	if( cookie_len != 0 )
maclobdell	0:f7c60d3e7b8a	1441	{
maclobdell	0:f7c60d3e7b8a	1442	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1443	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1444	}
maclobdell	0:f7c60d3e7b8a	1445
maclobdell	0:f7c60d3e7b8a	1446	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
maclobdell	0:f7c60d3e7b8a	1447	}
maclobdell	0:f7c60d3e7b8a	1448
maclobdell	0:f7c60d3e7b8a	1449	/*
maclobdell	0:f7c60d3e7b8a	1450	* Check the ciphersuitelist length (will be parsed later)
maclobdell	0:f7c60d3e7b8a	1451	*/
maclobdell	0:f7c60d3e7b8a	1452	ciph_offset = cookie_offset + 1 + cookie_len;
maclobdell	0:f7c60d3e7b8a	1453	}
maclobdell	0:f7c60d3e7b8a	1454	else
maclobdell	0:f7c60d3e7b8a	1455	#endif /* MBEDTLS_SSL_PROTO_DTLS */
maclobdell	0:f7c60d3e7b8a	1456	ciph_offset = 35 + sess_len;
maclobdell	0:f7c60d3e7b8a	1457
maclobdell	0:f7c60d3e7b8a	1458	ciph_len = ( buf[ciph_offset + 0] << 8 )
maclobdell	0:f7c60d3e7b8a	1459	\| ( buf[ciph_offset + 1] );
maclobdell	0:f7c60d3e7b8a	1460
maclobdell	0:f7c60d3e7b8a	1461	if( ciph_len < 2 \|\|
maclobdell	0:f7c60d3e7b8a	1462	ciph_len + 2 + ciph_offset + 1 > msg_len \|\| /* 1 for comp. alg. len */
maclobdell	0:f7c60d3e7b8a	1463	( ciph_len % 2 ) != 0 )
maclobdell	0:f7c60d3e7b8a	1464	{
maclobdell	0:f7c60d3e7b8a	1465	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1466	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1467	}
maclobdell	0:f7c60d3e7b8a	1468
maclobdell	0:f7c60d3e7b8a	1469	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
maclobdell	0:f7c60d3e7b8a	1470	buf + ciph_offset + 2, ciph_len );
maclobdell	0:f7c60d3e7b8a	1471
maclobdell	0:f7c60d3e7b8a	1472	/*
maclobdell	0:f7c60d3e7b8a	1473	* Check the compression algorithms length and pick one
maclobdell	0:f7c60d3e7b8a	1474	*/
maclobdell	0:f7c60d3e7b8a	1475	comp_offset = ciph_offset + 2 + ciph_len;
maclobdell	0:f7c60d3e7b8a	1476
maclobdell	0:f7c60d3e7b8a	1477	comp_len = buf[comp_offset];
maclobdell	0:f7c60d3e7b8a	1478
maclobdell	0:f7c60d3e7b8a	1479	if( comp_len < 1 \|\|
maclobdell	0:f7c60d3e7b8a	1480	comp_len > 16 \|\|
maclobdell	0:f7c60d3e7b8a	1481	comp_len + comp_offset + 1 > msg_len )
maclobdell	0:f7c60d3e7b8a	1482	{
maclobdell	0:f7c60d3e7b8a	1483	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1484	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1485	}
maclobdell	0:f7c60d3e7b8a	1486
maclobdell	0:f7c60d3e7b8a	1487	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
maclobdell	0:f7c60d3e7b8a	1488	buf + comp_offset + 1, comp_len );
maclobdell	0:f7c60d3e7b8a	1489
maclobdell	0:f7c60d3e7b8a	1490	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
maclobdell	0:f7c60d3e7b8a	1491	#if defined(MBEDTLS_ZLIB_SUPPORT)
maclobdell	0:f7c60d3e7b8a	1492	for( i = 0; i < comp_len; ++i )
maclobdell	0:f7c60d3e7b8a	1493	{
maclobdell	0:f7c60d3e7b8a	1494	if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
maclobdell	0:f7c60d3e7b8a	1495	{
maclobdell	0:f7c60d3e7b8a	1496	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
maclobdell	0:f7c60d3e7b8a	1497	break;
maclobdell	0:f7c60d3e7b8a	1498	}
maclobdell	0:f7c60d3e7b8a	1499	}
maclobdell	0:f7c60d3e7b8a	1500	#endif
maclobdell	0:f7c60d3e7b8a	1501
maclobdell	0:f7c60d3e7b8a	1502	/* See comments in ssl_write_client_hello() */
maclobdell	0:f7c60d3e7b8a	1503	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1504	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
maclobdell	0:f7c60d3e7b8a	1505	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
maclobdell	0:f7c60d3e7b8a	1506	#endif
maclobdell	0:f7c60d3e7b8a	1507
maclobdell	0:f7c60d3e7b8a	1508	/*
maclobdell	0:f7c60d3e7b8a	1509	* Check the extension length
maclobdell	0:f7c60d3e7b8a	1510	*/
maclobdell	0:f7c60d3e7b8a	1511	ext_offset = comp_offset + 1 + comp_len;
maclobdell	0:f7c60d3e7b8a	1512	if( msg_len > ext_offset )
maclobdell	0:f7c60d3e7b8a	1513	{
maclobdell	0:f7c60d3e7b8a	1514	if( msg_len < ext_offset + 2 )
maclobdell	0:f7c60d3e7b8a	1515	{
maclobdell	0:f7c60d3e7b8a	1516	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1517	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1518	}
maclobdell	0:f7c60d3e7b8a	1519
maclobdell	0:f7c60d3e7b8a	1520	ext_len = ( buf[ext_offset + 0] << 8 )
maclobdell	0:f7c60d3e7b8a	1521	\| ( buf[ext_offset + 1] );
maclobdell	0:f7c60d3e7b8a	1522
maclobdell	0:f7c60d3e7b8a	1523	if( ( ext_len > 0 && ext_len < 4 ) \|\|
maclobdell	0:f7c60d3e7b8a	1524	msg_len != ext_offset + 2 + ext_len )
maclobdell	0:f7c60d3e7b8a	1525	{
maclobdell	0:f7c60d3e7b8a	1526	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1527	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1528	}
maclobdell	0:f7c60d3e7b8a	1529	}
maclobdell	0:f7c60d3e7b8a	1530	else
maclobdell	0:f7c60d3e7b8a	1531	ext_len = 0;
maclobdell	0:f7c60d3e7b8a	1532
maclobdell	0:f7c60d3e7b8a	1533	ext = buf + ext_offset + 2;
maclobdell	0:f7c60d3e7b8a	1534	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
maclobdell	0:f7c60d3e7b8a	1535
maclobdell	0:f7c60d3e7b8a	1536	while( ext_len != 0 )
maclobdell	0:f7c60d3e7b8a	1537	{
maclobdell	0:f7c60d3e7b8a	1538	unsigned int ext_id = ( ( ext[0] << 8 )
maclobdell	0:f7c60d3e7b8a	1539	\| ( ext[1] ) );
maclobdell	0:f7c60d3e7b8a	1540	unsigned int ext_size = ( ( ext[2] << 8 )
maclobdell	0:f7c60d3e7b8a	1541	\| ( ext[3] ) );
maclobdell	0:f7c60d3e7b8a	1542
maclobdell	0:f7c60d3e7b8a	1543	if( ext_size + 4 > ext_len )
maclobdell	0:f7c60d3e7b8a	1544	{
maclobdell	0:f7c60d3e7b8a	1545	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1546	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1547	}
maclobdell	0:f7c60d3e7b8a	1548	switch( ext_id )
maclobdell	0:f7c60d3e7b8a	1549	{
maclobdell	0:f7c60d3e7b8a	1550	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
maclobdell	0:f7c60d3e7b8a	1551	case MBEDTLS_TLS_EXT_SERVERNAME:
maclobdell	0:f7c60d3e7b8a	1552	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
maclobdell	0:f7c60d3e7b8a	1553	if( ssl->conf->f_sni == NULL )
maclobdell	0:f7c60d3e7b8a	1554	break;
maclobdell	0:f7c60d3e7b8a	1555
maclobdell	0:f7c60d3e7b8a	1556	ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1557	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1558	return( ret );
maclobdell	0:f7c60d3e7b8a	1559	break;
maclobdell	0:f7c60d3e7b8a	1560	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
maclobdell	0:f7c60d3e7b8a	1561
maclobdell	0:f7c60d3e7b8a	1562	case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
maclobdell	0:f7c60d3e7b8a	1563	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
maclobdell	0:f7c60d3e7b8a	1564	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1565	renegotiation_info_seen = 1;
maclobdell	0:f7c60d3e7b8a	1566	#endif
maclobdell	0:f7c60d3e7b8a	1567
maclobdell	0:f7c60d3e7b8a	1568	ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1569	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1570	return( ret );
maclobdell	0:f7c60d3e7b8a	1571	break;
maclobdell	0:f7c60d3e7b8a	1572
maclobdell	0:f7c60d3e7b8a	1573	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
maclobdell	0:f7c60d3e7b8a	1574	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
maclobdell	0:f7c60d3e7b8a	1575	case MBEDTLS_TLS_EXT_SIG_ALG:
maclobdell	0:f7c60d3e7b8a	1576	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
maclobdell	0:f7c60d3e7b8a	1577	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1578	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
maclobdell	0:f7c60d3e7b8a	1579	break;
maclobdell	0:f7c60d3e7b8a	1580	#endif
maclobdell	0:f7c60d3e7b8a	1581
maclobdell	0:f7c60d3e7b8a	1582	ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1583	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1584	return( ret );
maclobdell	0:f7c60d3e7b8a	1585	break;
maclobdell	0:f7c60d3e7b8a	1586	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
maclobdell	0:f7c60d3e7b8a	1587	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
maclobdell	0:f7c60d3e7b8a	1588
maclobdell	0:f7c60d3e7b8a	1589	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
maclobdell	0:f7c60d3e7b8a	1590	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	1591	case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
maclobdell	0:f7c60d3e7b8a	1592	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
maclobdell	0:f7c60d3e7b8a	1593
maclobdell	0:f7c60d3e7b8a	1594	ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1595	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1596	return( ret );
maclobdell	0:f7c60d3e7b8a	1597	break;
maclobdell	0:f7c60d3e7b8a	1598
maclobdell	0:f7c60d3e7b8a	1599	case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
maclobdell	0:f7c60d3e7b8a	1600	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
maclobdell	0:f7c60d3e7b8a	1601	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
maclobdell	0:f7c60d3e7b8a	1602
maclobdell	0:f7c60d3e7b8a	1603	ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1604	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1605	return( ret );
maclobdell	0:f7c60d3e7b8a	1606	break;
maclobdell	0:f7c60d3e7b8a	1607	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
maclobdell	0:f7c60d3e7b8a	1608	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	1609
maclobdell	0:f7c60d3e7b8a	1610	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	1611	case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
maclobdell	0:f7c60d3e7b8a	1612	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
maclobdell	0:f7c60d3e7b8a	1613
maclobdell	0:f7c60d3e7b8a	1614	ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1615	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1616	return( ret );
maclobdell	0:f7c60d3e7b8a	1617	break;
maclobdell	0:f7c60d3e7b8a	1618	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	1619
maclobdell	0:f7c60d3e7b8a	1620	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
maclobdell	0:f7c60d3e7b8a	1621	case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
maclobdell	0:f7c60d3e7b8a	1622	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
maclobdell	0:f7c60d3e7b8a	1623
maclobdell	0:f7c60d3e7b8a	1624	ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1625	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1626	return( ret );
maclobdell	0:f7c60d3e7b8a	1627	break;
maclobdell	0:f7c60d3e7b8a	1628	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
maclobdell	0:f7c60d3e7b8a	1629
maclobdell	0:f7c60d3e7b8a	1630	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
maclobdell	0:f7c60d3e7b8a	1631	case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
maclobdell	0:f7c60d3e7b8a	1632	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
maclobdell	0:f7c60d3e7b8a	1633
maclobdell	0:f7c60d3e7b8a	1634	ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1635	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1636	return( ret );
maclobdell	0:f7c60d3e7b8a	1637	break;
maclobdell	0:f7c60d3e7b8a	1638	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
maclobdell	0:f7c60d3e7b8a	1639
maclobdell	0:f7c60d3e7b8a	1640	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
maclobdell	0:f7c60d3e7b8a	1641	case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
maclobdell	0:f7c60d3e7b8a	1642	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
maclobdell	0:f7c60d3e7b8a	1643
maclobdell	0:f7c60d3e7b8a	1644	ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1645	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1646	return( ret );
maclobdell	0:f7c60d3e7b8a	1647	break;
maclobdell	0:f7c60d3e7b8a	1648	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
maclobdell	0:f7c60d3e7b8a	1649
maclobdell	0:f7c60d3e7b8a	1650	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
maclobdell	0:f7c60d3e7b8a	1651	case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
maclobdell	0:f7c60d3e7b8a	1652	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
maclobdell	0:f7c60d3e7b8a	1653
maclobdell	0:f7c60d3e7b8a	1654	ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1655	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1656	return( ret );
maclobdell	0:f7c60d3e7b8a	1657	break;
maclobdell	0:f7c60d3e7b8a	1658	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
maclobdell	0:f7c60d3e7b8a	1659
maclobdell	0:f7c60d3e7b8a	1660	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	1661	case MBEDTLS_TLS_EXT_SESSION_TICKET:
maclobdell	0:f7c60d3e7b8a	1662	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
maclobdell	0:f7c60d3e7b8a	1663
maclobdell	0:f7c60d3e7b8a	1664	ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1665	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1666	return( ret );
maclobdell	0:f7c60d3e7b8a	1667	break;
maclobdell	0:f7c60d3e7b8a	1668	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
maclobdell	0:f7c60d3e7b8a	1669
maclobdell	0:f7c60d3e7b8a	1670	#if defined(MBEDTLS_SSL_ALPN)
maclobdell	0:f7c60d3e7b8a	1671	case MBEDTLS_TLS_EXT_ALPN:
maclobdell	0:f7c60d3e7b8a	1672	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
maclobdell	0:f7c60d3e7b8a	1673
maclobdell	0:f7c60d3e7b8a	1674	ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
maclobdell	0:f7c60d3e7b8a	1675	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	1676	return( ret );
maclobdell	0:f7c60d3e7b8a	1677	break;
maclobdell	0:f7c60d3e7b8a	1678	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
maclobdell	0:f7c60d3e7b8a	1679
maclobdell	0:f7c60d3e7b8a	1680	default:
maclobdell	0:f7c60d3e7b8a	1681	MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
maclobdell	0:f7c60d3e7b8a	1682	ext_id ) );
maclobdell	0:f7c60d3e7b8a	1683	}
maclobdell	0:f7c60d3e7b8a	1684
maclobdell	0:f7c60d3e7b8a	1685	ext_len -= 4 + ext_size;
maclobdell	0:f7c60d3e7b8a	1686	ext += 4 + ext_size;
maclobdell	0:f7c60d3e7b8a	1687
maclobdell	0:f7c60d3e7b8a	1688	if( ext_len > 0 && ext_len < 4 )
maclobdell	0:f7c60d3e7b8a	1689	{
maclobdell	0:f7c60d3e7b8a	1690	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
maclobdell	0:f7c60d3e7b8a	1691	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1692	}
maclobdell	0:f7c60d3e7b8a	1693	}
maclobdell	0:f7c60d3e7b8a	1694
maclobdell	0:f7c60d3e7b8a	1695	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
maclobdell	0:f7c60d3e7b8a	1696	for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
maclobdell	0:f7c60d3e7b8a	1697	{
maclobdell	0:f7c60d3e7b8a	1698	if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
maclobdell	0:f7c60d3e7b8a	1699	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
maclobdell	0:f7c60d3e7b8a	1700	{
maclobdell	0:f7c60d3e7b8a	1701	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
maclobdell	0:f7c60d3e7b8a	1702
maclobdell	0:f7c60d3e7b8a	1703	if( ssl->minor_ver < ssl->conf->max_minor_ver )
maclobdell	0:f7c60d3e7b8a	1704	{
maclobdell	0:f7c60d3e7b8a	1705	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
maclobdell	0:f7c60d3e7b8a	1706
maclobdell	0:f7c60d3e7b8a	1707	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
maclobdell	0:f7c60d3e7b8a	1708	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
maclobdell	0:f7c60d3e7b8a	1709
maclobdell	0:f7c60d3e7b8a	1710	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1711	}
maclobdell	0:f7c60d3e7b8a	1712
maclobdell	0:f7c60d3e7b8a	1713	break;
maclobdell	0:f7c60d3e7b8a	1714	}
maclobdell	0:f7c60d3e7b8a	1715	}
maclobdell	0:f7c60d3e7b8a	1716	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
maclobdell	0:f7c60d3e7b8a	1717
maclobdell	0:f7c60d3e7b8a	1718	/*
maclobdell	0:f7c60d3e7b8a	1719	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
maclobdell	0:f7c60d3e7b8a	1720	*/
maclobdell	0:f7c60d3e7b8a	1721	for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
maclobdell	0:f7c60d3e7b8a	1722	{
maclobdell	0:f7c60d3e7b8a	1723	if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
maclobdell	0:f7c60d3e7b8a	1724	{
maclobdell	0:f7c60d3e7b8a	1725	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
maclobdell	0:f7c60d3e7b8a	1726	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1727	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
maclobdell	0:f7c60d3e7b8a	1728	{
maclobdell	0:f7c60d3e7b8a	1729	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
maclobdell	0:f7c60d3e7b8a	1730
maclobdell	0:f7c60d3e7b8a	1731	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	1732	return( ret );
maclobdell	0:f7c60d3e7b8a	1733
maclobdell	0:f7c60d3e7b8a	1734	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1735	}
maclobdell	0:f7c60d3e7b8a	1736	#endif
maclobdell	0:f7c60d3e7b8a	1737	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
maclobdell	0:f7c60d3e7b8a	1738	break;
maclobdell	0:f7c60d3e7b8a	1739	}
maclobdell	0:f7c60d3e7b8a	1740	}
maclobdell	0:f7c60d3e7b8a	1741
maclobdell	0:f7c60d3e7b8a	1742	/*
maclobdell	0:f7c60d3e7b8a	1743	* Renegotiation security checks
maclobdell	0:f7c60d3e7b8a	1744	*/
maclobdell	0:f7c60d3e7b8a	1745	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
maclobdell	0:f7c60d3e7b8a	1746	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	1747	{
maclobdell	0:f7c60d3e7b8a	1748	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
maclobdell	0:f7c60d3e7b8a	1749	handshake_failure = 1;
maclobdell	0:f7c60d3e7b8a	1750	}
maclobdell	0:f7c60d3e7b8a	1751	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1752	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
maclobdell	0:f7c60d3e7b8a	1753	ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
maclobdell	0:f7c60d3e7b8a	1754	renegotiation_info_seen == 0 )
maclobdell	0:f7c60d3e7b8a	1755	{
maclobdell	0:f7c60d3e7b8a	1756	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
maclobdell	0:f7c60d3e7b8a	1757	handshake_failure = 1;
maclobdell	0:f7c60d3e7b8a	1758	}
maclobdell	0:f7c60d3e7b8a	1759	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
maclobdell	0:f7c60d3e7b8a	1760	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
maclobdell	0:f7c60d3e7b8a	1761	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
maclobdell	0:f7c60d3e7b8a	1762	{
maclobdell	0:f7c60d3e7b8a	1763	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
maclobdell	0:f7c60d3e7b8a	1764	handshake_failure = 1;
maclobdell	0:f7c60d3e7b8a	1765	}
maclobdell	0:f7c60d3e7b8a	1766	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
maclobdell	0:f7c60d3e7b8a	1767	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
maclobdell	0:f7c60d3e7b8a	1768	renegotiation_info_seen == 1 )
maclobdell	0:f7c60d3e7b8a	1769	{
maclobdell	0:f7c60d3e7b8a	1770	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
maclobdell	0:f7c60d3e7b8a	1771	handshake_failure = 1;
maclobdell	0:f7c60d3e7b8a	1772	}
maclobdell	0:f7c60d3e7b8a	1773	#endif /* MBEDTLS_SSL_RENEGOTIATION */
maclobdell	0:f7c60d3e7b8a	1774
maclobdell	0:f7c60d3e7b8a	1775	if( handshake_failure == 1 )
maclobdell	0:f7c60d3e7b8a	1776	{
maclobdell	0:f7c60d3e7b8a	1777	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	1778	return( ret );
maclobdell	0:f7c60d3e7b8a	1779
maclobdell	0:f7c60d3e7b8a	1780	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
maclobdell	0:f7c60d3e7b8a	1781	}
maclobdell	0:f7c60d3e7b8a	1782
maclobdell	0:f7c60d3e7b8a	1783	/*
maclobdell	0:f7c60d3e7b8a	1784	* Search for a matching ciphersuite
maclobdell	0:f7c60d3e7b8a	1785	* (At the end because we need information from the EC-based extensions
maclobdell	0:f7c60d3e7b8a	1786	* and certificate from the SNI callback triggered by the SNI extension.)
maclobdell	0:f7c60d3e7b8a	1787	*/
maclobdell	0:f7c60d3e7b8a	1788	got_common_suite = 0;
maclobdell	0:f7c60d3e7b8a	1789	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
maclobdell	0:f7c60d3e7b8a	1790	ciphersuite_info = NULL;
maclobdell	0:f7c60d3e7b8a	1791	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
maclobdell	0:f7c60d3e7b8a	1792	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
maclobdell	0:f7c60d3e7b8a	1793	{
maclobdell	0:f7c60d3e7b8a	1794	for( i = 0; ciphersuites[i] != 0; i++ )
maclobdell	0:f7c60d3e7b8a	1795	#else
maclobdell	0:f7c60d3e7b8a	1796	for( i = 0; ciphersuites[i] != 0; i++ )
maclobdell	0:f7c60d3e7b8a	1797	{
maclobdell	0:f7c60d3e7b8a	1798	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
maclobdell	0:f7c60d3e7b8a	1799	#endif
maclobdell	0:f7c60d3e7b8a	1800	{
maclobdell	0:f7c60d3e7b8a	1801	if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
maclobdell	0:f7c60d3e7b8a	1802	p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
maclobdell	0:f7c60d3e7b8a	1803	continue;
maclobdell	0:f7c60d3e7b8a	1804
maclobdell	0:f7c60d3e7b8a	1805	got_common_suite = 1;
maclobdell	0:f7c60d3e7b8a	1806
maclobdell	0:f7c60d3e7b8a	1807	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
maclobdell	0:f7c60d3e7b8a	1808	&ciphersuite_info ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	1809	return( ret );
maclobdell	0:f7c60d3e7b8a	1810
maclobdell	0:f7c60d3e7b8a	1811	if( ciphersuite_info != NULL )
maclobdell	0:f7c60d3e7b8a	1812	goto have_ciphersuite;
maclobdell	0:f7c60d3e7b8a	1813	}
maclobdell	0:f7c60d3e7b8a	1814	}
maclobdell	0:f7c60d3e7b8a	1815
maclobdell	0:f7c60d3e7b8a	1816	if( got_common_suite )
maclobdell	0:f7c60d3e7b8a	1817	{
maclobdell	0:f7c60d3e7b8a	1818	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
maclobdell	0:f7c60d3e7b8a	1819	"but none of them usable" ) );
maclobdell	0:f7c60d3e7b8a	1820	mbedtls_ssl_send_fatal_handshake_failure( ssl );
maclobdell	0:f7c60d3e7b8a	1821	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
maclobdell	0:f7c60d3e7b8a	1822	}
maclobdell	0:f7c60d3e7b8a	1823	else
maclobdell	0:f7c60d3e7b8a	1824	{
maclobdell	0:f7c60d3e7b8a	1825	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
maclobdell	0:f7c60d3e7b8a	1826	mbedtls_ssl_send_fatal_handshake_failure( ssl );
maclobdell	0:f7c60d3e7b8a	1827	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
maclobdell	0:f7c60d3e7b8a	1828	}
maclobdell	0:f7c60d3e7b8a	1829
maclobdell	0:f7c60d3e7b8a	1830	have_ciphersuite:
maclobdell	0:f7c60d3e7b8a	1831	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
maclobdell	0:f7c60d3e7b8a	1832
maclobdell	0:f7c60d3e7b8a	1833	ssl->session_negotiate->ciphersuite = ciphersuites[i];
maclobdell	0:f7c60d3e7b8a	1834	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	1835	mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
maclobdell	0:f7c60d3e7b8a	1836
maclobdell	0:f7c60d3e7b8a	1837	ssl->state++;
maclobdell	0:f7c60d3e7b8a	1838
maclobdell	0:f7c60d3e7b8a	1839	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	1840	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
maclobdell	0:f7c60d3e7b8a	1841	mbedtls_ssl_recv_flight_completed( ssl );
maclobdell	0:f7c60d3e7b8a	1842	#endif
maclobdell	0:f7c60d3e7b8a	1843
maclobdell	0:f7c60d3e7b8a	1844	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
maclobdell	0:f7c60d3e7b8a	1845
maclobdell	0:f7c60d3e7b8a	1846	return( 0 );
maclobdell	0:f7c60d3e7b8a	1847	}
maclobdell	0:f7c60d3e7b8a	1848
maclobdell	0:f7c60d3e7b8a	1849	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
maclobdell	0:f7c60d3e7b8a	1850	static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	1851	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	1852	size_t *olen )
maclobdell	0:f7c60d3e7b8a	1853	{
maclobdell	0:f7c60d3e7b8a	1854	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	1855
maclobdell	0:f7c60d3e7b8a	1856	if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
maclobdell	0:f7c60d3e7b8a	1857	{
maclobdell	0:f7c60d3e7b8a	1858	*olen = 0;
maclobdell	0:f7c60d3e7b8a	1859	return;
maclobdell	0:f7c60d3e7b8a	1860	}
maclobdell	0:f7c60d3e7b8a	1861
maclobdell	0:f7c60d3e7b8a	1862	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
maclobdell	0:f7c60d3e7b8a	1863
maclobdell	0:f7c60d3e7b8a	1864	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1865	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1866
maclobdell	0:f7c60d3e7b8a	1867	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1868	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1869
maclobdell	0:f7c60d3e7b8a	1870	*olen = 4;
maclobdell	0:f7c60d3e7b8a	1871	}
maclobdell	0:f7c60d3e7b8a	1872	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
maclobdell	0:f7c60d3e7b8a	1873
maclobdell	0:f7c60d3e7b8a	1874	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
maclobdell	0:f7c60d3e7b8a	1875	static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	1876	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	1877	size_t *olen )
maclobdell	0:f7c60d3e7b8a	1878	{
maclobdell	0:f7c60d3e7b8a	1879	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	1880	const mbedtls_ssl_ciphersuite_t *suite = NULL;
maclobdell	0:f7c60d3e7b8a	1881	const mbedtls_cipher_info_t *cipher = NULL;
maclobdell	0:f7c60d3e7b8a	1882
maclobdell	0:f7c60d3e7b8a	1883	if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
maclobdell	0:f7c60d3e7b8a	1884	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
maclobdell	0:f7c60d3e7b8a	1885	{
maclobdell	0:f7c60d3e7b8a	1886	*olen = 0;
maclobdell	0:f7c60d3e7b8a	1887	return;
maclobdell	0:f7c60d3e7b8a	1888	}
maclobdell	0:f7c60d3e7b8a	1889
maclobdell	0:f7c60d3e7b8a	1890	/*
maclobdell	0:f7c60d3e7b8a	1891	* RFC 7366: "If a server receives an encrypt-then-MAC request extension
maclobdell	0:f7c60d3e7b8a	1892	* from a client and then selects a stream or Authenticated Encryption
maclobdell	0:f7c60d3e7b8a	1893	* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
maclobdell	0:f7c60d3e7b8a	1894	* encrypt-then-MAC response extension back to the client."
maclobdell	0:f7c60d3e7b8a	1895	*/
maclobdell	0:f7c60d3e7b8a	1896	if( ( suite = mbedtls_ssl_ciphersuite_from_id(
maclobdell	0:f7c60d3e7b8a	1897	ssl->session_negotiate->ciphersuite ) ) == NULL \|\|
maclobdell	0:f7c60d3e7b8a	1898	( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL \|\|
maclobdell	0:f7c60d3e7b8a	1899	cipher->mode != MBEDTLS_MODE_CBC )
maclobdell	0:f7c60d3e7b8a	1900	{
maclobdell	0:f7c60d3e7b8a	1901	*olen = 0;
maclobdell	0:f7c60d3e7b8a	1902	return;
maclobdell	0:f7c60d3e7b8a	1903	}
maclobdell	0:f7c60d3e7b8a	1904
maclobdell	0:f7c60d3e7b8a	1905	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
maclobdell	0:f7c60d3e7b8a	1906
maclobdell	0:f7c60d3e7b8a	1907	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1908	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1909
maclobdell	0:f7c60d3e7b8a	1910	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1911	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1912
maclobdell	0:f7c60d3e7b8a	1913	*olen = 4;
maclobdell	0:f7c60d3e7b8a	1914	}
maclobdell	0:f7c60d3e7b8a	1915	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
maclobdell	0:f7c60d3e7b8a	1916
maclobdell	0:f7c60d3e7b8a	1917	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
maclobdell	0:f7c60d3e7b8a	1918	static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	1919	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	1920	size_t *olen )
maclobdell	0:f7c60d3e7b8a	1921	{
maclobdell	0:f7c60d3e7b8a	1922	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	1923
maclobdell	0:f7c60d3e7b8a	1924	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
maclobdell	0:f7c60d3e7b8a	1925	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
maclobdell	0:f7c60d3e7b8a	1926	{
maclobdell	0:f7c60d3e7b8a	1927	*olen = 0;
maclobdell	0:f7c60d3e7b8a	1928	return;
maclobdell	0:f7c60d3e7b8a	1929	}
maclobdell	0:f7c60d3e7b8a	1930
maclobdell	0:f7c60d3e7b8a	1931	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
maclobdell	0:f7c60d3e7b8a	1932	"extension" ) );
maclobdell	0:f7c60d3e7b8a	1933
maclobdell	0:f7c60d3e7b8a	1934	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1935	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1936
maclobdell	0:f7c60d3e7b8a	1937	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1938	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1939
maclobdell	0:f7c60d3e7b8a	1940	*olen = 4;
maclobdell	0:f7c60d3e7b8a	1941	}
maclobdell	0:f7c60d3e7b8a	1942	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
maclobdell	0:f7c60d3e7b8a	1943
maclobdell	0:f7c60d3e7b8a	1944	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	1945	static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	1946	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	1947	size_t *olen )
maclobdell	0:f7c60d3e7b8a	1948	{
maclobdell	0:f7c60d3e7b8a	1949	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	1950
maclobdell	0:f7c60d3e7b8a	1951	if( ssl->handshake->new_session_ticket == 0 )
maclobdell	0:f7c60d3e7b8a	1952	{
maclobdell	0:f7c60d3e7b8a	1953	*olen = 0;
maclobdell	0:f7c60d3e7b8a	1954	return;
maclobdell	0:f7c60d3e7b8a	1955	}
maclobdell	0:f7c60d3e7b8a	1956
maclobdell	0:f7c60d3e7b8a	1957	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
maclobdell	0:f7c60d3e7b8a	1958
maclobdell	0:f7c60d3e7b8a	1959	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1960	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1961
maclobdell	0:f7c60d3e7b8a	1962	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1963	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1964
maclobdell	0:f7c60d3e7b8a	1965	*olen = 4;
maclobdell	0:f7c60d3e7b8a	1966	}
maclobdell	0:f7c60d3e7b8a	1967	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
maclobdell	0:f7c60d3e7b8a	1968
maclobdell	0:f7c60d3e7b8a	1969	static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	1970	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	1971	size_t *olen )
maclobdell	0:f7c60d3e7b8a	1972	{
maclobdell	0:f7c60d3e7b8a	1973	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	1974
maclobdell	0:f7c60d3e7b8a	1975	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
maclobdell	0:f7c60d3e7b8a	1976	{
maclobdell	0:f7c60d3e7b8a	1977	*olen = 0;
maclobdell	0:f7c60d3e7b8a	1978	return;
maclobdell	0:f7c60d3e7b8a	1979	}
maclobdell	0:f7c60d3e7b8a	1980
maclobdell	0:f7c60d3e7b8a	1981	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
maclobdell	0:f7c60d3e7b8a	1982
maclobdell	0:f7c60d3e7b8a	1983	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1984	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	1985
maclobdell	0:f7c60d3e7b8a	1986	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	1987	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	1988	{
maclobdell	0:f7c60d3e7b8a	1989	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	1990	p++ = ( ssl->verify_data_len 2 + 1 ) & 0xFF;
maclobdell	0:f7c60d3e7b8a	1991	p++ = ssl->verify_data_len 2 & 0xFF;
maclobdell	0:f7c60d3e7b8a	1992
maclobdell	0:f7c60d3e7b8a	1993	memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
maclobdell	0:f7c60d3e7b8a	1994	p += ssl->verify_data_len;
maclobdell	0:f7c60d3e7b8a	1995	memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
maclobdell	0:f7c60d3e7b8a	1996	p += ssl->verify_data_len;
maclobdell	0:f7c60d3e7b8a	1997	}
maclobdell	0:f7c60d3e7b8a	1998	else
maclobdell	0:f7c60d3e7b8a	1999	#endif /* MBEDTLS_SSL_RENEGOTIATION */
maclobdell	0:f7c60d3e7b8a	2000	{
maclobdell	0:f7c60d3e7b8a	2001	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	2002	*p++ = 0x01;
maclobdell	0:f7c60d3e7b8a	2003	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	2004	}
maclobdell	0:f7c60d3e7b8a	2005
maclobdell	0:f7c60d3e7b8a	2006	*olen = p - buf;
maclobdell	0:f7c60d3e7b8a	2007	}
maclobdell	0:f7c60d3e7b8a	2008
maclobdell	0:f7c60d3e7b8a	2009	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
maclobdell	0:f7c60d3e7b8a	2010	static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	2011	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	2012	size_t *olen )
maclobdell	0:f7c60d3e7b8a	2013	{
maclobdell	0:f7c60d3e7b8a	2014	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	2015
maclobdell	0:f7c60d3e7b8a	2016	if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
maclobdell	0:f7c60d3e7b8a	2017	{
maclobdell	0:f7c60d3e7b8a	2018	*olen = 0;
maclobdell	0:f7c60d3e7b8a	2019	return;
maclobdell	0:f7c60d3e7b8a	2020	}
maclobdell	0:f7c60d3e7b8a	2021
maclobdell	0:f7c60d3e7b8a	2022	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
maclobdell	0:f7c60d3e7b8a	2023
maclobdell	0:f7c60d3e7b8a	2024	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2025	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2026
maclobdell	0:f7c60d3e7b8a	2027	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	2028	*p++ = 1;
maclobdell	0:f7c60d3e7b8a	2029
maclobdell	0:f7c60d3e7b8a	2030	*p++ = ssl->session_negotiate->mfl_code;
maclobdell	0:f7c60d3e7b8a	2031
maclobdell	0:f7c60d3e7b8a	2032	*olen = 5;
maclobdell	0:f7c60d3e7b8a	2033	}
maclobdell	0:f7c60d3e7b8a	2034	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
maclobdell	0:f7c60d3e7b8a	2035
maclobdell	0:f7c60d3e7b8a	2036	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
maclobdell	0:f7c60d3e7b8a	2037	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	2038	static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	2039	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	2040	size_t *olen )
maclobdell	0:f7c60d3e7b8a	2041	{
maclobdell	0:f7c60d3e7b8a	2042	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	2043	((void) ssl);
maclobdell	0:f7c60d3e7b8a	2044
maclobdell	0:f7c60d3e7b8a	2045	if( ( ssl->handshake->cli_exts &
maclobdell	0:f7c60d3e7b8a	2046	MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
maclobdell	0:f7c60d3e7b8a	2047	{
maclobdell	0:f7c60d3e7b8a	2048	*olen = 0;
maclobdell	0:f7c60d3e7b8a	2049	return;
maclobdell	0:f7c60d3e7b8a	2050	}
maclobdell	0:f7c60d3e7b8a	2051
maclobdell	0:f7c60d3e7b8a	2052	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
maclobdell	0:f7c60d3e7b8a	2053
maclobdell	0:f7c60d3e7b8a	2054	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2055	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2056
maclobdell	0:f7c60d3e7b8a	2057	*p++ = 0x00;
maclobdell	0:f7c60d3e7b8a	2058	*p++ = 2;
maclobdell	0:f7c60d3e7b8a	2059
maclobdell	0:f7c60d3e7b8a	2060	*p++ = 1;
maclobdell	0:f7c60d3e7b8a	2061	*p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
maclobdell	0:f7c60d3e7b8a	2062
maclobdell	0:f7c60d3e7b8a	2063	*olen = 6;
maclobdell	0:f7c60d3e7b8a	2064	}
maclobdell	0:f7c60d3e7b8a	2065	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\| MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	2066
maclobdell	0:f7c60d3e7b8a	2067	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	2068	static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	2069	unsigned char *buf,
maclobdell	0:f7c60d3e7b8a	2070	size_t *olen )
maclobdell	0:f7c60d3e7b8a	2071	{
maclobdell	0:f7c60d3e7b8a	2072	int ret;
maclobdell	0:f7c60d3e7b8a	2073	unsigned char *p = buf;
maclobdell	0:f7c60d3e7b8a	2074	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
maclobdell	0:f7c60d3e7b8a	2075	size_t kkpp_len;
maclobdell	0:f7c60d3e7b8a	2076
maclobdell	0:f7c60d3e7b8a	2077	*olen = 0;
maclobdell	0:f7c60d3e7b8a	2078
maclobdell	0:f7c60d3e7b8a	2079	/* Skip costly computation if not needed */
maclobdell	0:f7c60d3e7b8a	2080	if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
maclobdell	0:f7c60d3e7b8a	2081	MBEDTLS_KEY_EXCHANGE_ECJPAKE )
maclobdell	0:f7c60d3e7b8a	2082	return;
maclobdell	0:f7c60d3e7b8a	2083
maclobdell	0:f7c60d3e7b8a	2084	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
maclobdell	0:f7c60d3e7b8a	2085
maclobdell	0:f7c60d3e7b8a	2086	if( end - p < 4 )
maclobdell	0:f7c60d3e7b8a	2087	{
maclobdell	0:f7c60d3e7b8a	2088	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
maclobdell	0:f7c60d3e7b8a	2089	return;
maclobdell	0:f7c60d3e7b8a	2090	}
maclobdell	0:f7c60d3e7b8a	2091
maclobdell	0:f7c60d3e7b8a	2092	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2093	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2094
maclobdell	0:f7c60d3e7b8a	2095	ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
maclobdell	0:f7c60d3e7b8a	2096	p + 2, end - p - 2, &kkpp_len,
maclobdell	0:f7c60d3e7b8a	2097	ssl->conf->f_rng, ssl->conf->p_rng );
maclobdell	0:f7c60d3e7b8a	2098	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	2099	{
maclobdell	0:f7c60d3e7b8a	2100	MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
maclobdell	0:f7c60d3e7b8a	2101	return;
maclobdell	0:f7c60d3e7b8a	2102	}
maclobdell	0:f7c60d3e7b8a	2103
maclobdell	0:f7c60d3e7b8a	2104	*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2105	*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2106
maclobdell	0:f7c60d3e7b8a	2107	*olen = kkpp_len + 4;
maclobdell	0:f7c60d3e7b8a	2108	}
maclobdell	0:f7c60d3e7b8a	2109	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	2110
maclobdell	0:f7c60d3e7b8a	2111	#if defined(MBEDTLS_SSL_ALPN )
maclobdell	0:f7c60d3e7b8a	2112	static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	2113	unsigned char buf, size_t olen )
maclobdell	0:f7c60d3e7b8a	2114	{
maclobdell	0:f7c60d3e7b8a	2115	if( ssl->alpn_chosen == NULL )
maclobdell	0:f7c60d3e7b8a	2116	{
maclobdell	0:f7c60d3e7b8a	2117	*olen = 0;
maclobdell	0:f7c60d3e7b8a	2118	return;
maclobdell	0:f7c60d3e7b8a	2119	}
maclobdell	0:f7c60d3e7b8a	2120
maclobdell	0:f7c60d3e7b8a	2121	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
maclobdell	0:f7c60d3e7b8a	2122
maclobdell	0:f7c60d3e7b8a	2123	/*
maclobdell	0:f7c60d3e7b8a	2124	* 0 . 1 ext identifier
maclobdell	0:f7c60d3e7b8a	2125	* 2 . 3 ext length
maclobdell	0:f7c60d3e7b8a	2126	* 4 . 5 protocol list length
maclobdell	0:f7c60d3e7b8a	2127	* 6 . 6 protocol name length
maclobdell	0:f7c60d3e7b8a	2128	* 7 . 7+n protocol name
maclobdell	0:f7c60d3e7b8a	2129	*/
maclobdell	0:f7c60d3e7b8a	2130	buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2131	buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2132
maclobdell	0:f7c60d3e7b8a	2133	*olen = 7 + strlen( ssl->alpn_chosen );
maclobdell	0:f7c60d3e7b8a	2134
maclobdell	0:f7c60d3e7b8a	2135	buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2136	buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2137
maclobdell	0:f7c60d3e7b8a	2138	buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2139	buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2140
maclobdell	0:f7c60d3e7b8a	2141	buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2142
maclobdell	0:f7c60d3e7b8a	2143	memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
maclobdell	0:f7c60d3e7b8a	2144	}
maclobdell	0:f7c60d3e7b8a	2145	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C */
maclobdell	0:f7c60d3e7b8a	2146
maclobdell	0:f7c60d3e7b8a	2147	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
maclobdell	0:f7c60d3e7b8a	2148	static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	2149	{
maclobdell	0:f7c60d3e7b8a	2150	int ret;
maclobdell	0:f7c60d3e7b8a	2151	unsigned char *p = ssl->out_msg + 4;
maclobdell	0:f7c60d3e7b8a	2152	unsigned char *cookie_len_byte;
maclobdell	0:f7c60d3e7b8a	2153
maclobdell	0:f7c60d3e7b8a	2154	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
maclobdell	0:f7c60d3e7b8a	2155
maclobdell	0:f7c60d3e7b8a	2156	/*
maclobdell	0:f7c60d3e7b8a	2157	* struct {
maclobdell	0:f7c60d3e7b8a	2158	* ProtocolVersion server_version;
maclobdell	0:f7c60d3e7b8a	2159	* opaque cookie<0..2^8-1>;
maclobdell	0:f7c60d3e7b8a	2160	* } HelloVerifyRequest;
maclobdell	0:f7c60d3e7b8a	2161	*/
maclobdell	0:f7c60d3e7b8a	2162
maclobdell	0:f7c60d3e7b8a	2163	/* The RFC is not clear on this point, but sending the actual negotiated
maclobdell	0:f7c60d3e7b8a	2164	* version looks like the most interoperable thing to do. */
maclobdell	0:f7c60d3e7b8a	2165	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
maclobdell	0:f7c60d3e7b8a	2166	ssl->conf->transport, p );
maclobdell	0:f7c60d3e7b8a	2167	MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
maclobdell	0:f7c60d3e7b8a	2168	p += 2;
maclobdell	0:f7c60d3e7b8a	2169
maclobdell	0:f7c60d3e7b8a	2170	/* If we get here, f_cookie_check is not null */
maclobdell	0:f7c60d3e7b8a	2171	if( ssl->conf->f_cookie_write == NULL )
maclobdell	0:f7c60d3e7b8a	2172	{
maclobdell	0:f7c60d3e7b8a	2173	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
maclobdell	0:f7c60d3e7b8a	2174	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	2175	}
maclobdell	0:f7c60d3e7b8a	2176
maclobdell	0:f7c60d3e7b8a	2177	/* Skip length byte until we know the length */
maclobdell	0:f7c60d3e7b8a	2178	cookie_len_byte = p++;
maclobdell	0:f7c60d3e7b8a	2179
maclobdell	0:f7c60d3e7b8a	2180	if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
maclobdell	0:f7c60d3e7b8a	2181	&p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
maclobdell	0:f7c60d3e7b8a	2182	ssl->cli_id, ssl->cli_id_len ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2183	{
maclobdell	0:f7c60d3e7b8a	2184	MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
maclobdell	0:f7c60d3e7b8a	2185	return( ret );
maclobdell	0:f7c60d3e7b8a	2186	}
maclobdell	0:f7c60d3e7b8a	2187
maclobdell	0:f7c60d3e7b8a	2188	*cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
maclobdell	0:f7c60d3e7b8a	2189
maclobdell	0:f7c60d3e7b8a	2190	MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
maclobdell	0:f7c60d3e7b8a	2191
maclobdell	0:f7c60d3e7b8a	2192	ssl->out_msglen = p - ssl->out_msg;
maclobdell	0:f7c60d3e7b8a	2193	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
maclobdell	0:f7c60d3e7b8a	2194	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
maclobdell	0:f7c60d3e7b8a	2195
maclobdell	0:f7c60d3e7b8a	2196	ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
maclobdell	0:f7c60d3e7b8a	2197
maclobdell	0:f7c60d3e7b8a	2198	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2199	{
maclobdell	0:f7c60d3e7b8a	2200	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
maclobdell	0:f7c60d3e7b8a	2201	return( ret );
maclobdell	0:f7c60d3e7b8a	2202	}
maclobdell	0:f7c60d3e7b8a	2203
maclobdell	0:f7c60d3e7b8a	2204	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
maclobdell	0:f7c60d3e7b8a	2205
maclobdell	0:f7c60d3e7b8a	2206	return( 0 );
maclobdell	0:f7c60d3e7b8a	2207	}
maclobdell	0:f7c60d3e7b8a	2208	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
maclobdell	0:f7c60d3e7b8a	2209
maclobdell	0:f7c60d3e7b8a	2210	static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	2211	{
maclobdell	0:f7c60d3e7b8a	2212	#if defined(MBEDTLS_HAVE_TIME)
maclobdell	0:f7c60d3e7b8a	2213	time_t t;
maclobdell	0:f7c60d3e7b8a	2214	#endif
maclobdell	0:f7c60d3e7b8a	2215	int ret;
maclobdell	0:f7c60d3e7b8a	2216	size_t olen, ext_len = 0, n;
maclobdell	0:f7c60d3e7b8a	2217	unsigned char buf, p;
maclobdell	0:f7c60d3e7b8a	2218
maclobdell	0:f7c60d3e7b8a	2219	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
maclobdell	0:f7c60d3e7b8a	2220
maclobdell	0:f7c60d3e7b8a	2221	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
maclobdell	0:f7c60d3e7b8a	2222	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
maclobdell	0:f7c60d3e7b8a	2223	ssl->handshake->verify_cookie_len != 0 )
maclobdell	0:f7c60d3e7b8a	2224	{
maclobdell	0:f7c60d3e7b8a	2225	MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
maclobdell	0:f7c60d3e7b8a	2226	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
maclobdell	0:f7c60d3e7b8a	2227
maclobdell	0:f7c60d3e7b8a	2228	return( ssl_write_hello_verify_request( ssl ) );
maclobdell	0:f7c60d3e7b8a	2229	}
maclobdell	0:f7c60d3e7b8a	2230	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
maclobdell	0:f7c60d3e7b8a	2231
maclobdell	0:f7c60d3e7b8a	2232	if( ssl->conf->f_rng == NULL )
maclobdell	0:f7c60d3e7b8a	2233	{
maclobdell	0:f7c60d3e7b8a	2234	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
maclobdell	0:f7c60d3e7b8a	2235	return( MBEDTLS_ERR_SSL_NO_RNG );
maclobdell	0:f7c60d3e7b8a	2236	}
maclobdell	0:f7c60d3e7b8a	2237
maclobdell	0:f7c60d3e7b8a	2238	/*
maclobdell	0:f7c60d3e7b8a	2239	* 0 . 0 handshake type
maclobdell	0:f7c60d3e7b8a	2240	* 1 . 3 handshake length
maclobdell	0:f7c60d3e7b8a	2241	* 4 . 5 protocol version
maclobdell	0:f7c60d3e7b8a	2242	* 6 . 9 UNIX time()
maclobdell	0:f7c60d3e7b8a	2243	* 10 . 37 random bytes
maclobdell	0:f7c60d3e7b8a	2244	*/
maclobdell	0:f7c60d3e7b8a	2245	buf = ssl->out_msg;
maclobdell	0:f7c60d3e7b8a	2246	p = buf + 4;
maclobdell	0:f7c60d3e7b8a	2247
maclobdell	0:f7c60d3e7b8a	2248	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
maclobdell	0:f7c60d3e7b8a	2249	ssl->conf->transport, p );
maclobdell	0:f7c60d3e7b8a	2250	p += 2;
maclobdell	0:f7c60d3e7b8a	2251
maclobdell	0:f7c60d3e7b8a	2252	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
maclobdell	0:f7c60d3e7b8a	2253	buf[4], buf[5] ) );
maclobdell	0:f7c60d3e7b8a	2254
maclobdell	0:f7c60d3e7b8a	2255	#if defined(MBEDTLS_HAVE_TIME)
maclobdell	0:f7c60d3e7b8a	2256	t = time( NULL );
maclobdell	0:f7c60d3e7b8a	2257	*p++ = (unsigned char)( t >> 24 );
maclobdell	0:f7c60d3e7b8a	2258	*p++ = (unsigned char)( t >> 16 );
maclobdell	0:f7c60d3e7b8a	2259	*p++ = (unsigned char)( t >> 8 );
maclobdell	0:f7c60d3e7b8a	2260	*p++ = (unsigned char)( t );
maclobdell	0:f7c60d3e7b8a	2261
maclobdell	0:f7c60d3e7b8a	2262	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
maclobdell	0:f7c60d3e7b8a	2263	#else
maclobdell	0:f7c60d3e7b8a	2264	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2265	return( ret );
maclobdell	0:f7c60d3e7b8a	2266
maclobdell	0:f7c60d3e7b8a	2267	p += 4;
maclobdell	0:f7c60d3e7b8a	2268	#endif /* MBEDTLS_HAVE_TIME */
maclobdell	0:f7c60d3e7b8a	2269
maclobdell	0:f7c60d3e7b8a	2270	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2271	return( ret );
maclobdell	0:f7c60d3e7b8a	2272
maclobdell	0:f7c60d3e7b8a	2273	p += 28;
maclobdell	0:f7c60d3e7b8a	2274
maclobdell	0:f7c60d3e7b8a	2275	memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
maclobdell	0:f7c60d3e7b8a	2276
maclobdell	0:f7c60d3e7b8a	2277	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
maclobdell	0:f7c60d3e7b8a	2278
maclobdell	0:f7c60d3e7b8a	2279	/*
maclobdell	0:f7c60d3e7b8a	2280	* Resume is 0 by default, see ssl_handshake_init().
maclobdell	0:f7c60d3e7b8a	2281	* It may be already set to 1 by ssl_parse_session_ticket_ext().
maclobdell	0:f7c60d3e7b8a	2282	* If not, try looking up session ID in our cache.
maclobdell	0:f7c60d3e7b8a	2283	*/
maclobdell	0:f7c60d3e7b8a	2284	if( ssl->handshake->resume == 0 &&
maclobdell	0:f7c60d3e7b8a	2285	#if defined(MBEDTLS_SSL_RENEGOTIATION)
maclobdell	0:f7c60d3e7b8a	2286	ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
maclobdell	0:f7c60d3e7b8a	2287	#endif
maclobdell	0:f7c60d3e7b8a	2288	ssl->session_negotiate->id_len != 0 &&
maclobdell	0:f7c60d3e7b8a	2289	ssl->conf->f_get_cache != NULL &&
maclobdell	0:f7c60d3e7b8a	2290	ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
maclobdell	0:f7c60d3e7b8a	2291	{
maclobdell	0:f7c60d3e7b8a	2292	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
maclobdell	0:f7c60d3e7b8a	2293	ssl->handshake->resume = 1;
maclobdell	0:f7c60d3e7b8a	2294	}
maclobdell	0:f7c60d3e7b8a	2295
maclobdell	0:f7c60d3e7b8a	2296	if( ssl->handshake->resume == 0 )
maclobdell	0:f7c60d3e7b8a	2297	{
maclobdell	0:f7c60d3e7b8a	2298	/*
maclobdell	0:f7c60d3e7b8a	2299	* New session, create a new session id,
maclobdell	0:f7c60d3e7b8a	2300	* unless we're about to issue a session ticket
maclobdell	0:f7c60d3e7b8a	2301	*/
maclobdell	0:f7c60d3e7b8a	2302	ssl->state++;
maclobdell	0:f7c60d3e7b8a	2303
maclobdell	0:f7c60d3e7b8a	2304	#if defined(MBEDTLS_HAVE_TIME)
maclobdell	0:f7c60d3e7b8a	2305	ssl->session_negotiate->start = time( NULL );
maclobdell	0:f7c60d3e7b8a	2306	#endif
maclobdell	0:f7c60d3e7b8a	2307
maclobdell	0:f7c60d3e7b8a	2308	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	2309	if( ssl->handshake->new_session_ticket != 0 )
maclobdell	0:f7c60d3e7b8a	2310	{
maclobdell	0:f7c60d3e7b8a	2311	ssl->session_negotiate->id_len = n = 0;
maclobdell	0:f7c60d3e7b8a	2312	memset( ssl->session_negotiate->id, 0, 32 );
maclobdell	0:f7c60d3e7b8a	2313	}
maclobdell	0:f7c60d3e7b8a	2314	else
maclobdell	0:f7c60d3e7b8a	2315	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
maclobdell	0:f7c60d3e7b8a	2316	{
maclobdell	0:f7c60d3e7b8a	2317	ssl->session_negotiate->id_len = n = 32;
maclobdell	0:f7c60d3e7b8a	2318	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
maclobdell	0:f7c60d3e7b8a	2319	n ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2320	return( ret );
maclobdell	0:f7c60d3e7b8a	2321	}
maclobdell	0:f7c60d3e7b8a	2322	}
maclobdell	0:f7c60d3e7b8a	2323	else
maclobdell	0:f7c60d3e7b8a	2324	{
maclobdell	0:f7c60d3e7b8a	2325	/*
maclobdell	0:f7c60d3e7b8a	2326	* Resuming a session
maclobdell	0:f7c60d3e7b8a	2327	*/
maclobdell	0:f7c60d3e7b8a	2328	n = ssl->session_negotiate->id_len;
maclobdell	0:f7c60d3e7b8a	2329	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
maclobdell	0:f7c60d3e7b8a	2330
maclobdell	0:f7c60d3e7b8a	2331	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2332	{
maclobdell	0:f7c60d3e7b8a	2333	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
maclobdell	0:f7c60d3e7b8a	2334	return( ret );
maclobdell	0:f7c60d3e7b8a	2335	}
maclobdell	0:f7c60d3e7b8a	2336	}
maclobdell	0:f7c60d3e7b8a	2337
maclobdell	0:f7c60d3e7b8a	2338	/*
maclobdell	0:f7c60d3e7b8a	2339	* 38 . 38 session id length
maclobdell	0:f7c60d3e7b8a	2340	* 39 . 38+n session id
maclobdell	0:f7c60d3e7b8a	2341	* 39+n . 40+n chosen ciphersuite
maclobdell	0:f7c60d3e7b8a	2342	* 41+n . 41+n chosen compression alg.
maclobdell	0:f7c60d3e7b8a	2343	* 42+n . 43+n extensions length
maclobdell	0:f7c60d3e7b8a	2344	* 44+n . 43+n+m extensions
maclobdell	0:f7c60d3e7b8a	2345	*/
maclobdell	0:f7c60d3e7b8a	2346	*p++ = (unsigned char) ssl->session_negotiate->id_len;
maclobdell	0:f7c60d3e7b8a	2347	memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
maclobdell	0:f7c60d3e7b8a	2348	p += ssl->session_negotiate->id_len;
maclobdell	0:f7c60d3e7b8a	2349
maclobdell	0:f7c60d3e7b8a	2350	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
maclobdell	0:f7c60d3e7b8a	2351	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
maclobdell	0:f7c60d3e7b8a	2352	MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
maclobdell	0:f7c60d3e7b8a	2353	ssl->handshake->resume ? "a" : "no" ) );
maclobdell	0:f7c60d3e7b8a	2354
maclobdell	0:f7c60d3e7b8a	2355	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
maclobdell	0:f7c60d3e7b8a	2356	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
maclobdell	0:f7c60d3e7b8a	2357	*p++ = (unsigned char)( ssl->session_negotiate->compression );
maclobdell	0:f7c60d3e7b8a	2358
maclobdell	0:f7c60d3e7b8a	2359	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
maclobdell	0:f7c60d3e7b8a	2360	mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
maclobdell	0:f7c60d3e7b8a	2361	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
maclobdell	0:f7c60d3e7b8a	2362	ssl->session_negotiate->compression ) );
maclobdell	0:f7c60d3e7b8a	2363
maclobdell	0:f7c60d3e7b8a	2364	/*
maclobdell	0:f7c60d3e7b8a	2365	* First write extensions, then the total length
maclobdell	0:f7c60d3e7b8a	2366	*/
maclobdell	0:f7c60d3e7b8a	2367	ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2368	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2369
maclobdell	0:f7c60d3e7b8a	2370	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
maclobdell	0:f7c60d3e7b8a	2371	ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2372	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2373	#endif
maclobdell	0:f7c60d3e7b8a	2374
maclobdell	0:f7c60d3e7b8a	2375	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
maclobdell	0:f7c60d3e7b8a	2376	ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2377	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2378	#endif
maclobdell	0:f7c60d3e7b8a	2379
maclobdell	0:f7c60d3e7b8a	2380	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
maclobdell	0:f7c60d3e7b8a	2381	ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2382	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2383	#endif
maclobdell	0:f7c60d3e7b8a	2384
maclobdell	0:f7c60d3e7b8a	2385	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
maclobdell	0:f7c60d3e7b8a	2386	ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2387	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2388	#endif
maclobdell	0:f7c60d3e7b8a	2389
maclobdell	0:f7c60d3e7b8a	2390	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	2391	ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2392	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2393	#endif
maclobdell	0:f7c60d3e7b8a	2394
maclobdell	0:f7c60d3e7b8a	2395	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
maclobdell	0:f7c60d3e7b8a	2396	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	2397	ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2398	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2399	#endif
maclobdell	0:f7c60d3e7b8a	2400
maclobdell	0:f7c60d3e7b8a	2401	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	2402	ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2403	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2404	#endif
maclobdell	0:f7c60d3e7b8a	2405
maclobdell	0:f7c60d3e7b8a	2406	#if defined(MBEDTLS_SSL_ALPN)
maclobdell	0:f7c60d3e7b8a	2407	ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
maclobdell	0:f7c60d3e7b8a	2408	ext_len += olen;
maclobdell	0:f7c60d3e7b8a	2409	#endif
maclobdell	0:f7c60d3e7b8a	2410
maclobdell	0:f7c60d3e7b8a	2411	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
maclobdell	0:f7c60d3e7b8a	2412
maclobdell	0:f7c60d3e7b8a	2413	if( ext_len > 0 )
maclobdell	0:f7c60d3e7b8a	2414	{
maclobdell	0:f7c60d3e7b8a	2415	*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2416	*p++ = (unsigned char)( ( ext_len ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	2417	p += ext_len;
maclobdell	0:f7c60d3e7b8a	2418	}
maclobdell	0:f7c60d3e7b8a	2419
maclobdell	0:f7c60d3e7b8a	2420	ssl->out_msglen = p - buf;
maclobdell	0:f7c60d3e7b8a	2421	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
maclobdell	0:f7c60d3e7b8a	2422	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
maclobdell	0:f7c60d3e7b8a	2423
maclobdell	0:f7c60d3e7b8a	2424	ret = mbedtls_ssl_write_record( ssl );
maclobdell	0:f7c60d3e7b8a	2425
maclobdell	0:f7c60d3e7b8a	2426	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
maclobdell	0:f7c60d3e7b8a	2427
maclobdell	0:f7c60d3e7b8a	2428	return( ret );
maclobdell	0:f7c60d3e7b8a	2429	}
maclobdell	0:f7c60d3e7b8a	2430
maclobdell	0:f7c60d3e7b8a	2431	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
maclobdell	0:f7c60d3e7b8a	2432	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
maclobdell	0:f7c60d3e7b8a	2433	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
maclobdell	0:f7c60d3e7b8a	2434	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	2435	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	2436	{
maclobdell	0:f7c60d3e7b8a	2437	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	2438
maclobdell	0:f7c60d3e7b8a	2439	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
maclobdell	0:f7c60d3e7b8a	2440
maclobdell	0:f7c60d3e7b8a	2441	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2442	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2443	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2444	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2445	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
maclobdell	0:f7c60d3e7b8a	2446	{
maclobdell	0:f7c60d3e7b8a	2447	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
maclobdell	0:f7c60d3e7b8a	2448	ssl->state++;
maclobdell	0:f7c60d3e7b8a	2449	return( 0 );
maclobdell	0:f7c60d3e7b8a	2450	}
maclobdell	0:f7c60d3e7b8a	2451
maclobdell	0:f7c60d3e7b8a	2452	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	2453	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	2454	}
maclobdell	0:f7c60d3e7b8a	2455	#else
maclobdell	0:f7c60d3e7b8a	2456	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	2457	{
maclobdell	0:f7c60d3e7b8a	2458	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
maclobdell	0:f7c60d3e7b8a	2459	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	2460	size_t dn_size, total_dn_size; /* excluding length bytes */
maclobdell	0:f7c60d3e7b8a	2461	size_t ct_len, sa_len; /* including length bytes */
maclobdell	0:f7c60d3e7b8a	2462	unsigned char buf, p;
maclobdell	0:f7c60d3e7b8a	2463	const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
maclobdell	0:f7c60d3e7b8a	2464	const mbedtls_x509_crt *crt;
maclobdell	0:f7c60d3e7b8a	2465	int authmode;
maclobdell	0:f7c60d3e7b8a	2466
maclobdell	0:f7c60d3e7b8a	2467	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
maclobdell	0:f7c60d3e7b8a	2468
maclobdell	0:f7c60d3e7b8a	2469	ssl->state++;
maclobdell	0:f7c60d3e7b8a	2470
maclobdell	0:f7c60d3e7b8a	2471	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
maclobdell	0:f7c60d3e7b8a	2472	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
maclobdell	0:f7c60d3e7b8a	2473	authmode = ssl->handshake->sni_authmode;
maclobdell	0:f7c60d3e7b8a	2474	else
maclobdell	0:f7c60d3e7b8a	2475	#endif
maclobdell	0:f7c60d3e7b8a	2476	authmode = ssl->conf->authmode;
maclobdell	0:f7c60d3e7b8a	2477
maclobdell	0:f7c60d3e7b8a	2478	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2479	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2480	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2481	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2482	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
maclobdell	0:f7c60d3e7b8a	2483	authmode == MBEDTLS_SSL_VERIFY_NONE )
maclobdell	0:f7c60d3e7b8a	2484	{
maclobdell	0:f7c60d3e7b8a	2485	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
maclobdell	0:f7c60d3e7b8a	2486	return( 0 );
maclobdell	0:f7c60d3e7b8a	2487	}
maclobdell	0:f7c60d3e7b8a	2488
maclobdell	0:f7c60d3e7b8a	2489	/*
maclobdell	0:f7c60d3e7b8a	2490	* 0 . 0 handshake type
maclobdell	0:f7c60d3e7b8a	2491	* 1 . 3 handshake length
maclobdell	0:f7c60d3e7b8a	2492	* 4 . 4 cert type count
maclobdell	0:f7c60d3e7b8a	2493	* 5 .. m-1 cert types
maclobdell	0:f7c60d3e7b8a	2494	* m .. m+1 sig alg length (TLS 1.2 only)
maclobdell	0:f7c60d3e7b8a	2495	* m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
maclobdell	0:f7c60d3e7b8a	2496	* n .. n+1 length of all DNs
maclobdell	0:f7c60d3e7b8a	2497	* n+2 .. n+3 length of DN 1
maclobdell	0:f7c60d3e7b8a	2498	* n+4 .. ... Distinguished Name #1
maclobdell	0:f7c60d3e7b8a	2499	* ... .. ... length of DN 2, etc.
maclobdell	0:f7c60d3e7b8a	2500	*/
maclobdell	0:f7c60d3e7b8a	2501	buf = ssl->out_msg;
maclobdell	0:f7c60d3e7b8a	2502	p = buf + 4;
maclobdell	0:f7c60d3e7b8a	2503
maclobdell	0:f7c60d3e7b8a	2504	/*
maclobdell	0:f7c60d3e7b8a	2505	* Supported certificate types
maclobdell	0:f7c60d3e7b8a	2506	*
maclobdell	0:f7c60d3e7b8a	2507	* ClientCertificateType certificate_types<1..2^8-1>;
maclobdell	0:f7c60d3e7b8a	2508	* enum { (255) } ClientCertificateType;
maclobdell	0:f7c60d3e7b8a	2509	*/
maclobdell	0:f7c60d3e7b8a	2510	ct_len = 0;
maclobdell	0:f7c60d3e7b8a	2511
maclobdell	0:f7c60d3e7b8a	2512	#if defined(MBEDTLS_RSA_C)
maclobdell	0:f7c60d3e7b8a	2513	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
maclobdell	0:f7c60d3e7b8a	2514	#endif
maclobdell	0:f7c60d3e7b8a	2515	#if defined(MBEDTLS_ECDSA_C)
maclobdell	0:f7c60d3e7b8a	2516	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
maclobdell	0:f7c60d3e7b8a	2517	#endif
maclobdell	0:f7c60d3e7b8a	2518
maclobdell	0:f7c60d3e7b8a	2519	p[0] = (unsigned char) ct_len++;
maclobdell	0:f7c60d3e7b8a	2520	p += ct_len;
maclobdell	0:f7c60d3e7b8a	2521
maclobdell	0:f7c60d3e7b8a	2522	sa_len = 0;
maclobdell	0:f7c60d3e7b8a	2523	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
maclobdell	0:f7c60d3e7b8a	2524	/*
maclobdell	0:f7c60d3e7b8a	2525	* Add signature_algorithms for verify (TLS 1.2)
maclobdell	0:f7c60d3e7b8a	2526	*
maclobdell	0:f7c60d3e7b8a	2527	* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
maclobdell	0:f7c60d3e7b8a	2528	*
maclobdell	0:f7c60d3e7b8a	2529	* struct {
maclobdell	0:f7c60d3e7b8a	2530	* HashAlgorithm hash;
maclobdell	0:f7c60d3e7b8a	2531	* SignatureAlgorithm signature;
maclobdell	0:f7c60d3e7b8a	2532	* } SignatureAndHashAlgorithm;
maclobdell	0:f7c60d3e7b8a	2533	*
maclobdell	0:f7c60d3e7b8a	2534	* enum { (255) } HashAlgorithm;
maclobdell	0:f7c60d3e7b8a	2535	* enum { (255) } SignatureAlgorithm;
maclobdell	0:f7c60d3e7b8a	2536	*/
maclobdell	0:f7c60d3e7b8a	2537	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
maclobdell	0:f7c60d3e7b8a	2538	{
maclobdell	0:f7c60d3e7b8a	2539	/*
maclobdell	0:f7c60d3e7b8a	2540	* Only use current running hash algorithm that is already required
maclobdell	0:f7c60d3e7b8a	2541	* for requested ciphersuite.
maclobdell	0:f7c60d3e7b8a	2542	*/
maclobdell	0:f7c60d3e7b8a	2543	ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA256;
maclobdell	0:f7c60d3e7b8a	2544
maclobdell	0:f7c60d3e7b8a	2545	if( ssl->transform_negotiate->ciphersuite_info->mac ==
maclobdell	0:f7c60d3e7b8a	2546	MBEDTLS_MD_SHA384 )
maclobdell	0:f7c60d3e7b8a	2547	{
maclobdell	0:f7c60d3e7b8a	2548	ssl->handshake->verify_sig_alg = MBEDTLS_SSL_HASH_SHA384;
maclobdell	0:f7c60d3e7b8a	2549	}
maclobdell	0:f7c60d3e7b8a	2550
maclobdell	0:f7c60d3e7b8a	2551	/*
maclobdell	0:f7c60d3e7b8a	2552	* Supported signature algorithms
maclobdell	0:f7c60d3e7b8a	2553	*/
maclobdell	0:f7c60d3e7b8a	2554	#if defined(MBEDTLS_RSA_C)
maclobdell	0:f7c60d3e7b8a	2555	p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
maclobdell	0:f7c60d3e7b8a	2556	p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
maclobdell	0:f7c60d3e7b8a	2557	#endif
maclobdell	0:f7c60d3e7b8a	2558	#if defined(MBEDTLS_ECDSA_C)
maclobdell	0:f7c60d3e7b8a	2559	p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
maclobdell	0:f7c60d3e7b8a	2560	p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
maclobdell	0:f7c60d3e7b8a	2561	#endif
maclobdell	0:f7c60d3e7b8a	2562
maclobdell	0:f7c60d3e7b8a	2563	p[0] = (unsigned char)( sa_len >> 8 );
maclobdell	0:f7c60d3e7b8a	2564	p[1] = (unsigned char)( sa_len );
maclobdell	0:f7c60d3e7b8a	2565	sa_len += 2;
maclobdell	0:f7c60d3e7b8a	2566	p += sa_len;
maclobdell	0:f7c60d3e7b8a	2567	}
maclobdell	0:f7c60d3e7b8a	2568	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
maclobdell	0:f7c60d3e7b8a	2569
maclobdell	0:f7c60d3e7b8a	2570	/*
maclobdell	0:f7c60d3e7b8a	2571	* DistinguishedName certificate_authorities<0..2^16-1>;
maclobdell	0:f7c60d3e7b8a	2572	* opaque DistinguishedName<1..2^16-1>;
maclobdell	0:f7c60d3e7b8a	2573	*/
maclobdell	0:f7c60d3e7b8a	2574	p += 2;
maclobdell	0:f7c60d3e7b8a	2575	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
maclobdell	0:f7c60d3e7b8a	2576	if( ssl->handshake->sni_ca_chain != NULL )
maclobdell	0:f7c60d3e7b8a	2577	crt = ssl->handshake->sni_ca_chain;
maclobdell	0:f7c60d3e7b8a	2578	else
maclobdell	0:f7c60d3e7b8a	2579	#endif
maclobdell	0:f7c60d3e7b8a	2580	crt = ssl->conf->ca_chain;
maclobdell	0:f7c60d3e7b8a	2581
maclobdell	0:f7c60d3e7b8a	2582	total_dn_size = 0;
maclobdell	0:f7c60d3e7b8a	2583	while( crt != NULL && crt->version != 0 )
maclobdell	0:f7c60d3e7b8a	2584	{
maclobdell	0:f7c60d3e7b8a	2585	dn_size = crt->subject_raw.len;
maclobdell	0:f7c60d3e7b8a	2586
maclobdell	0:f7c60d3e7b8a	2587	if( end < p \|\| (size_t)( end - p ) < 2 + dn_size )
maclobdell	0:f7c60d3e7b8a	2588	{
maclobdell	0:f7c60d3e7b8a	2589	MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
maclobdell	0:f7c60d3e7b8a	2590	break;
maclobdell	0:f7c60d3e7b8a	2591	}
maclobdell	0:f7c60d3e7b8a	2592
maclobdell	0:f7c60d3e7b8a	2593	*p++ = (unsigned char)( dn_size >> 8 );
maclobdell	0:f7c60d3e7b8a	2594	*p++ = (unsigned char)( dn_size );
maclobdell	0:f7c60d3e7b8a	2595	memcpy( p, crt->subject_raw.p, dn_size );
maclobdell	0:f7c60d3e7b8a	2596	p += dn_size;
maclobdell	0:f7c60d3e7b8a	2597
maclobdell	0:f7c60d3e7b8a	2598	MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
maclobdell	0:f7c60d3e7b8a	2599
maclobdell	0:f7c60d3e7b8a	2600	total_dn_size += 2 + dn_size;
maclobdell	0:f7c60d3e7b8a	2601	crt = crt->next;
maclobdell	0:f7c60d3e7b8a	2602	}
maclobdell	0:f7c60d3e7b8a	2603
maclobdell	0:f7c60d3e7b8a	2604	ssl->out_msglen = p - buf;
maclobdell	0:f7c60d3e7b8a	2605	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
maclobdell	0:f7c60d3e7b8a	2606	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
maclobdell	0:f7c60d3e7b8a	2607	ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
maclobdell	0:f7c60d3e7b8a	2608	ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
maclobdell	0:f7c60d3e7b8a	2609
maclobdell	0:f7c60d3e7b8a	2610	ret = mbedtls_ssl_write_record( ssl );
maclobdell	0:f7c60d3e7b8a	2611
maclobdell	0:f7c60d3e7b8a	2612	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
maclobdell	0:f7c60d3e7b8a	2613
maclobdell	0:f7c60d3e7b8a	2614	return( ret );
maclobdell	0:f7c60d3e7b8a	2615	}
maclobdell	0:f7c60d3e7b8a	2616	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
maclobdell	0:f7c60d3e7b8a	2617	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
maclobdell	0:f7c60d3e7b8a	2618	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
maclobdell	0:f7c60d3e7b8a	2619	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
maclobdell	0:f7c60d3e7b8a	2620
maclobdell	0:f7c60d3e7b8a	2621	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2622	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	2623	static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	2624	{
maclobdell	0:f7c60d3e7b8a	2625	int ret;
maclobdell	0:f7c60d3e7b8a	2626
maclobdell	0:f7c60d3e7b8a	2627	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
maclobdell	0:f7c60d3e7b8a	2628	{
maclobdell	0:f7c60d3e7b8a	2629	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
maclobdell	0:f7c60d3e7b8a	2630	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
maclobdell	0:f7c60d3e7b8a	2631	}
maclobdell	0:f7c60d3e7b8a	2632
maclobdell	0:f7c60d3e7b8a	2633	if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
maclobdell	0:f7c60d3e7b8a	2634	mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
maclobdell	0:f7c60d3e7b8a	2635	MBEDTLS_ECDH_OURS ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2636	{
maclobdell	0:f7c60d3e7b8a	2637	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
maclobdell	0:f7c60d3e7b8a	2638	return( ret );
maclobdell	0:f7c60d3e7b8a	2639	}
maclobdell	0:f7c60d3e7b8a	2640
maclobdell	0:f7c60d3e7b8a	2641	return( 0 );
maclobdell	0:f7c60d3e7b8a	2642	}
maclobdell	0:f7c60d3e7b8a	2643	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\|
maclobdell	0:f7c60d3e7b8a	2644	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
maclobdell	0:f7c60d3e7b8a	2645
maclobdell	0:f7c60d3e7b8a	2646	static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	2647	{
maclobdell	0:f7c60d3e7b8a	2648	int ret;
maclobdell	0:f7c60d3e7b8a	2649	size_t n = 0;
maclobdell	0:f7c60d3e7b8a	2650	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
maclobdell	0:f7c60d3e7b8a	2651	ssl->transform_negotiate->ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	2652
maclobdell	0:f7c60d3e7b8a	2653	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2654	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2655	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2656	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2657	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2658	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	2659	unsigned char *p = ssl->out_msg + 4;
maclobdell	0:f7c60d3e7b8a	2660	unsigned char *dig_signed = p;
maclobdell	0:f7c60d3e7b8a	2661	size_t dig_signed_len = 0, len;
maclobdell	0:f7c60d3e7b8a	2662	((void) dig_signed);
maclobdell	0:f7c60d3e7b8a	2663	((void) dig_signed_len);
maclobdell	0:f7c60d3e7b8a	2664	((void) len);
maclobdell	0:f7c60d3e7b8a	2665	#endif
maclobdell	0:f7c60d3e7b8a	2666
maclobdell	0:f7c60d3e7b8a	2667	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
maclobdell	0:f7c60d3e7b8a	2668
maclobdell	0:f7c60d3e7b8a	2669	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2670	defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2671	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	2672	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA \|\|
maclobdell	0:f7c60d3e7b8a	2673	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2674	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
maclobdell	0:f7c60d3e7b8a	2675	{
maclobdell	0:f7c60d3e7b8a	2676	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
maclobdell	0:f7c60d3e7b8a	2677	ssl->state++;
maclobdell	0:f7c60d3e7b8a	2678	return( 0 );
maclobdell	0:f7c60d3e7b8a	2679	}
maclobdell	0:f7c60d3e7b8a	2680	#endif
maclobdell	0:f7c60d3e7b8a	2681
maclobdell	0:f7c60d3e7b8a	2682	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2683	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	2684	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
maclobdell	0:f7c60d3e7b8a	2685	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
maclobdell	0:f7c60d3e7b8a	2686	{
maclobdell	0:f7c60d3e7b8a	2687	ssl_get_ecdh_params_from_cert( ssl );
maclobdell	0:f7c60d3e7b8a	2688
maclobdell	0:f7c60d3e7b8a	2689	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
maclobdell	0:f7c60d3e7b8a	2690	ssl->state++;
maclobdell	0:f7c60d3e7b8a	2691	return( 0 );
maclobdell	0:f7c60d3e7b8a	2692	}
maclobdell	0:f7c60d3e7b8a	2693	#endif
maclobdell	0:f7c60d3e7b8a	2694
maclobdell	0:f7c60d3e7b8a	2695	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	2696	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
maclobdell	0:f7c60d3e7b8a	2697	{
maclobdell	0:f7c60d3e7b8a	2698	size_t jlen;
maclobdell	0:f7c60d3e7b8a	2699	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
maclobdell	0:f7c60d3e7b8a	2700
maclobdell	0:f7c60d3e7b8a	2701	ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
maclobdell	0:f7c60d3e7b8a	2702	p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng );
maclobdell	0:f7c60d3e7b8a	2703	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	2704	{
maclobdell	0:f7c60d3e7b8a	2705	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
maclobdell	0:f7c60d3e7b8a	2706	return( ret );
maclobdell	0:f7c60d3e7b8a	2707	}
maclobdell	0:f7c60d3e7b8a	2708
maclobdell	0:f7c60d3e7b8a	2709	p += jlen;
maclobdell	0:f7c60d3e7b8a	2710	n += jlen;
maclobdell	0:f7c60d3e7b8a	2711	}
maclobdell	0:f7c60d3e7b8a	2712	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	2713
maclobdell	0:f7c60d3e7b8a	2714	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2715	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	2716	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	2717	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
maclobdell	0:f7c60d3e7b8a	2718	{
maclobdell	0:f7c60d3e7b8a	2719	/* TODO: Support identity hints */
maclobdell	0:f7c60d3e7b8a	2720	*(p++) = 0x00;
maclobdell	0:f7c60d3e7b8a	2721	*(p++) = 0x00;
maclobdell	0:f7c60d3e7b8a	2722
maclobdell	0:f7c60d3e7b8a	2723	n += 2;
maclobdell	0:f7c60d3e7b8a	2724	}
maclobdell	0:f7c60d3e7b8a	2725	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	2726	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	2727
maclobdell	0:f7c60d3e7b8a	2728	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2729	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	2730	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
maclobdell	0:f7c60d3e7b8a	2731	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
maclobdell	0:f7c60d3e7b8a	2732	{
maclobdell	0:f7c60d3e7b8a	2733	if( ssl->conf->dhm_P.p == NULL \|\| ssl->conf->dhm_G.p == NULL )
maclobdell	0:f7c60d3e7b8a	2734	{
maclobdell	0:f7c60d3e7b8a	2735	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
maclobdell	0:f7c60d3e7b8a	2736	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
maclobdell	0:f7c60d3e7b8a	2737	}
maclobdell	0:f7c60d3e7b8a	2738
maclobdell	0:f7c60d3e7b8a	2739	/*
maclobdell	0:f7c60d3e7b8a	2740	* Ephemeral DH parameters:
maclobdell	0:f7c60d3e7b8a	2741	*
maclobdell	0:f7c60d3e7b8a	2742	* struct {
maclobdell	0:f7c60d3e7b8a	2743	* opaque dh_p<1..2^16-1>;
maclobdell	0:f7c60d3e7b8a	2744	* opaque dh_g<1..2^16-1>;
maclobdell	0:f7c60d3e7b8a	2745	* opaque dh_Ys<1..2^16-1>;
maclobdell	0:f7c60d3e7b8a	2746	* } ServerDHParams;
maclobdell	0:f7c60d3e7b8a	2747	*/
maclobdell	0:f7c60d3e7b8a	2748	if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 \|\|
maclobdell	0:f7c60d3e7b8a	2749	( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2750	{
maclobdell	0:f7c60d3e7b8a	2751	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
maclobdell	0:f7c60d3e7b8a	2752	return( ret );
maclobdell	0:f7c60d3e7b8a	2753	}
maclobdell	0:f7c60d3e7b8a	2754
maclobdell	0:f7c60d3e7b8a	2755	if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
maclobdell	0:f7c60d3e7b8a	2756	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
maclobdell	0:f7c60d3e7b8a	2757	p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2758	{
maclobdell	0:f7c60d3e7b8a	2759	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
maclobdell	0:f7c60d3e7b8a	2760	return( ret );
maclobdell	0:f7c60d3e7b8a	2761	}
maclobdell	0:f7c60d3e7b8a	2762
maclobdell	0:f7c60d3e7b8a	2763	dig_signed = p;
maclobdell	0:f7c60d3e7b8a	2764	dig_signed_len = len;
maclobdell	0:f7c60d3e7b8a	2765
maclobdell	0:f7c60d3e7b8a	2766	p += len;
maclobdell	0:f7c60d3e7b8a	2767	n += len;
maclobdell	0:f7c60d3e7b8a	2768
maclobdell	0:f7c60d3e7b8a	2769	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
maclobdell	0:f7c60d3e7b8a	2770	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
maclobdell	0:f7c60d3e7b8a	2771	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
maclobdell	0:f7c60d3e7b8a	2772	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
maclobdell	0:f7c60d3e7b8a	2773	}
maclobdell	0:f7c60d3e7b8a	2774	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	2775	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	2776
maclobdell	0:f7c60d3e7b8a	2777	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
maclobdell	0:f7c60d3e7b8a	2778	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
maclobdell	0:f7c60d3e7b8a	2779	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
maclobdell	0:f7c60d3e7b8a	2780	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
maclobdell	0:f7c60d3e7b8a	2781	{
maclobdell	0:f7c60d3e7b8a	2782	/*
maclobdell	0:f7c60d3e7b8a	2783	* Ephemeral ECDH parameters:
maclobdell	0:f7c60d3e7b8a	2784	*
maclobdell	0:f7c60d3e7b8a	2785	* struct {
maclobdell	0:f7c60d3e7b8a	2786	* ECParameters curve_params;
maclobdell	0:f7c60d3e7b8a	2787	* ECPoint public;
maclobdell	0:f7c60d3e7b8a	2788	* } ServerECDHParams;
maclobdell	0:f7c60d3e7b8a	2789	*/
maclobdell	0:f7c60d3e7b8a	2790	const mbedtls_ecp_curve_info **curve = NULL;
maclobdell	0:f7c60d3e7b8a	2791	const mbedtls_ecp_group_id *gid;
maclobdell	0:f7c60d3e7b8a	2792
maclobdell	0:f7c60d3e7b8a	2793	/* Match our preference list against the offered curves */
maclobdell	0:f7c60d3e7b8a	2794	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
maclobdell	0:f7c60d3e7b8a	2795	for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
maclobdell	0:f7c60d3e7b8a	2796	if( (curve)->grp_id == gid )
maclobdell	0:f7c60d3e7b8a	2797	goto curve_matching_done;
maclobdell	0:f7c60d3e7b8a	2798
maclobdell	0:f7c60d3e7b8a	2799	curve_matching_done:
maclobdell	0:f7c60d3e7b8a	2800	if( curve == NULL \|\| *curve == NULL )
maclobdell	0:f7c60d3e7b8a	2801	{
maclobdell	0:f7c60d3e7b8a	2802	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
maclobdell	0:f7c60d3e7b8a	2803	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
maclobdell	0:f7c60d3e7b8a	2804	}
maclobdell	0:f7c60d3e7b8a	2805
maclobdell	0:f7c60d3e7b8a	2806	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
maclobdell	0:f7c60d3e7b8a	2807
maclobdell	0:f7c60d3e7b8a	2808	if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
maclobdell	0:f7c60d3e7b8a	2809	(*curve)->grp_id ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2810	{
maclobdell	0:f7c60d3e7b8a	2811	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
maclobdell	0:f7c60d3e7b8a	2812	return( ret );
maclobdell	0:f7c60d3e7b8a	2813	}
maclobdell	0:f7c60d3e7b8a	2814
maclobdell	0:f7c60d3e7b8a	2815	if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
maclobdell	0:f7c60d3e7b8a	2816	p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
maclobdell	0:f7c60d3e7b8a	2817	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2818	{
maclobdell	0:f7c60d3e7b8a	2819	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
maclobdell	0:f7c60d3e7b8a	2820	return( ret );
maclobdell	0:f7c60d3e7b8a	2821	}
maclobdell	0:f7c60d3e7b8a	2822
maclobdell	0:f7c60d3e7b8a	2823	dig_signed = p;
maclobdell	0:f7c60d3e7b8a	2824	dig_signed_len = len;
maclobdell	0:f7c60d3e7b8a	2825
maclobdell	0:f7c60d3e7b8a	2826	p += len;
maclobdell	0:f7c60d3e7b8a	2827	n += len;
maclobdell	0:f7c60d3e7b8a	2828
maclobdell	0:f7c60d3e7b8a	2829	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
maclobdell	0:f7c60d3e7b8a	2830	}
maclobdell	0:f7c60d3e7b8a	2831	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
maclobdell	0:f7c60d3e7b8a	2832
maclobdell	0:f7c60d3e7b8a	2833	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2834	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	2835	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	2836	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
maclobdell	0:f7c60d3e7b8a	2837	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
maclobdell	0:f7c60d3e7b8a	2838	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
maclobdell	0:f7c60d3e7b8a	2839	{
maclobdell	0:f7c60d3e7b8a	2840	size_t signature_len = 0;
maclobdell	0:f7c60d3e7b8a	2841	unsigned int hashlen = 0;
maclobdell	0:f7c60d3e7b8a	2842	unsigned char hash[64];
maclobdell	0:f7c60d3e7b8a	2843	mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
maclobdell	0:f7c60d3e7b8a	2844
maclobdell	0:f7c60d3e7b8a	2845	/*
maclobdell	0:f7c60d3e7b8a	2846	* Choose hash algorithm. NONE means MD5 + SHA1 here.
maclobdell	0:f7c60d3e7b8a	2847	*/
maclobdell	0:f7c60d3e7b8a	2848	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
maclobdell	0:f7c60d3e7b8a	2849	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
maclobdell	0:f7c60d3e7b8a	2850	{
maclobdell	0:f7c60d3e7b8a	2851	md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
maclobdell	0:f7c60d3e7b8a	2852
maclobdell	0:f7c60d3e7b8a	2853	if( md_alg == MBEDTLS_MD_NONE )
maclobdell	0:f7c60d3e7b8a	2854	{
maclobdell	0:f7c60d3e7b8a	2855	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	2856	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	2857	}
maclobdell	0:f7c60d3e7b8a	2858	}
maclobdell	0:f7c60d3e7b8a	2859	else
maclobdell	0:f7c60d3e7b8a	2860	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
maclobdell	0:f7c60d3e7b8a	2861	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
maclobdell	0:f7c60d3e7b8a	2862	defined(MBEDTLS_SSL_PROTO_TLS1_1)
maclobdell	0:f7c60d3e7b8a	2863	if( ciphersuite_info->key_exchange ==
maclobdell	0:f7c60d3e7b8a	2864	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
maclobdell	0:f7c60d3e7b8a	2865	{
maclobdell	0:f7c60d3e7b8a	2866	md_alg = MBEDTLS_MD_SHA1;
maclobdell	0:f7c60d3e7b8a	2867	}
maclobdell	0:f7c60d3e7b8a	2868	else
maclobdell	0:f7c60d3e7b8a	2869	#endif
maclobdell	0:f7c60d3e7b8a	2870	{
maclobdell	0:f7c60d3e7b8a	2871	md_alg = MBEDTLS_MD_NONE;
maclobdell	0:f7c60d3e7b8a	2872	}
maclobdell	0:f7c60d3e7b8a	2873
maclobdell	0:f7c60d3e7b8a	2874	/*
maclobdell	0:f7c60d3e7b8a	2875	* Compute the hash to be signed
maclobdell	0:f7c60d3e7b8a	2876	*/
maclobdell	0:f7c60d3e7b8a	2877	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
maclobdell	0:f7c60d3e7b8a	2878	defined(MBEDTLS_SSL_PROTO_TLS1_1)
maclobdell	0:f7c60d3e7b8a	2879	if( md_alg == MBEDTLS_MD_NONE )
maclobdell	0:f7c60d3e7b8a	2880	{
maclobdell	0:f7c60d3e7b8a	2881	mbedtls_md5_context mbedtls_md5;
maclobdell	0:f7c60d3e7b8a	2882	mbedtls_sha1_context mbedtls_sha1;
maclobdell	0:f7c60d3e7b8a	2883
maclobdell	0:f7c60d3e7b8a	2884	mbedtls_md5_init( &mbedtls_md5 );
maclobdell	0:f7c60d3e7b8a	2885	mbedtls_sha1_init( &mbedtls_sha1 );
maclobdell	0:f7c60d3e7b8a	2886
maclobdell	0:f7c60d3e7b8a	2887	/*
maclobdell	0:f7c60d3e7b8a	2888	* digitally-signed struct {
maclobdell	0:f7c60d3e7b8a	2889	* opaque md5_hash[16];
maclobdell	0:f7c60d3e7b8a	2890	* opaque sha_hash[20];
maclobdell	0:f7c60d3e7b8a	2891	* };
maclobdell	0:f7c60d3e7b8a	2892	*
maclobdell	0:f7c60d3e7b8a	2893	* md5_hash
maclobdell	0:f7c60d3e7b8a	2894	* MD5(ClientHello.random + ServerHello.random
maclobdell	0:f7c60d3e7b8a	2895	* + ServerParams);
maclobdell	0:f7c60d3e7b8a	2896	* sha_hash
maclobdell	0:f7c60d3e7b8a	2897	* SHA(ClientHello.random + ServerHello.random
maclobdell	0:f7c60d3e7b8a	2898	* + ServerParams);
maclobdell	0:f7c60d3e7b8a	2899	*/
maclobdell	0:f7c60d3e7b8a	2900	mbedtls_md5_starts( &mbedtls_md5 );
maclobdell	0:f7c60d3e7b8a	2901	mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
maclobdell	0:f7c60d3e7b8a	2902	mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
maclobdell	0:f7c60d3e7b8a	2903	mbedtls_md5_finish( &mbedtls_md5, hash );
maclobdell	0:f7c60d3e7b8a	2904
maclobdell	0:f7c60d3e7b8a	2905	mbedtls_sha1_starts( &mbedtls_sha1 );
maclobdell	0:f7c60d3e7b8a	2906	mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
maclobdell	0:f7c60d3e7b8a	2907	mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
maclobdell	0:f7c60d3e7b8a	2908	mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
maclobdell	0:f7c60d3e7b8a	2909
maclobdell	0:f7c60d3e7b8a	2910	hashlen = 36;
maclobdell	0:f7c60d3e7b8a	2911
maclobdell	0:f7c60d3e7b8a	2912	mbedtls_md5_free( &mbedtls_md5 );
maclobdell	0:f7c60d3e7b8a	2913	mbedtls_sha1_free( &mbedtls_sha1 );
maclobdell	0:f7c60d3e7b8a	2914	}
maclobdell	0:f7c60d3e7b8a	2915	else
maclobdell	0:f7c60d3e7b8a	2916	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
maclobdell	0:f7c60d3e7b8a	2917	MBEDTLS_SSL_PROTO_TLS1_1 */
maclobdell	0:f7c60d3e7b8a	2918	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
maclobdell	0:f7c60d3e7b8a	2919	defined(MBEDTLS_SSL_PROTO_TLS1_2)
maclobdell	0:f7c60d3e7b8a	2920	if( md_alg != MBEDTLS_MD_NONE )
maclobdell	0:f7c60d3e7b8a	2921	{
maclobdell	0:f7c60d3e7b8a	2922	mbedtls_md_context_t ctx;
maclobdell	0:f7c60d3e7b8a	2923	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
maclobdell	0:f7c60d3e7b8a	2924
maclobdell	0:f7c60d3e7b8a	2925	mbedtls_md_init( &ctx );
maclobdell	0:f7c60d3e7b8a	2926
maclobdell	0:f7c60d3e7b8a	2927	/* Info from md_alg will be used instead */
maclobdell	0:f7c60d3e7b8a	2928	hashlen = 0;
maclobdell	0:f7c60d3e7b8a	2929
maclobdell	0:f7c60d3e7b8a	2930	/*
maclobdell	0:f7c60d3e7b8a	2931	* digitally-signed struct {
maclobdell	0:f7c60d3e7b8a	2932	* opaque client_random[32];
maclobdell	0:f7c60d3e7b8a	2933	* opaque server_random[32];
maclobdell	0:f7c60d3e7b8a	2934	* ServerDHParams params;
maclobdell	0:f7c60d3e7b8a	2935	* };
maclobdell	0:f7c60d3e7b8a	2936	*/
maclobdell	0:f7c60d3e7b8a	2937	if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2938	{
maclobdell	0:f7c60d3e7b8a	2939	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
maclobdell	0:f7c60d3e7b8a	2940	return( ret );
maclobdell	0:f7c60d3e7b8a	2941	}
maclobdell	0:f7c60d3e7b8a	2942
maclobdell	0:f7c60d3e7b8a	2943	mbedtls_md_starts( &ctx );
maclobdell	0:f7c60d3e7b8a	2944	mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
maclobdell	0:f7c60d3e7b8a	2945	mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
maclobdell	0:f7c60d3e7b8a	2946	mbedtls_md_finish( &ctx, hash );
maclobdell	0:f7c60d3e7b8a	2947	mbedtls_md_free( &ctx );
maclobdell	0:f7c60d3e7b8a	2948	}
maclobdell	0:f7c60d3e7b8a	2949	else
maclobdell	0:f7c60d3e7b8a	2950	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
maclobdell	0:f7c60d3e7b8a	2951	MBEDTLS_SSL_PROTO_TLS1_2 */
maclobdell	0:f7c60d3e7b8a	2952	{
maclobdell	0:f7c60d3e7b8a	2953	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	2954	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	2955	}
maclobdell	0:f7c60d3e7b8a	2956
maclobdell	0:f7c60d3e7b8a	2957	MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
maclobdell	0:f7c60d3e7b8a	2958	(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
maclobdell	0:f7c60d3e7b8a	2959
maclobdell	0:f7c60d3e7b8a	2960	/*
maclobdell	0:f7c60d3e7b8a	2961	* Make the signature
maclobdell	0:f7c60d3e7b8a	2962	*/
maclobdell	0:f7c60d3e7b8a	2963	if( mbedtls_ssl_own_key( ssl ) == NULL )
maclobdell	0:f7c60d3e7b8a	2964	{
maclobdell	0:f7c60d3e7b8a	2965	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
maclobdell	0:f7c60d3e7b8a	2966	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
maclobdell	0:f7c60d3e7b8a	2967	}
maclobdell	0:f7c60d3e7b8a	2968
maclobdell	0:f7c60d3e7b8a	2969	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
maclobdell	0:f7c60d3e7b8a	2970	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
maclobdell	0:f7c60d3e7b8a	2971	{
maclobdell	0:f7c60d3e7b8a	2972	*(p++) = ssl->handshake->sig_alg;
maclobdell	0:f7c60d3e7b8a	2973	*(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
maclobdell	0:f7c60d3e7b8a	2974
maclobdell	0:f7c60d3e7b8a	2975	n += 2;
maclobdell	0:f7c60d3e7b8a	2976	}
maclobdell	0:f7c60d3e7b8a	2977	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
maclobdell	0:f7c60d3e7b8a	2978
maclobdell	0:f7c60d3e7b8a	2979	if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
maclobdell	0:f7c60d3e7b8a	2980	p + 2 , &signature_len,
maclobdell	0:f7c60d3e7b8a	2981	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	2982	{
maclobdell	0:f7c60d3e7b8a	2983	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
maclobdell	0:f7c60d3e7b8a	2984	return( ret );
maclobdell	0:f7c60d3e7b8a	2985	}
maclobdell	0:f7c60d3e7b8a	2986
maclobdell	0:f7c60d3e7b8a	2987	*(p++) = (unsigned char)( signature_len >> 8 );
maclobdell	0:f7c60d3e7b8a	2988	*(p++) = (unsigned char)( signature_len );
maclobdell	0:f7c60d3e7b8a	2989	n += 2;
maclobdell	0:f7c60d3e7b8a	2990
maclobdell	0:f7c60d3e7b8a	2991	MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
maclobdell	0:f7c60d3e7b8a	2992
maclobdell	0:f7c60d3e7b8a	2993	n += signature_len;
maclobdell	0:f7c60d3e7b8a	2994	}
maclobdell	0:f7c60d3e7b8a	2995	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\|
maclobdell	0:f7c60d3e7b8a	2996	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	2997	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
maclobdell	0:f7c60d3e7b8a	2998
maclobdell	0:f7c60d3e7b8a	2999	ssl->out_msglen = 4 + n;
maclobdell	0:f7c60d3e7b8a	3000	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
maclobdell	0:f7c60d3e7b8a	3001	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
maclobdell	0:f7c60d3e7b8a	3002
maclobdell	0:f7c60d3e7b8a	3003	ssl->state++;
maclobdell	0:f7c60d3e7b8a	3004
maclobdell	0:f7c60d3e7b8a	3005	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3006	{
maclobdell	0:f7c60d3e7b8a	3007	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
maclobdell	0:f7c60d3e7b8a	3008	return( ret );
maclobdell	0:f7c60d3e7b8a	3009	}
maclobdell	0:f7c60d3e7b8a	3010
maclobdell	0:f7c60d3e7b8a	3011	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
maclobdell	0:f7c60d3e7b8a	3012
maclobdell	0:f7c60d3e7b8a	3013	return( 0 );
maclobdell	0:f7c60d3e7b8a	3014	}
maclobdell	0:f7c60d3e7b8a	3015
maclobdell	0:f7c60d3e7b8a	3016	static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	3017	{
maclobdell	0:f7c60d3e7b8a	3018	int ret;
maclobdell	0:f7c60d3e7b8a	3019
maclobdell	0:f7c60d3e7b8a	3020	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
maclobdell	0:f7c60d3e7b8a	3021
maclobdell	0:f7c60d3e7b8a	3022	ssl->out_msglen = 4;
maclobdell	0:f7c60d3e7b8a	3023	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
maclobdell	0:f7c60d3e7b8a	3024	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
maclobdell	0:f7c60d3e7b8a	3025
maclobdell	0:f7c60d3e7b8a	3026	ssl->state++;
maclobdell	0:f7c60d3e7b8a	3027
maclobdell	0:f7c60d3e7b8a	3028	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	3029	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
maclobdell	0:f7c60d3e7b8a	3030	mbedtls_ssl_send_flight_completed( ssl );
maclobdell	0:f7c60d3e7b8a	3031	#endif
maclobdell	0:f7c60d3e7b8a	3032
maclobdell	0:f7c60d3e7b8a	3033	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3034	{
maclobdell	0:f7c60d3e7b8a	3035	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
maclobdell	0:f7c60d3e7b8a	3036	return( ret );
maclobdell	0:f7c60d3e7b8a	3037	}
maclobdell	0:f7c60d3e7b8a	3038
maclobdell	0:f7c60d3e7b8a	3039	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
maclobdell	0:f7c60d3e7b8a	3040
maclobdell	0:f7c60d3e7b8a	3041	return( 0 );
maclobdell	0:f7c60d3e7b8a	3042	}
maclobdell	0:f7c60d3e7b8a	3043
maclobdell	0:f7c60d3e7b8a	3044	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	3045	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	3046	static int ssl_parse_client_dh_public( mbedtls_ssl_context ssl, unsigned char *p,
maclobdell	0:f7c60d3e7b8a	3047	const unsigned char *end )
maclobdell	0:f7c60d3e7b8a	3048	{
maclobdell	0:f7c60d3e7b8a	3049	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
maclobdell	0:f7c60d3e7b8a	3050	size_t n;
maclobdell	0:f7c60d3e7b8a	3051
maclobdell	0:f7c60d3e7b8a	3052	/*
maclobdell	0:f7c60d3e7b8a	3053	* Receive G^Y mod P, premaster = (G^Y)^X mod P
maclobdell	0:f7c60d3e7b8a	3054	*/
maclobdell	0:f7c60d3e7b8a	3055	if( *p + 2 > end )
maclobdell	0:f7c60d3e7b8a	3056	{
maclobdell	0:f7c60d3e7b8a	3057	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3058	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3059	}
maclobdell	0:f7c60d3e7b8a	3060
maclobdell	0:f7c60d3e7b8a	3061	n = ( (p)[0] << 8 ) \| (p)[1];
maclobdell	0:f7c60d3e7b8a	3062	*p += 2;
maclobdell	0:f7c60d3e7b8a	3063
maclobdell	0:f7c60d3e7b8a	3064	if( *p + n > end )
maclobdell	0:f7c60d3e7b8a	3065	{
maclobdell	0:f7c60d3e7b8a	3066	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3067	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3068	}
maclobdell	0:f7c60d3e7b8a	3069
maclobdell	0:f7c60d3e7b8a	3070	if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3071	{
maclobdell	0:f7c60d3e7b8a	3072	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
maclobdell	0:f7c60d3e7b8a	3073	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
maclobdell	0:f7c60d3e7b8a	3074	}
maclobdell	0:f7c60d3e7b8a	3075
maclobdell	0:f7c60d3e7b8a	3076	*p += n;
maclobdell	0:f7c60d3e7b8a	3077
maclobdell	0:f7c60d3e7b8a	3078	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
maclobdell	0:f7c60d3e7b8a	3079
maclobdell	0:f7c60d3e7b8a	3080	return( ret );
maclobdell	0:f7c60d3e7b8a	3081	}
maclobdell	0:f7c60d3e7b8a	3082	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	3083	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	3084
maclobdell	0:f7c60d3e7b8a	3085	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	3086	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	3087	static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
maclobdell	0:f7c60d3e7b8a	3088	const unsigned char *p,
maclobdell	0:f7c60d3e7b8a	3089	const unsigned char *end,
maclobdell	0:f7c60d3e7b8a	3090	size_t pms_offset )
maclobdell	0:f7c60d3e7b8a	3091	{
maclobdell	0:f7c60d3e7b8a	3092	int ret;
maclobdell	0:f7c60d3e7b8a	3093	size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
maclobdell	0:f7c60d3e7b8a	3094	unsigned char *pms = ssl->handshake->premaster + pms_offset;
maclobdell	0:f7c60d3e7b8a	3095	unsigned char ver[2];
maclobdell	0:f7c60d3e7b8a	3096	unsigned char fake_pms[48], peer_pms[48];
maclobdell	0:f7c60d3e7b8a	3097	unsigned char mask;
maclobdell	0:f7c60d3e7b8a	3098	size_t i, peer_pmslen;
maclobdell	0:f7c60d3e7b8a	3099	unsigned int diff;
maclobdell	0:f7c60d3e7b8a	3100
maclobdell	0:f7c60d3e7b8a	3101	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
maclobdell	0:f7c60d3e7b8a	3102	{
maclobdell	0:f7c60d3e7b8a	3103	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
maclobdell	0:f7c60d3e7b8a	3104	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
maclobdell	0:f7c60d3e7b8a	3105	}
maclobdell	0:f7c60d3e7b8a	3106
maclobdell	0:f7c60d3e7b8a	3107	/*
maclobdell	0:f7c60d3e7b8a	3108	* Decrypt the premaster using own private RSA key
maclobdell	0:f7c60d3e7b8a	3109	*/
maclobdell	0:f7c60d3e7b8a	3110	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
maclobdell	0:f7c60d3e7b8a	3111	defined(MBEDTLS_SSL_PROTO_TLS1_2)
maclobdell	0:f7c60d3e7b8a	3112	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
maclobdell	0:f7c60d3e7b8a	3113	{
maclobdell	0:f7c60d3e7b8a	3114	if( *p++ != ( ( len >> 8 ) & 0xFF ) \|\|
maclobdell	0:f7c60d3e7b8a	3115	*p++ != ( ( len ) & 0xFF ) )
maclobdell	0:f7c60d3e7b8a	3116	{
maclobdell	0:f7c60d3e7b8a	3117	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3118	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3119	}
maclobdell	0:f7c60d3e7b8a	3120	}
maclobdell	0:f7c60d3e7b8a	3121	#endif
maclobdell	0:f7c60d3e7b8a	3122
maclobdell	0:f7c60d3e7b8a	3123	if( p + len != end )
maclobdell	0:f7c60d3e7b8a	3124	{
maclobdell	0:f7c60d3e7b8a	3125	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3126	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3127	}
maclobdell	0:f7c60d3e7b8a	3128
maclobdell	0:f7c60d3e7b8a	3129	mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
maclobdell	0:f7c60d3e7b8a	3130	ssl->handshake->max_minor_ver,
maclobdell	0:f7c60d3e7b8a	3131	ssl->conf->transport, ver );
maclobdell	0:f7c60d3e7b8a	3132
maclobdell	0:f7c60d3e7b8a	3133	/*
maclobdell	0:f7c60d3e7b8a	3134	* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
maclobdell	0:f7c60d3e7b8a	3135	* must not cause the connection to end immediately; instead, send a
maclobdell	0:f7c60d3e7b8a	3136	* bad_record_mac later in the handshake.
maclobdell	0:f7c60d3e7b8a	3137	* Also, avoid data-dependant branches here to protect against
maclobdell	0:f7c60d3e7b8a	3138	* timing-based variants.
maclobdell	0:f7c60d3e7b8a	3139	*/
maclobdell	0:f7c60d3e7b8a	3140	ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
maclobdell	0:f7c60d3e7b8a	3141	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	3142	return( ret );
maclobdell	0:f7c60d3e7b8a	3143
maclobdell	0:f7c60d3e7b8a	3144	ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
maclobdell	0:f7c60d3e7b8a	3145	peer_pms, &peer_pmslen,
maclobdell	0:f7c60d3e7b8a	3146	sizeof( peer_pms ),
maclobdell	0:f7c60d3e7b8a	3147	ssl->conf->f_rng, ssl->conf->p_rng );
maclobdell	0:f7c60d3e7b8a	3148
maclobdell	0:f7c60d3e7b8a	3149	diff = (unsigned int) ret;
maclobdell	0:f7c60d3e7b8a	3150	diff \|= peer_pmslen ^ 48;
maclobdell	0:f7c60d3e7b8a	3151	diff \|= peer_pms[0] ^ ver[0];
maclobdell	0:f7c60d3e7b8a	3152	diff \|= peer_pms[1] ^ ver[1];
maclobdell	0:f7c60d3e7b8a	3153
maclobdell	0:f7c60d3e7b8a	3154	#if defined(MBEDTLS_SSL_DEBUG_ALL)
maclobdell	0:f7c60d3e7b8a	3155	if( diff != 0 )
maclobdell	0:f7c60d3e7b8a	3156	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3157	#endif
maclobdell	0:f7c60d3e7b8a	3158
maclobdell	0:f7c60d3e7b8a	3159	if( sizeof( ssl->handshake->premaster ) < pms_offset \|\|
maclobdell	0:f7c60d3e7b8a	3160	sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
maclobdell	0:f7c60d3e7b8a	3161	{
maclobdell	0:f7c60d3e7b8a	3162	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	3163	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	3164	}
maclobdell	0:f7c60d3e7b8a	3165	ssl->handshake->pmslen = 48;
maclobdell	0:f7c60d3e7b8a	3166
maclobdell	0:f7c60d3e7b8a	3167	/* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
maclobdell	0:f7c60d3e7b8a	3168	/* MSVC has a warning about unary minus on unsigned, but this is
maclobdell	0:f7c60d3e7b8a	3169	* well-defined and precisely what we want to do here */
maclobdell	0:f7c60d3e7b8a	3170	#if defined(_MSC_VER)
maclobdell	0:f7c60d3e7b8a	3171	#pragma warning( push )
maclobdell	0:f7c60d3e7b8a	3172	#pragma warning( disable : 4146 )
maclobdell	0:f7c60d3e7b8a	3173	#endif
maclobdell	0:f7c60d3e7b8a	3174	mask = - ( ( diff \| - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
maclobdell	0:f7c60d3e7b8a	3175	#if defined(_MSC_VER)
maclobdell	0:f7c60d3e7b8a	3176	#pragma warning( pop )
maclobdell	0:f7c60d3e7b8a	3177	#endif
maclobdell	0:f7c60d3e7b8a	3178
maclobdell	0:f7c60d3e7b8a	3179	for( i = 0; i < ssl->handshake->pmslen; i++ )
maclobdell	0:f7c60d3e7b8a	3180	pms[i] = ( mask & fake_pms[i] ) \| ( (~mask) & peer_pms[i] );
maclobdell	0:f7c60d3e7b8a	3181
maclobdell	0:f7c60d3e7b8a	3182	return( 0 );
maclobdell	0:f7c60d3e7b8a	3183	}
maclobdell	0:f7c60d3e7b8a	3184	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	3185	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	3186
maclobdell	0:f7c60d3e7b8a	3187	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	3188	static int ssl_parse_client_psk_identity( mbedtls_ssl_context ssl, unsigned char *p,
maclobdell	0:f7c60d3e7b8a	3189	const unsigned char *end )
maclobdell	0:f7c60d3e7b8a	3190	{
maclobdell	0:f7c60d3e7b8a	3191	int ret = 0;
maclobdell	0:f7c60d3e7b8a	3192	size_t n;
maclobdell	0:f7c60d3e7b8a	3193
maclobdell	0:f7c60d3e7b8a	3194	if( ssl->conf->f_psk == NULL &&
maclobdell	0:f7c60d3e7b8a	3195	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
maclobdell	0:f7c60d3e7b8a	3196	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
maclobdell	0:f7c60d3e7b8a	3197	{
maclobdell	0:f7c60d3e7b8a	3198	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
maclobdell	0:f7c60d3e7b8a	3199	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
maclobdell	0:f7c60d3e7b8a	3200	}
maclobdell	0:f7c60d3e7b8a	3201
maclobdell	0:f7c60d3e7b8a	3202	/*
maclobdell	0:f7c60d3e7b8a	3203	* Receive client pre-shared key identity name
maclobdell	0:f7c60d3e7b8a	3204	*/
maclobdell	0:f7c60d3e7b8a	3205	if( *p + 2 > end )
maclobdell	0:f7c60d3e7b8a	3206	{
maclobdell	0:f7c60d3e7b8a	3207	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3208	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3209	}
maclobdell	0:f7c60d3e7b8a	3210
maclobdell	0:f7c60d3e7b8a	3211	n = ( (p)[0] << 8 ) \| (p)[1];
maclobdell	0:f7c60d3e7b8a	3212	*p += 2;
maclobdell	0:f7c60d3e7b8a	3213
maclobdell	0:f7c60d3e7b8a	3214	if( n < 1 \|\| n > 65535 \|\| *p + n > end )
maclobdell	0:f7c60d3e7b8a	3215	{
maclobdell	0:f7c60d3e7b8a	3216	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3217	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3218	}
maclobdell	0:f7c60d3e7b8a	3219
maclobdell	0:f7c60d3e7b8a	3220	if( ssl->conf->f_psk != NULL )
maclobdell	0:f7c60d3e7b8a	3221	{
maclobdell	0:f7c60d3e7b8a	3222	if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
maclobdell	0:f7c60d3e7b8a	3223	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
maclobdell	0:f7c60d3e7b8a	3224	}
maclobdell	0:f7c60d3e7b8a	3225	else
maclobdell	0:f7c60d3e7b8a	3226	{
maclobdell	0:f7c60d3e7b8a	3227	/* Identity is not a big secret since clients send it in the clear,
maclobdell	0:f7c60d3e7b8a	3228	* but treat it carefully anyway, just in case */
maclobdell	0:f7c60d3e7b8a	3229	if( n != ssl->conf->psk_identity_len \|\|
maclobdell	0:f7c60d3e7b8a	3230	mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
maclobdell	0:f7c60d3e7b8a	3231	{
maclobdell	0:f7c60d3e7b8a	3232	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
maclobdell	0:f7c60d3e7b8a	3233	}
maclobdell	0:f7c60d3e7b8a	3234	}
maclobdell	0:f7c60d3e7b8a	3235
maclobdell	0:f7c60d3e7b8a	3236	if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
maclobdell	0:f7c60d3e7b8a	3237	{
maclobdell	0:f7c60d3e7b8a	3238	MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
maclobdell	0:f7c60d3e7b8a	3239	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
maclobdell	0:f7c60d3e7b8a	3240	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
maclobdell	0:f7c60d3e7b8a	3241	MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3242	{
maclobdell	0:f7c60d3e7b8a	3243	return( ret );
maclobdell	0:f7c60d3e7b8a	3244	}
maclobdell	0:f7c60d3e7b8a	3245
maclobdell	0:f7c60d3e7b8a	3246	return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
maclobdell	0:f7c60d3e7b8a	3247	}
maclobdell	0:f7c60d3e7b8a	3248
maclobdell	0:f7c60d3e7b8a	3249	*p += n;
maclobdell	0:f7c60d3e7b8a	3250
maclobdell	0:f7c60d3e7b8a	3251	return( 0 );
maclobdell	0:f7c60d3e7b8a	3252	}
maclobdell	0:f7c60d3e7b8a	3253	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	3254
maclobdell	0:f7c60d3e7b8a	3255	static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	3256	{
maclobdell	0:f7c60d3e7b8a	3257	int ret;
maclobdell	0:f7c60d3e7b8a	3258	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	3259	unsigned char p, end;
maclobdell	0:f7c60d3e7b8a	3260
maclobdell	0:f7c60d3e7b8a	3261	ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	3262
maclobdell	0:f7c60d3e7b8a	3263	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
maclobdell	0:f7c60d3e7b8a	3264
maclobdell	0:f7c60d3e7b8a	3265	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3266	{
maclobdell	0:f7c60d3e7b8a	3267	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
maclobdell	0:f7c60d3e7b8a	3268	return( ret );
maclobdell	0:f7c60d3e7b8a	3269	}
maclobdell	0:f7c60d3e7b8a	3270
maclobdell	0:f7c60d3e7b8a	3271	p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
maclobdell	0:f7c60d3e7b8a	3272	end = ssl->in_msg + ssl->in_hslen;
maclobdell	0:f7c60d3e7b8a	3273
maclobdell	0:f7c60d3e7b8a	3274	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
maclobdell	0:f7c60d3e7b8a	3275	{
maclobdell	0:f7c60d3e7b8a	3276	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3277	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3278	}
maclobdell	0:f7c60d3e7b8a	3279
maclobdell	0:f7c60d3e7b8a	3280	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
maclobdell	0:f7c60d3e7b8a	3281	{
maclobdell	0:f7c60d3e7b8a	3282	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
maclobdell	0:f7c60d3e7b8a	3283	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3284	}
maclobdell	0:f7c60d3e7b8a	3285
maclobdell	0:f7c60d3e7b8a	3286	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	3287	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
maclobdell	0:f7c60d3e7b8a	3288	{
maclobdell	0:f7c60d3e7b8a	3289	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3290	{
maclobdell	0:f7c60d3e7b8a	3291	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
maclobdell	0:f7c60d3e7b8a	3292	return( ret );
maclobdell	0:f7c60d3e7b8a	3293	}
maclobdell	0:f7c60d3e7b8a	3294
maclobdell	0:f7c60d3e7b8a	3295	if( p != end )
maclobdell	0:f7c60d3e7b8a	3296	{
maclobdell	0:f7c60d3e7b8a	3297	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
maclobdell	0:f7c60d3e7b8a	3298	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3299	}
maclobdell	0:f7c60d3e7b8a	3300
maclobdell	0:f7c60d3e7b8a	3301	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
maclobdell	0:f7c60d3e7b8a	3302	ssl->handshake->premaster,
maclobdell	0:f7c60d3e7b8a	3303	MBEDTLS_PREMASTER_SIZE,
maclobdell	0:f7c60d3e7b8a	3304	&ssl->handshake->pmslen,
maclobdell	0:f7c60d3e7b8a	3305	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3306	{
maclobdell	0:f7c60d3e7b8a	3307	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
maclobdell	0:f7c60d3e7b8a	3308	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
maclobdell	0:f7c60d3e7b8a	3309	}
maclobdell	0:f7c60d3e7b8a	3310
maclobdell	0:f7c60d3e7b8a	3311	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
maclobdell	0:f7c60d3e7b8a	3312	}
maclobdell	0:f7c60d3e7b8a	3313	else
maclobdell	0:f7c60d3e7b8a	3314	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
maclobdell	0:f7c60d3e7b8a	3315	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	3316	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	3317	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
maclobdell	0:f7c60d3e7b8a	3318	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	3319	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
maclobdell	0:f7c60d3e7b8a	3320	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
maclobdell	0:f7c60d3e7b8a	3321	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
maclobdell	0:f7c60d3e7b8a	3322	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
maclobdell	0:f7c60d3e7b8a	3323	{
maclobdell	0:f7c60d3e7b8a	3324	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
maclobdell	0:f7c60d3e7b8a	3325	p, end - p) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3326	{
maclobdell	0:f7c60d3e7b8a	3327	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
maclobdell	0:f7c60d3e7b8a	3328	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
maclobdell	0:f7c60d3e7b8a	3329	}
maclobdell	0:f7c60d3e7b8a	3330
maclobdell	0:f7c60d3e7b8a	3331	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
maclobdell	0:f7c60d3e7b8a	3332
maclobdell	0:f7c60d3e7b8a	3333	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
maclobdell	0:f7c60d3e7b8a	3334	&ssl->handshake->pmslen,
maclobdell	0:f7c60d3e7b8a	3335	ssl->handshake->premaster,
maclobdell	0:f7c60d3e7b8a	3336	MBEDTLS_MPI_MAX_SIZE,
maclobdell	0:f7c60d3e7b8a	3337	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3338	{
maclobdell	0:f7c60d3e7b8a	3339	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
maclobdell	0:f7c60d3e7b8a	3340	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
maclobdell	0:f7c60d3e7b8a	3341	}
maclobdell	0:f7c60d3e7b8a	3342
maclobdell	0:f7c60d3e7b8a	3343	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
maclobdell	0:f7c60d3e7b8a	3344	}
maclobdell	0:f7c60d3e7b8a	3345	else
maclobdell	0:f7c60d3e7b8a	3346	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	3347	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	3348	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
maclobdell	0:f7c60d3e7b8a	3349	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
maclobdell	0:f7c60d3e7b8a	3350	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	3351	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
maclobdell	0:f7c60d3e7b8a	3352	{
maclobdell	0:f7c60d3e7b8a	3353	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3354	{
maclobdell	0:f7c60d3e7b8a	3355	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
maclobdell	0:f7c60d3e7b8a	3356	return( ret );
maclobdell	0:f7c60d3e7b8a	3357	}
maclobdell	0:f7c60d3e7b8a	3358
maclobdell	0:f7c60d3e7b8a	3359	if( p != end )
maclobdell	0:f7c60d3e7b8a	3360	{
maclobdell	0:f7c60d3e7b8a	3361	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
maclobdell	0:f7c60d3e7b8a	3362	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3363	}
maclobdell	0:f7c60d3e7b8a	3364
maclobdell	0:f7c60d3e7b8a	3365	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
maclobdell	0:f7c60d3e7b8a	3366	ciphersuite_info->key_exchange ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3367	{
maclobdell	0:f7c60d3e7b8a	3368	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
maclobdell	0:f7c60d3e7b8a	3369	return( ret );
maclobdell	0:f7c60d3e7b8a	3370	}
maclobdell	0:f7c60d3e7b8a	3371	}
maclobdell	0:f7c60d3e7b8a	3372	else
maclobdell	0:f7c60d3e7b8a	3373	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	3374	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	3375	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
maclobdell	0:f7c60d3e7b8a	3376	{
maclobdell	0:f7c60d3e7b8a	3377	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3378	{
maclobdell	0:f7c60d3e7b8a	3379	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
maclobdell	0:f7c60d3e7b8a	3380	return( ret );
maclobdell	0:f7c60d3e7b8a	3381	}
maclobdell	0:f7c60d3e7b8a	3382
maclobdell	0:f7c60d3e7b8a	3383	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3384	{
maclobdell	0:f7c60d3e7b8a	3385	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
maclobdell	0:f7c60d3e7b8a	3386	return( ret );
maclobdell	0:f7c60d3e7b8a	3387	}
maclobdell	0:f7c60d3e7b8a	3388
maclobdell	0:f7c60d3e7b8a	3389	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
maclobdell	0:f7c60d3e7b8a	3390	ciphersuite_info->key_exchange ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3391	{
maclobdell	0:f7c60d3e7b8a	3392	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
maclobdell	0:f7c60d3e7b8a	3393	return( ret );
maclobdell	0:f7c60d3e7b8a	3394	}
maclobdell	0:f7c60d3e7b8a	3395	}
maclobdell	0:f7c60d3e7b8a	3396	else
maclobdell	0:f7c60d3e7b8a	3397	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	3398	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	3399	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
maclobdell	0:f7c60d3e7b8a	3400	{
maclobdell	0:f7c60d3e7b8a	3401	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3402	{
maclobdell	0:f7c60d3e7b8a	3403	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
maclobdell	0:f7c60d3e7b8a	3404	return( ret );
maclobdell	0:f7c60d3e7b8a	3405	}
maclobdell	0:f7c60d3e7b8a	3406	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3407	{
maclobdell	0:f7c60d3e7b8a	3408	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
maclobdell	0:f7c60d3e7b8a	3409	return( ret );
maclobdell	0:f7c60d3e7b8a	3410	}
maclobdell	0:f7c60d3e7b8a	3411
maclobdell	0:f7c60d3e7b8a	3412	if( p != end )
maclobdell	0:f7c60d3e7b8a	3413	{
maclobdell	0:f7c60d3e7b8a	3414	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
maclobdell	0:f7c60d3e7b8a	3415	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3416	}
maclobdell	0:f7c60d3e7b8a	3417
maclobdell	0:f7c60d3e7b8a	3418	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
maclobdell	0:f7c60d3e7b8a	3419	ciphersuite_info->key_exchange ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3420	{
maclobdell	0:f7c60d3e7b8a	3421	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
maclobdell	0:f7c60d3e7b8a	3422	return( ret );
maclobdell	0:f7c60d3e7b8a	3423	}
maclobdell	0:f7c60d3e7b8a	3424	}
maclobdell	0:f7c60d3e7b8a	3425	else
maclobdell	0:f7c60d3e7b8a	3426	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	3427	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
maclobdell	0:f7c60d3e7b8a	3428	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
maclobdell	0:f7c60d3e7b8a	3429	{
maclobdell	0:f7c60d3e7b8a	3430	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3431	{
maclobdell	0:f7c60d3e7b8a	3432	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
maclobdell	0:f7c60d3e7b8a	3433	return( ret );
maclobdell	0:f7c60d3e7b8a	3434	}
maclobdell	0:f7c60d3e7b8a	3435
maclobdell	0:f7c60d3e7b8a	3436	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
maclobdell	0:f7c60d3e7b8a	3437	p, end - p ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3438	{
maclobdell	0:f7c60d3e7b8a	3439	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
maclobdell	0:f7c60d3e7b8a	3440	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
maclobdell	0:f7c60d3e7b8a	3441	}
maclobdell	0:f7c60d3e7b8a	3442
maclobdell	0:f7c60d3e7b8a	3443	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
maclobdell	0:f7c60d3e7b8a	3444
maclobdell	0:f7c60d3e7b8a	3445	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
maclobdell	0:f7c60d3e7b8a	3446	ciphersuite_info->key_exchange ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3447	{
maclobdell	0:f7c60d3e7b8a	3448	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
maclobdell	0:f7c60d3e7b8a	3449	return( ret );
maclobdell	0:f7c60d3e7b8a	3450	}
maclobdell	0:f7c60d3e7b8a	3451	}
maclobdell	0:f7c60d3e7b8a	3452	else
maclobdell	0:f7c60d3e7b8a	3453	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
maclobdell	0:f7c60d3e7b8a	3454	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	3455	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
maclobdell	0:f7c60d3e7b8a	3456	{
maclobdell	0:f7c60d3e7b8a	3457	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3458	{
maclobdell	0:f7c60d3e7b8a	3459	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
maclobdell	0:f7c60d3e7b8a	3460	return( ret );
maclobdell	0:f7c60d3e7b8a	3461	}
maclobdell	0:f7c60d3e7b8a	3462	}
maclobdell	0:f7c60d3e7b8a	3463	else
maclobdell	0:f7c60d3e7b8a	3464	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
maclobdell	0:f7c60d3e7b8a	3465	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
maclobdell	0:f7c60d3e7b8a	3466	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
maclobdell	0:f7c60d3e7b8a	3467	{
maclobdell	0:f7c60d3e7b8a	3468	ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
maclobdell	0:f7c60d3e7b8a	3469	p, end - p );
maclobdell	0:f7c60d3e7b8a	3470	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	3471	{
maclobdell	0:f7c60d3e7b8a	3472	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
maclobdell	0:f7c60d3e7b8a	3473	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
maclobdell	0:f7c60d3e7b8a	3474	}
maclobdell	0:f7c60d3e7b8a	3475
maclobdell	0:f7c60d3e7b8a	3476	ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
maclobdell	0:f7c60d3e7b8a	3477	ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
maclobdell	0:f7c60d3e7b8a	3478	ssl->conf->f_rng, ssl->conf->p_rng );
maclobdell	0:f7c60d3e7b8a	3479	if( ret != 0 )
maclobdell	0:f7c60d3e7b8a	3480	{
maclobdell	0:f7c60d3e7b8a	3481	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
maclobdell	0:f7c60d3e7b8a	3482	return( ret );
maclobdell	0:f7c60d3e7b8a	3483	}
maclobdell	0:f7c60d3e7b8a	3484	}
maclobdell	0:f7c60d3e7b8a	3485	else
maclobdell	0:f7c60d3e7b8a	3486	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
maclobdell	0:f7c60d3e7b8a	3487	{
maclobdell	0:f7c60d3e7b8a	3488	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	3489	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	3490	}
maclobdell	0:f7c60d3e7b8a	3491
maclobdell	0:f7c60d3e7b8a	3492	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3493	{
maclobdell	0:f7c60d3e7b8a	3494	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
maclobdell	0:f7c60d3e7b8a	3495	return( ret );
maclobdell	0:f7c60d3e7b8a	3496	}
maclobdell	0:f7c60d3e7b8a	3497
maclobdell	0:f7c60d3e7b8a	3498	ssl->state++;
maclobdell	0:f7c60d3e7b8a	3499
maclobdell	0:f7c60d3e7b8a	3500	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
maclobdell	0:f7c60d3e7b8a	3501
maclobdell	0:f7c60d3e7b8a	3502	return( 0 );
maclobdell	0:f7c60d3e7b8a	3503	}
maclobdell	0:f7c60d3e7b8a	3504
maclobdell	0:f7c60d3e7b8a	3505	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
maclobdell	0:f7c60d3e7b8a	3506	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
maclobdell	0:f7c60d3e7b8a	3507	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
maclobdell	0:f7c60d3e7b8a	3508	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
maclobdell	0:f7c60d3e7b8a	3509	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	3510	{
maclobdell	0:f7c60d3e7b8a	3511	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	3512
maclobdell	0:f7c60d3e7b8a	3513	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
maclobdell	0:f7c60d3e7b8a	3514
maclobdell	0:f7c60d3e7b8a	3515	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3516	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3517	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3518	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3519	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
maclobdell	0:f7c60d3e7b8a	3520	{
maclobdell	0:f7c60d3e7b8a	3521	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
maclobdell	0:f7c60d3e7b8a	3522	ssl->state++;
maclobdell	0:f7c60d3e7b8a	3523	return( 0 );
maclobdell	0:f7c60d3e7b8a	3524	}
maclobdell	0:f7c60d3e7b8a	3525
maclobdell	0:f7c60d3e7b8a	3526	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	3527	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	3528	}
maclobdell	0:f7c60d3e7b8a	3529	#else
maclobdell	0:f7c60d3e7b8a	3530	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	3531	{
maclobdell	0:f7c60d3e7b8a	3532	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
maclobdell	0:f7c60d3e7b8a	3533	size_t i, sig_len;
maclobdell	0:f7c60d3e7b8a	3534	unsigned char hash[48];
maclobdell	0:f7c60d3e7b8a	3535	unsigned char *hash_start = hash;
maclobdell	0:f7c60d3e7b8a	3536	size_t hashlen;
maclobdell	0:f7c60d3e7b8a	3537	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
maclobdell	0:f7c60d3e7b8a	3538	mbedtls_pk_type_t pk_alg;
maclobdell	0:f7c60d3e7b8a	3539	#endif
maclobdell	0:f7c60d3e7b8a	3540	mbedtls_md_type_t md_alg;
maclobdell	0:f7c60d3e7b8a	3541	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
maclobdell	0:f7c60d3e7b8a	3542
maclobdell	0:f7c60d3e7b8a	3543	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
maclobdell	0:f7c60d3e7b8a	3544
maclobdell	0:f7c60d3e7b8a	3545	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3546	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3547	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3548	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
maclobdell	0:f7c60d3e7b8a	3549	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
maclobdell	0:f7c60d3e7b8a	3550	ssl->session_negotiate->peer_cert == NULL )
maclobdell	0:f7c60d3e7b8a	3551	{
maclobdell	0:f7c60d3e7b8a	3552	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
maclobdell	0:f7c60d3e7b8a	3553	ssl->state++;
maclobdell	0:f7c60d3e7b8a	3554	return( 0 );
maclobdell	0:f7c60d3e7b8a	3555	}
maclobdell	0:f7c60d3e7b8a	3556
maclobdell	0:f7c60d3e7b8a	3557	/* Needs to be done before read_record() to exclude current message */
maclobdell	0:f7c60d3e7b8a	3558	ssl->handshake->calc_verify( ssl, hash );
maclobdell	0:f7c60d3e7b8a	3559
maclobdell	0:f7c60d3e7b8a	3560	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3561	{
maclobdell	0:f7c60d3e7b8a	3562	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
maclobdell	0:f7c60d3e7b8a	3563	return( ret );
maclobdell	0:f7c60d3e7b8a	3564	}
maclobdell	0:f7c60d3e7b8a	3565
maclobdell	0:f7c60d3e7b8a	3566	ssl->state++;
maclobdell	0:f7c60d3e7b8a	3567
maclobdell	0:f7c60d3e7b8a	3568	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
maclobdell	0:f7c60d3e7b8a	3569	ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
maclobdell	0:f7c60d3e7b8a	3570	{
maclobdell	0:f7c60d3e7b8a	3571	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
maclobdell	0:f7c60d3e7b8a	3572	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
maclobdell	0:f7c60d3e7b8a	3573	}
maclobdell	0:f7c60d3e7b8a	3574
maclobdell	0:f7c60d3e7b8a	3575	i = mbedtls_ssl_hs_hdr_len( ssl );
maclobdell	0:f7c60d3e7b8a	3576
maclobdell	0:f7c60d3e7b8a	3577	/*
maclobdell	0:f7c60d3e7b8a	3578	* struct {
maclobdell	0:f7c60d3e7b8a	3579	* SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
maclobdell	0:f7c60d3e7b8a	3580	* opaque signature<0..2^16-1>;
maclobdell	0:f7c60d3e7b8a	3581	* } DigitallySigned;
maclobdell	0:f7c60d3e7b8a	3582	*/
maclobdell	0:f7c60d3e7b8a	3583	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
maclobdell	0:f7c60d3e7b8a	3584	defined(MBEDTLS_SSL_PROTO_TLS1_1)
maclobdell	0:f7c60d3e7b8a	3585	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
maclobdell	0:f7c60d3e7b8a	3586	{
maclobdell	0:f7c60d3e7b8a	3587	md_alg = MBEDTLS_MD_NONE;
maclobdell	0:f7c60d3e7b8a	3588	hashlen = 36;
maclobdell	0:f7c60d3e7b8a	3589
maclobdell	0:f7c60d3e7b8a	3590	/* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
maclobdell	0:f7c60d3e7b8a	3591	if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
maclobdell	0:f7c60d3e7b8a	3592	MBEDTLS_PK_ECDSA ) )
maclobdell	0:f7c60d3e7b8a	3593	{
maclobdell	0:f7c60d3e7b8a	3594	hash_start += 16;
maclobdell	0:f7c60d3e7b8a	3595	hashlen -= 16;
maclobdell	0:f7c60d3e7b8a	3596	md_alg = MBEDTLS_MD_SHA1;
maclobdell	0:f7c60d3e7b8a	3597	}
maclobdell	0:f7c60d3e7b8a	3598	}
maclobdell	0:f7c60d3e7b8a	3599	else
maclobdell	0:f7c60d3e7b8a	3600	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\|
maclobdell	0:f7c60d3e7b8a	3601	MBEDTLS_SSL_PROTO_TLS1_1 */
maclobdell	0:f7c60d3e7b8a	3602	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
maclobdell	0:f7c60d3e7b8a	3603	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
maclobdell	0:f7c60d3e7b8a	3604	{
maclobdell	0:f7c60d3e7b8a	3605	if( i + 2 > ssl->in_hslen )
maclobdell	0:f7c60d3e7b8a	3606	{
maclobdell	0:f7c60d3e7b8a	3607	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
maclobdell	0:f7c60d3e7b8a	3608	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
maclobdell	0:f7c60d3e7b8a	3609	}
maclobdell	0:f7c60d3e7b8a	3610
maclobdell	0:f7c60d3e7b8a	3611	/*
maclobdell	0:f7c60d3e7b8a	3612	* Hash
maclobdell	0:f7c60d3e7b8a	3613	*/
maclobdell	0:f7c60d3e7b8a	3614	if( ssl->in_msg[i] != ssl->handshake->verify_sig_alg )
maclobdell	0:f7c60d3e7b8a	3615	{
maclobdell	0:f7c60d3e7b8a	3616	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
maclobdell	0:f7c60d3e7b8a	3617	" for verify message" ) );
maclobdell	0:f7c60d3e7b8a	3618	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
maclobdell	0:f7c60d3e7b8a	3619	}
maclobdell	0:f7c60d3e7b8a	3620
maclobdell	0:f7c60d3e7b8a	3621	md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
maclobdell	0:f7c60d3e7b8a	3622
maclobdell	0:f7c60d3e7b8a	3623	/* Info from md_alg will be used instead */
maclobdell	0:f7c60d3e7b8a	3624	hashlen = 0;
maclobdell	0:f7c60d3e7b8a	3625
maclobdell	0:f7c60d3e7b8a	3626	i++;
maclobdell	0:f7c60d3e7b8a	3627
maclobdell	0:f7c60d3e7b8a	3628	/*
maclobdell	0:f7c60d3e7b8a	3629	* Signature
maclobdell	0:f7c60d3e7b8a	3630	*/
maclobdell	0:f7c60d3e7b8a	3631	if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
maclobdell	0:f7c60d3e7b8a	3632	== MBEDTLS_PK_NONE )
maclobdell	0:f7c60d3e7b8a	3633	{
maclobdell	0:f7c60d3e7b8a	3634	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
maclobdell	0:f7c60d3e7b8a	3635	" for verify message" ) );
maclobdell	0:f7c60d3e7b8a	3636	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
maclobdell	0:f7c60d3e7b8a	3637	}
maclobdell	0:f7c60d3e7b8a	3638
maclobdell	0:f7c60d3e7b8a	3639	/*
maclobdell	0:f7c60d3e7b8a	3640	* Check the certificate's key type matches the signature alg
maclobdell	0:f7c60d3e7b8a	3641	*/
maclobdell	0:f7c60d3e7b8a	3642	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
maclobdell	0:f7c60d3e7b8a	3643	{
maclobdell	0:f7c60d3e7b8a	3644	MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
maclobdell	0:f7c60d3e7b8a	3645	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
maclobdell	0:f7c60d3e7b8a	3646	}
maclobdell	0:f7c60d3e7b8a	3647
maclobdell	0:f7c60d3e7b8a	3648	i++;
maclobdell	0:f7c60d3e7b8a	3649	}
maclobdell	0:f7c60d3e7b8a	3650	else
maclobdell	0:f7c60d3e7b8a	3651	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
maclobdell	0:f7c60d3e7b8a	3652	{
maclobdell	0:f7c60d3e7b8a	3653	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
maclobdell	0:f7c60d3e7b8a	3654	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
maclobdell	0:f7c60d3e7b8a	3655	}
maclobdell	0:f7c60d3e7b8a	3656
maclobdell	0:f7c60d3e7b8a	3657	if( i + 2 > ssl->in_hslen )
maclobdell	0:f7c60d3e7b8a	3658	{
maclobdell	0:f7c60d3e7b8a	3659	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
maclobdell	0:f7c60d3e7b8a	3660	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
maclobdell	0:f7c60d3e7b8a	3661	}
maclobdell	0:f7c60d3e7b8a	3662
maclobdell	0:f7c60d3e7b8a	3663	sig_len = ( ssl->in_msg[i] << 8 ) \| ssl->in_msg[i+1];
maclobdell	0:f7c60d3e7b8a	3664	i += 2;
maclobdell	0:f7c60d3e7b8a	3665
maclobdell	0:f7c60d3e7b8a	3666	if( i + sig_len != ssl->in_hslen )
maclobdell	0:f7c60d3e7b8a	3667	{
maclobdell	0:f7c60d3e7b8a	3668	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
maclobdell	0:f7c60d3e7b8a	3669	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
maclobdell	0:f7c60d3e7b8a	3670	}
maclobdell	0:f7c60d3e7b8a	3671
maclobdell	0:f7c60d3e7b8a	3672	if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
maclobdell	0:f7c60d3e7b8a	3673	md_alg, hash_start, hashlen,
maclobdell	0:f7c60d3e7b8a	3674	ssl->in_msg + i, sig_len ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3675	{
maclobdell	0:f7c60d3e7b8a	3676	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
maclobdell	0:f7c60d3e7b8a	3677	return( ret );
maclobdell	0:f7c60d3e7b8a	3678	}
maclobdell	0:f7c60d3e7b8a	3679
maclobdell	0:f7c60d3e7b8a	3680	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
maclobdell	0:f7c60d3e7b8a	3681
maclobdell	0:f7c60d3e7b8a	3682	return( ret );
maclobdell	0:f7c60d3e7b8a	3683	}
maclobdell	0:f7c60d3e7b8a	3684	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
maclobdell	0:f7c60d3e7b8a	3685	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
maclobdell	0:f7c60d3e7b8a	3686	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
maclobdell	0:f7c60d3e7b8a	3687
maclobdell	0:f7c60d3e7b8a	3688	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	3689	static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	3690	{
maclobdell	0:f7c60d3e7b8a	3691	int ret;
maclobdell	0:f7c60d3e7b8a	3692	size_t tlen;
maclobdell	0:f7c60d3e7b8a	3693	uint32_t lifetime;
maclobdell	0:f7c60d3e7b8a	3694
maclobdell	0:f7c60d3e7b8a	3695	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
maclobdell	0:f7c60d3e7b8a	3696
maclobdell	0:f7c60d3e7b8a	3697	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
maclobdell	0:f7c60d3e7b8a	3698	ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
maclobdell	0:f7c60d3e7b8a	3699
maclobdell	0:f7c60d3e7b8a	3700	/*
maclobdell	0:f7c60d3e7b8a	3701	* struct {
maclobdell	0:f7c60d3e7b8a	3702	* uint32 ticket_lifetime_hint;
maclobdell	0:f7c60d3e7b8a	3703	* opaque ticket<0..2^16-1>;
maclobdell	0:f7c60d3e7b8a	3704	* } NewSessionTicket;
maclobdell	0:f7c60d3e7b8a	3705	*
maclobdell	0:f7c60d3e7b8a	3706	* 4 . 7 ticket_lifetime_hint (0 = unspecified)
maclobdell	0:f7c60d3e7b8a	3707	* 8 . 9 ticket_len (n)
maclobdell	0:f7c60d3e7b8a	3708	* 10 . 9+n ticket content
maclobdell	0:f7c60d3e7b8a	3709	*/
maclobdell	0:f7c60d3e7b8a	3710
maclobdell	0:f7c60d3e7b8a	3711	if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
maclobdell	0:f7c60d3e7b8a	3712	ssl->session_negotiate,
maclobdell	0:f7c60d3e7b8a	3713	ssl->out_msg + 10,
maclobdell	0:f7c60d3e7b8a	3714	ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
maclobdell	0:f7c60d3e7b8a	3715	&tlen, &lifetime ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3716	{
maclobdell	0:f7c60d3e7b8a	3717	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
maclobdell	0:f7c60d3e7b8a	3718	tlen = 0;
maclobdell	0:f7c60d3e7b8a	3719	}
maclobdell	0:f7c60d3e7b8a	3720
maclobdell	0:f7c60d3e7b8a	3721	ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
maclobdell	0:f7c60d3e7b8a	3722	ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
maclobdell	0:f7c60d3e7b8a	3723	ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
maclobdell	0:f7c60d3e7b8a	3724	ssl->out_msg[7] = ( lifetime ) & 0xFF;
maclobdell	0:f7c60d3e7b8a	3725
maclobdell	0:f7c60d3e7b8a	3726	ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	3727	ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
maclobdell	0:f7c60d3e7b8a	3728
maclobdell	0:f7c60d3e7b8a	3729	ssl->out_msglen = 10 + tlen;
maclobdell	0:f7c60d3e7b8a	3730
maclobdell	0:f7c60d3e7b8a	3731	/*
maclobdell	0:f7c60d3e7b8a	3732	* Morally equivalent to updating ssl->state, but NewSessionTicket and
maclobdell	0:f7c60d3e7b8a	3733	* ChangeCipherSpec share the same state.
maclobdell	0:f7c60d3e7b8a	3734	*/
maclobdell	0:f7c60d3e7b8a	3735	ssl->handshake->new_session_ticket = 0;
maclobdell	0:f7c60d3e7b8a	3736
maclobdell	0:f7c60d3e7b8a	3737	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3738	{
maclobdell	0:f7c60d3e7b8a	3739	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
maclobdell	0:f7c60d3e7b8a	3740	return( ret );
maclobdell	0:f7c60d3e7b8a	3741	}
maclobdell	0:f7c60d3e7b8a	3742
maclobdell	0:f7c60d3e7b8a	3743	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
maclobdell	0:f7c60d3e7b8a	3744
maclobdell	0:f7c60d3e7b8a	3745	return( 0 );
maclobdell	0:f7c60d3e7b8a	3746	}
maclobdell	0:f7c60d3e7b8a	3747	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
maclobdell	0:f7c60d3e7b8a	3748
maclobdell	0:f7c60d3e7b8a	3749	/*
maclobdell	0:f7c60d3e7b8a	3750	* SSL handshake -- server side -- single step
maclobdell	0:f7c60d3e7b8a	3751	*/
maclobdell	0:f7c60d3e7b8a	3752	int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
maclobdell	0:f7c60d3e7b8a	3753	{
maclobdell	0:f7c60d3e7b8a	3754	int ret = 0;
maclobdell	0:f7c60d3e7b8a	3755
maclobdell	0:f7c60d3e7b8a	3756	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER \|\| ssl->handshake == NULL )
maclobdell	0:f7c60d3e7b8a	3757	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
maclobdell	0:f7c60d3e7b8a	3758
maclobdell	0:f7c60d3e7b8a	3759	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
maclobdell	0:f7c60d3e7b8a	3760
maclobdell	0:f7c60d3e7b8a	3761	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3762	return( ret );
maclobdell	0:f7c60d3e7b8a	3763
maclobdell	0:f7c60d3e7b8a	3764	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	3765	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
maclobdell	0:f7c60d3e7b8a	3766	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
maclobdell	0:f7c60d3e7b8a	3767	{
maclobdell	0:f7c60d3e7b8a	3768	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
maclobdell	0:f7c60d3e7b8a	3769	return( ret );
maclobdell	0:f7c60d3e7b8a	3770	}
maclobdell	0:f7c60d3e7b8a	3771	#endif
maclobdell	0:f7c60d3e7b8a	3772
maclobdell	0:f7c60d3e7b8a	3773	switch( ssl->state )
maclobdell	0:f7c60d3e7b8a	3774	{
maclobdell	0:f7c60d3e7b8a	3775	case MBEDTLS_SSL_HELLO_REQUEST:
maclobdell	0:f7c60d3e7b8a	3776	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
maclobdell	0:f7c60d3e7b8a	3777	break;
maclobdell	0:f7c60d3e7b8a	3778
maclobdell	0:f7c60d3e7b8a	3779	/*
maclobdell	0:f7c60d3e7b8a	3780	* <== ClientHello
maclobdell	0:f7c60d3e7b8a	3781	*/
maclobdell	0:f7c60d3e7b8a	3782	case MBEDTLS_SSL_CLIENT_HELLO:
maclobdell	0:f7c60d3e7b8a	3783	ret = ssl_parse_client_hello( ssl );
maclobdell	0:f7c60d3e7b8a	3784	break;
maclobdell	0:f7c60d3e7b8a	3785
maclobdell	0:f7c60d3e7b8a	3786	#if defined(MBEDTLS_SSL_PROTO_DTLS)
maclobdell	0:f7c60d3e7b8a	3787	case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
maclobdell	0:f7c60d3e7b8a	3788	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
maclobdell	0:f7c60d3e7b8a	3789	#endif
maclobdell	0:f7c60d3e7b8a	3790
maclobdell	0:f7c60d3e7b8a	3791	/*
maclobdell	0:f7c60d3e7b8a	3792	* ==> ServerHello
maclobdell	0:f7c60d3e7b8a	3793	* Certificate
maclobdell	0:f7c60d3e7b8a	3794	* ( ServerKeyExchange )
maclobdell	0:f7c60d3e7b8a	3795	* ( CertificateRequest )
maclobdell	0:f7c60d3e7b8a	3796	* ServerHelloDone
maclobdell	0:f7c60d3e7b8a	3797	*/
maclobdell	0:f7c60d3e7b8a	3798	case MBEDTLS_SSL_SERVER_HELLO:
maclobdell	0:f7c60d3e7b8a	3799	ret = ssl_write_server_hello( ssl );
maclobdell	0:f7c60d3e7b8a	3800	break;
maclobdell	0:f7c60d3e7b8a	3801
maclobdell	0:f7c60d3e7b8a	3802	case MBEDTLS_SSL_SERVER_CERTIFICATE:
maclobdell	0:f7c60d3e7b8a	3803	ret = mbedtls_ssl_write_certificate( ssl );
maclobdell	0:f7c60d3e7b8a	3804	break;
maclobdell	0:f7c60d3e7b8a	3805
maclobdell	0:f7c60d3e7b8a	3806	case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
maclobdell	0:f7c60d3e7b8a	3807	ret = ssl_write_server_key_exchange( ssl );
maclobdell	0:f7c60d3e7b8a	3808	break;
maclobdell	0:f7c60d3e7b8a	3809
maclobdell	0:f7c60d3e7b8a	3810	case MBEDTLS_SSL_CERTIFICATE_REQUEST:
maclobdell	0:f7c60d3e7b8a	3811	ret = ssl_write_certificate_request( ssl );
maclobdell	0:f7c60d3e7b8a	3812	break;
maclobdell	0:f7c60d3e7b8a	3813
maclobdell	0:f7c60d3e7b8a	3814	case MBEDTLS_SSL_SERVER_HELLO_DONE:
maclobdell	0:f7c60d3e7b8a	3815	ret = ssl_write_server_hello_done( ssl );
maclobdell	0:f7c60d3e7b8a	3816	break;
maclobdell	0:f7c60d3e7b8a	3817
maclobdell	0:f7c60d3e7b8a	3818	/*
maclobdell	0:f7c60d3e7b8a	3819	* <== ( Certificate/Alert )
maclobdell	0:f7c60d3e7b8a	3820	* ClientKeyExchange
maclobdell	0:f7c60d3e7b8a	3821	* ( CertificateVerify )
maclobdell	0:f7c60d3e7b8a	3822	* ChangeCipherSpec
maclobdell	0:f7c60d3e7b8a	3823	* Finished
maclobdell	0:f7c60d3e7b8a	3824	*/
maclobdell	0:f7c60d3e7b8a	3825	case MBEDTLS_SSL_CLIENT_CERTIFICATE:
maclobdell	0:f7c60d3e7b8a	3826	ret = mbedtls_ssl_parse_certificate( ssl );
maclobdell	0:f7c60d3e7b8a	3827	break;
maclobdell	0:f7c60d3e7b8a	3828
maclobdell	0:f7c60d3e7b8a	3829	case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
maclobdell	0:f7c60d3e7b8a	3830	ret = ssl_parse_client_key_exchange( ssl );
maclobdell	0:f7c60d3e7b8a	3831	break;
maclobdell	0:f7c60d3e7b8a	3832
maclobdell	0:f7c60d3e7b8a	3833	case MBEDTLS_SSL_CERTIFICATE_VERIFY:
maclobdell	0:f7c60d3e7b8a	3834	ret = ssl_parse_certificate_verify( ssl );
maclobdell	0:f7c60d3e7b8a	3835	break;
maclobdell	0:f7c60d3e7b8a	3836
maclobdell	0:f7c60d3e7b8a	3837	case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
maclobdell	0:f7c60d3e7b8a	3838	ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
maclobdell	0:f7c60d3e7b8a	3839	break;
maclobdell	0:f7c60d3e7b8a	3840
maclobdell	0:f7c60d3e7b8a	3841	case MBEDTLS_SSL_CLIENT_FINISHED:
maclobdell	0:f7c60d3e7b8a	3842	ret = mbedtls_ssl_parse_finished( ssl );
maclobdell	0:f7c60d3e7b8a	3843	break;
maclobdell	0:f7c60d3e7b8a	3844
maclobdell	0:f7c60d3e7b8a	3845	/*
maclobdell	0:f7c60d3e7b8a	3846	* ==> ( NewSessionTicket )
maclobdell	0:f7c60d3e7b8a	3847	* ChangeCipherSpec
maclobdell	0:f7c60d3e7b8a	3848	* Finished
maclobdell	0:f7c60d3e7b8a	3849	*/
maclobdell	0:f7c60d3e7b8a	3850	case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
maclobdell	0:f7c60d3e7b8a	3851	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
maclobdell	0:f7c60d3e7b8a	3852	if( ssl->handshake->new_session_ticket != 0 )
maclobdell	0:f7c60d3e7b8a	3853	ret = ssl_write_new_session_ticket( ssl );
maclobdell	0:f7c60d3e7b8a	3854	else
maclobdell	0:f7c60d3e7b8a	3855	#endif
maclobdell	0:f7c60d3e7b8a	3856	ret = mbedtls_ssl_write_change_cipher_spec( ssl );
maclobdell	0:f7c60d3e7b8a	3857	break;
maclobdell	0:f7c60d3e7b8a	3858
maclobdell	0:f7c60d3e7b8a	3859	case MBEDTLS_SSL_SERVER_FINISHED:
maclobdell	0:f7c60d3e7b8a	3860	ret = mbedtls_ssl_write_finished( ssl );
maclobdell	0:f7c60d3e7b8a	3861	break;
maclobdell	0:f7c60d3e7b8a	3862
maclobdell	0:f7c60d3e7b8a	3863	case MBEDTLS_SSL_FLUSH_BUFFERS:
maclobdell	0:f7c60d3e7b8a	3864	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
maclobdell	0:f7c60d3e7b8a	3865	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
maclobdell	0:f7c60d3e7b8a	3866	break;
maclobdell	0:f7c60d3e7b8a	3867
maclobdell	0:f7c60d3e7b8a	3868	case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
maclobdell	0:f7c60d3e7b8a	3869	mbedtls_ssl_handshake_wrapup( ssl );
maclobdell	0:f7c60d3e7b8a	3870	break;
maclobdell	0:f7c60d3e7b8a	3871
maclobdell	0:f7c60d3e7b8a	3872	default:
maclobdell	0:f7c60d3e7b8a	3873	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
maclobdell	0:f7c60d3e7b8a	3874	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
maclobdell	0:f7c60d3e7b8a	3875	}
maclobdell	0:f7c60d3e7b8a	3876
maclobdell	0:f7c60d3e7b8a	3877	return( ret );
maclobdell	0:f7c60d3e7b8a	3878	}
maclobdell	0:f7c60d3e7b8a	3879	#endif /* MBEDTLS_SSL_SRV_C */

Repository toolbox

Export to desktop IDE

Build repository

Repository details

Type:	Program
Mbed OS support:	Mbed 2 deprecated
Created:	19 May 2016
Imports:	0
Forks:	0
Commits:	2
Dependents:	0
Dependencies:	5
Followers:	1

mbed-client/mbedtls/source/ssl_srv.c@0:f7c60d3e7b8a, 2016-05-18 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning